[Bug middle-end/29166] New: broken unwind information for many life variables resulting in register corruption

[Bug middle-end/29166] New: broken unwind information for many life variables resulting in register corruption

[matz at gcc dot gnu dot org]

Attached is a testcase which shows that some registers are clobbered
over throwing/catching an exception:

bash>c++ unwind_test.cpp                
bash>./a.out                            
Checksum not OK ( 42895 != 58377 ).     
Register corruption in stack unwinding.

In the debugger you can see, that the fixed integer registers r4-r7 are 
not reset correctly during stack unwinding. The value of the            
callee-saved registers r4-r7 differ before and after the call to test() 
from main().

This error was reported against gcc-3.3.3 but still happens with gcc 4.1.


-- 
           Summary: broken unwind information for many life variables
                    resulting in register corruption
           Product: gcc
           Version: 4.1.2
            Status: UNCONFIRMED
          Keywords: EH
          Severity: normal
          Priority: P3
         Component: middle-end
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: matz at gcc dot gnu dot org
  GCC host triplet: ia64-linux


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29166

[Bug middle-end/29166] broken unwind information for many life variables resulting in register corruption

[matz at gcc dot gnu dot org]

------- Comment #1 from matz at gcc dot gnu dot org  2006-09-21 13:35 -------
Created an attachment (id=12303)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12303&action=view)
Breaking testcase.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29166

[Bug middle-end/29166] broken unwind information for many life variables resulting in register corruption

[matz at gcc dot gnu dot org]

------- Comment #2 from matz at gcc dot gnu dot org  2006-09-21 13:39 -------
Some more analysis of the original bugreport (
https://bugzilla.novell.com/show_bug.cgi?id=201157 ) :

For gcc version 4.1.2 20060731 (prerelease) (SUSE Linux),
r4-r7 contain before the call:
  86, 87, 88, 89
and after the call:
  87, 88, 89, 4611686018427403552
(gdb) p/x $r7
$2 = 0x4000000000003d20
(gdb) info symbol $r7
test() + 64 in section .text
(gdb) b *$r7
Breakpoint 4 at 0x4000000000003d20: file unw.cc, line 85.
(gdb) l 85
80      }
81
82      void test()
83      {
84      try {
85       doIt();
86      } catch( Ex& ) { }
87      }
88
89      int main(char** argv, int argc)

The address in r7 is the return address of the call.  I googled a bit for
"unwind ia64 r4" and found e.g. this:
  http://www.gelato.unsw.edu.au/archives/linux-ia64/0506/14430.html
This is a patch for the kernel, but it's about using some wrong code
in it's own unwinder leading to clobber r4-7, so perhaps similar code is
used in libunwind?

Looks like the unwind information is broken, the addresses for the register
contents for r4-r7 is off-by-8.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29166

[Bug middle-end/29166] broken unwind information for many life variables resulting in register corruption

[matz at gcc dot gnu dot org]

------- Comment #3 from matz at gcc dot gnu dot org  2006-09-21 13:40 -------
Hmpf.  I wonder if there's any tool to really inspect the unwind info, like
it is possible for dwarf.  But readelf doesn't help very much:

% readelf -wf a.out
<nothing, no wonder, it's no dwarf>
% readelf -u a.out
...
<_Z4doItv>: [0x4000000000000b00-0x4000000000003ce0], info at +0x87b0
  v1, flags=0x0 (), len=40 bytes
    R2:prologue_gr(mask=[psp],grsave=r119,rlen=49)

P5:frgr_mem(grmask=[r4,r5,r6,r7],frmask=[f2,f3,f4,f5,f16,f17,f18,f19,f20,f21,f22,f23,f24,f25,f26,f27,f28,f29,f30,f31])

P4:spill_mask(imask=[---,---,---,---,rr-,rr-,-f-,ff-,ff-,ff-,ff-,ff-,ff-,ff-,ff-,ff-,f])
        P7:mem_stack_v(t=3)
        P7:unat_when(t=7)
        P7:unat_psprel(pspoff=0x10-0x180)
        P7:pfs_when(t=9)
        P7:pfs_psprel(pspoff=0x10-0x178)
        P7:rp_when(t=18)
        P7:rp_psprel(pspoff=0x10-0x148)
    R3:body(rlen=2345)
    R1:prologue(rlen=0)
    R1:prologue(rlen=0)

<_Z4testv>: [0x4000000000003ce0-0x4000000000003db0], info at +0x87e0
  v1, flags=0x3 ( ehandler uhandler), len=16 bytes
    R2:prologue_gr(mask=[rp,ar.pfs,psp],grsave=r32,rlen=5)
        P7:pfs_when(t=0)
        P7:mem_stack_v(t=1)
        P7:rp_when(t=4)
    R3:body(rlen=34)
        B2:epilogue(t=2,ecount=0)
    R1:prologue(rlen=0)
    R1:prologue(rlen=0)
    R1:prologue(rlen=0)

I traced the things in libunwind a bit, and know that the one writing the
wrong location of R4-7 into context->loc is the IA64_INSN_ADD_PSP_NAT
unwind script instruction, interpreted in _ULia64_find_save_locs (in
run_script actually).  And it happens while context still is set to the
doIt() function.  But I have no idea, how that script is generated,
or how it relates to the assembler file.  For instance, the start of doIt()
has this code:

        .save.g 0x1
        .mem.offset 344, 0      //
        st8.spill [r18] = r4, 16        //,
        ;;
        .save.g 0x2
        .mem.offset 336, 0      //
        st8.spill [r17] = r5, 16        //,
        .save.g 0x4
        .mem.offset 328, 0      //
        st8.spill [r18] = r6, 16        //,
        ;;
        .save.g 0x8
        .mem.offset 320, 0      //
        st8.spill [r17] = r7, 16        //,

I assume (because there are no explicit unwind sections in the assembler
source) that these .save.g and .mem.offset somehow are pseudo instructions
which somehow produce unwind info.  But I'm at a loss here.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29166

[Bug target/29166] broken unwind information for many life variables resulting in register corruption

[matz at gcc dot gnu dot org]

------- Comment #4 from matz at gcc dot gnu dot org  2006-11-15 15:52 -------
Created an attachment (id=12623)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=12623&action=view)
Assembler code

This is the assembler produced by gcc 4.1.0, in case someone needs the full
asm to determine something non-matching.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29166

[Bug target/29166] broken unwind information for many life variables resulting in register corruption

[patchapp at dberlin dot org]

------- Comment #5 from patchapp at dberlin dot org  2006-11-24 22:20 -------
Subject: Bug number PR29166

A patch for this bug has been added to the patch tracker.
The mailing list url for the patch is
http://gcc.gnu.org/ml/gcc-patches/2006-11/msg01681.html


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29166

[Bug target/29166] broken unwind information for many life variables resulting in register corruption

[pinskia at gcc dot gnu dot org]

-- 

pinskia at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |http://gcc.gnu.org/ml/gcc-
                   |                            |patches/2006-
                   |                            |11/msg01681.html
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1
           Keywords|                            |patch
   Last reconfirmed|0000-00-00 00:00:00         |2006-11-24 22:31:20
               date|                            |


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29166

[Bug target/29166] broken unwind information for many life variables resulting in register corruption

[schwab at gcc dot gnu dot org]

------- Comment #6 from schwab at gcc dot gnu dot org  2007-01-01 22:03 -------
Subject: Bug 29166

Author: schwab
Date: Mon Jan  1 22:03:23 2007
New Revision: 120319

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=120319
Log:
        PR target/29166
        * config/ia64/ia64.c (ia64_compute_frame_size): Account space for
        save of BR0 in extra_spill_size instead of spill_size.
        (ia64_expand_prologue): Save BR0 outside of the gr/br/fr spill
        area.
        (ia64_expand_epilogue): Restore BR0 from its new location.

testsuite/:
        * g++.dg/eh/pr29166.C: New test.

Added:
    trunk/gcc/testsuite/g++.dg/eh/pr29166.C
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/config/ia64/ia64.c
    trunk/gcc/testsuite/ChangeLog


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29166

[Bug target/29166] broken unwind information for many life variables resulting in register corruption

[schwab at gcc dot gnu dot org]

------- Comment #7 from schwab at gcc dot gnu dot org  2007-01-01 22:07 -------
Subject: Bug 29166

Author: schwab
Date: Mon Jan  1 22:07:30 2007
New Revision: 120320

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=120320
Log:
        PR target/29166
        * config/ia64/ia64.c (ia64_compute_frame_size): Account space for
        save of BR0 in extra_spill_size instead of spill_size.
        (ia64_expand_prologue): Save BR0 outside of the gr/br/fr spill
        area.
        (ia64_expand_epilogue): Restore BR0 from its new location.

testsuite/:
        * g++.dg/eh/pr29166.C: New test.

Added:
    branches/gcc-4_2-branch/gcc/testsuite/g++.dg/eh/pr29166.C
Modified:
    branches/gcc-4_2-branch/gcc/ChangeLog
    branches/gcc-4_2-branch/gcc/config/ia64/ia64.c
    branches/gcc-4_2-branch/gcc/testsuite/ChangeLog


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29166

[Bug target/29166] broken unwind information for many life variables resulting in register corruption

[schwab at suse dot de]

------- Comment #8 from schwab at suse dot de  2007-01-01 22:11 -------
Fixed for 4.2+.


-- 

schwab at suse dot de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |4.2.0


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29166