http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50678
--- Comment #31 from Eric Botcazou <ebotcazou at gcc dot gnu.org> 2011-10-15 21:34:32 UTC --- There is some suspicious code in #0 0x00007fff85c75d48 in libunwind::DwarfInstructions<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::stepWithDwarf(libunwind::LocalAddressSpace&, unsigned long long, unsigned long long, libunwind::Registers_x86_64&) () from /usr/lib/libSystem.B.dylib (gdb) disass Dump of assembler code for function _ZN9libunwind17DwarfInstructionsINS_17LocalAddressSpaceENS_16Registers_x86_64EE13stepWithDwarfERS1_yyRS2_: 0x00007fff85c75990 <+0>: push %rbp 0x00007fff85c75c81 <+753>: mov -0x860(%rbp),%rax 0x00007fff85c75c88 <+760>: mov %rax,0xa0(%r13) 0x00007fff85c75c8f <+767>: mov -0x868(%rbp),%rdx 0x00007fff85c75c96 <+774>: mov %rdx,0x98(%r13) 0x00007fff85c75c9d <+781>: mov -0x870(%rbp),%rcx 0x00007fff85c75ca4 <+788>: mov %rcx,0x90(%r13) 0x00007fff85c75cab <+795>: mov -0x878(%rbp),%rax 0x00007fff85c75cb2 <+802>: mov %rax,0x88(%r13) 0x00007fff85c75cb9 <+809>: mov -0x8e8(%rbp),%rdx 0x00007fff85c75cc0 <+816>: mov %rdx,0x78(%r13) 0x00007fff85c75cc4 <+820>: mov -0x8e0(%rbp),%rcx 0x00007fff85c75ccb <+827>: mov %rcx,0x70(%r13) 0x00007fff85c75ccf <+831>: mov -0x8d8(%rbp),%rax 0x00007fff85c75cd6 <+838>: mov %rax,0x68(%r13) 0x00007fff85c75cda <+842>: mov -0x8d0(%rbp),%rdx 0x00007fff85c75ce1 <+849>: mov %rdx,0x60(%r13) 0x00007fff85c75ce5 <+853>: mov -0x8c8(%rbp),%rcx 0x00007fff85c75cec <+860>: mov %rcx,0x58(%r13) 0x00007fff85c75cf0 <+864>: mov -0x8c0(%rbp),%rax 0x00007fff85c75cf7 <+871>: mov %rax,0x50(%r13) 0x00007fff85c75cfb <+875>: mov -0x8b8(%rbp),%rdx 0x00007fff85c75d02 <+882>: mov %rdx,0x48(%r13) 0x00007fff85c75d06 <+886>: mov -0x8b0(%rbp),%rcx 0x00007fff85c75d0d <+893>: mov %rcx,0x40(%r13) 0x00007fff85c75d11 <+897>: mov -0x8a8(%rbp),%rax 0x00007fff85c75d18 <+904>: mov %rax,0x30(%r13) 0x00007fff85c75d1c <+908>: mov -0x8a0(%rbp),%rdx 0x00007fff85c75d23 <+915>: mov %rdx,0x20(%r13) 0x00007fff85c75d27 <+919>: mov -0x898(%rbp),%rcx 0x00007fff85c75d2e 
<+926>: mov %rcx,0x28(%r13) 0x00007fff85c75d32 <+930>: mov -0x890(%rbp),%rax 0x00007fff85c75d39 <+937>: mov %rax,0x8(%r13) 0x00007fff85c75d3d <+941>: mov -0x888(%rbp),%rdx 0x00007fff85c75d44 <+948>: mov %rdx,0x10(%r13) 0x00007fff85c75d48 <+952>: mov -0x880(%rbp),%rcx 0x00007fff85c75d4f <+959>: mov %rcx,0x18(%r13) 0x00007fff85c75d53 <+963>: mov %r15,0x0(%r13) 0x00007fff85c75d57 <+967>: mov %r12,0x38(%r13) 0x00007fff85c75d5b <+971>: mov %rbx,0x80(%r13) -0x860(%rbp) seems to be a saved context: (gdb) x/gx (-0x860 + $rbp - 8 * 4) 0x100036900: 0x00007fff5fbff9f0 (gdb) x/gx (-0x860 + $rbp - 8 * 5) 0x1000368f8: 0x00007fff5f3ff9f0 (gdb) x/gx (-0x860 + $rbp - 8 * 6) 0x1000368f0: 0x0000000000000000 (gdb) x/gx (-0x860 + $rbp - 8 * 7) 0x1000368e8: 0x00007fff5fbff9f0 (gdb) x/gx (-0x860 + $rbp - 8 * 8) 0x1000368e0: 0x00007fff4fbfc9f0 (gdb) x/gx (-0x860 + $rbp - 8 * 9) 0x1000368d8: 0x00007fff5fbffa30 (gdb) x/gx (-0x860 + $rbp - 8 * 10) 0x1000368d0: 0x0000000080000002 (gdb) x/gx (-0x860 + $rbp - 8 * 11) 0x1000368c8: 0x0000000010000000 (gdb) x/gx (-0x860 + $rbp - 8 * 12) 0x1000368c0: 0x0000000080000002 (gdb) x/gx (-0x860 + $rbp - 8 * 13) 0x1000368b8: 0x0000000010000001 (gdb) x/gx (-0x860 + $rbp - 8 * 14) 0x1000368b0: 0xfffffffffffffffa (gdb) x/gx (-0x860 + $rbp - 8 * 15) 0x1000368a8: 0x000000000000000d (gdb) x/gx (-0x860 + $rbp - 8 * 16) 0x1000368a0: 0x0000000000000000 (gdb) x/gx (-0x860 + $rbp - 8 * 17) 0x100036898: 0x0000000000000001 This is the same context as the one displayed by GDB when the probe hits: (gdb) info reg rax 0x10000010 268435472 rbx 0x7fff5fbff9f0 140734799804912 rcx 0x7fff5f3ff9f0 140734791416304 rdx 0x0 0 rsi 0x7fff5fbff9f0 140734799804912 rdi 0x7fff4fbfc9f0 140734531357168 rbp 0x7fff5fbffa30 0x7fff5fbffa30 rsp 0x7fff5fbff9f0 0x7fff5fbff9f0 r8 0x80000002 2147483650 r9 0x10000000 268435456 r10 0x80000002 2147483650 r11 0x10000001 268435457 r12 0xfffffffffffffffa -6 r13 0xd 13 r14 0x0 0 r15 0x1 1 Now, at the end of the code sequence, the context pointed to by 
%r13 is: (gdb) x/gx ($r13 + 8 * 0) 0x1000372b0: 0x0000000010000010 (gdb) x/gx ($r13 + 8 * 1) 0x1000372b8: 0x0000000000000000 (gdb) x/gx ($r13 + 8 * 2) 0x1000372c0: 0x00007fff5f3ff9f0 (gdb) x/gx ($r13 + 8 * 3) 0x1000372c8: 0x00007fff5fbff9f0 (gdb) x/gx ($r13 + 8 * 4) 0x1000372d0: 0x00007fff4fbfc9f0 (gdb) x/gx ($r13 + 8 * 5) 0x1000372d8: 0x00007fff5fbff9f0 (gdb) x/gx ($r13 + 8 * 6) 0x1000372e0: 0x00007fff5fbffa30 (gdb) x/gx ($r13 + 8 * 7) 0x1000372e8: 0x00007fff5fbff9f0 (gdb) x/gx ($r13 + 8 * 8) 0x1000372f0: 0x0000000080000002 (gdb) x/gx ($r13 + 8 * 9) 0x1000372f8: 0x0000000010000000 (gdb) x/gx ($r13 + 8 * 10) 0x100037300: 0x0000000080000002 (gdb) x/gx ($r13 + 8 * 11) 0x100037308: 0x0000000010000001 (gdb) x/gx ($r13 + 8 * 12) 0x100037310: 0xfffffffffffffffa (gdb) x/gx ($r13 + 8 * 13) 0x100037318: 0x000000000000000d (gdb) x/gx ($r13 + 8 * 14) 0x100037320: 0x0000000000000000 (gdb) x/gx ($r13 + 8 * 15) 0x100037328: 0x0000000000000001 This is the context that will be restored when execution resumes. Note how the %rbx and %rdx entries have been swapped: slot 1 (0x8(%r13), the %rbx slot) holds 0x0, which is the live %rdx in the GDB register dump above, while slot 3 (0x18(%r13), the %rdx slot) holds 0x7fff5fbff9f0, the live %rbx. Looking at the end of the code: 0x00007fff85c75d27 <+919>: mov -0x898(%rbp),%rcx 0x00007fff85c75d2e <+926>: mov %rcx,0x28(%r13) 0x00007fff85c75d32 <+930>: mov -0x890(%rbp),%rax 0x00007fff85c75d39 <+937>: mov %rax,0x8(%r13) 0x00007fff85c75d3d <+941>: mov -0x888(%rbp),%rdx 0x00007fff85c75d44 <+948>: mov %rdx,0x10(%r13) 0x00007fff85c75d48 <+952>: mov -0x880(%rbp),%rcx 0x00007fff85c75d4f <+959>: mov %rcx,0x18(%r13) it seems that the stores to 0x8(%r13) and 0x18(%r13) have been swapped: the value loaded from -0x890(%rbp) (0x0, the saved %rdx) is written to 0x8(%r13), and the value loaded from -0x880(%rbp) (0x7fff5fbff9f0, the saved %rbx) is written to 0x18(%r13), whereas the neighbouring slots (%rcx at 0x10(%r13) from -0x888(%rbp), %rdi at 0x20(%r13) from -0x8a0(%rbp)) receive the values that match the live registers. A plausible cause is a mix-up between the DWARF register numbering for x86-64 (1 = %rdx, 2 = %rcx, 3 = %rbx) and the order of the slots in the destination register context (1 = %rbx, 2 = %rcx, 3 = %rdx), since those two orderings differ for exactly this pair — this should be confirmed against the libunwind source. Because %rbx is callee-saved under the SysV x86-64 ABI, resuming a landing pad with this context hands it a corrupted %rbx, so a caught exception can silently turn into memory corruption further down the line.