
[Tinycc-devel] Bug: malloc + function returning double + comparison between doubles


From: ghe
Subject: [Tinycc-devel] Bug: malloc + function returning double + comparison between doubles
Date: Sat, 9 Jun 2012 19:24:29 +0200 (CEST)
User-agent: Alpine 2.00 (NEB 1167 2008-08-23)


Hi list,

Here is another simple program demonstrating a bizarre bug in TCC (on amd64, both with TCC 0.9.25 and with the latest sources; it works on i386).

This program should loop forever (or at least until the memory is exhausted), but it does not: starting at a given size of the dynamically allocated array 'd', it segfaults in the two comparisons. (On my computer, that given size is 135136 bytes for "tcc", and 134432 for "tcc -run").

#include <stdlib.h>
#include <stdio.h>

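/* Returns the constant 100.0.  It exists only so that the comparison in
 * main() has to go through a call: the report states that comparing
 * against the literal 100.0 directly does not trigger the crash.
 * Declared with a proper prototype ("(void)") instead of the obsolescent
 * empty parameter list.  */
double f (void) { return 100.0; }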

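int main (void)
{
  /* Minimal reproducer: allocate a growing buffer, store a double in it,
   * then compare that double with the result of a function call.  The
   * pointer held in 'd' must survive the call to f(); the GDB dump in the
   * report shows it being reloaded with a 32-bit move
   * ("mov -0x28(%rbp),%eax", rax = 0xf7fb8010), which drops the upper half
   * of the 64-bit address and then faults on "movq (%rax),%xmm1".
   * Returns 0 only if the loop ends (it is meant to run until malloc fails);
   * returns 1 on allocation failure.  */
  int i;            /* result of the comparison; kept so the compare is emitted */
  size_t s;         /* allocation size in bytes; size_t so it matches malloc() */
  double *d;
  double t = 0.0;   /* only used by the "t = d[0] + f();" variant in the report */
  (void) t;
  for (s = sizeof (double); 1; s += sizeof (double)) {
    printf ("%zu\n", s);
    d = malloc (s);
    if (d == NULL) {   /* a failed allocation must not become a NULL store */
      fprintf (stderr, "malloc(%zu) failed\n", s);
      return 1;
    }
    d[0] = 10.0;
    i = d[0] > f ();   /* the comparison that faults in the report */
    (void) i;
    free (d);
  }
  return 0;
}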

This program would run fine:

- if the size of the array is declared instead of using malloc()

- if the "d = malloc (s);" is replaced by "d = malloc (s); free (d); d = malloc (s);"

- if the "i = d[0] > f ();" is replaced by "i = f () < d[0];"

- if the "i = d[0] > f ();" is replaced by "t = d[0] + f();"

- if the "i = d[0] > f ();" is replaced by "i = d[0] > 100.0;"

- if ints are used instead of doubles

Here is a GDB session log after the segfault:

Program received signal SIGSEGV, Segmentation fault.
0x00000000080483e7 in main ()
(gdb) disassemble
Dump of assembler code for function main:
   0x000000000804835d <+0>:       push   %rbp
   0x000000000804835e <+1>:       mov    %rsp,%rbp
   0x0000000008048361 <+4>:       sub    $0x30,%rsp
   0x0000000008048368 <+11>:      mov    $0x8,%eax
   0x000000000804836d <+16>:      mov    %eax,-0x8(%rbp)
   0x0000000008048370 <+19>:      jmpq   0x8048380 <main+35>
   0x0000000008048375 <+24>:      mov    -0x8(%rbp),%eax
   0x0000000008048378 <+27>:      add    $0x8,%eax
   0x000000000804837b <+30>:      mov    %eax,-0x8(%rbp)
   0x000000000804837e <+33>:      jmp    0x8048370 <main+19>
   0x0000000008048380 <+35>:      mov    -0x8(%rbp),%eax
   0x0000000008048383 <+38>:      mov    %rax,%rsi
   0x0000000008048386 <+41>:      lea    0x1223(%rip),%rax        # 0x80495b0 
<L.25>
   0x000000000804838d <+48>:      mov    %rax,%rdi
   0x0000000008048390 <+51>:      mov    $0x0,%eax
   0x0000000008048395 <+56>:      callq  0x8048560 <printf>
   0x000000000804839a <+61>:      mov    -0x8(%rbp),%eax
   0x000000000804839d <+64>:      mov    %rax,%rdi
   0x00000000080483a0 <+67>:      mov    $0x0,%eax
   0x00000000080483a5 <+72>:      callq  0x8048570 <malloc>
   0x00000000080483aa <+77>:      mov    %rax,-0x10(%rbp)
   0x00000000080483ae <+81>:      mov    -0x10(%rbp),%rax
   0x00000000080483b2 <+85>:      movq   0x120e(%rip),%xmm0        # 0x80495c8 
<L.26>
   0x00000000080483ba <+93>:      movq   %xmm0,(%rax)
   0x00000000080483be <+97>:      lea    0x120b(%rip),%rax        # 0x80495d0 
<L.27>
   0x00000000080483c5 <+104>:     mov    %rax,%rdi
   0x00000000080483c8 <+107>:     mov    $0x0,%eax
   0x00000000080483cd <+112>:     callq  0x8048560 <printf>
   0x00000000080483d2 <+117>:     mov    -0x10(%rbp),%rax
   0x00000000080483d6 <+121>:     mov    %rax,-0x28(%rbp)
   0x00000000080483da <+125>:     mov    $0x0,%eax
   0x00000000080483df <+130>:     callq  0x8048343 <f>
   0x00000000080483e4 <+135>:     mov    -0x28(%rbp),%eax
=> 0x00000000080483e7 <+138>:  movq   (%rax),%xmm1
   0x00000000080483eb <+142>:     ucomisd %xmm0,%xmm1
   0x00000000080483ef <+146>:     mov    $0x0,%eax
   0x00000000080483f4 <+151>:     seta   %al
   0x00000000080483f7 <+154>:     mov    %eax,-0x4(%rbp)
   0x00000000080483fa <+157>:     lea    0x11d2(%rip),%rax        # 0x80495d3 
<L.28>
   0x0000000008048401 <+164>:     mov    %rax,%rdi
   0x0000000008048404 <+167>:     mov    $0x0,%eax
   0x0000000008048409 <+172>:     callq  0x8048560 <printf>
   0x000000000804840e <+177>:     mov    -0x10(%rbp),%rax
   0x0000000008048412 <+181>:     mov    %rax,%rdi
   0x0000000008048415 <+184>:     mov    $0x0,%eax
   0x000000000804841a <+189>:     callq  0x8048580 <free>
   0x000000000804841f <+194>:     jmpq   0x8048375 <main+24>
   0x0000000008048424 <+199>:     mov    $0x0,%eax
   0x0000000008048429 <+204>:     jmpq   0x804842e <main+209>
   0x000000000804842e <+209>:     leaveq
   0x000000000804842f <+210>:     retq
End of assembler dump.
(gdb) info registers
rax            0xf7fb8010       4160454672
rbx            0x0      0
rcx            0x80495d2        134518226
rdx            0x7ffff7dd8e10   140737351880208
rsi            0x7ffff7ff8000   140737354104832
rdi            0xffffffff       4294967295
rbp            0x7fffffffe210   0x7fffffffe210
rsp            0x7fffffffe1e0   0x7fffffffe1e0
r8             0x7ffff7ff8002   140737354104834
r9             0x0      0
r10            0x22     34
r11            0x246    582
r12            0x8048300        134513408
r13            0x7fffffffe2f0   140737488347888
r14            0x0      0
r15            0x0      0
rip            0x80483e7        0x80483e7 <main+138>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb)

Thanks,

--ghe


