Description of problem:
The attached test case (derived from doset () in sh.set.c from tcsh) should read "val = *ptr" using a 16-bit read, but it uses a 32-bit read. When *ptr is located at the end of a page, this can cause a SIGSEGV.

Version-Release number of selected component (if applicable):
gcc-3.2.3-53

How reproducible:
gcc -S -O1 foo2.c && less foo2.s

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
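The following C harness is an added illustration of the failure mode the description names; it is not the test case attached to this report. It maps a readable page followed by a PROT_NONE guard page, stores a 16-bit value in the last two bytes of the readable page, and then performs one load of the requested width at that address. A 2-byte load (what "val = *ptr" should compile to) returns the value; a 4-byte load at the same address, which is what the miscompiled code emitted, runs into the guard page and faults. The fault is caught with a SIGSEGV/SIGBUS handler and reported as -1, so the harness can double as a runtime regression check for a rebuilt toolchain. The function names and the sample value 0x1234 are my own choices.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Jump target for the fault handler; siglongjmp() returns us to the probe. */
static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Map two pages and make the second one inaccessible. Returns the base of the
   readable page (or NULL on failure) and the total mapping length in *len_out. */
static unsigned char *map_with_guard(size_t *len_out)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0)
        return NULL;
    size_t len = 2 * (size_t)pg;
    unsigned char *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return NULL;
    if (mprotect(region + pg, (size_t)pg, PROT_NONE) != 0) {
        munmap(region, len);
        return NULL;
    }
    *len_out = len;
    return region;
}

/* Perform a single load of `width` bytes (2 or 4) starting at the last two
   bytes of the readable page. Returns the value read, -1 if the load faulted,
   or -2 if the mapping could not be set up. The 4-byte case is deliberately a
   misaligned, page-crossing access: it models a compiler widening a 16-bit
   load to 32 bits on the assumption that the pointer is 4-byte aligned. */
long probe_page_end_load(int width)
{
    size_t len;
    unsigned char *region = map_with_guard(&len);
    if (!region)
        return -2;
    unsigned char *at = region + (len / 2) - 2;
    uint16_t sample = 0x1234;           /* constructed sample value */
    memcpy(at, &sample, sizeof sample);  /* endian-independent store */

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* strict-alignment targets raise SIGBUS */

    volatile long result;               /* volatile: survives the siglongjmp */
    if (sigsetjmp(fault_env, 1) == 0) {
        if (width == 2)
            result = *(volatile uint16_t *)at;   /* the correct 16-bit read */
        else
            result = *(volatile uint32_t *)at;   /* the widened 32-bit read */
    } else {
        result = -1;                             /* the load faulted */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(region, len);
    return result;
}

int main(void)
{
    long narrow = probe_page_end_load(2);
    long wide = probe_page_end_load(4);
    printf("16-bit load at page end: %s (0x%lx)\n",
           narrow >= 0 ? "ok" : "FAULT", narrow);
    printf("32-bit load at page end: %s\n",
           wide == -1 ? "FAULT (the bug's symptom)" : "no fault");
    return 0;
}
```

The `volatile` casts force the compiler to emit a load of exactly the requested width, so the harness tests the memory layout rather than the compiler; to check the compiler itself, inspect the generated assembly for `movzwl` versus `movl` as done later in this report.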
Created attachment 119594 [details] Simplified reproducer
Created attachment 119595 [details] Output - note line 15
*** Bug 169842 has been marked as a duplicate of this bug. ***
*** Bug 169843 has been marked as a duplicate of this bug. ***
From a quick look at it, the problem seems to be in register %rbp being used: although it is not the hard frame pointer in that function, it is assumed to have some properties of the hard frame pointer, particularly alignment. The movhi_1 insn will use movl rather than movw or movzw if it knows the memory is 4 byte aligned.
Created attachment 119632 [details] gcc32-pr13041.patch

Backported patch that seems to fix it.
I applied the patch at comment#6 and compiled the test case and tcsh by it.

# cat foo2.s
        .file   "foo2.c"
        .text
.globl doset
        .type   doset,@function
doset:
.LFB2:
        subq    $24, %rsp
.LCFI0:
        movq    %rbx, 8(%rsp)
.LCFI1:
        movq    %rbp, 16(%rsp)
.LCFI2:
        movq    %rdi, %rbx
        movq    (%rdi), %rbp
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
        movzwl  (%rbp), %eax
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        testw   %ax, %ax
        je      .L3
        je      .L3
        movl    $0, %eax
        call    fn

# gdb ./tcsh
(gdb) disas doset
...
0x00000000004260af <doset+444>:    lea    0x14(%rsp),%rsi
0x00000000004260b4 <doset+449>:    mov    %rbp,%rdi
0x00000000004260b7 <doset+452>:    callq  0x42623b <getinx>
0x00000000004260bc <doset+457>:    mov    %rax,%rbp
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
0x00000000004260bf <doset+460>:    movzwl 0x0(%rbp),%ebx
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
0x00000000004260c3 <doset+464>:    test   %bx,%bx
...

In both cases, movzwl is used instead of mov. Does this fact mean the problem is fixed?
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0147.html