[Bug 910363] Re: miscompile writing to bitfield at -Os
Bug Watch Updater
910363 at bugs.launchpad.net
Thu Jan 5 11:14:31 UTC 2012
Launchpad has imported 4 comments from the remote bug at
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51759.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2012-01-05T09:34:50+00:00 dn wrote:
Compiling the attached preprocessed file with this:
g++-4.5 -Os -fPIC -g -pedantic -Wno-long-long -fno-exceptions -o Type2.cpp.o -c Type2.ii
Results in writing 32 bits to a 24-bit bitfield, overwriting the first
byte of the next member variable.
These two members of class Type are (on x86_64) at offset 0x8:
TypeID ID : 8;
unsigned SubclassData : 24;
When setSubclassData() isn't inlined, it's called (from
StructType::setBody() and PointerType's constructor) with the address of
'SubclassData' in %rdi...:
0x00007ffff76d684f <+71>: lea 0x9(%rdi),%r12
0x00007ffff76d6853 <+75>: or $0x1,%esi
0x00007ffff76d6856 <+78>: mov %r12,%rdi
0x00007ffff76d6859 <+81>: callq 0x7ffff76d6774 <llvm::Type::setSubclassData(unsigned int)>
...but then, setSubclassData writes more than 24 bits to that address:
0x00007ffff76d6774 <+0>: mov %esi,%eax
0x00007ffff76d6776 <+2>: sub $0x8,%rsp
0x00007ffff76d677a <+6>: and $0xffffff,%eax
0x00007ffff76d677f <+11>: cmp %esi,%eax
0x00007ffff76d6781 <+13>: mov %eax,(%rdi) # corruption
Reply at: https://bugs.launchpad.net/gcc/+bug/910363/comments/4
------------------------------------------------------------------------
On 2012-01-05T09:35:51+00:00 dn wrote:
Created attachment 26244
output of `gcc -v -save-temps`
Reply at: https://bugs.launchpad.net/gcc/+bug/910363/comments/5
------------------------------------------------------------------------
On 2012-01-05T09:38:45+00:00 dn wrote:
Created attachment 26245
pre-processed file (gzip-compressed)
Reply at: https://bugs.launchpad.net/gcc/+bug/910363/comments/6
------------------------------------------------------------------------
On 2012-01-05T10:00:37+00:00 Rguenth wrote:
It's a bug in IPA-SRA that creates non-mode-size stores:
void llvm::Type::_ZN4llvm4Type15setSubclassDataEj.clone.1(unsigned int:24*, unsigned int) (<unnamed-unsigned:24> * ISRA.6, unsigned int val)
{
...
<bb 2>:
D.87358_2 = (<unnamed-unsigned:24>) val_1(D);
*ISRA.6_8(D) = D.87358_2;
I think this has been fixed in 4.6 (not on the 4.5 branch though) which
no longer performs this substitution. You can work around this using
-fno-ipa-sra.
The following is a simplified testcase:
extern "C" void abort (void);
struct S
{
  void __attribute__((noinline)) set(unsigned val)
  {
    data = val;
    if (data != val)
      abort ();
  }
  int pad0;
  unsigned pad1 : 8;
  unsigned data : 24;
  int pad2;
};
int main()
{
  S s;
  s.pad2 = -1;
  s.set(0);
  if (s.pad2 != -1)
    abort ();
}
Where 4.6 says:
Candidate (2069): this
! Disqualifying this - Encountered a bit-field access.
which hints at what needs backporting.
Martin?
Reply at: https://bugs.launchpad.net/gcc/+bug/910363/comments/7
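The mechanism behind the testcase above, as an added example that is not part of the bug report: it lays out the same struct, performs the store once as a proper read-modify-write of the 32-bit unit holding the bit-field and once as the full 32-bit store at the field's byte address that the IPA-SRA clone emitted, and runs the report's pad2 check against each. It assumes GCC's layout on x86_64 (little-endian, `data` in bytes 5..7, `pad2` starting at byte 8).

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Same layout as the reduced testcase. Assumption: GCC on x86_64 (little-endian),
   so pad1 lives in byte 4, data in bytes 5..7 and pad2 in bytes 8..11. */
struct S {
    int pad0;
    unsigned pad1 : 8;
    unsigned data : 24;
    int pad2;
};

/* Correct lowering of `data = val`: read-modify-write of the whole 32-bit
   unit that contains the bit-field, so bytes outside the field are untouched. */
static void store_data_rmw(struct S *s, unsigned val)
{
    uint32_t word;
    memcpy(&word, (char *)s + 4, sizeof word);
    word = (word & 0x000000FFu) | ((val & 0x00FFFFFFu) << 8);
    memcpy((char *)s + 4, &word, sizeof word);
}

/* What the IPA-SRA clone in the report did: a full 32-bit store at the byte
   address of the 24-bit field. The fourth byte lands in pad2. */
static void store_data_nonmode(struct S *s, unsigned val)
{
    uint32_t v = val & 0x00FFFFFFu;
    memcpy((char *)s + 5, &v, sizeof v);
}

/* Runs the testcase's check against one store strategy: returns 1 when the
   field holds val and the neighbouring pad2 still reads -1, else 0. */
int neighbour_intact_after(void (*store)(struct S *, unsigned), unsigned val)
{
    struct S s;
    memset(&s, 0, sizeof s);
    s.pad2 = -1;
    store(&s, val);
    return s.pad2 == -1 && s.data == (val & 0x00FFFFFFu);
}

int main(void)
{
    printf("rmw store:      pad2 intact = %d\n", neighbour_intact_after(store_data_rmw, 0));
    printf("non-mode store: pad2 intact = %d\n", neighbour_intact_after(store_data_nonmode, 0));
    return 0;
}
```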
** Changed in: gcc
Status: Unknown => Confirmed
** Changed in: gcc
Importance: Unknown => Medium
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-4.5 in Ubuntu.
https://bugs.launchpad.net/bugs/910363
Title:
miscompile writing to bitfield at -Os
Status in The GNU Compiler Collection:
Confirmed
Status in “gcc-4.5” package in Ubuntu:
New
Bug description:
The attached preprocessed file was extracted out of a file from LLVM. When it was compiled by g++-4.5 at -Os, and LLVM's test suite was run, it resulted in the assert in PointerType's constructor firing:
llvm::PointerType::PointerType(llvm::Type*, unsigned int): Assertion `oldNCT == NumContainedTys && "bitfield written out of bounds?"' failed.
This was the invocation I used:
g++-4.5 -Os -fPIC -g -pedantic -Wno-long-long -fno-exceptions -o lib/VMCore/CMakeFiles/LLVMCore.dir/Type2.cpp.o -c Type2.ii
Further details here:
http://llvm.org/PR11652
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: g++-4.5 4.5.2-8ubuntu4
Uname: Linux 3.1.0-custom x86_64
Architecture: amd64
Date: Tue Dec 27 22:11:40 2011
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
ProcEnviron:
LANGUAGE=en_US:en
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: gcc-4.5
UpgradeStatus: No upgrade log present (probably fresh install)