From: ghe
Subject: [Tinycc-devel] Bug: malloc + function returning double + comparison between doubles
Date: Sat, 9 Jun 2012 19:24:29 +0200 (CEST)
User-agent: Alpine 2.00 (NEB 1167 2008-08-23)
Hi list,
Here is another simple program demonstrating a bizarre bug in TCC (on amd64, both with TCC 0.9.25 and with the latest sources; it works on i386).

This program should loop forever (or at least until the memory is exhausted), but it does not: starting at a given size of the dynamically allocated array 'd', it segfaults in the two comparisons. (On my computer, that given size is 135136 bytes for "tcc", and 134432 for "tcc -run".)
    #include <stdlib.h>
    #include <stdio.h>

    double f () { return 100.0; }

    int main ()
    {
        int i, s; double *d; double t;
        for (s = sizeof (double); 1; s += sizeof (double)) {
            printf ("%d\n", s);
            d = malloc (s);
            d[0] = 10.0;
            i = d[0] > f ();   /* the comparison that segfaults once s is large enough */
            free (d);
        }
        return 0;
    }
This program would run fine:
- if the size of the array is declared instead of using malloc()
- if the "d = malloc (s);" is replaced by "d = malloc (s); free (d); d = malloc (s);"
- if the "i = d[0] > f ();" is replaced by "i = f () < d[0];"
- if the "i = d[0] > f ();" is replaced by "t = d[0] + f();"
- if the "i = d[0] > f ();" is replaced by "i = d[0] > 100.0;"
- if ints are used instead of doubles
Here is a GDB session log after the segfault:
Program received signal SIGSEGV, Segmentation fault.
0x00000000080483e7 in main ()
(gdb) disassemble
Dump of assembler code for function main:
0x000000000804835d <+0>: push %rbp
0x000000000804835e <+1>: mov %rsp,%rbp
0x0000000008048361 <+4>: sub $0x30,%rsp
0x0000000008048368 <+11>: mov $0x8,%eax
0x000000000804836d <+16>: mov %eax,-0x8(%rbp)
0x0000000008048370 <+19>: jmpq 0x8048380 <main+35>
0x0000000008048375 <+24>: mov -0x8(%rbp),%eax
0x0000000008048378 <+27>: add $0x8,%eax
0x000000000804837b <+30>: mov %eax,-0x8(%rbp)
0x000000000804837e <+33>: jmp 0x8048370 <main+19>
0x0000000008048380 <+35>: mov -0x8(%rbp),%eax
0x0000000008048383 <+38>: mov %rax,%rsi
0x0000000008048386 <+41>: lea 0x1223(%rip),%rax # 0x80495b0 <L.25>
0x000000000804838d <+48>: mov %rax,%rdi
0x0000000008048390 <+51>: mov $0x0,%eax
0x0000000008048395 <+56>: callq 0x8048560 <printf>
0x000000000804839a <+61>: mov -0x8(%rbp),%eax
0x000000000804839d <+64>: mov %rax,%rdi
0x00000000080483a0 <+67>: mov $0x0,%eax
0x00000000080483a5 <+72>: callq 0x8048570 <malloc>
0x00000000080483aa <+77>: mov %rax,-0x10(%rbp)
0x00000000080483ae <+81>: mov -0x10(%rbp),%rax
0x00000000080483b2 <+85>: movq 0x120e(%rip),%xmm0 # 0x80495c8 <L.26>
0x00000000080483ba <+93>: movq %xmm0,(%rax)
0x00000000080483be <+97>: lea 0x120b(%rip),%rax # 0x80495d0 <L.27>
0x00000000080483c5 <+104>: mov %rax,%rdi
0x00000000080483c8 <+107>: mov $0x0,%eax
0x00000000080483cd <+112>: callq 0x8048560 <printf>
0x00000000080483d2 <+117>: mov -0x10(%rbp),%rax
0x00000000080483d6 <+121>: mov %rax,-0x28(%rbp)
0x00000000080483da <+125>: mov $0x0,%eax
0x00000000080483df <+130>: callq 0x8048343 <f>
0x00000000080483e4 <+135>: mov -0x28(%rbp),%eax
=> 0x00000000080483e7 <+138>: movq (%rax),%xmm1
0x00000000080483eb <+142>: ucomisd %xmm0,%xmm1
0x00000000080483ef <+146>: mov $0x0,%eax
0x00000000080483f4 <+151>: seta %al
0x00000000080483f7 <+154>: mov %eax,-0x4(%rbp)
0x00000000080483fa <+157>: lea 0x11d2(%rip),%rax # 0x80495d3 <L.28>
0x0000000008048401 <+164>: mov %rax,%rdi
0x0000000008048404 <+167>: mov $0x0,%eax
0x0000000008048409 <+172>: callq 0x8048560 <printf>
0x000000000804840e <+177>: mov -0x10(%rbp),%rax
0x0000000008048412 <+181>: mov %rax,%rdi
0x0000000008048415 <+184>: mov $0x0,%eax
0x000000000804841a <+189>: callq 0x8048580 <free>
0x000000000804841f <+194>: jmpq 0x8048375 <main+24>
0x0000000008048424 <+199>: mov $0x0,%eax
0x0000000008048429 <+204>: jmpq 0x804842e <main+209>
0x000000000804842e <+209>: leaveq
0x000000000804842f <+210>: retq
End of assembler dump.
(gdb) info registers
rax 0xf7fb8010 4160454672
rbx 0x0 0
rcx 0x80495d2 134518226
rdx 0x7ffff7dd8e10 140737351880208
rsi 0x7ffff7ff8000 140737354104832
rdi 0xffffffff 4294967295
rbp 0x7fffffffe210 0x7fffffffe210
rsp 0x7fffffffe1e0 0x7fffffffe1e0
r8 0x7ffff7ff8002 140737354104834
r9 0x0 0
r10 0x22 34
r11 0x246 582
r12 0x8048300 134513408
r13 0x7fffffffe2f0 140737488347888
r14 0x0 0
r15 0x0 0
rip 0x80483e7 0x80483e7 <main+138>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
Thanks,
--ghe
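An added example, not part of the report or of TCC, that models what the dumped instruction sequence does: the pointer is saved with a 64-bit `mov %rax,-0x28(%rbp)` at <main+121> but reloaded with a 32-bit `mov -0x28(%rbp),%eax` at <main+135>, which zero-extends into %rax and drops the high half of the address before `movq (%rax),%xmm1` dereferences it. The saved pointer value below is constructed so its low 32 bits match the rax in the register dump; tying the report's size threshold to the allocator returning addresses above 4 GiB for large blocks is an assumption, not something the report states.

```c
/* Added example (not from the original report): models the truncating
 * pointer reload visible in the disassembly at <main+135>. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What "mov -0x28(%rbp),%eax" leaves in %rax: a 32-bit register write
 * zero-extends, so the upper 32 bits of the saved 64-bit slot are lost. */
uint64_t reload_as_eax(uint64_t slot) {
    return (uint64_t)(uint32_t)slot;
}

/* True when a pointer survives the truncating reload unchanged, i.e. it
 * lies below 4 GiB. Only such pointers can be dereferenced safely after
 * the miscompiled reload. */
int survives_reload(const void *p) {
    uint64_t v = (uint64_t)(uintptr_t)p;
    return reload_as_eax(v) == v;
}

/* Walk growing allocation sizes like the report's loop and return the
 * first size whose block would be corrupted by the truncating reload, or
 * 0 if none is found up to `limit`. Uses the real allocator, so the result
 * depends on where malloc places blocks on the machine running it
 * (assumption: large blocks land in the high mmap region). */
size_t first_unsafe_size(size_t limit) {
    for (size_t s = sizeof(double); s <= limit; s += sizeof(double)) {
        double *d = malloc(s);
        if (!d) return 0;
        int ok = survives_reload(d);
        free(d);
        if (!ok) return s;
    }
    return 0;
}

int main(void) {
    /* Constructed sample: low 32 bits equal the rax in the GDB dump. */
    uint64_t saved = 0x00007ffff7fb8010ULL;
    printf("saved slot:   %#llx\n", (unsigned long long)saved);
    printf("after reload: %#llx\n", (unsigned long long)reload_as_eax(saved));
    printf("first size with an address above 4 GiB: %zu\n",
           first_unsafe_size((size_t)1 << 20));
    return 0;
}
```

On a PIE binary the heap itself sits above 4 GiB, so `first_unsafe_size` reports the very first size; the report's binary is non-PIE at 0x8048000, which is why only the large blocks are affected there.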