Re: [hatari-devel] regression in debugger / disasm ? -> tricky out of li

Re: [hatari-devel] regression in debugger / disasm ? -> tricky out of limit memory access

[ Thread Index | Date Index | More lists.tuxfamily.org/hatari-devel Archives ]

To: hatari-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [hatari-devel] regression in debugger / disasm ? -> tricky out of limit memory access
From: Nicolas Pomarède <npomarede@xxxxxxxxxxxx>
Date: Wed, 25 Dec 2013 15:33:21 +0100

Le 25/12/2013 13:31, Nicolas Pomarède a écrit :

So, I don't think it's a config problem. I will try to look at the ext
disasm sources, sthg seems wrong here.

Took some time, it was a nasty bug due to out of limit memory access ;why it triggers with gcc 4.8.2, I don't know, different data structure /internal optimisations in gcc certainly.

So, in 68kDisass.c / Disass68k, we have a loop to look for the decodingof the EA of the opcode, around line 2020 :


                // Parse the EAs for all operands
                ea = opcode[0] & 0x3F;
                dbuf = operandBuffer;

                for(i=0; i<(sizeof(ots->op)/sizeof(ots->op[0])); ++i)

In that case, sizeof(ots->op)/sizeof(ots->op[0]) = 5 (see op[5] in thedefinition of OpcodeTableStruct) ; so the for loop should stop after 5iterations ? Well, in my case it doesn't ! It goes on to 7 or 8, untilop[i] is a non recognized enum in Disass68kOpcodeFormat, which createsthe "DC.W" output as, the instruction in considered unknown.

I tried replacing the loop by a simple "for (i=0;i<5;i++)", but eventhen, the loop doesn't stop at 5 ...

After a lot of printf to try to follow the instruction flow, I saw theselines around 2420 :


         // does another operand follow => add separator
         if(ots->op[i+1] != ofNone)
              *dbuf++ = ',';

The problem is that when i=4, we test op[5], which is outside of thelimit. In that case, a ',' is added to dbuf ; but dbuf is very large, weshould not overwrite anything, so I don't see why it alter theprocessing of the for loop... (certainly the way gcc handles the stackfor local variable or sthg like that)


Still, by doing :

        if ( (i+1<5) && ( ots->op[i+1] != ofNone) )
                  *dbuf++ = ',';

Then everything works again as before ; so I will commit a patch to thislater.

In the meantime, if someones wants to try with mudflap or similar toolsto see if an access error is reported with proper debugging flags, itcould be interesting to see (is this error really detected by mudflap orothers ?)



Nicolas

Follow-Ups:
- Re: [hatari-devel] regression in debugger / disasm ? -> tricky out of limit memory access
  - From: Eero Tamminen

References:
- [hatari-devel] regression in debugger / disasm ?
  - From: Nicolas Pomarède
- Re: [hatari-devel] regression in debugger / disasm ?
  - From: Nicolas Pomarède
- Re: [hatari-devel] regression in debugger / disasm ?
  - From: Thomas Huth
- Re: [hatari-devel] regression in debugger / disasm ?
  - From: Nicolas Pomarède

Messages sorted by: [ date | thread ]
Prev by Date: Re: [hatari-devel] regression in debugger / disasm ?
Next by Date: Re: [hatari-devel] regression in debugger / disasm ?
Previous by thread: Re: [hatari-devel] regression in debugger / disasm ?
Next by thread: Re: [hatari-devel] regression in debugger / disasm ? -> tricky out of limit memory access

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/