I have discussed this issue with Andrew Pinski on IRC, but I figured it should be logged here as well. I have been investigating some crashes in Eclipse, a Java application which uses GTK+. The crashes are reproducable using the Sun 1.5 VM when GTK+ is compiled with -march=pentium4, and go away with -march=pentium3 or -march=pentium4 -mno-sse2. gcc 3.4.x. Below are the registers and a disassembly I extracted from the bytes of the code at the current PC (this information is included in the VM crash logs). Note that ESP is not properly aligned. Andrew's theory on IRC was that this is a duplicate of bug 10395, and may be caused by the Sun VM not aligning its stack when calling into JNI code. Are there any other options? Does the disassembly of the instructions below provide any further insight or help to confirm this theory? Crash 1: EAX=0x00000001, EBX=0x4e4888e4, ECX=0x0859fb38, EDX=0x0859eda8 ESP=0xbfffb32c, EBP=0x083b2270, ESI=0x0859fae8, EDI=0x4e3a2cd6 EIP=0x4e3a2b3d, CR2=0x00000000, EFLAGS=0x00210202 00894424 add [bx+di+2444],cl 08F2 or dl,dh 0F108B6C6F movups xmm1,[bp+di+6F6C] F6FF idiv (b) bh 8B5124 mov dx,[bx+di+24] 660F294C24 movapd [si+24],xmm1 10F2 adc dl,dh 0F105220 movups xmm2,[bp+si+20] 660F57D1 xorpd xmm2,xmm1 F2 ... Crash 2: EAX=0x08486ef8, EBX=0x4e454880, ECX=0x4e577bd5, EDX=0x08480f70 ESP=0xbfffaddc, EBP=0x08480da0, ESI=0x08480df0, EDI=0x08480da0 EIP=0x4e373c03, CR2=0x00000000, EFLAGS=0x00210202 00894424 add [bx+di+2444],cl 08F2 or dl,dh 0F108B5063 movups xmm1,[bp+di+6350] F6FF idiv (b) bh 8B4624 mov ax,[bp+24] 660F294C24 movapd [si+24],xmm1 10F2 adc dl,dh 0F105020 movups xmm2,[bx+si+20] 660F57D1 xorpd xmm2,xmm1 F2 ... Crash 3 and 4: EAX=0x00000017, EBX=0xb14bd1d8, ECX=0x086c3db8, EDX=0x086c9860 ESP=0xbfffbb24, EBP=0xbfffbb9c, ESI=0x086c99d0, EDI=0x086c3db8 EIP=0xb13c7b4d, CR2=0x00000008, EFLAGS=0x00010202 00894424 add [bx+di+2444],cl 08F2 or dl,dh 0F108B283E movups xmm1,[bp+di+3E28] F6FF idiv (b) bh 8B4A24 mov cx,[bp+si+24] 660F294DA8 movapd [di-58],xmm1 F20F105120 movsd xmm2,[bx+di+20] 660F57D1 xorpd xmm2,xmm1 F20F ... The Eclipse bug is here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=79618
Of course, right after I post this someone comes up with a log where the disassembly doesn't make as much sense, but still at least shows some SSE2 :) EAX=0x00000001, EBX=0xa971c0e8, ECX=0xa91f4860, EDX=0x085922b8 ESP=0xbfffacbc, EBP=0x08595730, ESI=0x08595780, EDI=0x08595730 EIP=0xa962ff8f, CR2=0x00000000, EFLAGS=0x00210202 8B5624 mov dx,[bp+24] F20F108BD842 movsd xmm1,[bp+di+42D8] F6FF idiv (b) bh F20F105220 movsd xmm2,[bp+si+20] 660F294C24 movapd [si+24],xmm1 10660F adc [bp+0F],ah 57 push di D1F2 RESERVED (w) dx,1 0F2CC2 cvttps2pi mm0,xmm2 8944 ...
As it is not clear above, the PC at the crash is always on this instruction: 660F294C24 movapd [si+24],xmm1
Of course, it seems that my disassembler has been defaulting to 16 bit and not 32 bit. Here is the correct disassembly from one of the crashes. It's reading from [esp+0x10] which is clearly an unaligned stack read. 00000000 0089442408F2 add [ecx+0xf2082444],cl 00000006 0F108B6C6FF6FF umov [ebx+0xfff66f6c],cl 0000000D 8B5124 mov edx,[ecx+0x24] 00000010 660F294C2410 o16 movaps [esp+0x10],xmm1 00000016 F20F105220 repne umov [edx+0x20],dl 0000001B 660F57D1 o16 xorps xmm2,xmm1 0000001F F2 db 0xF2
Old, no version, no activity, Eclipse bug closed as WONTFIX, so we do the same.