cmd/compile: panic: branch too far on arm64 #23889

ALTree · 2018-02-17T14:28:05Z

$ go version
go version devel +549cb18a91 Sat Feb 17 04:38:14 2018 +0000 linux/amd64

The program at the end of this report crashes the tip compiler when built for arm64 with optimizations disabled, as GOARCH=arm64 go build -gcflags -N crash.go, with the following error:

# command-line-arguments
panic: branch too far

goroutine 8 [running]:
cmd/internal/obj/arm64.(*ctxt7).brdist(0xc00098ddc0, 0xc00014bae8, 0x0, 0xe, 0x2, 0xc0f94017e0)
	go/src/cmd/internal/obj/arm64/asm7.go:4672 +0x32a
cmd/internal/obj/arm64.(*ctxt7).asmout(0xc00098ddc0, 0xc00014bae8, 0xf9ec7e, 0xc00098dd50, 0x6, 0x6)
	go/src/cmd/internal/obj/arm64/asm7.go:2884 +0x5ab2
cmd/internal/obj/arm64.span7(0xc00000e240, 0xc0005a4070, 0xc00004e480)
	go/src/cmd/internal/obj/arm64/asm7.go:787 +0x951
cmd/internal/obj.Flushplist(0xc00000e240, 0xc00098df08, 0xc00004e480, 0x7ffdb24382fe, 0x16)
	go/src/cmd/internal/obj/plist.go:107 +0x6ca
cmd/compile/internal/gc.(*Progs).Flush(0xc000081f40)
	go/src/cmd/compile/internal/gc/gsubr.go:87 +0xc1
cmd/compile/internal/gc.compileSSA(0xc000001200, 0x1)
	go/src/cmd/compile/internal/gc/pgen.go:247 +0x188
cmd/compile/internal/gc.compileFunctions.func2(0xc00059ac60, 0xc0005284a0, 0x1)
	go/src/cmd/compile/internal/gc/pgen.go:288 +0x49
created by cmd/compile/internal/gc.compileFunctions
	go/src/cmd/compile/internal/gc/pgen.go:286 +0x11c

go tool compile says:

crash.go:62:3: branch too far 0x2000 vs 0x2000 [0x0]
00228 (crash.go:10)	TBZ	$63, R0, 32996
32996 (crash.go:10)	JMP	26972

The issue is not present in 1.10, and it was introduced in commit cdd9616 (cmd/compile: generate tbz/tbnz when comparing against zero on arm64).

Apologies for the reproducer length. The program was generated by a fuzzer and deleting any line makes the crash go away.

package p

func fun0() {
	var B0, B1, B2, B3, B4 bool
	var S0, S1 string
	var I0, I1, I2, I3, I4 int
	for true {
		var B5, B6 bool
		for !(S0 >= "ccc" || !true || I4 == I3) {
			var I5, I6 int
			var B7, B8 bool
			switch S0[8:10] + (S0) + (S0[1:12]) + (S1[2:15] + S0[5:24]) + (S0 + "ffffff") {
			case "bb" + S0[0:20] + S1 + (S1 + S1[8:23] + (S1[2:17])) + (S1[1:15] + S0[7:21] + (S0[6:11] + S1 + ("dddd" + S1[6:10]))):
				B3 = S0[8:23]+S0[0:23]+("dddd"+S1[7:21]+(S0[0:21]+S0[3:12]))+(S1+S1+(S1[0:16]+S1)) != "ffffff"+S1[1:18] || I2 < I6
				I2 = 50 + 70 + len([]int{len("eeeee")})
				S1 = S1[2:15] + S1 + (S1 + S1) + ("a" + "a")
				S1 = S0 + S0[0:10] + S0 + S0 + "dddd"
				B1 = I5+I6 > len([]string{S0[4:15] + S1, S0[1:8] + "dddd" + (S0[0:14] + S1), S0 + "ccc" + (S1 + "bb")})
				S0 = "eeeee" + S1[7:15] + ("bb" + S0 + (S0[7:22] + "a" + ("ccc" + S0[7:16] + (S0 + S0)) + (S1[2:8] + S1))) + (S1[8:14] + S1[7:19])
			}
			for len([]string{S1[3:11] + S1[0:15] + ("bb" + S0) + ("a" + S0), S1[2:18] + S1 + (S1[7:15] + S1) + (S1 + "eeeee") + (S0 + S1[8:21])}) >= len([]string{S0[0:14] + "eeeee"})+(I0+35+len(S0[2:24])) {
				var S2 string
				I0 = len(S1)
				B3 = false && B2
				B8 = S1 > S1
				B8 = "dddd" < S1[7:17]
				S1 = S0 + S1 + ("dddd" + S2[6:12] + (S2 + "ccc") + ("a" + S1[0:13] + (S1[8:15] + S2[0:14] + (S2[6:22] + S2)))) + (S2[6:10] + "eeeee" + (S2[3:22] + S0[2:22] + (S0[7:13] + S2[2:20])) + (S1 + S0[1:8] + (S0 + S1[6:13])) + (S0[0:12] + S0[2:14]) + (S0 + S0))
			}
			switch len([]bool{I4 > 25}) <= I1+len([]bool{}) || (B8 && B2) != B0 {
			case true && I6 < I0:
				S0 = S1[7:19] + S1[4:20] + (S0 + S1) + (S0[0:24] + S1) + ("eeeee" + S0 + ("a" + "ffffff" + (S1 + S0) + (S0[0:13] + S0[6:19] + (S1[7:11] + "ccc")) + (S1 + S1[1:15] + (S0[3:9] + "dddd") + (S1 + S1[6:22])) + (S0 + "ccc")) + (S0 + S0 + ("eeeee" + S1)))
				B1 = S1[7:8]+S1+(S1+S1[7:10]) == "eeeee"+S0
				I0 = len([]string{S0[6:9] + S0[8:14] + ("a" + "a"), S1 + S0 + (S0 + S0) + (S0 + S0 + (S0 + "bb" + ("bb" + S1)) + ("bb" + S1 + (S0[7:19] + S0[5:11])) + (S0 + S0[3:19] + (S0[6:21] + "bb" + (S1 + "a")) + (S1[0:15] + S0 + (S0[7:24] + S0 + ("bb" + "ffffff") + (S0 + "bb"))) + (S1[4:24] + S1[6:15] + ("bb" + S1[7:17])))), "eeeee" + S1 + (S0 + S1)})
				I4 = len(S1)
				S0 = "ffffff" + S1[8:23] + (S0[7:17] + "eeeee" + (S1 + S0[2:9]) + (S1[1:20] + S1) + (S0[6:17] + "bb")) + (S0[7:20] + S1[1:19] + (S1[8:9] + S0) + ("a" + S1[0:14])) + (S0[5:21] + S0 + (S1[8:17] + S0[5:9])) + ("ffffff" + S0 + (S0 + S0[4:16])) + (S0 + "eeeee")
				B3 = B1 && B0
				I5 = len([]bool{})
			}
			switch S0[0:9] + S0 + (S0[8:13] + "bb" + ("dddd" + S1 + (S0[6:23] + "eeeee") + (S0[7:9] + "ffffff")) + ("bb" + S0[3:23])) + (S1[0:21] + "dddd" + (S0 + S1 + (S1 + S0[3:15]))) {
			case S1[6:8] + S1:
				S1 = "ffffff" + S0 + ("ccc" + S1[2:12] + (S0 + S1)) + (S0 + "a") + (S0 + S0 + (S0 + "eeeee")) + (S1 + S1[2:10] + (S0 + S0 + (S1[6:18] + "eeeee") + (S0[5:16] + S1 + (S1[0:24] + "a")))) + ("a" + S0 + (S1[7:19] + "a" + (S0[2:20] + S1[4:22] + (S1 + S1[2:14])) + (S0 + S1[6:20] + (S0[7:13] + S0 + (S1 + "ccc" + ("ccc" + S1 + (S0 + S0))))) + (S1 + "ccc")))
				S0 = S0[6:14] + S1 + (S0[5:18] + S0) + (S0 + S1[7:23] + (S1 + "a" + (S0[2:19] + S1) + (S1[5:11] + "eeeee" + ("ccc" + "bb")))) + ("bb" + S0[5:23] + (S0 + S0))
				B8 = I6 != I3
				S0 = S0 + S1 + ("ffffff" + S1 + (S0 + S0[2:22]))
				I6 = I3 + I3 - len([]int{I0 - 57, -19, len([]int{+89 + (len(S1[6:10]) - (I6 - I1)), len("a")})})
				I6 = len("ccc") - (I0 - I3 + (2 + I1 + len(S1[8:21]) - (len([]int{len([]int{len([]bool{B3 != B6, false || true}), I3 - 0, len(S0[5:13]), len([]bool{S1 != S0, I5 < I5, 81 > I1})}), -I0}) - len([]int{len([]string{S0 + S0}), len([]bool{I1 >= I5 || !B7, B4 && B5}), len(S0[0:12])}))))
				B8 = !(-(+18 + (88 - I1)) <= 16-I6) && (!(26 <= I4) || S1+S0+("a"+S1+("ccc"+S0)) > S0+"ffffff"+("eeeee"+S1)+(S1[5:24]+S1[7:19]+(S0+S0[2:22]+(S0+"eeeee"+(S0+S0)+(S1[5:9]+S0[2:13]))+(S1+S0))))
			}
			I4 = len([]int{len([]string{S1 + S1, "bb" + S1 + (S0[2:20] + S0[0:15]) + (S0 + "dddd" + (S0[1:12] + S0) + (S0 + S0[2:14]) + (S0 + "eeeee"))}) + len([]int{}), len("ccc")}) + len("eeeee")
			B0 = !(((B5 || B7) && "dddd" <= "dddd" || S1[7:8]+S1[1:24]+(S0+S1+("ffffff"+"dddd")+("ccc"+S1))+(S1[2:19]+"ffffff")+(S1[8:21]+S1[8:21]+("a"+S1[5:9]+("ccc"+"ffffff"))) <= S1+"dddd") && S0[7:23]+S1[8:9]+("dddd"+"ffffff") == S0[3:18]+S1) != (S0[5:15]+S1 > S1[4:23]+S1[5:9]+(S0[3:12]+S0[0:16]) && (!(I0 >= 30) && "eeeee"+"eeeee" == "bb"+S1))
		}
		var S2, S3 string
		switch len([]string{}) {
		case len(S0[8:24]):
			S1 = "ffffff" + S1[0:14] + (S1[2:23] + "eeeee") + (S3 + S1 + ("ccc" + S0) + ("bb" + S0[5:17]) + (S0 + S2)) + (S1 + S1 + (S2[8:13] + S3 + ("ffffff" + S3) + (S3 + S2 + (S0 + S3[6:8] + (S2[4:24] + S3) + (S3[2:19] + S1[5:15])))))
			S2 = S2[7:18] + S1[4:21]
			S2 = S2 + "bb" + (S3[1:10] + "eeeee" + (S3[1:23] + S1 + (S0[1:23] + S1) + (S2[5:20] + S1[2:18] + (S2[3:22] + "dddd") + (S0 + S2[4:14] + (S1 + S0[8:20]))) + (S3 + S0)))
			S1 = S1 + S2[6:24] + ("eeeee" + S3 + (S3 + S1 + (S0 + S3[4:8]) + (S3 + S2[8:14])) + (S1[4:8] + S3 + (S1 + S3[1:23] + (S2 + S3)) + ("a" + S0[7:21])))
		}
		for I4+len([]string{"bb" + S0}) != -((I1+I4)+len([]bool{!B2, !B5, "bb"+S1 >= S1[4:16]+"ffffff"})) || 95 > I1 {
			S0 = S0[1:24] + S3[1:10] + ("ccc" + S2[3:9] + ("ffffff" + S0)) + ("a" + S0[2:8]) + (S2[4:14] + "a" + (S2 + S0[6:12]))
		}
	}
}

The text was updated successfully, but these errors were encountered:

ALTree · 2018-02-17T15:02:33Z

Oh, I found another, much bigger reproducer that causes the crash even without -N.

prog5139950150760489618.go:3568:37: branch too far 0x21aa vs 0x2000 [0x0]
04048 (prog5139950150760489618.go:732)	TBZ	$63, R0, 38520
38520 (prog5139950150760489618.go:735)	MOVD	$""..autotmp_4462-25600(SP), R17

So this has nothing to do with optimizations, it just happen to be easier to trigger when optimizations are disabled.

gopherbot · 2018-02-17T15:37:37Z

Change https://golang.org/cl/94902 mentions this issue: cmd/internal/obj/arm64: fix branch-too-far with TBZ like instructions

kraj · 2018-03-03T05:40:40Z

btw. I see this issue while compiling influxdb master using 1.10 on aarch64 and the patch above fixes the problem. So it might be a candidate for backport to 1.10 release.

| # github.com/influxdata/influxdb/tests
| panic: branch too far
|
| goroutine 70 [running]:
| cmd/internal/obj/arm64.(*ctxt7).brdist(0xc421e63dc0, 0xc4202fafa0, 0x0, 0xe, 0x2, 0xf943afe0)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/internal/obj/arm64/asm7.go:4616 +0x32a
| cmd/internal/obj/arm64.(*ctxt7).asmout(0xc421e63dc0, 0xc4202fafa0, 0xfa1922, 0xc421e63d50, 0x6, 0x6)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/internal/obj/arm64/asm7.go:2855 +0xcf0
| cmd/internal/obj/arm64.span7(0xc42039e000, 0xc4217db650, 0xc421770250)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/internal/obj/arm64/asm7.go:760 +0x951
| cmd/internal/obj.Flushplist(0xc42039e000, 0xc421e63f08, 0xc421770250, 0x7ffe8e8b440c, 0x24)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/internal/obj/plist.go:107 +0x6ca
| cmd/compile/internal/gc.(*Progs).Flush(0xc421dd4e10)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/compile/internal/gc/gsubr.go:87 +0xc1
| cmd/compile/internal/gc.compileSSA(0xc4200e3c80, 0x3)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/compile/internal/gc/pgen.go:248 +0x188
| cmd/compile/internal/gc.compileFunctions.func2(0xc4217fd9e0, 0xc4217d2b90, 0x3)
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/compile/internal/gc/pgen.go:289 +0x49
| created by cmd/compile/internal/gc.compileFunctions
|       /mnt/a/zonit/build/tmp/work/x86_64-linux/go-cross-aarch64/1.10-r0/recipe-sysroot-native/usr/lib/aarch64-bec-linux/go/s
rc/cmd/compile/internal/gc/pgen.go:287 +0x11c

bronze1man · 2018-06-08T07:45:47Z

@gopherbot please consider this for backport to 1.10. I just come cross this bug in my ios project with go version go1.10.3 darwin/amd64.

Follow golang version do not have this bug in my ios project:
go version go1.9.2 darwin/amd64
go version go1.9.7 darwin/amd64

gopherbot · 2018-06-08T07:45:52Z

Backport issue(s) opened: #25794 (for 1.10).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

gopherbot · 2018-11-02T16:12:25Z

Change https://golang.org/cl/147057 mentions this issue: [release-branch.go1.10] cmd/internal/obj/arm64: fix branch-too-far with TBZ like instructions

…th TBZ like instructions The compiler now emits TBZ like instructions, but the assembler's too-far-branch patch code didn't include that case. Add it. Updates #23889 Fixes #25794 Change-Id: Ib75f9250c660b9fb652835fbc83263a5d5073dc5 Reviewed-on: https://go-review.googlesource.com/94902 Run-TryBot: Cherry Zhang <cherryyz@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: David Chase <drchase@google.com> (cherry picked from commit 911839c) Reviewed-on: https://go-review.googlesource.com/c/147057 Reviewed-by: Cherry Zhang <cherryyz@google.com> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>

ALTree added the release-blocker label Feb 17, 2018

ALTree added this to the Go1.11 milestone Feb 17, 2018

ALTree changed the title ~~cmd/compile: panic: branch too far on arm64 with -N~~ cmd/compile: panic: branch too far on arm64 Feb 17, 2018

ALTree added the NeedsFix The path to resolution is known, but the work has not been done. label Mar 7, 2018

mark-rushakoff mentioned this issue Mar 7, 2018

panic: runtime error: invalid memory address or nil pointer dereference in models.appendField influxdata/influxdb#9521

Closed

gopherbot closed this as completed in 911839c Mar 13, 2018

gopherbot mentioned this issue Jun 8, 2018

cmd/compile: panic: branch too far on arm64 [1.10 backport] #25794

Closed

golang locked and limited conversation to collaborators Nov 2, 2019

gopherbot added the FrozenDueToAge label Nov 2, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cmd/compile: panic: branch too far on arm64 #23889

cmd/compile: panic: branch too far on arm64 #23889

ALTree commented Feb 17, 2018 •

edited

ALTree commented Feb 17, 2018

gopherbot commented Feb 17, 2018

kraj commented Mar 3, 2018

bronze1man commented Jun 8, 2018 •

edited

gopherbot commented Jun 8, 2018

gopherbot commented Nov 2, 2018

cmd/compile: panic: branch too far on arm64 #23889

cmd/compile: panic: branch too far on arm64 #23889

Comments

ALTree commented Feb 17, 2018 • edited

ALTree commented Feb 17, 2018

gopherbot commented Feb 17, 2018

kraj commented Mar 3, 2018

bronze1man commented Jun 8, 2018 • edited

gopherbot commented Jun 8, 2018

gopherbot commented Nov 2, 2018

ALTree commented Feb 17, 2018 •

edited

bronze1man commented Jun 8, 2018 •

edited