Testcase:

    #include <stdio.h>
    #include <stdarg.h>

    static void argy (int foo, ...)
    {
      va_list arg;
      char **sp;
      va_start(arg, foo);
      sp = va_arg(arg,char **);
      /* WHAM. */
      *sp = "foo";
    }

    int main (void)
    {
      char *foo;
      /* Comment the next line out for instant crash. */
      /* (fprintf) (stderr, "&foo: %p\n", &foo); */
      argy(0, &foo);
      return 0;
    }

It still crashes if the #include of <stdio.h> is removed, so glibc version is immaterial. If the fprintf() call is uncommented, it no longer crashes. Only the 64-bit version crashes.

The tree dumps show no significant differences, so this is presumably an RTL-or-later problem. Only the caller differs: GDB output confirms that what is put on the stack is wrong in the crashing case. I have no idea if the problem is middle-end or target, I'm afraid.

(I find myself wondering how *scanf() is still working in the presence of this bug. Presumably we're saved by the circumstance that *scanf() use is relatively rare and that its users tend to use the variable again in non-stdargs context in the same function?)

Originally spotted in libquvi: <http://code.google.com/p/quvi/issues/detail?id=1>.

Preprocessed testcase (of still-crashing version without #include <stdio.h>) follows.

-- 
           Summary: varargs of pointer types triggers coredump
           Product: gcc
           Version: 4.4.3
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: nix at esperi dot org dot uk
 GCC build triplet: x86_64-pc-linux-gnu
  GCC host triplet: x86_64-pc-linux-gnu
GCC target triplet: x86_64-pc-linux-gnu

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=43020
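An added self-checking variant of the testcase (not part of the report, and not the reporter's code): the callee hands back the pointer it received through va_arg, and the caller compares it with &foo before storing through it, so a wrong value is reported rather than dereferenced. Function names are made up for this example; note that the reporter suspects that touching &foo in a non-stdargs context in the same function masks the bug, so this is a diagnostic for the round trip, not a replacement reproducer.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: receive one char ** argument via va_arg and return
   it instead of writing through it (the "WHAM." store in the report). */
static char **fetch_ptr_arg(int unused, ...)
{
    va_list ap;
    char **sp;
    va_start(ap, unused);
    sp = va_arg(ap, char **);
    va_end(ap);
    return sp;
}

/* Returns 1 when the address received through varargs equals the address
   the caller passed and the subsequent store is visible through foo;
   returns 0 and prints both addresses when the round trip is wrong. */
int vararg_pointer_roundtrip_ok(void)
{
    char *foo = NULL;
    char **got = fetch_ptr_arg(0, &foo);
    if (got != &foo) {
        fprintf(stderr, "expected %p, va_arg gave %p\n",
                (void *)&foo, (void *)got);
        return 0;
    }
    /* Only write through the pointer once it is known to be valid. */
    *got = "foo";
    return foo != NULL && foo[0] == 'f';
}

int main(void)
{
    return vararg_pointer_roundtrip_ok() ? 0 : 1;
}
```

A non-zero exit status (and the printed pair of addresses) flags the miscompiled case without a segfault, which makes it usable under a test harness.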