[Bug ld/27016] x86-64: GOTPCREL relaxation with abs symbol and REX byte creates incorrect code
https://sourceware.org/bugzilla/show_bug.cgi?id=27016

H.J. Lu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
   Target Milestone|---                         |2.36
         Resolution|---                         |FIXED

--- Comment #6 from H.J. Lu ---
Fixed for 2.36 and 2.35 branch.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://sourceware.org/bugzilla/show_bug.cgi?id=27016

--- Comment #5 from cvs-commit at gcc dot gnu.org ---
The binutils-2_35-branch branch has been updated by H.J. Lu :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e539c8303ff871dda6ea95c5ec3da9ea6f3609ae

commit e539c8303ff871dda6ea95c5ec3da9ea6f3609ae
Author: H.J. Lu
Date:   Fri Dec 4 18:54:47 2020 -0800

    x86-64: Convert load to mov only for GOTPCRELX relocations

    Since converting load to mov needs to rewrite the REX byte and we don't
    know if there is a REX byte with GOTPCREL relocation, do it only for
    GOTPCRELX relocations.

    bfd/

        PR ld/27016
        * elf64-x86-64.c (elf_x86_64_convert_load_reloc): Convert load to
        mov only for GOTPCRELX relocations.

    ld/

        PR ld/27016
        * testsuite/ld-x86-64/x86-64.exp: Run pr27016a and pr27016b.
        * testsuite/ld-x86-64/pr27016a.d: New file.
        * testsuite/ld-x86-64/pr27016a.s: Likewise.
        * testsuite/ld-x86-64/pr27016b.d: Likewise.
        * testsuite/ld-x86-64/pr27016b.s: Likewise.

    (cherry picked from commit 7e45e7a9ab38ee904ca62ed9934e933fdb1d6e9c)
https://sourceware.org/bugzilla/show_bug.cgi?id=27016

--- Comment #4 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by H.J. Lu :

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e45e7a9ab38ee904ca62ed9934e933fdb1d6e9c

commit 7e45e7a9ab38ee904ca62ed9934e933fdb1d6e9c
Author: H.J. Lu
Date:   Fri Dec 4 18:54:47 2020 -0800

    x86-64: Convert load to mov only for GOTPCRELX relocations

    Since converting load to mov needs to rewrite the REX byte and we don't
    know if there is a REX byte with GOTPCREL relocation, do it only for
    GOTPCRELX relocations.

    bfd/

        PR ld/27016
        * elf64-x86-64.c (elf_x86_64_convert_load_reloc): Convert load to
        mov only for GOTPCRELX relocations.

    ld/

        PR ld/27016
        * testsuite/ld-x86-64/x86-64.exp: Run pr27016a and pr27016b.
        * testsuite/ld-x86-64/pr27016a.d: New file.
        * testsuite/ld-x86-64/pr27016a.s: Likewise.
        * testsuite/ld-x86-64/pr27016b.d: Likewise.
        * testsuite/ld-x86-64/pr27016b.s: Likewise.
https://sourceware.org/bugzilla/show_bug.cgi?id=27016

H.J. Lu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW

--- Comment #3 from H.J. Lu ---
Never mind. I can reproduce it.
https://sourceware.org/bugzilla/show_bug.cgi?id=27016

H.J. Lu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING
                 CC|                            |hjl.tools at gmail dot com

--- Comment #2 from H.J. Lu ---
I can't reproduce it with binutils master branch:

[hjl@gnu-cfl-2 pr27016]$ cat pr27016a.s
        .text
        .comm   global_int,4,4
        .globl  main
        .type   main, @function
main:
        .cfi_startproc
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        movq    thesym@GOTPCREL(%rip), %r11
        movl    (%r11), %eax
        leal    1(%rax), %edx
        movq    thesym@GOTPCREL(%rip), %r11
        movl    %edx, (%r11)
        movl    $0, %eax
        popq    %rbp
        .cfi_def_cfa 7, 8
        ret
        .cfi_endproc
        .size   main, .-main
        .section        .note.GNU-stack,"",@progbits
[hjl@gnu-cfl-2 pr27016]$ cat pr27016b.s
        .globl thesym
thesym = 0x40402c
        .section        .note.GNU-stack,"",@progbits
[hjl@gnu-cfl-2 pr27016]$ make
as -mrelax-relocations=no -o pr27016a.o pr27016a.s
as -mrelax-relocations=no -o pr27016b.o pr27016b.s
/usr/gcc-9.3.1-x32/bin/gcc -B./ -o x pr27016a.o pr27016b.o -Wl,-R,.
objdump -dwr pr27016a.o

pr27016a.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <main>:
   0:   55                      push   %rbp
   1:   48 89 e5                mov    %rsp,%rbp
   4:   4c 8b 1d 00 00 00 00    mov    0x0(%rip),%r11        # b <main+0xb>     7: R_X86_64_GOTPCREL    thesym-0x4
   b:   41 8b 03                mov    (%r11),%eax
   e:   8d 50 01                lea    0x1(%rax),%edx
  11:   4c 8b 1d 00 00 00 00    mov    0x0(%rip),%r11        # 18 <main+0x18>   14: R_X86_64_GOTPCREL   thesym-0x4
  18:   41 89 13                mov    %edx,(%r11)
  1b:   b8 00 00 00 00          mov    $0x0,%eax
  20:   5d                      pop    %rbp
  21:   c3                      ret
objdump --disassemble=main x

x:     file format elf64-x86-64


Disassembly of section .init:

Disassembly of section .text:

00400596 <main>:
  400596:       55                      push   %rbp
  400597:       48 89 e5                mov    %rsp,%rbp
  40059a:       4c 8d 1d 8b 3a 00 00    lea    0x3a8b(%rip),%r11        # 40402c
  4005a1:       41 8b 03                mov    (%r11),%eax
  4005a4:       8d 50 01                lea    0x1(%rax),%edx
  4005a7:       4c 8d 1d 7e 3a 00 00    lea    0x3a7e(%rip),%r11        # 40402c
  4005ae:       41 89 13                mov    %edx,(%r11)
  4005b1:       b8 00 00 00 00          mov    $0x0,%eax
  4005b6:       5d                      pop    %rbp
  4005b7:       c3                      ret

Disassembly of section .fini:
[hjl@gnu-cfl-2 pr27016]$
https://sourceware.org/bugzilla/show_bug.cgi?id=27016

--- Comment #1 from Michael Matz ---
This also happens in 2.35 of course.
[Bug ld/27016] New: x86-64: GOTPCREL relaxation with abs symbol and REX byte creates incorrect code
https://sourceware.org/bugzilla/show_bug.cgi?id=27016

            Bug ID: 27016
           Summary: x86-64: GOTPCREL relaxation with abs symbol and REX byte
                    creates incorrect code
           Product: binutils
           Version: 2.36 (HEAD)
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: matz at suse dot de
  Target Milestone: ---

Since the fix for PR ld/25749 and PR ld/25754, i.e. commit 382aae0632, ld
generates incorrect code in the following situation:

a) there's a GOTPCREL relocation (not REX_GOTPCRELX!)
b) the REX byte is necessary
c) the instruction is a mov
d) the relocation is against an absolute symbol

Due to the need of an absolute symbol an executable testcase is a bit
difficult, but this happens in the wild with old object files stemming from
enterprise software linked during installation.

Can be reproduced with this:

% cat x.s
        .file   "x.c"
        .text
        .comm   global_int,4,4
        .globl  main
        .type   main, @function
main:
.LFB0:
        .cfi_startproc
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        movq    thesym@GOTPCREL(%rip), %r11
        movl    (%r11), %eax
        leal    1(%rax), %edx
        movq    thesym@GOTPCREL(%rip), %r11
        movl    %edx, (%r11)
        movl    $0, %eax
        popq    %rbp
        .cfi_def_cfa 7, 8
        ret
        .cfi_endproc
.LFE0:
        .size   main, .-main
        .ident  "GCC: (SUSE Linux) 9.2.1 20190903 [gcc-9-branch revision 275330]"
        .section        .note.GNU-stack,"",@progbits
% cat y.s
        .globl thesym
thesym = 0x40402c

I've chosen the value of this abs symbol to be the address of "global_int" in
the finally linked executable, so that it can be run. Note how the main
function uses %r11 as destination register, i.e. the REX byte will be required
and must be correct in the rewritten instruction.

% as -mrelax-relocations=no -o x.o x.s
% as -mrelax-relocations=no -o y.o y.s
% ld-new --build-id --eh-frame-hdr -m elf_x86_64 -dynamic-linker /lib64/ld-linux-x86-64.so.2 /usr/lib64/crt1.o /usr/lib64/crti.o /usr/lib64/gcc/x86_64-suse-linux/9/crtbegin.o x.o y.o -lc /usr/lib64/gcc/x86_64-suse-linux/9/crtend.o /usr/lib64/crtn.o
% ./a.out
Segmentation fault

This is because the input .o file has this:

   4:   4c 8b 1d 00 00 00 00    mov    0x0(%rip),%r11        # b <main+0xb>     7: R_X86_64_GOTPCREL    thesym-0x4

(Note: not REX_GOTPCREL). And the output a.out has this:

004010f2 <main>:
  4010f2:       55                      push   %rbp
  4010f3:       48 89 e5                mov    %rsp,%rbp
  4010f6:       4c c7 c3 2c 40 40 00    rex.WR mov $0x40402c,%rbx
  4010fd:       41 8b 03                mov    (%r11),%eax

Note how the destination of insn main+4 is %rbx and there's an invalid REX
byte. This is all because of this hunk in elf_x86_64_convert_load_reloc:

      if (r_type == R_X86_64_REX_GOTPCRELX)
        rex = bfd_get_8 (abfd, contents + roff - 3);
      else
        rex = 0;

      if (opcode == 0x8b)
        {
          if (abs_symbol && local_ref)
            to_reloc_pc32 = FALSE;

          if (to_reloc_pc32)
            // just rewrite into lea, don't touch REX byte
          else
            // rewrite into mov, and fiddle with REX byte

So, with an absolute symbol the code expects to be able to change the REX
byte, but with mere GOTPCREL relocs as here, it can't.

Possible patch for this:

    Fix for bsc#1179341

    the movload->movconst relaxation can be done only with REX rewriting,
    and hence needs a GOTPCRELX relocation. With old object files we might
    still see GOTPCREL relocs, even with REX bytes available. We still
    can't do such rewriting and hence need to stay with the old rewriting
    into a lea.

diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
index 549a8be6a6..b89b0023db 100644
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -1731,7 +1731,7 @@ elf_x86_64_convert_load_reloc (bfd *abfd,
 
       if (opcode == 0x8b)
 	{
-	  if (abs_symbol && local_ref)
+	  if (abs_symbol && local_ref && rex)
 	    to_reloc_pc32 = FALSE;
 
 	  if (to_reloc_pc32)
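Review bot: the `&& rex` guard in the `if (abs_symbol && local_ref && rex)` line tests the wrong thing. As the excerpt above the patch shows, `rex` is set only when `r_type == R_X86_64_REX_GOTPCRELX` and is 0 otherwise, so it is 0 both for a plain GOTPCREL (where the REX byte is unknown and the mov rewrite is unsafe) and for a GOTPCRELX that simply has no REX prefix (where there is nothing to rewrite and the mov path is fine). The second case would now be forced onto the lea path that the abs_symbol special case was introduced to avoid. Suggest keying on the relocation type instead, e.g. `if (abs_symbol && local_ref && r_type != R_X86_64_GOTPCREL)`, and adding a comment saying that a plain GOTPCREL carries no information about a REX byte, so the load-to-mov conversion must not be attempted for it.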
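A byte-level model of the rewrite this report describes, added here as an example and not binutils code: it reproduces the bad `rex.WR mov $0x40402c,%rbx` encoding from a plain GOTPCREL, the lea that the fix in commit 7e45e7a9 keeps for such relocs, and the correct `mov $imm,%r11` that a REX_GOTPCRELX allows. The helper names, the `fixed` switch and the assumption that the symbol is a local reference are mine; the instruction bytes and addresses come from the report's objdump output.

```python
# Added example, not binutils code: models elf_x86_64_convert_load_reloc's
# handling of 'mov foo@GOTPCREL(%rip),%reg' on the bytes from the report.
REX_R, REX_B = 0x4, 0x1        # REX bits extending ModRM.reg / ModRM.rm
REGS = "rax rcx rdx rbx rsp rbp rsi rdi r8 r9 r10 r11 r12 r13 r14 r15".split()

def dest_reg(insn):
    """Name the destination of a mov/lea (8b, 8d: dest in ModRM.reg) or
    'mov $imm32,%reg' (c7 /0: dest in ModRM.rm), honouring any REX prefix."""
    has_rex = (insn[0] & 0xF0) == 0x40
    rex = insn[0] if has_rex else 0
    off = 1 if has_rex else 0
    opcode, modrm = insn[off], insn[off + 1]
    if opcode in (0x8b, 0x8d):
        reg = ((modrm >> 3) & 7) | (8 if rex & REX_R else 0)
    elif opcode == 0xc7:
        reg = (modrm & 7) | (8 if rex & REX_B else 0)
    else:
        raise ValueError("unexpected opcode 0x%02x" % opcode)
    return REGS[reg]

def relax_got_load(insn, reloc, abs_symbol, value, pc, fixed):
    """Rewrite the GOT load `insn` located at address pc.  reloc is
    'GOTPCREL', 'GOTPCRELX' or 'REX_GOTPCRELX'; fixed selects the behaviour
    of commit 7e45e7a9 (mov path only for the *GOTPCRELX relocs).
    local_ref is assumed true, as for the absolute 'thesym' in the report."""
    buf = bytearray(insn)
    roff = len(buf) - 4                      # offset of the 32-bit field
    assert buf[roff - 2] == 0x8b             # must be a load
    # The linker only knows about a REX byte when the reloc promises one.
    rex = buf[roff - 3] if reloc == "REX_GOTPCRELX" else 0
    to_reloc_pc32 = True
    if abs_symbol and (reloc != "GOTPCREL" or not fixed):
        to_reloc_pc32 = False                # convert to mov $imm32 instead
    if to_reloc_pc32:
        buf[roff - 2] = 0x8d                 # lea foo(%rip),%reg; REX untouched
        disp = value - (pc + len(buf))       # R_X86_64_PC32 displacement
        buf[roff:] = disp.to_bytes(4, "little", signed=True)
    else:
        buf[roff - 2] = 0xc7                 # mov $imm32,%reg (c7 /0)
        buf[roff - 1] = 0xc0 | ((buf[roff - 1] & 0x38) >> 3)  # reg -> rm
        if rex:                              # move REX.R into REX.B
            buf[roff - 3] = (rex & ~REX_R) | ((rex & REX_R) >> 2)
        buf[roff:] = value.to_bytes(4, "little", signed=True)  # R_X86_64_32S
    return bytes(buf)

# 'movq thesym@GOTPCREL(%rip), %r11' (constructed from the report's listing),
# linked at main+4 = 0x40059a with thesym = 0x40402c.
LOAD = bytes.fromhex("4c8b1d00000000")
buggy = relax_got_load(LOAD, "GOTPCREL", True, 0x40402c, 0x40059a, fixed=False)
good = relax_got_load(LOAD, "GOTPCREL", True, 0x40402c, 0x40059a, fixed=True)
relx = relax_got_load(LOAD, "REX_GOTPCRELX", True, 0x40402c, 0x40059a, fixed=True)
```

`buggy` is the `4c c7 c3 2c 40 40 00` from the report (destination decoded as %rbx), `good` is the `4c 8d 1d 8b 3a 00 00` lea seen on master, and `relx` is `49 c7 c3 ...`, a valid `mov $0x40402c,%r11`.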