From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 24047 invoked by alias); 16 Oct 2013 04:18:55 -0000 Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: Sender: gcc-bugs-owner@gcc.gnu.org Received: (qmail 24019 invoked by uid 48); 16 Oct 2013 04:18:51 -0000 From: "marcovanotti15+gcc at gmail dot com" To: gcc-bugs@gcc.gnu.org Subject: [Bug c/58744] New: Illegal Memory Access on 3-byte packed struct ARCH: x86_64 Date: Wed, 16 Oct 2013 04:18:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: c X-Bugzilla-Version: 4.8.1 X-Bugzilla-Keywords: X-Bugzilla-Severity: minor X-Bugzilla-Who: marcovanotti15+gcc at gmail dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2013-10/txt/msg00939.txt.bz2 http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58744 Bug ID: 58744 Summary: Illegal Memory Access on 3-byte packed struct ARCH: x86_64 Product: gcc Version: 4.8.1 Status: UNCONFIRMED Severity: minor Priority: P3 Component: c Assignee: unassigned at gcc dot gnu.org Reporter: marcovanotti15+gcc at gmail dot com Created attachment 31016 --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=31016&action=edit Minimum test case. Compile it and look at the assembly. There is a illegal memory access while trying to access an array of packed struct with 3 unsigned chars as members. If you have an array of such elems, and want to call a function with one of its elems (a copy, not a pointer), while copying it to RDI, it moves a QWORD instead of just 3 bytes. This could end in an illegal memory access (valgrind detects it). Example assembly output (rax is a pointer to the struct elem): mov rdi, QWORD PTR [rax] call apply_filter Attached File: The attached file has a minimal test-case, tested in multiple gcc versions (described below). It defines a pixel struct, and two functions, one that receives a pointer to pixel and another that receives a pixel (not a pointer). The function is called for each pixel, dereferencing it on the function call. How to reproduce: Compile file. Look at the assembly output before the call to apply_filter If it moves more than 3 bytes from [RAX] to RDI, it's a bug. Workaround: If you copy the elem to a local variable before the function call, and then call apply_filter with that variable, it works, because the variable is copied byte by byte. For example (change line 11 for these two lines): k = src[i]; dst[i] = apply_filter(k); Related Notes: If the struct is of 4 chars instead of 3, it moves a DWORD, not a QWORD, if the struct is of 5 o 6, it moves a QWORD again. With 2 chars and 1 chars it moves WORD and BYTE respectively. Compiler Flags: gcc -std=c99 -Wall -Wextra -O0 -c color_filter_c.c -pedantic -o color_filter_bug.asm -S -masm=intel Architecture: x86_64 Tested this bug in: gcc (GCC) 4.8.1 20130725 (prerelease) gcc (Ubuntu/Linaro 4.7.2-2ubuntu1) 4.7.2 gcc (Debian 4.7.2-5) 4.7.2 gcc (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3 Output of gcc -v (for the latest version): Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-unknown-linux-gnu/4.8.1/lto-wrapper Target: x86_64-unknown-linux-gnu Configured with: /build/gcc/src/gcc-4.8-20130725/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-shared --enable-threads=posix --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-clocale=gnu --disable-libstdcxx-pch --enable-gnu-unique-object --enable-linker-build-id --enable-cloog-backend=isl --disable-cloog-version-check --enable-lto --enable-gold --enable-ld=default --enable-plugin --with-plugin-ld=ld.gold --with-linker-hash-style=gnu --disable-install-libiberty --disable-multilib --disable-libssp --disable-werror --enable-checking=release Thread model: posix gcc version 4.8.1 20130725 (prerelease) (GCC)