http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48597
Summary: x86-64 unwind register save location misses half-register write?
Product: gcc
Version: 4.6.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
AssignedTo: unassig...@gcc.gnu.org
ReportedBy: l...@cern.ch

On RHEL6 x86-64, the GCC-compiled libm has inaccurate unwind info for __ieee754_rem_pio2f() as called by tanf(). The problem is that GCC knows %rbp is saved, and correctly describes the save location, but delays emitting the info from the actual register save to a later address, missing the write to the half-size register alias %ebp in between. If unwinding starts in the in-between region, %rbp is not restored correctly off the stack, leading to problems later in a stack frame with the CFA defined as an offset off %rbp.

The start of the assembly and unwind info for __ieee754_rem_pio2f follows.

Dump of assembler code for function __ieee754_rem_pio2f:
   0x00007ffff35b1080 <+0>:     push   %rbp
   0x00007ffff35b1081 <+1>:     movd   %xmm0,%ebp
   0x00007ffff35b1085 <+5>:     push   %rbx
   0x00007ffff35b1086 <+6>:     mov    %ebp,%ecx
   0x00007ffff35b1088 <+8>:     mov    %rdi,%rbx
   0x00007ffff35b108b <+11>:    and    $0x7fffffff,%ecx
   0x00007ffff35b1091 <+17>:    sub    $0x18,%rsp

00001d30 0000003c 00001d34 FDE cie=00000000 pc=0002c080..0002c3ba
  DW_CFA_advance_loc: 1 to 0002c081
  DW_CFA_def_cfa_offset: 16
  DW_CFA_advance_loc: 5 to 0002c086
  DW_CFA_def_cfa_offset: 24
  DW_CFA_advance_loc: 5 to 0002c08b
  DW_CFA_offset: r3 (rbx) at cfa-24
  DW_CFA_offset: r6 (rbp) at cfa-16

As you can see, at 0x2c081 / 0x00007ffff35b1081 a "movd %xmm0, %ebp" instruction writes to %rbp, but the unwind info describes the save location for the register only at 0x2c08b / 0x00007ffff35b108b. It's easiest to demo the effect in GDB; the original problem occurred in a sampling profiler which uses libunwind. See (1) for the full GDB session trace.
To replicate this, you need a) a call to tanf() with an argument requiring an __ieee754_rem_pio2f() call, b) a function above tanf() with the CFA based on %rbp (SimpleNavigableLayer::wellInside() in (1)), and c) a stack walk within the three instructions with inaccurate unwind info.

RHEL6 glibc seems to be built with GCC 4.4.4 (2). The entire libm has just four instances of 'movd %xmmN,%ebp', in __ieee754_asinf, __ieee754_j1f, __ieee754_lgammaf_r and __ieee754_rem_pio2f, all with the same unwind info issue. In GLIBC 2.13 compiled with a GCC 4.6.x pre-release (3), the first three still have a 'vmovd %xmmN,%ebp', plus there's one in cprojf, but none in __ieee754_rem_pio2f. Of these only __ieee754_lgammaf_r is incorrect (4); all others have correct unwind info - though I am not sure if they are just 'different' rather than 'fixed', see how __ieee754_rem_pio2f changed in (5).

If there is an easy enough fix, we have some interest in a back-port to 4.4.x in case we have any luck convincing RHEL to pick up the patch and rebuild libc/libm.

(1)

$ gdb --args cmsRun /home/data/runPU/TTbar_Tauola_RAW2DIGI_L1Reco_RECO_PU_lto5.py
GNU gdb (GDB) 7.1
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /data/CMSSW_4_2_0_pre6/bin/slc5_amd64_gcc451/cmsRun...(no debugging symbols found)...done.
(gdb) b __ieee754_rem_pio2f
Function "__ieee754_rem_pio2f" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (__ieee754_rem_pio2f) pending.
(gdb) b 'SimpleNavigableLayer::wellInside(FreeTrajectoryState const&, PropagationDirection, ForwardDetLayer const*, std::vector<DetLayer const*, std::allocator<DetLayer const*> >&) const'
Function "SimpleNavigableLayer::wellInside(FreeTrajectoryState const&, PropagationDirection, ForwardDetLayer const*, std::vector<DetLayer const*, std::allocator<DetLayer const*> >&) const" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 2 ('SimpleNavigableLayer::wellInside(FreeTrajectoryState const&, PropagationDirection, ForwardDetLayer const*, std::vector<DetLayer const*, std::allocator<DetLayer const*> >&) const') pending.
(gdb) disa 1
(gdb) commands 2
Type commands for when breakpoint 2 is hit, one per line.
End with a line saying just "end".
>ena 1
>cont
>end
(gdb) r
Starting program: /data/CMSSW_4_2_0_pre6/bin/slc5_amd64_gcc451/cmsRun /home/data/runPU/TTbar_Tauola_RAW2DIGI_L1Reco_RECO_PU_lto5.py
[Thread debugging using libthread_db enabled]
14-Apr-2011 01:22:27 CEST  Initiating request to open file file:0E1B7BC9-7E2C-E011-A37B-0018F3D096B6.root
14-Apr-2011 01:22:29 CEST  Successfully opened file file:0E1B7BC9-7E2C-E011-A37B-0018F3D096B6.root
Begin processing the 1st record.
Run 1, Event 1401, LumiSection 666694 at 14-Apr-2011 01:22:43.145 CEST
%MSG-w SiStripQuality:  SiStripZeroSuppression:siStripZeroSuppression 14-Apr-2011 01:22:45 CEST  Run: 1 Event: 1401
The cabling should always include the active feds in runInfo and possibly have some morethere are instead 59 feds only active in runInfo
%MSG

Breakpoint 2, 0x00007fffe9e00414 in SimpleNavigableLayer::wellInside(FreeTrajectoryState const&, PropagationDirection, ForwardDetLayer const*, std::vector<DetLayer const*, std::allocator<DetLayer const*> >&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerTkNavigation.so

Breakpoint 1, 0x00007ffff37c5080 in __ieee754_rem_pio2f () from /lib64/libm.so.6
(gdb) x/i $pc
=> 0x7ffff37c5080 <__ieee754_rem_pio2f>:        push   %rbp
(gdb) bt 10
#0  0x00007ffff37c5080 in __ieee754_rem_pio2f () from /lib64/libm.so.6
#1  0x00007ffff37c836a in tanf () from /lib64/libm.so.6
#2  0x00007fffe9e00ef5 in SimpleNavigableLayer::wellInside(FreeTrajectoryState const&, PropagationDirection, BarrelDetLayer const*, std::vector<DetLayer const*, std::allocator<DetLayer const*> >&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerTkNavigation.so
#3  0x00007fffe9e10257 in SimpleNavigableLayer::wellInside(FreeTrajectoryState const&, PropagationDirection, std::vector<DetLayer const*, std::allocator<DetLayer const*> > const&, std::vector<DetLayer const*, std::allocator<DetLayer const*> >&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerTkNavigation.so
#4  0x00007fffe9dfe78a in SimpleBarrelNavigableLayer::nextLayers(FreeTrajectoryState const&, PropagationDirection) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerTkNavigation.so
#5  0x00007fffe76ccf9c in DetLayer::nextLayers(FreeTrajectoryState const&, PropagationDirection) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libTrackingToolsDetLayers.so
#6  0x00007fffea4d373f in BaseCkfTrajectoryBuilder::findStateAndLayers(TempTrajectory const&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerCkfPattern.so
#7  0x00007fffea4eaab2 in GroupedCkfTrajectoryBuilder::advanceOneLayer(TempTrajectory&, TrajectoryFilter const*, Propagator const*, bool, std::vector<TempTrajectory, std::allocator<TempTrajectory> >&, std::vector<TempTrajectory, std::allocator<TempTrajectory> >&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerCkfPattern.so
#8  0x00007fffea4e7f8c in GroupedCkfTrajectoryBuilder::groupedLimitedCandidates(TempTrajectory&, TrajectoryFilter const*, Propagator const*, bool, std::vector<TempTrajectory, std::allocator<TempTrajectory> >&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerCkfPattern.so
#9  0x00007fffea4e90b1 in GroupedCkfTrajectoryBuilder::buildTrajectories () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerCkfPattern.so
(More stack frames follow...)
(gdb) si 2
0x00007ffff37c5085 in __ieee754_rem_pio2f () from /lib64/libm.so.6
(gdb) x/i $pc
=> 0x7ffff37c5085 <__ieee754_rem_pio2f+5>:      push   %rbx
(gdb) bt 10
#0  0x00007ffff37c5085 in __ieee754_rem_pio2f () from /lib64/libm.so.6
#1  0x00007ffff37c836a in tanf () from /lib64/libm.so.6
#2  0x00007fffe9e00ef5 in SimpleNavigableLayer::wellInside(FreeTrajectoryState const&, PropagationDirection, BarrelDetLayer const*, std::vector<DetLayer const*, std::allocator<DetLayer const*> >&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerTkNavigation.so
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) si 3
0x00007ffff37c508b in __ieee754_rem_pio2f () from /lib64/libm.so.6
(gdb) x/i $pc
=> 0x7ffff37c508b <__ieee754_rem_pio2f+11>:     and    $0x7fffffff,%ecx
(gdb) bt 10
#0  0x00007ffff37c508b in __ieee754_rem_pio2f () from /lib64/libm.so.6
#1  0x00007ffff37c836a in tanf () from /lib64/libm.so.6
#2  0x00007fffe9e00ef5 in SimpleNavigableLayer::wellInside(FreeTrajectoryState const&, PropagationDirection, BarrelDetLayer const*, std::vector<DetLayer const*, std::allocator<DetLayer const*> >&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerTkNavigation.so
#3  0x00007fffe9e10257 in SimpleNavigableLayer::wellInside(FreeTrajectoryState const&, PropagationDirection, std::vector<DetLayer const*, std::allocator<DetLayer const*> > const&, std::vector<DetLayer const*, std::allocator<DetLayer const*> >&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerTkNavigation.so
#4  0x00007fffe9dfe78a in SimpleBarrelNavigableLayer::nextLayers(FreeTrajectoryState const&, PropagationDirection) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerTkNavigation.so
#5  0x00007fffe76ccf9c in DetLayer::nextLayers(FreeTrajectoryState const&, PropagationDirection) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libTrackingToolsDetLayers.so
#6  0x00007fffea4d373f in BaseCkfTrajectoryBuilder::findStateAndLayers(TempTrajectory const&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerCkfPattern.so
#7  0x00007fffea4eaab2 in GroupedCkfTrajectoryBuilder::advanceOneLayer(TempTrajectory&, TrajectoryFilter const*, Propagator const*, bool, std::vector<TempTrajectory, std::allocator<TempTrajectory> >&, std::vector<TempTrajectory, std::allocator<TempTrajectory> >&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerCkfPattern.so
#8  0x00007fffea4e7f8c in GroupedCkfTrajectoryBuilder::groupedLimitedCandidates(TempTrajectory&, TrajectoryFilter const*, Propagator const*, bool, std::vector<TempTrajectory, std::allocator<TempTrajectory> >&) const () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerCkfPattern.so
#9  0x00007fffea4e90b1 in GroupedCkfTrajectoryBuilder::buildTrajectories () from /data/CMSSW_4_2_0_pre6/lib/slc5_amd64_gcc451/libRecoTrackerCkfPattern.so
(More stack frames follow...)
(gdb) quit
A debugging session is active.

        Inferior 1 [process 32154] will be killed.

Quit anyway? (y or n) y

(2)

$ /usr/bin/gcc -v
Using built-in specs.
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-multifile --enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib --with-ppl --with-cloog --with-tune=generic --with-arch_32=i686 --build=x86_64-redhat-linux
Thread model: posix
gcc version 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC)

$ /lib64/libc.so.6 --version
GNU C Library stable release version 2.12, by Roland McGrath et al.
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 4.4.4 20100726 (Red Hat 4.4.4-13).
Compiled on a Linux 2.6.32 system on 2011-04-04.
Available extensions:
        The C stubs add-on version 2.1.2.
        crypt add-on version 2.1 by Michael Glad and others
        GNU Libidn by Simon Josefsson
        Native POSIX Threads Library by Ulrich Drepper et al
        BIND-8.2.3-T5B
        RT using linux kernel aio
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<http://www.gnu.org/software/libc/bugs.html>.

(3)

$ /opt/lib/libc.so.6 --version
GNU C Library stable release version 2.13, by Roland McGrath et al.
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 4.6.1 20110408 (prerelease).
Compiled on a Linux 2.6.32 system on 2011-04-13.
Available extensions:
        crypt add-on version 2.1 by Michael Glad and others
        GNU Libidn by Simon Josefsson
        Native POSIX Threads Library by Ulrich Drepper et al
        BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<http://www.gnu.org/software/libc/bugs.html>.

(4)

0000000000025af0 <__ieee754_lgammaf_r>:
   25af0:       48 89 5c 24 e8          mov    %rbx,-0x18(%rsp)
   25af5:       c5 f8 28 d0             vmovaps %xmm0,%xmm2
   25af9:       48 89 6c 24 f0          mov    %rbp,-0x10(%rsp)
   25afe:       c5 f9 7e c5             vmovd  %xmm0,%ebp
   25b02:       89 eb                   mov    %ebp,%ebx
   25b04:       4c 89 64 24 f8          mov    %r12,-0x8(%rsp)
   25b09:       48 81 ec 88 00 00 00    sub    $0x88,%rsp
   25b10:       81 e3 ff ff ff 7f       and    $0x7fffffff,%ebx

00001ac0 00000024 00001ac4 FDE cie=00000000 pc=00025af0..000263db
  DW_CFA_advance_loc: 20 to 00025b04
  DW_CFA_offset: r6 (rbp) at cfa-24
  DW_CFA_offset: r3 (rbx) at cfa-32
  DW_CFA_advance_loc: 12 to 00025b10
  DW_CFA_def_cfa_offset: 144
  DW_CFA_offset: r12 (r12) at cfa-16
  DW_CFA_advance_loc1: 92 to 00025b6c
  DW_CFA_remember_state
  DW_CFA_def_cfa_offset: 8
  DW_CFA_advance_loc: 4 to 00025b70
  DW_CFA_restore_state
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop

(5)

0000000000026e70 <__ieee754_rem_pio2f>:
   26e70:       55                      push   %rbp
   26e71:       48 89 e5                mov    %rsp,%rbp
   26e74:       41 54                   push   %r12
   26e76:       53                      push   %rbx
   26e77:       48 89 fb                mov    %rdi,%rbx
   26e7a:       c4 c1 79 7e c4          vmovd  %xmm0,%r12d
   26e7f:       44 89 e1                mov    %r12d,%ecx
   26e82:       48 83 e4 e0             and    $0xffffffffffffffe0,%rsp
   26e86:       81 e1 ff ff ff 7f       and    $0x7fffffff,%ecx
   26e8c:       48 83 ec 20             sub    $0x20,%rsp

00001b58 0000002c 00001b5c FDE cie=00000000 pc=00026e70..000271ca
  DW_CFA_advance_loc: 1 to 00026e71
  DW_CFA_def_cfa_offset: 16
  DW_CFA_offset: r6 (rbp) at cfa-16
  DW_CFA_advance_loc: 3 to 00026e74
  DW_CFA_def_cfa_register: r6 (rbp)
  DW_CFA_advance_loc: 6 to 00026e7a
  DW_CFA_offset: r3 (rbx) at cfa-32
  DW_CFA_offset: r12 (r12) at cfa-24
  DW_CFA_advance_loc1: 121 to 00026ef3
  DW_CFA_remember_state
  DW_CFA_def_cfa: r7 (rsp) ofs 8
  DW_CFA_advance_loc: 5 to 00026ef8
  DW_CFA_restore_state
  DW_CFA_advance_loc1: 197 to 00026fbd
  DW_CFA_remember_state
  DW_CFA_def_cfa: r7 (rsp) ofs 8
  DW_CFA_advance_loc: 3 to 00026fc0
  DW_CFA_restore_state
  DW_CFA_nop
  DW_CFA_nop
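As an added illustration (not part of the report or of GCC), a small Python checker that does mechanically what the report does by hand: it records the first pc at which each DW_CFA_offset rule takes effect, finds every prologue instruction that writes a callee-saved register or one of its narrower aliases (%ebp for %rbp, %r12d for %r12), and flags the writes whose save rule is not yet in effect at the following instruction, which is exactly the window in which an unwind restores a stale value. The embedded listing is the __ieee754_rem_pio2f dump from above at the FDE's addresses; the alias table and the treatment of push as a memory write are the example's own assumptions.

```python
import re
CALLEE_SAVED = {"rbx", "rbp", "r12", "r13", "r14", "r15"}  # SysV x86-64 ABI
ALIASES = {"ebx": "rbx", "bx": "rbx", "bl": "rbx", "ebp": "rbp", "bp": "rbp", "bpl": "rbp"}
ALIASES.update({f"r{n}{s}": f"r{n}" for n in range(12, 16) for s in "dwb"})
# Constructed from the report's __ieee754_rem_pio2f listing, at the FDE's addresses.
DISASM = """2c080: push %rbp
2c081: movd %xmm0,%ebp
2c085: push %rbx
2c086: mov %ebp,%ecx
2c088: mov %rdi,%rbx
2c08b: and $0x7fffffff,%ecx
2c091: sub $0x18,%rsp"""
CFI = """FDE cie=00000000 pc=0002c080..0002c3ba
DW_CFA_advance_loc: 1 to 0002c081
DW_CFA_def_cfa_offset: 16
DW_CFA_advance_loc: 5 to 0002c086
DW_CFA_def_cfa_offset: 24
DW_CFA_advance_loc: 5 to 0002c08b
DW_CFA_offset: r3 (rbx) at cfa-24
DW_CFA_offset: r6 (rbp) at cfa-16"""

def parse_cfi(text):
    """Map each register to the first pc from which its DW_CFA_offset rule is in effect."""
    save_pc, loc = {}, None
    for line in text.splitlines():
        m = re.search(r"pc=([0-9a-f]+)\.\.|advance_loc\d?: \d+ to ([0-9a-f]+)", line)
        if m:  # the FDE start or an advance_loc moves the current location
            loc = int(m.group(1) or m.group(2), 16)
        m = re.search(r"DW_CFA_offset: r\d+ \((\w+)\) at cfa-\d+", line)
        if m:  # first rule wins: from here on the unwinder can recover the register
            save_pc.setdefault(m.group(1), loc)
    return save_pc
def written_reg(insn):
    """AT&T syntax: the last operand is the destination; push writes memory, not a register."""
    mnem, ops = (insn.split(None, 1) + [""])[:2]
    dest = ops.rsplit(",", 1)[-1].strip()
    if mnem.startswith(("push", "cmp", "test")) or not dest.startswith("%"):
        return None
    return ALIASES.get(dest[1:], dest[1:])
def check(disasm, cfi):
    """(reg, write_pc, window_start, save_pc): an unwind from [window_start, save_pc) treats reg as unsaved."""
    save_pc = parse_cfi(cfi)
    insns = [(int(a, 16), re.sub(r"^(?:[0-9a-f]{2}\s+)+", "", i.strip()))  # drop objdump bytes
             for a, i in (l.split(":", 1) for l in disasm.splitlines())]
    findings = []
    for (pc, insn), (next_pc, _) in zip(insns, insns[1:]):
        reg = written_reg(insn)
        if reg in CALLEE_SAVED and save_pc.get(reg, float("inf")) > next_pc:
            findings.append((reg, pc, next_pc, save_pc.get(reg)))
    return findings
```

Fed listing (4) (the opcode bytes are stripped automatically) it flags the vmovd %xmm0,%ebp at 25afe in the same way, with the window covering the one instruction before 25b04; fed listing (5) it reports nothing, since every save rule there is in effect by the instruction after the write.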