[Bug libc/10107] New: 32-bit PowerPC POWER6 memcpy uses erroneous cmpldi but should use cmplwi

[Bug libc/10107] New: 32-bit PowerPC POWER6 memcpy uses erroneous cmpldi but should use cmplwi

[rsa at us dot ibm dot com]

The 32-bit PowerPC POWER6 memcpy uses the cmpldi insn when it should use a cmplwi.

    /* Compare the contents of register 'r5' to the value '16' where r5 */
    /* holds '12'.  */
    cmpldi      cr1,5,16

This doesn't normally prove to be a problem except when the 'length' parameter
to memcpy, held in register r5 is a computed value and the result has the high
32-bits of the register populated with junk due 64-bit operation (in the error
case a rlwinm insn),e.g.

0x1007c240 <r_gset+152>:        rlwinm  r9,r0,0,0,29
0x1007c244 <r_gset+156>:        addi    r5,r9,16
0x1007c248 <r_gset+160>:        bl      0x100dc750 <memcpy@plt>

This causes the cmpldi to result in 'greater' than when comparing '12' to '16'
which is erroneous.

The correction instruction is cmplwi which ignores the high 32-bits or 'r5':

    cmplwi      cr1,5,16

I'll supply a patch and a testcase shortly.

-- 
           Summary: 32-bit PowerPC POWER6 memcpy uses erroneous cmpldi but
                    should use cmplwi
           Product: glibc
           Version: 2.9
            Status: NEW
          Severity: normal
          Priority: P1
         Component: libc
        AssignedTo: rsa at us dot ibm dot com
        ReportedBy: rsa at us dot ibm dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: powerpc-linux
  GCC host triplet: powerpc-linux
GCC target triplet: powerpc-linux


http://sourceware.org/bugzilla/show_bug.cgi?id=10107

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10107] 32-bit PowerPC POWER6 memcpy uses erroneous cmpldi but should use cmplwi

[rsa at us dot ibm dot com]

------- Additional Comments From rsa at us dot ibm dot com  2009-04-27 17:08 -------
Created an attachment (id=3911)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=3911&action=view)
cmpldi-to-cmplwi.diff

This is a fix to correct usage of cmpldi to cmplwi in the 32-bit POWER6
mem[cpy|set].  I'll attach a testcase shortly.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10107

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10107] 32-bit PowerPC POWER6 memcpy uses erroneous cmpldi but should use cmplwi

[rsa at us dot ibm dot com]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
   Last reconfirmed|0000-00-00 00:00:00         |2009-04-27 17:09:38
               date|                            |


http://sourceware.org/bugzilla/show_bug.cgi?id=10107

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10107] 32-bit PowerPC POWER6 memcpy uses erroneous cmpldi but should use cmplwi

[rsa at us dot ibm dot com]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|rsa at us dot ibm dot com   |drepper at redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=10107

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10107] 32-bit PowerPC POWER6 memcpy uses erroneous cmpldi but should use cmplwi

[rsa at us dot ibm dot com]

------- Additional Comments From rsa at us dot ibm dot com  2009-04-30 15:38 -------
I attempted to produce a standalone testcase that would pass the high-word bits
of r5 as non-zero to the power6 memcpy but I was unable to get the compiler to
cooperate and reproduce the failure that I originally debugged.

Regardless, using cmpldi in 32-bit code is erroneous and in this case can cause
an overwrite of an array if r5 (length) parameter has bits set in the high-word
of the register.

Please check-in.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.10


http://sourceware.org/bugzilla/show_bug.cgi?id=10107

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10107] 32-bit PowerPC POWER6 memcpy uses erroneous cmpldi but should use cmplwi

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2009-06-16 15:30 -------
Patch applied to git.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=10107

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10107] 32-bit PowerPC POWER6 memcpy uses erroneous cmpldi but should use cmplwi

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=10107

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.