Red Hat Bugzilla – Bug 169845
"short" accessed as a 32-bit word with -O1
Last modified: 2007-11-30 17:07:08 EST
Description of problem:
The attached test case (derived from doset () in sh.set.c from tcsh)
should read "val = *ptr" using a 16-bit read, but it uses a 32-bit read.
When *ptr is located at end of a page, this can cause a SIGSEGV.
Version-Release number of selected component (if applicable):
gcc -S -O1 foo2.c && less foo2.s
Steps to Reproduce:
Created attachment 119594
Created attachment 119595
Output - note line 15
*** Bug 169842 has been marked as a duplicate of this bug. ***
*** Bug 169843 has been marked as a duplicate of this bug. ***
From a quick look, the problem seems to be that register %rbp is being used
and, although it is not the hard frame pointer in that function, it is assumed
to have some properties of the hard frame pointer, particularly alignment.
The movhi_1 insn will use movl rather than movw or movzw if it knows the
memory is 4-byte aligned.
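The failure mode described above, as an added example that is not part of the bug thread or its attachments: a 16-bit value is placed in the last two bytes of a readable page followed by an inaccessible guard page, and a child process touches either 2 or 4 bytes starting at that address. It simulates the two access widths with byte reads and does not reproduce the GCC bug itself; the function names and the sample value are assumptions.

```c
/* Added example with hypothetical names; simulates access widths only. */
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Map two pages, revoke access to the second, and return a pointer to a
 * 16-bit value stored in the last two bytes of the first (readable) page. */
unsigned short *short_at_page_end(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    unsigned char *m = mmap(NULL, 2 * (size_t)ps, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED || mprotect(m + ps, (size_t)ps, PROT_NONE) != 0)
        return NULL;
    unsigned short *p = (unsigned short *)(m + ps - sizeof *p);
    *p = 0x1234;                      /* constructed sample value */
    return p;
}

/* Touch `width` bytes starting at p in a child process. Returns 0 if the
 * reads completed, the fatal signal number if the child died, -1 on error. */
int read_in_child(const void *p, size_t width)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        const volatile unsigned char *b = p;
        unsigned char sink = 0;
        for (size_t i = 0; i < width; i++)
            sink ^= b[i];             /* bytes 2 and 3 lie in the guard page */
        (void)sink;
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    unsigned short *p = short_at_page_end();
    if (!p) return 1;
    printf("16-bit read: signal %d\n", read_in_child(p, sizeof(short)));
    printf("32-bit read: signal %d\n", read_in_child(p, sizeof(int)));
    return 0;
}
```

The returned pointer is 2-byte aligned but not 4-byte aligned, so a load that assumes 4-byte alignment reads two bytes past the end of the mapped page.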
Created attachment 119632
Backported patch that seems to fix it.
I applied the patch at comment #6 and compiled the test case and tcsh with it.
# cat foo2.s
subq $24, %rsp
movq %rbx, 8(%rsp)
movq %rbp, 16(%rsp)
movq %rdi, %rbx
movq (%rdi), %rbp
movzwl (%rbp), %eax
testw %ax, %ax
movl $0, %eax
# gdb ./tcsh
(gdb) disas doset
0x00000000004260af <doset+444>: lea 0x14(%rsp),%rsi
0x00000000004260b4 <doset+449>: mov %rbp,%rdi
0x00000000004260b7 <doset+452>: callq 0x42623b <getinx>
0x00000000004260bc <doset+457>: mov %rax,%rbp
0x00000000004260bf <doset+460>: movzwl 0x0(%rbp),%ebx
0x00000000004260c3 <doset+464>: test %bx,%bx
In both cases, movzwl is used instead of mov. Does this fact mean the problem is
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.