From owner-freebsd-bugs@FreeBSD.ORG  Thu Apr  4 02:10:03 2013
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 24B54A0E
 for <freebsd-bugs@freebsd.org>; Thu,  4 Apr 2013 02:10:03 +0000 (UTC)
 (envelope-from bdemsky@uci.edu)
Received: from mda3.es.uci.edu (mda3.es.uci.edu [128.200.80.6])
 by mx1.freebsd.org (Postfix) with ESMTP id 0FCB8F69
 for <freebsd-bugs@freebsd.org>; Thu,  4 Apr 2013 02:10:02 +0000 (UTC)
Received: from ismtp1.es.uci.edu (ismtp1.es.uci.edu [128.195.153.31])
 by mda3.es.uci.edu (8.13.8/8.13.8) with ESMTP id r3425JjZ257077
 for <freebsd-bugs@freebsd.org>; Wed, 3 Apr 2013 19:05:19 -0700
Received: from dhcp-v000-160.mobile.uci.edu (dhcp-v000-160.mobile.uci.edu
 [169.234.0.160]) (authenticated bits=0)
 by ismtp1.es.uci.edu (8.13.8/8.13.8) with ESMTP id r3425CJQ283512
 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT)
 for <freebsd-bugs@freebsd.org>; Wed, 3 Apr 2013 19:05:13 -0700
X-UCInetID: bdemsky
From: Brian Demsky <bdemsky@uci.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Subject: Bug in swapcontext method
Date: Wed, 3 Apr 2013 19:05:18 -0700
Message-Id: <F99A8507-A452-4FFD-BC73-544578DE812D@uci.edu>
To: freebsd-bugs@freebsd.org
Mime-Version: 1.0 (Apple Message framework v1283)
X-Mailer: Apple Mail (2.1283)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2013 02:10:03 -0000

Here is the code for swap context:

int
swapcontext(ucontext_t *oucp, const ucontext_t *ucp)
{
        int ret;

        if ((oucp =3D=3D NULL) || (ucp =3D=3D NULL)) {
                errno =3D EINVAL;
                return (-1);
        }
        oucp->uc_flags &=3D ~UCF_SWAPPED;
        ret =3D getcontext(oucp);
        if ((ret =3D=3D 0) && !(oucp->uc_flags & UCF_SWAPPED)) {
                oucp->uc_flags |=3D UCF_SWAPPED;
                ret =3D setcontext(ucp);
        }
        return (ret);
}

On the OS X port of libc, this gets compiled as:

0x00007fff901e86b2 <swapcontext+0>:     push   %r14
0x00007fff901e86b4 <swapcontext+2>:     push   %rbx
0x00007fff901e86b5 <swapcontext+3>:     sub    $0x8,%rsp
0x00007fff901e86b9 <swapcontext+7>:     test   %rdi,%rdi
0x00007fff901e86bc <swapcontext+10>:    je     0x7fff901e86c6 =
<swapcontext+20>
0x00007fff901e86be <swapcontext+12>:    mov    %rsi,%rbx
0x00007fff901e86c1 <swapcontext+15>:    test   %rbx,%rbx
0x00007fff901e86c4 <swapcontext+18>:    jne    0x7fff901e86d8 =
<swapcontext+38>
0x00007fff901e86c6 <swapcontext+20>:    callq  0x7fff90262c88 <__error>
0x00007fff901e86cb <swapcontext+25>:    movl   $0x16,(%rax)
0x00007fff901e86d1 <swapcontext+31>:    mov    $0xffffffff,%eax
0x00007fff901e86d6 <swapcontext+36>:    jmp    0x7fff901e86f3 =
<swapcontext+65>
0x00007fff901e86d8 <swapcontext+38>:    mov    %rdi,%r14
0x00007fff901e86db <swapcontext+41>:    andb   $0x7f,0x3(%r14)
0x00007fff901e86e0 <swapcontext+46>:    mov    %r14,%rdi
0x00007fff901e86e3 <swapcontext+49>:    callq  0x7fff901e87af =
<getcontext>
0x00007fff901e86e8 <swapcontext+54>:    test   %eax,%eax
0x00007fff901e86ea <swapcontext+56>:    jne    0x7fff901e86f3 =
<swapcontext+65>
0x00007fff901e86ec <swapcontext+58>:    mov    (%r14),%ecx
0x00007fff901e86ef <swapcontext+61>:    test   %ecx,%ecx
0x00007fff901e86f1 <swapcontext+63>:    jns    0x7fff901e86fb =
<swapcontext+73>
0x00007fff901e86f3 <swapcontext+65>:    add    $0x8,%rsp
0x00007fff901e86f7 <swapcontext+69>:    pop    %rbx
0x00007fff901e86f8 <swapcontext+70>:    pop    %r14
0x00007fff901e86fa <swapcontext+72>:    retq  =20
0x00007fff901e86fb <swapcontext+73>:    or     $0x80000000,%ecx
0x00007fff901e8701 <swapcontext+79>:    mov    %ecx,(%r14)
0x00007fff901e8704 <swapcontext+82>:    mov    %rbx,%rdi
0x00007fff901e8707 <swapcontext+85>:    add    $0x8,%rsp
0x00007fff901e870b <swapcontext+89>:    pop    %rbx
0x00007fff901e870c <swapcontext+90>:    pop    %r14
0x00007fff901e870e <swapcontext+92>:    jmpq   0x7fff90262855 =
<setcontext>

The problem is that rbx is callee saved by compiled version of =
swapcontext and then reused before getcontext is called.  Getcontext =
then stores the wrong value for rbx and setcontext later restores the =
wrong value for rbx.  If the caller had any value in rbx, it has been =
trashed at this point.

Brian=