clang crashes on valid code at -O3 on x86_64-linux-gnu: Assertion `N->getOpcode() != ISD::DELETED_NODE && RV.getOpcode() != ISD::DELETED_NODE && "Node was deleted but visit returned new node!"' failed

[Quuxplusone]

Bugzilla Link	PR51298
Status	NEW
Importance	P enhancement
Reported by	Zhendong Su (zhendong.su@inf.ethz.ch)
Reported on	2021-08-01 05:34:52 -0700
Last modified on	2021-08-01 11:38:10 -0700
Version	trunk
Hardware	PC All
CC	llvm-bugs@lists.llvm.org, llvm-dev@redking.me.uk, spatel+llvm@rotateright.com
Fixed by commit(s)
Attachments
Blocks
Blocked by
See also

[544] % clangtk -v
clang version 14.0.0 (https://github.com/llvm/llvm-project.git
7d855605830f4a524f02b09d6891b351ff716782)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /local/suz-local/opfuzz/bin
Found candidate GCC installation: /usr/lib/gcc/i686-linux-gnu/8
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/6
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/6.5.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7.5.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7.5.0
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Candidate multilib: x32;@mx32
Selected multilib: .;@m64
[545] %
[545] % clangtk -O2 small.c
[546] %
[546] % clangtk -O3 small.c
clang-14: /local/suz-local/software/clangbuild/llvm-
project/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp:1572: void
{anonymous}::DAGCombiner::Run(llvm::CombineLevel): Assertion `N->getOpcode() !=
ISD::DELETED_NODE && RV.getOpcode() != ISD::DELETED_NODE && "Node was deleted
but visit returned new node!"' failed.
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash
backtrace, preprocessed source, and associated run script.
Stack dump:
0.  Program arguments: /local/suz-local/software/local/clang-trunk/bin/clang-14 -
cc1 -triple x86_64-unknown-linux-gnu -emit-obj --mrelax-relocations -disable-
free -main-file-name small.c -mrelocation-model static -mframe-pointer=none -
fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -munwind-
tables -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-
compilation-dir=/local/suz-local/software/emitesting/bugs/20210801-clangtk-m64-
O3-build-131529/delta -resource-dir /local/suz-local/software/local/clang-
trunk/lib/clang/14.0.0 -I /usr/local/include/csmith -I /local/suz-
local/software/local/include -internal-isystem /local/suz-
local/software/local/clang-trunk/lib/clang/14.0.0/include -internal-isystem
/usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-
gnu/7.5.0/../../../../x86_64-linux-gnu/include -internal-externc-isystem
/usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-
externc-isystem /usr/include -O3 -fdebug-compilation-dir=/local/suz-
local/software/emitesting/bugs/20210801-clangtk-m64-O3-build-131529/delta -
ferror-limit 19 -fgnuc-version=4.2.1 -fcolor-diagnostics -vectorize-loops -
vectorize-slp -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/small-a37cb3.o -x
c small.c
1.  <eof> parser at end of file
2.  Code generation
3.  Running pass 'Function Pass Manager' on module 'small.c'.
4.  Running pass 'X86 DAG->DAG Instruction Selection' on function '@main'
 #0 0x000055932b405bef PrintStackTraceSignalHandler(void*) Signals.cpp:0:0
 #1 0x000055932b40339d SignalHandler(int) Signals.cpp:0:0
 #2 0x00007f4c25250980 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12980)
 #3 0x00007f4c23f01fb7 raise /build/glibc-S9d2JN/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:51:0
 #4 0x00007f4c23f03921 abort /build/glibc-S9d2JN/glibc-2.27/stdlib/abort.c:81:0
 #5 0x00007f4c23ef348a __assert_fail_base /build/glibc-S9d2JN/glibc-2.27/assert/assert.c:89:0
 #6 0x00007f4c23ef3502 (/lib/x86_64-linux-gnu/libc.so.6+0x30502)
 #7 0x000055932c1f6b91 llvm::SelectionDAG::Combine(llvm::CombineLevel, llvm::AAResults*, llvm::CodeGenOpt::Level) (/local/suz-local/software/local/clang-trunk/bin/clang-14+0x47beb91)
 #8 0x000055932c2e0efd llvm::SelectionDAGISel::CodeGenAndEmitDAG() (/local/suz-local/software/local/clang-trunk/bin/clang-14+0x48a8efd)
 #9 0x000055932c2e45e3 llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) (/local/suz-local/software/local/clang-trunk/bin/clang-14+0x48ac5e3)
#10 0x000055932c2e6348
llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&)
(.part.958) SelectionDAGISel.cpp:0:0
#11 0x000055932a029241 (anonymous
namespace)::X86DAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&)
X86ISelDAGToDAG.cpp:0:0
#12 0x000055932a6ef8e6
llvm::MachineFunctionPass::runOnFunction(llvm::Function&) (/local/suz-
local/software/local/clang-trunk/bin/clang-14+0x2cb78e6)
#13 0x000055932ab8b866 llvm::FPPassManager::runOnFunction(llvm::Function&)
(/local/suz-local/software/local/clang-trunk/bin/clang-14+0x3153866)
#14 0x000055932ab8bbb9 llvm::FPPassManager::runOnModule(llvm::Module&)
(/local/suz-local/software/local/clang-trunk/bin/clang-14+0x3153bb9)
#15 0x000055932ab8ca10 llvm::legacy::PassManagerImpl::run(llvm::Module&)
(/local/suz-local/software/local/clang-trunk/bin/clang-14+0x3154a10)
#16 0x000055932b7088f5 (anonymous
namespace)::EmitAssemblyHelper::EmitAssemblyWithNewPassManager(clang::BackendAction,
std::unique_ptr<llvm::raw_pwrite_stream,
std::default_delete<llvm::raw_pwrite_stream> >) BackendUtil.cpp:0:0
#17 0x000055932b70c143 clang::EmitBackendOutput(clang::DiagnosticsEngine&,
clang::HeaderSearchOptions const&, clang::CodeGenOptions const&,
clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef,
llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream,
std::default_delete<llvm::raw_pwrite_stream> >) (/local/suz-
local/software/local/clang-trunk/bin/clang-14+0x3cd4143)
#18 0x000055932c3f7cea
clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) (/local/suz-
local/software/local/clang-trunk/bin/clang-14+0x49bfcea)
#19 0x000055932d2d0459 clang::ParseAST(clang::Sema&, bool, bool) (/local/suz-
local/software/local/clang-trunk/bin/clang-14+0x5898459)
#20 0x000055932c3f7e88 clang::CodeGenAction::ExecuteAction() (/local/suz-
local/software/local/clang-trunk/bin/clang-14+0x49bfe88)
#21 0x000055932bd44ff1 clang::FrontendAction::Execute() (/local/suz-
local/software/local/clang-trunk/bin/clang-14+0x430cff1)
#22 0x000055932bce126a
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/local/suz-
local/software/local/clang-trunk/bin/clang-14+0x42a926a)
#23 0x000055932be1464a
clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/local/suz-
local/software/local/clang-trunk/bin/clang-14+0x43dc64a)
#24 0x0000559328f126ec cc1_main(llvm::ArrayRef<char const*>, char const*,
void*) (/local/suz-local/software/local/clang-trunk/bin/clang-14+0x14da6ec)
#25 0x0000559328f0da99 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&)
driver.cpp:0:0
#26 0x0000559328e3b416 main (/local/suz-local/software/local/clang-
trunk/bin/clang-14+0x1403416)
#27 0x00007f4c23ee4bf7 __libc_start_main /build/glibc-S9d2JN/glibc-
2.27/csu/../csu/libc-start.c:344:0
#28 0x0000559328f0d60a _start (/local/suz-local/software/local/clang-
trunk/bin/clang-14+0x14d560a)
clang-14: error: unable to execute command: Aborted
clang-14: error: clang frontend command failed due to signal (use -v to see
invocation)
clang version 14.0.0 (https://github.com/llvm/llvm-project.git
7d855605830f4a524f02b09d6891b351ff716782)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /local/suz-local/opfuzz/bin
clang-14: note: diagnostic msg:
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-14: note: diagnostic msg: /tmp/small-0e647e.c
clang-14: note: diagnostic msg: /tmp/small-0e647e.sh
clang-14: note: diagnostic msg:

********************
[547] %
[547] % cat small.c
int printf(const char *, ...);
int a, c, d, f, g, h, i;
short b;
static int e = 1;
short j(int k) { return b ? b : b << k; }
void o() {
  int p[] = {};
  if (a)
    e = p[0];
}
int main() {
  int m;
L:
  for (; h < 1; h++)
    m = 0;
  for (; m < 8; m++)
    for (i = 0; i < 4; i++) {
      d--;
      g = f >> a;
      c = j(1) && 1;
      if (e)
        continue;
      printf("%d", i);
    }
  printf("8");
  if (a)
    goto L;
  return 0;
}

[Quuxplusone]

A somewhat more properly reduced repro:

--------

int printf(const char *, ...);
short a, b;
static int c = 2, d, h;
int e, f, g, i, j, k;
short l(int m) { return a ? a : a << m; }
void q() {
  for (; k; k++)
    c = g;
  c = 1;
}
int main() {
  int n;
L:
  for (; j < 1; j++)
    n = 0;
  for (; n < 10; n++) {
    h = 0;
    for (; h < 1; h++) {
      b = i * c;
      e = f = l(1) && 1;
      if (c)
        continue;
      printf("%d\n", d);
    }
  }
  printf("8");
  if (a)
    goto L;
  return 0;
}

[Quuxplusone]

This is the bugpoint reduction that fails in llc:

; ModuleID = 'bugpoint-reduced-simplified.bc'
source_filename = "fuzz.cpp"
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-
n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"

@a = external dso_local local_unnamed_addr global i32, align 4
@c = external dso_local local_unnamed_addr global i32, align 4
@d = external dso_local local_unnamed_addr global i32, align 4
@f = external dso_local local_unnamed_addr global i32, align 4
@g = external dso_local local_unnamed_addr global i32, align 4
@h = external dso_local local_unnamed_addr global i32, align 4
@i = external dso_local local_unnamed_addr global i32, align 4
@b = external dso_local local_unnamed_addr global i16, align 2

define dso_local void @main() local_unnamed_addr #0 {
entry:
  store i32 1, i32* @h, align 4
  %i = load i32, i32* @f, align 4
  %i1 = load i16, i16* @b, align 2
  %tobool.not.i.us = icmp eq i16 %i1, 0
  %shl.i.us = zext i1 %tobool.not.i.us to i16
  %cond.i.us = shl i16 %i1, %shl.i.us
  %tobool.us = icmp ne i16 %cond.i.us, 0
  %d.promoted = load i32, i32* @d, align 4
  %i2 = add i32 %d.promoted, -4
  %shr.us = ashr i32 %i, 0
  %conv.us = zext i1 %tobool.us to i32
  store i32 %i2, i32* @d, align 4
  store i32 %shr.us, i32* @g, align 4
  store i32 %conv.us, i32* @c, align 4
  store i32 0, i32* @i, align 4
  %i3 = load i16, i16* @b, align 2
  %tobool.not.i.us.1 = icmp eq i16 %i3, 0
  %shl.i.us.1 = zext i1 %tobool.not.i.us.1 to i16
  %cond.i.us.1 = shl i16 %i3, %shl.i.us.1
  %tobool.us.1 = icmp ne i16 %cond.i.us.1, 0
  %d.promoted.1 = load i32, i32* @d, align 4
  %conv.us.1 = zext i1 %tobool.us.1 to i32
  store i32 0, i32* @g, align 4
  store i32 %conv.us.1, i32* @c, align 4
  %i4 = load i32, i32* @f, align 4
  %i5 = load i32, i32* @a, align 4
  %d.promoted.2 = load i32, i32* @d, align 4
  %i6 = add i32 %d.promoted.2, -4
  %shr.us.2 = ashr i32 %i4, %i5
  store i32 %i6, i32* @d, align 4
  store i32 %shr.us.2, i32* @g, align 4
  %i7 = load i16, i16* @b, align 2
  %tobool.not.i.us.3 = icmp eq i16 %i7, 0
  %shl.i.us.3 = zext i1 %tobool.not.i.us.3 to i16
  %cond.i.us.3 = shl i16 %i7, %shl.i.us.3
  %tobool.us.3 = icmp ne i16 %cond.i.us.3, 0
  %d.promoted.3 = load i32, i32* @d, align 4
  %i8 = add i32 %d.promoted.3, -4
  %conv.us.3 = zext i1 %tobool.us.3 to i32
  store i32 %i8, i32* @d, align 4
  store i32 undef, i32* @g, align 4
  store i32 %conv.us.3, i32* @c, align 4, !tbaa !1
  %i9 = load i16, i16* @b, align 2
  %tobool.not.i.us.4 = icmp eq i16 %i9, 0
  %shl.i.us.4 = zext i1 %tobool.not.i.us.4 to i16
  %cond.i.us.4 = shl i16 %i9, %shl.i.us.4
  %tobool.us.4 = icmp ne i16 %cond.i.us.4, 0
  %d.promoted.4 = load i32, i32* @d, align 4
  %i10 = add i32 %d.promoted.4, -4
  %conv.us.4 = zext i1 %tobool.us.4 to i32
  store i32 %i10, i32* @d, align 4
  store i32 0, i32* @g, align 4
  store i32 %conv.us.4, i32* @c, align 4
  %i11 = load i32, i32* @f, align 4
  %d.promoted.5 = load i32, i32* @d, align 4
  %i12 = add i32 %d.promoted.5, -4
  %shr.us.5 = ashr i32 %i11, 0
  store i32 %i12, i32* @d, align 4
  store i32 %shr.us.5, i32* @g, align 4
  store i32 0, i32* @i, align 4
  store i32 0, i32* @g, align 4
  unreachable
}

attributes #0 = { "tune-cpu"="generic" }

!llvm.ident = !{!0}

!0 = !{!"clang version 13.0.0 (https://github.com/llvm/llvm-project.git
afc760ef3527ef783a9f14f53583df2de8f0bd84)"}
!1 = !{!2, !2, i64 0}
!2 = !{!"int", !3, i64 0}
!3 = !{!"omnipotent char", !4, i64 0}
!4 = !{!"Simple C++ TBAA"}