public inbox for gcc-bugs@sourceware.org
* [Bug c++/51759] New: miscompile writes past end of bitfield
From: nobled at dreamwidth dot org @ 2012-01-05  9:35 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51759

             Bug #: 51759
           Summary: miscompile writes past end of bitfield
    Classification: Unclassified
           Product: gcc
           Version: 4.5.2
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: nobled@dreamwidth.org


Compiling the attached preprocessed file with this:
g++-4.5 -Os -fPIC -g -pedantic -Wno-long-long -fno-exceptions -o Type2.cpp.o -c Type2.ii

Results in writing 32 bits to a 24-bit bitfield, overwriting the first byte of
the next member variable.

These two members of class Type are (on x86_64) at offset 0x8:
  TypeID   ID : 8;
  unsigned SubclassData : 24;

When setSubclassData() isn't inlined, it's called (from StructType::setBody()
and PointerType's constructor) with the address of 'SubclassData' in %rdi...:

   0x00007ffff76d684f <+71>:    lea 0x9(%rdi),%r12
   0x00007ffff76d6853 <+75>:    or $0x1,%esi
   0x00007ffff76d6856 <+78>:    mov %r12,%rdi
   0x00007ffff76d6859 <+81>:    callq 0x7ffff76d6774
<llvm::Type::setSubclassData(unsigned int)>

...but then, setSubclassData writes more than 24 bits to that address:

   0x00007ffff76d6774 <+0>:    mov %esi,%eax
   0x00007ffff76d6776 <+2>:    sub $0x8,%rsp
   0x00007ffff76d677a <+6>:    and $0xffffff,%eax
   0x00007ffff76d677f <+11>:    cmp %esi,%eax
   0x00007ffff76d6781 <+13>:    mov %eax,(%rdi) # corruption


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug c++/51759] miscompile writes past end of bitfield
From: nobled at dreamwidth dot org @ 2012-01-05  9:36 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51759

--- Comment #1 from nobled at dreamwidth dot org 2012-01-05 09:35:51 UTC ---
Created attachment 26244
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=26244
output of `gcc -v -save-temps`



* [Bug c++/51759] miscompile writes past end of bitfield
From: nobled at dreamwidth dot org @ 2012-01-05  9:39 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51759

--- Comment #2 from nobled at dreamwidth dot org 2012-01-05 09:38:45 UTC ---
Created attachment 26245
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=26245
pre-processed file (gzip-compressed)



* [Bug tree-optimization/51759] [4.5 Regression] miscompile writes past end of bitfield
From: rguenth at gcc dot gnu.org @ 2012-01-05 10:00 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51759

Richard Guenther <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
      Known to work|                            |4.4.6, 4.6.0
           Keywords|                            |wrong-code
   Last reconfirmed|                            |2012-01-05
          Component|c++                         |tree-optimization
                 CC|                            |jamborm at gcc dot gnu.org
     Ever Confirmed|0                           |1
            Summary|miscompile writes past end  |[4.5 Regression] miscompile
                   |of bitfield                 |writes past end of bitfield
   Target Milestone|---                         |4.5.4

--- Comment #3 from Richard Guenther <rguenth at gcc dot gnu.org> 2012-01-05 10:00:37 UTC ---
It's a bug in IPA-SRA that creates non-mode-size stores:

void llvm::Type::_ZN4llvm4Type15setSubclassDataEj.clone.1(unsigned int:24*,
unsigned int) (<unnamed-unsigned:24> * ISRA.6, unsigned int val)
{
...
<bb 2>:
  D.87358_2 = (<unnamed-unsigned:24>) val_1(D);
  *ISRA.6_8(D) = D.87358_2;

I think this has been fixed in 4.6 (not on the 4.5 branch though) which
no longer performs this substitution.  You can work around this using
-fno-ipa-sra.

The following is a simplified testcase:

extern "C" void abort (void);
struct S
{
  /* noinline so IPA-SRA gets a chance to replace 'this' with a pointer
     to the 24-bit bit-field and emit a non-mode-size store through it.  */
  void __attribute__((noinline)) set(unsigned val)
    {
      data = val;
      if (data != val)
        abort ();
    }
  int pad0;
  unsigned pad1 : 8;
  unsigned data : 24;
  int pad2;   /* immediately follows the 24-bit field; used as a canary */
};
int main()
{
  S s;
  s.pad2 = -1;      /* all bytes 0xff */
  s.set(0);
  if (s.pad2 != -1) /* a 32-bit store to 'data' clobbers pad2's first byte */
    abort ();
}

Where 4.6 says:

Candidate (2069): this
! Disqualifying this - Encountered a bit-field access.

which hints at what needs backporting.

Martin?


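The mechanism described in the original report (a full 32-bit store aimed at the first byte of a 24-bit bit-field, clobbering the neighbouring member) and the canary check in Richard Guenther's reduced testcase can be modelled directly. The following is an added, constructed example and is not GCC code or the reporter's code: `buggy_set` reproduces what the miscompiled clone did, `correct_set` is an ordinary bit-field assignment, and `neighbour_clobbered` is the `pad2 == -1` canary check from the testcase turned into a function. It assumes the x86_64 layout the report describes (little-endian, 32-bit `int`, `pad2` at byte 8), which the static assertions verify rather than trust.

```c
/* Constructed example modelling PR 51759; not GCC's or the reporter's code.
 * Assumes an x86_64-style layout: little-endian, 32-bit int, pad2 at byte 8. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Same layout as the reduced testcase in comment #3. */
struct S {
    int pad0;            /* bytes 0..3 */
    unsigned pad1 : 8;   /* byte 4 */
    unsigned data : 24;  /* bytes 5..7 */
    int pad2;            /* bytes 8..11, directly after the 24-bit field */
};

/* Verify the assumed ABI layout at compile time instead of trusting it. */
_Static_assert(offsetof(struct S, pad2) == 8, "pad2 expected at byte 8");
_Static_assert(sizeof(struct S) == 12, "struct S expected to be 12 bytes");

#define DATA_BYTE_OFFSET 5   /* first byte of 'data': pad2's offset minus 3 */
#define DATA_MASK        0xffffffu

/* What the miscompiled clone did: take the address of the bit-field's first
 * byte and emit a full 32-bit store of the masked value. The fourth byte of
 * that store lands on the first byte of pad2. */
void buggy_set(struct S *s, unsigned val)
{
    uint32_t word = val & DATA_MASK;                 /* and $0xffffff,%eax */
    memcpy((unsigned char *)s + DATA_BYTE_OFFSET,    /* mov %eax,(%rdi)    */
           &word, sizeof word);
}

/* What a correct compiler emits for 'data = val': a read-modify-write that
 * touches only the 24 bits belonging to the field. */
void correct_set(struct S *s, unsigned val)
{
    s->data = val & DATA_MASK;
}

/* The testcase's canary check as a function: fill the neighbour with -1
 * (all bytes 0xff), store to the bit-field through the given setter, and
 * report whether the neighbour changed. Returns 1 if pad2 was clobbered. */
int neighbour_clobbered(void (*set)(struct S *, unsigned), unsigned val)
{
    struct S s;
    memset(&s, 0, sizeof s);
    s.pad2 = -1;
    set(&s, val);
    return s.pad2 != -1;
}

/* Value read back from the bit-field after the store. Both setters leave the
 * field itself correct; only the neighbour differs. */
unsigned field_after(void (*set)(struct S *, unsigned), unsigned val)
{
    struct S s;
    memset(&s, 0, sizeof s);
    set(&s, val);
    return s.data;
}

int main(void)
{
    printf("buggy_set   clobbers pad2: %d\n", neighbour_clobbered(buggy_set, 0));
    printf("correct_set clobbers pad2: %d\n", neighbour_clobbered(correct_set, 0));
    printf("data after buggy_set(0x123456):   0x%x\n", field_after(buggy_set, 0x123456));
    printf("data after correct_set(0x123456): 0x%x\n", field_after(correct_set, 0x123456));
    return 0;
}
```

The point the check makes is that the field's own value reads back correctly in both cases, which is why the `data != val` comparison inside `set()` never fires; only a canary placed in the adjacent member exposes the extra byte written. That is the same reason the original report only surfaced as corruption of the following member variable.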

* [Bug tree-optimization/51759] [4.5 Regression] miscompile writes past end of bitfield
From: jamborm at gcc dot gnu.org @ 2012-01-05 13:39 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51759

Martin Jambor <jamborm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
         AssignedTo|unassigned at gcc dot       |jamborm at gcc dot gnu.org
                   |gnu.org                     |

--- Comment #4 from Martin Jambor <jamborm at gcc dot gnu.org> 2012-01-05 13:39:22 UTC ---
(In reply to comment #3)
> Where 4.6 says:
> 
> Candidate (2069): this
> ! Disqualifying this - Encountered a bit-field access.
> 
> which hints at what needs backporting.
> 
> Martin?

Right, this seems to be PR 45644, for some reason I did not backport
the fix to 4.5.  It should be fixed by committing 
http://gcc.gnu.org/viewcvs?view=revision&revision=164313
I'll do the backport and test it today.



* [Bug tree-optimization/51759] [4.5 Regression] miscompile writes past end of bitfield
From: jamborm at gcc dot gnu.org @ 2012-01-06 13:33 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51759

Martin Jambor <jamborm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |http://gcc.gnu.org/ml/gcc-p
                   |                            |atches/2012-01/msg00300.htm
                   |                            |l

--- Comment #5 from Martin Jambor <jamborm at gcc dot gnu.org> 2012-01-06 13:33:14 UTC ---
Patch backporting the fix has been posted to the mailing list:
http://gcc.gnu.org/ml/gcc-patches/2012-01/msg00300.html



* [Bug tree-optimization/51759] [4.5 Regression] miscompile writes past end of bitfield
From: jamborm at gcc dot gnu.org @ 2012-01-09 18:40 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51759

--- Comment #6 from Martin Jambor <jamborm at gcc dot gnu.org> 2012-01-09 18:40:16 UTC ---
Author: jamborm
Date: Mon Jan  9 18:40:09 2012
New Revision: 183023

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=183023
Log:
2012-01-09  Martin Jambor  <mjambor@suse.cz>

    PR tree-optimization/51759

    Backport from mainline
    2010-09-15  Martin Jambor  <mjambor@suse.cz>

        PR middle-end/45644
        * tree-sra.c (create_access): Check for bit-fields directly.

        * testsuite/gcc.dg/ipa/pr45644.c: New test.
    * testsuite/g++.dg/ipa/pr51759.C: Likewise.


Added:
    branches/gcc-4_5-branch/gcc/testsuite/g++.dg/ipa/pr51759.C
    branches/gcc-4_5-branch/gcc/testsuite/gcc.dg/ipa/pr45644.c
Modified:
    branches/gcc-4_5-branch/gcc/ChangeLog
    branches/gcc-4_5-branch/gcc/testsuite/ChangeLog
    branches/gcc-4_5-branch/gcc/tree-sra.c



* [Bug tree-optimization/51759] [4.5 Regression] miscompile writes past end of bitfield
From: jamborm at gcc dot gnu.org @ 2012-01-09 19:52 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51759

--- Comment #7 from Martin Jambor <jamborm at gcc dot gnu.org> 2012-01-09 19:52:13 UTC ---
Author: jamborm
Date: Mon Jan  9 19:52:06 2012
New Revision: 183029

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=183029
Log:
2012-01-09  Martin Jambor  <mjambor@suse.cz>

        PR tree-optimization/51759
    * g++.dg/ipa/pr51759.C: New test.


Added:
    trunk/gcc/testsuite/g++.dg/ipa/pr51759.C
Modified:
    trunk/gcc/testsuite/ChangeLog



* [Bug tree-optimization/51759] [4.5 Regression] miscompile writes past end of bitfield
From: jamborm at gcc dot gnu.org @ 2012-01-09 20:03 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51759

--- Comment #8 from Martin Jambor <jamborm at gcc dot gnu.org> 2012-01-09 20:03:15 UTC ---
Author: jamborm
Date: Mon Jan  9 20:03:08 2012
New Revision: 183031

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=183031
Log:
2012-01-09  Martin Jambor  <mjambor@suse.cz>

        PR tree-optimization/51759
    * g++.dg/ipa/pr51759.C: New test.


Added:
    branches/gcc-4_6-branch/gcc/testsuite/g++.dg/ipa/pr51759.C
Modified:
    branches/gcc-4_6-branch/gcc/testsuite/ChangeLog



* [Bug tree-optimization/51759] [4.5 Regression] miscompile writes past end of bitfield
From: jamborm at gcc dot gnu.org @ 2012-01-09 20:06 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51759

Martin Jambor <jamborm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #9 from Martin Jambor <jamborm at gcc dot gnu.org> 2012-01-09 20:05:27 UTC ---
I have backported the fix to the 4.5 branch and also committed the testcase to
the 4.6 branch and trunk.  Still it is a duplicate of PR 45644 and so I'm
closing this as such.

*** This bug has been marked as a duplicate of bug 45644 ***

