[Issue 9438] Strange RefCounted stack overflow

d-bugmail at puremagic.com d-bugmail at puremagic.com
Fri Feb 1 13:24:51 PST 2013 

http://d.puremagic.com/issues/show_bug.cgi?id=9438



--- Comment #8 from Maxim Fomin <maxim at maxim-fomin.ru> 2013-02-01 13:24:49 PST ---
It really seems to be codegen bug. The problem is that presence of code like in
main function (struct temporary + simple stack struct) makes dmd generate wrong
exception handler table.

If you compile main.d one version with -release -O -noboundcheck and other
version with the same switches and additionally with -g, you will have
absolutely identical asm (obj2asm output) except the single difference is in
data segment.

In segfaulting version you have 

.data    segment
_HandlerTable0:
    db    050h,000h,000h,000h,063h,000h,000h,000h    ;P...c...
    db    002h,000h,000h,000h,000h,000h,000h,000h    ;........
    db    019h,000h,000h,000h,048h,000h,000h,000h    ;....H...
    db    0ffffffffh,0ffffffffh,0ffffffffh,0ffffffffh,000h,000h,000h,000h   
;........
    db    057h,000h,000h,000h,000h,000h,000h,000h    ;W.......
    db    02bh,000h,000h,000h,037h,000h,000h,000h    ;+...7...
    db    000h,000h,000h,000h,000h,000h,000h,000h    ;........
    db    042h,000h,000h,000h,000h,000h,000h,000h    ;B....... // 42h

and in throwing version you will have

_HandlerTable0:
    db    050h,000h,000h,000h,063h,000h,000h,000h    ;P...c...
    db    002h,000h,000h,000h,000h,000h,000h,000h    ;........
    db    019h,000h,000h,000h,048h,000h,000h,000h    ;....H...
    db    0ffffffffh,0ffffffffh,0ffffffffh,0ffffffffh,000h,000h,000h,000h   
;........
    db    057h,000h,000h,000h,000h,000h,000h,000h    ;W.......
    db    02bh,000h,000h,000h,037h,000h,000h,000h    ;+...7...
    db    000h,000h,000h,000h,000h,000h,000h,000h    ;........
    db    03eh,000h,000h,000h,000h,000h,000h,000h    ;>....... //3eh

If you patch incorrect binary, the bug goes away.

Corrupted handler table leads to following problem (asm snippet from main):

0x0000000000418888 <+60>:    jmp    <_Dmain+72>
0x000000000041888a <+62>:    lea    -0x10(%rbp),%rdi //3Eh
0x000000000041888e <+66>:    callq  <_D4main1S11__fieldDtorMFZv> //42h
0x0000000000418893 <+71>:    retq   
0x0000000000418894 <+72>:    sub    $0x8,%rsp
0x0000000000418898 <+76>:    callq  0x4188a3 <_Dmain+87>
0x000000000041889d <+81>:    add    $0x8,%rsp
0x00000000004188a1 <+85>:    jmp    0x4188ad <_Dmain+97>
0x00000000004188a3 <+87>:    lea    -0x18(%rbp),%rdi
0x00000000004188a7 <+91>:    callq  0x418810 <_D4main1S11__fieldDtorMFZv>
0x00000000004188ac <+96>:    retq   
0x00000000004188ad <+97>:    xor    %eax,%eax
0x00000000004188af <+99>:    pop    %r15

In segfaulting version druntime unwinds up to _Dmain+66, after instruction
which sets into %rdi this reference, hence dtor receives corrupted pointer. In
correct version druntime unwinds up to _Dmain+62, so the this pointer is
correct.

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------

More information about the Digitalmars-d-bugs mailing list