From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id EBBCF385E452; Wed, 14 Feb 2024 17:19:03 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org EBBCF385E452 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1707931143; bh=+fK6bAzvgPoZu4Jl1xmr173ZIhjuCH5Y5IoZSidiafg=; h=From:To:Subject:Date:From; b=SP4u2pCza/ZpKKsgzP+xG1Hy7Jc7m9BpCleBsMbNJ6Dv4D7O4ThkAQkVTHHtENdQc edcZ/sHqf7/lz5sipfw2MClfcqH6BeROshNybq6VVHXAaAvKS3kaW0wUkSyMFCbht1 BXk6Q90hcX3V2pfAuVAijTXBqlPeRJavMGkV8sBI= From: "seanjc at google dot com" To: gcc-bugs@gcc.gnu.org Subject: [Bug c/113921] New: Output register of an "asm volatile goto" is incorrectly clobbered/discarded Date: Wed, 14 Feb 2024 17:19:01 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: c X-Bugzilla-Version: 11.4.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: seanjc at google dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113921 Bug ID: 113921 Summary: Output register of an "asm volatile goto" is incorrectly clobbered/discarded Product: gcc Version: 11.4.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: c Assignee: unassigned at gcc dot gnu.org Reporter: seanjc at google dot com CC: jakub at redhat dot com, ndesaulniers at google dot com, torvalds@linux-foundation.org, ubizjak at gmail dot 
com Target Milestone: --- Created attachment 57428 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57428&action=edit Intermediate output of the miscompiled file gcc-11 appears to have a bug that results in gcc incorrectly clobbering the output register of an "asm volatile goto". The failing asm blob is a sequence of VMREADs in the Linux kernel, with the outputs stored into a dynamically allocated structure whose lifecycle extends far beyond the scope of the code in question: vmcs12->guest_pdptr0 = vmcs_read64(GUEST_PDPTR0); vmcs12->guest_pdptr1 = vmcs_read64(GUEST_PDPTR1); vmcs12->guest_pdptr2 = vmcs_read64(GUEST_PDPTR2); vmcs12->guest_pdptr3 = vmcs_read64(GUEST_PDPTR3); where vmcs_read64() eventually becomes: asm volatile goto("1: vmread %[field], %[output]\n\t" "jna %l[do_fail]\n\t" _ASM_EXTABLE(1b, %l[do_exception]) : [output] "=r" (value) : [field] "r" (field) : "cc" : do_fail, do_exception); return value; do_fail: instrumentation_begin(); vmread_error(field); instrumentation_end(); return 0; do_exception: kvm_spurious_fault(); return 0; The first three PDPTR VMREADs are generated correctly, but the fourth is effectively ignored, and '0' is written to vmcs12->guest_pdptr3. 3597: mov $0x280a,%r13d 359d: vmread %r13,%r13 35a1: jbe 3724 35a7: mov %r13,0xd8(%rbx) 35ae: jmp 396b 35b3: mov $0x280c,%r13d 35b9: vmread %r13,%r13 35bd: jbe 3705 35c3: mov %r13,0xe0(%rbx) 35ca: jmp 393a 35cf: mov $0x280e,%r13d 35d5: vmread %r13,%r13 35d9: jbe 36e6 35df: mov %r13,0xe8(%rbx) 35e6: jmp 3909 35eb: mov $0x2810,%eax 35f0: vmread %rax,%rax <= VMREAD to nowhere 35f3: jbe 36ca 35f9: xor %r12d,%r12d <= zeroing of output 35fc: mov %r12,0xf0(%rbx) <= store to vmcs12->guest_pdptr3 Replacing "asm volatile goto" with the following macro #define asm_goto(x...) 
\ do { asm volatile goto(x); asm (""); } while (0) to force a second barrier generates functional code, although the attempt to miscompile the sequence is still evident, as the output of the affected VMREAD is unnecessarily bounced through an extra register: 35f8: mov $0x280a,%r13d 35fe: vmread %r13,%r13 3602: jbe 36b2 3608: mov %r13,0xd8(%rbx) 360f: jmp 3925 3614: mov $0x280c,%r13d 361a: vmread %r13,%r13 361e: jbe 3693 3620: mov %r13,0xe0(%rbx) 3627: jmp 38f4 362c: mov $0x280e,%r13d 3632: vmread %r13,%r13 3636: jbe 367a 3638: mov %r13,0xe8(%rbx) 363f: jmp 38c3 3644: mov $0x2810,%eax 3649: vmread %rax,%rax 364c: jbe 3664 364e: mov %rax,%r12 3651: mov %r12,0xf0(%rbx) The bug reproduces with two different 11.4.0 builds, on three different systems (Intel i7-9850H, Intel i7-13700K, AMD EPYC 7B12), all running Debian-based Linux. $ gcc -v Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa OFFLOAD_TARGET_DEFAULT=1 Target: x86_64-linux-gnu Configured with: ../src/configure -v --with-pkgversion='Ubuntu 11.4.0-1ubuntu1~22.04' --with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-11 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 
--enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-11-XeT9lY/gcc-11-11.4.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-XeT9lY/gcc-11-11.4.0/debian/tmp-gcn/usr --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-serialization=2 Thread model: posix Supported LTO compression algorithms: zlib zstd gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04) $ gcc-11 -v Using built-in specs. COLLECT_GCC=gcc-11 COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa OFFLOAD_TARGET_DEFAULT=1 Target: x86_64-linux-gnu Configured with: ../src/configure -v --with-pkgversion='Debian 11.4.0-4' --with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-11 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-11-IBEKnH/gcc-11-11.4.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-IBEKnH/gcc-11-11.4.0/debian/tmp-gcn/usr --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu 
--target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-serialization=28 Thread model: posix Supported LTO compression algorithms: zlib zstd gcc version 11.4.0 (Debian 11.4.0-4)