[Bug 273] New: Unexplained crash in generated binary

gdc-bugzilla at gdcproject.org gdc-bugzilla at gdcproject.org
Fri Sep 29 17:09:27 UTC 2017


https://bugzilla.gdcproject.org/show_bug.cgi?id=273

            Bug ID: 273
           Summary: Unexplained crash in generated binary
           Product: GDC
           Version: development
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: gdc
          Assignee: ibuclaw at gdcproject.org
          Reporter: sebastien.alaiwan at gmail.com

// crash.d

// Entry point of the reproducer: build the object graph, perform one more
// heap allocation, then walk the graph.
int main()
{
  auto box = DubiousFunction(0);

  // `buf` is never read.  Presumably it is here to force a GC allocation
  // between building the graph and walking it -- confirm with the reporter
  // before removing it, since it may be what makes the crash reproducible.
  auto buf = new ubyte[2048];

  search(box);
  return 0;
}

// Depth-first walk over `box.children`.  `box` is dereferenced without a
// null check (see the generated `_D5crash6searchFC5crash4BaseZv` below), so a
// null or dangling reference faults here instead of being reported.
void search(Base box)
{
  foreach(b; box.children)
    search(b); // crash at execution occurs here
}

// any modification to the below code makes the crash disappear
// Builds the graph: one Derived root with two Derived children.  The unused
// int parameter, the dead locals a/b/c and the empty loop over the
// uninitialised `tab` contribute nothing to the result, but they are part of
// the minimal reproducer (see the note above: any change hides the crash).
Base DubiousFunction(int)
{
  int a, b, c;            // zero-initialised by the compiler, never read

  auto box = new Derived; // root node; note it is a Derived, not a Base

  foreach(i; 0 .. 2)
    box.children ~= new Derived;  // grows the GC-managed slice via _d_arrayappendcTX

  char[1] tab = void;     // deliberately left uninitialised
  foreach(cc; tab)        // empty body; still reads the uninitialised byte once
  {
  }

  return box;
}

// Adds nothing to Base; instances keep the same 32-byte layout (compare
// _D5crash7Derived6__initZ and _D5crash4Base6__initZ below) and so still
// carry `children`.
class Derived : Base { }

// Tree node.  `children` is a GC-managed slice (length, ptr) stored at object
// offset 16, after the vtable pointer at offset 0 and the 8-byte slot at 8
// (see the 16(%rax)/24(%rax) loads in the generated search() below).
class Base
{
  Base[] children;
}

I'm running an up-to-date GNU/Debian testing:

$ gdc-6 --version | head -n 1
gdc-6 (Debian 6.4.0-7) 6.4.0 20170920

$ gdc-7 --version | head -n 1 
gdc-7 (Debian 7.2.0-7) 7.2.0

$ gdc-6 crash.d -o crash-6 && ./crash-6 && echo OK
OK

$ gdc-7 crash.d -o crash-7 && ./crash-7 && echo OK
[1]    20610 segmentation fault  ./crash-7

Replacing the first "new Derived" with "new Base" is especially interesting, as
it makes the crash disappear even though the generated code is only slightly modified:

--- crash-7.s   2017-09-29 19:05:51.800263642 +0200
+++ crash-7b.s  2017-09-29 19:06:01.469764349 +0200
@@ -147,7 +147,7 @@
        movl    $0, -52(%rbp)
        movl    $0, -56(%rbp)
        movl    $0, -60(%rbp)
-       leaq    _D5crash7Derived7__ClassZ(%rip), %rdi
+       leaq    _D5crash4Base7__ClassZ(%rip), %rdi
        call    _d_newclass at PLT
        movq    %rax, -72(%rbp)
        movl    $0, -36(%rbp)
@@ -310,7 +310,7 @@
        .quad   _D6Object7__ClassZ
        .quad   0
        .quad   0
-       .long   52
+       .long   116
        .zero   4
        .quad   0
        .quad   0

The first hunk corresponds to the call to `new`; the second is the "flags" field
of the TypeInfo_Class initializer for the "Base" type, which in the non-crashing
build additionally has the "isAbstract" bit (0x40 = 116 - 52) set.
This difference is enough to decide whether the crash occurs or not.


Here's, for reference, the full (crashing) generated code with gdc-7:


        .file   "crash.d"
        .text
        .globl  main
        .type   main, @function
# int main(int argc, char **argv)  -- C entry point, SysV AMD64
# Hands argc/argv and the address of _Dmain to the D runtime; the runtime
# (_d_run_main) then calls _Dmain after initialising itself.
main:
.LFB0:
        .cfi_startproc
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        subq    $16, %rsp                # push + 16 keeps rsp 16-byte aligned at the call
        movl    %edi, -4(%rbp)           # spill argc
        movq    %rsi, -16(%rbp)          # spill argv
        movq    -16(%rbp), %rcx
        movl    -4(%rbp), %eax
        movq    _Dmain at GOTPCREL(%rip), %rdx   # third argument: &_Dmain (via GOT, PIC)
        movq    %rcx, %rsi               # argv
        movl    %eax, %edi               # argc
        call    _d_run_main at PLT        # _d_run_main(argc, argv, &_Dmain)
        leave
        .cfi_def_cfa 7, 8
        ret                              # returns whatever _d_run_main left in eax
        .cfi_endproc
.LFE0:
        .size   main, .-main
        .globl  _Dmain
        .type   _Dmain, @function
# int crash.main()  -- the D main, called by _d_run_main
# Locals (relative to rbp): -8 box, -32/-24 buf (length, ptr), never read.
_Dmain:
.LFB1:
        .cfi_startproc
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        subq    $32, %rsp                # push + 32 keeps rsp 16-byte aligned at the calls
        movl    $0, %edi
        call    _D5crash15DubiousFunctionFiZC5crash4Base   # box = DubiousFunction(0)
        movq    %rax, -8(%rbp)
        movl    $2048, %esi              # element count
        movq    _D11TypeInfo_Ah6__initZ at GOTPCREL(%rip), %rax   # TypeInfo for ubyte[]
        movq    %rax, %rdi
        call    _d_newarrayT at PLT       # buf = new ubyte[2048]; rax = length, rdx = ptr
        movq    %rax, -32(%rbp)          # buf spilled and never used again
        movq    %rdx, -24(%rbp)
        # NOTE(review): this is the only heap allocation between building the
        # graph and walking it.  If it triggers a collection and the root
        # object's TypeInfo_Class tells the GC not to scan it (compare m_flags
        # 118 in _D5crash7Derived7__ClassZ with 52 in _D5crash4Base7__ClassZ),
        # box.children could be freed before search() runs -- verify with GC
        # diagnostics / by disabling the GC.
        movq    -8(%rbp), %rax
        movq    %rax, %rdi
        call    _D5crash6searchFC5crash4BaseZv             # search(box)
        movl    $0, %eax                 # return 0
        leave
        .cfi_def_cfa 7, 8
        ret
        .cfi_endproc
.LFE1:
        .size   _Dmain, .-_Dmain
        .section        .rodata
.LC0:
        .string "crash.d"                # file name handed to _d_arraybounds by both functions
        .text
        .globl  _D5crash6searchFC5crash4BaseZv
        .type   _D5crash6searchFC5crash4BaseZv, @function
# void crash.search(Base box)  -- SysV AMD64, unoptimised rbp-based frame
# In:  rdi = box (class reference)
# Locals (relative to rbp):
#   -72 box   -64 children.length   -56 children.ptr   -48 b   -40 loop index
# rbx/r12/r13 are saved only because the bounds-failure path clobbers them.
_D5crash6searchFC5crash4BaseZv:
.LFB2:
        .cfi_startproc
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        pushq   %r13
        pushq   %r12
        pushq   %rbx
        subq    $56, %rsp                # 4 pushes + 56 keeps rsp 16-byte aligned at the calls
        .cfi_offset 13, -24
        .cfi_offset 12, -32
        .cfi_offset 3, -40
        movq    %rdi, -72(%rbp)          # box
        movq    -72(%rbp), %rax
        movq    24(%rax), %rdx           # box.children.ptr    -- no null check on box:
        movq    16(%rax), %rax           # box.children.length    a null/dangling box faults here
        movq    %rax, -64(%rbp)
        movq    %rdx, -56(%rbp)
        movq    $0, -40(%rbp)            # i = 0
.L8:
        movq    -64(%rbp), %rax
        cmpq    %rax, -40(%rbp)
        jnb     .L9                      # i >= length (unsigned) -> done
        movq    -56(%rbp), %rdx          # rdx = children.ptr, stays live into .L7
        movq    -64(%rbp), %rax
        cmpq    %rax, -40(%rbp)
        jb      .L7                      # bounds check; redundant after the jnb above
        movl    $7, %r12d                # file.length ("crash.d")
        leaq    .LC0(%rip), %r13         # file.ptr
        movq    %r12, %rcx
        movq    %r13, %rbx
        movq    %r12, %rax
        movq    %r13, %rdx
        movq    %rdx, %rax
        movl    $13, %edx                # source line reported on failure
        movq    %rcx, %rdi
        movq    %rax, %rsi
        call    _d_arraybounds at PLT     # _d_arraybounds(file, line)
.L7:
        movq    -40(%rbp), %rax
        salq    $3, %rax
        addq    %rdx, %rax               # &children.ptr[i]
        movq    (%rax), %rax             # b = children[i]; faults if children.ptr is stale/unmapped
        movq    %rax, -48(%rbp)
        movq    -48(%rbp), %rax
        movq    %rax, %rdi
        call    _D5crash6searchFC5crash4BaseZv   # search(b)  (recursion; no depth limit)
        addq    $1, -40(%rbp)            # ++i
        jmp     .L8
.L9:
        nop
        nop
        addq    $56, %rsp
        popq    %rbx
        popq    %r12
        popq    %r13
        popq    %rbp
        .cfi_def_cfa 7, 8
        ret
        .cfi_endproc
.LFE2:
# (the .size directive below was wrapped onto two lines by the mailer; it is one line in the real .s)
        .size   _D5crash6searchFC5crash4BaseZv,
.-_D5crash6searchFC5crash4BaseZv
        .globl  _D5crash15DubiousFunctionFiZC5crash4Base
        .type   _D5crash15DubiousFunctionFiZC5crash4Base, @function
# Base crash.DubiousFunction(int)  -- SysV AMD64, unoptimised rbp-based frame
# In:  edi = the unused int parameter
# Out: rax = box (the root Derived object)
# Locals (relative to rbp):
#   -116 parameter   -112 tab.length (1)   -104 tab.ptr (= rbp-82)
#   -82 tab[0]   -81 cc   -80 copy of i   -76 loop bound (2)   -72 box
#   -60/-56/-52 the three zeroed ints (which is a/b/c is not recoverable here)
#   -48 index into tab   -36 i
_D5crash15DubiousFunctionFiZC5crash4Base:
.LFB3:
        .cfi_startproc
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        pushq   %r13
        pushq   %r12
        pushq   %rbx
        subq    $104, %rsp               # 4 pushes + 104 keeps rsp 16-byte aligned at the calls
        .cfi_offset 13, -24
        .cfi_offset 12, -32
        .cfi_offset 3, -40
        movl    %edi, -116(%rbp)         # parameter spilled, never read
        movl    $0, -52(%rbp)            # a, b, c = 0 (dead stores)
        movl    $0, -56(%rbp)
        movl    $0, -60(%rbp)
        leaq    _D5crash7Derived7__ClassZ(%rip), %rdi
        call    _d_newclass at PLT         # box = new Derived, allocated from Derived's TypeInfo_Class
        movq    %rax, -72(%rbp)
        movl    $0, -36(%rbp)            # i = 0
        movl    $2, -76(%rbp)            # loop bound
.L12:
        movl    -36(%rbp), %eax
        cmpl    -76(%rbp), %eax
        jge     .L17                     # i >= 2 (signed, i is int) -> done
        movl    -36(%rbp), %eax
        movl    %eax, -80(%rbp)
        leaq    _D5crash7Derived7__ClassZ(%rip), %rdi
        call    _d_newclass at PLT         # new Derived
        movq    %rax, %rbx               # rbx keeps the new child across the append call
        movq    -72(%rbp), %rax
        addq    $16, %rax                # &box.children (slice lives at object offset 16)
        movl    $1, %edx                 # n = 1 element
        movq    %rax, %rsi
        leaq    _D22TypeInfo_AC5crash4Base6__initZ(%rip), %rdi   # TypeInfo for Base[]
        call    _d_arrayappendcTX at PLT   # grows box.children; returns rax = length, rdx = ptr
        movq    %rdx, %rcx
        subq    $1, %rax
        salq    $3, %rax
        addq    %rcx, %rax               # &ptr[length-1]
        movq    %rbx, (%rax)             # store the new child into the appended slot
        addl    $1, -36(%rbp)            # ++i
        jmp     .L12
.L17:
        nop
        movq    $1, -112(%rbp)           # tab.length = 1
        leaq    -82(%rbp), %rax
        movq    %rax, -104(%rbp)         # tab.ptr = &tab[0]; the byte itself is never written ('= void')
        movq    $0, -48(%rbp)            # index = 0
.L15:
        movq    -112(%rbp), %rax
        cmpq    %rax, -48(%rbp)
        jnb     .L18                     # index >= 1 -> done
        movq    -104(%rbp), %rdx
        movq    -112(%rbp), %rax
        cmpq    %rax, -48(%rbp)
        jb      .L14                     # redundant bounds check, same shape as in search()
        movl    $7, %r12d                # file.length ("crash.d")
        leaq    .LC0(%rip), %r13         # file.ptr
        movq    %r12, %rcx
        movq    %r13, %rbx
        movq    %r12, %rax
        movq    %r13, %rdx
        movq    %rdx, %rax
        movl    $27, %edx                # source line reported on failure
        movq    %rcx, %rdi
        movq    %rax, %rsi
        call    _d_arraybounds at PLT
.L14:
        movq    -48(%rbp), %rax
        addq    %rdx, %rax
        movzbl  (%rax), %eax             # cc = tab[index]: reads the uninitialised stack byte
        movb    %al, -81(%rbp)
        addq    $1, -48(%rbp)
        jmp     .L15
.L18:
        nop
        movq    -72(%rbp), %rax          # return box
        addq    $104, %rsp
        popq    %rbx
        popq    %r12
        popq    %r13
        popq    %rbp
        .cfi_def_cfa 7, 8
        ret
        .cfi_endproc
.LFE3:
# (the .size directive below was wrapped onto two lines by the mailer; it is one line in the real .s)
        .size   _D5crash15DubiousFunctionFiZC5crash4Base,
.-_D5crash15DubiousFunctionFiZC5crash4Base
        .weak   _D22TypeInfo_AC5crash4Base6__initZ
# TypeInfo for Base[] (the array type of `children`), passed to
# _d_arrayappendcTX in DubiousFunction.  Weak + comdat so every module that
# instantiates it shares one copy.
# (the .section directive below was wrapped onto two lines by the mailer)
        .section       
.data.rel.ro._D22TypeInfo_AC5crash4Base6__initZ,"awG", at progbits,_D22TypeInfo_AC5crash4Base6__initZ,comdat
        .align 16
        .type   _D22TypeInfo_AC5crash4Base6__initZ, @object
        .size   _D22TypeInfo_AC5crash4Base6__initZ, 24
_D22TypeInfo_AC5crash4Base6__initZ:
        .quad   _D14TypeInfo_Array6__vtblZ   # vtable of TypeInfo_Array
        .quad   0
        .quad   _D5crash4Base7__ClassZ       # element type: Base's TypeInfo_Class
        .globl  _D5crash7Derived6__initZ
        .section        .data.rel.ro.local,"aw", at progbits
        .align 32
        .type   _D5crash7Derived6__initZ, @object
        .size   _D5crash7Derived6__initZ, 32
# Initial image of a Derived instance (32 bytes, identical layout to Base):
# offset 0 vtable pointer, 8 zero, 16/24 the `children` slice (length 0, ptr null).
_D5crash7Derived6__initZ:
        .quad   _D5crash7Derived6__vtblZ
        .zero   8
        .quad   0                        # children.length
        .quad   0                        # children.ptr
        .globl  _D5crash7Derived7__ClassZ
        .section        .rodata
.LC1:
        .string "crash.Derived"
        .section        .data.rel,"aw", at progbits
        .align 32
        .type   _D5crash7Derived7__ClassZ, @object
        .size   _D5crash7Derived7__ClassZ, 152
# TypeInfo_Class for crash.Derived -- the argument _d_newclass receives for
# every object this program allocates.  Only the fields that can be matched
# against other symbols in this listing are annotated.
_D5crash7Derived7__ClassZ:
        .quad   _D14TypeInfo_Class6__vtblZ
        .quad   0
        .quad   32                       # init image length = instance size (see _D5crash7Derived6__initZ)
        .quad   _D5crash7Derived6__initZ
        .quad   13                       # name length ("crash.Derived")
        .quad   .LC1
        .quad   5                        # vtbl length (5 entries in _D5crash7Derived6__vtblZ)
        .quad   _D5crash7Derived6__vtblZ
        .quad   0
        .quad   0
        .quad   _D5crash4Base7__ClassZ   # base class
        .quad   0
        .quad   0
        .long   118                      # flags = 0x76.  NOTE(review): Base below has 52 = 0x34; the
                                         # difference is 0x40 | 0x02.  If 0x02 is ClassFlags.noPointers
                                         # (as in druntime's object.d) the GC would treat Derived
                                         # instances as pointer-free although they inherit `children`
                                         # -- verify, this would explain a collection freeing the array.
        .zero   4
        .quad   0
        .quad   0
        .quad   0
        .quad   0
        .quad   0
        .globl  _D5crash7Derived6__vtblZ
        .section        .data.rel.ro,"aw", at progbits
        .align 8
        .type   _D5crash7Derived6__vtblZ, @object
        .size   _D5crash7Derived6__vtblZ, 40
# Derived's vtable: slot 0 points back at its TypeInfo_Class, the remaining
# four slots are Object's default methods (nothing is overridden).
_D5crash7Derived6__vtblZ:
        .quad   _D5crash7Derived7__ClassZ
        .quad   _D6object6Object8toStringMFZAya       # Object.toString
        .quad   _D6object6Object6toHashMFNbNeZm       # Object.toHash
        .quad   _D6object6Object5opCmpMFC6ObjectZi    # Object.opCmp
        .quad   _D6object6Object8opEqualsMFC6ObjectZb # Object.opEquals
        .globl  _D5crash4Base6__initZ
        .section        .data.rel.ro.local
        .align 32
        .type   _D5crash4Base6__initZ, @object
        .size   _D5crash4Base6__initZ, 32
# Initial image of a Base instance (32 bytes): offset 0 vtable pointer,
# 8 zero, 16/24 the `children` slice (length 0, ptr null).
_D5crash4Base6__initZ:
        .quad   _D5crash4Base6__vtblZ
        .zero   8
        .quad   0                        # children.length
        .quad   0                        # children.ptr
        .globl  _D5crash4Base7__ClassZ
        .section        .rodata
.LC2:
        .string "crash.Base"
        .section        .data.rel
        .align 32
        .type   _D5crash4Base7__ClassZ, @object
        .size   _D5crash4Base7__ClassZ, 152
# TypeInfo_Class for crash.Base.  In this (crashing) build no Base is ever
# allocated with `new`; it is only referenced as Derived's base class and as
# the element type of Base[].
_D5crash4Base7__ClassZ:
        .quad   _D14TypeInfo_Class6__vtblZ
        .quad   0
        .quad   32                       # init image length = instance size
        .quad   _D5crash4Base6__initZ
        .quad   10                       # name length ("crash.Base")
        .quad   .LC2
        .quad   5                        # vtbl length
        .quad   _D5crash4Base6__vtblZ
        .quad   0
        .quad   0
        .quad   _D6Object7__ClassZ       # base class: Object
        .quad   0
        .quad   0
        .long   52                       # flags = 0x34; the reporter's diff shows this becomes 116 (0x74)
                                         # when the root is allocated with `new Base` instead
        .zero   4
        .quad   0
        .quad   0
        .quad   0
        .quad   0
        .quad   0
        .globl  _D5crash4Base6__vtblZ
        .section        .data.rel.ro
        .align 8
        .type   _D5crash4Base6__vtblZ, @object
        .size   _D5crash4Base6__vtblZ, 40
# Base's vtable: slot 0 is its TypeInfo_Class, then Object's default methods.
_D5crash4Base6__vtblZ:
        .quad   _D5crash4Base7__ClassZ
        .quad   _D6object6Object8toStringMFZAya       # Object.toString
        .quad   _D6object6Object6toHashMFNbNeZm       # Object.toHash
        .quad   _D6object6Object5opCmpMFC6ObjectZi    # Object.opCmp
        .quad   _D6object6Object8opEqualsMFC6ObjectZb # Object.opEquals
        .globl  _D5crash12__ModuleInfoZ
        .section        .data.rel.local,"aw", at progbits
        .align 32
        .type   _D5crash12__ModuleInfoZ, @object
        .size   _D5crash12__ModuleInfoZ, 38
# ModuleInfo for module `crash`: 4+4+8+8+8+6 = 38 bytes.
_D5crash12__ModuleInfoZ:
        .long   6148                     # module flags (0x1804); meaning per object.ModuleInfo -- not decoded here
        .long   0
        .quad   2                        # followed by exactly two TypeInfo_Class pointers, presumably the local-class count
        .quad   _D5crash7Derived7__ClassZ
        .quad   _D5crash4Base7__ClassZ
        .string "crash"                  # module name, NUL-terminated
        .globl  __mod_ref__D5crash12__ModuleInfoZ
        .section        minfo,"aw", at progbits
        .align 8
        .type   __mod_ref__D5crash12__ModuleInfoZ, @object
        .size   __mod_ref__D5crash12__ModuleInfoZ, 8
# Entry in the `minfo` section; gdc_dso_ctor below registers the whole
# __start_minfo..__stop_minfo range with the runtime.
__mod_ref__D5crash12__ModuleInfoZ:
        .quad   _D5crash12__ModuleInfoZ
        .hidden gdc_dso_slot
        .weak   gdc_dso_slot
# Per-DSO state shared by gdc_dso_ctor/gdc_dso_dtor.  Weak, hidden, comdat and
# gnu_unique so all objects linked into the same DSO share one instance.
        .section        .bss.gdc_dso_slot,"awG", at nobits,gdc_dso_slot,comdat
        .align 8
        .type   gdc_dso_slot, @gnu_unique_object
        .size   gdc_dso_slot, 8
gdc_dso_slot:
        .zero   8                        # opaque slot filled in by _d_dso_registry
        .hidden gdc_dso_initialized
        .weak   gdc_dso_initialized
# (the .section directive below was wrapped onto two lines by the mailer)
        .section       
.bss.gdc_dso_initialized,"awG", at nobits,gdc_dso_initialized,comdat
        .type   gdc_dso_initialized, @gnu_unique_object
        .size   gdc_dso_initialized, 1
gdc_dso_initialized:
        .zero   1                        # 0 until the ctor has run, reset by the dtor
        .section        .text.gdc_dso_ctor,"axG", at progbits,gdc_dso_ctor,comdat
        .weak   gdc_dso_ctor
        .hidden gdc_dso_ctor
        .type   gdc_dso_ctor, @function
# Run from .init_array.  Once per DSO, fills a 48-byte record on the stack
# (word 0 = 1, word 1 = &gdc_dso_slot, word 2 = __start_minfo,
# word 3 = __stop_minfo, words 4-5 = 0) and hands it to _d_dso_registry.
# Field names/meaning follow druntime's DSO registration record -- verify there.
gdc_dso_ctor:
.LFB4:
        .cfi_startproc
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        subq    $48, %rsp                # record lives at rbp-48..rbp-1; rsp stays 16-byte aligned
        movzbl  gdc_dso_initialized(%rip), %eax
        xorl    $1, %eax
        testb   %al, %al
        je      .L21                     # already initialised -> nothing to do
        movq    $0, -48(%rbp)            # zero the whole record first
        movq    $0, -40(%rbp)
        movq    $0, -32(%rbp)
        movq    $0, -24(%rbp)
        movq    $0, -16(%rbp)
        movq    $0, -8(%rbp)
        movq    $1, -48(%rbp)            # word 0 = 1
        leaq    gdc_dso_slot(%rip), %rax
        movq    %rax, -40(%rbp)          # word 1 = &gdc_dso_slot
        leaq    __start_minfo(%rip), %rax
        movq    %rax, -32(%rbp)          # word 2 = start of the minfo range
        leaq    __stop_minfo(%rip), %rax
        movq    %rax, -24(%rbp)          # word 3 = end of the minfo range
        movb    $1, gdc_dso_initialized(%rip)   # mark done before calling out
        leaq    -48(%rbp), %rax
        movq    %rax, %rdi
        call    _d_dso_registry at PLT    # _d_dso_registry(&record)
.L21:
        nop
        leave
        .cfi_def_cfa 7, 8
        ret
        .cfi_endproc
.LFE4:
        .size   gdc_dso_ctor, .-gdc_dso_ctor
        .section        .init_array,"aw"
        .align 8
        .quad   gdc_dso_ctor             # registers the constructor with the loader
        .section        .text.gdc_dso_dtor,"axG", at progbits,gdc_dso_dtor,comdat
        .weak   gdc_dso_dtor
        .hidden gdc_dso_dtor
        .type   gdc_dso_dtor, @function
# Run from .fini_array.  Mirror of gdc_dso_ctor: builds the same 48-byte record,
# clears gdc_dso_initialized, and calls _d_dso_registry again so the runtime
# can unregister this DSO.  Skipped if the ctor never ran.
gdc_dso_dtor:
.LFB5:
        .cfi_startproc
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        subq    $48, %rsp
        movzbl  gdc_dso_initialized(%rip), %eax
        testb   %al, %al
        je      .L24                     # not initialised -> nothing to undo
        movq    $0, -48(%rbp)
        movq    $0, -40(%rbp)
        movq    $0, -32(%rbp)
        movq    $0, -24(%rbp)
        movq    $0, -16(%rbp)
        movq    $0, -8(%rbp)
        movq    $1, -48(%rbp)            # same record layout as in gdc_dso_ctor
        leaq    gdc_dso_slot(%rip), %rax
        movq    %rax, -40(%rbp)
        leaq    __start_minfo(%rip), %rax
        movq    %rax, -32(%rbp)
        leaq    __stop_minfo(%rip), %rax
        movq    %rax, -24(%rbp)
        movb    $0, gdc_dso_initialized(%rip)   # flag cleared before calling out
        leaq    -48(%rbp), %rax
        movq    %rax, %rdi
        call    _d_dso_registry at PLT    # _d_dso_registry(&record)
.L24:
        nop
        leave
        .cfi_def_cfa 7, 8
        ret
        .cfi_endproc
.LFE5:
        .size   gdc_dso_dtor, .-gdc_dso_dtor
        .section        .fini_array,"aw"
        .align 8
        .quad   gdc_dso_dtor             # registers the destructor with the loader
        .hidden __stop_minfo
        .hidden __start_minfo
        .hidden __stop_minfo
        .hidden __start_minfo
        .ident  "GCC: (Debian 7.2.0-7) 7.2.0"
        .section        .note.GNU-stack,"", at progbits
