Hi

The Intel P6 family of processors (Pentium Pro, Pentium 2, Pentium 3) has a bug in the
call *%esp instruction. The instruction should push the current EIP onto the stack,
decrement ESP by 4 and jump to the value ESP had before the decrement. P6 processors
will instead jump to the address after the decrement (so they execute the pushed
return address as code).
See Pentium Pro erratum 70, Pentium 2 erratum A33, Pentium 3 erratum E17.

GCC generates call *%esp for this example when it is compiled with -O2
-fomit-frame-pointer -mpreferred-stack-boundary=2:
int main()
{
        /* 0xc3 is the opcode of "ret": a one-byte function living on the stack */
        volatile unsigned code = 0x000000c3;
        /* call the stack variable as a function; with -O2 and the flags above
           gcc emits this as "call *%esp" because code sits at the top of the stack */
        ((void (*)(void))&code)();
        return 0;
}

The code crashes when executed on a P6 processor and executes correctly on other
processors.

GCC shouldn't use the %esp register directly as the target of a call instruction
(addressing memory through %esp is fine).

---

Note: this bug comes from a piece of code used to call an arbitrary interrupt.
I coded it as this. The "call *%esp" bug looks weird but is not an artificial
example; it comes from real code that was written and used.

static void INTR(unsigned int_no)
{
        /* little-endian bytes: cd <int_no> c3, i.e. "int $int_no; ret" */
        volatile unsigned code = 0xc300cd | (int_no << 8);
        /* jump to the two-instruction stub on the stack; gcc turns this into
           "call *%esp", which triggers the P6 erratum described above */
        ((void (*)(void))&code)();
}
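A build-time check that scans gcc -S output for the exact instruction form this report describes (ESP itself as the register-indirect call target), as an added example that is not part of the report or of GCC; the sample assembly below is constructed by hand to mimic the reproducer and the INTR stub, not real compiler output.

```python
import re
import sys
from typing import List, Tuple

# An indirect near call whose target *is* the ESP register: AT&T "call *%esp"
# (gas also accepts the explicit-size mnemonic "calll"). A memory operand that
# merely uses ESP as a base, e.g. "call *(%esp)" or "call *4(%esp)", does not
# hit the erratum and must not match.
_CALL_ESP = re.compile(r"^calll?\s+\*%esp$", re.IGNORECASE)


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment, the comment syntax gas uses on i386."""
    idx = line.find("#")
    return line if idx == -1 else line[:idx]


def find_call_esp(asm_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, instruction text) for every call *%esp."""
    hits = []
    for num, raw in enumerate(asm_text.splitlines(), start=1):
        text = _strip_comment(raw).strip()
        if _CALL_ESP.match(text):
            hits.append((num, text))
    return hits


# Constructed sample resembling what gcc -S might emit for the reproducer;
# not actual GCC output.
SAMPLE_ASM = """\
main:
        subl    $4, %esp
        movl    $195, (%esp)    # 0xc3 = ret, stored in 'code'
        call    *%esp           # hits the P6 erratum
        call    *(%esp)         # fine: ESP only used as a base register
        call    *4(%esp)        # fine
        calll   *%esp
        xorl    %eax, %eax
        addl    $4, %esp
        ret
"""

if __name__ == "__main__":
    # Usage: python check_call_esp.py file.s  (reads stdin when no file given)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    for num, text in find_call_esp(src):
        print(f"line {num}: {text}")
    sys.exit(1 if find_call_esp(src) else 0)
```

The check is meant to run over the assembler output of each object that targets a 32-bit P6-era CPU; a non-zero exit status flags the build.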


-- 
           Summary: call *%esp shouldn't be generated because of CPU errata
           Product: gcc
           Version: 4.4.2
            Status: UNCONFIRMED
          Severity: minor
          Priority: P3
         Component: target
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: mikulas at artax dot karlin dot mff dot cuni dot cz
 GCC build triplet: i486-linux-gnu
  GCC host triplet: i486-linux-gnu
GCC target triplet: i486-linux-gnu


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41900
