On Tue, Oct 11, 2016 at 10:38:42PM +0200, Arnd Bergmann wrote:
> On Tuesday, October 11, 2016 10:51:46 AM CEST Josh Poimboeuf wrote:
> > Notice how it just falls off the end of the function.  We had a similar
> > bug before:
> > 
> >   https://lkml.kernel.org/r/20160413033649.7r3msnmo3trtq47z@treble
> 
> I remember that nightmare :(
> 
> >   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70646
> > 
> > I'm not sure yet if this is the same gcc bug or a different one.  Maybe
> > it's related to the new GCC_PLUGIN_SANCOV?
> 
> I've reduced one of the test cases to this now:
> 
> /* gcc-6  -O2 -fno-strict-aliasing -fno-reorder-blocks 
> -fno-omit-frame-pointer  -Wno-pointer-sign -fsanitize-coverage=trace-pc -Wall 
> -Werror -c snic_res.c -o snic_res.o */
> typedef int spinlock_t;
> extern unsigned int ioread32(void *);
> struct vnic_wq_ctrl {
>       unsigned int error_status;
> };
> struct vnic_wq {
>       struct vnic_wq_ctrl *ctrl;
> } mempool_t;
> struct snic {
>       unsigned int wq_count;
>       __attribute__ ((__aligned__)) struct vnic_wq wq[1];
>       spinlock_t wq_lock[1];
> };
> unsigned int snic_log_q_error_err_status;
> void snic_log_q_error(struct snic *snic)
> {
>       unsigned int i;
>       for (i = 0; i < snic->wq_count; i++)
>               snic_log_q_error_err_status =
>                   ioread32(&snic->wq[i].ctrl->error_status);
> }
> 
> which gets compiled into
> 
> 0000000000000000 <snic_log_q_error>:
>    0: 55                      push   %rbp
>    1: 48 89 e5                mov    %rsp,%rbp
>    4: 53                      push   %rbx
>    5: 48 89 fb                mov    %rdi,%rbx
>    8: 48 83 ec 08             sub    $0x8,%rsp
>    c: e8 00 00 00 00          callq  11 <snic_log_q_error+0x11>
>                       d: R_X86_64_PC32        __sanitizer_cov_trace_pc-0x4
>   11: 8b 03                   mov    (%rbx),%eax
>   13: 85 c0                   test   %eax,%eax
>   15: 75 11                   jne    28 <snic_log_q_error+0x28>
>   17: 48 83 c4 08             add    $0x8,%rsp
>   1b: 5b                      pop    %rbx
>   1c: 5d                      pop    %rbp
>   1d: e9 00 00 00 00          jmpq   22 <snic_log_q_error+0x22>
>                       1e: R_X86_64_PC32       __sanitizer_cov_trace_pc-0x4
>   22: 66 0f 1f 44 00 00       nopw   0x0(%rax,%rax,1)
>   28: e8 00 00 00 00          callq  2d <snic_log_q_error+0x2d>
>                       29: R_X86_64_PC32       __sanitizer_cov_trace_pc-0x4
>   2d: 48 8b 7b 10             mov    0x10(%rbx),%rdi
>   31: e8 00 00 00 00          callq  36 <snic_log_q_error+0x36>
>                       32: R_X86_64_PC32       ioread32-0x4
>   36: 89 05 00 00 00 00       mov    %eax,0x0(%rip)        # 3c <snic_log_q_error+0x3c>
>                       38: R_X86_64_PC32       snic_log_q_error_err_status-0x4
>   3c: 83 3b 01                cmpl   $0x1,(%rbx)
>   3f: 76 d6                   jbe    17 <snic_log_q_error+0x17>
>   41: e8 00 00 00 00          callq  46 <snic_log_q_error+0x46>
>                       42: R_X86_64_PC32       __sanitizer_cov_trace_pc-0x4

I opened a bug:

  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77966

-- 
Josh
