Michael Hope michael.hope@linaro.org wrote:
Hi Ramana, Ulrich. Could I have some help with an unexpected testsuite failure while backporting Carrot's adddi patch? testsuite/gcc.misc-tests/gcov-7.c builds and runs but aborts during leave() due to unexpected results.
The failing and working versions are on tcpanda02 as ~/gcov-7.exe and ~/gcov-7-ok.
OK, so I understand why ~/gcov-7.exe aborts. What actually happens is: - The program runs through its test sucessfully, until the final exit. - Within exit, gcov_exit processing is done. - Within the gcov_exit subroutine __gcov_rewrite, a *tail* call to fseek is done (which is translated into a branch). - This branch is supposed to go to a PLT stub, but instead goes haywire. - Execution gets rerouted to somewhere in the main code. - This is turn leads it to *again* check its proper exit conditions. - This test now fails, leading to the abort.
In the good case ~/gcov-7-ok, the fseek PLT is called correctly. This (good case) looks like:
00008f70 <__gcov_rewrite>: 8f70: b538 push {r3, r4, r5, lr} 8f72: 4b0a ldr r3, [pc, #40] ; (8f9c <__gcov_rewrite+0x2c>) 8f74: 447b add r3, pc 8f76: 699a ldr r2, [r3, #24] 8f78: 2a00 cmp r2, #0 8f7a: dd0c ble.n 8f96 <__gcov_rewrite+0x26> 8f7c: 2400 movs r4, #0 8f7e: f04f 35ff mov.w r5, #4294967295 8f82: 4621 mov r1, r4 8f84: 6818 ldr r0, [r3, #0] 8f86: 4622 mov r2, r4 8f88: 605c str r4, [r3, #4] 8f8a: 609c str r4, [r3, #8] 8f8c: 619d str r5, [r3, #24] 8f8e: e8bd 4038 ldmia.w sp!, {r3, r4, r5, lr} 8f92: f7ff bc1d b.w 87d0 <_init+0xc4> 8f96: f7ff ebd6 blx 8744 <_init+0x38>
00008718 <.plt>: 8718: e52de004 push {lr} ; (str lr, [sp, #-4]!) 871c: e59fe004 ldr lr, [pc, #4] ; 8728 <_init+0x1c> 8720: e08fe00e add lr, pc, lr 8724: e5bef008 ldr pc, [lr, #8]! 8728: 000099d8 ldrdeq r9, [r0], -r8 [snip] 87d0: 4778 bx pc 87d2: 46c0 nop ; (mov r8, r8) 87d4: e28fc600 add ip, pc, #0 87d8: e28cca09 add ip, ip, #36864 ; 0x9000 87dc: e5bcf964 ldr pc, [ip, #2404]! ; 0x964
Note how at 0x8f92 (Thumb mode!) we have a branch to 0x87d0, which is a Thumb stub that switches to ARM mode and calls into the main ARM PLT stub at 0x87d4.
In the bad case we have instead:
00008fdc <__gcov_rewrite>: 8fdc: b538 push {r3, r4, r5, lr} 8fde: 4b0a ldr r3, [pc, #40] ; (9008 <__gcov_rewrite+0x2c>) 8fe0: 447b add r3, pc 8fe2: 699a ldr r2, [r3, #24] 8fe4: 2a00 cmp r2, #0 8fe6: dd0c ble.n 9002 <__gcov_rewrite+0x26> 8fe8: 2400 movs r4, #0 8fea: f04f 35ff mov.w r5, #4294967295 8fee: 4621 mov r1, r4 8ff0: 6818 ldr r0, [r3, #0] 8ff2: 4622 mov r2, r4 8ff4: 605c str r4, [r3, #4] 8ff6: 609c str r4, [r3, #8] 8ff8: 619d str r5, [r3, #24] 8ffa: e8bd 4038 ldmia.w sp!, {r3, r4, r5, lr} 8ffe: f000 bec7 b.w 9d90 <__fstat+0x10> 9002: f7ff ebd6 blx 87b0 <_init+0x38>
9d90: f7fe bd56 b.w 8840 <_init+0xc8>
00008784 <.plt>: 8784: e52de004 push {lr} ; (str lr, [sp, #-4]!) 8788: e59fe004 ldr lr, [pc, #4] ; 8794 <_init+0x1c> 878c: e08fe00e add lr, pc, lr 8790: e5bef008 ldr pc, [lr, #8]! [snip] 883c: 4778 bx pc 883e: 46c0 nop ; (mov r8, r8) 8840: e28fc600 add ip, pc, #0 8844: e28cca09 add ip, ip, #36864 ; 0x9000 8848: e5bcf94c ldr pc, [ip, #2380]! ; 0x94c
Here, the branch at 0x8ffe first goes to an extra stub at 0x9d90, which in turn branches directly to 0x8840 -- but this is the ARM version of the PLT stub, which now gets executed in Thumb mode!
The reason for this extra stub turns out to be a Cortex-A8 chip erratum: note how the b.w is a Thumb-2 4-byte instruction where its first two bytes are in a different page than its last two?
Such instructions are apparently not executed correctly if the branch goes to a target in the first of those pages. The linker therefore has code to check for this case, and insert an extra branch stub to compensate for this problem. When adding this extra stub, in the special case that the target was a PLT stub, the code forgot to check whether we need to also compensate for Thumb mode.
This bug actually was fixed by Richard Sandiford here: http://cygwin.com/ml/binutils/2011-04/msg00177.html
The fix got included into mainline here:
2011-05-06 Richard Sandiford richard.sandiford@linaro.org
* elf32-arm.c (cortex_a8_erratum_scan): If the stub is a Thumb branch to a PLT entry, redirect it to the PLT's Thumb entry point.
binutils 2.21 still has the bug, but binutils 2.22 is fixed.
Therefore I don't understand this:
- The fault persists with binutils 2.22
Did you perform the final link step creating the gcov-7.exe with the linker from binutils 2.22 ?
Do you have a version of that executable built this way that still shows the problem? I'd like to have a look at that ...
Mit freundlichen Gruessen / Best Regards
Ulrich Weigand
-- Dr. Ulrich Weigand | Phone: +49-7031/16-3727 STSM, GNU compiler and toolchain for Linux on System z and Cell/B.E. IBM Deutschland Research & Development GmbH Vorsitzende des Aufsichtsrats: Martina Koederitz | Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen | Registergericht: Amtsgericht Stuttgart, HRB 243294