llvm / llvm-project


clang crash(Segmentation fault) at -O2/3 (13 Regression) #68585

Open junweizeng opened 1 year ago

junweizeng commented 1 year ago

Clang at -O2/3 crashes.

Compiling this code at different optimization levels with different versions of clang, I found that -O2 triggers an internal compiler error (ICE) starting with clang-13.0.0, while -O3 triggers one starting with clang-15.0.0.

Compiler explorer: https://godbolt.org/z/s9rWe464P

$ cat test.c
int a[]; /* tentative definition with no size; clang warns it is assumed to have one element */
int b, c, d, g; /* b is rewritten by h(); c, d and g are loop counters in i() */
long e; /* loop guard read by i(); no statement in this listing assigns it */
/* Rewrites the global b in three dependent steps; each new value of b feeds the next array index. */
void h() {
  /* Parses as 5 ^ ((b & (b >> 8)) & 15): >> binds tighter than &, and & tighter than ^. */
  b = 5 ^ b & b >> 8 & 15;
  /* a is the unsized tentative array (assumed to have one element), so any b != 0 indexes outside it. */
  b = 8 ^ a[b];
  /* The mask limits the index to 0..15, which still exceeds a one-element array for nonzero values. */
  b = 8 ^ a[b & 15];
}
/*
 * Body of the reduced crash reproducer. The code is kept exactly as reported:
 * a reduced test case depends on its precise shape, so only comments are added.
 */
void i() {
  /* Seven initializers with a row width of 5 give a 2x5 array; the second row is zero-padded. */
  int f[][5] = {1, 5, 5, 5, 10, 10, 5};
  /* Runs while e is nonzero; nothing in this listing writes e. */
  for (; e;) {
    h();
    g = 4;
    /* The first pass reads f[4][4], outside the 2x5 array. That is undefined behaviour
       in the test program, but the compiler crashing on it is still a compiler bug. */
    for (; g; g--)
      if (f[g][g])
        ;
      else
        /* Empty infinite loop with no side effects. */
        for (;;)
          ;
    c = 0;
    /* 8 x 6 x 6 x 7 loop nest whose only work is calling h(), which rewrites b from a[] each time. */
    for (; c <= 7; c++) {
      d = 7;
      for (; d >= 2; d--)
        for (int k = 0; k < 6; k++)
          for (int j = 0; j < 7; j++)
            h();
    }
  }
}
$
$ clang-16 -O2 test.c
test.c:1:5: warning: tentative array definition assumed to have one element
int a[];
    ^
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.  Program arguments: /home/jwzeng/compilers/llvm/llvm-16.0.0/bin/clang-16 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name test.c -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=none -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -mllvm -treat-scalable-fixed-error-as-warning -debugger-tuning=gdb -fcoverage-compilation-dir=/home/jwzeng/workplace/compiler_testing/scripts/testing-20231008-100t8csmith-v3-ubuntu/result/crash-S_1113912547/reduce1 -resource-dir /home/jwzeng/compilers/llvm/llvm-16.0.0/lib/clang/16 -I /home/jwzeng/tools/csmith/include -internal-isystem /home/jwzeng/compilers/llvm/llvm-16.0.0/lib/clang/16/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/home/jwzeng/workplace/compiler_testing/scripts/testing-20231008-100t8csmith-v3-ubuntu/result/crash-S_1113912547/reduce1 -ferror-limit 19 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/test-ced2bc.o -x c test.c
1.  <eof> parser at end of file
2.  Optimizer
  #0 0x0000561623103b68 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/home/jwzeng/compilers/llvm/llvm-16.0.0/bin/clang-16+0x3103b68)
  #1 0x0000561623101aae llvm::sys::RunSignalHandlers() (/home/jwzeng/compilers/llvm/llvm-16.0.0/bin/clang-16+0x3101aae)
  #2 0x00005616231041ed SignalHandler(int) Signals.cpp:0:0
  #3 0x00007f74165fb520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
  #4 0x00005616225eb1f1 computeKnownBitsFromOperator(llvm::Operator const*, llvm::APInt const&, llvm::KnownBits&, unsigned int, (anonymous namespace)::Query const&) ValueTracking.cpp:0:0
  #5 0x00005616225d9de5 computeKnownBits(llvm::Value const*, llvm::APInt const&, llvm::KnownBits&, unsigned int, (anonymous namespace)::Query const&) ValueTracking.cpp:0:0
  #6 0x00005616225f3cd3 computeKnownBitsFromShiftOperator(llvm::Operator const*, llvm::APInt const&, llvm::KnownBits&, llvm::KnownBits&, unsigned int, (anonymous namespace)::Query const&, llvm::function_ref<llvm::KnownBits (llvm::KnownBits const&, llvm::KnownBits const&)>) ValueTracking.cpp:0:0
  #7 0x00005616225eb67c computeKnownBitsFromOperator(llvm::Operator const*, llvm::APInt const&, llvm::KnownBits&, unsigned int, (anonymous namespace)::Query const&) ValueTracking.cpp:0:0
  #8 0x00005616225d9de5 computeKnownBits(llvm::Value const*, llvm::APInt const&, llvm::KnownBits&, unsigned int, (anonymous namespace)::Query const&) ValueTracking.cpp:0:0
  #9 0x00005616225ebe2e computeKnownBitsFromOperator(llvm::Operator const*, llvm::APInt const&, llvm::KnownBits&, unsigned int, (anonymous namespace)::Query const&) ValueTracking.cpp:0:0
  ...
  ...
  ...
  #255 0x000056162258bfbc llvm::ScalarEvolution::getSCEVAtScope(llvm::SCEV const*, llvm::Loop const*) (/home/jwzeng/compilers/llvm/llvm-16.0.0/bin/clang-16+0x258bfbc)
clang-16: error: unable to execute command: Segmentation fault (core dumped)
clang-16: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 16.0.0
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/jwzeng/compilers/llvm/llvm-16.0.0/bin
clang-16: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-16: note: diagnostic msg: /tmp/test-321019.c
clang-16: note: diagnostic msg: /tmp/test-321019.sh
clang-16: note: diagnostic msg: 

********************
junweizeng commented 1 year ago

The code below is another reduced test case; it crashes only on clang-trunk.

int a[]; /* tentative definition with no size, as in the first test case */
int b, c, e, f, g; /* file-scope ints used as loop counters and as the value h() keeps rewriting (b) */
/*
 * Second reduced reproducer; per the report it crashes only on clang-trunk.
 * The code is unchanged, only comments are added.
 */
void h() {
  /* Seven initializers with a row width of 5 give a 2x5 array; the second row is zero-padded. */
  int d[][5] = {1, 5, 5, 5, 10, 10, 5};
  /* The inner loop below leaves e >= 5, so this condition is false once the body completes. */
  for (; e < 2;) {
    for (; e < 5; e++)
      b = 5;
    g = 4;
    /* The first pass reads d[4][4], outside the 2x5 array (undefined behaviour in the test program). */
    for (; g; g--)
      if (d[g][g])
        ;
      else
        /* Empty infinite loop with no side effects. */
        for (;;)
          ;
    c = 0;
    /* 8 x 6 x 6 x 7 loop nest; the innermost body rewrites b from a[] three times per iteration. */
    for (; c <= 7; c++) {
      f = 7;
      for (; f >= 2; f--)
        for (int i = 0; i < 6; i++)
          for (int j = 0; j < 7; j++) {
            /* Parses as (b & 5) ^ 5: & binds tighter than ^. */
            b = b & 5 ^ 5;
            /* a is the unsized tentative array; b is used as an index without any bounds check. */
            b = 8 ^ a[b];
            /* The mask limits the index to 0..15. */
            b = a[b & 15];
          }
    }
  }
}

Compiler explorer: https://godbolt.org/z/ozsaGKrnq

XChy commented 1 year ago

llvm-reduce IR:


@b = external global i32
; 2x5 constant: the seven initializers from the C array f followed by three zeros of padding.
@__const.i.f = constant [2 x [5 x i32]] [[5 x i32] [i32 1, i32 5, i32 5, i32 5, i32 10], [5 x i32] [i32 10, i32 5, i32 0, i32 0, i32 0]]
@c = external global i32
@d = external global i32
; Declared as a one-element array here, while the GEPs in @h index it through the type [0 x i32].
@a = external global [1 x i32]

; Two chained loads from @a: the value of @b indexes @a, the loaded value indexes @a
; again, and the second result is stored back to @b. Neither index is range-checked.
define void @h() {
entry:
  %0 = load i32, ptr @b, align 4
  %idxprom = sext i32 %0 to i64
  %arrayidx = getelementptr [0 x i32], ptr @a, i64 0, i64 %idxprom
  %1 = load i32, ptr %arrayidx, align 4
  ; The value just loaded from @a becomes the next index into @a.
  %idxprom4 = sext i32 %1 to i64
  %arrayidx5 = getelementptr [0 x i32], ptr @a, i64 0, i64 %idxprom4
  %2 = load i32, ptr %arrayidx5, align 4
  store i32 %2, ptr @b, align 4
  ret void
}

; llvm-reduce output for the C function i(). The outer loop guard has become the
; i1 parameter %tobool. The IR is kept byte-for-byte; only comments are added.
define void @i(i1 %tobool) {
entry:
  br label %for.cond

for.cond:                                         ; preds = %for.cond8, %entry
  ; Outer loop: continues while the parameter %tobool is true.
  br i1 %tobool, label %for.body, label %common.ret

for.body:                                         ; preds = %for.cond
  call void @h()
  br label %for.cond1

for.cond1:                                        ; preds = %for.body3, %for.body
  ; Entered from for.body with %0 = 4 and exit flag false; re-entered from for.body3
  ; with %0 = 0 and exit flag true.
  %tobool2.not = phi i1 [ false, %for.body ], [ true, %for.body3 ]
  %0 = phi i32 [ 4, %for.body ], [ 0, %for.body3 ]
  br i1 %tobool2.not, label %for.cond8, label %for.body3

for.body3:                                        ; preds = %for.cond1
  ; %0 is 4 whenever this block runs, so the GEP steps to row 4 of the two-row
  ; constant @__const.i.f, past its end.
  %idxprom = zext i32 %0 to i64
  %arrayidx = getelementptr [2 x [5 x i32]], ptr @__const.i.f, i64 0, i64 %idxprom
  %1 = load i32, ptr %arrayidx, align 4
  %tobool6.not = icmp eq i32 %1, 0
  br i1 %tobool6.not, label %common.ret, label %for.cond1

common.ret:                                       ; preds = %for.body3, %for.cond
  ret void

for.cond8:                                        ; preds = %for.inc27, %for.cond1
  ; %storemerge is written to @c, while the compared value %2 is what for.inc27
  ; reloaded from @c, so the loop bound is carried through memory.
  %storemerge = phi i32 [ %inc28, %for.inc27 ], [ 0, %for.cond1 ]
  %2 = phi i32 [ %7, %for.inc27 ], [ 0, %for.cond1 ]
  store i32 %storemerge, ptr @c, align 4
  %cmp = icmp slt i32 %2, 8
  br i1 %cmp, label %for.cond10, label %for.cond

for.cond10:                                       ; preds = %for.inc24, %for.cond8
  ; Same pattern for @d: %storemerge1 is stored, %3 is the value reloaded in for.inc24.
  %storemerge1 = phi i32 [ %dec25, %for.inc24 ], [ 7, %for.cond8 ]
  %3 = phi i32 [ %6, %for.inc24 ], [ 0, %for.cond8 ]
  store i32 %storemerge1, ptr @d, align 4
  %cmp11 = icmp sgt i32 %3, -1
  br i1 %cmp11, label %for.cond13, label %for.inc27

for.cond13:                                       ; preds = %for.inc21, %for.cond10
  ; Counted loop, 0 up to 6, held in a phi.
  %4 = phi i32 [ %inc22, %for.inc21 ], [ 0, %for.cond10 ]
  %cmp14 = icmp slt i32 %4, 6
  br i1 %cmp14, label %for.cond16, label %for.inc24

for.cond16:                                       ; preds = %for.body18, %for.cond13
  ; Innermost counted loop, 0 up to 7; its body only calls @h.
  %5 = phi i32 [ %inc, %for.body18 ], [ 0, %for.cond13 ]
  %cmp17 = icmp slt i32 %5, 7
  br i1 %cmp17, label %for.body18, label %for.inc21

for.body18:                                       ; preds = %for.cond16
  call void @h()
  %inc = add i32 %5, 1
  br label %for.cond16

for.inc21:                                        ; preds = %for.cond16
  %inc22 = add i32 %4, 1
  br label %for.cond13

for.inc24:                                        ; preds = %for.cond13
  ; Reloads @d after the inner loops have run.
  %6 = load i32, ptr @d, align 4
  %dec25 = add i32 %6, -1
  br label %for.cond10

for.inc27:                                        ; preds = %for.cond10
  ; Reloads @c after the inner loops have run.
  %7 = load i32, ptr @c, align 4
  %inc28 = add i32 %7, 1
  br label %for.cond8
}