Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Segfault in ARM instruction scheduling #58911

Closed
ostannard opened this issue Nov 10, 2022 · 3 comments
Closed

Segfault in ARM instruction scheduling #58911

ostannard opened this issue Nov 10, 2022 · 3 comments
Labels
crash Prefer [crash-on-valid] or [crash-on-invalid] llvm:codegen

Comments

@ostannard
Copy link
Collaborator

ostannard commented Nov 10, 2022
edited by VoltrexKeyva
Loading

This code causes a segfault during instruction scheduling when compiled for armv7-a or armv8-a at most optimisation levels:

volatile long long a;
unsigned d;

void f() {
  a = 0;
  a = d ? -(long long)d : d;
}
$ ../ac6/build-llvm-dbg/bin/clang --target=arm-none-eabi -march=armv7-a -c test.c -O1
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.      Program arguments: ../ac6/build-llvm-dbg/bin/clang --target=arm-none-eabi -march=armv7-a -c test.c -O1
1.      <eof> parser at end of file
2.      Code generation
3.      Running pass 'Function Pass Manager' on module 'test.c'.
4.      Running pass 'ARM Instruction Selection' on function '@f'
 #0 0x000055ea48d9eb4e llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (.localalias) /work/ac6/main/llvm/lib/Support/Unix/Signals.inc:569:22
 #1 0x000055ea48d9ec09 PrintStackTraceSignalHandler(void*) /work/ac6/main/llvm/lib/Support/Unix/Signals.inc:636:1
 #2 0x000055ea48d9c814 llvm::sys::RunSignalHandlers() (.localalias) /work/ac6/main/llvm/lib/Support/Signals.cpp:104:20
 #3 0x000055ea48d9e35b llvm::sys::CleanupOnSignal(unsigned long) /work/ac6/main/llvm/lib/Support/Unix/Signals.inc:361:31
 #4 0x000055ea48caac81 (anonymous namespace)::CrashRecoveryContextImpl::HandleCrash(int, unsigned long) /work/ac6/main/llvm/lib/Support/CrashRecoveryContext.cpp:77:5
 #5 0x000055ea48cab1fc CrashRecoverySignalHandler(int) /work/ac6/main/llvm/lib/Support/CrashRecoveryContext.cpp:398:1
 #6 0x00007f1cd7e01420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
 #7 0x000055ea456847b6 llvm::TargetRegisterClass::getID() const /work/ac6/main/llvm/include/llvm/CodeGen/TargetRegisterInfo.h:75:35
 #8 0x000055ea4aa2bf22 (anonymous namespace)::RegReductionPQBase::unscheduledNode(llvm::SUnit*) /work/ac6/main/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:2309:56
 #9 0x000055ea4aa26127 (anonymous namespace)::ScheduleDAGRRList::UnscheduleNodeBottomUp(llvm::SUnit*) /work/ac6/main/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:923:1
#10 0x000055ea4aa2634a (anonymous namespace)::ScheduleDAGRRList::BacktrackBottomUp(llvm::SUnit*, llvm::SUnit*) /work/ac6/main/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:955:5
#11 0x000055ea4aa296ad (anonymous namespace)::ScheduleDAGRRList::PickNodeToScheduleBottomUp() /work/ac6/main/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:1531:17
#12 0x000055ea4aa29f9c (anonymous namespace)::ScheduleDAGRRList::ListScheduleBottomUp() /work/ac6/main/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:1630:43
#13 0x000055ea4aa23db6 (anonymous namespace)::ScheduleDAGRRList::Schedule() /work/ac6/main/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:383:3
#14 0x000055ea4aa355d1 llvm::ScheduleDAGSDNodes::Run(llvm::SelectionDAG*, llvm::MachineBasicBlock*) /work/ac6/main/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGSDNodes.cpp:64:1
#15 0x000055ea4aa0a4fd llvm::SelectionDAGISel::CodeGenAndEmitDAG() (.localalias) /work/ac6/main/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:950:61
#16 0x000055ea4aa0899b llvm::SelectionDAGISel::SelectBasicBlock(llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void>, false, true>, llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void>, false, true>, bool&) (.localalias) /work/ac6/main/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:688:1
#17 0x000055ea4aa0d8be llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) (.localalias) /work/ac6/main/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1603:33
#18 0x000055ea4aa0743f llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) (.localalias) /work/ac6/main/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:468:7
#19 0x000055ea4626dd52 (anonymous namespace)::ARMDAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) /work/ac6/main/llvm/lib/Target/ARM/ARMISelDAGToDAG.cpp:67:12
#20 0x000055ea47b09908 llvm::MachineFunctionPass::runOnFunction(llvm::Function&) (.localalias) /work/ac6/main/llvm/lib/CodeGen/MachineFunctionPass.cpp:91:33
#21 0x000055ea48249ece llvm::FPPassManager::runOnFunction(llvm::Function&) (.localalias) /work/ac6/main/llvm/lib/IR/LegacyPassManager.cpp:1430:20
#22 0x000055ea4824a197 llvm::FPPassManager::runOnModule(llvm::Module&) (.localalias) /work/ac6/main/llvm/lib/IR/LegacyPassManager.cpp:1476:13
#23 0x000055ea4824a609 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /work/ac6/main/llvm/lib/IR/LegacyPassManager.cpp:1545:20
#24 0x000055ea4824552a llvm::legacy::PassManagerImpl::run(llvm::Module&) (.localalias) /work/ac6/main/llvm/lib/IR/LegacyPassManager.cpp:535:13
#25 0x000055ea4824aedf llvm::legacy::PassManager::run(llvm::Module&) /work/ac6/main/llvm/lib/IR/LegacyPassManager.cpp:1673:1
#26 0x000055ea49c8ca02 (anonymous namespace)::EmitAssemblyHelper::RunCodegenPipeline(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >&, std::unique_ptr<llvm::ToolOutputFile, std::default_delete<llvm::ToolOutputFile> >&) /work/ac6/main/clang/lib/CodeGen/BackendUtil.cpp:1062:51
#27 0x000055ea49c8cc0a (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /work/ac6/main/clang/lib/CodeGen/BackendUtil.cpp:1087:17
#28 0x000055ea49c8dc84 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /work/ac6/main/clang/lib/CodeGen/BackendUtil.cpp:1243:25
#29 0x000055ea4a28b216 clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) /work/ac6/main/clang/lib/CodeGen/CodeGenAction.cpp:381:24
#30 0x000055ea4c819ac9 clang::ParseAST(clang::Sema&, bool, bool) (.localalias) /work/ac6/main/clang/lib/Parse/ParseAST.cpp:203:14
#31 0x000055ea4a0c8005 clang::ASTFrontendAction::ExecuteAction() (.localalias) /work/ac6/main/clang/lib/Frontend/FrontendAction.cpp:1162:11
#32 0x000055ea4a287638 clang::CodeGenAction::ExecuteAction() (.localalias) /work/ac6/main/clang/lib/CodeGen/CodeGenAction.cpp:1171:5
#33 0x000055ea4a0c78c4 clang::FrontendAction::Execute() /work/ac6/main/clang/lib/Frontend/FrontendAction.cpp:1059:38
#34 0x000055ea49ff312b clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (.localalias) /work/ac6/main/clang/lib/Frontend/CompilerInstance.cpp:1044:42
#35 0x000055ea4a273071 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /work/ac6/main/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:266:38
#36 0x000055ea4558021a cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /work/ac6/main/clang/tools/driver/cc1_main.cpp:250:40
#37 0x000055ea4556e15a ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) /work/ac6/main/clang/tools/driver/driver.cpp:319:20
#38 0x000055ea49eaae8f clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, bool*) const::'lambda'()::operator()() const /work/ac6/main/clang/lib/Driver/Job.cpp:428:32
#39 0x000055ea49eab49b void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, bool*) const::'lambda'()>(long) /work/ac6/main/llvm/include/llvm/ADT/STLFunctionalExtras.h:46:40
#40 0x000055ea479033e4 llvm::function_ref<void ()>::operator()() const /work/ac6/main/llvm/include/llvm/ADT/STLFunctionalExtras.h:68:62
#41 0x000055ea48cab40e llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (.localalias) /work/ac6/main/llvm/lib/Support/CrashRecoveryContext.cpp:434:10
#42 0x000055ea49eab0ad clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, bool*) const (.localalias) /work/ac6/main/clang/lib/Driver/Job.cpp:428:7
#43 0x000055ea49e46680 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (.localalias) /work/ac6/main/clang/lib/Driver/Compilation.cpp:200:22
#44 0x000055ea49e46a0e clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&, bool) const /work/ac6/main/clang/lib/Driver/Compilation.cpp:254:62
#45 0x000055ea49e58e65 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&) /work/ac6/main/clang/lib/Driver/Driver.cpp:1820:28
#46 0x000055ea4556f72b clang_main(int, char**) /work/ac6/main/clang/tools/driver/driver.cpp:520:39
#47 0x000055ea4559f57c main /work/ac6/build-llvm-dbg/tools/clang/tools/driver/clang-driver.cpp:11:63
#48 0x00007f1cd787f083 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24083)
#49 0x000055ea4556c7ee _start (../ac6/build-llvm-dbg/bin/clang+0xba677ee)
clang-16: error: clang frontend command failed with exit code 139 (use -v to see invocation)
clang version 16.0.0 (ssh://omitted)
Target: arm-none-unknown-eabi
Thread model: posix
InstalledDir: /work/scratch/../ac6/build-llvm-dbg/bin
clang-16: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-16: note: diagnostic msg: /tmp/test-998406.c
clang-16: note: diagnostic msg: /tmp/test-998406.sh
clang-16: note: diagnostic msg: 

********************
@ostannard ostannard added backend:ARM crash Prefer [crash-on-valid] or [crash-on-invalid] labels Nov 10, 2022
@llvmbot
Copy link
Collaborator

llvmbot commented Nov 10, 2022

@llvm/issue-subscribers-backend-arm

@fzhinkin
Copy link
Contributor

The crash happened on attempt to unschedule STOREDUAL's predecessor which appeared to be REG_SEQUENCE.
REG_SEQUENCE node is untyped, TargetLowering::getRepRegClassFor returned nullptr and its dereference caused the crash.

SelectionDAG has 28 nodes:
  t0: ch,glue = EntryToken
  t22: i32 = MOVi TargetConstant:i32<0>, TargetConstant:i32<14>, Register:i32 $noreg, Register:i32 $noreg
  t59: i32 = MOVi32imm TargetGlobalAddress:i32<ptr @a> 0
    t57: i32 = MOVi32imm TargetGlobalAddress:i32<ptr @d> 0
  t26: i32,ch = LDRi12<Mem:(dereferenceable load (s32) from @d, !tbaa !8)> t57, TargetConstant:i32<0>, TargetConstant:i32<14>, Register:i32 $noreg, t0
  t52: i32,i32 = RSBSri t26, TargetConstant:i32<0>, TargetConstant:i32<14>, Register:i32 $noreg
            t61: i32,glue = CMPri t26, TargetConstant:i32<0>, TargetConstant:i32<14>, Register:i32 $noreg
          t62: i32 = MOVCCr t26, t52, TargetConstant:i32<1>, Register:i32 $cpsr, t61:1
              t75: ch,glue = CopyToReg t0, Register:i32 $cpsr, t52:1
            t46: i32,i32 = SBCri t22, TargetConstant:i32<0>, TargetConstant:i32<14>, Register:i32 $noreg, Register:i32 $noreg, t75:1
            t64: i32,glue = CMPri t26, TargetConstant:i32<0>, TargetConstant:i32<14>, Register:i32 $noreg
          t65: i32 = MOVCCr t26, t46, TargetConstant:i32<1>, Register:i32 $cpsr, t64:1
        t72: Untyped = REG_SEQUENCE TargetConstant:i32<53>, t62, TargetConstant:i32<9>, t65, TargetConstant:i32<10>
          t76: Untyped = REG_SEQUENCE TargetConstant:i32<53>, t22, TargetConstant:i32<9>, t22, TargetConstant:i32<10>
        t77: ch = STOREDUAL<Mem:(volatile store (s64) into @a, !tbaa !4)> t76, t59, Register:i32 $noreg, TargetConstant:i32<0>, t0
      t73: ch = STOREDUAL<Mem:(volatile store (s64) into @a, !tbaa !4)> t72, t59, Register:i32 $noreg, TargetConstant:i32<0>, t77
    t21: ch = TokenFactor t73, t26:1
  t14: ch = BX_RET TargetConstant:i32<14>, Register:i32 $noreg, t21

...

Examining Available:
*** Unscheduling [7]: SU(7): t22: i32 = MOVi TargetConstant:i32<0>, TargetConstant:i32<14>, Register:i32 $noreg, Register:i32 $noreg

GPR: 3 / 9
*** Unscheduling [6]: SU(6): t76: Untyped = REG_SEQUENCE TargetConstant:i32<53>, t22, TargetConstant:i32<9>, t22, TargetConstant:i32<10>

*** Unscheduling [6]: SU(8): t59: i32 = MOVi32imm TargetGlobalAddress:i32<ptr @a> 0

GPR: 3 / 9
*** Unscheduling [4]: SU(5): t77: ch = STOREDUAL<Mem:(volatile store (s64) into @a, !tbaa !4)> t76, t59, Register:i32 $noreg, TargetConstant:i32<0>, t0

<crash>

Possible fix: https://reviews.llvm.org/D138837

fzhinkin added a commit that referenced this issue Dec 30, 2022
@fzhinkin
[ScheduleDAG] Support REQ_SEQUENCE unscheduling
98265db 
REG_SEQUENCE node requires special treatment during the
unscheduling because the node is untyped and neither its
class, nor cost could be retrieved the same way as for
typed nodes.

Related issue: #58911

Reviewed By: efriedma

Differential Revision: https://reviews.llvm.org/D138837
CarlosAlbertoEnciso pushed a commit to SNSystems/llvm-debuginfo-analyzer that referenced this issue Dec 31, 2022
@fzhinkin @CarlosAlbertoEnciso
[ScheduleDAG] Support REQ_SEQUENCE unscheduling
6cc87ed 
REG_SEQUENCE node requires special treatment during the
unscheduling because the node is untyped and neither its
class, nor cost could be retrieved the same way as for
typed nodes.

Related issue: llvm/llvm-project#58911

Reviewed By: efriedma

Differential Revision: https://reviews.llvm.org/D138837
@john-brawn-arm
Copy link
Collaborator

This example no longer segfaults, closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
crash Prefer [crash-on-valid] or [crash-on-invalid] llvm:codegen
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ostannard @EugeneZelenko @fzhinkin @john-brawn-arm @llvmbot