https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100513
--- Comment #13 from Richard Biener <rguenth at gcc dot gnu.org> ---
So we're reaching a unreleased SSA names def_stmt which points to a ggc_freed
CFG block. Referenced from a function decls symtab node and edge call stmts.
And we're collecting after PRE.
The basic-block in question is released via
#0 ggc_free (p=0x7ffff607d3a8) at /home/rguenther/src/gcc3/gcc/ggc-page.c:1612
#1 0x0000000002596ae0 in free_block (bb=<basic_block 0x7ffff607d3a8 (7)>)
at /home/rguenther/src/gcc3/gcc/cfg.c:105
#2 0x0000000002596b76 in free_cfg (fn=0x7ffff56d7228)
at /home/rguenther/src/gcc3/gcc/cfg.c:122
#3 0x000000000105bed8 in release_function_body (
decl=<function_decl 0x7ffff3f66c00 ei_safe_edge.isra>)
at /home/rguenther/src/gcc3/gcc/cgraph.c:1821
#4 0x000000000105c0b7 in cgraph_node::release_body (
this=<cgraph_node * const 0x7ffff402cbb0 "ei_safe_edge.isra"/1010>,
keep_arguments=false) at /home/rguenther/src/gcc3/gcc/cgraph.c:1857
#5 0x000000000105c723 in cgraph_node::remove (
this=<cgraph_node * const 0x7ffff402cbb0 "ei_safe_edge.isra"/1010>)
at /home/rguenther/src/gcc3/gcc/cgraph.c:1957
#6 0x00000000017ab133 in expand_call_inline (
bb=<basic_block 0x7ffff60d51a0 (12)>, stmt=<gimple_assign 0x7ffff3e93780>,
id=0x7fffffffd920, to_purge=0x7fffffffd900)
at /home/rguenther/src/gcc3/gcc/tree-inline.c:5270
#7 0x00000000017ab242 in gimple_expand_calls_inline (
bb=<basic_block 0x7ffff60d51a0 (12)>, id=0x7fffffffd920,
to_purge=0x7fffffffd900) at /home/rguenther/src/gcc3/gcc/tree-inline.c:5299
#8 0x00000000017aba14 in optimize_inline_calls (
fn=<function_decl 0x7ffff55f4d00 gimple_purge_dead_abnormal_call_edges
but the interesting thing is that the SSA name refering to the released
block is not associated with the function released.
<ssa_name 0x7ffff61e1870
type <pointer_type 0x7ffff582d3f0 edge
type <record_type 0x7ffff582d2a0 edge_def cxx-odr-p type_5 type_6 BLK
size <integer_cst 0x7ffff63e9060 constant 384>
unit-size <integer_cst 0x7ffff63cdd98 constant 48>
align:64 warn_if_not_align:0 symtab:0 alias-set 37 canonical-type
0x7ffff582d2a0 fields <field_decl 0x7ffff57c0980 src> context
<translation_unit_decl 0x7ffff6578168 t.ii>
full-name "class edge_def"
X() X(constX&) this=(X&) n_parents=0 use_template=0
interface-unknown
pointer_to_this <pointer_type 0x7ffff582d348> chain <type_decl
0x7ffff5c24d10 edge_def>>
sizes-gimplified public unsigned DI
size <integer_cst 0x7ffff656aeb8 constant 64>
unit-size <integer_cst 0x7ffff656aed0 constant 8>
align:64 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7ffff582d348
pointer_to_this <pointer_type 0x7ffff5789c78>>
visited
def_stmt _6 = ei_edge (i, ISRA.1211_9(D), ISRA.1212_10(D));
version:8
ptr-info 0x7ffff610b588>
(gdb) p t->ssa_name.def_stmt->bb
$31 = <basic_block 0x7ffff3ef05b0 (3)>
the SSA name is originally created by into SSA and rewritten via
#1 0x00000000013ef215 in ipa_param_body_adjustments::modify_call_stmt (
this=0x3f45fc0, stmt_p=0x7fffffffd1a0)
at /home/rguenther/src/gcc3/gcc/ipa-param-manipulation.c:1695
1695 gimple_call_set_lhs (new_stmt, lhs);
(gdb) l
1690 gimple_call_set_chain (new_stmt, gimple_call_chain (stmt));
1691 gimple_call_copy_flags (new_stmt, stmt);
1692 if (tree lhs = gimple_call_lhs (stmt))
1693 {
1694 modify_expression (&lhs, false);
1695 gimple_call_set_lhs (new_stmt, lhs);
1696 }
where this alters the 'lhs' SSA_NAME_DEF_STMT to new_stmt which has a
NULL basic-block at this point. I suppose the old stmt is dead
afterwards - because the caller will only remap the LHS SSA name _after_
this call adjustment.
diff --git a/gcc/ipa-param-manipulation.c b/gcc/ipa-param-manipulation.c
index 1d1e64f546a..8385c8f3073 100644
--- a/gcc/ipa-param-manipulation.c
+++ b/gcc/ipa-param-manipulation.c
@@ -1692,7 +1692,7 @@ ipa_param_body_adjustments::modify_call_stmt (gcall
**stmt_p)
if (tree lhs = gimple_call_lhs (stmt))
{
modify_expression (&lhs, false);
- gimple_call_set_lhs (new_stmt, lhs);
+ gimple_set_op (new_stmt, 0, lhs);
}
*stmt_p = new_stmt;
return true;
fixes this and the GC issue.
