Bug 222625 - egcs compiler bug
Status: CLOSED CANTFIX
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: redhat-release
Version: 2.1
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Dennis Gregorovic
Reported: 2007-01-15 06:18 EST by Pramila
Modified: 2007-11-30 17:06 EST
Last Closed: 2007-01-15 10:58:53 EST
Doc Type: Bug Fix

Description Pramila 2007-01-15 06:18:24 EST
Description of problem:

The following small C program shows this egcs compiler bug.
It happens with egcs options -O2 and -O3.
egcs -O1 and gcc -O3 are fine.
The result is overwriting a large chunk of memory.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
 *egcs_loop_bug.c*
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #include <stdio.h>
 #include <stdlib.h>

 #define SIZE    0x60000000      /* Test showed that an allocation of this
                                    size results in a chunk that includes
                                    address 0x8000 0000 */

 int main(void)
 {
          char *ptr;
          int *d1, *d2;
          int i;

          /* Source buffer: four zeroed ints on the low heap. */
          d1 = (int *)calloc(4, sizeof(int));

          /* Try to allocate a chunk that includes address 0x8000 0000. */
          ptr = (char *)malloc(SIZE);

          printf("ptr: %p end: %p\n", ptr, ptr + SIZE);

          if (ptr < (char *)0x80000000 && ptr + SIZE > (char *)0x80000000)
          {
                  /* Destination: the 16 bytes just below 0x8000 0000, so the
                     copy loop's store pointer crosses 0x7fffffff -> 0x80000000. */
                  printf("Address 0x8000 0000 in ptr\n");
                  d2 = (int *)0x80000000 - 4;
          }
          else
          {
                  d2 = (int *)ptr;
          }

          printf("d1: %p d2: %p\n", d1, d2);

          /* With egcs -O2/-O3 this loop is compiled with a signed compare (jle)
             on the pointers, so it keeps running once d2 passes 0x7fffffff. */
          for (i = 0; i < 4; i++)
          {
                  d2[i] = d1[i];
          }
          return 0;
 }
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. /usr/bin/egcs egcs_loop_bug.c -O3 -o egcs_loop_bug

3.
 pinkfloyd-c> egcs_loop_bug
 ptr: 0x4016f008 end: 0xa016f008
 Address 0x8000 0000 in ptr
 d1: 0x8049680 d2: 0x7ffffff0
 Segmentation fault (core dumped)    <======

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 The for(;;) loop above results in:
 0x8048497 <main+87>:    call   0x804834c <printf>
 0x804849c <main+92>:    mov    %ebx,%edx
 0x804849e <main+94>:    mov    %edi,%ecx
 0x80484a0 <main+96>:    lea    0xc(%edx),%ebx    <== %ebx has end pointer
 0x80484a3 <main+99>:    mov    (%ecx),%eax
 0x80484a5 <main+101>:   mov    %eax,(%edx)
 0x80484a7 <main+103>:   add    $0x4,%edx
 0x80484aa <main+106>:   add    $0x4,%ecx
 0x80484ad <main+109>:   cmp    %ebx,%edx
 0x80484af <main+111>:   jle    0x80484a3 <main+99>  <== loop

 (gdb) break *0x80484a7
 Breakpoint 1 at 0x80484a7
 Breakpoint 1, 0x080484a7 in main ()
 2: $ebx = 2147483644
 1: $edx = 2147483632
 (gdb) nexti
 0x080484aa in main ()
 2: $ebx = 2147483644
 1: $edx = 2147483636
 (gdb) cont
 Continuing.

 Breakpoint 1, 0x080484a7 in main ()
 2: $ebx = 2147483644
 1: $edx = 2147483636
 (gdb) cont
 Continuing.

 Breakpoint 1, 0x080484a7 in main ()
 2: $ebx = 2147483644
 1: $edx = 2147483640
 (gdb) cont
 Continuing.

 Breakpoint 1, 0x080484a7 in main ()
 2: $ebx = 2147483644
 1: $edx = 2147483644
 (gdb) nexti
 0x080484aa in main ()
 2: $ebx = 2147483644
 1: $edx = -2147483648
 (gdb) nexti
 0x080484ad in main ()
 2: $ebx = 2147483644
 1: $edx = -2147483648
 (gdb) nexti
 0x080484af in main ()    <== Loop should end here
 2: $ebx = 2147483644
 1: $edx = -2147483648
 (gdb) nexti
 0x080484a3 in main ()    <== but we continue
 2: $ebx = 2147483644
 1: $edx = -2147483648
 (gdb) cont
 Continuing.

 Breakpoint 1, 0x080484a7 in main ()
 2: $ebx = 2147483644
 1: $edx = -2147483648
 (gdb)
 Continuing.

 Breakpoint 1, 0x080484a7 in main ()
 2: $ebx = 2147483644
 1: $edx = -2147483644
 (gdb)
 Continuing.

 Breakpoint 1, 0x080484a7 in main ()
 2: $ebx = 2147483644
 1: $edx = -2147483640
 (gdb)
 Continuing.
 ......
 Potentially overwriting large chunks of memory!!

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

Actual results: endless loop.


Expected results: 


Additional info:
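The gdb trace above shows why the loop never ends: `jle` is a signed comparison, so once %edx advances from 0x7ffffffc to 0x80000000 it is read as -2147483648, which is below the end pointer in %ebx, and the branch back to main+99 is taken again. The following C program is an added example, not the reporter's code, that replays the emitted store/add/cmp/branch sequence with the register values from the trace (the TRACE_* constants and the replay_loop helper are constructed here) and contrasts the signed `jle` with the unsigned `jbe` form that a pointer comparison requires. The signed replay is capped so it returns instead of spinning.

```c
#include <stdint.h>
#include <stdio.h>

/* Register values taken from the gdb trace in the report (constructed
   constants): d2 as printed, and %ebx = d2 + 0xc, the end pointer. */
#define TRACE_D2  0x7ffffff0u   /* d2: 0x7ffffff0 */
#define TRACE_EBX 0x7ffffffcu   /* $ebx = 2147483644 */

/* `cmp %ebx,%edx; jle` is taken when edx <= ebx as signed 32-bit values. */
int jle_taken(uint32_t edx, uint32_t ebx)
{
    return (int32_t)edx <= (int32_t)ebx;
}

/* `jbe` is the unsigned form, which is what comparing two addresses needs. */
int jbe_taken(uint32_t edx, uint32_t ebx)
{
    return edx <= ebx;
}

/* Replay the emitted loop body: one store at edx, advance by 4, compare with
   the end pointer, repeat while the branch is taken.  `cap` bounds the replay
   so the non-terminating variant returns instead of spinning; a result equal
   to cap means the loop never exited on its own. */
unsigned replay_loop(uint32_t d2, uint32_t end, int use_signed, unsigned cap)
{
    unsigned stores = 0;
    uint32_t edx = d2;
    do {
        stores++;               /* mov %eax,(%edx): one 4-byte store */
        edx += 4;               /* add $0x4,%edx */
    } while (stores < cap &&
             (use_signed ? jle_taken(edx, end) : jbe_taken(edx, end)));
    return stores;
}

int main(void)
{
    uint32_t end = TRACE_D2 + 12;   /* lea 0xc(%edx),%ebx */
    printf("end pointer: 0x%08x (as signed: %d)\n", (unsigned)end, (int)(int32_t)end);
    printf("at %%edx = 0x80000000: jle taken=%d, jbe taken=%d\n",
           jle_taken(0x80000000u, end), jbe_taken(0x80000000u, end));
    printf("stores with unsigned compare: %u\n",
           replay_loop(TRACE_D2, end, 0, 1000));
    printf("stores with signed compare:   %u (hit cap)\n",
           replay_loop(TRACE_D2, end, 1, 1000));
    return 0;
}
```

With the unsigned compare the replay performs exactly the four stores the source loop asks for and stops when %edx reaches 0x80000000; with the signed compare it runs until the cap, which is the runaway write the report describes. Checking which branch mnemonic a compiler emits for a pointer comparison (`jbe`/`jb` versus `jle`/`jl`) is the quickest way to confirm this class of miscompilation in a disassembly.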
Comment 1 Dennis Gregorovic 2007-01-15 10:58:53 EST
This is an issue with the egcs package, which isn't included in RHEL 2.1.  
