[Bug 273] New: Unexplained crash in generated binary
Fri Sep 29 17:09:27 UTC 2017
https://bugzilla.gdcproject.org/show_bug.cgi?id=273
Bug ID: 273
Summary: Unexplained crash in generated binary
Product: GDC
Version: development
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gdc
Assignee: ibuclaw at gdcproject.org
Reporter: sebastien.alaiwan at gmail.com
// crash.d
/// Entry point of the reproducer.
/// Builds the object graph, performs one unrelated heap allocation, then
/// walks the graph. `buf` is never read afterwards; it is part of the
/// reproducer as posted (the listing below shows it is a runtime/GC
/// allocation via _d_newarrayT, which is presumably why it matters - confirm).
int main()
{
auto box = DubiousFunction(0);
auto buf = new ubyte[2048]; // unused; kept because the reproducer is order-sensitive
search(box);
return 0;
}
/// Depth-first walk over every node reachable through `children`.
/// The reported segfault is on the recursive call, i.e. when `b` - a reference
/// read out of `box.children` - is dereferenced by the callee to load its own
/// `children` slice.
void search(Base box)
{
foreach(b; box.children)
search(b); // crash at execution occurs here
}
// any modification to the below code makes the crash disappear
/// Builds a `Derived` root holding two `Derived` children and returns it as `Base`.
/// The unused parameter and locals, the `void`-initialised `tab` and the empty
/// `foreach` look like dead code but are part of the minimal reproducer: the
/// reporter states that changing anything in this function makes the crash go away.
Base DubiousFunction(int)
{
int a, b, c;   // never read; D default-initialises them to 0
auto box = new Derived;
foreach(i; 0 .. 2)
box.children ~= new Derived;
char[1] tab = void; // deliberately uninitialised; iterated once, value never used
foreach(cc; tab)
{
}
return box;
}
/// Adds nothing to `Base`; only exists so that the root and the children are
/// allocated through a different ClassInfo than `Base` itself. Note it is
/// declared before its base class (whether that order matters is not stated).
class Derived : Base { }
/// Tree node: `children` is a GC-managed dynamic array of references, and it is
/// the only field (32-byte object: vtbl, monitor, length, ptr in the listing below).
class Base
{
Base[] children;
}
I'm running an up-to-date Debian GNU/Linux testing:
$ gdc-6 --version | head -n 1
gdc-6 (Debian 6.4.0-7) 6.4.0 20170920
$ gdc-7 --version | head -n 1
gdc-7 (Debian 7.2.0-7) 7.2.0
$ gdc-6 crash.d -o crash-6 && ./crash-6 && echo OK
OK
$ gdc-7 crash.d -o crash-7 && ./crash-7 && echo OK
[1] 20610 segmentation fault ./crash-7
Replacing the first "new Derived" with "new Base" is especially interesting: it
makes the crash disappear, yet the generated code differs in only two places:
--- crash-7.s 2017-09-29 19:05:51.800263642 +0200
+++ crash-7b.s 2017-09-29 19:06:01.469764349 +0200
@@ -147,7 +147,7 @@
movl $0, -52(%rbp)
movl $0, -56(%rbp)
movl $0, -60(%rbp)
- leaq _D5crash7Derived7__ClassZ(%rip), %rdi
+ leaq _D5crash4Base7__ClassZ(%rip), %rdi
call _d_newclass at PLT
movq %rax, -72(%rbp)
movl $0, -36(%rbp)
@@ -310,7 +310,7 @@
.quad _D6Object7__ClassZ
.quad 0
.quad 0
- .long 52
+ .long 116
.zero 4
.quad 0
.quad 0
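Review bot: The `+` side of this hunk moves Base's `m_flags` from 52 (0x34) to 116 (0x74), a delta of exactly 0x40, which matches the `isAbstract` bit of druntime's `ClassFlags`; the more suspicious value, though, is Derived's `m_flags` in the crashing listing below, `.long 118` (0x76), which carries bit 0x02 as well. In that enum 0x02 is `noPointers`, and if I recall druntime's `_d_newclass` correctly it turns that flag into `BlkAttr.NO_SCAN`, so the root object from `new Derived` would be a block the GC never scans even though it inherits the `Base[] children` slice. The `new ubyte[2048]` in `main` could then trigger a collection that reclaims the `children` array, and `search` would read stale references out of it, which fits a fault on the recursive `search(b)`. This is inferred from the flag values rather than shown by the diff, so it needs confirming: one cheap check is `import core.memory; GC.disable();` at the top of `main` (outside the function the reporter says is modification-sensitive) to see whether the crash disappears, and another is to diff Derived's `.long` between crash-7.s and crash-7b.s, which this diff does not cover.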
The first hunk is the call to `new` (it now allocates a `Base` instead of a
`Derived`); the second is the `m_flags` field of the `TypeInfo_Class` initializer
for `Base`, which goes from 52 to 116 - a difference of 0x40, i.e. the
`isAbstract` flag gets set even though `Base` declares no abstract members.
Everything else in the two listings is identical, so that difference alone
decides whether the binary crashes.
Here is, for reference, the full (crashing) code generated by gdc-7. Note that
the mailing-list archive has rewritten every `@` as ` at ` (`_d_newclass@PLT`,
`@progbits`, `@GOTPCREL`) and wrapped a few long `.size`/`.section` directives
onto two lines; undo both before feeding the text to an assembler.
.file "crash.d"
.text
# main: C entry point, int main(int argc, char **argv).
# Spills argc/argv, then hands them and the address of the D entry point to
# the runtime: _d_run_main(argc, argv, &_Dmain). %eax is not touched after
# the call, so the runtime's result is the process exit status.
# NOTE: the list archive rewrote "@" as " at " throughout this listing
# ("_d_run_main at PLT" was "_d_run_main@PLT").
.globl main
.type main, @function
main:
.LFB0:
.cfi_startproc
pushq %rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp
.cfi_def_cfa_register 6
subq $16, %rsp                          # locals; %rsp stays 16-byte aligned at the call
movl %edi, -4(%rbp)                     # argc
movq %rsi, -16(%rbp)                    # argv
movq -16(%rbp), %rcx                    # reload argv
movl -4(%rbp), %eax                     # reload argc
movq _Dmain at GOTPCREL(%rip), %rdx     # arg 3: &_Dmain (GOT-relative, position independent)
movq %rcx, %rsi                         # arg 2: argv
movl %eax, %edi                         # arg 1: argc
call _d_run_main at PLT                 # _d_run_main(argc, argv, &_Dmain)
leave
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE0:
.size main, .-main
# _Dmain: the D-level `int main()` from crash.d:
#   box = DubiousFunction(0); buf = new ubyte[2048]; search(box); return 0;
# Frame: -8(%rbp) box; -32(%rbp)/-24(%rbp) buf.
# D slices come back as a register pair; the append code in DubiousFunction
# treats %rax as the length and %rdx as the pointer, so buf is stored as
# (length at -32, ptr at -24). Neither word is read again.
.globl _Dmain
.type _Dmain, @function
_Dmain:
.LFB1:
.cfi_startproc
pushq %rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp
.cfi_def_cfa_register 6
subq $32, %rsp                          # locals; %rsp stays 16-byte aligned at each call
movl $0, %edi                           # arg: the ignored int parameter
call _D5crash15DubiousFunctionFiZC5crash4Base   # box = DubiousFunction(0)
movq %rax, -8(%rbp)                     # box
movl $2048, %esi                        # arg 2: element count
movq _D11TypeInfo_Ah6__initZ at GOTPCREL(%rip), %rax   # typeid(ubyte[])
movq %rax, %rdi                         # arg 1: TypeInfo
call _d_newarrayT at PLT                # buf = new ubyte[2048]  (runtime/GC allocation)
movq %rax, -32(%rbp)                    # buf.length
movq %rdx, -24(%rbp)                    # buf.ptr
movq -8(%rbp), %rax
movq %rax, %rdi                         # arg: box
call _D5crash6searchFC5crash4BaseZv    # search(box)
movl $0, %eax                           # return 0
leave
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE1:
.size _Dmain, .-_Dmain
# File-name string handed to _d_arraybounds by the (dead) bounds-failure
# paths in the two functions that follow; .text is re-selected afterwards.
.section .rodata
.LC0:
.string "crash.d"
.text
# _D5crash6searchFC5crash4BaseZv  ==  void search(Base box)
#   foreach (b; box.children) search(b);
# Object layout used here (matches the 32-byte __initZ images further down):
#   +0 vtbl, +8 monitor, +16 children.length, +24 children.ptr.
# Frame: -72 box, -64 children.length, -56 children.ptr, -48 b, -40 loop index.
# %rbx/%r12/%r13 are only used by the unreachable bounds-failure path.
.globl _D5crash6searchFC5crash4BaseZv
.type _D5crash6searchFC5crash4BaseZv, @function
_D5crash6searchFC5crash4BaseZv:
.LFB2:
.cfi_startproc
pushq %rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp
.cfi_def_cfa_register 6
pushq %r13
pushq %r12
pushq %rbx
subq $56, %rsp                          # 3 pushes + 56 keeps %rsp 16-byte aligned at the calls
.cfi_offset 13, -24
.cfi_offset 12, -32
.cfi_offset 3, -40
movq %rdi, -72(%rbp)                    # box
movq -72(%rbp), %rax
movq 24(%rax), %rdx                     # box.children.ptr   (first dereference of box)
movq 16(%rax), %rax                     # box.children.length
movq %rax, -64(%rbp)                    # the foreach iterates over this snapshot of the slice
movq %rdx, -56(%rbp)
movq $0, -40(%rbp)                      # i = 0
.L8:                                    # loop head
movq -64(%rbp), %rax
cmpq %rax, -40(%rbp)
jnb .L9                                 # unsigned: exit when i >= length
movq -56(%rbp), %rdx                    # %rdx = children.ptr, live into .L7
movq -64(%rbp), %rax
cmpq %rax, -40(%rbp)
jb .L7                                  # bounds check; same operands as the test above, so always taken
movl $7, %r12d                          # unreachable: _d_arraybounds("crash.d", 13)
leaq .LC0(%rip), %r13
movq %r12, %rcx
movq %r13, %rbx
movq %r12, %rax
movq %r13, %rdx
movq %rdx, %rax
movl $13, %edx                          # arg: source line
movq %rcx, %rdi                         # arg: file as (length = 7, ptr) in %rdi/%rsi
movq %rax, %rsi
call _d_arraybounds at PLT             # does not return
.L7:
movq -40(%rbp), %rax
salq $3, %rax                           # i * 8 (class references are pointers)
addq %rdx, %rax                         # &children.ptr[i]
movq (%rax), %rax                       # b = children[i]; whatever the slot holds is passed on as a Base
movq %rax, -48(%rbp)
movq -48(%rbp), %rax
movq %rax, %rdi
call _D5crash6searchFC5crash4BaseZv    # search(b): the callee's first memory access is 24(%rdi)
addq $1, -40(%rbp)                      # ++i
jmp .L8
.L9:
nop
nop
addq $56, %rsp
popq %rbx
popq %r12
popq %r13
popq %rbp
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE2:
# (the archive wrapped this .size directive; it is a single line in the real .s)
.size _D5crash6searchFC5crash4BaseZv,
.-_D5crash6searchFC5crash4BaseZv
# _D5crash15DubiousFunctionFiZC5crash4Base  ==  Base DubiousFunction(int)
#   int a, b, c; auto box = new Derived;
#   foreach (i; 0 .. 2) box.children ~= new Derived;
#   char[1] tab = void; foreach (cc; tab) {}  return box;
# Frame: -116 int arg, -52/-56/-60 a/b/c, -72 box, -76 loop bound (2), -36 i,
#   -80 per-iteration copy of i, -82 tab[0], -81 cc, -112 tab.length,
#   -104 tab.ptr, -48 index of the second loop.
.globl _D5crash15DubiousFunctionFiZC5crash4Base
.type _D5crash15DubiousFunctionFiZC5crash4Base, @function
_D5crash15DubiousFunctionFiZC5crash4Base:
.LFB3:
.cfi_startproc
pushq %rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp
.cfi_def_cfa_register 6
pushq %r13
pushq %r12
pushq %rbx
subq $104, %rsp                         # 3 pushes + 104 keeps %rsp 16-byte aligned at the calls
.cfi_offset 13, -24
.cfi_offset 12, -32
.cfi_offset 3, -40
movl %edi, -116(%rbp)                   # the int parameter; stored, never read
movl $0, -52(%rbp)                      # a = 0
movl $0, -56(%rbp)                      # b = 0   (D default-initialises ints)
movl $0, -60(%rbp)                      # c = 0   none of the three is read again
leaq _D5crash7Derived7__ClassZ(%rip), %rdi   # arg: typeid(Derived); the crash-7b variant passes Base's ClassInfo here
call _d_newclass at PLT                 # box = new Derived; the runtime presumably derives allocation
                                        # attributes from this ClassInfo's m_flags (see the data below)
movq %rax, -72(%rbp)                    # box
movl $0, -36(%rbp)                      # i = 0
movl $2, -76(%rbp)                      # loop bound
.L12:
movl -36(%rbp), %eax
cmpl -76(%rbp), %eax
jge .L17                                # signed compare on the int loop variable
movl -36(%rbp), %eax
movl %eax, -80(%rbp)                    # per-iteration copy of i (unused)
leaq _D5crash7Derived7__ClassZ(%rip), %rdi
call _d_newclass at PLT                 # child = new Derived
movq %rax, %rbx                         # keep child in a callee-saved register across the next call
movq -72(%rbp), %rax
addq $16, %rax                          # &box.children (field at +16, after vtbl and monitor)
movl $1, %edx                           # arg 3: grow by one element
movq %rax, %rsi                         # arg 2: the slice, by reference
leaq _D22TypeInfo_AC5crash4Base6__initZ(%rip), %rdi   # arg 1: typeid(Base[])
call _d_arrayappendcTX at PLT           # runtime append; returns the grown slice as length %rax / ptr %rdx
movq %rdx, %rcx
subq $1, %rax
salq $3, %rax
addq %rcx, %rax                         # &children.ptr[length - 1]
movq %rbx, (%rax)                       # children[$ - 1] = child
addl $1, -36(%rbp)                      # ++i
jmp .L12
.L17:
nop
movq $1, -112(%rbp)                     # tab.length = 1
leaq -82(%rbp), %rax
movq %rax, -104(%rbp)                   # tab.ptr = &tab[0]; tab is `= void`, so the byte is never written
movq $0, -48(%rbp)                      # j = 0
.L15:                                   # foreach (cc; tab): same lowering as the loop in search
movq -112(%rbp), %rax
cmpq %rax, -48(%rbp)
jnb .L18                                # exit when j >= 1
movq -104(%rbp), %rdx                   # %rdx = tab.ptr, live into .L14
movq -112(%rbp), %rax
cmpq %rax, -48(%rbp)
jb .L14                                 # bounds check with the same operands as above; always taken
movl $7, %r12d                          # unreachable: _d_arraybounds("crash.d", 27)
leaq .LC0(%rip), %r13
movq %r12, %rcx
movq %r13, %rbx
movq %r12, %rax
movq %r13, %rdx
movq %rdx, %rax
movl $27, %edx                          # arg: source line
movq %rcx, %rdi                         # arg: file as (length = 7, ptr)
movq %rax, %rsi
call _d_arraybounds at PLT             # does not return
.L14:
movq -48(%rbp), %rax
addq %rdx, %rax                         # &tab[j]
movzbl (%rax), %eax                     # cc = tab[j]: reads the uninitialised byte; value is never used
movb %al, -81(%rbp)
addq $1, -48(%rbp)                      # ++j
jmp .L15
.L18:
nop
movq -72(%rbp), %rax                    # return box
addq $104, %rsp
popq %rbx
popq %r12
popq %r13
popq %rbp
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE3:
# (the archive wrapped this .size directive; it is a single line in the real .s)
.size _D5crash15DubiousFunctionFiZC5crash4Base,
.-_D5crash15DubiousFunctionFiZC5crash4Base
# typeid(Base[]): a TypeInfo_Array instance (vtbl, monitor, element TypeInfo),
# 24 bytes. Weak + COMDAT so that every object file mentioning Base[] can
# emit its own identical copy and the linker keeps one.
# (the archive wrapped the .section directive; it is a single line in the real .s)
.weak _D22TypeInfo_AC5crash4Base6__initZ
.section
.data.rel.ro._D22TypeInfo_AC5crash4Base6__initZ,"awG", at progbits,_D22TypeInfo_AC5crash4Base6__initZ,comdat
.align 16
.type _D22TypeInfo_AC5crash4Base6__initZ, @object
.size _D22TypeInfo_AC5crash4Base6__initZ, 24
_D22TypeInfo_AC5crash4Base6__initZ:
.quad _D14TypeInfo_Array6__vtblZ        # TypeInfo_Array vtbl
.quad 0                                 # monitor
.quad _D5crash4Base7__ClassZ            # element type: typeid(Base)
# Derived.init: the 32-byte image copied into every new Derived.
# Layout: +0 vtbl, +8 monitor, +16 children.length, +24 children.ptr
# (the offsets search() reads). Read-only after relocation (.data.rel.ro).
.globl _D5crash7Derived6__initZ
.section .data.rel.ro.local,"aw", at progbits
.align 32
.type _D5crash7Derived6__initZ, @object
.size _D5crash7Derived6__initZ, 32
_D5crash7Derived6__initZ:
.quad _D5crash7Derived6__vtblZ          # vtbl
.zero 8                                 # monitor = null
.quad 0                                 # children.length = 0
.quad 0                                 # children.ptr = null
# typeid(Derived): a 152-byte TypeInfo_Class plus its name string.
# The per-field labels below follow druntime's TypeInfo_Class layout (vtbl,
# monitor, m_init, name, vtbl slice, interfaces, base, destructor,
# classInvariant, m_flags, deallocator, m_offTi, defaultConstructor, m_RTInfo);
# verify against the druntime shipped with gdc-7 before relying on them.
# Unlike the vtbl, this object sits in writable .data.rel, not a relro section.
.globl _D5crash7Derived7__ClassZ
.section .rodata
.LC1:
.string "crash.Derived"                 # 13 bytes; matches name.length below
.section .data.rel,"aw", at progbits
.align 32
.type _D5crash7Derived7__ClassZ, @object
.size _D5crash7Derived7__ClassZ, 152
_D5crash7Derived7__ClassZ:
.quad _D14TypeInfo_Class6__vtblZ        # TypeInfo_Class vtbl
.quad 0                                 # monitor
.quad 32                                # m_init.length (object size)
.quad _D5crash7Derived6__initZ          # m_init.ptr
.quad 13                                # name.length
.quad .LC1                              # name.ptr -> "crash.Derived"
.quad 5                                 # vtbl.length: 5 slots, all inherited from Object
.quad _D5crash7Derived6__vtblZ          # vtbl.ptr
.quad 0                                 # interfaces.length
.quad 0                                 # interfaces.ptr
.quad _D5crash4Base7__ClassZ            # base = typeid(Base)
.quad 0                                 # destructor
.quad 0                                 # classInvariant
.long 118                               # m_flags = 0x76. Base's value is 52 (0x34); the extra bits
# here are 0x40 and 0x02 (isAbstract and noPointers in druntime's ClassFlags).
# Derived inherits the pointer-bearing `children` slice, so 0x02 deserves a
# close look -- see the discussion of the flag values in the report above.
.zero 4                                 # padding to 8-byte alignment
.quad 0                                 # deallocator
.quad 0                                 # m_offTi.length
.quad 0                                 # m_offTi.ptr
.quad 0                                 # defaultConstructor
.quad 0                                 # m_RTInfo
# Derived's vtable: slot 0 is the ClassInfo, slots 1-4 are Object's methods
# (nothing overridden). In .data.rel.ro, so with -z relro the function
# pointers are read-only once relocations are applied.
.globl _D5crash7Derived6__vtblZ
.section .data.rel.ro,"aw", at progbits
.align 8
.type _D5crash7Derived6__vtblZ, @object
.size _D5crash7Derived6__vtblZ, 40
_D5crash7Derived6__vtblZ:
.quad _D5crash7Derived7__ClassZ         # [0] typeid(Derived)
.quad _D6object6Object8toStringMFZAya   # [1] Object.toString
.quad _D6object6Object6toHashMFNbNeZm   # [2] Object.toHash
.quad _D6object6Object5opCmpMFC6ObjectZi   # [3] Object.opCmp
.quad _D6object6Object8opEqualsMFC6ObjectZb   # [4] Object.opEquals
# Base.init: the 32-byte image copied into every new Base.
# Same layout as Derived.init (+0 vtbl, +8 monitor, +16/+24 children),
# differing only in the vtbl pointer.
.globl _D5crash4Base6__initZ
.section .data.rel.ro.local
.align 32
.type _D5crash4Base6__initZ, @object
.size _D5crash4Base6__initZ, 32
_D5crash4Base6__initZ:
.quad _D5crash4Base6__vtblZ             # vtbl
.zero 8                                 # monitor = null
.quad 0                                 # children.length = 0
.quad 0                                 # children.ptr = null
# typeid(Base): 152-byte TypeInfo_Class, same field order as Derived's above
# (labels per druntime's TypeInfo_Class; verify against the gdc-7 druntime).
.globl _D5crash4Base7__ClassZ
.section .rodata
.LC2:
.string "crash.Base"                    # 10 bytes; matches name.length below
.section .data.rel
.align 32
.type _D5crash4Base7__ClassZ, @object
.size _D5crash4Base7__ClassZ, 152
_D5crash4Base7__ClassZ:
.quad _D14TypeInfo_Class6__vtblZ        # TypeInfo_Class vtbl
.quad 0                                 # monitor
.quad 32                                # m_init.length (object size)
.quad _D5crash4Base6__initZ             # m_init.ptr
.quad 10                                # name.length
.quad .LC2                              # name.ptr -> "crash.Base"
.quad 5                                 # vtbl.length
.quad _D5crash4Base6__vtblZ             # vtbl.ptr
.quad 0                                 # interfaces.length
.quad 0                                 # interfaces.ptr
.quad _D6Object7__ClassZ                # base = typeid(Object)
.quad 0                                 # destructor
.quad 0                                 # classInvariant
.long 52                                # m_flags = 0x34 (hasOffTi|hasGetMembers|hasTypeInfo per druntime's
# ClassFlags). The non-crashing crash-7b.s has 116 = 0x74 here, i.e. this value
# plus the 0x40 (isAbstract) bit; neither value carries 0x02 (noPointers).
.zero 4                                 # padding
.quad 0                                 # deallocator
.quad 0                                 # m_offTi.length
.quad 0                                 # m_offTi.ptr
.quad 0                                 # defaultConstructor
.quad 0                                 # m_RTInfo
# Base's vtable: ClassInfo pointer followed by Object's four methods; identical
# to Derived's apart from slot 0. Relro section, read-only after relocation.
.globl _D5crash4Base6__vtblZ
.section .data.rel.ro
.align 8
.type _D5crash4Base6__vtblZ, @object
.size _D5crash4Base6__vtblZ, 40
_D5crash4Base6__vtblZ:
.quad _D5crash4Base7__ClassZ            # [0] typeid(Base)
.quad _D6object6Object8toStringMFZAya   # [1] Object.toString
.quad _D6object6Object6toHashMFNbNeZm   # [2] Object.toHash
.quad _D6object6Object5opCmpMFC6ObjectZi   # [3] Object.opCmp
.quad _D6object6Object8opEqualsMFC6ObjectZb   # [4] Object.opEquals
# ModuleInfo for module `crash` (38 bytes). The layout is variable and driven
# by the flags word: 6148 = 0x1804, which reads as MIname (0x1000) |
# MIlocalClasses (0x800) | MIstandalone (0x4) in druntime's ModuleInfo flags
# (verify against the gdc-7 druntime). After the fixed header come the
# localClasses array (count + ClassInfo pointers) and the NUL-terminated name.
# Writable section, presumably because the runtime updates the header fields.
.globl _D5crash12__ModuleInfoZ
.section .data.rel.local,"aw", at progbits
.align 32
.type _D5crash12__ModuleInfoZ, @object
.size _D5crash12__ModuleInfoZ, 38
_D5crash12__ModuleInfoZ:
.long 6148                              # _flags
.long 0                                 # _index
.quad 2                                 # localClasses.length
.quad _D5crash7Derived7__ClassZ         # localClasses[0]
.quad _D5crash4Base7__ClassZ            # localClasses[1]
.string "crash"                         # module name
# One pointer into the `minfo` section per compiled module. The linker
# synthesises __start_minfo/__stop_minfo around that section and gdc_dso_ctor
# below passes the range to the runtime so it can enumerate every ModuleInfo
# in this DSO.
.globl __mod_ref__D5crash12__ModuleInfoZ
.section minfo,"aw", at progbits
.align 8
.type __mod_ref__D5crash12__ModuleInfoZ, @object
.size __mod_ref__D5crash12__ModuleInfoZ, 8
__mod_ref__D5crash12__ModuleInfoZ:
.quad _D5crash12__ModuleInfoZ
# Per-DSO 8-byte slot whose address is handed to _d_dso_registry; this file
# never writes it, so presumably the runtime owns its contents. Hidden, weak,
# COMDAT and gnu_unique so every object file of the DSO shares a single copy.
.hidden gdc_dso_slot
.weak gdc_dso_slot
.section .bss.gdc_dso_slot,"awG", at nobits,gdc_dso_slot,comdat
.align 8
.type gdc_dso_slot, @gnu_unique_object
.size gdc_dso_slot, 8
gdc_dso_slot:
.zero 8
# One-byte guard shared by gdc_dso_ctor/gdc_dso_dtor: 1 once the DSO has been
# registered with the runtime, 0 otherwise. Same sharing attributes as the slot.
# (the archive wrapped the .section directive; it is a single line in the real .s)
.hidden gdc_dso_initialized
.weak gdc_dso_initialized
.section
.bss.gdc_dso_initialized,"awG", at nobits,gdc_dso_initialized,comdat
.type gdc_dso_initialized, @gnu_unique_object
.size gdc_dso_initialized, 1
gdc_dso_initialized:
.zero 1
# gdc_dso_ctor: runs from .init_array at load time. Registers this DSO with
# druntime by zero-filling a 48-byte record on the stack and calling
# _d_dso_registry(&record), where the record is
#   [0] version = 1, [1] &gdc_dso_slot, [2] __start_minfo, [3] __stop_minfo,
#   [4], [5] left zero.
# Guarded by gdc_dso_initialized so the registration happens once; the guard
# is a plain load/store with no atomics, which relies on .init_array entries
# not running concurrently.
.section .text.gdc_dso_ctor,"axG", at progbits,gdc_dso_ctor,comdat
.weak gdc_dso_ctor
.hidden gdc_dso_ctor
.type gdc_dso_ctor, @function
gdc_dso_ctor:
.LFB4:
.cfi_startproc
pushq %rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp
.cfi_def_cfa_register 6
subq $48, %rsp                          # the record; %rsp stays 16-byte aligned at the call
movzbl gdc_dso_initialized(%rip), %eax
xorl $1, %eax
testb %al, %al
je .L21                                 # already registered: nothing to do
movq $0, -48(%rbp)                      # zero the whole record first
movq $0, -40(%rbp)
movq $0, -32(%rbp)
movq $0, -24(%rbp)
movq $0, -16(%rbp)
movq $0, -8(%rbp)
movq $1, -48(%rbp)                      # version
leaq gdc_dso_slot(%rip), %rax
movq %rax, -40(%rbp)                    # &gdc_dso_slot
leaq __start_minfo(%rip), %rax
movq %rax, -32(%rbp)                    # start of the minfo section
leaq __stop_minfo(%rip), %rax
movq %rax, -24(%rbp)                    # end of the minfo section
movb $1, gdc_dso_initialized(%rip)      # mark registered before calling out
leaq -48(%rbp), %rax
movq %rax, %rdi                         # arg: &record
call _d_dso_registry at PLT
.L21:
nop
leave
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE4:
.size gdc_dso_ctor, .-gdc_dso_ctor
.section .init_array,"aw"
.align 8
.quad gdc_dso_ctor                      # run by the loader before main
# gdc_dso_dtor: mirror of gdc_dso_ctor, run from .fini_array. Skips if the DSO
# was never registered, otherwise rebuilds the same 48-byte record, clears the
# guard and calls _d_dso_registry again; the runtime presumably tells
# registration and deregistration apart by what it finds in gdc_dso_slot.
.section .text.gdc_dso_dtor,"axG", at progbits,gdc_dso_dtor,comdat
.weak gdc_dso_dtor
.hidden gdc_dso_dtor
.type gdc_dso_dtor, @function
gdc_dso_dtor:
.LFB5:
.cfi_startproc
pushq %rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp
.cfi_def_cfa_register 6
subq $48, %rsp                          # the record
movzbl gdc_dso_initialized(%rip), %eax
testb %al, %al
je .L24                                 # never registered: nothing to do
movq $0, -48(%rbp)                      # zero the whole record first
movq $0, -40(%rbp)
movq $0, -32(%rbp)
movq $0, -24(%rbp)
movq $0, -16(%rbp)
movq $0, -8(%rbp)
movq $1, -48(%rbp)                      # version
leaq gdc_dso_slot(%rip), %rax
movq %rax, -40(%rbp)                    # &gdc_dso_slot
leaq __start_minfo(%rip), %rax
movq %rax, -32(%rbp)                    # start of the minfo section
leaq __stop_minfo(%rip), %rax
movq %rax, -24(%rbp)                    # end of the minfo section
movb $0, gdc_dso_initialized(%rip)      # clear the guard before calling out
leaq -48(%rbp), %rax
movq %rax, %rdi                         # arg: &record
call _d_dso_registry at PLT
.L24:
nop
leave
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE5:
.size gdc_dso_dtor, .-gdc_dso_dtor
.section .fini_array,"aw"
.align 8
.quad gdc_dso_dtor                      # run by the loader at unload/exit
# __start_minfo/__stop_minfo are the linker-synthesised bounds of the `minfo`
# section; hidden so each DSO only ever sees its own (declared twice, harmless).
.hidden __stop_minfo
.hidden __start_minfo
.hidden __stop_minfo
.hidden __start_minfo
.ident "GCC: (Debian 7.2.0-7) 7.2.0"
.section .note.GNU-stack,"", at progbits  # empty note: this object does not require an executable stack