public inbox for gcc-bugs@sourceware.org
From: "ewlu at rivosinc dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug target/113073] New: [14] RISC-V: segfault from out of bounds memory access in gcc.dg/torture/pr112736.c
Date: Mon, 18 Dec 2023 21:15:30 +0000
Message-ID: <bug-113073-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113073

            Bug ID: 113073
           Summary: [14] RISC-V: segfault from out of bounds memory access
                    in gcc.dg/torture/pr112736.c
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: ewlu at rivosinc dot com
  Target Milestone: ---

The testcase from pr112736

#include <sys/mman.h>
#include <unistd.h>

int a, c[3][5];

void __attribute__((noipa))
fn1 (int * __restrict b)
{
  int e;
  for (a = 2; a >= 0; a--)
    for (e = 0; e < 4; e++)
      c[a][e] = b[a];
}

int main()
{
  long pgsz = sysconf (_SC_PAGESIZE);
  void *p = mmap (NULL, pgsz * 2, PROT_READ|PROT_WRITE,
                  MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
  if (p == MAP_FAILED)
    return 0;
  mprotect (p, pgsz, PROT_NONE);
  fn1 (p + pgsz);
  return 0;
}

generates an out-of-bounds memory access on Linux vector targets

Program received signal SIGSEGV, Segmentation fault.
0x000000000001067c in fn1 (b=b@entry=0x2aaaab4be000) at
../gcc/gcc/testsuite/gcc.dg/torture/pr112736.c:14
14            c[a][e] = b[a];
(gdb) disass fn1
Dump of assembler code for function fn1:
   0x000000000001066c <+0>:     addi    a1,a0,-4
   0x0000000000010670 <+4>:     vsetivli        zero,4,e32,m1,ta,ma
   0x0000000000010674 <+8>:     addi    a5,gp,-1968
   0x0000000000010678 <+12>:    addi    a2,a0,-12
=> 0x000000000001067c <+16>:    vle32.v v1,(a1)
   0x0000000000010680 <+20>:    vrgather.vi     v2,v1,3
   0x0000000000010684 <+24>:    li      a7,-1
   0x0000000000010686 <+26>:    addi    a3,a5,40
   0x000000000001068a <+30>:    addi    a0,a0,-8
   0x000000000001068c <+32>:    addi    a4,a5,20
   0x0000000000010690 <+36>:    vle32.v v3,(a2)
   0x0000000000010694 <+40>:    vrgather.vi     v1,v3,3
   0x0000000000010698 <+44>:    vse32.v v2,(a3)
   0x000000000001069c <+48>:    vse32.v v1,(a5)
   0x00000000000106a0 <+52>:    vle32.v v2,(a0)
   0x00000000000106a4 <+56>:    sw      a7,-1984(gp)
   0x00000000000106a8 <+60>:    vrgather.vi     v1,v2,3
   0x00000000000106ac <+64>:    vse32.v v1,(a4)
   0x00000000000106b0 <+68>:    ret
End of assembler dump.
(gdb) p /x $a1
$8 = 0x2aaaab4bdffc
(gdb) p /x *$a1
Cannot access memory at address 0x2aaaab4bdffc

first appeared: https://github.com/patrick-rivos/gcc-postcommit-ci/issues/282

compile command: ./build-gcc-linux-stage2/gcc/xgcc
-B./build-gcc-linux-stage2/gcc/ ../gcc/gcc/testsuite/gcc.dg/torture/pr112736.c
-march=rv64gcv -mabi=lp64d -mcmodel=medlow -fdiagnostics-plain-output -O3 -g
-lm -o ./pr112736.exe

run command:
QEMU_CPU=rv64,vlen=128,v=true,vext_spec=v1.0,Zve32f=true,Zve64f=true
./bin/qemu-riscv64 ./pr112736.exe
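
An added example, not part of the original report or of GCC's testsuite: the guard-page layout from the testcase wrapped in a probe that reports whether a given lane range relative to b faults instead of crashing. The names probe_faults, touch_lanes and on_fault are hypothetical; the lane offsets in main come from the addi/vle32.v pairs in the disassembly above (four e32 lanes starting at b-4, b-12 and b-8 bytes).

```c
#define _GNU_SOURCE 1   /* MAP_ANONYMOUS and sigsetjmp under strict -std= modes */
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Scalar stand-in for one unit-stride vector load: read `lanes` ints from b[first]. */
static void touch_lanes(const volatile int *b, int first, int lanes)
{
  for (int i = 0; i < lanes; i++)
    (void)b[first + i];               /* volatile: the read is really performed */
}

/* b is the start of a readable page that directly follows a PROT_NONE page.
   Returns 1 if the access faults, 0 if it does not, -1 on setup failure. */
int probe_faults(int first, int lanes)
{
  long pgsz = sysconf(_SC_PAGESIZE);
  char *p = mmap(NULL, pgsz * 2, PROT_READ | PROT_WRITE,
                 MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
  if (p == MAP_FAILED)
    return -1;
  if (mprotect(p, pgsz, PROT_NONE) != 0) {
    munmap(p, pgsz * 2);
    return -1;
  }
  struct sigaction sa = {0}, old;
  sa.sa_handler = on_fault;
  sigemptyset(&sa.sa_mask);
  sigaction(SIGSEGV, &sa, &old);
  int faulted = 1;                    /* value seen when the handler jumps back */
  if (sigsetjmp(probe_env, 1) == 0) {
    touch_lanes((const volatile int *)(p + pgsz), first, lanes);
    faulted = 0;
  }
  sigaction(SIGSEGV, &old, NULL);     /* restore the previous handler */
  munmap(p, pgsz * 2);
  return faulted;
}

int main(void)
{
  printf("source-level reads b[0..2]: faults=%d\n", probe_faults(0, 3));
  printf("4 lanes from b[-1] (a1=a0-4): faults=%d\n", probe_faults(-1, 4));
  return 0;
}
```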

Thread overview: 4+ messages
2023-12-18 21:15 ewlu at rivosinc dot com [this message]
2023-12-19  8:57 ` [Bug target/113073] " rguenth at gcc dot gnu.org
2023-12-19 12:32 ` cvs-commit at gcc dot gnu.org
2023-12-19 12:33 ` rguenth at gcc dot gnu.org
