[Bug c/79235] New: x86 - Can't read stack transferred parameters when using one of the parameters in a nested function

Wed, 25 Jan 2017 13:21:44 -0800 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79235

            Bug ID: 79235
           Summary: x86 - Can't read stack transferred parameters when
                    using one of the parameters in a nested function
           Product: gcc
           Version: 6.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: oren.twaig at gmail dot com
  Target Milestone: ---

Created attachment 40582
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=40582&action=edit
example code + save-temp output + asm output

x86-64 standard calling convention supports passing more than six parameters
using the stack. The caller places the extra params on the stack which the
callee is expected to read from. As so, if we deference the first on-stack
param, we can get access to all the others.

Example (Full example + full asm are attached)::

function a(int a, int b, int c, int d, int e, int f, int on_stack)
{
    int* pvargs = &on_stack;
    int second=pvargs[1];

    printf("second on_stack param=%d\n", second);
}

So far, all good.

However, There is a weird bug. If we use one of the stack-transfered parameters
in a nested function (of the function with expects more than six parameters)
the assembler of the callee (which contains the nested function) is no longer
correct and doesn't read the extra parameters from the correct place in the
stack.

Example (Full example + full asm are attached):


function a(int a, int b, int c, int d, int e, int f, int on_stack)
{
    int* pvargs = &on_stack;
    int second=pvargs[1];

    no-inline _nested(void) {
        printf("on_stack=%d\n", on_stack);  ->> referncing on_stack will cause
the bug.

        printf("second on_stack param=%d\n", second); --> second will no longer
be printed correctly.
    }   

}


In my more-adanced attached code, I did just that. Below is what happens when I
pass three '0xdeadbee[012]' on-stack. When DO_BUG is defined, I add a reference
to the on-stack variable as described earlier.



 comp="/tmp/6.3.0-gcc-bin/bin/gcc"; $comp --version |head -n 1; echo ----
TESTING ----  &&echo && echo without: && $comp -o main -O3 a.c  b.c && ./main 
&& echo &&  echo "with:   -DDO_BUG" && $comp -o main -O3 a.c  b.c -DDO_BUG  &&
./main
gcc (GCC) 6.3.0


---- TESTING ----

without:
  0=0xdeadbee0 1=0xdeadbee1 2=0xdeadbee2

with:   -DDO_BUG
  0=0xdeadbee0 1=0x8857fd60 2=0x5560fba0   --->> BUG, what happend to '1' and
'2' ???



We can clearly see the diff in the ASM. The callee changed! Instead of the
'72','80' and '88' correct offsets, we get some weird 'random' like offsets of
'48', '80', and '64'. Which obviously result in the wrong print.

diff b_good.s b_bad.s  -u

 #APP
 # 14 "b.c" 1
        nop;nop;nop
 # 0 "" 2
 #NO_APP
-       movq    72(%rsp), %rax
-       movl    %eax, 28(%rsp)
-       movq    80(%rsp), %rax
-       movl    %eax, 24(%rsp)
-       movq    88(%rsp), %rax
-       movl    %eax, 20(%rsp)
+       movq    48(%rsp), %rax
+       movl    %eax, 44(%rsp)
+       leaq    80(%rsp), %rax
+       movq    %rax, 8(%rsp)
+       movl    8(%rsp), %eax
+       movl    %eax, 40(%rsp)
+       movq    64(%rsp), %rax
+       movl    %eax, 36(%rsp)
 #APP
 # 18 "b.c" 1
        nop;nop;nop
 # 0 "" 2
 #NO_APP

Reply via email to