Bug 10768

Summary: invalid code generated (affects modutils-2.4.27-alt8)
Product: Sisyphus Reporter: Sergey Vlasov <vsu>
Component: gcc4.1Assignee: Dmitry V. Levin <ldv>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: major    
Priority: P2 CC: glebfm
Version: unstable   
Hardware: all   
OS: Linux   
URL: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=30708
Attachments:
Description Flags
obj_reloc.c - example code
none
obj_reloc.i - preprocessor output
none
obj_reloc.s - compiler output on x86_64
none
obj_reloc.c none

Description Sergey Vlasov 2007-02-04 19:35:26 MSK 
The attached code (reduced version of modutils-2.4.27/obj/obj_reloc.c:
obj_allocate_commons()) is miscompiled by gcc4.1-4.1.1-alt11 (both on x86_64 and
i586):

 - the common_head = NULL initialization is lost, therefore the code uses
uninitialized stack variables (this manifests in depmod crashes at runtime);

 - in the example the last block with calls to do_something() is optimized out
completely.

Compiled with: gcc -S -O2 -Wall -W -fverbose-asm -save-temps obj_reloc.c
Comment 1 Sergey Vlasov 2007-02-04 19:36:27 MSK 
Created attachment 1775 [details]
obj_reloc.c - example code
Comment 2 Sergey Vlasov 2007-02-04 19:36:57 MSK 
Created attachment 1776 [details]
obj_reloc.i - preprocessor output
Comment 3 Sergey Vlasov 2007-02-04 19:39:11 MSK 
Created attachment 1777 [details]
obj_reloc.s - compiler output on x86_64

Notice these problems:

1) The first usage of common head:

	movq	-16(%rbp), %rdx # common_head, temp.33
	testq	%rdx, %rdx	# temp.33
	je	.L14	#,

comes before its initialization (in fact, common_head initialization is not
present in the generated code at all).

2) There are no calls to do_something() - the second loop was optimized out
completely.
Comment 4 Sergey Vlasov 2007-02-04 20:53:35 MSK 
gcc4.1-4.1.1-alt4 on i586 also had the same bug - the result of compiling
modutils-2.4.27-alt8 is:

000003c5 <obj32_allocate_commons>:
 3c5:   55                      push   %ebp
 3c6:   89 e5                   mov    %esp,%ebp
 3c8:   57                      push   %edi
 3c9:   56                      push   %esi
 3ca:   53                      push   %ebx
 3cb:   83 ec 2c                sub    $0x2c,%esp
 3ce:   31 ff                   xor    %edi,%edi
 3d0:   8b 45 08                mov    0x8(%ebp),%eax
 3d3:   8b 4c b8 5c             mov    0x5c(%eax,%edi,4),%ecx
 3d7:   85 c9                   test   %ecx,%ecx
 3d9:   75 08                   jne    3e3 <obj32_allocate_commons+0x1e>
 3db:   eb 53                   jmp    430 <obj32_allocate_commons+0x6b>
 3dd:   8b 09                   mov    (%ecx),%ecx
 3df:   85 c9                   test   %ecx,%ecx
 3e1:   74 4d                   je     430 <obj32_allocate_commons+0x6b>
 3e3:   81 79 10 f2 ff 00 00    cmpl   $0xfff2,0x10(%ecx)
 3ea:   75 f1                   jne    3dd <obj32_allocate_commons+0x18>
 3ec:   8b 55 f0                mov    0xfffffff0(%ebp),%edx
 3ef:   85 d2                   test   %edx,%edx
 3f1:   0f 84 26 01 00 00       je     51d <obj32_allocate_commons+0x158>
...

0xfffffff0(%ebp) is used, but never initialized.

==30744== Conditional jump or move depends on uninitialised value(s)
==30744==    at 0x8057511: obj32_allocate_commons (obj_reloc.c:146)
==30744==    by 0x804A7B2: loadobj (depmod.c:977)
==30744==    by 0x804C680: depmod_main_32 (depmod.c:1727)
==30744==    by 0x804FC02: main (depmod.c:1750)
Comment 5 Dmitry V. Levin 2007-02-05 00:13:50 MSK 
Created attachment 1779 [details]
obj_reloc.c

Even more reduced sample which still gets miscompiled:

$ gcc -S -O2 -Wall -W -fno-stack-protector -fverbose-asm obj_reloc.c
$ fgrep head obj_reloc.s 
	movl	-8(%ebp), %eax	# head, temp.31
$ gcc -S -O1 -Wall -W -fno-stack-protector -fverbose-asm obj_reloc.c
$ fgrep head obj_reloc.s 
	movl	$0, -8(%ebp)	#, head
	movl	-8(%ebp), %eax	# head, temp.29
Comment 6 Dmitry V. Levin 2008-10-18 16:34:01 MSD 
wontfix for gcc4.1
fixed upstream, available in gcc4.3-4.3.2-alt1