segfault in stime -p #305

Open
Ravenslofty opened this issue Jul 2, 2024 · 1 comment
@Ravenslofty

This was simplified from YosysHQ/yosys#4473.

Using yosys-abc-sK8f22.zip, run abc -f abc.script, and watch it crash inside stime -p.

gdb gives the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00005555559d42db in abc::Abc_SclTimeNtkPrint (p=p@entry=0x5555577b1410, fShowAll=fShowAll@entry=0,
    fPrintPath=fPrintPath@entry=1) at src/map/scl/sclSize.c:203
203                 nLength = Abc_MaxInt( nLength, strlen(Abc_SclObjCell(pObj)->pName) );
#0  0x00005555559d42db in abc::Abc_SclTimeNtkPrint (p=p@entry=0x5555577b1410, fShowAll=fShowAll@entry=0,
    fPrintPath=fPrintPath@entry=1) at src/map/scl/sclSize.c:203
#1  0x00005555559d70cc in abc::Abc_SclTimePerformInt (pLib=pLib@entry=0x55555686f9e0, pNtk=pNtk@entry=0x555557646440,
    nTreeCRatio=nTreeCRatio@entry=0, fUseWireLoads=fUseWireLoads@entry=0, fShowAll=fShowAll@entry=0,
    fPrintPath=fPrintPath@entry=1, fDumpStats=0) at src/map/scl/sclSize.c:690
#2  0x00005555559d73e0 in abc::Abc_SclTimePerform (pLib=0x55555686f9e0, pNtk=0x555557646440, nTreeCRatio=nTreeCRatio@entry=0,
    fUseWireLoads=fUseWireLoads@entry=0, fShowAll=fShowAll@entry=0, fPrintPath=fPrintPath@entry=1, fDumpStats=0)
    at src/map/scl/sclSize.c:712
#3  0x00005555559a7472 in abc::Scl_CommandStime (pAbc=0x555556838200, argc=2, argv=0x5555578a8d20) at src/map/scl/scl.c:895
#4  0x00005555557a6c2b in abc::CmdCommandDispatch (pAbc=pAbc@entry=0x555556838200, pargc=pargc@entry=0x7ffffffed108,
    pargv=pargv@entry=0x7ffffffed110) at src/base/cmd/cmdUtils.c:157
#5  0x00005555557a078e in abc::Cmd_CommandExecute (pAbc=pAbc@entry=0x555556838200,
    sCommand=sCommand@entry=0x7ffffffed170 "stime -p;\n") at src/base/cmd/cmdApi.c:210
#6  0x000055555579e6d7 in abc::CmdCommandSource (pAbc=0x555556838200, argc=<optimized out>, argv=<optimized out>)
    at src/base/cmd/cmd.c:787
#7  0x00005555557a6c2b in abc::CmdCommandDispatch (pAbc=pAbc@entry=0x555556838200, pargc=pargc@entry=0x7fffffff5228,
    pargv=pargv@entry=0x7fffffff5230) at src/base/cmd/cmdUtils.c:157
#8  0x00005555557a078e in abc::Cmd_CommandExecute (pAbc=pAbc@entry=0x555556838200,
    sCommand=sCommand@entry=0x555556837e10 "source abc.script") at src/base/cmd/cmdApi.c:210
#9  0x00005555557e758a in abc::Abc_RealMain (argc=3, argv=<optimized out>) at src/base/main/mainReal.c:332
#10 0x00005555557e4e40 in main (argc=<optimized out>, argv=<optimized out>) at src/base/main/main.c:11
@wjrforcyber
Contributor

wjrforcyber commented Jul 4, 2024

Following up a bit here: after running with lldb on the latest abc (commit hash 2d70debd0743e95c8112edd40cf047b7f3fed2b1), it seems that vGates is not filled with actual values, since all 67 Objs in pNtk are identified as barrier buffers.
In function Abc_SclMioGates2SclGates of command stime, before the entries in vGates are written, it is indeed initialised with -1, and inside the loop it should be filled with actual values larger than 0, but the section inside the brackets is skipped every time in the 67 loops, so vGates remains filled with -1. (See that n jumps directly to the end of the loop.)

(lldb) n
Process 62222 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010061eee4 abc`Abc_SclMioGates2SclGates(pLib=0x00006000024a8000, p=0x0000000139ed2a90) at sclUtil.c:60:5
   57  	    bufferId = Abc_SclCellFind( pLib, Mio_GateReadName(Mio_LibraryReadBuf((Mio_Library_t *)p->pManFunc)) );
   58  	    assert( bufferId >= 0 );
   59  	    // remap cells
-> 60  	    assert( p->vGates == NULL );
   61  	    p->vGates = Vec_IntStartFull( Abc_NtkObjNumMax(p) );
   62  	    Abc_NtkForEachNodeNotBarBuf1( p, pObj, i )
   63  	    {
Target 0: (abc) stopped.
(lldb) n
Process 62222 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010061ef2c abc`Abc_SclMioGates2SclGates(pLib=0x00006000024a8000, p=0x0000000139ed2a90) at sclUtil.c:61:52
   58  	    assert( bufferId >= 0 );
   59  	    // remap cells
   60  	    assert( p->vGates == NULL );
-> 61  	    p->vGates = Vec_IntStartFull( Abc_NtkObjNumMax(p) );
   62  	    Abc_NtkForEachNodeNotBarBuf1( p, pObj, i )
   63  	    {
   64  	        gateId = Abc_SclCellFind( pLib, Mio_GateReadName((Mio_Gate_t *)pObj->pData) );
Target 0: (abc) stopped.
(lldb) n
Process 62222 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010061ef40 abc`Abc_SclMioGates2SclGates(pLib=0x00006000024a8000, p=0x0000000139ed2a90) at sclUtil.c:62:5
   59  	    // remap cells
   60  	    assert( p->vGates == NULL );
   61  	    p->vGates = Vec_IntStartFull( Abc_NtkObjNumMax(p) );
-> 62  	    Abc_NtkForEachNodeNotBarBuf1( p, pObj, i )
   63  	    {
   64  	        gateId = Abc_SclCellFind( pLib, Mio_GateReadName((Mio_Gate_t *)pObj->pData) );
   65  	        assert( gateId >= 0 );
Target 0: (abc) stopped.
(lldb) parray 10 p->vGates->pArray
(int *) $0 = 0x0000000119e04080 {
  [0] = -1
  [1] = -1
  [2] = -1
  [3] = -1
  [4] = -1
  [5] = -1
  [6] = -1
  [7] = -1
  [8] = -1
  [9] = -1
}
(lldb) n
Process 62222 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x000000010061f094 abc`Abc_SclMioGates2SclGates(pLib=0x00006000024a8000, p=0x0000000139ed2a90) at sclUtil.c:68:17
   65  	        assert( gateId >= 0 );
   66  	        Vec_IntWriteEntry( p->vGates, i, gateId );
   67  	    }
-> 68  	    p->pSCLib = pLib;
   69  	}
   70  	void Abc_SclSclGates2MioGates( SC_Lib * pLib, Abc_Ntk_t * p )
   71  	{
Target 0: (abc) stopped.
(lldb) parray 10 p->vGates->pArray
(int *) $1 = 0x0000000119e04080 {
  [0] = -1
  [1] = -1
  [2] = -1
  [3] = -1
  [4] = -1
  [5] = -1
  [6] = -1
  [7] = -1
  [8] = -1
  [9] = -1
}

So the cell id is -1 and Abc_SclObjCell(pObj) returns NULL here in nLength = Abc_MaxInt( nLength, strlen(Abc_SclObjCell(pObj)->pName) );
Maybe a warning could be given here?
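
The failure mode described in this thread, as an added example that is not part of the issue and is not ABC's code: a simplified C model of a gate-id vector left at its -1 fill value, with a name-length scan that skips unmapped objects and counts them so the caller can warn instead of dereferencing NULL. The types `Cell`, `Lib`, `Ntk` and the functions `obj_cell` and `max_cell_name_len` are hypothetical stand-ins, and the cell names are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for ABC's cell library and network. */
typedef struct { const char *pName; } Cell;
typedef struct { const Cell *cells; int nCells; } Lib;
typedef struct { int *gates; int nObjs; } Ntk;  /* gates[i] == -1: never mapped */

/* Models the lookup described in the comment: an id of -1 yields NULL. */
static const Cell *obj_cell(const Lib *lib, const Ntk *ntk, int i)
{
    int id = ntk->gates[i];
    return (id < 0 || id >= lib->nCells) ? NULL : &lib->cells[id];
}

/* Guarded name-length scan: skip objects with no cell and report how many
   were skipped, rather than calling strlen() through a NULL cell pointer. */
int max_cell_name_len(const Lib *lib, const Ntk *ntk, int *nUnmapped)
{
    int i, nLength = 0;
    *nUnmapped = 0;
    for (i = 0; i < ntk->nObjs; i++) {
        const Cell *c = obj_cell(lib, ntk, i);
        if (c == NULL) { (*nUnmapped)++; continue; }
        int len = (int)strlen(c->pName);
        if (len > nLength) nLength = len;
    }
    return nLength;
}

/* Constructed sample library. */
static const Cell kCells[] = { {"BUF_X1"}, {"NAND2_X1"} };
static const Lib kLib = { kCells, 2 };

int demo_all_unmapped(int *nUnmapped)   /* the state seen in the lldb session */
{
    int gates[4] = { -1, -1, -1, -1 };
    Ntk ntk = { gates, 4 };
    return max_cell_name_len(&kLib, &ntk, nUnmapped);
}

int demo_partly_mapped(int *nUnmapped)
{
    int gates[4] = { 1, -1, 0, -1 };
    Ntk ntk = { gates, 4 };
    return max_cell_name_len(&kLib, &ntk, nUnmapped);
}

int main(void)
{
    int n, len = demo_all_unmapped(&n);
    if (n > 0) fprintf(stderr, "warning: %d objects have no cell\n", n);
    printf("max name length: %d\n", len);
    return 0;
}
```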
