Bug 28749 - Miscompilation of glibc/stdio-common/vfprintf.c, invalid delay slot fill.
Status: RESOLVED INVALID
Alias: None
Product: gcc
Classification: Unclassified
Component: middle-end
Version: 4.2.0
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords: wrong-code
Depends on:
Blocks:
 
Reported: 2006-08-16 05:20 UTC by Carlos O'Donell
Modified: 2006-11-15 08:06 UTC

See Also:
Host: hppa-linux
Target: hppa-linux
Build: hppa-linux
Known to work:
Known to fail:
Last reconfirmed:


Description Carlos O'Donell 2006-08-16 05:20:02 UTC
This is a regression since 4.1 and 4.0 compile vfprintf.c correctly.

I am using gcc trunk to build libc / libc-ports head. I have a regression in tst-printfsz which is part of the glibc testsuite. The problem is a miscompilation of glibc/stdio-common/vfprintf.c by GCC.

The bug is as follows:
Location 1 jumps to location 2.
Compiler moves first insn at location 2 to location 1's branch delay slot.
Location 3 computes a goto to location 2.
Because the first insn at location 2 was moved, the program now crashes.

The concrete debugging example:

The first insn "ldil L%4000,r21" is moved to location 1's branch delay slot.

Location 3:
   468cc:       ea a0 c0 02     bv,n r0(r21)
 
   r21 == (0x403d3000 + 0x4928c) and is part of "goto *ptr"

Location 1:
   478b4:       82 9c 93 a4     cmpb,<< ret0,r20,4928c <_IO_vfprintf+0x322c>
   478b8:       22 a2 00 00     ldil L%4000,r21

Location 2:                      
   4928c:       36 b5 0a d9     ldo -1a94(r21),r21
   49290:       08 75 0a 15     add,l r21,r3,r21
   49294:       0e a0 10 95     ldw 0(r21),r21
   49298:       92 a0 30 00     cmpiclr,<> 0,r21,r0
   4929c:       e8 1e 0f 45     b,l 46a44 <_IO_vfprintf+0x9e4>,r0
   492a0:       34 15 3f ff     ldi -1,r21

The code at location 3 jumps to location 2, and does not execute the required "ldil L%4000,r21"

The computed goto should create edges to all the label addresses taken by &&, and that should prevent the branch delay slot fill from occurring.

I am recompiling glibc with CFLAGS-vfprintf.c += -fno-delayed-branch to see if it passes the tst-printfsz test.

How should I proceed on this issue? I have tried to create a testcase, but I haven't been successful.
Comment 1 Andrew Pinski 2006-08-16 05:22:17 UTC
Yes, a testcase is needed.
Comment 2 Carlos O'Donell 2006-08-16 05:56:21 UTC
Building vfprintf.c with -fno-delayed-branch is a workaround.
Comment 3 Carlos O'Donell 2006-08-16 06:48:49 UTC
Dumping vfprintf.c compile with -S and -da

        ; basic block 131
.LBE379:
.LBB380:
.LBB380:
        ; vfprintf.c:1448
        .loc 2 1448 0
        ldw 8(%r3),%r28
        ldil L'16384,%r22
        ldb 0(%r28),%r21
.LVL339:
        ldo -6804(%r22),%r22
        extrs %r21,31,8,%r28
        addl %r22,%r3,%r22
        stw %r28,0(%r22)
        ldo -32(%r21),%r20
        ldi 90,%r28 
        extru %r20,31,8,%r20
        ; vfprintf.c:1562
        .loc 2 1562 0
        ; vfprintf.c:1448
        .loc 2 1448 0
        comb,<< %r28,%r20,.L1104
        ldil L'16384,%r21
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Incorrect delay slot fill.

        ; basic block 313
.LVL557:
.L1104:
.LBE425:
.LBE418:
.LBE417:
.LBB426:
        ; vfprintf.c:1562
        .loc 2 1562 0
        ldo -6804(%r21),%r21
        addl %r21,%r3,%r21
        ldw 0(%r21),%r21

bb 313 is missing the first insn.

The output of vfprintf.c.157r.dbr shows:

(barrier 18544 18543 2803)

(note 2803 18544 14801 ("vfprintf.c") 1561)

(note 14801 2803 14802 ( size (expr_list:REG_DEP_TRUE (reg/v:SI 5 %r5 [orig:281 size ] [281])
    (const_int 0 [0x0]))) NOTE_INSN_VAR_LOCATION)

(note 14802 14801 14803 ( function_done (nil)) NOTE_INSN_VAR_LOCATION)

(note 14803 14802 14804 ( size (expr_list:REG_DEP_TRUE (reg/v:SI 5 %r5 [orig:280 size ] [280])
    (const_int 0 [0x0]))) NOTE_INSN_VAR_LOCATION)

(note 14804 14803 14805 ( __self (expr_list:REG_DEP_TRUE (reg/v/f:SI 5 %r5 [orig:364 __self ] [364])
    (const_int 0 [0x0]))) NOTE_INSN_VAR_LOCATION)

(note 14805 14804 14806 ( ptr (expr_list:REG_DEP_TRUE (reg/v/f:SI 21 %r21 [orig:346 ptr ] [346])
    (const_int 0 [0x0]))) NOTE_INSN_VAR_LOCATION)

(note 14806 14805 2804 ( size (expr_list:REG_DEP_TRUE (reg/v:SI 5 %r5 [orig:282 size ] [282])
    (const_int 0 [0x0]))) NOTE_INSN_VAR_LOCATION)

(code_label/s 2804 14806 2805 242 ("do_form_unknown") [1 uses])

(note 2805 2804 2806 [bb 313] NOTE_INSN_BASIC_BLOCK)

(note 2806 2805 14807 ("vfprintf.c") 1562)

(note 14807 2806 19223 ( ptr (nil)) NOTE_INSN_VAR_LOCATION)

(code_label 19223 14807 8862 1104 "" [2 uses])

(insn 8862 19223 8863 vfprintf.c:1562 (set (reg/f:SI 21 %r21)
        (plus:SI (reg/f:SI 21 %r21)
            (const_int -6804 [0xffffe56c]))) 114 {addsi3} (nil)
    (expr_list:REG_EQUAL (const_int 9580 [0x256c])
        (nil))) 

And the set has been moved into bb 131

(insn 19224 831 14145 vfprintf.c:1562 (sequence [
            (jump_insn:TI 833 831 8861 vfprintf.c:1448 (set (pc)
                    (if_then_else (gtu (reg:SI 20 %r20 [782])
                            (reg:SI 28 %r28 [783]))
                        (label_ref:SI 19223)
                        (pc))) -1 (nil)
                (expr_list:REG_BR_PRED (const_int 4 [0x4])
                    (expr_list:REG_DEAD (reg:SI 20 %r20 [782])
                        (expr_list:REG_DEAD (reg:SI 28 %r28 [783])
                            (expr_list:REG_EQUAL (if_then_else (gtu (reg:SI 20 %r20 [782])
                                        (const_int 90 [0x5a]))
                                    (label_ref:SI 19223)
                                    (pc))
                                (expr_list:REG_BR_PROB (const_int 5000 [0x1388])
                                    (nil)))))))
            (insn/s:TI 8861 833 14145 (set (reg/f:SI 21 %r21)
                    (const_int 16384 [0x4000])) 37 {*pa.md:2482} (nil)
                (nil))
        ]) -1 (nil)
    (nil)) 

While vfprintf.c.156r.barriers shows:

(barrier 12266 12265 2803)
(note 2803 12266 14801 ("vfprintf.c") 1561)
(note 14801 2803 14802 ( size (expr_list:REG_DEP_TRUE (reg/v:SI 5 %r5 [orig:281 size ] [281])
    (const_int 0 [0x0]))) NOTE_INSN_VAR_LOCATION)
(note 14802 14801 14803 ( function_done (nil)) NOTE_INSN_VAR_LOCATION)
(note 14803 14802 14804 ( size (expr_list:REG_DEP_TRUE (reg/v:SI 5 %r5 [orig:280 size ] [280])
    (const_int 0 [0x0]))) NOTE_INSN_VAR_LOCATION)
(note 14804 14803 14805 ( __self (expr_list:REG_DEP_TRUE (reg/v/f:SI 5 %r5 [orig:364 __self ] [364])
    (const_int 0 [0x0]))) NOTE_INSN_VAR_LOCATION)
(note 14805 14804 14806 ( ptr (expr_list:REG_DEP_TRUE (reg/v/f:SI 21 %r21 [orig:346 ptr ] [346])
    (const_int 0 [0x0]))) NOTE_INSN_VAR_LOCATION)
(note 14806 14805 2804 ( size (expr_list:REG_DEP_TRUE (reg/v:SI 5 %r5 [orig:282 size ] [282])
    (const_int 0 [0x0]))) NOTE_INSN_VAR_LOCATION)
(code_label/s 2804 14806 2805 242 ("do_form_unknown") [5 uses])
(note 2805 2804 2806 [bb 313] NOTE_INSN_BASIC_BLOCK)
(note 2806 2805 8861 ("vfprintf.c") 1562)
(insn:TI 8861 2806 14807 vfprintf.c:1562 (set (reg/f:SI 21 %r21)
        (const_int 16384 [0x4000])) 37 {*pa.md:2482} (nil)
    (nil))  

That is, it is still present in the correct basic block before dbr, and the label and barriers are present.
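
The control-flow shape described in this report, as an added C example that is not part of the bug report and is not a confirmed reproducer: `do_form_unknown` is entered both by a direct range-check branch and through `goto *ptr`, and the self-check verifies that both entries give the same result. The function names, the three-entry table, the frame size and the marker value are hypothetical; the range check (`spec - 32` against 90) and the frame offset 9580 are taken from the dumps in comment 3.

```c
#include <stdio.h>

#define SLOT (9580 / sizeof(int))  /* frame offset from the REG_EQUAL note */

/* Hypothetical reduction of a jump-table printf core: returns 1 or 2 for
   known conversions and -1 from do_form_unknown. */
int dispatch(unsigned char spec)
{
    /* Every label whose address is taken is a possible goto *ptr target. */
    static const void *const table[] = {
        &&do_form_percent, &&do_form_integer, &&do_form_unknown
    };
    volatile int frame[4096];   /* constructed 16 KiB frame */
    const void *ptr;
    frame[SLOT] = 0x5a;         /* constructed marker value */
    if ((unsigned char)(spec - ' ') > 'z' - ' ')
        goto do_form_unknown;   /* entry 1: direct conditional branch */
    ptr = table[spec == '%' ? 0 : spec == 'd' ? 1 : 2];
    goto *ptr;                  /* entry 2: computed goto */

do_form_percent:
    return 1;
do_form_integer:
    return 2;
do_form_unknown:
    /* The slot load must see a fully formed address on both entry paths. */
    return frame[SLOT] - 0x5a - 1;
}

/* Returns how many probes produced an unexpected result. */
int check_entry_paths(void)
{
    static const struct { unsigned char spec; int want; } probes[] = {
        { '%', 1 }, { 'd', 2 },
        { 'x', -1 },                 /* in range: arrives via goto *ptr */
        { 0x01, -1 }, { 0xff, -1 }   /* out of range: direct branch */
    };
    int bad = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        bad += dispatch(probes[i].spec) != probes[i].want;
    return bad;
}

int main(void)
{
    int bad = check_entry_paths();
    printf("%d mismatching entry path(s)\n", bad);
    return bad != 0;
}
```

Building it for the target once with and once without -fno-delayed-branch and comparing the exit status shows whether both entry paths still agree.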
Comment 4 Andrew Pinski 2006-11-15 08:06:10 UTC
No testcase in 3 months so closing.