NetBSD Problem Report #45837

From martin@aprisoft.de  Sun Jan 15 08:03:21 2012
Return-Path: <martin@aprisoft.de>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 3347C63B9EB
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 15 Jan 2012 08:03:21 +0000 (UTC)
Message-Id: <20120115080312.8CC33AF580F@emmas.aprisoft.de>
Date: Sun, 15 Jan 2012 09:03:12 +0100 (CET)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@gnats.NetBSD.org
Subject: perl is miscompiled on sparc64-current
X-Send-Pr-Version: 3.95

>Number:         45837
>Category:       toolchain
>Synopsis:       perl is miscompiled on sparc64-current
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    toolchain-manager
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 15 08:05:00 +0000 2012
>Closed-Date:    Sun Jun 24 16:53:15 +0000 2012
>Last-Modified:  Sun Jun 24 16:53:15 +0000 2012
>Originator:     Martin Husemann
>Release:        NetBSD 5.99.59
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD nelly.aprisoft.de 5.99.59 NetBSD 5.99.59 (NELLY.MP) #186: Fri Jan 13 12:43:00 CET 2012 martin@emmas.aprisoft.de:/nelly/usr/src/sys/arch/sparc64/compile/NELLY.MP sparc64
Architecture: sparc64
Machine: sparc64
>Description:

When perl compiles a perl regexp and midway finds a UTF8 encoded part inside
the pattern it dies with a core dump due to a NULL pointer dereference.

The problem hits in perl regcomp.c line 4563:

   4560     /****************** LONG JUMP TARGET HERE***********************/
   4561     /* Longjmp back to here if have to switch in midstream to utf8 */
   4562     if (! RExC_orig_utf8) {
   4563         JMPENV_PUSH(jump_ret);
   4564         used_setjump = TRUE;
   4565     }

The macro JMPENV_PUSH is used in exception handling/unwinding and does
this:

#define JMPENV_PUSH(v) \
    STMT_START {                                                        \
        DEBUG_l({                                                       \
            int i = 0; JMPENV *p = PL_top_env;                          \
            while (p) { i++; p = p->je_prev; }                          \
            Perl_deb(aTHX_ "JUMPENV_PUSH level=%d at %s:%d\n",          \
                         i,  __FILE__, __LINE__);})                     \
        cur_env.je_prev = PL_top_env;                                   \
        OP_REG_TO_MEM;                                                  \
        cur_env.je_ret = PerlProc_setjmp(cur_env.je_buf, SCOPE_SAVES_SIGNAL_M$
        OP_MEM_TO_REG;                                                  \
        PL_top_env = &cur_env;                                          \
        cur_env.je_mustcatch = FALSE;                                   \
        (v) = cur_env.je_ret;                                           \
    } STMT_END


Finally PerlProc_setjmp is a sigsetjmp(). Now the compiler generates this
code for the above invocation:

   0x4058f89c <Perl_re_compile+988>:    ldx  [ %i0 + 0x270 ], %g1
   0x4058f8a0 <Perl_re_compile+992>:    add  %fp, 0x69f, %o0
   0x4058f8a4 <Perl_re_compile+996>:    clr  %o1
   0x4058f8a8 <Perl_re_compile+1000>:   call  0x40780520 <__sigsetjmp14@plt>
   0x4058f8ac <Perl_re_compile+1004>:   stx  %g1, [ %fp + 0x697 ]
   0x4058f8b0 <Perl_re_compile+1008>:   add  %fp, 0x697, %g1
   0x4058f8b4 <Perl_re_compile+1012>:   st  %o0, [ %fp + 0x717 ]
   0x4058f8b8 <Perl_re_compile+1016>:   andcc  %o0, 0xff, %o1
=> 0x4058f8bc <Perl_re_compile+1020>:   stx  %g1, [ %i0 + 0x270 ]

All fine, but after calling sigsetjmp, %i0 should be considered clobbered
as it is caller-saved. Still it just uses it in the marked instructions
and dies - because it is NULL now.

Am I missing something?

>How-To-Repeat:

Try to build mail/spamassassin from pkgsrc, watch perl dump core in the
middle of the build.

>Fix:
n/a

>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Sun, 15 Jan 2012 09:21:08 +0000
State-Changed-Why:
should not file PRs early in the morning when waiting for the coffee maker
to finish descaling. %i0 != %o0, of course it should be valid after the call.


From: David Laight <david@l8s.co.uk>
To: gnats-bugs@NetBSD.org
Cc: toolchain-manager@netbsd.org, netbsd-bugs@netbsd.org,
	gnats-admin@netbsd.org, martin@NetBSD.org
Subject: Re: toolchain/45837 (perl is miscompiled on sparc64-current)
Date: Sun, 15 Jan 2012 12:10:44 +0000

 On Sun, Jan 15, 2012 at 09:21:09AM +0000, martin@NetBSD.org wrote:
 > Synopsis: perl is miscompiled on sparc64-current
 > 
 > State-Changed-From-To: open->closed
 > State-Changed-By: martin@NetBSD.org
 > State-Changed-When: Sun, 15 Jan 2012 09:21:08 +0000
 > State-Changed-Why:
 > should not file PRs early in the morning when waiting for the coffee maker
 > to finish descaling. %i0 != %o0, of course it should be valid after the call.

 Doesn't that mean there is something wrong with the longjmp()
 processing instead?

 	David

 -- 
 David Laight: david@l8s.co.uk

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org, toolchain-manager@netbsd.org,
	netbsd-bugs@netbsd.org, gnats-admin@netbsd.org, martin@NetBSD.org
Cc: 
Subject: Re: toolchain/45837 (perl is miscompiled on sparc64-current)
Date: Sun, 15 Jan 2012 13:19:42 +0100

 On Sun, Jan 15, 2012 at 12:10:44PM +0000, David Laight wrote:
 > Doesn't that mean there is something wrong with the longjmp()
 > processing instead?

 Yes, probably.

 Martin

State-Changed-From-To: closed->open
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 15 Jan 2012 15:18:55 +0000
State-Changed-Why:
If it crashes, it's still a bug...


From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, toolchain-manager@netbsd.org, 
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: toolchain/45837: perl is miscompiled on sparc64-current
Date: Sun, 15 Jan 2012 11:20:45 -0500

 On Jan 15,  8:05am, martin@NetBSD.org (martin@NetBSD.org) wrote:
 -- Subject: toolchain/45837: perl is miscompiled on sparc64-current

 | >Number:         45837
 | >Category:       toolchain
 | >Synopsis:       perl is miscompiled on sparc64-current
 | >Confidential:   no
 | >Severity:       serious
 | >Priority:       medium
 | >Responsible:    toolchain-manager
 | >State:          open
 | >Class:          sw-bug
 | >Submitter-Id:   net
 | >Arrival-Date:   Sun Jan 15 08:05:00 +0000 2012
 | >Originator:     Martin Husemann
 | >Release:        NetBSD 5.99.59
 | >Organization:
 | The NetBSD Foundation, Inc.
 | >Environment:
 | System: NetBSD nelly.aprisoft.de 5.99.59 NetBSD 5.99.59 (NELLY.MP) #186: Fri Jan 13 12:43:00 CET 2012 martin@emmas.aprisoft.de:/nelly/usr/src/sys/arch/sparc64/compile/NELLY.MP sparc64
 | Architecture: sparc64
 | Machine: sparc64
 | >Description:
 | 
 | When perl compiles a perl regexp and midway finds a UTF8 encoded part inside
 | the pattern it dies with a core dump due to a NULL pointer dereference.
 | 
 | The problem hits in perl regcomp.c line 4563:
 | 
 |    4560     /****************** LONG JUMP TARGET HERE***********************/
 |    4561     /* Longjmp back to here if have to switch in midstream to utf8 */
 |    4562     if (! RExC_orig_utf8) {
 |    4563         JMPENV_PUSH(jump_ret);
 |    4564         used_setjump = TRUE;
 |    4565     }
 | 
 | The macro JMPENV_PUSH is used in exception handling/unwinding and does
 | this:
 | 
 | #define JMPENV_PUSH(v) \
 |     STMT_START {                                                        \
 |         DEBUG_l({                                                       \
 |             int i = 0; JMPENV *p = PL_top_env;                          \
 |             while (p) { i++; p = p->je_prev; }                          \
 |             Perl_deb(aTHX_ "JUMPENV_PUSH level=%d at %s:%d\n",          \
 |                          i,  __FILE__, __LINE__);})                     \
 |         cur_env.je_prev = PL_top_env;                                   \
 |         OP_REG_TO_MEM;                                                  \
 |         cur_env.je_ret = PerlProc_setjmp(cur_env.je_buf, SCOPE_SAVES_SIGNAL_M$
 |         OP_MEM_TO_REG;                                                  \
 |         PL_top_env = &cur_env;                                          \
 |         cur_env.je_mustcatch = FALSE;                                   \
 |         (v) = cur_env.je_ret;                                           \
 |     } STMT_END
 | 
 | 
 | Finally PerlProc_setjmp is a sigsetjmp(). Now the compiler generates this
 | code for the above invocation:
 | 
 |    0x4058f89c <Perl_re_compile+988>:    ldx  [ %i0 + 0x270 ], %g1
 |    0x4058f8a0 <Perl_re_compile+992>:    add  %fp, 0x69f, %o0
 |    0x4058f8a4 <Perl_re_compile+996>:    clr  %o1
 |    0x4058f8a8 <Perl_re_compile+1000>:   call  0x40780520 <__sigsetjmp14@plt>
 |    0x4058f8ac <Perl_re_compile+1004>:   stx  %g1, [ %fp + 0x697 ]
 |    0x4058f8b0 <Perl_re_compile+1008>:   add  %fp, 0x697, %g1
 |    0x4058f8b4 <Perl_re_compile+1012>:   st  %o0, [ %fp + 0x717 ]
 |    0x4058f8b8 <Perl_re_compile+1016>:   andcc  %o0, 0xff, %o1
 | => 0x4058f8bc <Perl_re_compile+1020>:   stx  %g1, [ %i0 + 0x270 ]
 | 
 | All fine, but after calling sigsetjmp, %i0 should be considered clobbered
 | as it is caller-saved. Still it just uses it in the marked instructions
 | and dies - because it is NULL now.
 | 
 | Am I missing something?

 Try sprinkling volatile...

 christos

Responsible-Changed-From-To: toolchain-manager->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Mon, 16 Jan 2012 16:28:12 +0000
Responsible-Changed-Why:
I'll handle it


From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: toolchain/45837 (perl is miscompiled on sparc64-current)
Date: Tue, 1 May 2012 13:29:39 +0200

 It seems like

 	perl -e '/(?{"{"})/'

 triggers the same failure (a "make test" for the perl pkg does this, and a
 few similar others).

 Martin

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/45837 (perl is miscompiled on sparc64-current)
Date: Wed, 2 May 2012 12:27:51 +0200

 Turns out to be a bug in perl, I have a patch upcoming...

 Martin

Responsible-Changed-From-To: martin->toolchain-manager
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Thu, 03 May 2012 19:44:02 +0000
Responsible-Changed-Why:
Turns out to be gcc bug after all


From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: toolchain/45837 (perl is miscompiled on sparc64-current)
Date: Thu, 3 May 2012 21:47:01 +0200

 After a lot more digging around, I have identified it as a gcc bug and
 filed upstream bug report http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53219
 for it.

 Basically gcc inlines a small function, not creating a new register window,
 then overwrites %i0 and does not restore it.

 In the simple test, this ends up with %i0 (which should be my_perl, the
 context for the whole function) as NULL. On next deref, we crash.

 Martin
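 To make the mechanism in the original description and the root cause above
 concrete, here is an added example (not perl's or gcc's code) of a
 JMPENV-style setjmp unwinding stack together with the contract the compiler
 broke here: a local that is not changed between sigsetjmp and siglongjmp
 (my_ctx, standing in for my_perl in %i0) must keep its value, while a local
 that is changed (steps) must be volatile. The names jmpenv, top_env,
 die_with, work and run_protected are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>

/* One unwinding frame, modelled on perl's JMPENV (je_prev / je_buf / je_ret). */
struct jmpenv {
    struct jmpenv *je_prev;
    sigjmp_buf     je_buf;
    volatile int   je_ret;      /* throw code; written between setjmp and longjmp */
};
static struct jmpenv *top_env;  /* innermost handler, like PL_top_env */

/* Unwind to the innermost handler; never returns. The code is stored in the
 * frame because ISO C only allows setjmp's result to be tested, not assigned
 * (perl's JMPENV_PUSH assigns it, which gcc accepts in practice). */
static void die_with(int code)
{
    top_env->je_ret = code;
    siglongjmp(top_env->je_buf, 1);
}

/* Small static helper, the shape that got inlined in this PR: it bumps the
 * caller's counter and then may throw with the context's value. */
static void work(const int *ctx, volatile int *steps, int fail)
{
    (*steps)++;
    if (fail)
        die_with(*ctx);
}

/* Run work() under a handler. Returns the throw code (0 if none), -1 if the
 * context pointer did not survive the jump, -2 if the counter did not. */
int run_protected(int fail)
{
    int ctx_value = 42;
    const int *my_ctx = &ctx_value;   /* unchanged across setjmp: preserved by C */
    volatile int steps = 0;           /* modified after setjmp: must be volatile */
    struct jmpenv cur_env;
    cur_env.je_prev = top_env;
    cur_env.je_ret = 0;
    if (sigsetjmp(cur_env.je_buf, 1) == 0) {   /* 1: also save the signal mask */
        top_env = &cur_env;                    /* push, like JMPENV_PUSH */
        work(my_ctx, &steps, fail);
    }
    top_env = cur_env.je_prev;                 /* pop, like JMPENV_POP */
    if (my_ctx != &ctx_value || *my_ctx != 42)
        return -1;                             /* the symptom in this PR */
    if (steps != 1)
        return -2;
    return cur_env.je_ret;
}
```

 With a correct compiler run_protected(0) returns 0 and run_protected(1) returns 42; a miscompilation of the kind described in this PR would show up as -1.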

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: mrg@NetBSD.org
Subject: Re: toolchain/45837: perl tests crash on sparc64
Date: Sun, 17 Jun 2012 15:22:49 +0200

 Apparently we need to backport the fix from

   http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48542

 to fix this.

 Martin

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/45837 CVS commit: src/external/gpl3/gcc/dist/gcc
Date: Sun, 17 Jun 2012 13:43:30 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Sun Jun 17 13:43:30 UTC 2012

 Modified Files:
 	src/external/gpl3/gcc/dist/gcc: ChangeLog reload.c reload1.c

 Log Message:
 Apply upstream revision 175141: setjmp vs. unchanged register values;
 should fix PR toolchain/45837.


 To generate a diff of this commit:
 cvs rdiff -u -r1.2 -r1.3 src/external/gpl3/gcc/dist/gcc/ChangeLog
 cvs rdiff -u -r1.1.1.1 -r1.2 src/external/gpl3/gcc/dist/gcc/reload.c \
     src/external/gpl3/gcc/dist/gcc/reload1.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->pending-pullups
State-Changed-By: martin@NetBSD.org
State-Changed-When: Sun, 17 Jun 2012 18:42:07 +0000
State-Changed-Why:
Fixed in -current, waiting for [pullup-6 #352]


From: "Julian Coleman" <jdc@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/45837 CVS commit: [netbsd-6] src/external/gpl3/gcc/dist/gcc
Date: Sun, 24 Jun 2012 16:41:23 +0000

 Module Name:	src
 Committed By:	jdc
 Date:		Sun Jun 24 16:41:23 UTC 2012

 Modified Files:
 	src/external/gpl3/gcc/dist/gcc [netbsd-6]: ChangeLog reload.c reload1.c

 Log Message:
 Pull up revisions:
   src/external/gpl3/gcc/dist/gcc/ChangeLog revision 1.3
   src/external/gpl3/gcc/dist/gcc/reload.c revision 1.2
   src/external/gpl3/gcc/dist/gcc/reload1.c revision 1.2
 (requested by martin in ticket #352).

 Apply upstream revision 175141: setjmp vs. unchanged register values;
 should fix PR toolchain/45837.


 To generate a diff of this commit:
 cvs rdiff -u -r1.2 -r1.2.2.1 src/external/gpl3/gcc/dist/gcc/ChangeLog
 cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 src/external/gpl3/gcc/dist/gcc/reload.c \
     src/external/gpl3/gcc/dist/gcc/reload1.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: jdc@NetBSD.org
State-Changed-When: Sun, 24 Jun 2012 16:53:15 +0000
State-Changed-Why:
Pull up #352 applied.


>Unformatted:
