https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98192
Bug ID: 98192
Summary: Double free in SLP
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Keywords: ice-on-valid-code
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: marxin at gcc dot gnu.org
CC: rguenth at gcc dot gnu.org
Target Milestone: ---
Host: x86_64-linux
Target: ppc64le-linux-gnu

Valgrind shows it when compiling the test case below. According to the trace, the vec created in vect_slp_check_for_constructors (tree-vect-slp.c:4269) is released in vect_build_slp_instance (tree-vect-slp.c:2370) and then released a second time by ~_bb_vec_info (tree-vect-slp.c:3401):

$ valgrind --trace-children=yes ./xgcc -B. /home/marxin/Programming/gcc/gcc/testsuite/gcc.target/powerpc/vsx-extract-7.c -O2 -ftree-slp-vectorize -c
...
==14527== Invalid read of size 1
==14527== at 0x132C855: vec<_stmt_vec_info*, va_heap, vl_ptr>::using_auto_storage() const (vec.h:2126)
==14527== by 0x132B313: vec<_stmt_vec_info*, va_heap, vl_ptr>::release() (vec.h:1826)
==14527== by 0x15C2FEA: _bb_vec_info::~_bb_vec_info() (tree-vect-slp.c:3401)
==14527== by 0x15C6EB7: vect_slp_region(vec<basic_block_def*, va_heap, vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*, unsigned int) (tree-vect-slp.c:4575)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>) (tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)
==14527== by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:2567)
==14527== by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c:2656)
==14527== by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c:2657)
==14527== by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c:2657)
==14527== by 0x10D75C5: execute_pass_list(function*, opt_pass*) (passes.c:2667)
==14527== Address 0x5af0153 is 3 bytes inside a block of size 24 free'd
==14527== at 0x483A9AB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14527== by 0x132C892: void va_heap::release<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&) (vec.h:316)
==14527== by 0x132B333: vec<_stmt_vec_info*, va_heap, vl_ptr>::release() (vec.h:1832)
==14527== by 0x15BF974: vect_build_slp_instance(vec_info*, slp_instance_kind, vec<_stmt_vec_info*, va_heap, vl_ptr>, _stmt_vec_info*, unsigned int, hash_map<vec<gimple*, va_heap, vl_ptr>, _slp_tree*, simple_hashmap_traits<bst_traits, _slp_tree*> >*, _stmt_vec_info*) (tree-vect-slp.c:2370)
==14527== by 0x15C0624: vect_analyze_slp(vec_info*, unsigned int) (tree-vect-slp.c:2586)
==14527== by 0x15C63CB: vect_slp_analyze_bb_1(_bb_vec_info*, int, bool&, vec<int, va_heap, vl_ptr>*) (tree-vect-slp.c:4385)
==14527== by 0x15C692C: vect_slp_region(vec<basic_block_def*, va_heap, vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*, unsigned int) (tree-vect-slp.c:4497)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>) (tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)
==14527== by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:2567)
==14527== by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c:2656)
==14527== Block was alloc'd at
==14527== at 0x483977F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14527== by 0x214853F: xrealloc (xmalloc.c:177)
==14527== by 0x132C995: void va_heap::reserve<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&, unsigned int, bool) (vec.h:290)
==14527== by 0x132B3E5: vec<_stmt_vec_info*, va_heap, vl_ptr>::reserve(unsigned int, bool) (vec.h:1778)
==14527== by 0x15CEC18: vec<_stmt_vec_info*, va_heap, vl_ptr>::reserve_exact(unsigned int) (vec.h:1798)
==14527== by 0x15CCEE2: vec<_stmt_vec_info*, va_heap, vl_ptr>::create(unsigned int) (vec.h:1813)
==14527== by 0x15C5C54: vect_slp_check_for_constructors(_bb_vec_info*) (tree-vect-slp.c:4269)
==14527== by 0x15C62E2: vect_slp_analyze_bb_1(_bb_vec_info*, int, bool&, vec<int, va_heap, vl_ptr>*) (tree-vect-slp.c:4360)
==14527== by 0x15C692C: vect_slp_region(vec<basic_block_def*, va_heap, vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*, unsigned int) (tree-vect-slp.c:4497)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>) (tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)
==14527==
==14527== Invalid free() / delete / delete[] / realloc()
==14527== at 0x483A9AB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14527== by 0x132C892: void va_heap::release<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&) (vec.h:316)
==14527== by 0x132B333: vec<_stmt_vec_info*, va_heap, vl_ptr>::release() (vec.h:1832)
==14527== by 0x15C2FEA: _bb_vec_info::~_bb_vec_info() (tree-vect-slp.c:3401)
==14527== by 0x15C6EB7: vect_slp_region(vec<basic_block_def*, va_heap, vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*, unsigned int) (tree-vect-slp.c:4575)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>) (tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)
==14527== by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:2567)
==14527== by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c:2656)
==14527== by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c:2657)
==14527== by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c:2657)
==14527== Address 0x5af0150 is 0 bytes inside a block of size 24 free'd
==14527== at 0x483A9AB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14527== by 0x132C892: void va_heap::release<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&) (vec.h:316)
==14527== by 0x132B333: vec<_stmt_vec_info*, va_heap, vl_ptr>::release() (vec.h:1832)
==14527== by 0x15BF974: vect_build_slp_instance(vec_info*, slp_instance_kind, vec<_stmt_vec_info*, va_heap, vl_ptr>, _stmt_vec_info*, unsigned int, hash_map<vec<gimple*, va_heap, vl_ptr>, _slp_tree*, simple_hashmap_traits<bst_traits, _slp_tree*> >*, _stmt_vec_info*) (tree-vect-slp.c:2370)
==14527== by 0x15C0624: vect_analyze_slp(vec_info*, unsigned int) (tree-vect-slp.c:2586)
==14527== by 0x15C63CB: vect_slp_analyze_bb_1(_bb_vec_info*, int, bool&, vec<int, va_heap, vl_ptr>*) (tree-vect-slp.c:4385)
==14527== by 0x15C692C: vect_slp_region(vec<basic_block_def*, va_heap, vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*, unsigned int) (tree-vect-slp.c:4497)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>) (tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)
==14527== by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:2567)
==14527== by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c:2656)
==14527== Block was alloc'd at
==14527== at 0x483977F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14527== by 0x214853F: xrealloc (xmalloc.c:177)
==14527== by 0x132C995: void va_heap::reserve<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&, unsigned int, bool) (vec.h:290)
==14527== by 0x132B3E5: vec<_stmt_vec_info*, va_heap, vl_ptr>::reserve(unsigned int, bool) (vec.h:1778)
==14527== by 0x15CEC18: vec<_stmt_vec_info*, va_heap, vl_ptr>::reserve_exact(unsigned int) (vec.h:1798)
==14527== by 0x15CCEE2: vec<_stmt_vec_info*, va_heap, vl_ptr>::create(unsigned int) (vec.h:1813)
==14527== by 0x15C5C54: vect_slp_check_for_constructors(_bb_vec_info*) (tree-vect-slp.c:4269)
==14527== by 0x15C62E2: vect_slp_analyze_bb_1(_bb_vec_info*, int, bool&, vec<int, va_heap, vl_ptr>*) (tree-vect-slp.c:4360)
==14527== by 0x15C692C: vect_slp_region(vec<basic_block_def*, va_heap, vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*, unsigned int) (tree-vect-slp.c:4497)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>) (tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)