Bug#458745: arm-only miscompilation of alloca code

To: Camm Maguire <camm@enhanced.com>
Cc: Martin Michlmayr <tbm@cyrius.com>, Herbert Valerio Riedel <hvr@gnu.org>, Martin Guy <martinwguy@yahoo.it>, 458745@bugs.debian.org
Subject: Bug#458745: arm-only miscompilation of alloca code
From: Aurelien Jarno <aurelien@aurel32.net>
Date: Fri, 4 Jan 2008 13:35:04 +0100
Message-id: <[🔎] 20080104123504.GA23851@hall.aurel32.net>
Reply-to: Aurelien Jarno <aurelien@aurel32.net>, 458745@bugs.debian.org
In-reply-to: <[🔎] 20080102150939.21667.65742.reportbug@intech30.enhanced.com>
References: <[🔎] 20080102150939.21667.65742.reportbug@intech30.enhanced.com>

On Wed, Jan 02, 2008 at 10:09:39AM -0500, Camm Maguire wrote:
> Package: gcc-4.2
> Version: 4.2.2-4
> Severity: important
> 
> /tmp/foo.c:
> =============================================================================
> #include <stdio.h>
> #include <alloca.h>
> #include <stdarg.h>
> #define object void *
> 
> int VFUN_NARGS;
> void *alloca_val;
> struct cons {
>   object c_cdr;
>   object c_car;
> };
> 
> #define Cnil 0
> 
> static void
> foo(object first,...) {
>   va_list ap;
>   int narg = VFUN_NARGS;
>   struct cons *V1128;
>   object V1129;
> 
>   va_start(ap,first);
>   V1129 = 
>     !narg? Cnil : (alloca_val=alloca((narg)*sizeof(struct cons)+sizeof(object)),
> 		   ({object _b=(void *)alloca_val;if (((unsigned long)_b)&sizeof(_b)) _b++;
> 		   {register struct cons *_p=(void *)_b;
> 		   {struct cons *_e=_p+(narg-1);
> 		   for (;_p<_e;_p++) {_p->c_car=({object _t=first;first=va_arg(ap,object);_t;});_p->c_cdr=(object)(_p+1);}}
> 		   _p->c_car=first;_p->c_cdr=Cnil;}_b;}));
>   va_end(ap);
>   V1128= V1129;
>   for (;V1128!=Cnil;V1128=V1128->c_cdr)
>     printf("%p\n",V1128->c_car);
> 
> }
> 
> int
> main(int argc,char * argv[]) {
> 
>   VFUN_NARGS=4;
>   foo(&argc,1,2,3);
>   return 0;
> 
> }
> =============================================================================
> i386 sid:
> =============================================================================
> cc -g /tmp/foo.c -o /tmp/foo
> /tmp/foo
> 0xbf867bd0
> 0x1
> 0x2
> 0x3
> =============================================================================
> leisner dchroot sid:
> =============================================================================
> cc -g foo.c -o foo
> ./foo
> 0x18beed5d

This address looks highly  suspicious as it is not aligned while the type
is a (void*).

On ARM unaligned access are not guaranteed to work and actually
depends on the CPU. On some of them it works as on i386, while usually
you get the aligned word, but rotated depending on the mis-alignement.

In short non-aligned accesses do not generate a SIGBUS, but rather
return "corrupted" data, so here a wrong address that could lead to a
segfault.

If you look at the bug log, all tests with aligned address work. The
others segfault or return (nil) as on tbm's machine.

-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net

Reply to:

References:
- Bug#458745: arm-only miscompilation of alloca code
  - From: Camm Maguire <camm@enhanced.com>

Prev by Date: gcc-4.2_4.2.2-5_powerpc.changes ACCEPTED
Next by Date: Bug#459101: gnat-4.1: FTBFS with dash: CANNOT FIND debian/*FFI*
Previous by thread: Bug#458745: arm-only miscompilation of alloca code
Next by thread: Bug#85535: completely incapable of pleasing a woman?
Index(es):
- Date
- Thread