Original bug ID: 4424
Reporter: Antoine Mine
Assigned to: @xavierleroy
Status: closed (set by @xavierleroy on 2007-10-24T07:39:31Z)
Resolution: fixed
Priority: normal
Severity: major
Version: 3.10.0
Category: ~DO NOT USE (was: OCaml general)
Related to: #4516 #5319
Monitored by: @mmottl

Bug description

When compiling the Lswitch instruction on a Linux AMD64, the %r11 register is first assigned the address of the label table, and then the table is jumped into. However, %r11 is also considered in register allocation. I have encountered a case where %r11 is selected for storing the table index used in the subsequent Lswitch, resulting in an immediate segmentation fault.

The generated code is:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47019237670160 (LWP 25174)]
0x0000000000561024 in XXX_cons_5199 ()
#0 0x0000000000561024 in XXX_cons_5199 ()

(gdb) disassemble
Dump of assembler code for function XXX_cons_5199:
0x0000000000560ff0 <XXX_cons_5199+0>: sub $0x38,%rsp
0x0000000000560ff4 <XXX_cons_5199+4>: mov %rax,0x18(%rsp)
0x0000000000560ff9 <XXX_cons_5199+9>: mov %rdi,%r10
0x0000000000560ffc <XXX_cons_5199+12>: mov %rdx,0x8(%rsp)
0x0000000000561001 <XXX_cons_5199+17>: mov %r9,0x10(%rsp)
0x0000000000561006 <XXX_cons_5199+22>: mov %rsi,0x0(%rsp)
0x000000000056100b <XXX_cons_5199+27>: cmp $0x1,%rsi
0x000000000056100f <XXX_cons_5199+31>: je 0x561404 <XXX_cons_5199+1044>
0x0000000000561015 <XXX_cons_5199+37>: mov (%rsi),%rdi
0x0000000000561018 <XXX_cons_5199+40>: movzbq 0xfffffffffffffff8(%rdi),%r11
0x000000000056101d <XXX_cons_5199+45>: lea 992996(%rip),%r11 # 0x653708
0x0000000000561024 <XXX_cons_5199+52>: jmpq *(%r11,%r11,8)
...

Unfortunately, I cannot provide right now the source code that produces this as it is part of a large non-publicly available program. If required, I can try and extract a slice exposing the behavior (also this is not easy as it is probably highly dependent upon register allocation).

Best regards