From: Segher Boessenkool <segher@kernel.crashing.org>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Larry Finger <Larry.Finger@lwfinger.net>,
Linus Torvalds <torvalds@linux-foundation.org>,
Thorsten Leemhuis <regressions@leemhuis.info>,
linuxppc-dev@lists.ozlabs.org,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: gcc 4.6.3 miscompile on ppc32 (was Re: Regression in kernel 4.12-rc1 for Powerpc 32 - bisected to commit 3448890c32c3)
Date: Sun, 25 Jun 2017 16:44:09 -0500 [thread overview]
Message-ID: <20170625214408.GT16550@gate.crashing.org> (raw)
In-Reply-To: <20170625205324.GW10672@ZenIV.linux.org.uk>
On Sun, Jun 25, 2017 at 09:53:24PM +0100, Al Viro wrote:
> Confirmed. It manages to bugger the loop immediately after the (successful)
> copying of iovec array in rw_copy_check_uvector(); both with and without
> INLINE_COPY_FROM_USER it has (just before the call of copy_from_user()) r27
> set to nr_segs * sizeof(struct iovec). The call is made, we check that it
> has succeeded and that's when it hits the fan: without INLINE_COPY_FROM_USER
> we have (interleaved with unrelated insns)
> addi 27,27,-8
> srwi 27,27,3
> addi 27,27,1
> mtctr 27
> Weird, but manages to pass nr_segs to mtctr.
This weirdosity is https://gcc.gnu.org/PR67288 . Those three instructions
are not the same as just srwi 27,27,3 in case r27 is 0; GCC does not
figure out this cannot happen here.
> _With_ INLINE_COPY_FROM_USER we
> get this:
> lis 9,0x2000
> mtctr 9
> In other words, the loop will try to go through 8192 iterations. No idea where
> that number has come from, but it sure as hell is wrong.
8192*65535, even. This is as if r27 was 0 always.
Do you have a short stand-alone testcase? 4.6 is ancient, of course, but
the actual problem may still exist in more recent compilers (if it _is_
a compiler problem; if it's not, you *really* want to know :-) )
Segher
next prev parent reply other threads:[~2017-06-25 21:44 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-01 16:39 Regression in kernel 4.12-rc1 for Powerpc 32 - partially bisected Larry Finger
2017-06-21 15:10 ` Regression in kernel 4.12-rc1 for Powerpc 32 - bisected to commit 3448890c32c3 Larry Finger
2017-06-21 21:22 ` Al Viro
2017-06-21 21:31 ` Larry Finger
2017-06-21 21:34 ` Al Viro
2017-06-21 21:49 ` Larry Finger
2017-06-22 14:12 ` Al Viro
2017-06-22 14:19 ` Larry Finger
2017-06-22 19:25 ` Al Viro
2017-06-22 21:41 ` Al Viro
2017-06-23 18:49 ` Larry Finger
2017-06-23 20:29 ` Al Viro
2017-06-24 17:29 ` Larry Finger
2017-06-25 9:53 ` Al Viro
2017-06-25 11:14 ` Al Viro
2017-06-25 20:53 ` gcc 4.6.3 miscompile on ppc32 (was Re: Regression in kernel 4.12-rc1 for Powerpc 32 - bisected to commit 3448890c32c3) Al Viro
2017-06-25 21:44 ` Segher Boessenkool [this message]
2017-06-25 22:21 ` Al Viro
2017-06-26 13:37 ` Michael Ellerman
2017-06-26 13:40 ` Regression in kernel 4.12-rc1 for Powerpc 32 - bisected to commit 3448890c32c3 Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170625214408.GT16550@gate.crashing.org \
--to=segher@kernel.crashing.org \
--cc=Larry.Finger@lwfinger.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=regressions@leemhuis.info \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox