https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68537

            Bug ID: 68537
           Summary: Vectorizer possibly miscompiles dynamic linker with
                    -O3
           Product: gcc
           Version: unknown
               URL: https://sourceware.org/bugzilla/show_bug.cgi?id=19289
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: trippels at gcc dot gnu.org
  Target Milestone: ---

Created attachment 36833
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=36833&action=edit
unreduced testcase

Since r230091 gcc apparently miscompiles the glibc dynamic linker when using
-O3:

 markus@x4 glibc-build % gdb --args
/var/tmp/glibc-build/elf/ld-linux-x86-64.so.2 /home/markus/bin/xmonad
Reading symbols from /var/tmp/glibc-build/elf/ld-linux-x86-64.so.2...done.
(gdb) run
Starting program: /var/tmp/glibc-build/elf/ld-linux-x86-64.so.2
/home/markus/bin/xmonad
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
_dl_lookup_symbol_x (undef_name=0x7ffff75cb3c5 "__gmpn_invert_limb",
undef_map=0x7ffff76494d0, ref=ref@entry=0x7fffffffa170,
symbol_scope=0x7ffff7649828, version=0x0, 
    type_class=type_class@entry=1, flags=1, skip_map=0x0) at dl-lookup.c:809
809       struct sym_val current_value = { NULL, NULL };
(gdb) bt
#0  _dl_lookup_symbol_x (undef_name=0x7ffff75cb3c5 "__gmpn_invert_limb",
undef_map=0x7ffff76494d0, ref=ref@entry=0x7fffffffa170,
symbol_scope=0x7ffff7649828, version=0x0, 
    type_class=type_class@entry=1, flags=1, skip_map=0x0) at dl-lookup.c:809
#1  0x0000555555564413 in _dl_fixup (l=<optimized out>, reloc_arg=<optimized
out>) at ../elf/dl-runtime.c:111
#2  0x000055555556ce1f in _dl_runtime_resolve_sse () at
../sysdeps/x86_64/dl-trampoline.h:112
#3  0x00007ffff762093a in __gmpn_divrem_1 () from /usr/lib/libgmp.so.10
#4  0xee6b280000000000 in ?? ()
#5  0x00007ffff6b0b138 in ?? ()
#6  0x00007ffff6b057d0 in ?? ()
#7  0x00000000ffffffe2 in ?? ()
#8  0x00007ffff6b057b8 in ?? ()
#9  0x00007ffff6b051b0 in ?? ()
#10 0x00007ffff6b0b1b0 in ?? ()
#11 0x00000000006b47d8 in ?? ()
#12 0x00000000006142a9 in ?? ()
#13 0x0000000000000000 in ?? ()
(gdb) disass
Dump of assembler code for function _dl_lookup_symbol_x:
...
   0x000055555555e915 <+117>:   jne    0x55555555e900 <_dl_lookup_symbol_x+96>
   0x000055555555e917 <+119>:   mov    %eax,%eax
   0x000055555555e919 <+121>:   mov    %rax,-0xb0(%rbp)
   0x000055555555e920 <+128>:   pxor   %xmm0,%xmm0
   0x000055555555e924 <+132>:   mov    $0xffffffff,%eax
   0x000055555555e929 <+137>:   incq   0x21d048(%rip)        # 0x55555577b978
<_rtld_local+2424>
   0x000055555555e930 <+144>:   test   %r12,%r12
   0x000055555555e933 <+147>:   mov    %rax,-0xa0(%rbp)
=> 0x000055555555e93a <+154>:   movaps %xmm0,-0x90(%rbp)
   0x000055555555e941 <+161>:   je     0x55555555e950 <_dl_lookup_symbol_x+176>

rax            0xffffffff       4294967295
rbx            0x7ffff763c360   140737343898464
rcx            0x7ffff75cb3d7   140737343435735
rdx            0x0      0
rsi            0x33f9b936d4fb49a0       3745228210287888800
rdi            0x7ffff75cb3c5   140737343435717
rbp            0x7fffffffa148   0x7fffffffa148
rsp            0x7fffffffa058   0x7fffffffa058
r8             0x0      0
r9             0x1      1
r10            0x7ffff76494d0   140737343952080
r11            0x7ffff7620840   140737343785024
r12            0x0      0
r13            0x0      0
r14            0x7ffff76494d0   140737343952080
r15            0x7fffffffa170   140737488331120
rip            0x55555555e93a   0x55555555e93a <_dl_lookup_symbol_x+154>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

Comparison of the disassembly of the function in question: left, built with
__attribute__ ((__target__ ("no-mmx,no-sse"))); right, built without it
(segfaulting).

  add    %rsi,%rax                        | add    %rsi,%rax
  add    %rdx,%rax                        | add    %rdx,%rax
  movzbl (%rcx),%edx                      | movzbl (%rcx),%edx
  test   %dl,%dl                          | test   %dl,%dl
  jne    da0 <_dl_lookup_symbol_x+0x60>   | jne    da0
<_dl_lookup_symbol_x+0x60>
  mov    %eax,%ebx                        | mov    %eax,%ebx
  mov    $0xffffffff,%eax                 | pxor   %xmm0,%xmm0
  test   %r13,%r13                        | mov    $0xffffffff,%eax
  movq   $0x0,-0x80(%rbp)                 | test   %r13,%r13
                                          | mov    %rax,-0x88(%rbp)
  mov    %rax,-0x88(%rbp)                 | movaps %xmm0,-0x80(%rbp)
  movq   $0x0,-0x78(%rbp)                 | je     ddf
<_dl_lookup_symbol_x+0x9f>
                                          | testl  $0xfffffffa,0x10(%rbp)
  je     de7 <_dl_lookup_symbol_x+0xa7>   | jne    18e4
<_dl_lookup_symbol_x+0xba4>
  testl  $0xfffffffa,0x10(%rbp)           | mov    -0xb8(%rbp),%rax
  jne    196c <_dl_lookup_symbol_x+0xc2c> | test   %r14,%r14
  mov    -0xb8(%rbp),%rax                 | mov    (%rax),%r9
  test   %r14,%r14                        | jne    1000
<_dl_lookup_symbol_x+0x2c0>
  mov    (%rax),%r9                       | test   %r9,%r9
  jne    1040 <_dl_lookup_symbol_x+0x300> | movq   $0x0,-0xc0(%rbp)


markus@x4 elf % gcc -O3 -c dl-lookup.i
markus@x4 elf % objdump -dr dl-lookup.o | grep movaps
    14f4:       0f 29 45 80             movaps %xmm0,-0x80(%rbp)
    163b:       0f 29 45 90             movaps %xmm0,-0x70(%rbp)

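With -fno-vect-cost-model even gcc 4.9 generates the segfaulting instruction
(the movaps store). movaps requires a 16-byte-aligned memory operand, and in
the gdb session above the store target, %rbp-0x90 = 0x7fffffffa0b8, is only
8-byte aligned.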
