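At -O2, gcc generates code that still reads elements of a local array from the stack frame after that frame has been torn down, i.e. after the stack pointer has already been restored (see markers (2) and (3) in the assembler output below). Unless the ABI guarantees a protected area below the stack pointer, anything that uses the stack between those two points (an interrupt or exception handler, for example) can overwrite the table, and the function then returns a wrong CRC.
Source-File:
---------------------------------------------------
typedef unsigned char uint8;
typedef unsigned short uint16;
typedef unsigned long uint32;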
/* Final step: keep only the low 11 bits of the running CRC value. */
#define completeHeaderCRC(nHeaderCRC) \
    ((nHeaderCRC) & ((1 << 11) - 1))

/*
 * One CRC step over a 4-bit input: shift the running value left by four,
 * mask it to 11 bits and XOR in a table entry. The table index is built
 * from bits 7 and up of the running value XORed with the input nibble.
 * Expands to a reference to `headercrctable`, so that name must be in
 * scope wherever the macro is used.
 */
#define partialCRC_nibble(nHeaderCRC,nInput) \
    ((((nHeaderCRC) << 4) & 0x7ffU) ^ \
    headercrctable[(((nHeaderCRC) >> 7) & 0xffU) ^ (uint16)(nInput)] \
    )

/*
 * Compute an 11-bit CRC over a header word built from the two arguments.
 *
 * nFrameID             only the low 11 bits are used (masked with 0x7ff)
 * nPayloadLengthWords  only the low 7 bits are used (masked with 0x7f)
 *
 * Returns the CRC, masked to 11 bits.
 *
 * This is the reproducer for the report: the code must stay exactly as
 * written for the assembler listing that follows to correspond to it.
 */
uint16 CalcHeaderCRC( uint16 nFrameID, uint16 nPayloadLengthWords )
{
    /*
     * Automatic (non-static) array. In the assembler output shown below its
     * initialiser is copied from .LC0 into the stack frame, and every lookup
     * is a load from that stack copy through %r10; the loads marked (3) are
     * these lookups, issued after the frame was released at (2).
     * NOTE(review): declaring the table `static const` would presumably keep
     * the lookups out of the stack frame and so avoid the reported symptom;
     * not verified with this compiler.
     */
    const uint16 headercrctable[16] = {
        0x0000U, 0x0385U, 0x070AU, 0x048FU,
        0x0591U, 0x0614U, 0x029BU, 0x011EU,
        0x00A7U, 0x0322U, 0x07ADU, 0x0428U,
        0x0536U, 0x06B3U, 0x023CU, 0x01B9U
    };
    uint16 nHeaderCRC = 0x1a;   /* CRC start value */
    uint32 nHeader = 0;
    uint8 nInput;

    /* Pack the header word: frame ID in bits 7..17, payload length in bits 0..6. */
    nHeader |= ((nFrameID & 0x7ffU) << 7 ) | (nPayloadLengthWords & 0x7fU);

    /* Feed the header through the CRC four bits at a time, most significant
     * nibble first (bits 19..16 down to bits 3..0). */
    nInput = ((nHeader & 0xf0000U) >> 16);
    nHeaderCRC = partialCRC_nibble(nHeaderCRC, nInput);
    nInput = ((nHeader & 0x0f000U) >> 12);
    nHeaderCRC = partialCRC_nibble(nHeaderCRC, nInput);
    nInput = ((nHeader & 0x00f00U) >> 8);
    nHeaderCRC = partialCRC_nibble(nHeaderCRC, nInput);
    nInput = ((nHeader & 0x000f0U) >> 4);
    nHeaderCRC = partialCRC_nibble(nHeaderCRC, nInput);
    nInput = (nHeader & 0x0000fU);
    nHeaderCRC = partialCRC_nibble(nHeaderCRC, nInput);

    /* Truncate to the 11-bit result. */
    nHeaderCRC = completeHeaderCRC(nHeaderCRC);
    return nHeaderCRC;
}
-----------------------------------
Generated assembler output:
-----------------------------------
.file "StackFrameBug.c"
.section .rodata
.align 1
.LC0:
.short 0
.short 901
.short 1802
.short 1167
.short 1425
.short 1556
.short 667
.short 286
.short 167
.short 802
.short 1965
.short 1064
.short 1334
.short 1715
.short 572
.short 441
.section ".text"
.align 2
.globl CalcHeaderCRC
.type CalcHeaderCRC, @function
CalcHeaderCRC:
stwu %r1,-56(%r1) # (1) <- construct stack frame
lis %r11,[EMAIL PROTECTED]
la %r9,[EMAIL PROTECTED](%r11)
rlwinm %r4,%r4,0,25,31
stw %r28,40(%r1)
rlwinm %r3,%r3,7,14,24
stw %r29,44(%r1)
or %r3,%r3,%r4
lwz %r29,[EMAIL PROTECTED](%r11)
addi %r10,%r1,8
lwz %r28,28(%r9)
rlwinm %r4,%r3,17,29,30
lwz %r0,20(%r9)
rlwinm %r12,%r3,20,28,31
lwz %r11,24(%r9)
lwz %r5,4(%r9)
lwz %r6,8(%r9)
lwz %r7,12(%r9)
lwz %r8,16(%r9)
stw %r29,8(%r1)
stw %r0,28(%r1)
stw 
%r11,32(%r1) stw %r28,36(%r1) stw %r5,12(%r1) stw %r6,16(%r1) stw %r7,20(%r1) stw %r8,24(%r1) lwz %r28,40(%r1) lhzx %r9,%r4,%r10 lwz %r29,44(%r1) addi %r1,%r1,56 # (2) <- destruct stack frame xori %r9,%r9,416 rlwinm %r0,%r9,25,24,31 rlwinm %r11,%r9,4,21,27 xor %r0,%r0,%r12 rlwinm %r12,%r3,24,28,31 slwi %r0,%r0,1 lhzx %r9,%r10,%r0 # (3) <- access data on stack frame xor %r9,%r9,%r11 rlwinm %r0,%r9,25,24,31 rlwinm %r11,%r9,4,21,27 xor %r0,%r0,%r12 rlwinm %r12,%r3,28,28,31 slwi %r0,%r0,1 lhzx %r9,%r10,%r0 # (3) <- access data on stack frame xor %r9,%r9,%r11 rlwinm %r0,%r9,25,24,31 rlwinm %r11,%r9,4,21,27 xor %r0,%r0,%r12 rlwinm %r12,%r3,0,28,31 slwi %r0,%r0,1 lhzx %r9,%r10,%r0 # (3) <- access data on stack frame xor %r9,%r9,%r11 rlwinm %r0,%r9,25,24,31 rlwinm %r11,%r9,4,21,27 xor %r0,%r0,%r12 slwi %r0,%r0,1 lhzx %r9,%r10,%r0 # (3) <- access data on stack frame xor %r9,%r9,%r11 rlwinm %r9,%r9,0,21,31 mr %r3,%r9 blr .size CalcHeaderCRC, .-CalcHeaderCRC .ident "GCC: (GNU) 3.3.1" ------------------------------------- command-line: powerpc-eabi-gcc -c -save-temps -O2 -mregnames StackFrameBug.c ------------------------------------- The bug does not occur with -O3 -- Summary: Stack frame destructed too early with -O2 Product: gcc Version: 3.3.1 Status: UNCONFIRMED Severity: major Priority: P3 Component: c AssignedTo: unassigned at gcc dot gnu dot org ReportedBy: reisinger at decomsys dot com GCC host triplet: cygwin, linux-i386 GCC target triplet: powerpc-eabi http://gcc.gnu.org/bugzilla/show_bug.cgi?id=31898