It was only detected under Windows.
bug_tcc.c:
typedef unsigned char* byteptr;
typedef unsigned char u8;
struct string {
u8* str;
int len;
};
typedef struct string string;
#define _SLIT(s) ((string){ \
.str=(byteptr)("" s), \
.len=(sizeof(s)-1)})
int _v_dump_expr_int(string fpath, int dump_arg) {
return 0;
}
void main() {
int a = 1;
_v_dump_expr_int(_SLIT("gg.v"), (a==0 ? (0) : (1)));
}
compile it with following command:
tcc.exe -bt bug_tcc.c
run it, will cause an Error:
bug_tcc.c:19: at main: RUNTIME ERROR: invalid memory access
By disassemble the bug_tcc.exe file, it is shown that the compiler generate a
wrong instruction sequence:
.text:0000000000401024 var_30 = byte ptr -30h
.text:0000000000401024 var_18 = qword ptr -18h
.text:0000000000401024 var_10 = dword ptr -10h
.text:0000000000401024 var_4 = dword ptr -4
.text:0000000000401024
.text:0000000000401024 push rbp
.text:0000000000401025 mov rbp, rsp
.text:0000000000401028 sub rsp, 50h
.text:000000000040102F mov eax, 1
.text:0000000000401034 mov [rbp+var_4], eax
.text:0000000000401037 mov eax, 10h
.text:000000000040103C mov r8, rax ; Size
.text:000000000040103F mov eax, 0
.text:0000000000401044 mov r11, rax
.text:0000000000401047 lea rax, [rbp+var_18]
.text:000000000040104B mov r10, rax
.text:000000000040104E mov rcx, r10 ; void *
.text:0000000000401051 mov rdx, r11 ; Val
.text:0000000000401054 call memset
.text:0000000000401059 lea rax, aGgV ; "gg.v"
.text:0000000000401060 mov [rbp+var_18], rax
.text:0000000000401064 mov eax, 4
.text:0000000000401069 mov [rbp+var_10], eax
.text:000000000040106C mov eax, [rbp+var_4]
.text:000000000040106F cmp eax, 0
.text:0000000000401072 jnz loc_40107D
.text:0000000000401078 jmp loc_401082
.text:000000000040107D ;
---------------------------------------------------------------------------
.text:000000000040107D
.text:000000000040107D loc_40107D: ; CODE XREF:
sub_401024+4E↑j
.text:000000000040107D jmp loc_40108E
.text:0000000000401082 ;
---------------------------------------------------------------------------
.text:0000000000401082
.text:0000000000401082 loc_401082: ; CODE XREF:
sub_401024+54↑j
.text:0000000000401082 lea rax, [rsp+50h+var_30]
// this instruction should move outside...
.text:0000000000401087 mov eax, 0
// BUG!!! overwrite the rax/eax,
this will cause invalid memory access
.text:000000000040108C jmp short loc_401093
.text:000000000040108E ;
---------------------------------------------------------------------------
.text:000000000040108E
.text:000000000040108E loc_40108E: ; CODE XREF:
sub_401024:loc_40107D↑j
.text:000000000040108E mov eax, 1
.text:0000000000401093
.text:0000000000401093 loc_401093: ; CODE XREF:
sub_401024+68↑j
.text:0000000000401093 push rsi
.text:0000000000401094 push rdi
.text:0000000000401095 lea rsi, [rbp+var_18]
.text:0000000000401099 mov rdi, rax
// Because rax was overwrite to zero,
it will fail at movsq
.text:000000000040109C movsq
.text:000000000040109E movsq
.text:00000000004010A0 pop rdi
.text:00000000004010A1 pop rsi
.text:00000000004010A2 mov r11, rax
.text:00000000004010A5 lea r10, [rsp+50h+var_30]
.text:00000000004010AA mov rcx, r10
.text:00000000004010AD mov rdx, r11
.text:00000000004010B0 call sub_401000
.text:00000000004010B5 leave
.text:00000000004010B6 retn
.text:00000000004010B6 sub_401024 endp
Hope someone can fix it.
_______________________________________________
Tinycc-devel mailing list
Tinycc-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/tinycc-devel
