This is the mail archive of the
gcc-bugs@gcc.gnu.org
mailing list for the GCC project.
egcs 1.1.2, sparc code generator bug
- To: egcs-bugs at egcs dot cygnus dot com
- Subject: egcs 1.1.2, sparc code generator bug
- From: Juergen Keil <jk at tools dot de>
- Date: Mon, 17 May 1999 16:40:02 +0200 (MET DST)
- Reply-To: Juergen Keil <jk at tools dot de>
Hi,
I'd like to report a bug with the sparc code generator in
gcc version egcs-2.91.66 19990314 (egcs-1.1.2 release)
egcs-1.1.2 was configured via './configure' (no options),
on a sparc solaris 7 system. egcs-1.1.2 was compiled with
'make bootstrap'.
The following programme demonstrates the bug. The problem
is inside the while loop, with the statement ``*p++ = data_tmp;''.
egcs-1.1.2 generates a call to memcpy to copy the data from
'data_tmp' to 'p', but increments the pointer 'p' to the
next array element before 'p' is passed as parameter to memcpy.
Expected output from the programme is '55555555' (the data set up in
the 'fetch' function) but an egcs-1.1.2 compiled version prints
'aaaaaaaa' (and corrupts the malloc heap).
% /home/leo/src/gnu/egcs-1.1.2/gcc/xgcc -B/home/leo/src/gnu/egcs-1.1.2/gcc/ -v
Reading specs from /home/leo/src/gnu/egcs-1.1.2/gcc/specs
gcc version egcs-2.91.66 19990314 (egcs-1.1.2 release)
% /home/leo/src/gnu/egcs-1.1.2/gcc/xgcc -B/home/leo/src/gnu/egcs-1.1.2/gcc/ -o bug2 bug2.c
% bug2
aaaaaaaa
%
(the problem does not occur with egcs-1.1.1)
----------------------------------------------------------
#include <stdlib.h>
struct {
long sqlcode;
} sqlca;
struct data_record {
int dummy;
int a[100];
} *data_ptr, data_tmp;
int
num_records()
{
return 1;
}
void
fetch()
{
static int fetch_count;
memset(&data_tmp, 0x55, sizeof(data_tmp));
sqlca.sqlcode = (++fetch_count > 1 ? 100 : 0);
}
void
load_data() {
struct data_record *p;
int num = num_records();
data_ptr = malloc(num * sizeof(struct data_record));
memset(data_ptr, 0xaa, num * sizeof(struct data_record));
fetch();
p = data_ptr;
while (sqlca.sqlcode == 0) {
*p++ = data_tmp;
fetch();
}
}
main()
{
load_data();
printf("%x\n", data_ptr[0].dummy);
}
----------------------------------------------------------
Here's the generated assembly code:
.stabn 68,0,37,.LM13-load_data
.LM13:
mov 170,%o1
call memset,0
mov %l0,%o2
.stabn 68,0,39,.LM14-load_data
.LM14:
call fetch,0
nop
.stabn 68,0,41,.LM15-load_data
.LM15:
sethi %hi(sqlca),%o0
ld [%o0+%lo(sqlca)],%o0
cmp %o0,0
bne .LL7
ld [%l1+%lo(data_ptr)],%l0
sethi %hi(data_tmp),%l2
sethi %hi(sqlca),%l1
.stabn 68,0,42,.LM16-load_data
.LM16:
add %l0,404,%l0 <-- 'p' is incremented before (!) it is
passed as parameter to memcpy
.LL10:
mov %l0,%o0
or %l2,%lo(data_tmp),%o1
call memcpy,0
mov 404,%o2
.stabn 68,0,43,.LM17-load_data
.LM17:
call fetch,0
nop
.stabn 68,0,44,.LM18-load_data
.LM18:
ld [%l1+%lo(sqlca)],%o0
cmp %o0,0
be .LL10
add %l0,404,%l0
.LL7:
.stabn 68,0,45,.LM19-load_data
.LM19:
.LLBE3:
--
Juergen Keil jk@tools.de
Tools GmbH +49 (228) 9858011