http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53269
Bug #: 53269
Summary: [4.8 Regression] firefox crashes in
/media/libtheora/lib/decode.c when compiled with -O2
Classification: Unclassified
Product: gcc
Version: 4.8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
AssignedTo: [email protected]
ReportedBy: [email protected]
Firefox compiled with gcc-4.8.0 and -O2 crashes on the following site,
http://archive.org/details/Eisenstein-October, when one starts the movie.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdd171700 (LWP 5185)]
0x00007ffff5e21f1e in oc_dec_init (_setup=0x7fffd31e2800, _info=<optimized
out>, _dec=0x7fffd6e56010)
at /var/tmp/mozilla-central/media/libtheora/lib/decode.c:403
403 qsum+=_dec->state.dequant_tables[qti][pli][qi][12]+
(gdb) bt
#0 0x00007ffff5e21f1e in oc_dec_init (_setup=0x7fffd31e2800, _info=<optimized
out>, _dec=0x7fffd6e56010)
at /var/tmp/mozilla-central/media/libtheora/lib/decode.c:403
#1 th_decode_alloc (_info=<optimized out>, _setup=0x7fffd31e2800) at
/var/tmp/mozilla-central/media/libtheora/lib/decode.c:1963
#2 0x00007ffff5727dbc in Init (this=0x7fffdb902c00) at
/var/tmp/mozilla-central/content/media/ogg/nsOggCodecState.cpp:282
#3 nsTheoraState::Init (this=0x7fffdb902c00) at
/var/tmp/mozilla-central/content/media/ogg/nsOggCodecState.cpp:264
#4 0x00007ffff572dfa2 in nsOggReader::ReadMetadata (this=0x7fffd9b28000,
aInfo=0x7fffdd170ce8)
at /var/tmp/mozilla-central/content/media/ogg/nsOggReader.cpp:268
#5 0x00007ffff571d81c in nsBuiltinDecoderStateMachine::DecodeMetadata
(this=this@entry=0x7fffd6e48460)
at
/var/tmp/mozilla-central/content/media/nsBuiltinDecoderStateMachine.cpp:1792
#6 0x00007ffff571e1aa in nsBuiltinDecoderStateMachine::DecodeThreadRun
(this=0x7fffd6e48460)
at
/var/tmp/mozilla-central/content/media/nsBuiltinDecoderStateMachine.cpp:507
#7 0x00007ffff4f58bd7 in nsRunnableMethodImpl<void (nsPACMan::*)(), true>::Run
(this=<optimized out>) at ../../../dist/include/nsThreadUtils.h:345
#8 0x00007ffff5ca1a8e in nsThread::ProcessNextEvent (this=0x7fffd7855710,
mayWait=<optimized out>, result=0x7fffdd170e0f)
at /var/tmp/mozilla-central/xpcom/threads/nsThread.cpp:656
#9 0x00007ffff5c62d72 in NS_ProcessNextEvent_P (thread=<optimized out>,
mayWait=<optimized out>)
at /var/tmp/mozilla-central/moz-build-dir/xpcom/build/nsThreadUtils.cpp:245
#10 0x00007ffff5ca1349 in nsThread::ThreadFunc (arg=0x7fffd7855710) at
/var/tmp/mozilla-central/xpcom/threads/nsThread.cpp:289
#11 0x00007ffff4604bc3 in ?? () from /usr/lib64/libnspr4.so
#12 0x00007ffff7bc8dff in start_thread (arg=0x7fffdd171700) at
pthread_create.c:304
#13 0x00007ffff72a495d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:114
I've narrowed this down to one function in media/libtheora/lib/decode.c:
367 __attribute__((optimize ("-O1")))
368 static int oc_dec_init(oc_dec_ctx *_dec,const th_info *_info,
369 const th_setup_info *_setup){
370 int qti;
371 int pli;
372 int qi;
373 int ret;
374 ret=oc_state_init(&_dec->state,_info,3);
375 if(ret<0)return ret;
376 ret=oc_huff_trees_copy(_dec->huff_tables,
377 (const ogg_int16_t *const *)_setup->huff_tables);
378 if(ret<0){
379 oc_state_clear(&_dec->state);
380 return ret;
381 }
382 /*For each fragment, allocate one byte for every DCT coefficient token,
plus
383 one byte for extra-bits for each token, plus one more byte for the
long
384 EOB run, just in case it's the very last token and has a run length
of
385 one.*/
386 _dec->dct_tokens=(unsigned char *)_ogg_malloc((64+64+1)*
387 _dec->state.nfrags*sizeof(_dec->dct_tokens[0]));
388 if(_dec->dct_tokens==NULL){
389 oc_huff_trees_clear(_dec->huff_tables);
390 oc_state_clear(&_dec->state);
391 return TH_EFAULT;
392 }
393 for(qi=0;qi<64;qi++)for(pli=0;pli<3;pli++)for(qti=0;qti<2;qti++){
394 _dec->state.dequant_tables[qi][pli][qti]=
395 _dec->state.dequant_table_data[qi][pli][qti];
396 }
397 oc_dequant_tables_init(_dec->state.dequant_tables,_dec->pp_dc_scale,
398 &_setup->qinfo);
399 for(qi=0;qi<64;qi++){
400 int qsum;
401 qsum=0;
402 for(qti=0;qti<2;qti++)for(pli=0;pli<3;pli++){
403 qsum+=_dec->state.dequant_tables[qti][pli][qi][12]+
404 _dec->state.dequant_tables[qti][pli][qi][17]+
405 _dec->state.dequant_tables[qti][pli][qi][18]+
406 _dec->state.dequant_tables[qti][pli][qi][24]<<(pli==0);
407 }
408 _dec->pp_sharp_mod[qi]=-(qsum>>11);
409 }
...
With "__attribute__((optimize ("-O1")))" Firefox no longer crashes.
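So it looks like the nested for loop (starting at line 399) gets miscompiled.
(Note: the excerpt is not self-consistent about the index order. The loop at
line 393 indexes dequant_tables as [qi][pli][qti] with qi<64, pli<3, qti<2,
while the loop at line 402 indexes the same array as [qti][pli][qi]. The
declaration is not shown here; if the array is declared with dimensions
[64][3][2], as the first loop suggests, then the reads at lines 403-406 are out
of bounds for qi>=2. That is undefined behavior, which an optimizer may
legitimately exploit, so the index order in decode.c should be checked before
concluding the compiler is at fault.)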
gcc-4.7 is fine.