From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 18 Jun 2010 00:00:00 -0000
Subject: [Bug target/44575] New: __builtin_va_arg overwrites into adjacent stack location
From: "eraman at google dot com"
Reply-To: gcc-bugzilla@gcc.gnu.org
To: gcc-bugs@gcc.gnu.org
X-SW-Source: 2010-06/txt/msg01817.txt.bz2

$ cat vararg.c
#include <stdarg.h>   /* va_list */
#include <stdlib.h>   /* abort */
#include <string.h>   /* memset */

int fails = 0;

struct S116 { float a[3]; };   /* 12-byte struct: three floats */
struct S116 a116[5];

void check116va (int z, ...)
{
  struct S116 arg, *p;
  va_list ap;
  int j=0,k=0;
  int i;

  __builtin_va_start(ap,z);
  for (i = 2; i < 4; ++i)
    {
      p = NULL;
      j++;
      k+=2;
      switch ((z << 4) | i)
        {
        case 0x12:
        case 0x13:
          p = &a116[2];
          arg = __builtin_va_arg(ap,struct S116);   /* struct fetched by value */
          break;
        default:
          ++fails;
          break;
        }
      if (p && p->a[2] != arg.a[2])
        {
          ++fails;
        }
      if (fails)
        break;
    }
  __builtin_va_end(ap);
}

int main()
{
  memset (a116, '\0', sizeof (a116));
  a116[2].a[2] = -49026.625000;
  check116va (1, a116[2], a116[2]);
  if (fails)
    abort();
}

$ ./trunk-gcc -O0 vararg.c && ./a.out
Aborted

./trunk-gcc is gcc 4.6.0 configured with --target=x86_64-unknown-linux-gnu --disable-nls --enable-threads=posix --enable-symvers=gnu --enable-__cxa_atexit --enable-c99 --enable-long-long --with-gnu-as --with-gnu-ld --build=x86_64-unknown-linux-gnu --host=x86_64-unknown-linux-gnu --enable-checking=release --enable-multilib --enable-targets=all --with-arch-32=pentium3 --with-tune-32=pentium4 --enable-shared=libgcc,libmudflap,libssp,libstdc++,libgfortran --with-pic=libgfortran --enable-languages=c,c++,fortran --with-native-system-header-dir=/include --enable-linker-build-id --with-host-libstdcxx=-lstdc++ FCFLAGS='-g -O2 '

The test case passes with gcc 4.2.4 and 4.4.3.
The gimple for __builtin_va_arg (from vararg.c.004t.gimple) contains

  addr.1 = &va_arg_tmp.4;
  addr.5 = (long unsigned int * {ref-all}) addr.1;
  sse_addr.6 = (long unsigned int *) sse_addr.3;
  D.3520 = *sse_addr.6;
  *addr.5 = D.3520;                                   ---> (1)
  addr.7 = (long unsigned int * {ref-all}) addr.1;
  D.3522 = addr.7 + 8;
  sse_addr.8 = (long unsigned int *) sse_addr.3;
  D.3524 = sse_addr.8 + 16;
  D.3525 = *D.3524;
  *D.3522 = D.3525;                                   ---> (2)

The assignments (1) and (2) above are 8-byte moves, one at offset 0 and another at offset 8, into va_arg_tmp.4. But the size of va_arg_tmp.4 is 12 bytes (sizeof (struct S116)), resulting in the overwriting of the adjacent stack location (variable i in this case), leading to the failure.

-- 
Summary: __builtin_va_arg overwrites into adjacent stack location
Product: gcc
Version: 4.6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: target
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: eraman at google dot com
GCC build triplet: x86_64-unknown-linux-gnu
GCC host triplet: x86_64-unknown-linux-gnu
GCC target triplet: x86_64-unknown-linux-gnu

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44575
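To make the overwrite in the gimple dump concrete, here is an added C model (not from the report and not GCC's code) that places a 12-byte struct S116 temporary directly in front of a guard word and performs the two unconditional 8-byte stores from (1) and (2) beside a size-bounded copy; the struct va_tmp_frame, the guard, the 16-byte-slot register save area and the sample values are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
struct S116 { float a[3]; };   /* the 12-byte struct from the report */

/* Constructed frame: va_arg temporary followed by a 4-byte guard. Both are
 * 4-byte aligned, so guard is at offset 12: where an 8-byte store at 8 spills. */
struct va_tmp_frame { struct S116 tmp; uint32_t guard; };
#define GUARD_MAGIC 0xA5A5A5A5u

/* Constructed model of the SSE register save area (16-byte xmm slots). Three
 * floats classify as SSE,SSE: a[0],a[1] in slot 0, a[2] in slot 1 (sse_addr+16). */
static void build_save_area(const struct S116 *s, unsigned char slot[2][16]) {
    memset(slot, 0, 2 * 16);
    memcpy(slot[0], &s->a[0], 8);
    memcpy(slot[1], &s->a[2], 4);
}

/* Lowering as in the report: two unconditional 8-byte stores at offsets 0 and 8
 * into a 12-byte object. Returns 1 if the guard survived, 0 if clobbered. */
static int copy_unbounded(struct va_tmp_frame *f, unsigned char slot[2][16]) {
    f->guard = GUARD_MAGIC;
    memcpy((char *)f + 0, slot[0], 8);
    memcpy((char *)f + 8, slot[1], 8);   /* bytes 12..15 are the guard */
    return f->guard == GUARD_MAGIC;
}

/* Size-bounded copy: each eightbyte moves at most the bytes still remaining
 * of sizeof(struct S116), so the second one moves only 4. */
static int copy_bounded(struct va_tmp_frame *f, unsigned char slot[2][16]) {
    size_t total = sizeof(struct S116), off = 0;
    f->guard = GUARD_MAGIC;
    for (int i = 0; off < total; ++i) {
        size_t n = total - off < 8 ? total - off : 8;
        memcpy((char *)f + off, slot[i], n);
        off += n;
    }
    return f->guard == GUARD_MAGIC;
}

/* Bit 0: unbounded copy kept the guard; bit 1: bounded copy kept it;
 * bit 2: bounded copy delivered a[2] intact. Expected result: 6. */
int run_va_arg_model(void) {
    struct S116 src = { { 1.5f, 2.5f, -49026.625f } };   /* constructed input */
    unsigned char slot[2][16];
    struct va_tmp_frame f;
    build_save_area(&src, slot);
    int r = copy_unbounded(&f, slot) ? 1 : 0;
    r |= copy_bounded(&f, slot) ? 2 : 0;
    r |= (f.tmp.a[2] == src.a[2]) ? 4 : 0;
    return r;
}
```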