http://gcc.gnu.org/bugzilla/show_bug.cgi?id=45843
Summary: [4.3/4.4/4.5/4.6 Regression] __builtin_va_arg overwrites into adjacent stack location
Product: gcc
Version: 4.3.6
Status: UNCONFIRMED
Keywords: wrong-code
Severity: normal
Priority: P3
Component: target
AssignedTo: unassig...@gcc.gnu.org
ReportedBy: ja...@gcc.gnu.org
CC: gcc-bugs@gcc.gnu.org, hubi...@gcc.gnu.org, hjl.to...@gmail.com, m...@gcc.gnu.org, era...@google.com
Depends on: 44575
Host: x86_64-unknown-linux-gnu
Target: x86_64-unknown-linux-gnu
Build: x86_64-unknown-linux-gnu

+++ This bug was initially created as a clone of Bug #44575 +++

This is a variation of the same problem, where __builtin_va_arg overwrites into an adjacent stack location [not sure if I should reopen this bug or file a new one]:

$ cat vararg.cc
#include <stdarg.h>
#include <stdlib.h>

struct S933 {
  struct { struct {} b[6]; union {} c[7]; } a;
  char d;
  char e;
};

struct S933 arg;

void check933va (int z, ...)
{
  char c;
  va_list ap;
  __builtin_va_start (ap, z);
  c = 'a';
  arg = __builtin_va_arg (ap, struct S933);
  if (c != 'a')
    abort ();
}

int main ()
{
  struct S933 s933;
  check933va (1, s933);
}

$ ./trunk-g++ -O0 vararg.cc && ./a.out
Aborted

./trunk-g++ is GNU C++ version 4.6.0 20100924 (experimental) (x86_64-unknown-linux-gnu)

The relevant portion of the gimple is below:

  D.2773_4 = ap.reg_save_area;
  D.2774_5 = ap.gp_offset;
  D.2775_6 = (long unsigned int) D.2774_5;
  int_addr.1_7 = D.2773_4 + D.2775_6;
  addr.0_8 = &va_arg_tmp.3;
  D.2777_9 = addr.0_8 + 8;
  D.2778_10 = MEM[(long unsigned int *)int_addr.1_7];
  *D.2777_9 = D.2778_10;   <--- Bad move

The move to address D.2777_9 is the problem.

For this struct type, construct_container returns the following:

  (parallel:BLK [
      (expr_list:REG_DEP_TRUE (reg:DI 0 ax)
          (const_int 8 [0x8]))
    ])

The destination of the move is at offset 8 (INTVAL (XEXP (slot, 1))) of the temporary created. The size of the temp (sizeof (S933)) is 15 bytes and the move is in DI mode, so the 8-byte store covers bytes 8..15 of a 15-byte object and its last byte lands in whatever sits next to the temporary on the stack.

I think the problem is that the check

  if (prev_size + cur_size > size)

doesn't really check whether the destination is overwritten.
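The offset arithmetic above, as an added example in plain C that models the copy loop (this is not GCC's code): each slot of the container is stored at its offset into a stand-in for the va_arg temporary, with one guard byte behind it playing the role of the adjacent local c, and the clamped variant keeps the store inside the object. The slot layout and the 15-byte size come from the report; the 8-byte register width and all helper names are assumptions of this model.

```c
#include <stddef.h>
#include <string.h>

/* One entry of the (parallel ...) that construct_container returns: a
   register whose `size' bytes belong at byte `offset' of the argument.
   For S933 it is the single pair (reg:DI ax) / (const_int 8). */
struct slot { size_t offset; size_t size; };

enum { S933_SIZE = 15 };   /* sizeof (S933) from the report */

/* Stand-in for the va_arg temporary, plus one guard byte behind it that
   plays the role of the adjacent local `c'. */
struct temp_area { unsigned char bytes[S933_SIZE + 1]; };

/* The check the report says is missing: does the store of this slot end
   past the object?  Returns 1 when it does. */
int slot_overflows(const struct slot *s, size_t obj_size)
{
    return s->offset + s->size > obj_size;
}

/* Copy every slot into the temporary.  clamp == 0 stores the whole
   register at its offset (the reported behaviour); clamp == 1 limits each
   store to the bytes that still fit inside the object. */
static void copy_container(struct temp_area *t, const struct slot *slots,
                           size_t n, const unsigned char *regs, int clamp)
{
    for (size_t i = 0; i < n; i++) {
        size_t len = slots[i].size;
        if (clamp && slot_overflows(&slots[i], S933_SIZE))
            len = S933_SIZE - slots[i].offset;
        /* regs holds the saved registers back to back, 8 bytes each
           (an assumption of this model, matching DImode on x86_64). */
        memcpy(t->bytes + slots[i].offset, regs + i * 8, len);
    }
}

/* Runs the S933 case; returns 1 if the guard byte survived the copy. */
int guard_intact(int clamp)
{
    static const struct slot s933[] = { { 8, 8 } };
    unsigned char ax[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed contents */
    struct temp_area t;
    memset(&t, 0, sizeof t);
    t.bytes[S933_SIZE] = 'a';
    copy_container(&t, s933, 1, ax, clamp);
    return t.bytes[S933_SIZE] == 'a';
}
```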