[tor-bugs] #10259 [Tor]: smartlist_ensure_capacity() issue with gcc 4.8
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Dec 1 04:22:08 UTC 2013
#10259: smartlist_ensure_capacity() issue with gcc 4.8
----------------------+------------------------------------
Reporter: zougloub | Owner: nick
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor | Version: Tor: 0.2.5.1-alpha
Keywords: compiler | Actual Points:
Parent ID: | Points:
----------------------+------------------------------------
Tested on x86_64 with gcc 4.8.2.
CFLAGS="-march=native -Os"
gcc generates the {{{smartlist_ensure_capacity()}}} function code:
{{{
Dump of assembler code for function smartlist_ensure_capacity:
0x00000000004c2ad1 <+0>: push %rbx
0x00000000004c2ad2 <+1>: mov %rdi,%rbx
0x00000000004c2ad5 <+4>: cmp 0xc(%rdi),%esi
0x00000000004c2ad8 <+7>: jle 0x4c2b00 <smartlist_ensure_capacity+47>
0x00000000004c2ada <+9>: cmp $0x3fffffff,%esi
0x00000000004c2ae0 <+15>: jg 0x4c2ae4 <smartlist_ensure_capacity+19>
0x00000000004c2ae2 <+17>: jmp 0x4c2ae2 <smartlist_ensure_capacity+17>
0x00000000004c2ae4 <+19>: movl $0x7fffffff,0xc(%rdi)
0x00000000004c2aeb <+26>: mov (%rdi),%rdi
0x00000000004c2aee <+29>: movabs $0x3fffffff8,%rsi
0x00000000004c2af8 <+39>: callq 0x4ca268 <tor_realloc_>
0x00000000004c2afd <+44>: mov %rax,(%rbx)
0x00000000004c2b00 <+47>: pop %rbx
0x00000000004c2b01 <+48>: retq
End of assembler dump.
}}}
We can clearly see that {{{0x00000000004c2ae2 <+17>: jmp 0x4c2ae2 <smartlist_ensure_capacity+17>}}} is an infinite loop.
If we now *use* the size parameter, for instance by doing the following
at the beginning of the function:
{{{
sl->trick = size;
}}}
Then gcc generates correct code:
{{{
Dump of assembler code for function smartlist_ensure_capacity:
0x00000000004c2ad1 <+0>: push %rbx
0x00000000004c2ad2 <+1>: mov %rdi,%rbx
0x00000000004c2ad5 <+4>: mov 0xc(%rdi),%eax
0x00000000004c2ad8 <+7>: mov %esi,0x10(%rdi)
0x00000000004c2adb <+10>: cmp %eax,%esi
0x00000000004c2add <+12>: jle 0x4c2b0c <smartlist_ensure_capacity+59>
0x00000000004c2adf <+14>: cmp $0x3fffffff,%esi
0x00000000004c2ae5 <+20>: jg 0x4c2aef <smartlist_ensure_capacity+30>
0x00000000004c2ae7 <+22>: add %eax,%eax
0x00000000004c2ae9 <+24>: cmp %eax,%esi
0x00000000004c2aeb <+26>: jg 0x4c2ae7 <smartlist_ensure_capacity+22>
0x00000000004c2aed <+28>: jmp 0x4c2af4 <smartlist_ensure_capacity+35>
0x00000000004c2aef <+30>: mov $0x7fffffff,%eax
0x00000000004c2af4 <+35>: mov (%rbx),%rdi
0x00000000004c2af7 <+38>: mov %eax,0xc(%rbx)
0x00000000004c2afa <+41>: cltq
0x00000000004c2afc <+43>: lea 0x0(,%rax,8),%rsi
0x00000000004c2b04 <+51>: callq 0x4ca274 <tor_realloc_>
0x00000000004c2b09 <+56>: mov %rax,(%rbx)
0x00000000004c2b0c <+59>: pop %rbx
0x00000000004c2b0d <+60>: retq
End of assembler dump.
}}}
Here there is no infinite loop anymore.
As of 2013-11-30T23:19:42 EST I'm trying to dig further.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10259>
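As an added illustration, not code from the ticket or from Tor itself, here is a stand-alone C reconstruction of the growth logic the two disassemblies show: compare size against the capacity field, clamp to 0x7fffffff once size exceeds 0x3fffffff, otherwise double until large enough, then reallocate capacity*8 bytes. It is written so the doubling runs in size_t (no dependence on signed-int overflow) and cannot spin forever from a zero capacity; the struct layout, MAX_CAPACITY and the function names are assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for Tor's smartlist_t (assumed layout, not Tor's real header). */
typedef struct { void **list; int num_used; int capacity; } smartlist_t;

#define MAX_CAPACITY INT_MAX   /* the disassembly clamps to 0x7fffffff */

/* Capacity needed to hold `size` entries: keep the old value if it already
 * suffices, clamp to MAX_CAPACITY once size > MAX_CAPACITY/2 (0x3fffffff),
 * otherwise double until large enough. Doubling runs in size_t so it cannot
 * overflow a signed int, and a non-positive start is bumped to 1 so the
 * loop always terminates (from 0, `higher *= 2` would spin forever). */
int grow_capacity(int capacity, int size)
{
  if (size <= 0 || size <= capacity)
    return capacity;
  if (size > MAX_CAPACITY / 2)
    return MAX_CAPACITY;
  size_t higher = capacity > 0 ? (size_t)capacity : 1;
  while ((size_t)size > higher)
    higher *= 2;
  return (int)higher;
}

/* Grow sl->list to hold at least `size` pointers. 0 on success, -1 on OOM. */
int smartlist_ensure_capacity(smartlist_t *sl, int size)
{
  int newcap = grow_capacity(sl->capacity, size);
  if (newcap == sl->capacity)
    return 0;
  void **p = realloc(sl->list, sizeof(void *) * (size_t)newcap);
  if (!p)
    return -1;
  sl->list = p;
  sl->capacity = newcap;
  return 0;
}

int main(void)
{
  smartlist_t sl = { NULL, 0, 16 };   /* constructed sample list */
  for (int want = 1; want <= 1000; want *= 3)
    if (smartlist_ensure_capacity(&sl, want) == 0)
      printf("size %4d -> capacity %d\n", want, sl.capacity);
  free(sl.list);
  return 0;
}
```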