public inbox for gcc-bugs@sourceware.org
* [Bug c/49016] New: always_inline causes references below the current stack pointer
From: merrill_707_1 at yahoo dot com @ 2011-05-16 22:58 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

           Summary: always_inline causes references below the current
                    stack pointer
           Product: gcc
           Version: 4.3.4
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: merrill_707_1@yahoo.com


Created attachment 24256
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=24256
A script to run to compile t.c

When "inline __attribute__((always_inline))" is used, as is set up in some
Linux 2.6 kernel builds in gcc-compiler.h / compiler.h etc., then references to
memory below the current stack pointer can be made, when optimization is turned
off.

In fact, such references can also occur with -O2, but that is not such a simple
test program to generate. Here is a test program which generates the problem
with no optimization turned on.

To compile, run the "rc" script.



* [Bug c/49016] always_inline causes references below the current stack pointer
From: merrill_707_1 at yahoo dot com @ 2011-05-16 23:00 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

--- Comment #1 from Lee Merrill <merrill_707_1 at yahoo dot com> 2011-05-16 22:45:58 UTC ---
Created attachment 24257
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=24257
The source file which generates the problem

This file, when compiled via the attached "rc" script, will have references
below the current stack pointer.



* [Bug c/49016] always_inline causes references below the current stack pointer
From: merrill_707_1 at yahoo dot com @ 2011-05-16 23:00 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

--- Comment #2 from Lee Merrill <merrill_707_1 at yahoo dot com> 2011-05-16 22:49:14 UTC ---
Created attachment 24258
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=24258
The output of running rc with "-v -save-temps" added.

This is the output from running the "rc" script, with gcc parameters "-v
-save-temps" added to the command line.



* [Bug c/49016] always_inline causes references below the current stack pointer
From: merrill_707_1 at yahoo dot com @ 2011-05-16 23:35 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

--- Comment #3 from Lee Merrill <merrill_707_1 at yahoo dot com> 2011-05-16 22:51:33 UTC ---
A disassembly snippet to show the problem:

0000000000000000 <fcPostWrite>:
   0:   55                      push   %rbp
   1:   48 89 e5                mov    %rsp,%rbp
# Note that these statements reference memory below the
#   current stack pointer. So any interrupt which occurs
#   here will corrupt these variables.
   4:   48 89 7d e8             mov    %rdi,-0x18(%rbp)
   8:   89 75 e4                mov    %esi,-0x1c(%rbp)
   b:   8b 45 e4                mov    -0x1c(%rbp),%eax
   e:   89 45 fc                mov    %eax,-0x4(%rbp)
  11:   48 8b 45 e8             mov    -0x18(%rbp),%rax
  15:   48 89 45 f0             mov    %rax,-0x10(%rbp)
  19:   48 8b 55 f0             mov    -0x10(%rbp),%rdx
  1d:   8b 45 fc                mov    -0x4(%rbp),%eax
  20:   89 02                   mov    %eax,(%rdx)
  22:   c9                      leaveq
  23:   c3                      retq



* [Bug c/49016] always_inline causes references below the current stack pointer
From: pinskia at gcc dot gnu.org @ 2011-05-16 23:35 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

--- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> 2011-05-16 23:09:13 UTC ---
Well x86_64 ABI has a red zone which allows for these references to happen if
they are under 128 bytes.



* [Bug c/49016] always_inline causes references below the current stack pointer
From: jakub at gcc dot gnu.org @ 2011-05-17  6:08 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |jakub at gcc dot gnu.org
         Resolution|                            |INVALID

--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> 2011-05-17 05:22:06 UTC ---
Yeah, 128 bytes below %rsp can be freely used on x86_64, interrupts must not
clobber those.



* [Bug c/49016] always_inline causes references below the current stack pointer
From: merrill_707_1 at yahoo dot com @ 2011-05-17 13:51 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

--- Comment #6 from Lee Merrill <merrill_707_1 at yahoo dot com> 2011-05-17 13:29:56 UTC ---
(In reply to comment #5)
> Yeah, 128 bytes below %rsp can be freely used on x86_64, interrupts must not
> clobber those.

I should have mentioned that this is kernel driver code, so then the interrupt
does not change privilege level, and a stack switch will not occur. When an
interrupt happens, the flags / cs / ip are stored at the next 24 bytes of
stack, overwriting the variables in view here. I've seen this happen on a
standard Suse 10 x86_64 Linux machine, so this would not be just theoretical...



* [Bug c/49016] always_inline causes references below the current stack pointer
From: merrill_707_1 at yahoo dot com @ 2011-05-17 14:12 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

--- Comment #7 from Lee Merrill <merrill_707_1 at yahoo dot com> 2011-05-17 13:42:23 UTC ---
I think what is happening in the compiler BTW is that a "sub $XX, %rsp" is
dropping out, perhaps as an optimization. If for example, you comment out the
"#define inline" line in the test code, a stack adjustment appears:

   0:   55                      push   %rbp
   1:   48 89 e5                mov    %rsp,%rbp
   4:   48 83 ec 10             sub    $0x10,%rsp       # SP adjustment here
   8:   48 89 7d f8             mov    %rdi,-0x8(%rbp)
   c:   89 75 f4                mov    %esi,-0xc(%rbp)
etc.

And as far as using stack space below your stack pointer, suppose someone has
an operating system that runs applications at the same privilege level as the
OS?



* [Bug c/49016] always_inline causes references below the current stack pointer
From: jakub at gcc dot gnu.org @ 2011-05-17 14:26 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

--- Comment #8 from Jakub Jelinek <jakub at gcc dot gnu.org> 2011-05-17 14:01:51 UTC ---
It is of course fine if an interrupt uses the same stack, after all, user
interrupts do that too.  But the ABI says that 128 bytes below the %rsp are
reserved, so the interrupt code first needs to subtract 128 from %rsp before
calling any functions and must not modify that area.
You can compile with -mno-red-zone to force no red zone.
Apparently that's a flag x86_64-linux kernel uses during compilation and
therefore probably doesn't bother to preserve the red zone during interrupts
except when creating a user interrupt:
arch/x86/Makefile has:
        KBUILD_CFLAGS += -mno-red-zone
        KBUILD_CFLAGS += -mcmodel=kernel
Thus if you are compiling Linux kernel x86_64 code or modules without
-mno-red-zone, it would be a user error.


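An added check, not part of the bug report and not GCC's or the kernel's own tooling: a POSIX shell script that scans an `objdump -d` listing for the pattern shown in comments #3 and #7 (accesses at a negative offset from %rbp or %rsp that appear before any `sub $N,%rsp`), so that a module build can verify that the -mno-red-zone flag named in comment #8 actually reached the compiler. The function names, the script file name in the usage comment and the sample listing (assembled from the two prologues quoted in the thread, with bytes and addresses only illustrative) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect red-zone use in an objdump -d listing.
# Heuristic: inside each function, a load/store at a negative offset from
# %rbp or %rsp that comes before any "sub $N,%rsp" touches memory below the
# stack pointer, i.e. the x86-64 red zone. Code built with -mno-red-zone
# reserves its frame first, so the "sub" precedes such accesses.

# Print the name of every function in listing $1 that relies on the red zone.
red_zone_functions() {
    awk '
    /^[0-9a-f]+ <[^>]+>:$/ {            # new function: reset per-function state
        name = $2
        sub(/^</, "", name); sub(/>:$/, "", name)
        reserved = 0; flagged = 0
        next
    }
    /sub +[$]0x[0-9a-f]+,%rsp/ { reserved = 1; next }   # frame reserved
    /-0x[0-9a-f]+\(%r[bs]p\)/ {                          # access below the SP
        if (!reserved && !flagged) { print name; flagged = 1 }
    }' "$1"
}

# Constructed sample listing (assumption): the two prologues quoted in this
# thread side by side. Bytes and addresses are illustrative only.
write_sample_listing() {
    cat > "$1" <<'EOF'
0000000000000000 <fcPostWrite>:
   0:   55                      push   %rbp
   1:   48 89 e5                mov    %rsp,%rbp
   4:   48 89 7d e8             mov    %rdi,-0x18(%rbp)
   8:   89 75 e4                mov    %esi,-0x1c(%rbp)
   b:   8b 45 e4                mov    -0x1c(%rbp),%eax
   e:   89 45 fc                mov    %eax,-0x4(%rbp)
  11:   c9                      leaveq
  12:   c3                      retq

0000000000000020 <fcPostWrite_noredzone>:
  20:   55                      push   %rbp
  21:   48 89 e5                mov    %rsp,%rbp
  24:   48 83 ec 10             sub    $0x10,%rsp
  28:   48 89 7d f8             mov    %rdi,-0x8(%rbp)
  2c:   89 75 f4                mov    %esi,-0xc(%rbp)
  2f:   c9                      leaveq
  30:   c3                      retq
EOF
}

# Return 1 (and name the offenders on stderr) when any function in the
# listing relies on the red zone, so the check can gate a module build.
check_listing() {
    hits=$(red_zone_functions "$1")
    if [ -n "$hits" ]; then
        printf 'red zone used by: %s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Usage (hypothetical file name): ./redzone-check.sh module.ko
# The object is disassembled with objdump -d and the listing is checked.
if [ "$#" -gt 0 ]; then
    listing=$(mktemp)
    objdump -d "$1" > "$listing"
    check_listing "$listing"
    status=$?
    rm -f "$listing"
    exit "$status"
fi
```

Run on the constructed sample, `red_zone_functions` names only `fcPostWrite`: the second prologue carries the `sub $0x10,%rsp` from comment #7, so its frame-relative stores are inside reserved space. The heuristic is deliberately simple: it treats a frame-pointer-relative access as below %rsp because gcc emits `mov %rsp,%rbp` first, and it does not recognise frames reserved by other means (for example a `push` of callee-saved registers), so treat its output as a build-time warning to inspect rather than a proof of correctness.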

* [Bug c/49016] always_inline causes references below the current stack pointer
From: merrill_707_1 at yahoo dot com @ 2011-05-17 15:10 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

--- Comment #10 from Lee Merrill <merrill_707_1 at yahoo dot com> 2011-05-17 14:49:33 UTC ---
And the compile (and the compile in the "rc" script here) is indeed specifying
-mcmodel=kernel in the flags.



* [Bug c/49016] always_inline causes references below the current stack pointer
From: merrill_707_1 at yahoo dot com @ 2011-05-17 15:21 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

--- Comment #9 from Lee Merrill <merrill_707_1 at yahoo dot com> 2011-05-17 14:47:34 UTC ---
(In reply to comment #8)
> ... the ABI says that 128 bytes below the %rsp are
> reserved, so the interrupt code first needs to subtract 128 from %rsp before
> calling any functions and must not modify that area.

Thanks for your reply, yet the interrupt itself will modify the next 24 bytes
below %rsp, in storing flags / cs / rip. So then this area would be corrupted,
which indeed I am seeing.



* [Bug c/49016] always_inline causes references below the current stack pointer
From: mikpe at it dot uu.se @ 2011-05-17 17:27 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

--- Comment #11 from Mikael Pettersson <mikpe at it dot uu.se> 2011-05-17 16:58:02 UTC ---
(In reply to comment #10)
> And the compile (and the compile in the "rc" script here) is indeed specifying
> -mcmodel=kernel in the flags.

-mcmodel=kernel isn't enough, you're still failing to pass -mno-red-zone.



* [Bug c/49016] always_inline causes references below the current stack pointer
From: merrill_707_1 at yahoo dot com @ 2011-05-17 19:00 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

--- Comment #12 from Lee Merrill <merrill_707_1 at yahoo dot com> 2011-05-17 18:42:47 UTC ---
(In reply to comment #11)
> (In reply to comment #10)
> > And the compile (and the compile in the "rc" script here) is indeed specifying
> > -mcmodel=kernel in the flags.
> 
> -mcmodel=kernel isn't enough, you're still failing to pass -mno-red-zone.

That works, thanks! It does seem odd to tell it not to use the red zone, in
order for it to um, properly use the red zone. :)



* [Bug c/49016] always_inline causes references below the current stack pointer
From: matz at gcc dot gnu.org @ 2011-05-18 12:09 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49016

Michael Matz <matz at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matz at gcc dot gnu.org

--- Comment #13 from Michael Matz <matz at gcc dot gnu.org> 2011-05-18 11:51:35 UTC ---
The flag is for the compiler and tells it to not use (as in clobber) the
red-zone.

