Bug 51759 - [4.5 Regression] miscompile writes past end of bitfield
Summary: [4.5 Regression] miscompile writes past end of bitfield
Status: RESOLVED DUPLICATE of bug 45644
Alias: None
Product: gcc
Classification: Unclassified
Component: tree-optimization
Version: 4.5.2
: P3 normal
Target Milestone: 4.5.4
Assignee: Martin Jambor
URL: http://gcc.gnu.org/ml/gcc-patches/201...
Keywords: wrong-code
Depends on:
Blocks:
 
Reported: 2012-01-05 09:34 UTC by nobled
Modified: 2012-01-09 20:05 UTC

See Also:
Host:
Target:
Build:
Known to work: 4.4.6, 4.6.0
Known to fail:
Last reconfirmed: 2012-01-05 00:00:00


Attachments
output of `gcc -v -save-temps` (1.33 KB, text/plain)
2012-01-05 09:35 UTC, nobled
pre-processed file (gzip-compressed) (178.66 KB, application/x-gzip)
2012-01-05 09:38 UTC, nobled

Description nobled 2012-01-05 09:34:50 UTC
Compiling the attached preprocessed file with this:
g++-4.5 -Os -fPIC -g -pedantic -Wno-long-long -fno-exceptions -o Type2.cpp.o -c Type2.ii

Results in writing 32 bits to a 24-bit bitfield, overwriting the first byte of the next member variable.

These two members of class Type are (on x86_64) at offset 0x8:
  TypeID   ID : 8;
  unsigned SubclassData : 24;

When setSubclassData() isn't inlined, it's called (from StructType::setBody() and PointerType's constructor) with the address of 'SubclassData' in %rdi...:

   0x00007ffff76d684f <+71>:	lea 0x9(%rdi),%r12
   0x00007ffff76d6853 <+75>:	or $0x1,%esi
   0x00007ffff76d6856 <+78>:	mov %r12,%rdi
   0x00007ffff76d6859 <+81>:	callq 0x7ffff76d6774 <llvm::Type::setSubclassData(unsigned int)>

...but then, setSubclassData writes more than 24 bits to that address:

   0x00007ffff76d6774 <+0>:	mov %esi,%eax
   0x00007ffff76d6776 <+2>:	sub $0x8,%rsp
   0x00007ffff76d677a <+6>:	and $0xffffff,%eax
   0x00007ffff76d677f <+11>:	cmp %esi,%eax
   0x00007ffff76d6781 <+13>:	mov %eax,(%rdi) # corruption
Comment 1 nobled 2012-01-05 09:35:51 UTC
Created attachment 26244 [details]
output of `gcc -v -save-temps`
Comment 2 nobled 2012-01-05 09:38:45 UTC
Created attachment 26245 [details]
pre-processed file (gzip-compressed)
Comment 3 Richard Biener 2012-01-05 10:00:37 UTC
It's a bug in IPA-SRA that creates non-mode-size stores:

void llvm::Type::_ZN4llvm4Type15setSubclassDataEj.clone.1(unsigned int:24*, unsigned int) (<unnamed-unsigned:24> * ISRA.6, unsigned int val)
{
...
<bb 2>:
  D.87358_2 = (<unnamed-unsigned:24>) val_1(D);
  *ISRA.6_8(D) = D.87358_2;

I think this has been fixed in 4.6 (not on the 4.5 branch though) which
no longer performs this substitution.  You can work around this using
-fno-ipa-sra.

The following is a simplified testcase:

extern "C" void abort (void);
struct S
{
  /* noinline so IPA-SRA can replace 'this' with a pointer to 'data'.  */
  void __attribute__((noinline)) set(unsigned val)
    {
      data = val;
      if (data != val)
        abort ();
    }
  int pad0;
  unsigned pad1 : 8;
  unsigned data : 24;
  int pad2;   /* lives right after the 24-bit field; a 32-bit store hits it.  */
};
int main()
{
  S s;
  s.pad2 = -1;       /* sentinel */
  s.set(0);
  if (s.pad2 != -1)  /* fails if the store spilled past the bit-field */
    abort ();
}

Where 4.6 says:

Candidate (2069): this
! Disqualifying this - Encountered a bit-field access.

which hints at what needs backporting.

Martin?
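The corruption that the description and the GIMPLE dump in comment 3 describe, as an added C example that is not part of the report: it models the x86_64 layout at offset 8 (little-endian assumed), emulates the full 32-bit store the IPA-SRA clone performed at the bit-field's byte address, and checks the neighbouring member for damage. The struct, the setters and probe_setter are invented names for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the llvm::Type layout from the report: on x86_64 the
   8-bit ID and 24-bit SubclassData share one 32-bit unit at offset 8, and
   the next member starts at offset 12 (names and layout are assumptions). */
struct type_like {
    void *vptr_like;          /* 8 bytes, so the bit-fields land at offset 8 */
    unsigned ID : 8;
    unsigned SubclassData : 24;
    int next_member;          /* the member the report saw overwritten */
};

/* The example relies on the victim member sitting at offset 12. */
_Static_assert(offsetof(struct type_like, next_member) == 12, "layout");

/* A correct setter: the compiler confines the store to bits 8..31 of the
   unit at offset 8 (a masked read-modify-write). */
static void set_correct(struct type_like *t, unsigned val)
{
    t->SubclassData = val & 0xffffffu;
}

/* Emulation of the miscompiled IPA-SRA clone: the caller passed the byte
   address of SubclassData (offset 9, "lea 0x9(%rdi)") and the callee did a
   full 32-bit "mov %eax,(%rdi)" there, so byte 12 is written as well. */
static void set_buggy(struct type_like *t, unsigned val)
{
    unsigned char *p = (unsigned char *)t + 9;  /* bytes 9..11 hold the 24 bits */
    uint32_t v = val & 0xffffffu;               /* "and $0xffffff,%eax" */
    memcpy(p, &v, sizeof v);                    /* 4 bytes: offsets 9..12 */
}

/* Run a setter against a sentinel-filled object and report what changed.
   Returns 0 if only SubclassData changed, 1 if ID or next_member was
   clobbered, 2 if SubclassData itself does not read back. */
int probe_setter(void (*setter)(struct type_like *, unsigned), int *next_out)
{
    struct type_like t;
    memset(&t, 0, sizeof t);
    t.ID = 0x5a;
    t.next_member = -1;                         /* like s.pad2 = -1 in the testcase */
    setter(&t, 0x123456u);
    if (next_out)
        *next_out = t.next_member;
    if (t.SubclassData != 0x123456u)
        return 2;
    return (t.ID != 0x5a || t.next_member != -1) ? 1 : 0;
}
```

Calling probe_setter(set_buggy, &n) from a main returns 1 and leaves n == -256: the sentinel with its low byte zeroed by the fourth byte of the masked value, exactly the pattern the report's pad2 check catches.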
Comment 4 Martin Jambor 2012-01-05 13:39:22 UTC
(In reply to comment #3)
> Where 4.6 says:
> 
> Candidate (2069): this
> ! Disqualifying this - Encountered a bit-field access.
> 
> which hints at what needs backporting.
> 
> Martin?

Right, this seems to be PR 45644, for some reason I did not backport
the fix to 4.5.  It should be fixed by committing 
http://gcc.gnu.org/viewcvs?view=revision&revision=164313
I'll do the backport and test it today.
Comment 5 Martin Jambor 2012-01-06 13:33:14 UTC
Patch backporting the fix has been posted to the mailing list:
http://gcc.gnu.org/ml/gcc-patches/2012-01/msg00300.html
Comment 6 Martin Jambor 2012-01-09 18:40:16 UTC
Author: jamborm
Date: Mon Jan  9 18:40:09 2012
New Revision: 183023

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=183023
Log:
2012-01-09  Martin Jambor  <mjambor@suse.cz>

	PR tree-optimization/51759

	Backport from mainline
	2010-09-15  Martin Jambor  <mjambor@suse.cz>

        PR middle-end/45644
        * tree-sra.c (create_access): Check for bit-fields directly.

        * testsuite/gcc.dg/ipa/pr45644.c: New test.
	* testsuite/g++.dg/ipa/pr51759.C: Likewise.


Added:
    branches/gcc-4_5-branch/gcc/testsuite/g++.dg/ipa/pr51759.C
    branches/gcc-4_5-branch/gcc/testsuite/gcc.dg/ipa/pr45644.c
Modified:
    branches/gcc-4_5-branch/gcc/ChangeLog
    branches/gcc-4_5-branch/gcc/testsuite/ChangeLog
    branches/gcc-4_5-branch/gcc/tree-sra.c
Comment 7 Martin Jambor 2012-01-09 19:52:13 UTC
Author: jamborm
Date: Mon Jan  9 19:52:06 2012
New Revision: 183029

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=183029
Log:
2012-01-09  Martin Jambor  <mjambor@suse.cz>

        PR tree-optimization/51759
	* g++.dg/ipa/pr51759.C: New test.


Added:
    trunk/gcc/testsuite/g++.dg/ipa/pr51759.C
Modified:
    trunk/gcc/testsuite/ChangeLog
Comment 8 Martin Jambor 2012-01-09 20:03:15 UTC
Author: jamborm
Date: Mon Jan  9 20:03:08 2012
New Revision: 183031

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=183031
Log:
2012-01-09  Martin Jambor  <mjambor@suse.cz>

        PR tree-optimization/51759
	* g++.dg/ipa/pr51759.C: New test.


Added:
    branches/gcc-4_6-branch/gcc/testsuite/g++.dg/ipa/pr51759.C
Modified:
    branches/gcc-4_6-branch/gcc/testsuite/ChangeLog
Comment 9 Martin Jambor 2012-01-09 20:05:27 UTC
I have backported the fix to the 4.5 branch and also committed the testcase to the 4.6 branch and trunk.  Still it is a duplicate of PR 45644 and so I'm closing this as such.

*** This bug has been marked as a duplicate of bug 45644 ***