NetBSD Problem Report #56311

From www@netbsd.org  Thu Jul 15 07:51:32 2021
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id C66CF1A921F
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 15 Jul 2021 07:51:32 +0000 (UTC)
Message-Id: <20210715075131.B574D1A924E@mollari.NetBSD.org>
Date: Thu, 15 Jul 2021 07:51:31 +0000 (UTC)
From: rokuyama.rk@gmail.com
Reply-To: rokuyama.rk@gmail.com
To: gnats-bugs@NetBSD.org
Subject: GCC 9 and 10 miscompile lint1 for sh3 (improper use of scratch register)
X-Send-Pr-Version: www-1.0

>Number:         56311
>Category:       port-sh3
>Synopsis:       GCC 9 and 10 miscompile lint1 for sh3 (by mischoice of register)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-sh3-maintainer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jul 15 07:55:00 +0000 2021
>Closed-Date:    Fri Jul 21 08:42:52 +0000 2023
>Last-Modified:  Fri Jul 21 08:42:52 +0000 2023
>Originator:     Rin Okuyama
>Release:        9.99.86
>Organization:
Department of Physics, Meiji University
>Environment:
NetBSD hdlu 9.99.86 NetBSD 9.99.86 (HDL-U) #19: Thu Jul 15 14:37:34 JST 2021  rin@latipes:/sys/arch/landisk/compile/HDL-U landisk
>Description:
GCC 9 and 10 miscompile lint1 for sh3, which results in SIGSEGV:

----
$ lint hello.c
hello.c:
lint: /usr/libexec/lint1 got SIGSEGV
----

This turned out to be due to initdecl() in src/usr.bin/xlint/lint1/decl.c:

----
void
initdecl(void)
{
	int i;

	/* declaration stack */
	dcs = xcalloc(1, sizeof(*dcs));
	dcs->d_ctx = EXTERN;
	dcs->d_ldlsym = &dcs->d_dlsyms;

	/* type information and classification */
	inittyp();
...
----

Here, the compiled binary fails to initialize dcs->d_ldlsym:

----
$ gdb lint1
...
Reading symbols from ./lint1...
Reading symbols from /home/rin/lint1.debug...
(gdb) b decl.c:130
Breakpoint 1 at 0x407f8a: file /usr/src/usr.bin/xlint/lint1/decl.c, line 130.
(gdb) r hello.c out
Starting program: /home/rin/lint1 hello.c out

Breakpoint 1, initdecl () at /usr/src/usr.bin/xlint/lint1/decl.c:130
130             typetab[UNSIGN].t_tspec = UNSIGN;
(gdb) p dcs
$1 = (dinfo_t *) 0x76fb6000
(gdb) p dcs->d_ldlsym
$2 = (sym_t **) 0x0
----

Note that if initdecl() is compiled with -O0, dcs->d_ldlsym is correctly
initialized.

This failure occurs as follows. objdump for initdecl() is:

----
00407eae <initdecl>:
    407eae:       c6 2f           mov.l   r12,@-r15
    407eb0:       40 c7           mova    407fb4 <initdecl+0x106>,r0
    407eb2:       40 dc           mov.l   407fb4 <initdecl+0x106>,r12     ! 3a9b8
    407eb4:       22 4f           sts.l   pr,@-r15
    407eb6:       0c 3c           add     r0,r12
    407eb8:       3f d1           mov.l   407fb8 <initdecl+0x10a>,r1      ! 96d4
    407eba:       50 e5           mov     #80,r5
    407ebc:       03 01           bsrf    r1
    407ebe:       01 e4           mov     #1,r4
    407ec0:       3e d1           mov.l   407fbc <initdecl+0x10e>,r1      ! 2f0
    407ec2:       03 62           mov     r0,r2
    407ec4:       c3 60           mov     r12,r0
    407ec6:       26 01           mov.l   r2,@(r0,r1)
    407ec8:       01 e1           mov     #1,r1
    407eca:       19 12           mov.l   r1,@(36,r2)
(1) 407ecc:       40 72           add     #64,r2
    407ece:       3c d1           mov.l   407fc0 <initdecl+0x112>,r1      ! 7954
(a) 407ed0:       03 01           bsrf    r1
(2) 407ed2:       21 1c           mov.l   r2,@(4,r12)
...
----

Here, &dcs->d_dlsyms is prepared in r2 at (1), and r2 is stored to
dcs->d_ldlsym at (2). However, GCC arranges the function call to inittyp()
at (a). Since r2 is a scratch register, its value is not conserved after
return from inittyp().
>How-To-Repeat:
``lint hello.c'' on sh3.
>Fix:
Not known. As a workaround, compile initdecl() with -O0, with which lint(1)
works just fine on sh3.

>Release-Note:

>Audit-Trail:
From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56311 CVS commit: src/usr.bin/xlint/lint1
Date: Thu, 15 Jul 2021 07:58:05 +0000

 Module Name:	src
 Committed By:	rin
 Date:		Thu Jul 15 07:58:05 UTC 2021

 Modified Files:
 	src/usr.bin/xlint/lint1: decl.c

 Log Message:
 PR port-sh3/56311

 As a workaround for GCC bug, compile initdecl() with -O0 for sh3.


 To generate a diff of this commit:
 cvs rdiff -u -r1.199 -r1.200 src/usr.bin/xlint/lint1/decl.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56311 CVS commit: src/doc
Date: Thu, 15 Jul 2021 08:02:48 +0000

 Module Name:	src
 Committed By:	rin
 Date:		Thu Jul 15 08:02:47 UTC 2021

 Modified Files:
 	src/doc: HACKS

 Log Message:
 PR port-sh3/56311

 Document -O0 workaround for initdecl() in doc/HACKS.


 To generate a diff of this commit:
 cvs rdiff -u -r1.222 -r1.223 src/doc/HACKS


From: Rin Okuyama <rokuyama.rk@gmail.com>
To: "gnats-bugs@NetBSD.org" <gnats-bugs@NetBSD.org>
Cc: Valery Ushakov <uwe@stderr.spb.ru>
Subject: Re: port-sh3/56311: GCC 9 and 10 miscompile lint1 for sh3 (by
 mischoice of register)
Date: Fri, 16 Jul 2021 17:34:30 +0900

 In my previous analysis, I carelessly forgot delay slots!
 Please ignore that (I've corrected the wrong title of the PR).

 I've examined objdump again, more carefully this time ;)

 Source code and dump for initdecl() with comments are:

 ----
 void
 initdecl(void)
 {
 	int i;

 	/* declaration stack */
 	dcs = xcalloc(1, sizeof(*dcs));
 	dcs->d_ctx = EXTERN;
 	dcs->d_ldlsym = &dcs->d_dlsyms;

 	/* type information and classification */
 	inittyp();
 ...
 ----

 ----
 00407eae <initdecl>:
    407eae:	mov.l	r12,@-r15			! push r12
    407eb0:	mova	407fb4 <initdecl+0x106>,r0	! r0  = 0x407fb4
    407eb2:	mov.l	407fb4 <initdecl+0x106>,r12	! r12 = 0x03a9b8
    407eb4:	sts.l	pr,@-r15			! push pr
    407eb6:	add	r0,r12				! r12 = .got
    407eb8:	mov.l	407fb8 <initdecl+0x10a>,r1	! r1 = 0x96d4
    407eba:	mov	#80,r5				! r5 = 80
    407ebc:	bsrf	r1				! r0 = xcalloc(1, 80)
    407ebe:	  mov	#1,r4				!   r4 = 1
    407ec0:	mov.l	407fbc <initdecl+0x10e>,r1	! r1 = 0x02f0
    407ec2:	mov	r0,r2				! r2 = r0
    407ec4:	mov	r12,r0				! r0 = .got
    407ec6:	mov.l	r2,@(r0,r1)			! @(.got, 0x02f0) = dcs = r2
    407ec8:	mov	#1,r1				! r1 = EXTERN
    407eca:	mov.l	r1,@(36,r2)			! @(36, r2) = dcs->d_ctx = r1
    407ecc:	add	#64,r2				! r2 = &dcs + 64 = &dcs->d_dlsyms
    407ece:	mov.l	407fc0 <initdecl+0x112>,r1	! r1 = 0x7954
    407ed0:	bsrf	r1				! inittyp()
    407ed2:	  mov.l	r2,@(4,r12)			!   @(4, .got) = ??? = r2
 ...
 ----

 GCC seems to make a mistake at the last line; if it were

 ----
    407ed2:	  mov.l	r2,@(4,r2)
 ----

 it would work as expected, i.e.,

 ----
 	@(4, &dcs->d_dlsyms) = dcs->d_ldlsym = r2 = &dcs->d_dlsyms
 ----

 However, since it mistakes r12 (= .got) for r2, dcs->d_ldlsym is not
 correctly initialized, and .got becomes broken.

 I think this is what happens with the default optimization level.

 Thanks uwe@ for kind advice offlist!

 rin
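
The code shape analysed above (a self-referential pointer store issued just before an out-of-line call, with the object reached through a global) as a post-condition check that can be built with the toolchain under test. This is an added example, not code from the PR and not the reproducer filed upstream; `struct dinfo`, `inittyp_stub()` and `check_selfref()` are hypothetical stand-ins, and the check only verifies the result, it is not claimed to trigger the bug.

```c
#include <stdlib.h>

#define EXTERN_CTX 1	/* constructed; the dump stores #1 for EXTERN */
struct sym;		/* opaque here */

/* Hypothetical stand-in for lint1's dinfo_t (constructed). On ILP32 it puts
 * d_ctx at 36, d_dlsyms at 64, d_ldlsym at 68, size 80, as in the dump. */
struct dinfo {
	int pad0[9];
	int d_ctx;
	int pad1[6];
	struct sym *d_dlsyms;
	struct sym **d_ldlsym;
	int pad2[2];
};
struct dinfo *dcs;	/* global, so position-independent code uses the GOT */

/* Stand-in for inittyp(): an out-of-line call right after the store. */
static __attribute__((noinline)) void inittyp_stub(void)
{
	static volatile int sink;
	sink++;
}

static __attribute__((noinline)) int init_like_initdecl(void)
{
	if ((dcs = calloc(1, sizeof(*dcs))) == NULL)
		return -1;
	dcs->d_ctx = EXTERN_CTX;
	dcs->d_ldlsym = &dcs->d_dlsyms;	/* the store the report found misdirected */
	inittyp_stub();
	return 0;
}

/* 0 = ok, bit 0 = d_ldlsym wrong, bit 1 = d_ctx wrong, -1 = no memory */
int check_selfref(void)
{
	if (init_like_initdecl() != 0)
		return -1;
	int bad = (dcs->d_ldlsym != &dcs->d_dlsyms) ? 1 : 0;
	bad |= (dcs->d_ctx != EXTERN_CTX) ? 2 : 0;
	free(dcs);
	dcs = NULL;
	return bad;
}

int main(void)
{
	return check_selfref() != 0;	/* non-zero exit status on failure */
}
```

Build it optimized and position-independent (an assumption about how lint1 was built, based on the GOT accesses in the dump) and compare against a -O0 build.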

From: Rin Okuyama <rokuyama.rk@gmail.com>
To: gnats-bugs@netbsd.org
Cc: Valery Ushakov <uwe@stderr.spb.ru>
Subject: Re: port-sh3/56311: GCC 9 and 10 miscompile lint1 for sh3 (by
 mischoice of register)
Date: Fri, 16 Jul 2021 18:52:05 +0900

 I've found a simple reproducer, and reported it to upstream as
 GCC Bug 101469:

 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101469

 Thanks,
 rin

From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56311 CVS commit: src/doc
Date: Fri, 16 Jul 2021 10:02:50 +0000

 Module Name:	src
 Committed By:	rin
 Date:		Fri Jul 16 10:02:50 UTC 2021

 Modified Files:
 	src/doc: HACKS

 Log Message:
 PR port-sh3/56311

 Correct misinterpretation for the cause of the problem, and link to
 the bug report for upstream.


 To generate a diff of this commit:
 cvs rdiff -u -r1.223 -r1.224 src/doc/HACKS


State-Changed-From-To: open->suspended
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sat, 17 Jul 2021 03:33:01 +0000
State-Changed-Why:
awaiting gcc upstream


From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56311 CVS commit: src/external/gpl3/gcc/dist/gcc/config/sh
Date: Tue, 18 Jul 2023 02:50:18 +0000

 Module Name:	src
 Committed By:	rin
 Date:		Tue Jul 18 02:50:18 UTC 2023

 Modified Files:
 	src/external/gpl3/gcc/dist/gcc/config/sh: sh.md

 Log Message:
 gcc: Fix peephole optimization bug for sh3 (PR port-sh3/56311)

 Cherry-picked from upstream:
 https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=4dbb3af1efe55174a714d15c2994cf2842ef8c28
 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101469

 Now, the PR confirmed fixed. No regression observed for full ATF run on
 landisk (compared with GCC built with this peephole optimization being
 removed by hand).

 We thank Oleg Endo, the author of the upstream commit.

 Also thanks hgutch@ and uwe@ for analysis.


 To generate a diff of this commit:
 cvs rdiff -u -r1.2 -r1.3 src/external/gpl3/gcc/dist/gcc/config/sh/sh.md


From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56311 CVS commit: src/external/gpl3/gcc.old/dist/gcc/config/sh
Date: Tue, 18 Jul 2023 02:58:39 +0000

 Module Name:	src
 Committed By:	rin
 Date:		Tue Jul 18 02:58:38 UTC 2023

 Modified Files:
 	src/external/gpl3/gcc.old/dist/gcc/config/sh: sh.md

 Log Message:
 Sync with external/gpl3/gcc:
 https://mail-index.netbsd.org/source-changes/2023/07/18/msg146078.html
 ----
 gcc: Fix peephole optimization bug for sh3 (PR port-sh3/56311)

 Cherry-picked from upstream:
 https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=4dbb3af1efe55174a714d15c2994cf2842ef8c28
 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101469

 Now, the PR confirmed fixed. No regression observed for full ATF run on
 landisk (compared with GCC built with this peephole optimization being
 removed by hand).

 We thank Oleg Endo, the author of the upstream commit.

 Also thanks hgutch@ and uwe@ for analysis.


 To generate a diff of this commit:
 cvs rdiff -u -r1.12 -r1.13 src/external/gpl3/gcc.old/dist/gcc/config/sh/sh.md


From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56311 CVS commit: src/usr.bin/xlint/lint1
Date: Tue, 18 Jul 2023 03:00:42 +0000

 Module Name:	src
 Committed By:	rin
 Date:		Tue Jul 18 03:00:42 UTC 2023

 Modified Files:
 	src/usr.bin/xlint/lint1: decl.c

 Log Message:
 lint1:initdecl(): Remove hack for now-fixed PR port-sh3/56311


 To generate a diff of this commit:
 cvs rdiff -u -r1.360 -r1.361 src/usr.bin/xlint/lint1/decl.c


From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56311 CVS commit: src/doc
Date: Tue, 18 Jul 2023 03:01:35 +0000

 Module Name:	src
 Committed By:	rin
 Date:		Tue Jul 18 03:01:35 UTC 2023

 Modified Files:
 	src/doc: HACKS

 Log Message:
 doc/HACKS: PR port-sh3/56311 has been fixed.


 To generate a diff of this commit:
 cvs rdiff -u -r1.238 -r1.239 src/doc/HACKS


State-Changed-From-To: suspended->pending-pullups
State-Changed-By: rin@NetBSD.org
State-Changed-When: Tue, 18 Jul 2023 03:15:02 +0000
State-Changed-Why:
- [pullup-10 #236] for gcc
- [pullup-10 #237] for lint and doc
Note that the fix for gcc can be applicable to older versions of gcc.
Please feel free to request pullups to older branches.


From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56311 CVS commit: [netbsd-10] src/external/gpl3/gcc/dist/gcc/config/sh
Date: Wed, 19 Jul 2023 14:11:14 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Wed Jul 19 14:11:14 UTC 2023

 Modified Files:
 	src/external/gpl3/gcc/dist/gcc/config/sh [netbsd-10]: sh.md

 Log Message:
 Pull up following revision(s) (requested by rin in ticket #236):

 	external/gpl3/gcc/dist/gcc/config/sh/sh.md: revision 1.3

 gcc: Fix peephole optimization bug for sh3 (PR port-sh3/56311)

 Cherry-picked from upstream:
 https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=4dbb3af1efe55174a714d15c2994cf2842ef8c28
 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101469

 Now, the PR confirmed fixed. No regression observed for full ATF run on
 landisk (compared with GCC built with this peephole optimization being
 removed by hand).

 We thank Oleg Endo, the author of the upstream commit.
 Also thanks hgutch@ and uwe@ for analysis.


 To generate a diff of this commit:
 cvs rdiff -u -r1.2 -r1.2.2.1 src/external/gpl3/gcc/dist/gcc/config/sh/sh.md


From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56311 CVS commit: [netbsd-10] src
Date: Wed, 19 Jul 2023 14:15:29 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Wed Jul 19 14:15:29 UTC 2023

 Modified Files:
 	src/doc [netbsd-10]: HACKS
 	src/usr.bin/xlint/lint1 [netbsd-10]: decl.c

 Log Message:
 Pull up following revision(s) (requested by rin in ticket #237):

 	usr.bin/xlint/lint1/decl.c: revision 1.361
 	doc/HACKS: revision 1.239

 lint1:initdecl(): Remove hack for now-fixed PR port-sh3/56311
 doc/HACKS: PR port-sh3/56311 has been fixed.


 To generate a diff of this commit:
 cvs rdiff -u -r1.232 -r1.232.2.1 src/doc/HACKS
 cvs rdiff -u -r1.302 -r1.302.2.1 src/usr.bin/xlint/lint1/decl.c


State-Changed-From-To: pending-pullups->closed
State-Changed-By: rin@NetBSD.org
State-Changed-When: Fri, 21 Jul 2023 08:42:52 +0000
State-Changed-Why:
pulled up to netbsd-10


>Unformatted:
