[GHC] #13916: Optimizations create run time seg faults

GHC ghc-devs at haskell.org
Mon Jul 3 02:41:24 UTC 2017


#13916: Optimizations create run time seg faults
-------------------------------------+-------------------------------------
        Reporter:  newthin           |                Owner:  (none)
            Type:  bug               |               Status:  new
        Priority:  normal            |            Milestone:
       Component:  Compiler          |              Version:  8.0.2
  (CodeGen)                          |
      Resolution:                    |             Keywords:  optimization
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  Runtime crash     |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):
       Wiki Page:                    |
-------------------------------------+-------------------------------------

Comment (by bgamari):

 Oh dear, this looks quite bad indeed. Thanks for providing such a nice
 reproducer!

 `gdb` places the crash in,
 {{{
 Program received signal SIGSEGV, Segmentation fault.
 stg_takeMVarzh () at rts/PrimOps.cmm:1483
 1483    rts/PrimOps.cmm: No such file or directory.
 (gdb) bt
 #0  stg_takeMVarzh () at rts/PrimOps.cmm:1483
 #1  0x000000000064dc88 in
 base_GHCziIOziHandleziInternals_zdwdozuoperation_info () at
 libraries/base/GHC/IO/Handle/Internals.hs:163
 #2  0x0000000000646ce0 in sb1n_info () at
 libraries/base/GHC/IO/Handle.hs:470
 #3  0x0000000000407378 in s6zq_info () at ./Bracket.hs:105
 #4  0x0000000000613e58 in s3E1_info () at
 libraries/base/Control/Exception/Base.hs:222
 #5  0x00000000006e75f0 in ?? ()
 #6  0x000000000040a328 in sdbc_info () at main.hs:21
 #7  0x0000000000454680 in sbFu_info ()
 #8  0x0000000000000000 in ?? ()
 }}}

 The disassembly of the top frame is,
 {{{
 (gdb) disassemble
 Dump of assembler code for function stg_takeMVarzh:
    0x00000000006ebd70 <+0>:     mov    (%rbx),%rax
    0x00000000006ebd73 <+3>:     cmpq   $0x94f088,0x18(%rbx)
    0x00000000006ebd7b <+11>:    je     0x6ebe97 <stg_takeMVarzh+295>
    0x00000000006ebd81 <+17>:    mov    %rbx,%rcx
    0x00000000006ebd84 <+20>:    mov    0x18(%rbx),%rdx
    0x00000000006ebd88 <+24>:    mov    0x8(%rbx),%rbx
    0x00000000006ebd8c <+28>:    cmp    $0x94f088,%rbx
    0x00000000006ebd93 <+35>:    je     0x6ebe56 <stg_takeMVarzh+230>
 => 0x00000000006ebd99 <+41>:    cmpq   $0x6ecf30,(%rbx)
    0x00000000006ebda0 <+48>:    je     0x6ebe4d <stg_takeMVarzh+221>
 ...
 }}}

 Where 0x6ecf30 is apparently `stg_IND_info`. This likely means that we are
 approximately here in `stg_takeMVarzh`,
 {{{#!c
 ...
 loop:
     if (q == stg_END_TSO_QUEUE_closure) {
         /* No further putMVars, MVar is now empty */
         StgMVar_value(mvar) = stg_END_TSO_QUEUE_closure;
         // If the MVar is not already dirty, then we don't need to make
         // it dirty, as it is empty with nothing blocking on it.
         unlockClosure(mvar, info);
         return (val);
     }
     if (StgHeader_info(q) == stg_IND_info ||     /* <- perhaps here */
         StgHeader_info(q) == stg_MSG_NULL_info) {
         q = StgInd_indirectee(q);
         goto loop;
     }
 ...
 }}}
 The value of `$rbx` looks quite crazy,
 {{{
 (gdb) print $rbx
 $1 = 5283285312859013268
 }}}
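
 The `loop:` quoted above follows IND / MSG_NULL indirections through the MVar's queue and crashes the moment `q` holds a value like the `$rbx` printed here. As an added illustration (not code from the ticket or from the GHC RTS), the following C model reproduces that walk over a constructed mini-heap and shows the plausibility check a debugging harness could apply before dereferencing such a pointer; the closure types, the `stg_*` names, `heap`, `is_plausible_closure`, `skip_indirections` and the two `walk_*` helpers are all stand-ins constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-ins for GHC's closure layout: an info pointer first,
 * and for an IND closure the pointer it forwards to. */
typedef struct StgHeader { const void *info; } StgHeader;
typedef struct StgInd { StgHeader header; struct StgInd *indirectee; } StgInd;

/* Hypothetical info tables plus the static end-of-queue sentinel closure. */
const char stg_IND_info[1] = {0};
const char stg_MSG_NULL_info[1] = {0};
const char stg_MVAR_TSO_QUEUE_info[1] = {0};   /* a real queue entry */
StgInd stg_END_TSO_QUEUE_closure;

/* Constructed heap: a plausible closure pointer is either the sentinel or a
 * word-aligned address inside this array. */
#define HEAP_SIZE 4
StgInd heap[HEAP_SIZE];

int is_plausible_closure(const StgInd *q) {
    if (q == &stg_END_TSO_QUEUE_closure) return 1;
    if ((uintptr_t)q % sizeof(void *) != 0) return 0;   /* unaligned: garbage */
    return q >= heap && q < heap + HEAP_SIZE;
}

/* Mirrors the "loop:" in stg_takeMVarzh: skip IND / MSG_NULL entries and
 * return the first real entry or the sentinel. Unlike the RTS it refuses to
 * dereference an implausible pointer and returns NULL, so the ticket's
 * SIGSEGV becomes a diagnosable failure instead of a crash. */
const StgInd *skip_indirections(const StgInd *q) {
    for (;;) {
        if (!is_plausible_closure(q)) return NULL;
        if (q == &stg_END_TSO_QUEUE_closure) return q;
        if (q->header.info != stg_IND_info && q->header.info != stg_MSG_NULL_info)
            return q;                        /* a real queue entry */
        q = q->indirectee;                   /* follow the indirection */
    }
}

/* Chain heap[0] (IND) -> heap[1] (MSG_NULL) -> heap[2] (real queue entry). */
const StgInd *walk_valid_chain(void) {
    heap[0].header.info = stg_IND_info;            heap[0].indirectee = &heap[1];
    heap[1].header.info = stg_MSG_NULL_info;       heap[1].indirectee = &heap[2];
    heap[2].header.info = stg_MVAR_TSO_QUEUE_info; heap[2].indirectee = NULL;
    return skip_indirections(&heap[0]);
}

/* Feed the walk the exact value gdb printed for $rbx in the ticket. */
const StgInd *walk_garbage_pointer(void) {
    return skip_indirections((const StgInd *)(uintptr_t)5283285312859013268ULL);
}
```

 The real RTS has no such check because every queue pointer is supposed to be a valid closure; the point of the model is that the crash is a symptom of the miscompiled caller handing the primop a non-pointer, not of the loop itself.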

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/13916#comment:1>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler