Bug 27192 - call through function pointer goes to wrong address
Summary: call through function pointer goes to wrong address
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: target (show other bugs)
Version: 4.1.0
: P3 normal
Target Milestone: 4.5.0
Assignee: Not yet assigned to anyone
URL:
Keywords: wrong-code
Depends on:
Blocks:
 
Reported: 2006-04-18 05:32 UTC by John Regehr
Modified: 2009-12-29 21:25 UTC (History)
4 users (show)

See Also:
Host: i686-linux-gnu
Target: avr
Build:
Known to work:
Known to fail: 4.1.0 4.1.1 4.1.2 4.2.0
Last reconfirmed: 2007-05-30 19:23:35


Attachments
Pre-processed testcase. (219 bytes, text/plain)
2007-04-04 00:24 UTC, Eric Weddington
Details
Disassembly of the shifty3.i test case. (879 bytes, text/plain)
2007-04-04 00:25 UTC, Eric Weddington
Details

Note You need to log in before you can comment on or make changes to this bug.
Description John Regehr 2006-04-18 05:32:23 UTC
The program below confuses gcc in such a way that it generates code loading the byte-address of bar() into the Z register, which causes icall to jump off to neverneverland.  Rather, the double-byte address of bar() should be loaded into Z before the indirect call.

This bug is also present in gcc 4.0.3 and 3.4.3.

avr-gcc -v gives:

Target: avr
Configured with: ../gcc-4.1.0/configure --prefix=/home/regehr/gcc-4.1.0-avr-bin --disable-libssp --disable-nls --target=avr
Thread model: single
gcc version 4.1.0

Compile with:

  avr-gcc -Os -Wall shifty.c -o shifty.elf

Program:

struct fseqp_void
{
    void (*p) (void);
    char *e;
};

struct fseqp_void c[2];

void bar (void)
{
}

void foo (void)
{
    int i;
    for (i=0; i<32; i++);
}

int main (void)
{
    c[0].e = (char *)bar + 2;
    c[0].p = bar;
    foo ();
    struct fseqp_void x = c[0];
    void (*start) (void) = x.p;
    (*start)();
    return 0;
}
Comment 1 Eric Weddington 2007-03-30 19:55:05 UTC
Dr. John,

Can you provide additional information:
- What AVR processor was this compiled for? You don't have the required -mmcu= flag in your command line.

- Can you provide a disassembly listing showing the problem?

I don't necessarily see the problem with my 4.1.1 compiler, -mmcu=atmega128. Maybe I'm just dense.

Eric

Comment 2 Eric Weddington 2007-04-04 00:24:34 UTC
Created attachment 13324 [details]
Pre-processed testcase.
Comment 3 Eric Weddington 2007-04-04 00:25:42 UTC
Created attachment 13325 [details]
Disassembly of the shifty3.i test case.
Comment 4 Eric Weddington 2007-04-04 00:38:35 UTC
Confirmed bug.

shifty3.i is a test case showing the problem. Compiled with avr-gcc 4.1.2, with:
avr-gcc -Os shifty.c -o shifty.o

shifty3.dis is a disassembly of shifty.o (with avr-objdump -d shifty.o).

The problem is exhibited here:

0000005a <main>:
  5a:	89 e2       	ldi	r24, 0x29	; 41
  5c:	90 e0       	ldi	r25, 0x00	; 0
  5e:	90 93 61 00 	sts	0x0061, r25
  62:	80 93 60 00 	sts	0x0060, r24
  66:	82 e5       	ldi	r24, 0x52	; 82
  68:	92 e0       	ldi	r25, 0x02	; 2
  6a:	90 93 64 00 	sts	0x0064, r25
  6e:	80 93 63 00 	sts	0x0063, r24
  72:	e0 91 60 00 	lds	r30, 0x0060
  76:	f0 91 61 00 	lds	r31, 0x0061
  7a:	09 95       	icall
  7c:	e0 91 63 00 	lds	r30, 0x0063
  80:	f0 91 64 00 	lds	r31, 0x0064
  84:	09 95       	icall

The correct word address of the function foo is taken and stored (address 5a to 62), but then the *byte* address of the function foo is taken, and an offset added, and stored (address 66 to 6e). The following indirect call (address 7c to 84) is then incorrect. The PC has to be a *word* address.

Adding a fixed offset to a function pointer, and then doing an indirect call, is valid in an AVR application as it is possible to copy or place functions at fixed offsets like this.

Please mark this bug as NEW.
Known to fail: 4.1.1, 4.1.2
Comment 5 Eric Weddington 2007-05-30 19:23:34 UTC
Bug still present in 4.2.0, and 4.3-20070525.

To test bug (fixed from last comment):
avr-gcc -Os shifty3.i -o shifty3.o
avr-objdump -d shifty3.o > shifty3.dis
Compare output.
Comment 6 Wouter van Gulik 2008-01-20 19:30:32 UTC
Bug is still present in 4.2.2.

Some more info:

I rewrote the example to (atleast for me) little more clear example.

struct fseqp_void
{
    void (*p) (void);
    char *e;
};

struct fseqp_void c;

void bar (void){}

int main (void)
{
    c.e = (char *)bar + 2;
    c.p = bar;
    c.p();
    return 0;
}

The problem is the re-use after loading bar into the struct:

	ldi r24,lo8(bar+2)          <<Hmm this should need gs() I guess
	ldi r25,hi8(bar+2)
	sts (c+2)+1,r25
	sts c+2,r24
	sbiw r24,2                  <<Sub 2, but we also need a shift!
	sts (c)+1,r25
	sts c,r24

However if comment out the dump the load off the variable e, then all is well

int main (void)
{
    //c.e = (char *)bar + 2;
    c.p = bar;
    c.p();
    return 0;
}

	ldi r24,lo8(gs(bar))
	ldi r25,hi8(gs(bar))
	sts (c)+1,r25
	sts c,r24
	ldi r24,lo8(0)
	ldi r25,hi8(0)

And if the order of assigment is reverted then all is well also

    c.e = (char *)bar + 2;
    c.p = bar;
    c.p();
    return 0;

	ldi r24,lo8(gs(bar))
	ldi r25,hi8(gs(bar))
	sts (c)+1,r25
	sts c,r24
	adiw r24,2
	sts (c+2)+1,r25
	sts c+2,r24
	ldi r24,lo8(0)
	ldi r25,hi8(0)

So the problem is the optimizer, which forget that the 16-bit program address is different from the data address.
Comment 7 Andy Hutchinson 2009-12-24 20:01:34 UTC
Fixed 4.5