Bug 50757

Summary: gcc 2.96 bad codegen with an unused argument in a vararg function
Product: [Retired] Red Hat Linux
Reporter: Martin Sebor <sebor>
Component: gcc
Assignee: Jakub Jelinek <jakub>
Status: CLOSED NEXTRELEASE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 7.1
Hardware: ia64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-10-05 18:32:07 UTC

Description Martin Sebor 2001-08-02 21:02:39 UTC
The program below dumps core when compiled with 2.96 on IA64. The second (unused) argument seems to throw the compiler for a loop. A noteworthy datapoint might be that using the 2nd (size_t) argument in foo (or simply removing it) gets rid of the error.

Regards
Martin

$ cat t.cpp ; gcc -g t.cpp && ./a.out || gdb -q a.out core
#include <stdarg.h>
#include <stdio.h>

void foo (char *buf, size_t, const char *fmt, ...)   // 2nd parameter unnamed and unused: the trigger
{
    va_list list;
    va_start (list, fmt);
    vsprintf (buf, fmt, list);   // unbounded write; the size passed as the 2nd argument is never used
    va_end (list);
}

int main ()
{
    char buf [80];
    foo (buf, sizeof buf, "\"%s\"", "blah blah blah");
}

Segmentation fault (core dumped)
Core was generated by `./a.out'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6.1...done.
Loaded symbols for /lib/libc.so.6.1
Reading symbols from /lib/ld-linux-ia64.so.2...done.
Loaded symbols for /lib/ld-linux-ia64.so.2
#0  0x20000000001504d1 in strlen () at soinit.c:56
56      soinit.c: No such file or directory.
        in soinit.c
(gdb) bt
#0  0x20000000001504d1 in strlen () at soinit.c:56
#1  0x20000000000fc5c0 in _IO_vfprintf (s=0x80000fffffffb6b0, 
    format=0x1 <Address 0x1 out of bounds>, ap=0x80000fffffffb800)
    at vfprintf.c:1524
#2  0x200000000012bd20 in _IO_vsprintf (
    string=0x1 <Address 0x1 out of bounds>, 
    format=0x40000000000009a0 "\"%s\"", args=0x80000fffffffb7f8)
    at iovsprintf.c:47
#3  0x4000000000000790 in foo (buf=0x80000fffffffb830 "\"", 
    fmt=0x40000000000009a0 "\"%s\"") at t.cpp:8
#4  0x20000000000fc5c0 in _IO_vfprintf (s=0x6000000000000b00, 
    format=0x200000000008c6b0 "\002\b", ap=0xc00000000000050d)
    at vfprintf.c:1524
#5  0x20000000000fc5c0 in _IO_vfprintf (s=Cannot access memory at address 0x80000fff7ffffe78
) at vfprintf.c:1524
#6  0x20000000002984b0 in environ () from /lib/libc.so.6.1
#7  0x20000000000fc5c0 in _IO_vfprintf (s=Cannot access memory at address 0x80000fff7ffffc50
) at vfprintf.c:1524
Cannot access memory at address 0x80000fff7ffffe20


Another testcase for the same bug:

$ cat t.cpp ; gcc t.cpp ; ./a.out
#include <stdarg.h>
#include <stdio.h>

void foo (void *p1, size_t, void *p2, ...)   // unnamed size_t: miscompiled
{
    va_list list;
    va_start (list, p2);
    vprintf ("%p\n", list);
    va_end (list);
}

void bar (void *p1, size_t n, void *p2, ...)   // same signature with the size_t named: correct code
{
    va_list list;
    va_start (list, p2);
    vprintf ("%p\n", list);
    va_end (list);
}

int main ()
{
    foo (0, 1, (void*)2);
    bar (0, 1, (void*)2);
}

0x1
0xc000000000000183
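
A regression check for the codegen bug reported above, added here as an example; it is not code from the bug report or from gcc's own testsuite. It keeps the reporter's parameter shape (an unnamed, unused size_t before the last named parameter) next to a named-parameter control, reads the variadic values back with va_arg and compares them to what the caller passed, so a mis-placed va_start shows up as a failed check instead of a crash inside strlen. It also adds the bounded form of foo() that actually uses its size argument. The function names probe_unnamed, probe_named, varargs_regression and format_bounded are this example's own. It is compiled as C++, like the reporter's t.cpp, because C before C23 does not allow an unnamed parameter in a function definition.

```cpp
// Added example, not part of the bug report: a self-checking probe for the
// va_start-after-unnamed-parameter bug, plus a bounded version of foo().
#include <cstdarg>
#include <cstddef>
#include <cstdio>
#include <cstring>

// Same shape as the reporter's foo(): the second parameter is an unnamed,
// unused size_t. The named parameters carry the values we expect to find
// in the variadic part, so the probe needs no magic constants. The string
// is compared by pointer, not by bytes, so a bogus va_list produces a
// failed check rather than a read through a wild pointer.
static int probe_unnamed(int expect_int, size_t, const char *expect_str, ...)
{
    va_list ap;
    va_start(ap, expect_str);
    int got_int = va_arg(ap, int);
    const char *got_str = va_arg(ap, const char *);
    va_end(ap);
    return got_int == expect_int && got_str == expect_str;
}

// Control: identical except that the size_t is named, which the reporter's
// second testcase shows is enough to get correct code out of gcc 2.96.
static int probe_named(int expect_int, size_t n, const char *expect_str, ...)
{
    (void)n;
    va_list ap;
    va_start(ap, expect_str);
    int got_int = va_arg(ap, int);
    const char *got_str = va_arg(ap, const char *);
    va_end(ap);
    return got_int == expect_int && got_str == expect_str;
}

// Runs both probes with the same arguments.
// Returns 0 if both see the values that were passed,
//         1 if only the unnamed-parameter variant fails (the signature of
//           the bug in this report),
//         2 if both fail (the va_arg convention is broken more generally).
int varargs_regression(void)
{
    static const char marker[] = "blah";
    int unnamed_ok = probe_unnamed(42, (size_t)1, marker, 42, marker);
    int named_ok   = probe_named(42, (size_t)1, marker, 42, marker);
    if (unnamed_ok && named_ok) return 0;
    if (!unnamed_ok && named_ok) return 1;
    return 2;
}

// The bounded form of the reporter's foo(): the size_t is named and handed
// to vsnprintf, so the output cannot overrun buf whatever the format and
// arguments are. Returns the length the full output would have had, so the
// caller can detect truncation (result >= n).
int format_bounded(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return len;
}

int main()
{
    char buf[8];   // deliberately smaller than the formatted output
    int len = format_bounded(buf, sizeof buf, "\"%s\"", "blah blah blah");
    printf("regression=%d formatted=%s needed=%d bytes\n",
           varargs_regression(), buf, len);
    return 0;
}
```

On a correct compiler varargs_regression() returns 0 and the bounded call returns 16 while leaving only the first seven characters plus a terminator in buf. On a gcc 2.96 IA64 build affected by this bug the expectation is a return of 1 from varargs_regression(), since only the unnamed-parameter probe sees the wrong slot.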

Comment 1 Jakub Jelinek 2001-08-20 14:33:18 UTC
This bug is in gcc 3.0 and CVS trunk too.
See http://gcc.gnu.org/ml/gcc-patches/2001-08/msg01172.html
for a fix (waiting for review).

Comment 2 Jakub Jelinek 2001-08-23 13:59:17 UTC
Should be fixed in gcc-2.96-97.

Comment 3 Vladimir Makarov 2004-10-05 18:32:07 UTC
gcc-2.96 is too old.  Its release cycle was finished long ago.  Also
Jakub wrote about fixing the bug in gcc-2.96-97.  I can also confirm
that it is fixed in gcc-3.2.  Therefore I am closing the case.  If it
is still important, the customer could reopen it.