http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58854

Mikael Pettersson <mikpelinux at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mikpelinux at gmail dot com

--- Comment #2 from Mikael Pettersson <mikpelinux at gmail dot com> ---
Started with r188742.  The code generation difference at that revision is:

@@ -115,16 +115,17 @@
        bne     .L6
 .L9:
        ldr     r3, [fp, #-56]
+       sub     sp, fp, #40
        ldr     r2, [fp, #-60]
+       mov     r0, sl
        str     r6, [r3, #0]
        ldr     r3, [fp, #-52]
        str     r2, [r3, #0]
-       b       .L8
+       ldmfd   sp, {r4, r5, r6, r7, r8, r9, sl, fp, sp, pc}
 .L2:
+       sub     sp, fp, #40
        mov     sl, #0
-.L8:
        mov     r0, sl
-       sub     sp, fp, #40
        ldmfd   sp, {r4, r5, r6, r7, r8, r9, sl, fp, sp, pc}
 .L28:
        b       .L23
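Review bot: the `sub sp, fp, #40` added at the top of the `.L9` block now executes before `ldr r2, [fp, #-60]` and `ldr r3, [fp, #-52]`, so both loads read slots that sit 20 and 12 bytes below the new sp; anything pushed at sp between the `sub` and those loads (signal delivery in user space, exception entry in the kernel) overwrites them, and the following `str r2, [r3, #0]` then goes through a clobbered pointer. The removed `.L8` sequence had the `sub sp, fp, #40` after the last fp-relative access, which is the safe ordering; the hoist is only harmless in the `.L2` path, where nothing but `mov sl, #0` and `mov r0, sl` follows it.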

Hoisting "sub sp, fp, #40" causes several loads, via FP minus an offset, to
access locations below SP, and thus be vulnerable to clobbers from asynchronous
calls (signal handlers in user-space, exception handlers in the kernel as is the
case here).

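The hazard described in the comment, modelled as an added example (this is not code from the bug report or from GCC): a toy ARM-like machine with a downward-growing stack, fp-relative loads, and an asynchronous event that pushes a frame at whatever sp currently is, exactly as signal delivery or kernel exception entry would. The epilogue below mirrors the `.L9` block from the diff, with the `sub sp, fp, #40` either in its original place (after the last fp-relative load) or hoisted as in r188742. The frame layout, the slot addresses, the register values and the 0xDEADBEEF fill are constructed for illustration.

```c
/*
 * Toy model of the epilogue ordering hazard: loads via [fp, #-off] that
 * execute after sp has already been raised to fp-40 read memory below sp,
 * which an asynchronous frame push is free to overwrite. All addresses and
 * values here are constructed; nothing is taken from the real compiled code.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES 256                 /* simulated stack, byte addresses 0..255 */
#define FRAME_FP    200u                /* fp of the simulated frame (constructed) */
#define FRAME_SP    (FRAME_FP - 96u)    /* sp before the epilogue: below every local */
#define SLOT_A      (FRAME_FP + 8u)     /* output slots in the caller's area */
#define SLOT_B      (FRAME_FP + 12u)
#define R6_VALUE    0x1111u
#define V_VALUE     0x2222u
#define JUNK        0xDEADBEEFu         /* what an async frame leaves behind */

typedef struct {
    uint32_t mem[STACK_BYTES / 4];      /* word-addressed stack memory */
    uint32_t fp, sp;
} cpu_t;

typedef struct {
    uint32_t a, b;  /* contents of SLOT_A / SLOT_B after the epilogue */
    int fault;      /* a store went through a clobbered (wild) pointer */
} result_t;

static int in_stack(uint32_t addr) {
    return (addr & 3u) == 0 && addr <= STACK_BYTES - 4;
}

/* Loads are only ever issued at in-range, aligned addresses below. */
static uint32_t ld(const cpu_t *c, uint32_t addr) { return c->mem[addr / 4]; }

/* Returns 0 instead of writing when the address is outside the stack. */
static int st(cpu_t *c, uint32_t addr, uint32_t v) {
    if (!in_stack(addr)) return 0;
    c->mem[addr / 4] = v;
    return 1;
}

/* Asynchronous event (signal delivery / exception entry): pushes nwords of
 * state at the current sp, overwriting whatever sits there, then returns
 * with sp restored. There is no red zone below sp in this model. */
static void async_event(cpu_t *c, int nwords) {
    for (int i = 0; i < nwords; i++) {
        c->sp -= 4;
        st(c, c->sp, JUNK);
    }
    c->sp += 4u * (uint32_t)nwords;
}

/* Runs the .L9-style block. hoisted=1 places "sub sp, fp, #40" before the
 * remaining fp-relative loads (r188742 ordering); hoisted=0 keeps it after
 * them (original ordering). nwords is the size of the async frame pushed
 * right after the (possibly hoisted) sub. */
result_t run_epilogue(int hoisted, int nwords) {
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.fp = FRAME_FP;
    c.sp = FRAME_SP;
    /* Locals the block consumes: two pointers and one value. */
    st(&c, c.fp - 56, SLOT_A);
    st(&c, c.fp - 60, V_VALUE);
    st(&c, c.fp - 52, SLOT_B);

    uint32_t r2, r3, r6 = R6_VALUE;
    result_t res = {0, 0, 0};

    r3 = ld(&c, c.fp - 56);                 /* ldr r3, [fp, #-56] */
    if (hoisted) c.sp = c.fp - 40;          /* sub sp, fp, #40 (hoisted) */
    async_event(&c, nwords);                /* interrupt lands here */
    r2 = ld(&c, c.fp - 60);                 /* ldr r2, [fp, #-60] */
    if (!st(&c, r3, r6)) res.fault = 1;     /* str r6, [r3, #0] */
    r3 = ld(&c, c.fp - 52);                 /* ldr r3, [fp, #-52] */
    if (!st(&c, r3, r2)) res.fault = 1;     /* str r2, [r3, #0] */
    if (!hoisted) c.sp = c.fp - 40;         /* sub sp, fp, #40 (original place) */
    /* ldmfd sp, {...} would now pop the saved registers from fp-40 upward. */

    res.a = ld(&c, SLOT_A);
    res.b = ld(&c, SLOT_B);
    return res;
}

int main(void) {
    static const int cases[][2] = {{0, 8}, {1, 0}, {1, 2}, {1, 3}, {1, 8}};
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        result_t r = run_epilogue(cases[i][0], cases[i][1]);
        printf("hoisted=%d async_words=%d -> A=0x%x B=0x%x fault=%d\n",
               cases[i][0], cases[i][1], r.a, r.b, r.fault);
    }
    return 0;
}
```

With the original ordering the pushed frame lands below FRAME_SP and never touches the locals, whatever its size. With the hoisted `sub`, a push of two words stays above fp-52 and the block still works, which is why the bug is intermittent; from three words on, fp-52 is overwritten, the second store goes through a wild pointer, and from five words on the loaded value at fp-60 is junk as well.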