From owner-freebsd-bugs@FreeBSD.ORG Thu Apr 4 02:40:00 2013
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Message-Id: <201304040232.r342WFTC020054@red.freebsd.org>
Date: Thu, 4 Apr 2013 02:32:15 GMT
From: Brian Demsky
To:
freebsd-gnats-submit@FreeBSD.org
Subject: misc/177624: Swapcontext can get compiled incorrectly

>Number:         177624
>Category:       misc
>Synopsis:       Swapcontext can get compiled incorrectly
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 04 02:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Brian Demsky
>Release:        OS X distribution of libc
>Organization:   UCI
>Environment:
>Description:
Here is the code for swap context:

int swapcontext(ucontext_t *oucp, const ucontext_t *ucp)
{
	int ret;

	if ((oucp == NULL) || (ucp == NULL)) {
		errno = EINVAL;
		return (-1);
	}
	oucp->uc_flags &= ~UCF_SWAPPED;
	ret = getcontext(oucp);
	if ((ret == 0) && !(oucp->uc_flags & UCF_SWAPPED)) {
		oucp->uc_flags |= UCF_SWAPPED;
		ret = setcontext(ucp);
	}
	return (ret);
}

On the OS X port of libc in Mac OSX 10.7.5, this gets compiled as:

0x00007fff901e86b2 : push %r14
0x00007fff901e86b4 : push %rbx
0x00007fff901e86b5 : sub $0x8,%rsp
0x00007fff901e86b9 : test %rdi,%rdi
0x00007fff901e86bc : je 0x7fff901e86c6
0x00007fff901e86be : mov %rsi,%rbx
0x00007fff901e86c1 : test %rbx,%rbx
0x00007fff901e86c4 : jne 0x7fff901e86d8
0x00007fff901e86c6 : callq 0x7fff90262c88 <__error>
0x00007fff901e86cb : movl $0x16,(%rax)
0x00007fff901e86d1 : mov $0xffffffff,%eax
0x00007fff901e86d6 : jmp 0x7fff901e86f3
0x00007fff901e86d8 : mov %rdi,%r14
0x00007fff901e86db : andb $0x7f,0x3(%r14)
0x00007fff901e86e0 : mov %r14,%rdi
0x00007fff901e86e3 : callq 0x7fff901e87af
0x00007fff901e86e8 : test %eax,%eax
0x00007fff901e86ea : jne 0x7fff901e86f3
0x00007fff901e86ec : mov (%r14),%ecx
0x00007fff901e86ef : test %ecx,%ecx
0x00007fff901e86f1 : jns 0x7fff901e86fb
0x00007fff901e86f3 : add $0x8,%rsp
0x00007fff901e86f7 : pop %rbx
0x00007fff901e86f8 : pop %r14
0x00007fff901e86fa : retq
0x00007fff901e86fb : or $0x80000000,%ecx
0x00007fff901e8701 : mov %ecx,(%r14)
0x00007fff901e8704 : mov %rbx,%rdi
0x00007fff901e8707 : add $0x8,%rsp
0x00007fff901e870b : pop %rbx
0x00007fff901e870c : pop %r14
0x00007fff901e870e : jmpq 0x7fff90262855

The problem is that rbx is callee saved by the compiled version of swapcontext and then reused before getcontext is called. Getcontext then stores the wrong value for rbx and setcontext later restores the wrong value for rbx. If the caller had any value in rbx, it has been trashed at this point.

Brian
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
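The pattern the report describes (a callee-saved register reused before the call to getcontext) can be checked mechanically against a disassembly listing. The following Python script is an added example, not part of the report or of any libc: it scans an AT&T-syntax listing and reports every callee-saved register the function overwrites before it calls getcontext, and on the report's own listing it flags rbx and, because the code reuses it the same way, r14. It assumes that the unlabelled callq at 0x00007fff901e86e3 is the call to getcontext, as the C source implies.

```python
import re

CALLEE_SAVED = {"rbx", "rbp", "r12", "r13", "r14", "r15"}  # System V x86-64 ABI
LINE_RE = re.compile(r"^\s*0x[0-9a-f]+\s*:\s*(\S+)\s*(.*?)\s*$", re.M)

# Constructed input: the entry of the swapcontext listing from the report.
LISTING = """\
0x00007fff901e86b2 : push %r14
0x00007fff901e86b4 : push %rbx
0x00007fff901e86b5 : sub $0x8,%rsp
0x00007fff901e86b9 : test %rdi,%rdi
0x00007fff901e86bc : je 0x7fff901e86c6
0x00007fff901e86be : mov %rsi,%rbx
0x00007fff901e86c1 : test %rbx,%rbx
0x00007fff901e86c4 : jne 0x7fff901e86d8
0x00007fff901e86c6 : callq 0x7fff90262c88 <__error>
0x00007fff901e86cb : movl $0x16,(%rax)
0x00007fff901e86d1 : mov $0xffffffff,%eax
0x00007fff901e86d6 : jmp 0x7fff901e86f3
0x00007fff901e86d8 : mov %rdi,%r14
0x00007fff901e86db : andb $0x7f,0x3(%r14)
0x00007fff901e86e0 : mov %r14,%rdi
0x00007fff901e86e3 : callq 0x7fff901e87af
"""
GETCONTEXT = "0x7fff901e87af"  # assumed: this unlabelled callq target is getcontext

def canonical(reg):
    """Map sub-register names (ebx, bl, r14d, ...) to the 64-bit register."""
    reg = re.sub(r"^(r(?:8|9|1[0-5]))[dwb]$", r"\1", reg)      # r14d -> r14
    reg = re.sub(r"^e?([abcd]x|si|di|bp|sp)$", r"r\1", reg)    # ebx, bx -> rbx
    return re.sub(r"^([abcd])[lh]$", r"r\1x", reg)             # bl -> rbx

def written_register(mnemonic, operands):
    """Register this AT&T instruction overwrites; None if it writes none."""
    if mnemonic.startswith(("push", "test", "cmp", "j", "ret", "call")):
        return None
    m = re.fullmatch(r"%([a-z0-9]+)", operands.split(",")[-1].strip())  # dest last
    return canonical(m.group(1)) if m else None  # None: memory destination

def clobbered_before_getcontext(listing, getcontext_addr):
    """Callee-saved registers the function reuses before calling getcontext:
    getcontext records these temporaries instead of the caller's values."""
    found = set()
    for mnemonic, operands in LINE_RE.findall(listing):  # straight-line scan
        if mnemonic.startswith("call") and getcontext_addr in operands:
            return found
        reg = written_register(mnemonic, operands)
        if reg in CALLEE_SAVED:
            found.add(reg)
    return set()  # no getcontext call found: nothing to judge
```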