c/6884: Gcc for NEC v850 overwrites return address
veikko.turkia@enermet.fi
veikko.turkia@enermet.fi
Fri May 31 03:46:00 GMT 2002
>Number: 6884
>Category: c
>Synopsis: Gcc for NEC v850 overwrites return address
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: unassigned
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri May 31 03:46:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: veikko.turkia@enermet.fi
>Release: 2.96-xscale-010827
>Organization:
>Environment:
cross compiler for NEC v850,
running on Red Hat Linux release 7.1 (seawolf),
kernel 2.4.2-2 on an i686
>Description:
The function has one parameter and passes a pointer to that parameter
to the next function.
The parameter arrives in a register, so it must be spilled to the stack
before its address can be passed on.
The store that spills the parameter overwrites lp (the saved return address),
so the function returns into whatever value the caller passed in that parameter.
>How-To-Repeat:
compile partest.c with v850-gcc -O2 and run
objdump -d a.out to see the assembler output;
partest.c is at the beginning of partest.txt.
In _test1 below, the slot holding the saved lp (SP-4) is overwritten by the spill
of r6, and __return_r28_r31 later reloads lp from that same slot, so test1 returns
to the value of its argument (95, passed from main) instead of to its caller.
>Fix:
Workaround only (not a fix):
copy the parameter into a local variable and pass the address of
that local to the next function; this seems to avoid the bug.
The underlying defect is in the compiler's frame layout (the parameter's
spill slot coincides with the lp save slot written by __save_r28_r31), so
the workaround should be verified in the disassembly of every affected
function rather than assumed, and the real fix belongs in the v850 back end.
>Release-Note:
>Audit-Trail:
>Unformatted:
----gnatsweb-attachment----
Content-Type: text/plain; name="partest.txt"
Content-Disposition: inline; filename="partest.txt"
/*
 * Copy cnt ints from fromPtr to toPtr and return the number copied.
 *
 * NOTE(review): this file is a compiler-bug reproducer; the source is kept
 * byte-identical so that the objdump listing below still corresponds to it.
 *
 * toPtr   destination array (must hold at least cnt ints)
 * fromPtr source array (must hold at least cnt ints)
 * cnt     number of ints to copy; the loop runs while cnt-- is non-zero, so a
 *         negative cnt does not terminate until the counter wraps (signed
 *         overflow, undefined behaviour)
 * mode    unused
 * returns the number of elements copied (equal to cnt for cnt >= 0)
 */
int readf( int *toPtr, int *fromPtr, int cnt, int mode )
{
int j;
j = 0; /* copied-element counter */
while ( cnt-- ) /* post-decrement: cnt is -1 once the loop exits */
{
*toPtr++ = *fromPtr++;
j++;
} /* while */
return j;
}
/*
 * Copy cnt ints from fromPtr into both to1Ptr and to2Ptr. Always returns 0.
 *
 * In test1 this is the callee that receives &par, i.e. the address of a
 * register parameter that the caller had to spill to the stack; the spill
 * in the caller's prologue is where the return address gets overwritten.
 *
 * to1Ptr, to2Ptr destination arrays (each at least cnt ints)
 * fromPtr        source array (at least cnt ints); read twice per iteration
 * cnt            number of ints to copy; same negative-cnt caveat as readf
 * returns        0
 */
int writef( int *to1Ptr, int *to2Ptr, int *fromPtr, int cnt )
{
while ( cnt-- )
{
*to1Ptr++ = *fromPtr;
*to2Ptr++ = *fromPtr++;
} /* while */
return 0;
}
/* Globals used by test1: sum accumulates buffer[], par2/par3 receive the value
 * of par through writef. Presumably globals (not locals) so the stores are
 * observable and not optimised away at -O2. */
int sum, par2, par3;
/*
 * Reproducer for the v850 frame-layout bug.
 *
 * par arrives in r6. Because &par is passed to writef, the compiler must
 * give par a stack slot. In the attached -O2 objdump the prologue calls
 * __save_r28_r31 (which saves lp at 24[sp], i.e. 4 bytes below the entry
 * sp), then allocates 32 more bytes and spills r6 to 56[sp] -- the same
 * address as the saved lp. The epilogue restores sp and reloads lp from
 * that slot, so the function "returns" to the value of par (95 from main)
 * instead of to its caller: a return-address overwrite controlled by
 * whatever the caller passes in par.
 *
 * readf() fills buffer from the fixed address 0x300000, presumably a
 * memory region on the target -- do not run this on a host. The for loop
 * presumably exists only so that buffer[] needs a real stack frame.
 *
 * returns the result of writef (always 0), if the corrupted return
 * address did not already divert control.
 */
int test1( int par )
{
int rc; // the return code
int cnt;
int buffer[ 8 ]; /* 32-byte array: forces a frame below the register save area */
readf( buffer, ( int* )0x300000, sizeof( buffer ) / sizeof( int ), 0 );
for ( sum = 0, cnt = 0; cnt < 8; cnt++ )
{
sum += buffer[ cnt ];
}
rc = writef( &par2, &par3, &par, sizeof( par2 ) / sizeof( int ) ); /* &par forces the spill */
return rc;
}
/* Entry point: calls test1 with 95, so the clobbered return address in
 * test1 becomes 0x5f. There is no return statement; falling off the end
 * of main yields 0 in C99. */
int main( void )
{
test1( 95 );
}
a.out: file format elf32-v850
Disassembly of section .text:
00100000 <_start>:
100000: 20 a6 ff 00 movea 255, r0, r20
100004: 00 a8 mov r0, r21
100006: 80 ae ff ff ori 65535, r0, r21
10000a: 40 1e 20 00 movhi 32, r0, sp
10000e: 23 1e 00 00 movea 0, sp, sp
100012: 40 f6 10 00 movhi 16, r0, ep
100016: 3e f6 a8 05 movea 1448, ep, ep
10001a: 40 26 11 00 movhi 17, r0, gp
10001e: 24 26 a8 85 movea -31320, gp, gp
100022: 40 36 10 00 movhi 16, r0, r6
100026: 26 36 b4 02 movea 692, r6, r6
10002a: e6 a7 20 00 ldsr r6, ctbp
10002e: 40 36 10 00 movhi 16, r0, r6
100032: 26 36 ac 05 movea 1452, r6, r6
100036: 40 3e 10 00 movhi 16, r0, r7
10003a: 27 3e c0 05 movea 1472, r7, r7
10003e: 46 07 00 00 st.b r0, 0[r6]
100042: 06 36 01 00 addi 1, r6, r6
100046: e7 31 cmp r7, r6
100048: b1 fd bl 10003e <_start+0x3e>
10004a: 80 ff 2e 01 jarl 100178 <___main>, lp
10004e: 03 1e f4 ff addi -12, sp, sp
100052: 00 32 mov 0, r6
100054: 00 3a mov 0, r7
100056: 00 42 mov 0, r8
100058: 80 ff b0 00 jarl 100108 <_main>, lp
10005c: 0a 30 mov r10, r6
10005e: 80 ff 5c 01 jarl 1001ba <_exit>, lp
00100062 <_readf>:
100062: 5f 42 add -1, r8
100064: 00 5a mov 0, r11
100066: 7f 42 cmp -1, r8
100068: b2 0d be 10007e <_readf+0x1c>
10006a: 27 57 01 00 ld.w 0[r7],r10
10006e: 41 5a add 1, r11
100070: 66 57 01 00 st.w r10, 0[r6]
100074: 44 3a add 4, r7
100076: 44 32 add 4, r6
100078: 5f 42 add -1, r8
10007a: 7f 42 cmp -1, r8
10007c: fa f5 bne 10006a <_readf+0x8>
10007e: 0b 50 mov r11, r10
100080: 7f 00 jmp [lp]
00100082 <_writef>:
100082: 5f 4a add -1, r9
100084: 7f 4a cmp -1, r9
100086: f2 0d be 1000a4 <_writef+0x22>
100088: 28 57 01 00 ld.w 0[r8],r10
10008c: 5f 4a add -1, r9
10008e: 66 57 01 00 st.w r10, 0[r6]
100092: 28 5f 01 00 ld.w 0[r8],r11
100096: 44 32 add 4, r6
100098: 67 5f 01 00 st.w r11, 0[r7]
10009c: 44 42 add 4, r8
10009e: 44 3a add 4, r7
1000a0: 7f 4a cmp -1, r9
1000a2: ba f5 bne 100088 <_writef+0x6>
1000a4: 00 52 mov 0, r10
1000a6: 7f 00 jmp [lp]
- Let's say that before __save_r28_r31 runs, sp has the value SP
001000a8 <_test1>:
1000a8: 80 57 70 00 jarl 100118 <__save_r28_r31>, r10
- at this point lp has been saved at 24[sp] = SP-4, and sp has the value SP-28
1000ac: 03 1e e0 ff addi -32, sp, sp
- sp now has the value SP-60
1000b0: 63 37 39 00 st.w r6, 56[sp]
- the parameter in r6 is stored at SP-60+56 = SP-4, the slot that holds the saved lp
- so the spill of r6 overwrites the saved return address; after the epilogue's
  addi 32, sp, sp, __return_r28_r31 reloads lp from 24[sp] = SP-4 and jumps to
  the parameter value (95) instead of returning to the caller
1000b4: 03 e6 10 00 addi 16, sp, r28
1000b8: 1c 30 mov r28, r6
1000ba: 40 3e 30 00 movhi 48, r0, r7
1000be: 08 42 mov 8, r8
1000c0: 00 4a mov 0, r9
1000c2: bf ff a0 ff jarl 100062 <_readf>, lp
1000c6: 40 5e 10 00 movhi 16, r0, r11
1000ca: 6b 07 b9 05 st.w r0, 1464[r11]
1000ce: 00 6a mov 0, r13
1000d0: 07 62 mov 7, r12
1000d2: 3c 57 01 00 ld.w 0[r28],r10
1000d6: 5f 62 add -1, r12
1000d8: ca 69 add r10, r13
1000da: 44 e2 add 4, r28
1000dc: e0 61 cmp r0, r12
1000de: ae fd bge 1000d2 <_test1+0x2a>
1000e0: 03 56 38 00 addi 56, sp, r10
1000e4: 40 36 10 00 movhi 16, r0, r6
1000e8: 40 3e 10 00 movhi 16, r0, r7
1000ec: 6b 6f b9 05 st.w r13, 1464[r11]
1000f0: 26 36 b4 05 movea 1460, r6, r6
1000f4: 27 3e b0 05 movea 1456, r7, r7
1000f8: 0a 40 mov r10, r8
1000fa: 01 4a mov 1, r9
1000fc: bf ff 86 ff jarl 100082 <_writef>, lp
100100: 03 1e 20 00 addi 32, sp, sp
100104: 80 07 28 00 jr 10012c <__return_r28_r31>
00100108 <_main>:
100108: 80 57 38 00 jarl 100140 <__save_r31>, r10
10010c: 20 36 5f 00 movea 95, r0, r6
100110: bf ff 98 ff jarl 1000a8 <_test1>, lp
100114: 80 07 38 00 jr 10014c <__return_r31>
00100118 <__save_r28_r31>:
100118: 03 1e e4 ff addi -28, sp, sp
10011c: 63 ef 11 00 st.w r29, 16[sp]
100120: 63 e7 15 00 st.w r28, 20[sp]
100124: 63 ff 19 00 st.w lp, 24[sp]
100128: 6a 00 jmp [r10]
...
0010012c <__return_r28_r31>:
10012c: 23 ef 11 00 ld.w 16[sp],r29
100130: 23 e7 15 00 ld.w 20[sp],r28
100134: 23 ff 19 00 ld.w 24[sp],lp
100138: 03 1e 1c 00 addi 28, sp, sp
10013c: 7f 00 jmp [lp]
...
00100140 <__save_r31>:
100140: 03 1e ec ff addi -20, sp, sp
100144: 63 ff 11 00 st.w lp, 16[sp]
100148: 6a 00 jmp [r10]
...
0010014c <__return_r31>:
10014c: 23 ff 11 00 ld.w 16[sp],lp
100150: 03 1e 14 00 addi 20, sp, sp
100154: 7f 00 jmp [lp]
...
00100158 <__save_r29_r31>:
100158: 03 1e e8 ff addi -24, sp, sp
10015c: 63 ef 11 00 st.w r29, 16[sp]
100160: 63 ff 15 00 st.w lp, 20[sp]
100164: 6a 00 jmp [r10]
...
00100168 <__return_r29_r31>:
100168: 23 ef 11 00 ld.w 16[sp],r29
10016c: 23 ff 15 00 ld.w 20[sp],lp
100170: 03 1e 18 00 addi 24, sp, sp
100174: 7f 00 jmp [lp]
...
00100178 <___main>:
100178: bf 57 a0 ff jarl 100118 <__save_r28_r31>, r10
10017c: 40 6e 10 00 movhi 16, r0, r13
100180: 2d 57 ad 05 ld.w 1452[r13],r10
100184: e0 51 cmp r0, r10
100186: 8a 1d bne 1001b6 <___main+0x3e>
100188: 01 52 mov 1, r10
10018a: 40 5e 10 00 movhi 16, r0, r11
10018e: 40 66 10 00 movhi 16, r0, r12
100192: 6d 57 ad 05 st.w r10, 1452[r13]
100196: 2b ee a8 05 movea 1448, r11, r29
10019a: 2c 66 a8 05 movea 1448, r12, r12
10019e: ec e9 cmp r12, r29
1001a0: b3 0d bnh 1001b6 <___main+0x3e>
1001a2: 0c e0 mov r12, r28
1001a4: 5c ea add -4, r29
1001a6: 3d 57 01 00 ld.w 0[r29],r10
1001aa: 80 ff 04 00 jarl 1001ae <___main+0x36>, lp
1001ae: 44 fa add 4, lp
1001b0: 6a 00 jmp [r10]
1001b2: fc e9 cmp r28, r29
1001b4: 8b fd bh 1001a4 <___main+0x2c>
1001b6: bf 07 76 ff jr 10012c <__return_r28_r31>
001001ba <_exit>:
1001ba: 80 57 ca 00 jarl 100284 <__save_r26_r31>, r10
1001be: 24 57 01 80 ld.w -32768[gp],r10
1001c2: 06 d0 mov r6, r26
1001c4: 2a df 49 01 ld.w 328[r10],r27
1001c8: e0 d9 cmp r0, r27
1001ca: b2 1d be 100200 <_exit+0x46>
1001cc: 3b ef 05 00 ld.w 4[r27],r29
1001d0: 5f ea add -1, r29
1001d2: e0 e9 cmp r0, r29
1001d4: 86 15 blt 1001f4 <_exit+0x3a>
1001d6: 1d e0 mov r29, r28
1001d8: 1b 56 08 00 addi 8, r27, r10
1001dc: c2 e2 shl 2, r28
1001de: ca e1 add r10, r28
1001e0: 3c 57 01 00 ld.w 0[r28],r10
1001e4: 80 ff 04 00 jarl 1001e8 <_exit+0x2e>, lp
1001e8: 44 fa add 4, lp
1001ea: 6a 00 jmp [r10]
1001ec: 5c e2 add -4, r28
1001ee: 5f ea add -1, r29
1001f0: e0 e9 cmp r0, r29
1001f2: fe f5 bge 1001e0 <_exit+0x26>
1001f4: 3b df 01 00 ld.w 0[r27],r27
1001f8: e0 d9 cmp r0, r27
1001fa: 9a ed bne 1001cc <_exit+0x12>
1001fc: 24 57 01 80 ld.w -32768[gp],r10
100200: 2a 5f 3d 00 ld.w 60[r10],r11
100204: e0 59 cmp r0, r11
100206: e2 05 be 100212 <_exit+0x58>
100208: 0a 30 mov r10, r6
10020a: 80 ff 04 00 jarl 10020e <_exit+0x54>, lp
10020e: 44 fa add 4, lp
100210: 6b 00 jmp [r11]
100212: 1a 30 mov r26, r6
100214: 80 ff 42 00 jarl 100256 <__exit>, lp
00100218 <__do_dtors>:
100218: bf 57 00 ff jarl 100118 <__save_r28_r31>, r10
10021c: 40 66 10 00 movhi 16, r0, r12
100220: 40 56 10 00 movhi 16, r0, r10
100224: 2c 5f a5 05 ld.w 1444[r12],r11
100228: 2a 56 a8 05 movea 1448, r10, r10
10022c: ea 59 cmp r10, r11
10022e: a9 15 bnl 100252 <__do_dtors+0x3a>
100230: 0c e8 mov r12, r29
100232: 0a e0 mov r10, r28
100234: 3d 57 a5 05 ld.w 1444[r29],r10
100238: 2a 5f 01 00 ld.w 0[r10],r11
10023c: 44 52 add 4, r10
10023e: 7d 57 a5 05 st.w r10, 1444[r29]
100242: 80 ff 04 00 jarl 100246 <__do_dtors+0x2e>, lp
100246: 44 fa add 4, lp
100248: 6b 00 jmp [r11]
10024a: 3d 57 a5 05 ld.w 1444[r29],r10
10024e: fc 51 cmp r28, r10
100250: a1 f5 bl 100234 <__do_dtors+0x1c>
100252: bf 07 da fe jr 10012c <__return_r28_r31>
00100256 <__exit>:
100256: bf 57 c2 fe jarl 100118 <__save_r28_r31>, r10
10025a: 06 e0 mov r6, r28
10025c: bf ff bc ff jarl 100218 <__do_dtors>, lp
100260: 1c 38 mov r28, r7
100262: 01 32 mov 1, r6
100264: 00 42 mov 0, r8
100266: 00 4a mov 0, r9
100268: 80 ff 08 00 jarl 100270 <___trap0>, lp
10026c: bf 07 c0 fe jr 10012c <__return_r28_r31>
00100270 <___trap0>:
100270: ff 07 00 01 trap 31
100274: 6a 51 tst r10, r10
100276: d2 05 be 100280 <___trap0+0x10>
100278: 40 36 10 00 movhi 16, r0, r6
10027c: 66 57 bd 05 st.w r10, 1468[r6]
100280: 7f 00 jmp [lp]
...
00100284 <__save_r26_r31>:
100284: 1e 08 mov ep, r1
100286: 03 1e dc ff addi -36, sp, sp
10028a: 03 f0 mov sp, ep
10028c: 09 ed sst.w r29, 16[ep]
10028e: 0b e5 sst.w r28, 20[ep]
100290: 0d dd sst.w r27, 24[ep]
100292: 0f d5 sst.w r26, 28[ep]
100294: 11 fd sst.w lp, 32[ep]
100296: 01 f0 mov r1, ep
100298: 6a 00 jmp [r10]
...
0010029c <__return_r26_r31>:
10029c: 1e 08 mov ep, r1
10029e: 03 f0 mov sp, ep
1002a0: 08 ed sld.w 16[ep],r29
1002a2: 0a e5 sld.w 20[ep],r28
1002a4: 0c dd sld.w 24[ep],r27
1002a6: 0e d5 sld.w 28[ep],r26
1002a8: 10 fd sld.w 32[ep],lp
1002aa: 03 1e 24 00 addi 36, sp, sp
1002ae: 01 f0 mov r1, ep
1002b0: 7f 00 jmp [lp]
...
Disassembly of section .call_table_text: