Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/compile: panic: branch too far on arm64 #23889

Closed
ALTree opened this issue Feb 17, 2018 · 6 comments
Closed

cmd/compile: panic: branch too far on arm64 #23889

ALTree opened this issue Feb 17, 2018 · 6 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker
Milestone

Comments

@ALTree
Copy link
Member

ALTree commented Feb 17, 2018

$ go version
go version devel +549cb18a91 Sat Feb 17 04:38:14 2018 +0000 linux/amd64

The program at the end of this report crashes the tip compiler when built for arm64 with optimizations disabled, as GOARCH=arm64 go build -gcflags -N crash.go, with the following error:

# command-line-arguments
panic: branch too far

goroutine 8 [running]:
cmd/internal/obj/arm64.(*ctxt7).brdist(0xc00098ddc0, 0xc00014bae8, 0x0, 0xe, 0x2, 0xc0f94017e0)
	go/src/cmd/internal/obj/arm64/asm7.go:4672 +0x32a
cmd/internal/obj/arm64.(*ctxt7).asmout(0xc00098ddc0, 0xc00014bae8, 0xf9ec7e, 0xc00098dd50, 0x6, 0x6)
	go/src/cmd/internal/obj/arm64/asm7.go:2884 +0x5ab2
cmd/internal/obj/arm64.span7(0xc00000e240, 0xc0005a4070, 0xc00004e480)
	go/src/cmd/internal/obj/arm64/asm7.go:787 +0x951
cmd/internal/obj.Flushplist(0xc00000e240, 0xc00098df08, 0xc00004e480, 0x7ffdb24382fe, 0x16)
	go/src/cmd/internal/obj/plist.go:107 +0x6ca
cmd/compile/internal/gc.(*Progs).Flush(0xc000081f40)
	go/src/cmd/compile/internal/gc/gsubr.go:87 +0xc1
cmd/compile/internal/gc.compileSSA(0xc000001200, 0x1)
	go/src/cmd/compile/internal/gc/pgen.go:247 +0x188
cmd/compile/internal/gc.compileFunctions.func2(0xc00059ac60, 0xc0005284a0, 0x1)
	go/src/cmd/compile/internal/gc/pgen.go:288 +0x49
created by cmd/compile/internal/gc.compileFunctions
	go/src/cmd/compile/internal/gc/pgen.go:286 +0x11c

go tool compile says:

crash.go:62:3: branch too far 0x2000 vs 0x2000 [0x0]
00228 (crash.go:10)	TBZ	$63, R0, 32996
32996 (crash.go:10)	JMP	26972

The issue is not present in 1.10, and it was introduced in commit cdd9616 (cmd/compile: generate tbz/tbnz when comparing against zero on arm64).

Apologies for the reproducer length. The program was generated by a fuzzer and deleting any line makes the crash go away.

package p

func fun0() {
	var B0, B1, B2, B3, B4 bool
	var S0, S1 string
	var I0, I1, I2, I3, I4 int
	for true {
		var B5, B6 bool
		for !(S0 >= "ccc" || !true || I4 == I3) {
			var I5, I6 int
			var B7, B8 bool
			switch S0[8:10] + (S0) + (S0[1:12]) + (S1[2:15] + S0[5:24]) + (S0 + "ffffff") {
			case "bb" + S0[0:20] + S1 + (S1 + S1[8:23] + (S1[2:17])) + (S1[1:15] + S0[7:21] + (S0[6:11] + S1 + ("dddd" + S1[6:10]))):
				B3 = S0[8:23]+S0[0:23]+("dddd"+S1[7:21]+(S0[0:21]+S0[3:12]))+(S1+S1+(S1[0:16]+S1)) != "ffffff"+S1[1:18] || I2 < I6
				I2 = 50 + 70 + len([]int{len("eeeee")})
				S1 = S1[2:15] + S1 + (S1 + S1) + ("a" + "a")
				S1 = S0 + S0[0:10] + S0 + S0 + "dddd"
				B1 = I5+I6 > len([]string{S0[4:15] + S1, S0[1:8] + "dddd" + (S0[0:14] + S1), S0 + "ccc" + (S1 + "bb")})
				S0 = "eeeee" + S1[7:15] + ("bb" + S0 + (S0[7:22] + "a" + ("ccc" + S0[7:16] + (S0 + S0)) + (S1[2:8] + S1))) + (S1[8:14] + S1[7:19])
			}
			for len([]string{S1[3:11] + S1[0:15] + ("bb" + S0) + ("a" + S0), S1[2:18] + S1 + (S1[7:15] + S1) + (S1 + "eeeee") + (S0 + S1[8:21])}) >= len([]string{S0[0:14] + "eeeee"})+(I0+35+len(S0[2:24])) {
				var S2 string
				I0 = len(S1)
				B3 = false && B2
				B8 = S1 > S1
				B8 = "dddd" < S1[7:17]
				S1 = S0 + S1 + ("dddd" + S2[6:12] + (S2 + "ccc") + ("a" + S1[0:13] + (S1[8:15] + S2[0:14] + (S2[6:22] + S2)))) + (S2[6:10] + "eeeee" + (S2[3:22] + S0[2:22] + (S0[7:13] + S2[2:20])) + (S1 + S0[1:8] + (S0 + S1[6:13])) + (S0[0:12] + S0[2:14]) + (S0 + S0))
			}
			switch len([]bool{I4 > 25}) <= I1+len([]bool{}) || (B8 && B2) != B0 {
			case true && I6 < I0:
				S0 = S1[7:19] + S1[4:20] + (S0 + S1) + (S0[0:24] + S1) + ("eeeee" + S0 + ("a" + "ffffff" + (S1 + S0) + (S0[0:13] + S0[6:19] + (S1[7:11] + "ccc")) + (S1 + S1[1:15] + (S0[3:9] + "dddd") + (S1 + S1[6:22])) + (S0 + "ccc")) + (S0 + S0 + ("eeeee" + S1)))
				B1 = S1[7:8]+S1+(S1+S1[7:10]) == "eeeee"+S0
				I0 = len([]string{S0[6:9] + S0[8:14] + ("a" + "a"), S1 + S0 + (S0 + S0) + (S0 + S0 + (S0 + "bb" + ("bb" + S1)) + ("bb" + S1 + (S0[7:19] + S0[5:11])) + (S0 + S0[3:19] + (S0[6:21] + "bb" + (S1 + "a")) + (S1[0:15] + S0 + (S0[7:24] + S0 + ("bb" + "ffffff") + (S0 + "bb"))) + (S1[4:24] + S1[6:15] + ("bb" + S1[7:17])))), "eeeee" + S1 + (S0 + S1)})
				I4 = len(S1)
				S0 = "ffffff" + S1[8:23] + (S0[7:17] + "eeeee" + (S1 + S0[2:9]) + (S1[1:20] + S1) + (S0[6:17] + "bb")) + (S0[7:20] + S1[1:19] + (S1[8:9] + S0) + ("a" + S1[0:14])) + (S0[5:21] + S0 + (S1[8:17] + S0[5:9])) + ("ffffff" + S0 + (S0 + S0[4:16])) + (S0 + "eeeee")
				B3 = B1 && B0
				I5 = len([]bool{})
			}
			switch S0[0:9] + S0 + (S0[8:13] + "bb" + ("dddd" + S1 + (S0[6:23] + "eeeee") + (S0[7:9] + "ffffff")) + ("bb" + S0[3:23])) + (S1[0:21] + "dddd" + (S0 + S1 + (S1 + S0[3:15]))) {
			case S1[6:8] + S1:
				S1 = "ffffff" + S0 + ("ccc" + S1[2:12] + (S0 + S1)) + (S0 + "a") + (S0 + S0 + (S0 + "eeeee")) + (S1 + S1[2:10] + (S0 + S0 + (S1[6:18] + "eeeee") + (S0[5:16] + S1 + (S1[0:24] + "a")))) + ("a" + S0 + (S1[7:19] + "a" + (S0[2:20] + S1[4:22] + (S1 + S1[2:14])) + (S0 + S1[6:20] + (S0[7:13] + S0 + (S1 + "ccc" + ("ccc" + S1 + (S0 + S0))))) + (S1 + "ccc")))
				S0 = S0[6:14] + S1 + (S0[5:18] + S0) + (S0 + S1[7:23] + (S1 + "a" + (S0[2:19] + S1) + (S1[5:11] + "eeeee" + ("ccc" + "bb")))) + ("bb" + S0[5:23] + (S0 + S0))
				B8 = I6 != I3
				S0 = S0 + S1 + ("ffffff" + S1 + (S0 + S0[2:22]))
				I6 = I3 + I3 - len([]int{I0 - 57, -19, len([]int{+89 + (len(S1[6:10]) - (I6 - I1)), len("a")})})
				I6 = len("ccc") - (I0 - I3 + (2 + I1 + len(S1[8:21]) - (len([]int{len([]int{len([]bool{B3 != B6, false || true}), I3 - 0, len(S0[5:13]), len([]bool{S1 != S0, I5 < I5, 81 > I1})}), -I0}) - len([]int{len([]string{S0 + S0}), len([]bool{I1 >= I5 || !B7, B4 && B5}), len(S0[0:12])}))))
				B8 = !(-(+18 + (88 - I1)) <= 16-I6) && (!(26 <= I4) || S1+S0+("a"+S1+("ccc"+S0)) > S0+"ffffff"+("eeeee"+S1)+(S1[5:24]+S1[7:19]+(S0+S0[2:22]+(S0+"eeeee"+(S0+S0)+(S1[5:9]+S0[2:13]))+(S1+S0))))
			}
			I4 = len([]int{len([]string{S1 + S1, "bb" + S1 + (S0[2:20] + S0[0:15]) + (S0 + "dddd" + (S0[1:12] + S0) + (S0 + S0[2:14]) + (S0 + "eeeee"))}) + len([]int{}), len("ccc")}) + len("eeeee")
			B0 = !(((B5 || B7) && "dddd" <= "dddd" || S1[7:8]+S1[1:24]+(S0+S1+("ffffff"+"dddd")+("ccc"+S1))+(S1[2:19]+"ffffff")+(S1[8:21]+S1[8:21]+("a"+S1[5:9]+("ccc"+"ffffff"))) <= S1+"dddd") && S0[7:23]+S1[8:9]+("dddd"+"ffffff") == S0[3:18]+S1) != (S0[5:15]+S1 > S1[4:23]+S1[5:9]+(S0[3:12]+S0[0:16]) && (!(I0 >= 30) && "eeeee"+"eeeee" == "bb"+S1))
		}
		var S2, S3 string
		switch len([]string{}) {
		case len(S0[8:24]):
			S1 = "ffffff" + S1[0:14] + (S1[2:23] + "eeeee") + (S3 + S1 + ("ccc" + S0) + ("bb" + S0[5:17]) + (S0 + S2)) + (S1 + S1 + (S2[8:13] + S3 + ("ffffff" + S3) + (S3 + S2 + (S0 + S3[6:8] + (S2[4:24] + S3) + (S3[2:19] + S1[5:15])))))
			S2 = S2[7:18] + S1[4:21]
			S2 = S2 + "bb" + (S3[1:10] + "eeeee" + (S3[1:23] + S1 + (S0[1:23] + S1) + (S2[5:20] + S1[2:18] + (S2[3:22] + "dddd") + (S0 + S2[4:14] + (S1 + S0[8:20]))) + (S3 + S0)))
			S1 = S1 + S2[6:24] + ("eeeee" + S3 + (S3 + S1 + (S0 + S3[4:8]) + (S3 + S2[8:14])) + (S1[4:8] + S3 + (S1 + S3[1:23] + (S2 + S3)) + ("a" + S0[7:21])))
		}
		for I4+len([]string{"bb" + S0}) != -((I1+I4)+len([]bool{!B2, !B5, "bb"+S1 >= S1[4:16]+"ffffff"})) || 95 > I1 {
			S0 = S0[1:24] + S3[1:10] + ("ccc" + S2[3:9] + ("ffffff" + S0)) + ("a" + S0[2:8]) + (S2[4:14] + "a" + (S2 + S0[6:12]))
		}
	}
}
@ALTree ALTree added this to the Go1.11 milestone Feb 17, 2018
@ALTree
Copy link
Member Author

ALTree commented Feb 17, 2018

Oh, I found another, much bigger reproducer that causes the crash even without -N.

prog5139950150760489618.go:3568:37: branch too far 0x21aa vs 0x2000 [0x0]
04048 (prog5139950150760489618.go:732)	TBZ	$63, R0, 38520
38520 (prog5139950150760489618.go:735)	MOVD	$""..autotmp_4462-25600(SP), R17

So this has nothing to do with optimizations, it just happen to be easier to trigger when optimizations are disabled.

@ALTree ALTree changed the title cmd/compile: panic: branch too far on arm64 with -N cmd/compile: panic: branch too far on arm64 Feb 17, 2018
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/94902 mentions this issue: cmd/internal/obj/arm64: fix branch-too-far with TBZ like instructions

@kraj
Copy link

kraj commented Mar 3, 2018

btw. I see this issue while compiling influxdb master using 1.10 on aarch64 and the patch above fixes the problem. So it might be a candidate for backport to 1.10 release.

| # github.com/influxdata/influxdb/tests
| panic: branch too far
|
| goroutine 70 [running]:
| cmd/internal/obj/arm64.(*ctxt7).brdist(0xc421e63dc0, 0xc4202fafa0, 0x0, 0xe, 0x2, 0xf943afe0)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/internal/obj/arm64/asm7.go:4616 +0x32a
| cmd/internal/obj/arm64.(*ctxt7).asmout(0xc421e63dc0, 0xc4202fafa0, 0xfa1922, 0xc421e63d50, 0x6, 0x6)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/internal/obj/arm64/asm7.go:2855 +0xcf0
| cmd/internal/obj/arm64.span7(0xc42039e000, 0xc4217db650, 0xc421770250)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/internal/obj/arm64/asm7.go:760 +0x951
| cmd/internal/obj.Flushplist(0xc42039e000, 0xc421e63f08, 0xc421770250, 0x7ffe8e8b440c, 0x24)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/internal/obj/plist.go:107 +0x6ca
| cmd/compile/internal/gc.(*Progs).Flush(0xc421dd4e10)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/compile/internal/gc/gsubr.go:87 +0xc1
| cmd/compile/internal/gc.compileSSA(0xc4200e3c80, 0x3)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/compile/internal/gc/pgen.go:248 +0x188
| cmd/compile/internal/gc.compileFunctions.func2(0xc4217fd9e0, 0xc4217d2b90, 0x3)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/compile/internal/gc/pgen.go:289 +0x49
| created by cmd/compile/internal/gc.compileFunctions
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/compile/internal/gc/pgen.go:287 +0x11c

@bronze1man
Copy link
Contributor

bronze1man commented Jun 8, 2018

@gopherbot please consider this for backport to 1.10. I just come cross this bug in my ios project with go version go1.10.3 darwin/amd64.

Follow golang version do not have this bug in my ios project:
go version go1.9.2 darwin/amd64
go version go1.9.7 darwin/amd64

@gopherbot
Copy link
Contributor

Backport issue(s) opened: #25794 (for 1.10).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/147057 mentions this issue: [release-branch.go1.10] cmd/internal/obj/arm64: fix branch-too-far with TBZ like instructions

gopherbot pushed a commit that referenced this issue Nov 2, 2018
…th TBZ like instructions

The compiler now emits TBZ like instructions, but the assembler's
too-far-branch patch code didn't include that case. Add it.

Updates #23889
Fixes #25794

Change-Id: Ib75f9250c660b9fb652835fbc83263a5d5073dc5
Reviewed-on: https://go-review.googlesource.com/94902
Run-TryBot: Cherry Zhang <cherryyz@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>
(cherry picked from commit 911839c)
Reviewed-on: https://go-review.googlesource.com/c/147057
Reviewed-by: Cherry Zhang <cherryyz@google.com>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
@golang golang locked and limited conversation to collaborators Nov 2, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker
Projects
None yet
Development

No branches or pull requests

4 participants