https://blogs.gentoo.org/ago/2020/07/04/gentoo-tinderbox/
Issue: dev-libs/libcdada-0.6.0 fails tests.
Discovered on: amd64 (internal ref: ci)
Info about the issue: https://wiki.gentoo.org/wiki/Project:Tinderbox/Common_Issues_Helper#CF0015
Created attachment 898342: build.log (build log and emerge --info)
Created attachment 898343: 1-test-suite.log
Error(s) that match a known pattern in addition to what has been reported in the summary:
```
../build-aux/test-driver: line 112: 1406 Segmentation fault "$@" >> "$log_file" 2>&1
../build-aux/test-driver: line 112: 1413 Segmentation fault "$@" >> "$log_file" 2>&1
FAIL: map_gen_test
FAIL: map_test
```
I can reproduce it with GCC 14, however, all tests pass for me with GCC 15.
Some older GCC 15 versions make tests fail as well. I manually bisected through my binary gcc packages:
- Gentoo 15.0.0_pre20240505 p1 fails
- Gentoo 15.0.0_pre20240512 p1 fails
- Gentoo 15.0.0_pre20240519 p1 pass
- Gentoo 15.0.0_pre20240526 p1 pass
- Gentoo 15.0.0_pre20240616 p4 pass
- Gentoo 15.0.0_pre20240721 p6 pass
The tests pass since GCC commit 99b1daae18c0 ("tree-optimization/114589 - remove profile based sink heuristics"). https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=99b1daae18c095d6c94d32efb77442838e11cbfb
(In reply to Petr Vaněk from comment #6)
> The tests pass since GCC commit 99b1daae18c0 ("tree-optimization/114589 -
> remove profile based sink heuristics").
>
> https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=99b1daae18c095d6c94d32efb77442838e11cbfb

OK, so probably a chance thing (becomes latent now). Can you get a verbose backtrace next for the crash, then also check with asan+ubsan and valgrind?
I bisected gcc to the point where it produces segfaulting code, which is since commit 10478270fe0c ("ipa-sra: Treat REFERENCE_TYPES as always dereferencable"). libcdada basically passes (void*)0x123 to the std::map::find method, which segfaults the binary when it is dereferenced.

Just out of curiosity, I reduced the code to a minimal reproducer:

```c++
struct _Rb_tree_iterator {
  _Rb_tree_iterator(int) {}
} typedef *_Link_type;
_Link_type _M_lower_bound___x;
int _M_lower_bound___y;
_Rb_tree_iterator _M_lower_bound(int __k) {
  while (_M_lower_bound___x)
    if (__k)
      _M_lower_bound___x = 0;
  return _M_lower_bound___y;
}
struct {
  _Rb_tree_iterator find(int __k) {
    _Rb_tree_iterator __j = _M_lower_bound(__k);
    return __j;
  }
} _M_t;
_Rb_tree_iterator find(int __x) { return _M_t.find(__x); }
int main() {
  // 291 == 0x123: the reproducer reads through this invalid address on purpose
  _Rb_tree_iterator main_it = find(*(int *)291);
  return 3;
}
```

The test can be reproduced with the following commands:

```
g++-14 -O2 -o map_test map_test.cpp && ./map_test # segfaults
g++-15 -O2 -o map_test map_test.cpp && ./map_test # exits with 3
```

The -O2 is important, both outputs segfault with -O0 or -O1.

The difference in the result is because GCC 14 first moves the content of the 0x123 address to the eax register and then jumps based on the earlier comparison

```
0000000000001040 <main>:
    1040: f3 0f 1e fa             endbr64
    1044: 48 83 3d d4 2f 00 00    cmpq   $0x0,0x2fd4(%rip)        # 4020 <_M_lower_bound___x>
    104b: 00
    104c: 8b 04 25 23 01 00 00    mov    0x123,%eax
    1053: 74 16                   je     106b <main+0x2b>
    1055: 85 c0                   test   %eax,%eax
    1057: 75 07                   jne    1060 <main+0x20>
    1059: eb fe                   jmp    1059 <main+0x19>
    105b: 0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
    1060: 48 c7 05 b5 2f 00 00    movq   $0x0,0x2fb5(%rip)        # 4020 <_M_lower_bound___x>
    ...
```

However, GCC 15 produced .text which directly jumps after a comparison and thus it skips the move because the map is empty.

```
0000000000001040 <main>:
    1040: f3 0f 1e fa             endbr64
    1044: 48 83 3d d4 2f 00 00    cmpq   $0x0,0x2fd4(%rip)        # 4020 <_M_lower_bound___x>
    104b: 00
    104c: 74 1d                   je     106b <main+0x2b>
    104e: 8b 04 25 23 01 00 00    mov    0x123,%eax
    1055: 85 c0                   test   %eax,%eax
    1057: 75 07                   jne    1060 <main+0x20>
    1059: eb fe                   jmp    1059 <main+0x19>
    105b: 0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
    1060: 48 c7 05 b5 2f 00 00    movq   $0x0,0x2fb5(%rip)        # 4020 <_M_lower_bound___x>
    ...
```
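The pattern described in the comment above, as an added example that is not part of the bug report and not libcdada's code: a hypothetical C-style wrapper (`Status`, `Map`, `find_unchecked` and `find_checked` are assumed names) that binds a caller-supplied `const void*` key to a reference before calling `std::map::find`, next to a variant that reads the key only after the empty-map check. The sample lookups are constructed and use real key storage rather than an address made up from an integer.

```cpp
#include <cstdint>
#include <map>

// Hypothetical status codes and wrapper names; not libcdada's API.
enum Status { ST_OK = 0, ST_NOT_FOUND = 1, ST_INVALID = 2 };

using Map = std::map<std::uint32_t, int>;

// Shape of the problem: the key pointer is turned into a reference
// unconditionally. A reference promises a live object, so an optimizer may
// read *key before it tests whether the tree is empty. It is never called
// with a forged pointer here; it is shown for comparison only.
Status find_unchecked(const Map* m, const void* key, int* out) {
    const std::uint32_t& k = *static_cast<const std::uint32_t*>(key);
    Map::const_iterator it = m->find(k);
    if (it == m->end()) return ST_NOT_FOUND;
    *out = it->second;
    return ST_OK;
}

// Hardened shape: reject null arguments, answer the empty-map case without
// touching the key, and copy the key by value exactly once afterwards.
Status find_checked(const Map* m, const void* key, int* out) {
    if (m == nullptr || key == nullptr || out == nullptr) return ST_INVALID;
    if (m->empty()) return ST_NOT_FOUND;
    const std::uint32_t k = *static_cast<const std::uint32_t*>(key);
    Map::const_iterator it = m->find(k);
    if (it == m->end()) return ST_NOT_FOUND;
    *out = it->second;
    return ST_OK;
}

// Constructed test data: every lookup points at a real uint32_t object.
int demo() {
    Map m;
    std::uint32_t key = 0x123;
    int val = -1;
    if (find_checked(&m, &key, &val) != ST_NOT_FOUND) return 1;  // empty map
    m[key] = 42;
    if (find_checked(&m, &key, &val) != ST_OK || val != 42) return 2;
    if (find_unchecked(&m, &key, &val) != ST_OK || val != 42) return 3;
    if (find_checked(&m, nullptr, &val) != ST_INVALID) return 4;
    return 0;
}

int main() { return demo(); }
```

The null check cannot recognise a non-null bogus address such as 0x123, so the caller still has to supply a pointer to a live key object.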
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53c5241d0067680af1393881962afaa5a83bfe32

commit 53c5241d0067680af1393881962afaa5a83bfe32
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-07-30 06:03:29 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-07-30 06:07:11 +0000

    dev-libs/libcdada: add 0.6.1

    Closes: https://bugs.gentoo.org/936651
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 dev-libs/libcdada/Manifest              |  1 +
 dev-libs/libcdada/libcdada-0.6.1.ebuild | 53 +++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)