Subject: [Bug target/58854] [4.8 regression] "sub sp, fp, #40" hoisted above frame accesses
From: "mikpelinux at gmail dot com"
To: gcc-bugs@gcc.gnu.org
Date: Thu, 24 Oct 2013 22:50:00 -0000
Product: gcc | Component: target | Version: 4.8.1 | Keywords: wrong-code | Status: UNCONFIRMED | Target Milestone: 4.8.3

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58854

Mikael Pettersson changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mikpelinux at gmail dot com

--- Comment #2 from Mikael Pettersson ---
Started with r188742. The code generation difference at that revision is:
@@ -115,16 +115,17 @@ bne .L6 .L9: ldr r3, [fp, #-56] + sub sp, fp, #40 ldr r2, [fp, #-60] + mov r0, sl str r6, [r3, #0] ldr r3, [fp, #-52] str r2, [r3, #0] - b .L8 + ldmfd sp, {r4, r5, r6, r7, r8, r9, sl, fp, sp, pc} .L2: + sub sp, fp, #40 mov sl, #0 -.L8: mov r0, sl - sub sp, fp, #40 ldmfd sp, {r4, r5, r6, r7, r8, r9, sl, fp, sp, pc} .L28: b .L23

Hoisting "sub sp, fp, #40" causes several loads, via FP minus an offset, to access locations below SP, and thus be vulnerable to clobbers from asynchronous calls (signal handlers in user-space, exception handlers in the kernel as is the case here).
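Review bot: the added `+ sub sp, fp, #40` at the top of .L9 is placed before `ldr r2, [fp, #-60]` and `ldr r3, [fp, #-52]`, and both of those slots (fp-60, fp-52) lie below the new sp of fp-40, so they are live frame reads from memory that an asynchronous handler is free to overwrite. The removed `.L8` sequence had the ordering right: `mov r0, sl` then `sub sp, fp, #40` immediately followed by the `ldmfd`, so the sp adjustment was the last thing before the pop and no fp-relative access ran with sp already raised. The duplicated `sub sp, fp, #40` on the .L2 path is harmless on its own (only `mov sl, #0` and `mov r0, sl` follow it), which suggests the change meant to sink the epilogue into both predecessors but failed to keep the sp write ordered after the frame loads in .L9; the sp adjustment should be treated as a memory barrier with respect to every access below the new sp.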
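A small check for the pattern the comment describes, added here as an illustration and not part of the bug report or of GCC: it scans ARM assembly text, remembers the most recent `sub sp, fp, #K` in the current basic block (so sp == fp - K), and flags any `ldr`/`str` through `[fp, #-N]` with N > K, since that address is below the new stack pointer. The two embedded samples are constructed from the `+` and `-` sides of the hunk above; the function names, the regexes and the label-resets-state rule are assumptions of this example, not anything the compiler or the reporter provides.

```python
import re

# Constructed sample: the .L9 block as emitted after r188742 (the '+' side of the hunk).
SAMPLE_ASM_HOISTED = """\
.L9:
    ldr r3, [fp, #-56]
    sub sp, fp, #40
    ldr r2, [fp, #-60]
    mov r0, sl
    str r6, [r3, #0]
    ldr r3, [fp, #-52]
    str r2, [r3, #0]
    ldmfd sp, {r4, r5, r6, r7, r8, r9, sl, fp, sp, pc}
"""

# Constructed sample: the same code before r188742 (the '-' side), with sp adjusted
# only in the shared epilogue at .L8, after the last frame access.
SAMPLE_ASM_ORIGINAL = """\
.L9:
    ldr r3, [fp, #-56]
    ldr r2, [fp, #-60]
    str r6, [r3, #0]
    ldr r3, [fp, #-52]
    str r2, [r3, #0]
    b .L8
.L2:
    mov sl, #0
.L8:
    mov r0, sl
    sub sp, fp, #40
    ldmfd sp, {r4, r5, r6, r7, r8, r9, sl, fp, sp, pc}
"""

# 'sub sp, fp, #K'  ->  sp = fp - K
SP_ADJUST = re.compile(r"^\s*sub\s+sp\s*,\s*fp\s*,\s*#(\d+)\b")
# 'ldr rX, [fp, #-N]' / 'str rX, [fp, #-N]'  ->  access at fp - N
FP_ACCESS = re.compile(r"^\s*(ldr|str)\w*\s+\w+\s*,\s*\[fp\s*,\s*#-(\d+)\]")
# a label starts a new basic block; sp may differ on each incoming edge
LABEL = re.compile(r"^\s*\.?\w+:\s*$")


def find_below_sp_accesses(asm):
    """Return [(lineno, instruction, bytes_below_sp)] for fp-relative accesses
    that read or write memory below the stack pointer set earlier in the block.

    Only straight-line code after a 'sub sp, fp, #K' is examined; a label resets
    the tracked sp because control may arrive with a different stack pointer.
    """
    findings = []
    sp_offset = None  # K such that sp == fp - K, or None when unknown
    for lineno, line in enumerate(asm.splitlines(), 1):
        if LABEL.match(line):
            sp_offset = None
            continue
        m = SP_ADJUST.match(line)
        if m:
            sp_offset = int(m.group(1))
            continue
        m = FP_ACCESS.match(line)
        if m and sp_offset is not None:
            n = int(m.group(2))
            if n > sp_offset:  # fp - n is lower than fp - K == sp
                findings.append((lineno, line.strip(), n - sp_offset))
    return findings


if __name__ == "__main__":
    for name, asm in (("hoisted", SAMPLE_ASM_HOISTED), ("original", SAMPLE_ASM_ORIGINAL)):
        hits = find_below_sp_accesses(asm)
        print(f"{name}: {len(hits)} access(es) below sp")
        for lineno, insn, depth in hits:
            print(f"  line {lineno}: {insn}  ({depth} bytes below sp)")
```

On the hoisted sample the check reports the two loads at fp-60 and fp-52 (20 and 12 bytes below the new sp); on the original ordering it reports nothing, because the only `sub sp, fp, #40` is followed directly by the `ldmfd`. The check is deliberately conservative: it does not follow branches, so a block that inherits a lowered sp from a predecessor without its own `sub sp, fp, #K` is not flagged.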