https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93318

Jan Hubicka <hubicka at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2020-01-18
                 CC|                            |luoxhu at gcc dot gnu.org
     Ever confirmed|0                           |1

--- Comment #2 from Jan Hubicka <hubicka at gcc dot gnu.org> ---
The problem happens at WPA. We end up producing an unmatched indirect call.
We produce a speculative call and later try to resolve it to a direct call:
(gdb) up
#1  0x0000000000a1fca9 in cgraph_edge::remove (edge=0x7fff8a778a28) at
../../gcc/cgraph.c:1027
1027      edge->remove_caller ();
(gdb) 
#2  0x0000000000a20368 in cgraph_edge::resolve_speculation
(edge=0x7fff8a7764e0, callee_decl=0x7fff9803ed00) at ../../gcc/cgraph.c:1246
1246        remove (e2);
(gdb) 
#3  0x0000000000a20403 in cgraph_edge::make_direct (edge=0x7fff8a778a28,
callee=0x7fff79251b40) at ../../gcc/cgraph.c:1266
1266          edge = resolve_speculation (edge, callee->decl);
(gdb) 
#4  0x0000000000d394b8 in ipa_make_edge_direct_to_target (ie=0x7fff8a778a28,
target=0x7fff9803ed00, speculative=false) at ../../gcc/ipa-prop.c:3305
3305          ie = cgraph_edge::make_direct (ie, callee);
(gdb) 
#5  0x0000000000d39f09 in try_make_edge_direct_simple_call (ie=0x7fff8a778a28,
jfunc=0x7fff601b4870, target_type=0x7fff9800a3f0, new_root=0x7fff7a06c000, 
    new_root_info=0x7fff608a0a80) at ../../gcc/ipa-prop.c:3590
3590      cs = ipa_make_edge_direct_to_target (ie, target);
(gdb) 
#6  0x0000000000d3a82f in update_indirect_edges_after_inlining
(cs=0x7fff792d54e0, node=0x7fff858fe000, new_edges=0x7fffffffdd98) at
../../gcc/ipa-prop.c:3812
3812              new_direct_edge = try_make_edge_direct_simple_call (ie,
jfunc,
(gdb) 

After this we already have one speculative edge but no indirect edge:

_ZN2js8frontend12FunctionTree16visitRecursivelyEP9JSContextPNS0_10ParserBaseEPFbS5_PS1_E/35641710
(visitRecursively) @0x7fff858fe000
  Type: function definition analyzed
  Visibility:
  next sharing asm name: 35638756
  References:
_ZZN2js8frontend10ParserBase24publishDeferredFunctionsEPNS0_12FunctionTreeEENUlPS1_S3_E_4_FUNES4_S3_/33954806
(addr) (speculative)
  Referring: 
  Read from file: ../../../js/src/build/libjs_static.a
  Function visitRecursively/35641710 is inline copy in
publishDeferredItems/33218097
  Clone of
_ZN2js8frontend12FunctionTree16visitRecursivelyEP9JSContextPNS0_10ParserBaseEPFbS5_PS1_E/33948013
  Availability: local
  Unit id: 2275
  Function flags: count:24992 (guessed) first_run:4521 local hot
  Called by:
_ZN2js8frontend10ParserBase18publishLazyScriptsEPNS0_12FunctionTreeE/33954804
(inlined) (24992 (guessed),1.00 per call) 
  Calls: __builtin_expect/10953 (24992 (guessed),1.00 per call)
__builtin_expect/10953 (24992 (guessed),1.00 per call)
_ZN2js28RunningWithTrustedPrincipalsEP9JSContext/32911433 (0 (precise),0.00 per
call) __builtin_expect/10953 (0 (precise),0.00 per call)
_ZN2js18ReportOverRecursedEP9JSContext/33263272 (0 (precise),0.00 per call)
_ZN2js8frontend12FunctionTree16visitRecursivelyEP9JSContextPNS0_10ParserBaseEPFbS5_PS1_E/33948013
(0 (precise),0.00 per call)
_ZZN2js8frontend10ParserBase18publishLazyScriptsEPNS0_12FunctionTreeEENUlPS1_S3_E_4_FUNES4_S3_/35641711
(inlined) (18743 (guessed),0.75 per call)
_ZZN2js8frontend10ParserBase24publishDeferredFunctionsEPNS0_12FunctionTreeEENUlPS1_S3_E_4_FUNES4_S3_/35641713
(speculative) (inlined) (6249 (guessed),0.25 per call) 


It seems that resolve_speculation is broken.  It definitely should not leave
the call in an inconsistent shape. Also, the new code documents that one needs
to iterate on speculations, which is not done by cgraph_edge::make_direct.
