public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug target/45843] New: [4.3/4.4/4.5/4.6 Regression] __builtin_va_arg overwrites into adjacent stack location
@ 2010-09-30 11:47 jakub at gcc dot gnu.org
  2010-09-30 11:48 ` [Bug target/45843] " jakub at gcc dot gnu.org
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: jakub at gcc dot gnu.org @ 2010-09-30 11:47 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=45843

           Summary: [4.3/4.4/4.5/4.6 Regression] __builtin_va_arg
                    overwrites into adjacent stack location
           Product: gcc
           Version: 4.3.6
            Status: UNCONFIRMED
          Keywords: wrong-code
          Severity: normal
          Priority: P3
         Component: target
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: jakub@gcc.gnu.org
                CC: gcc-bugs@gcc.gnu.org, hubicka@gcc.gnu.org,
                    hjl.tools@gmail.com, matz@gcc.gnu.org,
                    eraman@google.com
        Depends on: 44575
              Host: x86_64-unknown-linux-gnu
            Target: x86_64-unknown-linux-gnu
             Build: x86_64-unknown-linux-gnu


+++ This bug was initially created as a clone of Bug #44575 +++

This is a variation of the same problem where __builtin_va_arg overwrites into
adjacent stack location [Not sure if I should reopen this bug or file a new
one]:

$ cat vararg.cc

#include <stdarg.h>
#include <stdlib.h>
struct S933 { struct{struct{}b[6];union{}c[7];}a;char d;char e; };

struct S933 arg;
void check933va (int z, ...) {
  char c;
  va_list ap;
  __builtin_va_start(ap,z);
  c = 'a';
  arg = __builtin_va_arg(ap,struct S933);
  if (c != 'a')
    abort();

}
int main() {
  struct S933 s933;
  check933va (1, s933);
}

$ ./trunk-g++  -O0  vararg.cc && ./a.out
Aborted

./trunk-g++ is GNU C++  version 4.6.0 20100924 (experimental)
(x86_64-unknown-linux-gnu)

The relevant portion of the gimple is below:
  D.2773_4 = ap.reg_save_area;
  D.2774_5 = ap.gp_offset;
  D.2775_6 = (long unsigned int) D.2774_5;
  int_addr.1_7 = D.2773_4 + D.2775_6;
  addr.0_8 = &va_arg_tmp.3;
  D.2777_9 = addr.0_8 + 8;
  D.2778_10 = MEM[(long unsigned int *)int_addr.1_7];
  *D.2777_9 = D.2778_10;    <--- Bad move

The move to address D.2777_9 is the problem

For this struct type, construct_container returns the following:

(parallel:BLK [
        (expr_list:REG_DEP_TRUE (reg:DI 0 ax)
            (const_int 8 [0x8]))
    ])

The destination of the move is at offset 8 (INTVAL (XEXP (slot, 1))) of the
temporary created. The size of the temp (sizeof(S933)) is 15 bytes and the move
is in DI mode. I think the problem is the check  if (prev_size + cur_size >
size) doesn't really check if the destination is overwritten.


^ permalink raw reply	[flat|nested] 7+ messages in thread
end of thread, other threads:[~2011-06-27 12:02 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-09-30 11:47 [Bug target/45843] New: [4.3/4.4/4.5/4.6 Regression] __builtin_va_arg overwrites into adjacent stack location jakub at gcc dot gnu.org
2010-09-30 11:48 ` [Bug target/45843] " jakub at gcc dot gnu.org
2010-09-30 11:49 ` jakub at gcc dot gnu.org
2010-09-30 11:52 ` rguenth at gcc dot gnu.org
2010-10-01 13:13 ` [Bug target/45843] [4.3/4.4 " jakub at gcc dot gnu.org
2010-10-01 13:25 ` [Bug target/45843] [4.3 " jakub at gcc dot gnu.org
2011-06-27 12:02 ` rguenth at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).