[Bug target/110313] [14 Regression] GCN Fiji reload ICE in 'process_alt_operands'

[burnus at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110313

--- Comment #6 from Tobias Burnus <burnus at gcc dot gnu.org> ---
Some more debugging: We have:

(gdb) p debug_rtx(curr_id->insn)
(insn 106 3450 3080 4 (parallel [
            (set (reg/f:DI 1433)
                (plus:DI (reg/f:DI 16 s16 [3483])
                    (const_int -48 [0xffffffffffffffd0])))
            (clobber (reg:BI 1852))
            (clobber (reg:DI 1853))
        ]) "libgomp/testsuite/libgomp.c/../libgomp.c-c++-common/for-2.h":530:9
29 {adddi3}
     (expr_list:REG_UNUSED (reg:DI 1853)
        (expr_list:REG_UNUSED (reg:BI 1852)
            (nil))))

With:
 debug_rtx(*curr_id->operand_loc[0]) → (reg/f:DI 1433)
 debug_rtx(*curr_id->operand_loc[1]) → (reg/f:DI 16 s16 [3483])

where 3483 == ORIGINAL_REGNO (op) == ORIGINAL_REGNO(operand_reg[nop])
and lra_reg_info[3483] → Cannot access memory at address 0x43ad8a0

* * *

This seems to be gcn.md's:

(define_expand "adddi3_scc"
  [(parallel [(set (match_operand:DI 0 "register_operand")
                   (plus:DI (match_operand:DI 1 "register_operand")
                            (match_operand:DI 2 "nonmemory_operand")))
              (clobber (reg:BI SCC_REG))
              (clobber (scratch:DI))])]
  ""
  {})

* * *

The ORIGINAL_REGNO with value 3483 is created via

#0  init_raw_REG (x=x@entry=0x7ffff7829618, mode=mode@entry=E_DImode,
regno=regno@entry=3483)
    at emit-rtl.cc:477
#1  0x0000000000bca0e0 in gen_raw_REG (mode=mode@entry=E_DImode, regno=3483)
    at emit-rtl.cc:489
#2  0x0000000000bca97f in gen_reg_rtx (mode=mode@entry=E_DImode) at
emit-rtl.cc:1213
#3  0x000000000104039a in lra_create_new_reg_with_unique_value
(md_mode=md_mode@entry=E_DImode, original=original@entry=0x0,
rclass=rclass@entry=VGPR_REGS, 
    exclude_start_hard_regs=exclude_start_hard_regs@entry=0x0,
title=title@entry=0x2de1511 "base + disp")
    at lra.cc:192
#4  0x0000000001040807 in lra_create_new_reg (md_mode=E_DImode,
original=original@entry=0x0, rclass=rclass@entry=VGPR_REGS, 
    exclude_start_hard_regs=exclude_start_hard_regs@entry=0x0,
title=title@entry=0x2de1511 "base + disp")
    at lra.cc:233
#5  0x0000000001054d84 in base_plus_disp_to_reg (ad=ad@entry=0x7fffffffd1f0,
disp=0x7ffff78a0240)
    at lra-constraints.cc:3335
#6  0x0000000001063484 in process_address_1 (nop=nop@entry=1,
check_only_p=check_only_p@entry=false, before=before@entry=0x7fffffffd498,
after=after@entry=0x7fffffffd490)
    at lra-constraints.cc:3781
#7  0x0000000001063de5 in process_address (nop=nop@entry=1,
check_only_p=check_only_p@entry=false, before=before@entry=0x7fffffffd498,
after=after@entry=0x7fffffffd490)
    at lra-constraints.cc:3869
#8  0x0000000001068fb9 in curr_insn_transform
(check_only_p=check_only_p@entry=false)
    at lra-constraints.cc:4177
#9  0x000000000106d61c in lra_constraints (first_p=<optimized out>)
    at lra-constraints.cc:5397
#10 0x00000000010470e7 in lra (f=0x0) at lra.cc:2396
#11 0x0000000000fc1efb in do_reload () at ira.cc:5967

* * * 

lra_reg_info is first allocated in init_reg_info to:

  lra_reg_info = XNEWVEC (class lra_reg, reg_info_size);

and later possibly extended via expand_reg_info:

  lra_reg_info = XRESIZEVEC (class lra_reg, lra_reg_info, reg_info_size);


At the time of the backtrace above (call to init_raw_REG), we have:

reg_info_size == 3659  which is > 3483

and it is possible to print lra_reg_info[3483].

 * * *

However, the init_raw_REG is called many times with regno = 3483.

In the failing case (segfault), lra_reg_info is still 3659 but accessing
lra_reg_info[3483] fails.

Additionally lra_reg_info[0] shows: 'insn_bitmap = {static crashme' indicating
that memory has been released.