|
From: <raf...@gm...> - 2006-11-07 02:47:38
Attachments:
psi.log.bz2
|
Hi, I believe that I have found another false positive. A log is
attached, and the reduced code is
------------------------------------------
movl 4(%esp), %ecx
.LCFI202:
fldz
fldz
fxch %st(1)
fucompp
fnstsw %ax
sahf
je .L334
.L334:
jp .L335
.L335:
andb $-2, 68(%ecx)
fldz
fldz
fxch %st(1)
fucompp
fnstsw %ax
sahf
je .L345
.L345:
jp .L344
.L344:
ret
-----------------------------------------
Best Regards,
Rafael
|
|
From: Julian S. <js...@ac...> - 2006-11-17 13:38:15
|
Rafael, I am trying but failing to reproduce this. Can you send a complete
program that demonstrates it? The fragment below isn't runnable (what args
should I pass to this function?) and despite trying out variants of a test
for your previous false-positive report I can't make it fail.

J

On Tuesday 07 November 2006 02:47, Rafael Espíndola wrote:
> Hi, I believe that I have found another false positive. A log is
> attached, and the reduced code is
>
> ------------------------------------------
> movl 4(%esp), %ecx
> .LCFI202:
>
> fldz
> fldz
> fxch %st(1)
> fucompp
> fnstsw %ax
> sahf
> je .L334
> .L334:
> jp .L335
> .L335:
> andb $-2, 68(%ecx)
> fldz
> fldz
> fxch %st(1)
> fucompp
> fnstsw %ax
> sahf
> je .L345
> .L345:
> jp .L344
> .L344:
> ret
> -----------------------------------------
>
> Best Regards,
> Rafael
|
From: <raf...@gm...> - 2006-11-19 00:18:51
Attachments:
test.s
|
On 11/17/06, Julian Seward <js...@ac...> wrote:
>
> Rafael, I am trying but failing to reproduce this. Can you send a
> complete program that demonstrates it? The fragment below isn't
> runnable (what args should I pass to this function?) and despite
> trying out variants of a test for your previous false-positive
> report I can't make it fail.

I have reduced the program to the attached assembly. It was a bit
hard because the original code was in qt4, which is very large...

> J

Best Regards,
Rafael
|
From: Julian S. <js...@ac...> - 2006-11-19 01:20:05
|
> I have reduced the program to the attached assembly. It was a bit
> hard because the original code was in qt4, which is very large...

Thanks. I managed to reduce it further to the program below, but
unfortunately I cannot think of a simple way to fix it.

The problem is that 'andl $-2, 8(%esp)' sets %eflags to undefined.
Then 'fucompp; fnstsw %ax; sahf' makes all %eflags except the O
(overflow) flag defined. Neither the following 'jp' nor 'je' depend
on O, and V's dataflow analysis can see that for the 'jp'. However,
the 'je' is in a different basic block and the dataflow analysis does
not work well across blocks. Hence it believes 'je' depends on the O
flag, which is undefined, when in fact it does not.

What optimisation level was this code compiled at?

J

	.file	"test.c"
	.text
.globl main
	.type	main, @function
main:
	subl	$24, %esp
	andl	$-2, 8(%esp)
	fldz
	fldz
	fucompp
	fnstsw	%ax
	sahf
	jp	.L5
	je	.L5
.L5:
	movl	$0, %eax
	addl	$24, %esp
	ret
	.size	main, .-main
	.ident	"GCC: (GNU) 4.1.2 20060928 (prerelease) (Ubuntu 4.1.1-13ubuntu5)"
	.section	.note.GNU-stack,"",@progbits
|
> The problem is that 'andl $-2, 8(%esp)' sets %eflags to undefined.

The fact that 8(%esp) is undefined implies only that the PF [parity],
SF [sign], and ZF [zero] flags become logically undefined. On x86 each
integer AND instruction clears both the CF [carry] and OF [overflow]
flags unconditionally, regardless of operands. Also regardless of
operands, on x86 an integer AND instruction sets AF [ASCII Carry out
of bit 3] to undefined.

> main:
> subl $24, %esp
> andl $-2, 8(%esp)

Note that if the constant operand were -256 then the PF would be
defined [to be Even parity] because the PF is computed on the
low-order 8 bits only, and the low-order 8 bits would become all zero
even if 8(%esp) is undefined. Similarly, if the constant operand did
not have its high bit set, then the SF would become 0 regardless of
8(%esp) being undefined.

The definedness of each bit of %eflags must be tracked separately, or
bugs such as this probably will arise for a long time.

--
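The two messages above disagree on how coarsely the definedness of %eflags may be tracked after the `andl`. The following is an added example, not code from the thread and not Valgrind's own implementation: a small C model of shadow ("undefined") bits for the six arithmetic flags. The coarse mode treats the AND as "setting %eflags to undefined" wholesale, as the first message puts it; the per-bit mode applies the per-flag rules from the reply (CF/OF always cleared, AF always undefined, ZF tied to the operand, PF only to the low byte of the result, SF only to the top bit). It then walks the reduced `main()` and counts how many of the two conditional jumps would be reported. Note that the coarse model is pessimistic at every step, so it reports both `jp` and `je`, whereas the thread describes the dataflow analysis catching the `jp` inside its basic block and only mis-reporting the `je`; the function and type names (`shadow_t`, `run_reduced_test`, `undef_after_and`) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bit positions as laid out in the real %eflags register. */
#define CF (1u << 0)   /* carry */
#define PF (1u << 2)   /* parity (of the low 8 bits of the result) */
#define AF (1u << 4)   /* auxiliary carry out of bit 3 */
#define ZF (1u << 6)   /* zero */
#define SF (1u << 7)   /* sign */
#define OF (1u << 11)  /* overflow */
#define ALL_FLAGS (CF | PF | AF | ZF | SF | OF)

/* Shadow state (hypothetical name): a set bit means "this flag is undefined". */
typedef struct { uint32_t undef; } shadow_t;

/* 'andl $imm, mem' where the memory operand may be undefined.
 * per_bit == false: the coarse view, in which the AND simply "sets %eflags
 *   to undefined" whenever its operand is undefined.
 * per_bit == true: the per-flag rules from the reply: CF and OF are always
 *   cleared (so defined), AF is always undefined, ZF is undefined iff the
 *   operand is, PF depends only on the low byte of the result and is defined
 *   when imm's low byte is 0, SF depends only on the top bit and is defined
 *   when imm's top bit is clear. */
static void shadow_and_imm32(shadow_t *s, bool operand_undef, int32_t imm,
                             bool per_bit)
{
    uint32_t u;
    if (!per_bit) {
        u = operand_undef ? ALL_FLAGS : 0;
    } else {
        u = AF;                                          /* AF: always undefined */
        if (operand_undef) {
            u |= ZF;                                     /* needs the whole result */
            if ((uint32_t)imm & 0xffu)       u |= PF;    /* a low bit may survive */
            if ((uint32_t)imm & 0x80000000u) u |= SF;    /* the sign bit may survive */
        }
    }
    s->undef = (s->undef & ~ALL_FLAGS) | u;
}

/* 'fucompp; fnstsw %ax; sahf' on defined x87 operands: SAHF loads SF, ZF, AF,
 * PF and CF from %ah, so those five become defined; SAHF never writes OF. */
static void shadow_fcom_fnstsw_sahf(shadow_t *s)
{
    s->undef &= ~(SF | ZF | AF | PF | CF);
}

/* Would a conditional jump that reads 'flags_read' be reported as depending on
 * undefined data? Coarse view: any undefined bit anywhere in %eflags taints
 * every jump. Per-bit view: only the bits the jump actually reads count. */
static bool jcc_reads_undef(const shadow_t *s, uint32_t flags_read, bool per_bit)
{
    uint32_t relevant = per_bit ? flags_read : ALL_FLAGS;
    return (s->undef & relevant) != 0;
}

/* Walk the reduced main() from the thread with AND immediate 'and_imm' and
 * return how many of its two conditional jumps would be reported. */
int run_reduced_test(bool per_bit, int32_t and_imm)
{
    shadow_t s = { 0 };                               /* all flags defined at entry */
    int reported = 0;
    shadow_and_imm32(&s, true, and_imm, per_bit);     /* andl $imm, 8(%esp), operand undefined */
    shadow_fcom_fnstsw_sahf(&s);                      /* fldz; fldz; fucompp; fnstsw %ax; sahf */
    reported += jcc_reads_undef(&s, PF, per_bit);     /* jp .L5 */
    reported += jcc_reads_undef(&s, ZF, per_bit);     /* je .L5 */
    return reported;
}

/* Per-bit undefinedness right after 'andl $imm, mem' on an undefined mem. */
uint32_t undef_after_and(int32_t and_imm)
{
    shadow_t s = { 0 };
    shadow_and_imm32(&s, true, and_imm, true);
    return s.undef;
}

int main(void)
{
    printf("coarse tracking,  andl $-2: %d jump(s) reported\n", run_reduced_test(false, -2));
    printf("per-bit tracking, andl $-2: %d jump(s) reported\n", run_reduced_test(true, -2));
    printf("undefined flags after andl $-2:   0x%03x\n", (unsigned)undef_after_and(-2));
    printf("undefined flags after andl $-256: 0x%03x (PF defined: low byte is 0)\n",
           (unsigned)undef_after_and(-256));
    printf("undefined flags after andl $0x7f: 0x%03x (SF defined: top bit clear)\n",
           (unsigned)undef_after_and(0x7f));
    return 0;
}
```

In the coarse mode OF survives the `sahf` as the one undefined bit, which is exactly the bit neither jump reads, so both jumps are reported; in the per-bit mode nothing is left undefined after `sahf` and neither jump is reported. The `-256` and `0x7f` cases reproduce the reply's two refinements: a zero low byte fixes PF, and a clear top bit fixes SF, even though the operand itself is undefined.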
|
From: <raf...@gm...> - 2006-11-19 13:26:50
|
> What optimisation level was this code compiled at?

The reduced test case was compiled with -O0 and then hand optimized
(O2 would constant propagate and remove the if). The original source
code in qt4 was compiled with g++ -O2.

Thanks!
Rafael