public inbox for gcc-bugs@sourceware.org
* [Bug target/44575] [4.5 Regression] __builtin_va_arg overwrites into adjacent stack location
       [not found] <bug-44575-4@http.gcc.gnu.org/bugzilla/>
@ 2010-09-30  9:25 ` eraman at google dot com
  2010-10-01 13:13 ` jakub at gcc dot gnu.org
  1 sibling, 0 replies; 5+ messages in thread
From: eraman at google dot com @ 2010-09-30  9:25 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44575

--- Comment #7 from Easwaran Raman <eraman at google dot com> 2010-09-30 00:21:17 UTC ---
This is a variation of the same problem where __builtin_va_arg overwrites into
adjacent stack location [Not sure if I should reopen this bug or file a new
one]:

$ cat vararg.cc

#include <stdarg.h>
#include <stdlib.h>
struct S933 { struct{struct{}b[6];union{}c[7];}a;char d;char e; };

struct S933 arg;
void check933va (int z, ...) {
  char c;
  va_list ap;
  __builtin_va_start(ap,z);
  c = 'a';
  arg = __builtin_va_arg(ap,struct S933);
  if (c != 'a')
    abort();

}
int main() {
  struct S933 s933;
  check933va (1, s933);
}

$ ./trunk-g++  -O0  vararg.cc && ./a.out
Aborted

./trunk-g++ is GNU C++  version 4.6.0 20100924 (experimental)
(x86_64-unknown-linux-gnu)

The relevant portion of the gimple is below:
  D.2773_4 = ap.reg_save_area;
  D.2774_5 = ap.gp_offset;
  D.2775_6 = (long unsigned int) D.2774_5;
  int_addr.1_7 = D.2773_4 + D.2775_6;
  addr.0_8 = &va_arg_tmp.3;
  D.2777_9 = addr.0_8 + 8;
  D.2778_10 = MEM[(long unsigned int *)int_addr.1_7];
  *D.2777_9 = D.2778_10;    <--- Bad move

The move to address D.2777_9 is the problem.

For this struct type, construct_container returns the following:

(parallel:BLK [
        (expr_list:REG_DEP_TRUE (reg:DI 0 ax)
            (const_int 8 [0x8]))
    ])

The destination of the move is at offset 8 (INTVAL (XEXP (slot, 1))) of the
temporary created. The size of the temp (sizeof(S933)) is 15 bytes and the move
is in DI mode. I think the problem is that the check if (prev_size + cur_size >
size) doesn't really check whether the destination is overwritten.
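
[Added example, not part of the bug report or of GCC's source: a reduced C model of the size check discussed in comment #7, run on the container quoted there (one DImode slot at offset 8, 15-byte temporary). The struct, the function name and the assumption that prev_size was a running total before the PR target/45843 change are illustrative.]

```c
#include <stdio.h>

/* One entry of the PARALLEL returned by construct_container, reduced to the
   two numbers that matter here (constructed model, not GCC's data types). */
struct slot { int offset; int mode_size; };

/* Returns how many bytes are written past a temporary of `size` bytes.
   use_slot_offset == 0: prev_size is a running total of the bytes copied so
   far (assumed pre-fix behaviour).
   use_slot_offset == 1: prev_size is taken from the slot's offset, as the
   PR target/45843 ChangeLog entry describes. */
int bytes_past_temp(const struct slot *slots, int n, int size,
                    int use_slot_offset)
{
    int prev_size = 0, worst = 0;
    for (int i = 0; i < n; i++) {
        int cur_size = slots[i].mode_size;
        if (use_slot_offset)
            prev_size = slots[i].offset;
        if (prev_size + cur_size > size)   /* the check quoted in comment #7 */
            cur_size = size - prev_size;   /* narrower mode or memcpy */
        int end = slots[i].offset + cur_size;  /* store lands at slot offset */
        if (end - size > worst)
            worst = end - size;
        prev_size += cur_size;
    }
    return worst;
}

/* Comment #7's case: one 8-byte slot at offset 8, sizeof(struct S933) == 15. */
static const struct slot s933_slots[] = { { 8, 8 } };
/* Constructed contrast case: two contiguous 8-byte slots, same 15-byte type. */
static const struct slot contiguous_slots[] = { { 0, 8 }, { 8, 8 } };

int main(void)
{
    printf("S933, running total: %d byte(s) past the temporary\n",
           bytes_past_temp(s933_slots, 1, 15, 0));
    printf("S933, slot offset:   %d byte(s) past the temporary\n",
           bytes_past_temp(s933_slots, 1, 15, 1));
    printf("contiguous, running total: %d byte(s) past the temporary\n",
           bytes_past_temp(contiguous_slots, 2, 15, 0));
    return 0;
}
```

In this model the running total only matches the destination offset when the slots are contiguous from offset 0, which is why the single slot at offset 8 slips past the check.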



* [Bug target/44575] [4.5 Regression] __builtin_va_arg overwrites into adjacent stack location
       [not found] <bug-44575-4@http.gcc.gnu.org/bugzilla/>
  2010-09-30  9:25 ` [Bug target/44575] [4.5 Regression] __builtin_va_arg overwrites into adjacent stack location eraman at google dot com
@ 2010-10-01 13:13 ` jakub at gcc dot gnu.org
  1 sibling, 0 replies; 5+ messages in thread
From: jakub at gcc dot gnu.org @ 2010-10-01 13:13 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44575

--- Comment #8 from Jakub Jelinek <jakub at gcc dot gnu.org> 2010-10-01 13:13:36 UTC ---
Author: jakub
Date: Fri Oct  1 13:13:31 2010
New Revision: 164884

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=164884
Log:
    Backport from mainline
    2010-09-30  Jakub Jelinek  <jakub@redhat.com>

    PR target/45843
    * config/i386/i386.c (ix86_gimplify_va_arg): Use
    INTVAL (XEXP (slot, 1)) as prev_size.

    2010-06-21  Jakub Jelinek  <jakub@redhat.com>

    PR target/44575
    * config/i386/i386.c (ix86_gimplify_va_arg): When copying
    va_arg from a set of register save slots into a temporary,
    if the container is bigger than type size, do the copying
    using smaller mode or using memcpy.

    Backport from mainline
    2010-09-30  Jakub Jelinek  <jakub@redhat.com>

    * g++.dg/torture/pr45843.C: New test.

    2010-06-21  Jakub Jelinek  <jakub@redhat.com>

    PR target/44575
    * gcc.c-torture/execute/pr44575.c: New test.

Added:
    branches/gcc-4_4-branch/gcc/testsuite/g++.dg/torture/pr45843.C
    branches/gcc-4_4-branch/gcc/testsuite/gcc.c-torture/execute/pr44575.c
Modified:
    branches/gcc-4_4-branch/gcc/ChangeLog
    branches/gcc-4_4-branch/gcc/config/i386/i386.c
    branches/gcc-4_4-branch/gcc/testsuite/ChangeLog



* [Bug target/44575] [4.5 Regression] __builtin_va_arg overwrites into adjacent stack location
  2010-06-18  0:00 [Bug target/44575] New: " eraman at google dot com
  2010-06-24 21:43 ` [Bug target/44575] [4.5 Regression] " rguenth at gcc dot gnu dot org
  2010-07-01 11:02 ` jakub at gcc dot gnu dot org
@ 2010-07-01 11:06 ` jakub at gcc dot gnu dot org
  2 siblings, 0 replies; 5+ messages in thread
From: jakub at gcc dot gnu dot org @ 2010-07-01 11:06 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #6 from jakub at gcc dot gnu dot org  2010-07-01 11:06 -------
Fixed.


-- 

jakub at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44575



* [Bug target/44575] [4.5 Regression] __builtin_va_arg overwrites into adjacent stack location
  2010-06-18  0:00 [Bug target/44575] New: " eraman at google dot com
  2010-06-24 21:43 ` [Bug target/44575] [4.5 Regression] " rguenth at gcc dot gnu dot org
@ 2010-07-01 11:02 ` jakub at gcc dot gnu dot org
  2010-07-01 11:06 ` jakub at gcc dot gnu dot org
  2 siblings, 0 replies; 5+ messages in thread
From: jakub at gcc dot gnu dot org @ 2010-07-01 11:02 UTC (permalink / raw)
  To: gcc-bugs



------- Comment #5 from jakub at gcc dot gnu dot org  2010-07-01 11:02 -------
Subject: Bug 44575

Author: jakub
Date: Thu Jul  1 11:01:58 2010
New Revision: 161660

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=161660
Log:
        Backport from mainline
        2010-06-21  Jakub Jelinek  <jakub@redhat.com>

        PR target/44575
        * config/i386/i386.c (ix86_gimplify_va_arg): When copying
        va_arg from a set of register save slots into a temporary,
        if the container is bigger than type size, do the copying
        using smaller mode or using memcpy.

        * gcc.c-torture/execute/pr44575.c: New test.

Added:
    branches/gcc-4_5-branch/gcc/testsuite/gcc.c-torture/execute/pr44575.c
Modified:
    branches/gcc-4_5-branch/gcc/ChangeLog
    branches/gcc-4_5-branch/gcc/config/i386/i386.c
    branches/gcc-4_5-branch/gcc/testsuite/ChangeLog


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44575



* [Bug target/44575] [4.5 Regression] __builtin_va_arg overwrites into adjacent stack location
  2010-06-18  0:00 [Bug target/44575] New: " eraman at google dot com
@ 2010-06-24 21:43 ` rguenth at gcc dot gnu dot org
  2010-07-01 11:02 ` jakub at gcc dot gnu dot org
  2010-07-01 11:06 ` jakub at gcc dot gnu dot org
  2 siblings, 0 replies; 5+ messages in thread
From: rguenth at gcc dot gnu dot org @ 2010-06-24 21:43 UTC (permalink / raw)
  To: gcc-bugs



-- 

rguenth at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to work|                            |4.6.0
           Priority|P3                          |P2


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44575


