From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path:
Received: (qmail 470 invoked by alias); 22 Oct 2008 02:26:27 -0000
Received: (qmail 31712 invoked by uid 48); 22 Oct 2008 02:25:05 -0000
Date: Wed, 22 Oct 2008 02:26:00 -0000
Subject: [Bug middle-end/37889] New: SEGV, conditional execution proactively executed the false arm.
X-Bugzilla-Reason: CC
Message-ID:
Reply-To: gcc-bugzilla@gcc.gnu.org
To: gcc-bugs@gcc.gnu.org
From: "hp at gcc dot gnu dot org"
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id:
List-Archive:
List-Post:
List-Help:
Sender: gcc-bugs-owner@gcc.gnu.org
X-SW-Source: 2008-10/txt/msg01379.txt.bz2

The following executable testcase, reduced from the CRIS port of an old
3.2.x-based version of gcc, is miscompiled at -O2 with "gcc-4_3-branch
revision 141262" and "trunk revision 141281" configured with
--prefix=/usr --enable-languages=c --with-cpu=generic.  When run, it
catches a SEGV.  It is known to work with at least the Fedora
"gcc-4.1.2-33" release.

gcc.c-torture/execute/prNNNNN-1.c:

int flag_pic;
const char * reg_names[(16 + 1 + 1 + 1)] = {"x", "y", "z"};

extern void abort (void) __attribute__ ((__noreturn__));
extern void exit (int) __attribute__ ((__noreturn__));

void __attribute__ ((__noinline__))
asm_fprintf (void *a, const char *b, const char *c, const char *d)
{
  if (a == 0 || *c != 'x' || *d != 'x' || b == 0)
    abort ();
  asm volatile ("");
}

void __attribute__ ((__noinline__))
cris_target_asm_function_prologue (void *file, long got_really_used)
{
  if (got_really_used)
    {
      asm_fprintf (file, "%s %s\n",
                   reg_names[(flag_pic ? 0 : (~(unsigned int) 0))],
                   reg_names[(flag_pic ? 0 : (~(unsigned int) 0))]);
    }
  asm_fprintf (file, "", "x", "x");
}

int
main (void)
{
  flag_pic = 2;
  cris_target_asm_function_prologue ("", 1);
  exit (0);
}

There's a spurious warning emitted with -Wall:

x.c: In function 'cris_target_asm_function_prologue':
x.c:17: warning: array subscript is above array bounds

and a tell-tale SEGV-causing instruction:

        movabsq reg_names+34359738360, %rax

(corresponding to a read of reg_names[~(unsigned int) 0] into %rax)
which is wrongly moved *before* the flag_pic test.


-- 
           Summary: SEGV, conditional execution proactively executed the
                    false arm.
           Product: gcc
           Version: 4.3.3
            Status: UNCONFIRMED
          Keywords: wrong-code
          Severity: normal
          Priority: P3
         Component: middle-end
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: hp at gcc dot gnu dot org
 GCC host triplet: x86_64-unknown-linux-gnu


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=37889
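The following is an added example, not part of the bug report above or of the CRIS port. It takes the selection pattern from the testcase (index 0 when compiling PIC, the all-ones "invalid register" sentinel otherwise) and routes it through a hypothetical bounds-checked accessor, reg_name_checked, so that no out-of-bounds address into reg_names is ever formed even if a compiler evaluates the untaken arm. It also computes the byte displacement reg_names[~(unsigned int) 0] would have with 8-byte pointers, which is how one can confirm that the movabsq offset quoted in the report is that element. The NREGS size, the accessor and the helper names are assumptions for the example.

```c
/* Added example, not from the bug report or the CRIS backend.
   Assumes the same reg_names layout as the PR37889 testcase. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NREGS (16 + 1 + 1 + 1)          /* same bound as the testcase */

static const char *reg_names[NREGS] = { "x", "y", "z" };
static int flag_pic;

/* Hypothetical bounds-checked accessor.  Returns NULL for any index
   outside reg_names instead of indexing, so even if a compiler evaluates
   both arms of a conditional, it can only compare idx against NREGS and
   never dereferences past the array. */
static const char *reg_name_checked(unsigned int idx)
{
    if (idx >= NREGS)
        return NULL;
    return reg_names[idx];
}

/* Mirrors the testcase's selection: index 0 when compiling PIC,
   otherwise the "invalid register" sentinel ~0u. */
static const char *pic_reg_name(void)
{
    unsigned int idx = flag_pic ? 0u : ~(unsigned int) 0;
    return reg_name_checked(idx);
}

/* Byte displacement of reg_names[idx] from reg_names, as an x86-64
   code generator folds it into an absolute address: idx * pointer size.
   For idx == ~0u and 8-byte pointers this is 34359738360, the constant
   in the reported movabsq. */
static uint64_t reg_names_displacement(unsigned int idx)
{
    return (uint64_t) idx * sizeof(const char *);
}

int main(void)
{
    flag_pic = 2;
    printf("pic:     %s\n", pic_reg_name());
    flag_pic = 0;
    printf("non-pic: %s\n", pic_reg_name() ? pic_reg_name() : "(out of range)");
    printf("displacement of reg_names[~0u]: %llu\n",
           (unsigned long long) reg_names_displacement(~0u));
    return 0;
}
```

With the guard in place the non-PIC arm yields a NULL that the caller must handle, rather than a load from reg_names plus 32 GiB; the -Wall "array subscript is above array bounds" warning from the report is also gone, because the constant out-of-range subscript no longer appears in the source.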