https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101188

Senthil Kumar Selvaraj <saaadhu at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
                 CC|                            |saaadhu at gcc dot gnu.org
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2021-06-25

--- Comment #1 from Senthil Kumar Selvaraj <saaadhu at gcc dot gnu.org> ---
Confirmed with 12.0.0 20210625

Here's a reduced testcase that hangs indefinitely with avrtest - the log shows
a call to address 0.

$ cat fail.c
#include <stdint.h>
#include <stdlib.h>

/* Callback type: takes a void pointer and returns one byte. */
typedef uint8_t (*fn1)(void *a);
/* Callback type: takes a void pointer and a pointer to a read-only 32-bit
   value, returns nothing. */
typedef void (*fn2)(void *a, const uint32_t *arg);

/* Object handed to testfn(): a 64-byte buffer, a counter, and two function
   pointers with the pointer that is passed to both of them. */
struct S {
    uint8_t buffer[64];   /* testfn() stores the result of f1 in buffer[0] */
    uint16_t n;           /* passed to foo(), then incremented by testfn() */
    fn2 f2;               /* first indirect call made by testfn() */
    void *a;              /* first argument of both callbacks */
    fn1 f1;               /* second indirect call made by testfn() */
};

/* Sink written by foo(); volatile, so the compiler has to keep the store. */
volatile uint16_t x;
/* Stores n in x.  noinline keeps this a real call inside testfn(). */
void __attribute__((noinline))
foo(uint16_t n)
{
  x = n;
}

/*
 * Function under test; noinline keeps it separate from main().
 *
 * Sequence: pass self->n to foo(), increment self->n, call self->f2 with
 * self->a and the address of the local arg, then store the result of
 * self->f1(self->a) in self->buffer[0].
 *
 * Both callbacks are reached through function pointers loaded from *self, so
 * if the generated code loads a pointer from the wrong address, control goes
 * to whatever value was read.
 */
void __attribute__((noinline)) testfn(struct S *self)
{
    /* Never initialised here; only its address is passed to f2. */
    uint32_t arg;

    foo(self->n);
    self->n++;
    self->f2(self->a, &arg);
    self->buffer[0] = self->f1(self->a);
}

/* Set to 1 by myfn2(); main() checks it to see whether the call through
   s.f2 actually reached myfn2(). */
static unsigned char myfn2_called = 0;
/* Callback installed as s.f2 in main(): records that it ran and ignores both
   arguments. */
static void
myfn2(void *a, const uint32_t * arg)
{
  myfn2_called = 1;  
}

/*
 * Callback installed as s.f1 in main().
 *
 * NOTE(review): the body is empty, so no value is returned, yet testfn()
 * stores the result of this call in buffer[0].  Using that value is undefined
 * behaviour in C.  An explicit return would keep the reproducer free of UB
 * unrelated to the indirect-call fault -- confirm it still fails with one.
 */
static uint8_t
myfn1(void *a)
{ }

/*
 * Driver: sets the counter and both callbacks, runs testfn(), and calls
 * abort() unless myfn2() recorded that it was called.
 *
 * NOTE(review): s.a and s.buffer are never assigned.  testfn() passes the
 * indeterminate s.a to both callbacks; neither of them dereferences it.
 */
int main() {
  struct S s;
  s.n = 0; s.f2 = myfn2; s.f1 = myfn1;
  testfn(&s);
  /* The call through s.f2 must have reached myfn2(). */
  if (myfn2_called != 1)
    abort();
  return 0;
}

$ avr-gcc -mmcu=atmega128 fail.c -O2 ~/code/avrtest/exit-atmega128.o --version
avr-gcc (GCC) 12.0.0 20210625 (experimental)
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ ~/code/avrtest/avrtest -mmcu=avr51 a.out 
^C

The code below is at fault - there's an ldi to r31, followed by a load to Z
using R31:R30, and then an icall. r31 is the high byte of Z, so the clobbering
of r31 at 0x138 causes junk values (0) to be read into Z, and icall calls
address 0.

 138:   f4 e4           ldi     r31, 0x44       ; 68
 13a:   ef 0e           add     r14, r31
 13c:   f1 1c           adc     r15, r1
 13e:   32 96           adiw    r30, 0x02       ; 2
 140:   01 90           ld      r0, Z+
 142:   f0 81           ld      r31, Z
 144:   e0 2d           mov     r30, r0
 146:   be 01           movw    r22, r28
 148:   6f 5f           subi    r22, 0xFF       ; 255
 14a:   7f 4f           sbci    r23, 0xFF       ; 255
 14c:   d7 01           movw    r26, r14
 14e:   8d 91           ld      r24, X+
 150:   9c 91           ld      r25, X
 152:   09 95           icall
