Bug 11136 - segmentation fault while processing NEON arithmetic instructions
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: gas
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: unassigned
Reported: 2010-01-05 13:50 UTC by André Bergner
Modified: 2010-01-29 16:04 UTC
Host: arm-linux-gnueabi
Target: arm-linux-gnueabi
Build: arm-linux-gnueabi

Description André Bergner 2010-01-05 13:50:00 UTC
The following one-line program can reproduce the bug:

main()  { asm("  vmul.f32   q0,q1,q2  "); }

Compiling and assembling this code will result in a 'Segmentation fault' caused 
by gas. However, the seg. fault seems to appear only when assembling directly on 
an ARM device (in my case Nokia N900) or within the scratchbox development 
environment as well, here not using the cross-assembler, but a native ARM 
version. I compiled gas with configure -target=arm-linux-gnueabi

Using gdb, I found the error-producing code in file gas/config/tc-arm.c in 
function neon_check_type(), line 12055 (version from beginning Jan 2010):
    unsigned regwidth = neon_shape_el_size[regshape], match;
Here regshape has a random value, causing unpredictable memory access via 
neon_shape_el_size[]. One line before, regshape is assigned a value from 
neon_shape_tab[ns] with ns=40=NS_NULL, but neon_shape_tab[] has 40 entries only
[0..39], thus accessing the 41st entry will return the random value (64 in my 
case) for regshape.

The invalid value ns=NS_NULL=40 is passed to neon_check_type() by function 
try_vfp_nsyn(), which got this wrong value beforehand from a call to 
neon_select_shape(). This function should catch a value of NS_NULL as error 
"invalid instruction shape" but somehow does not. Apart from the uncaught 
error, the code is valid.
Comment 1 Sourceware Commits 2010-01-29 16:02:59 UTC
Subject: Bug 11136

CVSROOT:	/cvs/src
Module name:	src
Changes by:	nickc@sourceware.org	2010-01-29 16:02:41

Modified files:
	gas            : ChangeLog 
	gas/config     : tc-arm.c 
	gas/testsuite  : ChangeLog 
	gas/testsuite/gas/arm: neon-omit.d neon-omit.s 

Log message:
	PR 11136
	* config/tc-arm.c (neon_check_type): Handle a neon_shape value of
	NS_NULL.
	* gas/arm/neon-omit.s: Add instruction that causes crash.
	* gas/arm/neon-omit.d: Add expected disassembly.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/src/gas/ChangeLog.diff?cvsroot=src&r1=1.4075&r2=1.4076
http://sources.redhat.com/cgi-bin/cvsweb.cgi/src/gas/config/tc-arm.c.diff?cvsroot=src&r1=1.427&r2=1.428
http://sources.redhat.com/cgi-bin/cvsweb.cgi/src/gas/testsuite/ChangeLog.diff?cvsroot=src&r1=1.1628&r2=1.1629
http://sources.redhat.com/cgi-bin/cvsweb.cgi/src/gas/testsuite/gas/arm/neon-omit.d.diff?cvsroot=src&r1=1.6&r2=1.7
http://sources.redhat.com/cgi-bin/cvsweb.cgi/src/gas/testsuite/gas/arm/neon-omit.s.diff?cvsroot=src&r1=1.4&r2=1.5

Comment 2 Nick Clifton 2010-01-29 16:04:46 UTC
Hi André Bergner,

  Thanks for the bug report and analysis.  I decided that it would be safer to
handle an ns value of NS_NULL inside the neon_check_type() function, as it is
called from more places than just the try_vfp_nsyn() function.  But apart from
that the patch that I checked in is basically the one that you suggested.

Cheers
  Nick
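
The pattern analysed in this report, a sentinel enum value (NS_NULL) used as an index one past the end of a lookup table, and the approach of rejecting it inside the callee so that every caller is covered, as an added example. This is a simplified model written for illustration, not the binutils source or the committed patch; the table contents and the names shape_tab, el_size and checked_regwidth are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model (constructed for this example, not the binutils source):
   a shape enum whose last member is a sentinel, and a lookup table that has
   one entry per real shape but none for the sentinel. */
enum shape { NS_DD, NS_QQ, NS_DDD, NS_QQQ, NS_NULL };    /* NS_NULL == 4 */
enum regshape { SE_F, SE_D, SE_Q };

static const enum regshape shape_tab[] = { SE_D, SE_Q, SE_D, SE_Q }; /* [0..3] */
static const unsigned el_size[] = { 32, 64, 128 };   /* indexed by regshape */

#define N_SHAPES   (sizeof shape_tab / sizeof shape_tab[0])
#define N_EL_SIZES (sizeof el_size / sizeof el_size[0])

/* Compile-time guard: the sentinel must sit exactly one past the table, so
   adding a shape without a table entry fails the build instead of crashing. */
_Static_assert(NS_NULL == N_SHAPES, "shape_tab out of sync with enum shape");

/* Unchecked form described in the report (left as a comment on purpose):
       unsigned regwidth = el_size[shape_tab[ns]];
   With ns == NS_NULL the inner read is one past the end of shape_tab, and
   whatever it returns is then used as a second out-of-bounds index. */

/* Checked lookup. The test lives in the callee, so no caller can reach the
   tables with NS_NULL. Returns 0 and stores the width on success, -1 for
   NS_NULL or any other out-of-range value; *width is untouched on failure. */
int checked_regwidth(enum shape ns, unsigned *width)
{
    if ((unsigned)ns >= N_SHAPES)
        return -1;                     /* sentinel or corrupted shape value */

    enum regshape rs = shape_tab[ns];
    if ((unsigned)rs >= N_EL_SIZES)
        return -1;                     /* guard the dependent second index */

    *width = el_size[rs];
    return 0;
}

int main(void)
{
    unsigned w = 0;
    int rc = checked_regwidth(NS_QQQ, &w);
    printf("NS_QQQ  -> rc=%d width=%u\n", rc, w);
    rc = checked_regwidth(NS_NULL, &w);
    printf("NS_NULL -> rc=%d (caller reports an invalid shape)\n", rc);
    return 0;
}
```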