This is the mail archive of the
libc-alpha@sources.redhat.com
mailing list for the glibc project.
[patch] strncpy.S bug on ia64
- From: Randolph Chung <randolph at tausq dot org>
- To: libc-alpha at sources dot redhat dot com
- Cc: kenneth dot w dot chen at intel dot com
- Date: Mon, 2 Dec 2002 21:32:59 -0800
- Subject: [patch] strncpy.S bug on ia64
- Reply-to: Randolph Chung <randolph at tausq dot org>
Attached is a patch from Ken Chen to fix strncpy.S on ia64. The
ChangeLog entry below is adapted from Ken's email.
Ken posted this a few weeks ago, but it looks like it might not have
gone to the right place.
2002-11-19 Kenneth W. Chen <kenneth.w.chen@intel.com>
* sysdeps/ia64/strncpy.S: initialize ar.ec; ec is not
guaranteed to be zero upon function entry. Fix
segfault in recovery 4 section when src length
ends exactly at a page boundary and there is no
mapping after that page.
--- glibc/sysdeps/ia64/strncpy.S.orig Tue Nov 19 10:22:01 2002
+++ glibc/sysdeps/ia64/strncpy.S Tue Nov 19 10:29:21 2002
@@ -63,6 +63,7 @@
mov saved_pr = pr // save the predicate registers
.save ar.lc, saved_lc
mov saved_lc = ar.lc // save the loop counter
+ mov ar.ec = 0
.body
cmp.geu p6, p5 = 24, in2
(p6) br.cond.spnt .short_len
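Review bot: the new `mov ar.ec = 0` is the only line in this prologue without a comment, and it zeroes ar.ec with no matching `.save`/restore even though the two lines just above it take care to save ar.lc before the loop. Please add a comment next to it stating why the epilog counter must be zero before the software-pipelined loop (the ChangeLog says it is not guaranteed to be zero on entry) and why no save is needed (ar.ec is captured in ar.pfs by br.call and restored by br.ret, so the caller's value survives), so a later reader does not mistake this for a missing restore.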
@@ -221,7 +222,9 @@
ld8 r[MEMLAT] = [tmp]
br.cond.sptk .back3
.recovery4:
+ cmp.eq p8,p9=0,len
add tmp = -MEMLAT * 8, src ;;
- ld8 r[MEMLAT - 1] = [tmp]
+(p8) mov r[MEMLAT - 1] = r0
+(p9) ld8 r[MEMLAT - 1] = [tmp]
br.cond.sptk .back4
END(strncpy)
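Review bot: the new `cmp.eq p8,p9=0,len` is the only line in the hunk without spaces around `=` and after the comma; match the surrounding style (`cmp.geu p6, p5 = 24, in2` in the first hunk), i.e. `cmp.eq p8, p9 = 0, len`. The hunk also documents nothing about why `len == 0` is the right condition for skipping the load: the accompanying description says the fault occurs when src ends exactly at a page boundary and the pipelined loop has already post-incremented src past that page, so the `ld8 r[MEMLAT - 1] = [tmp]` reads an unmapped address. A one-line comment on the `(p8)` path (e.g. `// nothing left to copy; [tmp] may be unmapped, substitute zero`) would tie the fix to the bug, since `mov r[MEMLAT - 1] = r0` otherwise reads as an arbitrary zeroing. The dependency on the `;;` after `add tmp = -MEMLAT * 8, src` to make p8/p9 visible to the predicated instructions is correct as written.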
----- Forwarded message from "Chen, Kenneth W" <kenneth.w.chen@intel.com> -----
Subject: RE: [Linux-ia64] IA64 strncpy in 2.2.4-30 - bug and patch
Date: Tue, 19 Nov 2002 10:35:44 -0800
From: "Chen, Kenneth W" <kenneth.w.chen@intel.com>
To: "Randolph Chung" <randolph@tausq.org>
Cc: <bug-glibc@gnu.org>, <linux-ia64@linuxia64.org>
Here is the updated patch against current glibc cvs strncpy.S v1.9.
There are two hunks in this patch. The first hunk initializes ar.ec; ec is not guaranteed to be zero upon function entry, although most likely it will be zero. But such an assumption is functionally broken.
The second hunk fixes the segfault in the recovery 4 section. The segfault case is when src length ends exactly at a page boundary and there is no mapping after that page. In recovery 4, it is trying to access an invalid address because in the earlier loop the src pointer got post-incremented past the end of the current page.
- Ken
--
Randolph Chung
Debian GNU/Linux Developer, hppa/ia64 ports
http://www.tausq.org/
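The page-boundary case Ken describes is easy to miss in normal testing because the page after a string is usually mapped, so an over-read succeeds silently. The following regression test is an added example, not part of the original mail or of glibc: it maps two adjacent pages, makes the second one inaccessible with mprotect, places a string whose terminating NUL is the last byte of the first page, and calls the system strncpy with a count larger than the string. An implementation that touches the guard page dies with SIGSEGV; a correct one passes the contract check. The function names and the chosen lengths are this example's own.

```c
/* Added example (not from the original mail or glibc): regression test
   for strncpy reading past a string that ends exactly at a page boundary
   when the next page is unmapped. Linux/POSIX only (mmap, mprotect). */
#define _GNU_SOURCE
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

/* Lay out a len-byte string of 'a' so that its terminating NUL is the last
   byte of an accessible page and the following page is PROT_NONE.
   Returns the string pointer, or NULL on failure; *base and *maplen
   receive the mapping so the caller can munmap it. */
static char *make_src_at_page_end(size_t len, void **base, size_t *maplen)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len + 1 > (size_t)page)
        return NULL;
    *maplen = 2 * (size_t)page;
    void *p = mmap(NULL, *maplen, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    /* Guard page: any read past the terminator now faults instead of
       silently returning whatever happens to be mapped there. */
    if (mprotect((char *)p + page, (size_t)page, PROT_NONE) != 0) {
        munmap(p, *maplen);
        return NULL;
    }
    char *src = (char *)p + page - (len + 1);
    memset(src, 'a', len);
    src[len] = '\0';
    *base = p;
    return src;
}

/* Copy a len-byte string that ends at a page boundary with strncpy using
   count n (n > len), then verify the C contract: the first len bytes equal
   the source and the remaining n - len bytes are NUL. Returns 1 on
   success, 0 on bad arguments or a contract violation. A strncpy that
   reads into the guard page terminates the process with SIGSEGV instead. */
int strncpy_page_boundary_ok(size_t len, size_t n)
{
    void *base = NULL;
    size_t maplen = 0;
    if (n <= len)
        return 0;
    char *src = make_src_at_page_end(len, &base, &maplen);
    if (src == NULL)
        return 0;
    char *dst = malloc(n);
    if (dst == NULL) {
        munmap(base, maplen);
        return 0;
    }
    memset(dst, 'x', n);               /* exposes bytes strncpy failed to write */
    strncpy(dst, src, n);
    int ok = memcmp(dst, src, len) == 0;
    for (size_t i = len; i < n; i++)
        ok = ok && dst[i] == '\0';
    free(dst);
    munmap(base, maplen);
    return ok;
}

int main(void)
{
    /* Constructed cases: string lengths and counts chosen around the
       24-byte count cutoff visible in the patch (cmp.geu p6, p5 = 24, in2)
       and around 8-byte word boundaries; len 0 exercises the (p8) path. */
    size_t lens[] = { 0, 1, 7, 8, 23, 24, 25, 64, 100 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t n = lens[i] + 40;
        printf("len=%zu n=%zu %s\n", lens[i], n,
               strncpy_page_boundary_ok(lens[i], n) ? "ok" : "FAIL");
    }
    return 0;
}
```

Running this under the libc being tested is the check the patch description implies: with the guard page in place, the fault in `.recovery4` shows up as a crash on every run rather than only on the rare layout where nothing is mapped after the string.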