On Wed, Jan 02, 2008 at 10:09:39AM -0500, Camm Maguire wrote:
> Package: gcc-4.2
> Version: 4.2.2-4
> Severity: important
>
> /tmp/foo.c:
> =============================================================================
> #include <stdio.h>
> #include <alloca.h>
> #include <stdarg.h>
> #define object void *
>
> int VFUN_NARGS;
> void *alloca_val;
> struct cons {
>   object c_cdr;
>   object c_car;
> };
>
> #define Cnil 0
>
> static void
> foo(object first,...) {
>   va_list ap;
>   int narg = VFUN_NARGS;
>   struct cons *V1128;
>   object V1129;
>
>   va_start(ap,first);
>   V1129 =
>     !narg? Cnil : (alloca_val=alloca((narg)*sizeof(struct cons)+sizeof(object)),
>     ({object _b=(void *)alloca_val;if (((unsigned long)_b)&sizeof(_b)) _b++;
>       {register struct cons *_p=(void *)_b;
>        {struct cons *_e=_p+(narg-1);
>         for (;_p<_e;_p++) {_p->c_car=({object _t=first;first=va_arg(ap,object);_t;});_p->c_cdr=(object)(_p+1);}}
>        _p->c_car=first;_p->c_cdr=Cnil;}_b;}));
>   va_end(ap);
>   V1128= V1129;
>   for (;V1128!=Cnil;V1128=V1128->c_cdr)
>     printf("%p\n",V1128->c_car);
>
> }
>
> int
> main(int argc,char * argv[]) {
>
>   VFUN_NARGS=4;
>   foo(&argc,1,2,3);
>   return 0;
>
> }
> =============================================================================
> i386 sid:
> =============================================================================
> cc -g /tmp/foo.c -o /tmp/foo
> /tmp/foo
> 0xbf867bd0
> 0x1
> 0x2
> 0x3
> =============================================================================
> leisner dchroot sid:
> =============================================================================
> cc -g foo.c -o foo
> ./foo
> 0x18beed5d
This address looks highly suspicious, as it is not aligned while the type is a (void*). On ARM, unaligned accesses are not guaranteed to work and actually depend on the CPU. On some of them it works as on i386, while usually you get the aligned word, but rotated depending on the misalignment. In short, non-aligned accesses do not generate a SIGBUS, but rather return "corrupted" data, so here a wrong address that could lead to a segfault. If you look at the bug log, all tests with aligned addresses work. The others segfault or return (nil) as on tbm's machine.

-- 
  .''`.  Aurelien Jarno             | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   [EMAIL PROTECTED]          | [EMAIL PROTECTED]
   `-    people.debian.org/~aurel32 | www.aurel32.net
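Added example, not code from the bug report, GCC or GCL: a C helper that rounds a raw buffer up to the alignment of `struct cons` before laying out the cells, the arithmetic of the quoted `if (((unsigned long)_b)&sizeof(_b)) _b++;` fix-up kept beside it for comparison, and a walk that counts cells whose address is not pointer-aligned, the property Aurelien's reply says the ARM output violates. The names `align_up`, `quoted_fixup`, `build_list` and `count_misaligned` are assumed, and the scratch buffer standing in for alloca() is constructed.

```c
#include <stdint.h>
#include <stddef.h>

#define object void *
struct cons { object c_cdr; object c_car; };   /* same layout as the bug report's cell */

/* Round addr up to the next multiple of align (align must be a power of two). */
static uintptr_t align_up(uintptr_t addr, size_t align) {
    return (addr + (align - 1)) & ~(uintptr_t)(align - 1);
}

/* True when addr is a multiple of align. */
static int is_aligned(uintptr_t addr, size_t align) {
    return (addr & (align - 1)) == 0;
}

/* Arithmetic of the quoted fix-up: it tests a single bit of the address (sizeof(_b)) and,
 * since _b is a void *, _b++ advances one byte under GCC; an odd address therefore stays odd. */
static uintptr_t quoted_fixup(uintptr_t addr, size_t ptr_size) {
    if (addr & ptr_size) addr++;
    return addr;
}

/* Lay out narg cells in raw[] starting from an aligned base; NULL if raw is too small. */
static struct cons *build_list(char *raw, size_t raw_len, object *vals, int narg) {
    uintptr_t base = align_up((uintptr_t)raw, _Alignof(struct cons));
    size_t pad = (size_t)(base - (uintptr_t)raw);
    if (narg <= 0 || pad > raw_len || (size_t)narg * sizeof(struct cons) > raw_len - pad)
        return NULL;
    struct cons *p = (struct cons *)(raw + pad);
    for (int i = 0; i < narg; i++) {
        p[i].c_car = vals[i];
        p[i].c_cdr = (i + 1 < narg) ? (object)&p[i + 1] : NULL;
    }
    return p;
}

/* Count cells whose own address is not pointer-aligned (what the ARM run violates). */
static int count_misaligned(const struct cons *l) {
    int bad = 0;
    for (; l != NULL; l = l->c_cdr)
        if (!is_aligned((uintptr_t)l, _Alignof(object))) bad++;
    return bad;
}

/* Build a 3-cell list from a deliberately mis-offset base; -1 when there is no room. */
static int misaligned_cells_from_offset(size_t offset) {
    static char raw[256];                      /* constructed scratch area standing in for alloca() */
    object vals[3] = { (object)(uintptr_t)1, (object)(uintptr_t)2, (object)(uintptr_t)3 };
    struct cons *l = offset < sizeof raw ? build_list(raw + offset, sizeof raw - offset, vals, 3) : NULL;
    return l ? count_misaligned(l) : -1;
}
```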