Description of problem:
The following small C program shows this egcs compiler bug. It happens with egcs options -O2 and -O3. egcs -O1 and gcc -O3 are fine. The result is overwriting a large chunk of memory.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. *egcs_loop_bug.c*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <stdlib.h>

#define SIZE 0x60000000 /* Test showed that alloc of large size results in
                           chunk that includes address 0x8000 0000 */

int main(void)
{
    char *ptr;
    int *d1, *d2;
    int i;

    d1 = (int *)calloc(4, sizeof(int));

    /* Try to allocate chunk that includes address 0x8000 0000. */
    ptr = (char *)malloc(SIZE);
    printf("ptr: %p end: %p\n", ptr, ptr + SIZE);

    if (ptr < (char *)0x80000000 && ptr + SIZE > (char *)0x80000000) {
        printf("Address 0x8000 0000 in ptr\n");
        d2 = (int *)0x80000000 - 4;   /* four ints ending exactly at 0x8000 0000 */
    } else {
        d2 = (int *)ptr;
    }
    printf("d1: %p d2: %p\n", d1, d2);

    /* The loop that egcs -O2/-O3 miscompiles. */
    for (i = 0; i < 4; i++) {
        d2[i] = d1[i];
    }
    return 0;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2. /usr/bin/egcs egcs_loop_bug.c -O3 -o egcs_loop_bug
3.
pinkfloyd-c> egcs_loop_bug
ptr: 0x4016f008 end: 0xa016f008
Address 0x8000 0000 in ptr
d1: 0x8049680 d2: 0x7ffffff0
Segmentation fault (core dumped)    <======
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The for(;;) loop above results in:

0x8048497 <main+87>:    call   0x804834c <printf>
0x804849c <main+92>:    mov    %ebx,%edx
0x804849e <main+94>:    mov    %edi,%ecx
0x80484a0 <main+96>:    lea    0xc(%edx),%ebx         <== %ebx has end pointer
0x80484a3 <main+99>:    mov    (%ecx),%eax
0x80484a5 <main+101>:   mov    %eax,(%edx)
0x80484a7 <main+103>:   add    $0x4,%edx
0x80484aa <main+106>:   add    $0x4,%ecx
0x80484ad <main+109>:   cmp    %ebx,%edx
0x80484af <main+111>:   jle    0x80484a3 <main+99>    <== loop

(gdb) break *0x80484a7
Breakpoint 1 at 0x80484a7

Breakpoint 1, 0x080484a7 in main ()
2: $ebx = 2147483644
1: $edx = 2147483632
(gdb) nexti
0x080484aa in main ()
2: $ebx = 2147483644
1: $edx = 2147483636
(gdb) cont
Continuing.

Breakpoint 1, 0x080484a7 in main ()
2: $ebx = 2147483644
1: $edx = 2147483636
(gdb) cont
Continuing.

Breakpoint 1, 0x080484a7 in main ()
2: $ebx = 2147483644
1: $edx = 2147483640
(gdb) cont
Continuing.

Breakpoint 1, 0x080484a7 in main ()
2: $ebx = 2147483644
1: $edx = 2147483644
(gdb) nexti
0x080484aa in main ()
2: $ebx = 2147483644
1: $edx = -2147483648
(gdb) nexti
0x080484ad in main ()
2: $ebx = 2147483644
1: $edx = -2147483648
(gdb) nexti
0x080484af in main ()          <== Loop should end here
2: $ebx = 2147483644
1: $edx = -2147483648
(gdb) nexti
0x080484a3 in main ()          <== but we continue
2: $ebx = 2147483644
1: $edx = -2147483648
(gdb) cont
Continuing.

Breakpoint 1, 0x080484a7 in main ()
2: $ebx = 2147483644
1: $edx = -2147483648
(gdb)
Continuing.

Breakpoint 1, 0x080484a7 in main ()
2: $ebx = 2147483644
1: $edx = -2147483644
(gdb)
Continuing.

Breakpoint 1, 0x080484a7 in main ()
2: $ebx = 2147483644
1: $edx = -2147483640
(gdb)
Continuing.
......
Potentially overwriting large chunks of memory!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Actual results:
endless loop.

Expected results:

Additional info:
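The mechanism behind the runaway is visible in the cmp/jle pair: jle is a signed comparison, and once %edx crosses 0x80000000 it is negative as a signed 32-bit value, so it stays "less than or equal to" %ebx no matter how far it advances. The following is an added example, not code from the bug report, that emulates the generated loop on 32-bit register values and runs its exit test both as egcs emitted it (signed, jle) and as a pointer comparison needs to be (unsigned, jbe). The addresses are the ones from the gdb session above; the iteration cap is an assumption of the example, used only to detect the loop that never terminates.

```c
#include <stdint.h>
#include <stdio.h>

/* Exit test as egcs emitted it: "cmp %ebx,%edx ; jle" is a SIGNED compare. */
int keep_going_signed(uint32_t edx, uint32_t ebx)
{
    return (int32_t)edx <= (int32_t)ebx;
}

/* Exit test a pointer loop needs: "cmp %ebx,%edx ; jbe" is an UNSIGNED compare. */
int keep_going_unsigned(uint32_t edx, uint32_t ebx)
{
    return edx <= ebx;
}

/*
 * Emulate the copy loop from the disassembly on 32-bit register values:
 *   lea 0xc(%edx),%ebx        -> ebx = start + 12 (address of the last int)
 *   loop: store; add $4,%edx; cmp %ebx,%edx; j?? loop
 * Returns the number of stores performed before the loop exits, or -1 if it
 * is still running after `cap` stores (cap is an assumption of this example,
 * used only to detect the runaway loop).
 */
long emulate_loop(uint32_t start, int (*keep_going)(uint32_t, uint32_t), long cap)
{
    uint32_t ebx = start + 12;
    uint32_t edx = start;
    long stores = 0;

    do {
        stores++;          /* mov %eax,(%edx) */
        edx += 4;          /* add $0x4,%edx: wraps modulo 2^32 like the register */
        if (stores > cap)
            return -1;
    } while (keep_going(edx, ebx));

    return stores;
}

int main(void)
{
    /* d2 from the gdb session: 0x7ffffff0, four ints ending at 0x80000000 */
    uint32_t d2 = 0x7ffffff0u;

    printf("signed exit test   (jle): %ld stores\n",
           emulate_loop(d2, keep_going_signed, 1000));
    printf("unsigned exit test (jbe): %ld stores\n",
           emulate_loop(d2, keep_going_unsigned, 1000));
    /* d2 away from 0x80000000 (the else branch of the repro): both tests agree */
    printf("signed exit test, low address: %ld stores\n",
           emulate_loop(0x4016f008u, keep_going_signed, 1000));
    return 0;
}
```

With d2 at 0x7ffffff0 the unsigned test stops after the four stores the source loop asked for, while the signed test is still storing when the cap is hit; with d2 at the low address both agree on four. That is the whole defect: the optimizer rewrote an index-counted loop into a pointer comparison but kept a signed compare, which is only equivalent while start and end lie on the same side of 0x80000000.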
This is an issue with the egcs package, which isn't included in RHEL 2.1.