c++/1920: g++ -O1 optimization bug in casting a reference argument

mdejong@redhat.com mdejong@redhat.com
Fri Feb 9 01:26:00 GMT 2001 

>Number:         1920
>Category:       c++
>Synopsis:       g++ -O1 optimization bug in casting a reference argument
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 09 01:26:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     mdejong@redhat.com
>Release:        unknown-1.0
>Organization:
>Environment:
I ran into this bug on a Red Hat Linux 6.2 (Intel) box.
>Description:
I tested this with older gccs (like 2.95.2) and with
a CVS snapshot from 02-04-2001, both display problems
when -O1 is used.

% g++ -v
Reading specs from /mnt/image/install_egcs/bin/../lib/gcc-lib/i686-pc-linux-gnu/2.97/specs
Configured with: ../egcs/configure --prefix=/export/home/mdejong/jazz/install_egcs --enable-shared --enable-haifa --enable-threads=posix --enable-languages=c,c++,java --enable-java-gc=boehm --enable-fast-character
gcc version 2.97 20010204 (experimental)

>How-To-Repeat:
Compile without optimization, the compile
with optimization to see the bug in action.

% g++ -g -o foo foo.cc
% ./foo 
OK

% g++ -O1 -o foo foo.cc
% ./foo
ERROR : 40000000 80, should be 800000 80


When compiled with -O1, the following
asm code is generated for Foo::bar()

1	0x8048620	<Foo::bar(unsigned&)>:		        push   %ebp
2	0x8048621	<Foo::bar(unsigned&)+1>:		mov    %esp,%ebp
3	0x8048623	<Foo::bar(unsigned&)+3>:		mov    0xc(%ebp),%eax
4	0x8048626	<Foo::bar(unsigned&)+6>:		movl   $0x800000,(%eax)
5	0x804862c	<Foo::bar(unsigned&)+12>:		mov    $0x80,%eax
6	0x8048631	<Foo::bar(unsigned&)+17>:		pop    %ebp
7	0x8048632	<Foo::bar(unsigned&)+18>:		ret    


The ptr %eax was 0xbffff4a0, printing out this memory before
and after step 4 shows that it was changed from 0x40000000
to 0x00800000.

The problem is, the memory written to does not seem
to be the same memory location where the calling frame
thinks a lives. The calling frame seems to keep
a in the %ebx register, when returning from the
function you can see that the original a has
not been modified but the memory has.

(gdb) printf "%x",a
40000000
(gdb) printf "%x",*0xbffff4a0
800000
(gdb) print &a
Error: Address requested for identifier "a" which is in a register.

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
----gnatsweb-attachment----
Content-Type: application/octet-stream; name="foo.cc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="foo.cc"

I2luY2x1ZGUgPHN0ZGlvLmg+CmNsYXNzIEZvbyB7CnB1YmxpYzoKICAgIGludCBiYXIodW5zaWdu
ZWQgJik7Cn07CgppbnQgRm9vOjpiYXIodW5zaWduZWQgJmJsYWgpIHsKICAgIGJsYWggPSAweDAw
ODAwMDAwOwogICAgcmV0dXJuIDEyODsKfQoKaW50IG1haW4gKGludCBhcmdjLCBjaGFyICoqYXJn
dikgewogICAgRm9vIGZvbzsKICAgIGludCBhID0gMHg0MDAwMDAwMDsKICAgIGludCBiID0gMDsK
ICAgIGIgPSBmb28uYmFyKCh1bnNpZ25lZCkgYSk7CiAgICBpZiAoYSA9PSAweDAwODAwMDAwICYm
CiAgICAgICAgYiA9PSAweDgwKSB7CiAgICAgICAgcHJpbnRmKCJPS1xuIik7CiAgICAgICAgcmV0
dXJuIDA7CiAgICB9IGVsc2UgewogICAgICAgIHByaW50ZigiRVJST1IgOiAleCAleCwgc2hvdWxk
IGJlICV4ICV4XG4iLCBhLCBiLCAweDAwODAwMDAwLCAweDgwKTsKICAgICAgICByZXR1cm4gMTsK
ICAgIH0KfQoK

More information about the Gcc-bugs mailing list