* Bug in memmove
@ 2001-06-06 13:11 Gleb O. Raiko
2001-06-22 18:21 ` Maciej W. Rozycki
0 siblings, 1 reply; 5+ messages in thread
From: Gleb O. Raiko @ 2001-06-06 13:11 UTC (permalink / raw)
To: linux-mips
Hello,
It seems there is a bug in our memmove routine. The condition is rare
though, for example, memmove copies incorrectly, if src=5, dst=4, len=9.
I guess, exact condition is:
len > 8, 0 < src - dst < 8, src isn't aligned on qw (8 bytes), src - dst
!= 4
I may be wrong on exact condition, but at least the example works.
Briefly, memmove calls memcpy if src > dst. Then, when memcpy aligns src
on qw, it copies qw to dst. So, after src is aligned, it is overwritten
as well. In the example, memcpy copies qw at 4 (so, new data ends on
4+8=12), but aligned src is at address 8, so a word at address 8 is
overwritten.
Two questions here. First, do we have a pattern that satisfies the
condition, i.e. is the bug showstopper? My guess, it's not. Second, does
somebody have ideas how to fix the bug? Well, I have, but want to hear
somebody else.
Regards,
Gleb.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Bug in memmove
2001-06-06 13:11 Bug in memmove Gleb O. Raiko
@ 2001-06-22 18:21 ` Maciej W. Rozycki
2001-06-23 14:22 ` Ralf Baechle
2001-06-25 12:03 ` Gleb O. Raiko
0 siblings, 2 replies; 5+ messages in thread
From: Maciej W. Rozycki @ 2001-06-22 18:21 UTC (permalink / raw)
To: Gleb O. Raiko, Ralf Baechle; +Cc: linux-mips
On Wed, 6 Jun 2001, Gleb O. Raiko wrote:
> It seems there is a bug in our memmove routine. The condition is rare
> though, for example, memmove copies incorrectly, if src=5, dst=4, len=9.
[...]
> Two questions here. First, do we have a pattern that satisfies the
> condition, i.e. is the bug showstopper? My guess, it's not. Second, does
> somebody have ideas how to fix the bug? Well, I have, but want to hear
> somebody else.
Here is a quick fix I developed after reading your report. It fixes the
case you described. Now memcpy() is invoked only if there is no overlap
at all -- the approach is taken from the Alpha port.
The copy loop begs for optimization (the original memmove() bits do as
well), but at least it works correctly. The patch applies cleanly to
2.4.5 as of today.
Ralf, I think it should get applied unless someone cooks up a better
solution, i.e. optimizes it. I'll optimize it myself, eventually, if no
one else does, but don't hold your breath.
--
+ Maciej W. Rozycki, Technical University of Gdansk, Poland +
+--------------------------------------------------------------+
+ e-mail: macro@ds2.pg.gda.pl, PGP key available +
patch-mips-2.4.0-test12-20010110-memmove-1
diff -up --recursive --new-file linux-mips-2.4.0-test12-20010110.macro/arch/mips/lib/memcpy.S linux-mips-2.4.0-test12-20010110/arch/mips/lib/memcpy.S
--- linux-mips-2.4.0-test12-20010110.macro/arch/mips/lib/memcpy.S Wed Dec 6 05:27:02 2000
+++ linux-mips-2.4.0-test12-20010110/arch/mips/lib/memcpy.S Sun Jun 10 17:50:55 2001
@@ -402,16 +402,20 @@ u_end_bytes:
.align 5
LEAF(memmove)
- sltu t0, a0, a1 # dst < src -> memcpy
- bnez t0, memcpy
- addu v0, a0, a2
- sltu t0, v0, a1 # dst + len < src -> non-
- bnez t0, __memcpy # overlapping, can use memcpy
+ addu t0, a0, a2
+ sltu t0, a1, t0 # dst + len <= src -> memcpy
+ addu t1, a1, a2
+ sltu t1, a0, t1 # dst >= src + len -> memcpy
+ and t0, t1
+ beqz t0, __memcpy
move v0, a0 /* return value */
beqz a2, r_out
END(memmove)
LEAF(__rmemcpy) /* a0=dst a1=src a2=len */
+ sltu t0, a1, a0
+ beqz t0, r_end_bytes_up # src >= dst
+ nop
addu a0, a2 # dst = dst + len
addu a1, a2 # src = src + len
@@ -563,6 +567,17 @@ r_end_bytes:
subu a0, a0, 0x1
r_out:
+ jr ra
+ move a2, zero
+
+r_end_bytes_up:
+ lb t0, (a1)
+ subu a2, a2, 0x1
+ sb t0, (a0)
+ addu a1, a1, 0x1
+ bnez a2, r_end_bytes_up
+ addu a0, a0, 0x1
+
jr ra
move a2, zero
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Bug in memmove
2001-06-22 18:21 ` Maciej W. Rozycki
@ 2001-06-23 14:22 ` Ralf Baechle
2001-06-25 12:03 ` Gleb O. Raiko
1 sibling, 0 replies; 5+ messages in thread
From: Ralf Baechle @ 2001-06-23 14:22 UTC (permalink / raw)
To: Maciej W. Rozycki; +Cc: Gleb O. Raiko, linux-mips
On Fri, Jun 22, 2001 at 08:21:30PM +0200, Maciej W. Rozycki wrote:
> > It seems there is a bug in our memmove routine. The condition is rare
> > though, for example, memmove copies incorrectly, if src=5, dst=4, len=9.
> [...]
> > Two questions here. First, do we have a pattern that satisfies the
> > condition, i.e. is the bug showstopper? My guess, it's not. Second, does
> > somebody have ideas how to fix the bug? Well, I have, but want to hear
> > somebody else.
>
> Here is a quick fix I developed after reading your report. It fixes the
> case you described. Now memcpy() is invoked only if there is no overlap
> at all -- the approach is taken from the Alpha port.
>
> The copy loop begs for optimization (the original memmove() bits do as
> well), but at least it works correctly. The patch applies cleanly to
> 2.4.5 as of today.
>
> Ralf, I think it should get applied unless someone cooks up a better
> solution, i.e. optimizes it. I'll optimize it myself, eventually, if no
> one else does, but don't hold your breath.
Applied to my working tree. I'll commit it in a few hours once I found
time to implement the same fix for 2.2 and mips64.
Ralf
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Bug in memmove
2001-06-22 18:21 ` Maciej W. Rozycki
2001-06-23 14:22 ` Ralf Baechle
@ 2001-06-25 12:03 ` Gleb O. Raiko
2001-06-25 12:13 ` Maciej W. Rozycki
1 sibling, 1 reply; 5+ messages in thread
From: Gleb O. Raiko @ 2001-06-25 12:03 UTC (permalink / raw)
To: Maciej W. Rozycki; +Cc: Ralf Baechle, linux-mips
Maciej,
"Maciej W. Rozycki" wrote:
>
> Ralf, I think it should get applied unless someone cooks up a better
> solution, i.e. optimizes it. I'll optimize it myself, eventually, if no
> one else does, but don't hold your breath.
>
Great! Optimized memmove is in todos of several MIPS developers.
Considering your patch and my investigation though, it's not
showstopper. In fact, there are a few places that call memmove, all of
them aren't on "common path". However, I would consider that common path
certainly depends on the way Linux is used. I may imagine the
configuration where the bug may trigger.
Perhaps, eliminating that known "horror fix" (you know) is more
important.
Regards,
Gleb.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Bug in memmove
2001-06-25 12:03 ` Gleb O. Raiko
@ 2001-06-25 12:13 ` Maciej W. Rozycki
0 siblings, 0 replies; 5+ messages in thread
From: Maciej W. Rozycki @ 2001-06-25 12:13 UTC (permalink / raw)
To: Gleb O. Raiko; +Cc: Ralf Baechle, linux-mips
On Mon, 25 Jun 2001, Gleb O. Raiko wrote:
> Considering your patch and my investigation though, it's not
> showstopper. In fact, there are a few places that call memmove, all of
> them aren't on "common path". However, I would consider that common path
> certainly depends on the way Linux is used. I may imagine the
> configuration where the bug may trigger.
Note that the non-optimal code gets only invoked if the areas do really
overlap.
> Perhaps, eliminating that known "horror fix" (you know) is more
> important.
Let's just let it remain in place until working optimization is done.
--
+ Maciej W. Rozycki, Technical University of Gdansk, Poland +
+--------------------------------------------------------------+
+ e-mail: macro@ds2.pg.gda.pl, PGP key available +
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2001-06-25 12:16 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2001-06-06 13:11 Bug in memmove Gleb O. Raiko
2001-06-22 18:21 ` Maciej W. Rozycki
2001-06-23 14:22 ` Ralf Baechle
2001-06-25 12:03 ` Gleb O. Raiko
2001-06-25 12:13 ` Maciej W. Rozycki
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox