Open
Description
Component: Target - MIPS
Version: GCC 12.2.0 (Zephyr SDK 0.17.1-rc1)
Target: MIPS32, ELF32 big-endian, O32 ABI
Severity: Critical (Stack corruption in embedded systems)
Keywords: MIPS, MIPS16, stack overflow, codegen, Zephyr, O32 ABI, no optimization
Summary
The mips-zephyr-elf-gcc compiler (GCC 12.2.0, Zephyr SDK 0.17.1-rc1) generates incorrect MIPS assembly code for a function (test) when compiled with -O0, potentially under MIPS16 mode. The generated code stores parameters (a0 and a1) outside the allocated stack frame, causing stack overflow.
Steps to Reproduce
int test1(int a, int b)
{
return a + b;
}
void test(int a, int b)
{
int c = test1(a, b);
}
$ ~/.local/zephyr-sdk/mips-zephyr-elf/bin/mips-zephyr-elf-gcc -O0 -c test.c -mips16
$ ~/.local/zephyr-sdk/mips-zephyr-elf/bin/mips-zephyr-elf-objdump -S test.o
test.o: file format elf32-bigmips
Disassembly of section .text:
00000000 <test1>:
0: 63ff addiu sp,-8
2: d101 sw s1,4(sp)
4: 673d move s1,sp
6: d982 sw a0,8(s1)
8: d9a3 sw a1,12(s1)
a: 9962 lw v1,8(s1)
c: 9943 lw v0,12(s1)
e: e349 addu v0,v1,v0
10: 65b9 move sp,s1
12: 9101 lw s1,4(sp)
14: 6301 addiu sp,8
16: e820 jr ra
18: 6500 nop
1a: 6500 nop
0000001c <test>:
1c: 63fc addiu sp,-32
1e: 677f move v1,ra
20: d307 sw v1,28(sp)
22: d106 sw s1,24(sp)
24: 0104 addiu s1,sp,16
26: d984 sw a0,16(s1)
28: d9a5 sw a1,20(s1)
2a: 9965 lw v1,20(s1)
2c: 9944 lw v0,16(s1)
2e: 67a3 move a1,v1
30: 6782 move a0,v0
32: 1800 0000 jal 0 <test1>
36: 6500 nop
38: d940 sw v0,0(s1)
3a: 6500 nop
3c: 65b9 move sp,s1
3e: 9703 lw a3,12(sp)
40: 9102 lw s1,8(sp)
42: 6302 addiu sp,16
44: ef00 jr a3
46: 6500 nop
Actual Behavior
- The function allocates a 32-byte stack frame (addiu sp,-32).
- It sets s1 = sp + 16 and stores parameters a0 and a1 at s1 + 16 (i.e., sp + 32) and s1 + 20 (i.e., sp + 36).
- These addresses are outside the allocated stack frame (valid range: sp to sp + 31), causing stack overflow.