March 09, 2013
http://d.puremagic.com/issues/show_bug.cgi?id=9677

           Summary: Crash on setting length property of array VC 2012 64
                    bit
           Product: D
           Version: D2
          Platform: x86_64
        OS/Version: Windows
            Status: NEW
          Severity: normal
          Priority: P2
         Component: druntime
        AssignedTo: nobody@puremagic.com
        ReportedBy: pr@m1xa.com


--- Comment #0 from Michael <pr@m1xa.com> 2013-03-09 11:39:56 PST ---
Exception code: 0xc0000005
Fault offset: 0x0000000000002112

Compiles, but crashes.

Sample:

// dmd -m64 sample.d
int main(string[] args)
{
   int[] a;
   a.length = 10;
   return 0;
}

Win 8 Pro 64 bit
Dmd 2.062
Visual Studio 2012 Express for Windows Desktop; Update 2 CTP (Update 1)

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------

Rainer Schuetze <r.sagitario@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |wrong-code
                 CC|                            |r.sagitario@gmx.de
           Severity|normal                      |critical


--- Comment #1 from Rainer Schuetze <r.sagitario@gmx.de> 2013-03-10 01:15:51 PST ---
This is actually a codegen bug that just happens to be exposed by TLS memory being in memory above 4GB with VS2012.

Reduced test case:

/////////////////////// 8< //////////
module lifetime;

int *__blkcache_storage;
size_t __nextBlkIdx;

/**
 * Resize dynamic arrays with 0 initializers.
 */
void _d_arraysetlengthT(size_t newlength)
{
    asm
    {
        mov RAX, newlength;
    }

    auto cache = __blkcache_storage;
    int *curpos = cache + __nextBlkIdx;
    *curpos = 0;
}
/////////////////////// >8 //////////

"dmd -c -O -m64 lifetime.d" creates this code:

_D8lifetime18_d_arraysetlengthTFmZv:
  0000000000000000: 55                 push        rbp
  0000000000000001: 48 8B EC           mov         rbp,rsp
  0000000000000004: 48 83 EC 10        sub         rsp,10h
  0000000000000008: 53                 push        rbx
  0000000000000009: 48 89 4D 10        mov         qword ptr [rbp+10h],rcx
  000000000000000D: 48 8B 45 10        mov         rax,qword ptr [rbp+10h]
  0000000000000011: 8B 05 00 00 00 00  mov         eax,dword ptr [_tls_index]
  0000000000000017: 65 48 8B 14 25 58  mov         rdx,qword ptr gs:[58h]
                    00 00 00
  0000000000000020: 48 8D 04 C2        lea         eax,[rdx+rax*8]
  0000000000000024: 48 8B 10           mov         rdx,qword ptr [rax]
  0000000000000027: BB 00 00 00 00     mov         ebx,offset
_D8lifetime18__blkcache_storagePi
  000000000000002C: 48 8B 14 1A        mov         rdx,qword ptr [rdx+rbx]
  0000000000000030: 48 89 55 F8        mov         qword ptr [rbp-8],rdx
  0000000000000034: 48 8B 00           mov         rax,qword ptr [rax]
  0000000000000037: BA 00 00 00 00     mov         edx,offset
_D8lifetime12__nextBlkIdxm
  000000000000003C: 48 8B 04 10        mov         rax,qword ptr [rax+rdx]
  0000000000000040: 48 8B 55 F8        mov         rdx,qword ptr [rbp-8]
  0000000000000044: 48 8D 04 82        lea         rax,[rdx+rax*4]
  0000000000000048: 48 89 45 F0        mov         qword ptr [rbp-10h],rax
  000000000000004C: 48 8B 45 F0        mov         rax,qword ptr [rbp-10h]
  0000000000000050: C7 00 00 00 00 00  mov         dword ptr [rax],0
  0000000000000056: 5B                 pop         rbx
  0000000000000057: 48 8D 65 00        lea         rsp,[rbp]
  000000000000005B: 5D                 pop         rbp
  000000000000005C: C3                 ret

Note the "eax" assignment at offset 0x20; it should be rax.

--- Comment #2 from Rainer Schuetze <r.sagitario@gmx.de> 2013-03-10 01:18:18 PST ---
*** Issue 9678 has been marked as a duplicate of this issue. ***

Rainer Schuetze <r.sagitario@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch


--- Comment #3 from Rainer Schuetze <r.sagitario@gmx.de> 2013-03-10 03:34:06 PDT ---
https://github.com/D-Programming-Language/dmd/pull/1733

--- Comment #4 from Rainer Schuetze <r.sagitario@gmx.de> 2013-03-10 03:38:56 PDT ---
Arg, I modified the disassembly after trying the fix, so please don't be confused by the generated code bytes; the original code did not have the 0x48 prefix:

0000000000000020: 8D 04 C2        lea         eax,[rdx+rax*8]


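As an added example (not code from the bug report or from dmd), the pattern Rainer points at in comments #1 and #4 can be caught mechanically: a Python check over dumpbin-style output that flags any memory access whose base register was last written through its 32-bit alias, since such a write zero-extends and so truncates any pointer above 4GB. The listing excerpt is constructed from comment #1 with the pre-fix bytes of offset 0x20 from comment #4; the REX.W-prefixed "fixed" variant is an assumed encoding.

```python
import re

# Constructed excerpt of the dumpbin listing from comment #1, with the pre-fix
# encoding of offset 0x20 from comment #4 (no REX.W: EAX is written, so the
# upper half of RAX is zeroed right before RAX is used as a pointer).
BUGGY_LISTING = """\
  0000000000000011: 8B 05 00 00 00 00  mov         eax,dword ptr [_tls_index]
  0000000000000017: 65 48 8B 14 25 58  mov         rdx,qword ptr gs:[58h]
                    00 00 00
  0000000000000020: 8D 04 C2           lea         eax,[rdx+rax*8]
  0000000000000024: 48 8B 10           mov         rdx,qword ptr [rax]
"""
# Assumed post-fix encoding: REX.W prefix present, 64-bit destination.
FIXED_LISTING = re.sub(r"8D 04 C2\s+lea\s+eax,", "48 8D 04 C2  lea  rax,",
                       BUGGY_LISTING)

# 32-bit GPR -> the 64-bit register it aliases; a 32-bit write zero-extends.
NARROW = {"eax": "rax", "ebx": "rbx", "ecx": "rcx", "edx": "rdx",
          "esi": "rsi", "edi": "rdi", "ebp": "rbp", "esp": "rsp"}
# dumpbin line: offset, one or more hex bytes, mnemonic, operands.
INSN_RE = re.compile(
    r"^\s*([0-9a-f]{16}):\s+(?:[0-9a-f]{2}\s)+\s*[a-z]+\s+(\S.*)$", re.I)

def base_registers(operands):
    # Base = first register inside [...] unless it is scaled (rax*8 is an
    # index, not a base); gs:[58h] names no register at all.
    bases = []
    for mem in re.findall(r"\[([^\]]*)\]", operands):
        regs = re.findall(r"\b(r[a-d]x|r[sd]i|r[bs]p)\b(\*\d)?", mem.lower())
        if regs and not regs[0][1]:
            bases.append(regs[0][0])
    return bases

def find_truncated_pointer_bases(listing):
    # Flag memory accesses whose base register was last written through its
    # 32-bit alias; returns [(use_offset, register, narrowing_write_offset)].
    narrowed, findings = {}, []
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if not m:                       # byte/symbol continuation lines
            continue
        offset, operands = int(m.group(1), 16), m.group(2)
        for reg in base_registers(operands):
            if reg in narrowed:
                findings.append((offset, reg, narrowed[reg]))
        dest = operands.split(",")[0].strip().lower()
        if dest in NARROW:              # e.g. lea eax,... truncates rax
            narrowed[NARROW[dest]] = offset
        elif dest in NARROW.values():   # a full 64-bit write restores it
            narrowed.pop(dest, None)
    return findings
```

Run against the buggy listing it reports the load at 0x24 through rax narrowed at 0x20; against the REX.W variant it reports nothing.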
Maxim Fomin <maxim@maxim-fomin.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|patch                       |pull
                 CC|                            |maxim@maxim-fomin.ru


--- Comment #5 from Maxim Fomin <maxim@maxim-fomin.ru> 2013-03-10 04:01:34 PDT ---
Github pull requests are usually marked as pull, not patch.


--- Comment #6 from github-bugzilla@puremagic.com 2013-03-10 13:23:47 PDT ---
Commit pushed to master at https://github.com/D-Programming-Language/dmd

https://github.com/D-Programming-Language/dmd/commit/a90fa90bf975cf5db5f1f490735692abafc9be92 Merge pull request #1733 from rainers/tls_array_pvoid

fix issue 9677:  Crash on setting length property of array 64 bit

--- Comment #7 from github-bugzilla@puremagic.com 2013-03-10 13:27:41 PDT ---
Commit pushed to 2.062 at https://github.com/D-Programming-Language/dmd

https://github.com/D-Programming-Language/dmd/commit/e7489b375a3cf80179ab678ccdea2d1a0a6491d7 Merge pull request #1733 from rainers/tls_array_pvoid

fix issue 9677:  Crash on setting length property of array 64 bit

--- Comment #8 from github-bugzilla@puremagic.com 2013-03-10 13:28:37 PDT ---
Commit pushed to dmd-1.x at https://github.com/D-Programming-Language/dmd

https://github.com/D-Programming-Language/dmd/commit/73162f3008cbe2842c32f9e6ac9bdb0a0c155bf2 Merge pull request #1733 from rainers/tls_array_pvoid

fix issue 9677:  Crash on setting length property of array 64 bit

Walter Bright <bugzilla@digitalmars.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |bugzilla@digitalmars.com
          Component|druntime                    |DMD
            Version|D2                          |D1 & D2
         Resolution|                            |FIXED
