Project

General

Profile

Actions

Bug #1165

closed

GCC-aspectator fails with fatal error: incorrect reference code

Added by Pavel Shved over 13 years ago. Updated about 12 years ago.

Status:
Closed
Priority:
High
Category:
-
Start date:
05/03/2011
Due date:
% Done:

0%

Estimated time:
Detected in build:
svn
Platform:
Published in build:
d8d3c5a

Description

Steps to reproduce:

LDV_DEBUG=30 ldv-manager rule_models=32_1a "envs=linux-2.6.31.6.tar.bz2" drivers=drivers/ieee1394/eth1394.ko kernel_driver=1 name=ri13

Excerpt from the error message:

/home/pavel/work/ldv/test/work/current--X--drivers/ieee1394/eth1394.ko--X--ri13linux-2.6.31.6--X--32_1a/linux-2.6.31.6/csd_deg_dscv/11/dscv_tempdir/dscv/ri/32_1a/drivers/ieee1394/eth1394.c.p:1721:1: fatal error: incorrect reference code
compilation terminated.
Aspectator fails on the 3d stage

Excerpt from the code:

1716 static void ether1394_get_drvinfo(struct net_device *dev,
1717           struct ethtool_drvinfo *info)
1718 {
1719   strcpy(info->driver, driver_name);
1720   strcpy(info->bus_info, "ieee1394"); /* FIXME provide more detail? */
1721 }
1722

Files

reprod.tgz (2.4 MB) reprod.tgz reproduce package for mem_ref and reference_type Pavel Shved, 06/13/2011 06:45 PM

Related issues 3 (2 open1 closed)

Related to Linux Driver Verification - Bug #1167: Bugs related with 32_1a modelOpen05/03/2011

Actions
Related to Linux Driver Verification - Bug #1323: CIL doesn't appear to know GNU extension 'asm goto'OpenVadim Mutilin06/07/2011

Actions
Related to C Instrumentation Framework - Bug #1258: C back-end processes typedefs on arrays incorrectlyClosedEvgeny Novikov05/20/2011

Actions
Actions #1

Updated by Pavel Shved over 13 years ago

There are only 7 drivers affected. Not that important, I guess.

Actions #2

Updated by Evgeny Novikov over 13 years ago

As well as #1158 issue.

Actions #3

Updated by Evgeny Novikov over 13 years ago

  • Status changed from New to Open

As I understand just mem_ref tree node isn't supported at the moment.

Actions #4

Updated by Evgeny Novikov over 13 years ago

Eugene Novikov wrote:

As I understand just mem_ref tree node isn't supported at the moment.

And this is the case! 9 drivers of linux-2.6.37 aren't processed because of the given reason.

Actions #5

Updated by Alexey Khoroshilov over 13 years ago

  • Priority changed from Normal to High

ldv-git shows that only 10% of drivers reach RCV stage with the new aspectator. The main problems are:
reference_type - 80% fails
mem_ref - 46% fails

Actions #6

Updated by Evgeny Novikov over 13 years ago

  • Status changed from Open to Feedback

Alexey could you provide description of reference_type problem since I have never seen it...

Actions #7

Updated by Alexey Khoroshilov over 13 years ago

  • Status changed from Feedback to New

Eugene Novikov wrote:

Alexey could you provide description of reference_type problem since I have never seen it...

I do not know what is it. I just see a column in stats server.

Actions #8

Updated by Alexey Khoroshilov over 13 years ago

For example:

.../artificial_env_1/csd_deg_dscv/11/dscv_tempdir/dscv/ri/43_1a/drivers/base/core.c.p: In function 'dev_set_name': 
.../artificial_env_1/csd_deg_dscv/11/dscv_tempdir/dscv/ri/43_1a/drivers/base/core.c.p:825:1: error: LDV:
/home/tester/ldv/ldv-tools/rule-instrumentor/aspectator/gcc-4.6/__install/aspectator-core-src/gcc/c-family/ldv-convert.c: 5214: tree node 'reference_type' isn't supported

Actions #9

Updated by Evgeny Novikov over 13 years ago

Moreover, because of the given issue, aspectator doesn't like constructions intended for new gcc. For instance, from arch/x86/include/asm/string_64.h:

#if (__GNUC__ == 4 && __GNUC_MINOR__ >= 3) || __GNUC__ > 4
extern void *memcpy(void *to, const void *from, size_t len);
#else
extern void *__memcpy(void *to, const void *from, size_t len);
#define memcpy(dst, src, len)                                   \
({                                                              \
        size_t __len = (len);                                   \
        void *__ret;                                            \
        if (__builtin_constant_p(len) && __len >= 64)           \
                __ret = __memcpy((dst), (src), __len);          \
        else                                                    \
                __ret = __builtin_memcpy((dst), (src), __len);  \
        __ret;                                                  \
})
#endif

After all leads to mem_ref problem:
work/current--X--online-drivers--from_oldserv--wl12xx.tar.bz2.tar.bz2--X--defaultlinux-2.6.31.6--X--29_1/linux-2.6.31.6/csd_deg_dscv/2/dscv_tempdir/dscv/ri/29_1/main.c.p: In function 'wl12xx_build_null_data':
work/current--X--online-drivers--from_oldserv--wl12xx.tar.bz2.tar.bz2--X--defaultlinux-2.6.31.6--X--29_1/linux-2.6.31.6/csd_deg_dscv/2/dscv_tempdir/dscv/ri/29_1/main.c.p:485:1: error: LDV: aspectator-core-src/gcc/ldv-pointcut-matcher.c: 310: tree node 'mem_ref' isn't supported

(here you can see an example having the given problem).
Temporary workaround turn on options intended for old llvm-based aspectator.

Actions #10

Updated by Alexey Khoroshilov over 13 years ago

Is it difficult to fix in c-backend/aspectator?

Actions #11

Updated by Evgeny Novikov over 13 years ago

Alexey Khoroshilov wrote:

Is it difficult to fix in c-backend/aspectator?

We should do it this week because of we have corresponding user story :) But nevertheless we have to keep options that hide actual gcc version used because of #1323 issue.

Actions #12

Updated by Evgeny Novikov over 13 years ago

At the moment because of #1323 bug "resolution" the issue has gone away, but we should fix it as well as the original one (since they are simply the same indeed).

Actions #13

Updated by Evgeny Novikov over 13 years ago

  • Status changed from New to Open

The problem is clear. Work to eliminate it.

Actions #14

Updated by Pavel Shved over 13 years ago

I prepared a package to easily reproduce both bugs. But the strange thing is that one of them reproduces on Alexey's machine only! Does it have something to do with 32-bit arch?

Steps to reproduce:

Download Linux Kernel 3.0-rc1, unpack it and prepare

mkdir -p /tmp/reproduce_kernel
tar -xaf linux-3.0-rc1.tar.bz2  -C /tmp/reproduce_kernel
cd /tmp/reproduce_kernel/linux-3.0-rc1/
make allmodconfig && make init

Delete line 822 in file /tmp/reproduce_kernel/linux-3.0-rc1/include/linux/rcupdate.h (or build will be failing with message about negative array size)

Download reprod.tgz and unpack it:

tar -xaf reprod.tgz  -C /

Adjust <opt> in /tmp/reproduce/*/cmd.xml to point to GCC includes.

Now you can launch rule instrumentor:

LDV_DEBUG=100 WORK_DIR=`pwd` rule-instrumentor.pl --basedir=/tmp/reproduce/ref_type/driver --rule-model=43_1a --cmdfile=/tmp/reproduce/ref_type/cmd.xml --cmdfile-out=out.xml

or mem_ref/cmd.xml for the other bug.

There's a prepared version of these tools at tester@falcon in the ~/shved_tmp_bug1165. change dir there and launch ./fail.sh.

Actions #15

Updated by Evgeny Novikov over 13 years ago

After all, the problem with mem_ref was fixed by adding option -fno-builtin to the aspectator core (i.e. modified gcc) ones. This prevents changes of functions like strcpy, memcpy and a lot of others to gcc builtin functions (__builtin_strcpy, __builtin_memcpy and so on). Moreover, it leaded to total absence of MEM_REF.

The problem connected with reference_type is the architecture problem indeed. After thorough investigation I have found that it comes from gcc/config/i386/i386.c:

static tree
ix86_build_builtin_va_list_abi (enum calling_abi abi)
{
  tree f_gpr, f_fpr, f_ovf, f_sav, record, type_decl;

  /* For i386 we use plain pointer to argument area.  */
  if (!TARGET_64BIT || abi == MS_ABI)
    return build_pointer_type (char_type_node);

  ...

  /* The correct type is an array type of one element.  */
  return build_array_type (record, build_index_type (size_zero_node));
}

that in turn leads to generation of reference type in C in gcc/c-family/c-common.c:
void
c_common_nodes_and_builtins (void)
{
  ...

  if (TREE_CODE (va_list_type_node) == ARRAY_TYPE)
    {
      va_list_arg_type_node = va_list_ref_type_node =
    build_pointer_type (TREE_TYPE (va_list_type_node));
    }
  else
    {
      va_list_arg_type_node = va_list_type_node;
      va_list_ref_type_node = build_reference_type (va_list_type_node);
    }
  ...
}

So, when C backend prints calls to (for instance) __builtin_va_start function it should insert cast to reference type but it cannot do this:
  __builtin_va_start ( ( /* LDV: /home/tester/ldv/ldv-tools/rule-instrumentor/aspectator/gcc-4.6/__install/aspectator-core-src/gcc/c-family/ldv-pretty-print.c: 3600: specifier qualifier list of type name wasn't printed */ ) ( __builtin_va_list **) & vargs , fmt );

Actions #16

Updated by Evgeny Novikov over 13 years ago

Eugene Novikov wrote:

After all, the problem with mem_ref was fixed by adding option -fno-builtin to the aspectator core (i.e. modified gcc) ones. This prevents changes of functions like strcpy, memcpy and a lot of others to gcc builtin functions (__builtin_strcpy, __builtin_memcpy and so on). Moreover, it leaded to total absence of MEM_REF.

The fix is available in master commit:b542cb99e

Actions #17

Updated by Evgeny Novikov over 13 years ago

  • Status changed from Open to Resolved
  • Published in build set to 301fbf8

After yesterday discussion we decided to overcome the problem with reference type arising at x86 architecture in functions like __builtin_va_start simply by ignoring it. So at the moment we obtain uncompilable but checkable sources:

/tmp/reproduce/ref_type/driver/drivers/base/core.c.p: In function ‘dev_crit’:                                                 
/tmp/reproduce/ref_type/driver/drivers/base/core.c.p:1830: error: incompatible type for argument 1 of ‘__builtin_va_start’    
#‘reference_type’ not supported by pp_c_direct_abstract_declarator#’‘char ***’/tmp/reproduce/ref_type/driver/drivers/base/core.c.p:1830: note: expected  but argument is of type

As for me, I don't know exactly how to deal with the given issue, but there is separate #1258 bug that covers it.

Actions #18

Updated by Alexey Khoroshilov over 13 years ago

  • Status changed from Resolved to Open
  • Published in build deleted (301fbf8)

After checking ~200 drivers it looks like reference_type issue is fixed, while mem_ref is still a significant one (~45% fails).

For example drivers/char/random.ko fails with the following message:

drivers/char/random.c.p: In function 'extract_entropy': 
drivers/char/random.c.p:902:1: error: LDV: ldv-pointcut-matcher.c: 310: tree node 'mem_ref' isn't supported
drivers/char/random.c.p:902:1: error: LDV: ldv-pointcut-matcher.c: 310: tree node 'mem_ref' isn't supported

Actions #19

Updated by Pavel Shved over 13 years ago

I do not see any memref errors on my machine. Perhaps, it's the x86 issue again.

Actions #20

Updated by Evgeny Novikov over 13 years ago

Pavel Shved wrote:

I do not see any memref errors on my machine. Perhaps, it's the x86 issue again.

Absolutely correctly! Again the issue presents just on x86 architecture and it is connected with hard coded __builtin_memcpy:

# 181 "/home/tester/ldv/workdir/envs/1/shadows/arch/x86/include/asm/string_32.h" 
#if (__GNUC__ >= 4)
#define memcpy(t, f, n) __builtin_memcpy(t, f, n)
#else
#define memcpy(t, f, n)> \
 (__builtin_constant_p((n)) \
 ? __constant_memcpy((t), (f), (n)) \
 : __memcpy((t), (f), (n)))
#endif

So I suggest that we should also prevent __builtin_* functions changes (that in particular leads to MEM_REF) or I can try to implement MEM_REF processing by returning back a call to __builtin_ function. I think that the first way is preferable since the second may be doesn't give the initial representation...

Actions #21

Updated by Evgeny Novikov over 13 years ago

This is a problem also for non x86 architecture (e.g. for x86_64) since nevertheless somebody can use __builtin_memcpy directly for instance. I can reproduce the problem by means of the following short example:

struct AAA
{
 char name[100];
};
int f(struct AAA *DDD)
{
 unsigned char tmp[10];
 __builtin_memcpy(DDD->name, tmp, 10);
}

But I don't know exactly the field of mapped to MEM_REF constructions and I suggest that the easiest way to fix it is to disable so called built-in functions folding just in aspectator mode of gcc.

Actions #22

Updated by Evgeny Novikov over 13 years ago

  • Status changed from Open to Resolved

After a couple of attempts it becomes clear that folding should be ignored just for those built-in functions that leads to MEM_REF. It's interesting that just functions mem{{,p}cpy,move} contain the given "problem". So, eventually I have disabled these functions folding just in C source code generation (that's why object code will be the same as earlier). It's under test now.

Actions #23

Updated by Pavel Shved over 13 years ago

So the generated code will just contain "memcpy" calls et al, and won't unroll it into built-in functions?

Actions #24

Updated by Evgeny Novikov over 13 years ago

Pavel Shved wrote:

So the generated code will just contain "memcpy" calls et al, and won't unroll it into built-in functions?

It will contain just those things that were originally. For instance, on x86 there is a macro that convert memcpy into __builtin_memcpy (see comment 20), so after aspectator we should also obtain a call to __builtin_memcpy (instead of current problems with MEM_REF) if somebody doesn't prohibit the macro expansion above (e.g. by means of aspect file).

Actions #25

Updated by Evgeny Novikov over 13 years ago

  • Status changed from Resolved to Open

Unfortunately, it is not enough just to disable folding in C backend since aspectator also doesn't like MEM_REF. So at the moment I disable these functions folding in both tools.

Actions #26

Updated by Evgeny Novikov over 13 years ago

  • Status changed from Open to Resolved
  • Published in build set to d8d3c5a

At last, it seems that the problem was fixed. The issue should be closed after huge testing with git.

Actions #27

Updated by Alexey Khoroshilov over 13 years ago

  • Status changed from Resolved to Closed

I do not see mem_ref problems anymore.

Actions #28

Updated by Evgeny Novikov about 12 years ago

  • Project changed from Linux Driver Verification to C Instrumentation Framework
  • Category deleted (15)
Actions

Also available in: Atom PDF