crash at -O2 on x86_64-linxu-gnu in both 32-bit and 64-bit modes (Loops should be in LCSSA form after loop-unroll.)

[Quuxplusone]

Bugzilla Link	PR27838
Status	NEW
Importance	P normal
Reported by	Chengnian Sun (chengniansun@gmail.com)
Reported on	2016-05-22 22:52:41 -0700
Last modified on	2016-08-03 17:54:52 -0700
Version	trunk
Hardware	PC All
CC	hans@chromium.org, hfinkel@anl.gov, llvm-bugs@lists.llvm.org, michael.v.zolotukhin@gmail.com, sanjoy@playingwithpointers.com
Fixed by commit(s)
Attachments
Blocks
Blocked by
See also

The following code crashes the trunk at -O2 in 32-bit and 64-bit modes on
x86_64-linux-gnu.

$: clang-trunk -v
clang version 3.9.0 (trunk 270354)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
Found candidate GCC installation: /usr/lib/gcc/i686-linux-gnu/4.9
Found candidate GCC installation: /usr/lib/gcc/i686-linux-gnu/4.9.3
Found candidate GCC installation: /usr/lib/gcc/i686-linux-gnu/5.3.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.4
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.4.7
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.6
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.6.4
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.7
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.7.3
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.8
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.8.5
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.9
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.9.3
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/5.3.0
Found candidate GCC installation: /usr/local/bin/../lib/gcc/x86_64-unknown-
linux-gnu/4.6.3
Found candidate GCC installation: /usr/local/bin/../lib/gcc/x86_64-unknown-
linux-gnu/4.7.4
Found candidate GCC installation: /usr/local/bin/../lib/gcc/x86_64-unknown-
linux-gnu/4.8.2
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.9
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Candidate multilib: x32;@mx32
Selected multilib: .;@m64
$:
$: clang-trunk -O2 -w small.c
clang-3.9: /tmp/llvm-builder/llvm-source-
trunk/lib/Transforms/Utils/LoopUnroll.cpp:676: bool
llvm::UnrollLoop(llvm::Loop*, unsigned int, unsigned int, bool, bool, unsigned
int, llvm::LoopInfo*, llvm::ScalarEvolution*, llvm::DominatorTree*,
llvm::AssumptionCache*, bool): Assertion `OuterL->isLCSSAForm(*DT) && "Loops
should be in LCSSA form after loop-unroll."' failed.
0  clang-3.9       0x0000000001de6ac5
llvm::sys::PrintStackTrace(llvm::raw_ostream&) + 37
1  clang-3.9       0x0000000001de4a56 llvm::sys::RunSignalHandlers() + 54
2  clang-3.9       0x0000000001de4c74
3  libpthread.so.0 0x00007faaf3cdc340
4  libc.so.6       0x00007faaf2efacc9 gsignal + 57
5  libc.so.6       0x00007faaf2efe0d8 abort + 328
6  libc.so.6       0x00007faaf2ef3b86
7  libc.so.6       0x00007faaf2ef3c32
8  clang-3.9       0x0000000001e43f98 llvm::UnrollLoop(llvm::Loop*, unsigned
int, unsigned int, bool, bool, unsigned int, llvm::LoopInfo*,
llvm::ScalarEvolution*, llvm::DominatorTree*, llvm::AssumptionCache*, bool) +
11752
9  clang-3.9       0x0000000001ce340e
10 clang-3.9       0x0000000001ce492c
11 clang-3.9       0x00000000026a5b3b
llvm::LPPassManager::runOnFunction(llvm::Function&) + 2011
12 clang-3.9       0x0000000001a51a63
llvm::FPPassManager::runOnFunction(llvm::Function&) + 643
13 clang-3.9       0x00000000026837f7
14 clang-3.9       0x0000000001a521a8
llvm::legacy::PassManagerImpl::run(llvm::Module&) + 872
15 clang-3.9       0x0000000001f34368
clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::CodeGenOptions
const&, clang::TargetOptions const&, clang::LangOptions const&,
llvm::DataLayout const&, llvm::Module*, clang::BackendAction,
llvm::raw_pwrite_stream*) + 4184
16 clang-3.9       0x000000000257487d
17 clang-3.9       0x00000000028d543d clang::ParseAST(clang::Sema&, bool, bool)
+ 845
18 clang-3.9       0x0000000002574bde clang::CodeGenAction::ExecuteAction() + 78
19 clang-3.9       0x000000000225330e clang::FrontendAction::Execute() + 286
20 clang-3.9       0x0000000002228fa6
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 310
21 clang-3.9       0x00000000022e1342
clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 2370
22 clang-3.9       0x0000000000ad91b8 cc1_main(llvm::ArrayRef<char const*>,
char const*, void*) + 3272
23 clang-3.9       0x0000000000a92d0e main + 6350
24 libc.so.6       0x00007faaf2ee5ec5 __libc_start_main + 245
25 clang-3.9       0x0000000000ad5224
Stack dump:
0.      Program arguments: /usr/local/clang-trunk/bin/clang-3.9 -cc1 -triple
x86_64-unknown-linux-gnu -emit-obj -disable-free -main-file-name small.c -
mrelocation-model static -mthread-model posix -fmath-errno -masm-verbose -
mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -momit-
leaf-frame-pointer -dwarf-column-info -debugger-tuning=gdb -resource-dir
/usr/local/clang-trunk/bin/../lib/clang/3.9.0 -internal-isystem
/usr/local/include -internal-isystem /usr/local/clang-
trunk/bin/../lib/clang/3.9.0/include -internal-externc-isystem
/usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-
externc-isystem /usr/include -O2 -w -fdebug-compilation-dir /data2/c-hunter-
results/C/instrument-bugs/REDUCED/20160522-clang-trunk-m64-g-O3-build-
171343/delta -ferror-limit 19 -fmessage-length 220 -fobjc-runtime=gcc -
fdiagnostics-show-option -fcolor-diagnostics -vectorize-loops -vectorize-slp -o
/tmp/small-aba209.o -x c small.c
1.      <eof> parser at end of file
2.      Per-module optimization passes
3.      Running pass 'CallGraph Pass Manager' on module 'small.c'.
4.      Running pass 'Loop Pass Manager' on function '@fn1'
5.      Running pass 'Unroll loops' on basic block '%for.cond5.preheader'
clang-3.9: error: unable to execute command: Aborted (core dumped)
clang-3.9: error: clang frontend command failed due to signal (use -v to see
invocation)
clang version 3.9.0 (trunk 270354)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
clang-3.9: note: diagnostic msg: PLEASE submit a bug report to
http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and
associated run script.
clang-3.9: note: diagnostic msg:
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-3.9: note: diagnostic msg: /tmp/small-2588f1.c
clang-3.9: note: diagnostic msg: /tmp/small-2588f1.sh
clang-3.9: note: diagnostic msg:

********************
$:
$: cat small.c
int *a;
char b = 3;
void fn1() {
  char c;
  for (; c - 2; c = c - 6) {
    b--;
    c = 6;
    for (; c >= 0; c--)
      for (; a; *a = 1)
        ;
    if (a)
      break;
  }
}

int main() {}
$:

[Quuxplusone]

Looks like the problem is in simplifyLoop function.

It doesn't always preserve LCSSA form, namely a call to
FoldBranchToCommonDest(BI) destroys it in the provided testcase
(LoopSimplify.cpp:661). The following patch fixes the issue:

diff --git a/lib/Transforms/Utils/LoopSimplify.cpp
b/lib/Transforms/Utils/LoopSimplify.cpp
index 63d4a04..fb5282c 100644
--- a/lib/Transforms/Utils/LoopSimplify.cpp
+++ b/lib/Transforms/Utils/LoopSimplify.cpp
@@ -658,7 +658,7 @@ ReprocessLoop:
       // The block has now been cleared of all instructions except for
       // a comparison and a conditional branch. SimplifyCFG may be able
       // to fold it now.
-      if (!FoldBranchToCommonDest(BI))
+      if (PreserveLCSSA || !FoldBranchToCommonDest(BI))
         continue;

       // Success. The block is now dead, so remove it from the loop,

I'm having troubles with writing a testcase for this though, probably becuase
of implicit dependencies that, when run, fix-up the test.

[Quuxplusone]

I can't reproruce this on 3.9 or trunk. Is it fixed?

[Quuxplusone]

I didn't commit the patch.

My guess is that the bug might be still there, but now it's concealed. I'll take another look at this soon.