Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > muc.lists.netbsd.tech.toolchain > #3594

Re: netbsd-11 gcc bug

From Manuel Bouyer <bouyer@antioche.eu.org>
Newsgroups muc.lists.netbsd.tech.toolchain
Subject Re: netbsd-11 gcc bug
Date 2026-05-23 12:55 +0200
Organization Newsgate at muc.de e.V.
Message-ID <ahGHlgSY-CcScwUG@antioche.eu.org> (permalink)
References <ahFseBt1-iumbm_G@antioche.eu.org>

Show all headers | View raw


[Multipart message — attachments visible in raw view] - view raw

On Sat, May 23, 2026 at 10:59:36AM +0200, Manuel Bouyer wrote:
> Hello,
> I tried upgrading a server to netbsd-11 and quickly got a panic
> in ipf:
> [ 150.0240120] fatal page fault in supervisor mode
> [ 150.0586271] trap type 6 code 0 rip 0xffffffff8056dffa cs 0x8 rflags 0x10286 cr2 0xec ilevel 0x4 rsp 0xffff870268a63a50
> [ 150.1225901] curlwp 0xffff869617c47400 pid 0.3 lowest kstack 0xffff870268a5f2c0
> [ 150.1657501] panic: trap
> [ 150.1803103] cpu0: Begin traceback...
> [ 150.2016313] vpanic() at netbsd:vpanic+0x171
> [ 150.2257081] panic() at netbsd:panic+0x3c
> [ 150.2473911] trap() at netbsd:trap+0xb43
> [ 150.2743808] --- trap (number 6) ---
> [ 150.2951811] ipf_fastroute() at netbsd:ipf_fastroute+0x6ea
> [ 150.3266935] ipf_send_ip() at netbsd:ipf_send_ip+0x127
> [ 150.3544099] ipf_check() at netbsd:ipf_check+0xfd5
> [ 150.3859226] pfil_run_hooks() at netbsd:pfil_run_hooks+0x11e
> [ 150.4164994] ipintr() at netbsd:ipintr+0x21e
> [ 150.4451003] softint_dispatch() at netbsd:softint_dispatch+0x112
> 
> ipf_fastroute+0x6ea points to external/bsd/ipf/netinet/ip_fil_netbsd.c
> line 1200:
>                 if (!fr || !(fr->fr_flags & FR_RETMASK)) {
> 
> 0xec matches the offset of fr_flags in struct frentry_t
> This code shouldn't dereference fr_flags if fr is NULL.
> 
> The assembly code matching this part of ipf_fastroute() is:
> 1219                    fin->fin_fr = NULL;
>    0xffffffff8056dfeb <+1755>:  movq   $0x0,0x10(%r15)
> 
> 1220                    if (!fr || !(fr->fr_flags & FR_RETMASK)) {
>    0xffffffff8056dff3 <+1763>:  mov    -0xd8(%rbp),%r8
> --Type <RET> for more, q to quit, c to continue without paging--
>    0xffffffff8056dffa <+1770>:  testl  $0x3000,0xec(%r8)
>    0xffffffff8056e005 <+1781>:  mov    -0xf0(%rbp),%r9
>    0xffffffff8056e00c <+1788>:  je     0xffffffff8056e326 <ipf_fastroute+2582>
>    0xffffffff8056e012 <+1794>:  mov    %r9,-0xd8(%rbp)
> 
> 1224                    }
> 
> ipf_fastroute+2582 does the call to ipf_state_check() and jumps back to +1794
>  
> But it seems to assume that fr cannot be NULL here but I can't find
> on which basis. Any idea how I could force a NULL check here ?

More data point:
on netbsd-10, the same code is compiled as:
1217                    if (!fr || !(fr->fr_flags & FR_RETMASK)) {
   0xffffffff8056aaa0 <+1811>:  test   %r14,%r14
   0xffffffff8056aaa3 <+1814>:  je     0xffffffff8056aae2 <ipf_fastroute+1877>
   0xffffffff8056aaa5 <+1816>:  testl  $0x3000,0xec(%r14)
   0xffffffff8056aab0 <+1827>:  je     0xffffffff8056aae2 <ipf_fastroute+1877>

1221                    }

On netbsd-11, building ipf_fastroute() with O0 or O1 makes the NULL test
show up in assembly. With O2 is't not present.

I'm now running  a kernel with the attached patch, lets see how it works.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 ans d'experience feront toujours la difference
--

Back to muc.lists.netbsd.tech.toolchain | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread


Thread

netbsd-11 gcc bug Manuel Bouyer <bouyer@antioche.eu.org> - 2026-05-23 10:59 +0200
  Re: netbsd-11 gcc bug Manuel Bouyer <bouyer@antioche.eu.org> - 2026-05-23 12:55 +0200
    Re: netbsd-11 gcc bug Manuel Bouyer <bouyer@antioche.eu.org> - 2026-05-23 20:45 +0200
  Re: netbsd-11 gcc bug Valery Ushakov <uwe@stderr.spb.ru> - 2026-05-23 14:22 +0300
    Re: netbsd-11 gcc bug Manuel Bouyer <bouyer@antioche.eu.org> - 2026-05-23 13:28 +0200
  Re: netbsd-11 gcc bug Roland Illig <roland.illig@gmx.de> - 2026-05-23 20:38 +0200
    Re: netbsd-11 gcc bug Manuel Bouyer <bouyer@antioche.eu.org> - 2026-05-23 20:47 +0200
      Re: netbsd-11 gcc bug Robert Elz <kre@munnari.OZ.AU> - 2026-05-24 02:29 +0700
        Re: netbsd-11 gcc bug Mouse <mouse@Rodents-Montreal.ORG> - 2026-05-23 19:11 -0400
          Re: netbsd-11 gcc bug Martin Husemann <martin@duskware.de> - 2026-05-24 10:44 +0200
            Re: netbsd-11 gcc bug Mouse <mouse@Rodents-Montreal.ORG> - 2026-05-24 08:33 -0400
              Re: netbsd-11 gcc bug Jason Thorpe <thorpej@me.com> - 2026-05-24 11:38 -0400
                Re: netbsd-11 gcc bug "Greg A. Woods" <woods@planix.ca> - 2026-05-24 16:53 -0700
              Re: netbsd-11 gcc bug David Holland <dholland-tech@netbsd.org> - 2026-05-25 00:02 +0000
                Re: netbsd-11 gcc bug Mouse <mouse@Rodents-Montreal.ORG> - 2026-05-25 08:23 -0400
                C compiler (over-)optimization (was: netbsd-11 gcc bug) Edgar Fuß <ef@math.uni-bonn.de> - 2026-05-29 19:12 +0200
                Re: C compiler (over-)optimization (was: netbsd-11 gcc bug) Mouse <mouse@Rodents-Montreal.ORG> - 2026-05-29 14:21 -0400
                Re: C compiler (over-)optimization (was: netbsd-11 gcc bug) "Greg A. Woods" <woods@planix.ca> - 2026-05-29 14:27 -0700
                Re: C compiler (over-)optimization Anders Magnusson <ragge@tethuvudet.se> - 2026-05-30 12:30 +0200
                Re: C compiler (over-)optimization (was: netbsd-11 gcc bug) Andrew Cagney <andrew.cagney@gmail.com> - 2026-05-31 13:02 -0400
                Re: C compiler (over-)optimization (was: netbsd-11 gcc bug) Jason Thorpe <thorpej@me.com> - 2026-05-31 14:29 -0500
                Re: netbsd-11 gcc bug "Greg A. Woods" <woods@planix.ca> - 2026-05-28 14:40 -0700
                Re: netbsd-11 gcc bug Mouse <mouse@Rodents-Montreal.ORG> - 2026-05-28 18:36 -0400
                Re: netbsd-11 gcc bug Jason Thorpe <thorpej@me.com> - 2026-05-28 19:04 -0400
                Re: netbsd-11 gcc bug "Greg A. Woods" <woods@planix.ca> - 2026-05-29 14:31 -0700
      Re: netbsd-11 gcc bug Jörg Sonnenberger <joerg@bec.de> - 2026-05-26 13:52 +0200
        Re: netbsd-11 gcc bug Jason Thorpe <thorpej@me.com> - 2026-05-26 10:02 -0400

csiph-web