D.gnu - [Bug 273] New: Unexplained crash in generated binary
- gdc-bugzilla mailing list (gdcproject.org), Sep 29 2017 — https://bugzilla.gdcproject.org/show_bug.cgi?id=273
https://bugzilla.gdcproject.org/show_bug.cgi?id=273

Bug ID: 273
Summary: Unexplained crash in generated binary
Product: GDC
Version: development
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gdc
Assignee: ibuclaw gdcproject.org
Reporter: sebastien.alaiwan gmail.com

// crash.d
int main()
{
    auto box = DubiousFunction(0);
    auto buf = new ubyte[2048];
    search(box);
    return 0;
}

void search(Base box)
{
    foreach(b; box.children)
        search(b); // crash at execution occurs here
}

// any modification to the below code makes the crash disappear
Base DubiousFunction(int)
{
    int a, b, c;
    auto box = new Derived;
    foreach(i; 0 .. 2)
        box.children ~= new Derived;
    char[1] tab = void;
    foreach(cc; tab) { }
    return box;
}

class Derived : Base
{
}

class Base
{
    Base[] children;
}

I'm running an up-to-date GNU/Debian testing:

$ gdc-6 --version | head -n 1
gdc-6 (Debian 6.4.0-7) 6.4.0 20170920
$ gdc-7 --version | head -n 1
gdc-7 (Debian 7.2.0-7) 7.2.0

$ gdc-6 crash.d -o crash-6 && ./crash-6 && echo OK
OK
$ gdc-7 crash.d -o crash-7 && ./crash-7 && echo OK
[1] 20610 segmentation fault ./crash-7

Replacing the first "new Derived" with "new Base" is especially interesting, as it makes the crash disappear, but the generated code is only slightly modified:

--- crash-7.s   2017-09-29 19:05:51.800263642 +0200
+++ crash-7b.s  2017-09-29 19:06:01.469764349 +0200
@@ -147,7 +147,7 @@
        movl    $0, -52(%rbp)
        movl    $0, -56(%rbp)
        movl    $0, -60(%rbp)
-       leaq    _D5crash7Derived7__ClassZ(%rip), %rdi
+       leaq    _D5crash4Base7__ClassZ(%rip), %rdi
        call    _d_newclass@PLT
        movq    %rax, -72(%rbp)
        movl    $0, -36(%rbp)
@@ -310,7 +310,7 @@
        .quad   _D6Object7__ClassZ
        .quad   0
        .quad   0
-       .long   52
+       .long   116
        .zero   4
        .quad   0
        .quad   0

The first diff corresponds to the call to new; the second is the "flags" field of the TypeInfo_Class initializer for the "Base" type, which gets its "isAbstract" flag set (116 - 52 = 64 = 0x40, the isAbstract bit of ClassFlags) ... This difference alone is enough to trigger the crash or not.
Here's, for reference, the full (crashing) generated code with gdc-7: .file "crash.d" .text .globl main .type main, function main: .LFB0: .cfi_startproc pushq %rbp .cfi_def_cfa_offset 16 .cfi_offset 6, -16 movq %rsp, %rbp .cfi_def_cfa_register 6 subq $16, %rsp movl %edi, -4(%rbp) movq %rsi, -16(%rbp) movq -16(%rbp), %rcx movl -4(%rbp), %eax movq _Dmain GOTPCREL(%rip), %rdx movq %rcx, %rsi movl %eax, %edi call _d_run_main PLT leave .cfi_def_cfa 7, 8 ret .cfi_endproc .LFE0: .size main, .-main .globl _Dmain .type _Dmain, function _Dmain: .LFB1: .cfi_startproc pushq %rbp .cfi_def_cfa_offset 16 .cfi_offset 6, -16 movq %rsp, %rbp .cfi_def_cfa_register 6 subq $32, %rsp movl $0, %edi call _D5crash15DubiousFunctionFiZC5crash4Base movq %rax, -8(%rbp) movl $2048, %esi movq _D11TypeInfo_Ah6__initZ GOTPCREL(%rip), %rax movq %rax, %rdi call _d_newarrayT PLT movq %rax, -32(%rbp) movq %rdx, -24(%rbp) movq -8(%rbp), %rax movq %rax, %rdi call _D5crash6searchFC5crash4BaseZv movl $0, %eax leave .cfi_def_cfa 7, 8 ret .cfi_endproc .LFE1: .size _Dmain, .-_Dmain .section .rodata .LC0: .string "crash.d" .text .globl _D5crash6searchFC5crash4BaseZv .type _D5crash6searchFC5crash4BaseZv, function _D5crash6searchFC5crash4BaseZv: .LFB2: .cfi_startproc pushq %rbp .cfi_def_cfa_offset 16 .cfi_offset 6, -16 movq %rsp, %rbp .cfi_def_cfa_register 6 pushq %r13 pushq %r12 pushq %rbx subq $56, %rsp .cfi_offset 13, -24 .cfi_offset 12, -32 .cfi_offset 3, -40 movq %rdi, -72(%rbp) movq -72(%rbp), %rax movq 24(%rax), %rdx movq 16(%rax), %rax movq %rax, -64(%rbp) movq %rdx, -56(%rbp) movq $0, -40(%rbp) .L8: movq -64(%rbp), %rax cmpq %rax, -40(%rbp) jnb .L9 movq -56(%rbp), %rdx movq -64(%rbp), %rax cmpq %rax, -40(%rbp) jb .L7 movl $7, %r12d leaq .LC0(%rip), %r13 movq %r12, %rcx movq %r13, %rbx movq %r12, %rax movq %r13, %rdx movq %rdx, %rax movl $13, %edx movq %rcx, %rdi movq %rax, %rsi call _d_arraybounds PLT .L7: movq -40(%rbp), %rax salq $3, %rax addq %rdx, %rax movq (%rax), %rax movq %rax, -48(%rbp) movq 
-48(%rbp), %rax movq %rax, %rdi call _D5crash6searchFC5crash4BaseZv addq $1, -40(%rbp) jmp .L8 .L9: nop nop addq $56, %rsp popq %rbx popq %r12 popq %r13 popq %rbp .cfi_def_cfa 7, 8 ret .cfi_endproc .LFE2: .size _D5crash6searchFC5crash4BaseZv, .-_D5crash6searchFC5crash4BaseZv .globl _D5crash15DubiousFunctionFiZC5crash4Base .type _D5crash15DubiousFunctionFiZC5crash4Base, function _D5crash15DubiousFunctionFiZC5crash4Base: .LFB3: .cfi_startproc pushq %rbp .cfi_def_cfa_offset 16 .cfi_offset 6, -16 movq %rsp, %rbp .cfi_def_cfa_register 6 pushq %r13 pushq %r12 pushq %rbx subq $104, %rsp .cfi_offset 13, -24 .cfi_offset 12, -32 .cfi_offset 3, -40 movl %edi, -116(%rbp) movl $0, -52(%rbp) movl $0, -56(%rbp) movl $0, -60(%rbp) leaq _D5crash7Derived7__ClassZ(%rip), %rdi call _d_newclass PLT movq %rax, -72(%rbp) movl $0, -36(%rbp) movl $2, -76(%rbp) .L12: movl -36(%rbp), %eax cmpl -76(%rbp), %eax jge .L17 movl -36(%rbp), %eax movl %eax, -80(%rbp) leaq _D5crash7Derived7__ClassZ(%rip), %rdi call _d_newclass PLT movq %rax, %rbx movq -72(%rbp), %rax addq $16, %rax movl $1, %edx movq %rax, %rsi leaq _D22TypeInfo_AC5crash4Base6__initZ(%rip), %rdi call _d_arrayappendcTX PLT movq %rdx, %rcx subq $1, %rax salq $3, %rax addq %rcx, %rax movq %rbx, (%rax) addl $1, -36(%rbp) jmp .L12 .L17: nop movq $1, -112(%rbp) leaq -82(%rbp), %rax movq %rax, -104(%rbp) movq $0, -48(%rbp) .L15: movq -112(%rbp), %rax cmpq %rax, -48(%rbp) jnb .L18 movq -104(%rbp), %rdx movq -112(%rbp), %rax cmpq %rax, -48(%rbp) jb .L14 movl $7, %r12d leaq .LC0(%rip), %r13 movq %r12, %rcx movq %r13, %rbx movq %r12, %rax movq %r13, %rdx movq %rdx, %rax movl $27, %edx movq %rcx, %rdi movq %rax, %rsi call _d_arraybounds PLT .L14: movq -48(%rbp), %rax addq %rdx, %rax movzbl (%rax), %eax movb %al, -81(%rbp) addq $1, -48(%rbp) jmp .L15 .L18: nop movq -72(%rbp), %rax addq $104, %rsp popq %rbx popq %r12 popq %r13 popq %rbp .cfi_def_cfa 7, 8 ret .cfi_endproc .LFE3: .size _D5crash15DubiousFunctionFiZC5crash4Base, 
.-_D5crash15DubiousFunctionFiZC5crash4Base .weak _D22TypeInfo_AC5crash4Base6__initZ .section .data.rel.ro._D22TypeInfo_AC5crash4Base6__initZ,"awG", progbits,_D22TypeInfo_AC5crash4Base6__initZ,comdat .align 16 .type _D22TypeInfo_AC5crash4Base6__initZ, object .size _D22TypeInfo_AC5crash4Base6__initZ, 24 _D22TypeInfo_AC5crash4Base6__initZ: .quad _D14TypeInfo_Array6__vtblZ .quad 0 .quad _D5crash4Base7__ClassZ .globl _D5crash7Derived6__initZ .section .data.rel.ro.local,"aw", progbits .align 32 .type _D5crash7Derived6__initZ, object .size _D5crash7Derived6__initZ, 32 _D5crash7Derived6__initZ: .quad _D5crash7Derived6__vtblZ .zero 8 .quad 0 .quad 0 .globl _D5crash7Derived7__ClassZ .section .rodata .LC1: .string "crash.Derived" .section .data.rel,"aw", progbits .align 32 .type _D5crash7Derived7__ClassZ, object .size _D5crash7Derived7__ClassZ, 152 _D5crash7Derived7__ClassZ: .quad _D14TypeInfo_Class6__vtblZ .quad 0 .quad 32 .quad _D5crash7Derived6__initZ .quad 13 .quad .LC1 .quad 5 .quad _D5crash7Derived6__vtblZ .quad 0 .quad 0 .quad _D5crash4Base7__ClassZ .quad 0 .quad 0 .long 118 .zero 4 .quad 0 .quad 0 .quad 0 .quad 0 .quad 0 .globl _D5crash7Derived6__vtblZ .section .data.rel.ro,"aw", progbits .align 8 .type _D5crash7Derived6__vtblZ, object .size _D5crash7Derived6__vtblZ, 40 _D5crash7Derived6__vtblZ: .quad _D5crash7Derived7__ClassZ .quad _D6object6Object8toStringMFZAya .quad _D6object6Object6toHashMFNbNeZm .quad _D6object6Object5opCmpMFC6ObjectZi .quad _D6object6Object8opEqualsMFC6ObjectZb .globl _D5crash4Base6__initZ .section .data.rel.ro.local .align 32 .type _D5crash4Base6__initZ, object .size _D5crash4Base6__initZ, 32 _D5crash4Base6__initZ: .quad _D5crash4Base6__vtblZ .zero 8 .quad 0 .quad 0 .globl _D5crash4Base7__ClassZ .section .rodata .LC2: .string "crash.Base" .section .data.rel .align 32 .type _D5crash4Base7__ClassZ, object .size _D5crash4Base7__ClassZ, 152 _D5crash4Base7__ClassZ: .quad _D14TypeInfo_Class6__vtblZ .quad 0 .quad 32 .quad _D5crash4Base6__initZ .quad 
10 .quad .LC2 .quad 5 .quad _D5crash4Base6__vtblZ .quad 0 .quad 0 .quad _D6Object7__ClassZ .quad 0 .quad 0 .long 52 .zero 4 .quad 0 .quad 0 .quad 0 .quad 0 .quad 0 .globl _D5crash4Base6__vtblZ .section .data.rel.ro .align 8 .type _D5crash4Base6__vtblZ, object .size _D5crash4Base6__vtblZ, 40 _D5crash4Base6__vtblZ: .quad _D5crash4Base7__ClassZ .quad _D6object6Object8toStringMFZAya .quad _D6object6Object6toHashMFNbNeZm .quad _D6object6Object5opCmpMFC6ObjectZi .quad _D6object6Object8opEqualsMFC6ObjectZb .globl _D5crash12__ModuleInfoZ .section .data.rel.local,"aw", progbits .align 32 .type _D5crash12__ModuleInfoZ, object .size _D5crash12__ModuleInfoZ, 38 _D5crash12__ModuleInfoZ: .long 6148 .long 0 .quad 2 .quad _D5crash7Derived7__ClassZ .quad _D5crash4Base7__ClassZ .string "crash" .globl __mod_ref__D5crash12__ModuleInfoZ .section minfo,"aw", progbits .align 8 .type __mod_ref__D5crash12__ModuleInfoZ, object .size __mod_ref__D5crash12__ModuleInfoZ, 8 __mod_ref__D5crash12__ModuleInfoZ: .quad _D5crash12__ModuleInfoZ .hidden gdc_dso_slot .weak gdc_dso_slot .section .bss.gdc_dso_slot,"awG", nobits,gdc_dso_slot,comdat .align 8 .type gdc_dso_slot, gnu_unique_object .size gdc_dso_slot, 8 gdc_dso_slot: .zero 8 .hidden gdc_dso_initialized .weak gdc_dso_initialized .section .bss.gdc_dso_initialized,"awG", nobits,gdc_dso_initialized,comdat .type gdc_dso_initialized, gnu_unique_object .size gdc_dso_initialized, 1 gdc_dso_initialized: .zero 1 .section .text.gdc_dso_ctor,"axG", progbits,gdc_dso_ctor,comdat .weak gdc_dso_ctor .hidden gdc_dso_ctor .type gdc_dso_ctor, function gdc_dso_ctor: .LFB4: .cfi_startproc pushq %rbp .cfi_def_cfa_offset 16 .cfi_offset 6, -16 movq %rsp, %rbp .cfi_def_cfa_register 6 subq $48, %rsp movzbl gdc_dso_initialized(%rip), %eax xorl $1, %eax testb %al, %al je .L21 movq $0, -48(%rbp) movq $0, -40(%rbp) movq $0, -32(%rbp) movq $0, -24(%rbp) movq $0, -16(%rbp) movq $0, -8(%rbp) movq $1, -48(%rbp) leaq gdc_dso_slot(%rip), %rax movq %rax, -40(%rbp) leaq 
__start_minfo(%rip), %rax movq %rax, -32(%rbp) leaq __stop_minfo(%rip), %rax movq %rax, -24(%rbp) movb $1, gdc_dso_initialized(%rip) leaq -48(%rbp), %rax movq %rax, %rdi call _d_dso_registry PLT .L21: nop leave .cfi_def_cfa 7, 8 ret .cfi_endproc .LFE4: .size gdc_dso_ctor, .-gdc_dso_ctor .section .init_array,"aw" .align 8 .quad gdc_dso_ctor .section .text.gdc_dso_dtor,"axG", progbits,gdc_dso_dtor,comdat .weak gdc_dso_dtor .hidden gdc_dso_dtor .type gdc_dso_dtor, function gdc_dso_dtor: .LFB5: .cfi_startproc pushq %rbp .cfi_def_cfa_offset 16 .cfi_offset 6, -16 movq %rsp, %rbp .cfi_def_cfa_register 6 subq $48, %rsp movzbl gdc_dso_initialized(%rip), %eax testb %al, %al je .L24 movq $0, -48(%rbp) movq $0, -40(%rbp) movq $0, -32(%rbp) movq $0, -24(%rbp) movq $0, -16(%rbp) movq $0, -8(%rbp) movq $1, -48(%rbp) leaq gdc_dso_slot(%rip), %rax movq %rax, -40(%rbp) leaq __start_minfo(%rip), %rax movq %rax, -32(%rbp) leaq __stop_minfo(%rip), %rax movq %rax, -24(%rbp) movb $0, gdc_dso_initialized(%rip) leaq -48(%rbp), %rax movq %rax, %rdi call _d_dso_registry PLT .L24: nop leave .cfi_def_cfa 7, 8 ret .cfi_endproc .LFE5: .size gdc_dso_dtor, .-gdc_dso_dtor .section .fini_array,"aw" .align 8 .quad gdc_dso_dtor .hidden __stop_minfo .hidden __start_minfo .hidden __stop_minfo .hidden __start_minfo .ident "GCC: (Debian 7.2.0-7) 7.2.0" .section .note.GNU-stack,"", progbits -- You are receiving this mail because: You are watching all bug changes.