Hi,

Intel P6 family of processors (Pentium Pro, 2, 3) have a bug in the call *%esp instruction. The instruction should put the current EIP on the stack, decrement ESP by 4 and jump to the value of ESP before the decrement. P6 processors will jump to the address after the decrement (so they will execute the return address as code). See Pentium Pro errata 70, Pentium 2 errata A33, Pentium 3 errata E17.

Gcc generates call *%esp for this example, when compiled with -O2 -fomit-frame-pointer -mpreferred-stack-boundary=2:

    int main()
    {
        volatile unsigned code = 0x000000c3;   /* one byte of code on the stack: "ret" */
        ((void (*)(void))&code)();             /* call into the stack; gcc emits call *%esp */
        return 0;
    }

The code crashes when executed on a P6 processor and executes correctly on other processors. GCC shouldn't allow the direct %esp register for the call instruction (addressing using %esp is fine).

---

Note: this bug comes from a piece of code used to call an arbitrary interrupt. I coded it as this. The "call *%esp" bug looks weird but is not an artificial example; it comes from real code that was written and used.

    static void INTR(unsigned int_no)
    {
        /* little-endian bytes cd <int_no> c3: "int int_no; ret" */
        volatile unsigned code = 0xc300cd | (int_no << 8);
        ((void (*)(void))&code)();
    }

--

Summary: call *%esp shouldn't be generated because of CPU errata
Product: gcc
Version: 4.4.2
Status: UNCONFIRMED
Severity: minor
Priority: P3
Component: target
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: mikulas at artax dot karlin dot mff dot cuni dot cz
GCC build triplet: i486-linux-gnu
GCC host triplet: i486-linux-gnu
GCC target triplet: i486-linux-gnu
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41900
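As an added example (not part of the bug report or of GCC's code), a small decoder for the 32-bit x86 `CALL r/m32` encoding (opcode FF /2) that separates the register-direct `call *%esp` form (FF D4) the erratum affects from ESP-based memory operands such as `call *(%esp)`, which the report says are fine. The instruction bytes used are constructed here; the function names are mine.

```python
# Added example: classify x86-32 indirect CALL encodings (opcode FF /2) by their
# ModRM/SIB bytes so a build check can flag "call *%esp" (FF D4), the form that
# triggers the P6 erratum, while accepting ESP-based memory operands.

def classify_indirect_call(insn: bytes) -> str:
    """Classify an instruction starting with FF /2 (CALL r/m32).

    Returns one of 'register-esp', 'register-other', 'memory-esp-based',
    'memory-other'. Raises ValueError for anything that is not CALL r/m32.
    """
    if len(insn) < 2 or insn[0] != 0xFF:
        raise ValueError("not an FF-group instruction")
    modrm = insn[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 2:                       # FF /2 is CALL; /4 would be JMP, etc.
        raise ValueError("FF /%d is not CALL r/m32" % reg)
    if mod == 3:                       # register-direct operand
        return "register-esp" if rm == 4 else "register-other"
    if rm == 4:                        # memory operand with a SIB byte
        if len(insn) < 3:
            raise ValueError("truncated SIB byte")
        base = insn[2] & 7             # base register field; 4 means ESP
        return "memory-esp-based" if base == 4 else "memory-other"
    return "memory-other"              # [reg] or disp32 forms, no ESP involved


def affected_by_p6_erratum(insn: bytes) -> bool:
    """True only for the register-direct call *%esp (FF D4)."""
    return classify_indirect_call(insn) == "register-esp"


if __name__ == "__main__":
    # constructed sample encodings
    samples = {
        "call *%esp":      bytes([0xFF, 0xD4]),
        "call *%eax":      bytes([0xFF, 0xD0]),
        "call *(%esp)":    bytes([0xFF, 0x14, 0x24]),
        "call *4(%esp)":   bytes([0xFF, 0x54, 0x24, 0x04]),
        "call *0x0":       bytes([0xFF, 0x15, 0, 0, 0, 0]),
    }
    for text, insn in samples.items():
        print("%-14s %-18s affected=%s" % (text, classify_indirect_call(insn),
                                          affected_by_p6_erratum(insn)))
```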