Jonathan Kuhn

When you read the title if you said to yourself "sure you did" you're probably not alone.  In fact I would probably have the same reaction myself reading that title.  I can remember when I first was learning to program I would occasionally want to blame problems I was having with my code on one of the tools or libraries I was using.  I think this is an experience many programmers have when they start out -- then you learn to blame yourself for problems.  The answer to the question "Why isn't the computer do what I want it to?" is almost always "Because it is doing what I am telling it to do."  However about a year ago, while I was working on the firmware for my USB Password Manager project, I had my first experience where that was not the answer...

So the bug I found wasn't in a big name compiler or anything.  It was in SDCC, a great open source C compiler that targets several different microcontroller architectures.  I used SDCC to develop the firmware for my USB Password Manager project.

I hadn't done a lot of embedded development before, so throughout my work on this project I ran into many normal bugs that were explained by something I was overlooking or misunderstanding about the 8051 architecture or the capabilities of the microcontroller I was using.  So while tracking down this bug I was quite skeptical that the code generation was actually incorrect.  However, after closely examining the assembly code the compiler was generating I was convinced that I was actually telling the compiler (in C code) to do exactly what I wanted the microcontroller to do, but the compiler was generating machine code that told the microcontroller to do something different. 

After I was convinced, I filed a bug report with the SDCC developers.  I was very impressed with how quickly the developers responded, fixing the problem in a little over 3 hours!

So, what fun would this blog entry be if I didn't dissect the technical details of the bug and explain it? I found it very interesting to understand the details of the bug an why it was happening, so I am hoping others will be interested too and learn something from my explanation of it here.

So let's get started, here is the C code that I submitted with my bug report that would reproduce the problem:

The problem occurs in the code generated for the second for loop (lines 20-23).  This loop should copy elements from b (starting at index 0) to buffer (starting at index 64).  What happens is that instead of copying from b[0] it will effectively try to copy data from b[256] (obviously overrunning the length of b).  As the comment says, if an equivalent loop is written that is indexed from 0 the bug doesn't happen.  While this workaround would fix the problem, there is no reason why this C code should not work correctly as is.

So lets dive into a snippet of the assembly code SDCC was generating for this loop.  This assembly code is what is generated for the entire second loop in the C code.  Don't be overwhelmed as I will only be focusing on a small portion of it.

First a couple of notes about the assembly code:

• a is the accumulator (it is 8-bits wide)
• dptr is a data pointer register used to access data memory (it is 16-bits wide)
• dph is the high-order byte of dptr and dpl is the low-order byte of dptr.
• _b is the address of the array b from the C code.  In the following discussion I will use _b even when referring to this array using C syntax since the 8051 has a register called b.

The instructions in lines 217-224 are supposed to load the address of _b[i-64] into the dptr register so that the value of _b[i-64] can be retrieved.  For my description here I will assume that we are executing the first iteration of the loop so that i=64.  Note that on line 209 a is set to the value of i (the compiler chose to store the value of i in r2).  Lines 217-224 should set dptr to the address of _b[64-64] or _b[0] (which is 0x121).  However what actually happens is that it is set to 0x221.

The bug originates on line 217 of the listing.  The intention of this line is to set calculate the low-order byte of the address of _b[64-64] and store it in a.  So after line 217 executes a=0x21, which is correct.  However because the addition that is done is 0x40 + 0xE1 the result 0x121 does not fit in 8-bits so a is set to 0x21 and the carry bit is set.

This carry bit causes a problem on line 223 when the addc instruction is executed to set a to the high-order byte of the address of _b[0] (the high-order byte should be 0x01).  Since a is currently 0, the addc is setting a to the high-order byte of _b (0x01) plus any carry.  In this case the carry bit is set, so a is set to 0x02 instead of 0x01.  There are circumstances where the carry would need to be set to calculate the correct high-order byte.  For example if we _b were a larger array and were calculating _b[0xdf] (which in this case would be at address 0x121 + 0xdf = 0x200).  In this example the first add instruction would calculate that the low-order byte is 0x00 and set the carry bit.  The carry bit would cause the high-order byte to incremented by 1 when the addc executes, causing the high byte to be 0x02.  When calculating _b[0xdf] this would be correct, but having the carry set when calculating _b[0] is not correct.

So the code that is incorrect is line 217.  It makes an assumption that the carry will only be set if the addition of the loop index and the address of the array causes a carry.  This seems correct at first, but what is happening in this case is that this single add instruction has two "jobs".  Its "first job" is to calculate the loop index from the expression (i - 64).  Its "second job" is to take that loop index and add it to the address of the array.  The assumption the code makes is really that the carry bit will only be set as a consequence of the "second job".  However in our case it is really the first job that causes the carry bit to be set.

To further illustrate this idea that line 217 performs two "jobs" we can split it up into two lines that each perform only one of the "jobs".  This looks like this:

Since the (i-64) subtraction is done by adding the 2s complement, the first instruction causes the carry bit to be set (0x40 + 0xC0 = 0x100).  However, the second instruction causes the carry bit to be cleared.  So if this code were used in place of line 217 the addc instruction at 223 would result in 0x01 which would be correct.

As it turns out the fix the SDCC developers made was to disable an optimization rule that replaced two add instructions with a single add instruction where the operand is the sum of the operands to the original two instructions.  This replacement would not always be valid because in the case of two add instructions only the carry from the second addition matters to subsequent carry-sensitive instructions.  So there is a subtle difference in using one add instruction versus two.  So the two add instructions I illustrated above is actually what the compiler originally generated and then during an optimization step these two add instructions were replaced by one.

I hope that you found this article interesting and maybe even learned something from it.  I think that digging into this bug and understanding it provides a small illustration of what a C compiler's job is and how much of the details of the underlying machine it really it hides from you.