List:       gcc
Subject:    Bogus gcc.c-torture/execute/20071018-1.c testcase?
From:       Mark Kettenis <mark.kettenis () xs4all ! nl>
Date:       2011-12-31 21:43:18
Message-ID: 201112312143.pBVLhIsm005884 () glazunov ! sibelius ! xs4all ! nl

Execution of the test randomly fails for me on OpenBSD/amd64.  Looking
at the code, it seems it is doing an out-of-bounds array access.  For
reference I've copied the code of the testcase below.  As you can see
there's a foo(0) call in main().  Therefore

  struct foo **upper = &as->x[rank * 8 - 1];

becomes

  struct foo **upper = &as->x[-1];

so upper points to an address before the malloc()'ed memory.  Then
when the code does

  *upper = 0;

this generates a SIGSEGV, if the malloc()'ed memory happens to lie
right at the start of a page.  I suppose that may never happen on some
platforms (Linux?) since many malloc() implementations will use the
start of a page for their own bookkeeping.

I don't really understand what the testcase is testing.  Richard, can
you perhaps shed some light on this?

Thanks,

Mark

---

extern void abort(void);

struct foo {
  int rank;
  char *name;
};

struct mem {
  struct foo *x[4];
};

void __attribute__((noinline)) bar(struct foo **f)
{
  *f = __builtin_malloc(sizeof(struct foo));
}
struct foo * foo(int rank)
{
  void *x = __builtin_malloc(sizeof(struct mem));
  struct mem *as = x;
  struct foo **upper = &as->x[rank * 8 - 1];
  *upper = 0;
  bar(upper);
  return *upper;
}

int main()
{
  if (foo(0) == 0)
    abort ();
  return 0;
}
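
An added example, not part of the original message or of the GCC testsuite: it makes the failure described above deterministic by placing a struct mem at the start of a page that follows a PROT_NONE guard page, then performing the testcase's store in a child process. It assumes a POSIX system with mmap, mprotect and fork; slot_offset, slot_in_bounds and store_with_guard_page are hypothetical helper names.

```c
#define _DEFAULT_SOURCE            /* MAP_ANONYMOUS on glibc */
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

struct foo { int rank; char *name; };
struct mem { struct foo *x[4]; };  /* same layout as the testcase */

/* Byte offset of as->x[rank * 8 - 1] from the start of the block, computed
   in integers so that no out-of-bounds pointer is formed in the parent. */
static long slot_offset(int rank)
{
  return (long)offsetof(struct mem, x)
       + ((long)rank * 8 - 1) * (long)sizeof(struct foo *);
}

/* 1 if the slot lies entirely inside a struct mem, 0 otherwise. */
static int slot_in_bounds(int rank)
{
  long off = slot_offset(rank);
  return off >= 0
      && off + (long)sizeof(struct foo *) <= (long)sizeof(struct mem);
}

/* Returns the signal that killed the child doing the store, 0 if the store
   completed, or -1 if the mapping or the fork could not be set up. */
static int store_with_guard_page(int rank)
{
  long pg = sysconf(_SC_PAGESIZE);
  int status;
  pid_t pid;
  char *map = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (map == MAP_FAILED || mprotect(map, pg, PROT_NONE) != 0)
    return -1;                     /* first page is now the guard page */
  pid = fork();
  if (pid == 0) {                  /* child: block starts at map + pg */
    uintptr_t addr = (uintptr_t)(map + pg) + slot_offset(rank);
    *(struct foo * volatile *)addr = 0;   /* the testcase's "*upper = 0" */
    _exit(0);
  }
  if (pid < 0 || waitpid(pid, &status, 0) != pid)
    return -1;
  munmap(map, 2 * pg);
  return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) { return store_with_guard_page(0) == SIGSEGV ? 0 : 1; }
```

With rank 1 the slot is also out of bounds, but it lands past the end of the block inside the same mapped page, so the store completes without a signal; only the bounds check reports it.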