[Bug target/41900] New: call *%esp shouldn't be generated because of CPU errataHi
[Bug target/41900] New: call *%esp shouldn't be generated because of CPU errata

Hi

Intel P6 family of processors (Pentium Pro, 2, 3) have a bug in call *%esp instruction. The instruction should put current EIP to stack, decrement ESP by 4 and jump to a value of ESP before the decrement. P6 processors will jump to the address after the decrement (so they will execute return address as code). See Pentium Pro errata 70, Pentium 2 errata A33, Pentium 3 errata E17.

Gcc generates call *%esp for this example, when compiled with -O2 -fomit-frame-pointer -mpreferred-stack-boundary=2:

int main()
{
        /* bytes in memory: c3 00 00 00; c3 is the opcode of ret */
        volatile unsigned code = 0x000000c3;
        ((void (*)(void))&code)();
        return 0;
}

The code crashes when executed on P6 processor and executes correctly on other processors.

GCC shouldn't allow direct %esp register for call instruction. (addressing using %esp is fine).

---

Note: this bug comes from a piece of code used to call an arbitrary interrupt. I coded it as this. The "call *%esp" bug looks weird but is not an artificial example, it comes from a real code that was written and used.

static void INTR(unsigned int_no)
{
        /* bytes in memory: cd <int_no> c3 00, i.e. int $int_no; ret */
        volatile unsigned code = 0xc300cd | (int_no << 8);
        ((void (*)(void))&code)();
}

--
           Summary: call *%esp shouldn't be generated because of CPU errata
           Product: gcc
           Version: 4.4.2
            Status: UNCONFIRMED
          Severity: minor
          Priority: P3
         Component: target
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: mikulas at artax dot karlin dot mff dot cuni dot cz
 GCC build triplet: i486-linux-gnu
  GCC host triplet: i486-linux-gnu
GCC target triplet: i486-linux-gnu

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41900
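A small C model of the two behaviours described in the report above, added here as an illustration (it is not code from the bug report or from GCC). It places the reporter's `code` word at the top of a simulated stack, performs `call *%esp` under the documented semantics and under the P6 erratum, and returns the first byte the CPU would fetch at the jump target. The stack addresses, the return address and all helper names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_BASE 0x1000u   /* constructed address of the modelled stack window */

struct cpu {
    uint32_t esp, eip;
    uint8_t  stack[64];      /* bytes at STACK_BASE .. STACK_BASE + 63 */
};

/* Little-endian 32-bit store, as x86 performs it. */
static void store32(struct cpu *c, uint32_t addr, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        c->stack[addr - STACK_BASE + i] = (uint8_t)(v >> (8 * i));
}

/* call *%esp: push the return address, then jump.
   p6_erratum == 0: target is ESP as it was before the push (documented).
   p6_erratum != 0: target is ESP after the push (behaviour in the report). */
static uint32_t call_esp(struct cpu *c, uint32_t ret_addr, int p6_erratum)
{
    uint32_t esp_before = c->esp;
    c->esp -= 4;
    store32(c, c->esp, ret_addr);
    c->eip = p6_erratum ? c->esp : esp_before;
    return c->eip;
}

/* Put `code` at the top of stack (so &code == %esp), run the call and
   return the first byte that would be fetched at the jump target. */
uint8_t first_fetched_byte(uint32_t code, uint32_t ret_addr, int p6_erratum)
{
    struct cpu c = {0};
    c.esp = STACK_BASE + 32;
    store32(&c, c.esp, code);
    uint32_t target = call_esp(&c, ret_addr, p6_erratum);
    return c.stack[target - STACK_BASE];
}

int main(void)
{
    uint32_t code = 0xc300cdu | (0x10u << 8);  /* INTR(0x10): cd 10 c3 00 */
    uint32_t ret  = 0x08048123u;               /* constructed return address */
    printf("documented: fetches %02x\n", first_fetched_byte(code, ret, 0));
    printf("P6 erratum: fetches %02x\n", first_fetched_byte(code, ret, 1));
    return 0;
}
```

Under the erratum the first fetched byte is the low byte of the pushed return address, which is why the reporter's program crashes only on P6 processors.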
|
|
[Bug target/41900] call *%esp shouldn't be generated because of CPU errata------- Comment #1 from ubizjak at gmail dot com 2009-11-02 09:36 ------- This prototype patch should reject %esp from call operand: Index: predicates.md =================================================================== --- predicates.md (revision 153803) +++ predicates.md (working copy) @@ -561,7 +561,8 @@ ;; Test for a valid operand for a call instruction. (define_predicate "call_insn_operand" (ior (match_operand 0 "constant_call_address_operand") - (ior (match_operand 0 "register_no_elim_operand") + (ior (and (match_operand 0 "register_no_elim_operand") + (match_operand 0 "index_register_operand")) (match_operand 0 "memory_operand")))) ;; Similarly, but for tail calls, in which we cannot allow memory references. -- http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41900 |
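Review bot: The new (and (match_operand 0 "register_no_elim_operand") (match_operand 0 "index_register_operand")) arm of call_insn_operand rejects %esp only implicitly, by way of index_register_operand, and the comment above the predicate still reads just ";; Test for a valid operand for a call instruction." Please extend that comment to say that %esp is excluded because of the P6 call *%esp erratum (PR target/41900), so the extra match_operand is not later dropped as redundant. The restriction is also applied unconditionally here; if that is intended for every target CPU, state it in the same comment. The prototype as posted carries no testcase for the example from the report.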
|
|
[Bug target/41900] call *%esp shouldn't be generated because of CPU errata

------- Comment #2 from uros at gcc dot gnu dot org 2009-11-03 07:53 -------
Subject: Bug 41900

Author: uros
Date: Tue Nov 3 07:53:05 2009
New Revision: 153838

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=153838
Log:
    PR target/41900
    * config/i386/i386.h (ix86_arch_indices) <X86_ARCH_CALL_ESP>: New.
    (TARGET_CALL_ESP): New define.
    * config/i386/i386.c (initial_ix86_tune_features): Initialize
    X86_ARCH_CALL_ESP.
    * config/i386/i386.md (*call_pop_1_esp, *call_1_esp,
    *call_value_pop_1_esp, *call_value_1_esp): Rename from *call_pop_1,
    *call_1, *call_value_pop_1 and *call_value_1. Depend on
    TARGET_CALL_ESP.
    (*call_pop_1, *call_1, *call_value_pop_1, *call_value_1):
    New patterns, use "lsm" as operand 1 constraint.
    * config/i386/predicates.md (call_insn_operand): Depend on
    index_register_operand for !TARGET_CALL_ESP to avoid %esp register.

testsuite/ChangeLog:

    PR target/41900
    * gcc.target/i386/pr41900.c: New test.

Added:
    trunk/gcc/testsuite/gcc.target/i386/pr41900.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/config/i386/i386.c
    trunk/gcc/config/i386/i386.h
    trunk/gcc/config/i386/i386.md
    trunk/gcc/config/i386/predicates.md
    trunk/gcc/testsuite/ChangeLog
|
|
[Bug target/41900] call *%esp shouldn't be generated because of CPU errata

------- Comment #3 from uros at gcc dot gnu dot org 2009-11-04 14:15 -------
Subject: Bug 41900

Author: uros
Date: Wed Nov 4 14:14:49 2009
New Revision: 153896

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=153896
Log:
    PR target/41900
    * config/i386/i386.h (ix86_arch_indices) <X86_ARCH_CALL_ESP>: New.
    (TARGET_CALL_ESP): New define.
    * config/i386/i386.c (initial_ix86_tune_features): Initialize
    X86_ARCH_CALL_ESP.
    * config/i386/i386.md (*call_pop_1_esp, *call_1_esp,
    *call_value_pop_1_esp, *call_value_1_esp): Rename from *call_pop_1,
    *call_1, *call_value_pop_1 and *call_value_1. Depend on
    TARGET_CALL_ESP.
    (*call_pop_1, *call_1, *call_value_pop_1, *call_value_1):
    New patterns, use "lsm" as operand 1 constraint.
    * config/i386/predicates.md (call_insn_operand): Depend on
    index_register_operand for !TARGET_CALL_ESP to avoid %esp register.

testsuite/ChangeLog:

    PR target/41900
    * gcc.target/i386/pr41900.c: New test.

Added:
    branches/gcc-4_4-branch/gcc/testsuite/gcc.target/i386/pr41900.c
Modified:
    branches/gcc-4_4-branch/gcc/ChangeLog
    branches/gcc-4_4-branch/gcc/config/i386/i386.c
    branches/gcc-4_4-branch/gcc/config/i386/i386.h
    branches/gcc-4_4-branch/gcc/config/i386/i386.md
    branches/gcc-4_4-branch/gcc/config/i386/predicates.md
    branches/gcc-4_4-branch/gcc/testsuite/ChangeLog
|
|
[Bug target/41900] call *%esp shouldn't be generated because of CPU errata

------- Comment #4 from uros at gcc dot gnu dot org 2009-11-05 08:01 -------
Subject: Bug 41900

Author: uros
Date: Thu Nov 5 08:01:18 2009
New Revision: 153932

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=153932
Log:
    PR target/41900
    * config/i386/i386.h (ix86_arch_indices) <X86_ARCH_CALL_ESP>: New.
    (TARGET_CALL_ESP): New define.
    * config/i386/i386.c (initial_ix86_tune_features): Initialize
    X86_ARCH_CALL_ESP.
    * config/i386/i386.md (*call_pop_1_esp, *call_1_esp,
    *call_value_pop_1_esp, *call_value_1_esp): Rename from *call_pop_1,
    *call_1, *call_value_pop_1 and *call_value_1. Depend on
    TARGET_CALL_ESP.
    (*call_pop_1, *call_1, *call_value_pop_1, *call_value_1):
    New patterns, use "lsm" as operand 1 constraint.
    * config/i386/predicates.md (call_insn_operand): Depend on
    index_register_operand for !TARGET_CALL_ESP to avoid %esp register.

testsuite/ChangeLog:

    PR target/41900
    * gcc.target/i386/pr41900.c: New test.

Added:
    branches/gcc-4_3-branch/gcc/testsuite/gcc.target/i386/pr41900.c
Modified:
    branches/gcc-4_3-branch/gcc/ChangeLog
    branches/gcc-4_3-branch/gcc/config/i386/i386.c
    branches/gcc-4_3-branch/gcc/config/i386/i386.h
    branches/gcc-4_3-branch/gcc/config/i386/i386.md
    branches/gcc-4_3-branch/gcc/config/i386/predicates.md
    branches/gcc-4_3-branch/gcc/testsuite/ChangeLog
|
|
[Bug target/41900] call *%esp shouldn't be generated because of CPU errata

------- Comment #5 from ubizjak at gmail dot com 2009-11-05 08:06 -------
Fixed, but please also read [1] about executable stack.

[1] http://gcc.gnu.org/ml/gcc-patches/2009-11/msg00126.html

--
ubizjak at gmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |4.3.5
|
|
[Bug target/41900] call *%esp shouldn't be generated because of CPU errata

------- Comment #6 from uros at gcc dot gnu dot org 2009-11-13 18:33 -------
Subject: Bug 41900

Author: uros
Date: Fri Nov 13 18:33:37 2009
New Revision: 154160

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=154160
Log:
    2009-11-13 Uros Bizjak <ubizjak@...>

    PR target/41900
    (*call_pop_1, *call_1, *call_value_pop_1, *call_value_1): Use "lsm"
    as operand 1 constraint.
    * config/i386/predicates.md (call_insn_operand): Depend on
    index_register_operand to avoid %esp register.

    2009-11-13 Uros Bizjak <ubizjak@...>

    Revert:
    2009-11-03 Uros Bizjak <ubizjak@...>

    PR target/41900
    * config/i386/i386.h (ix86_arch_indices) <X86_ARCH_CALL_ESP>: New.
    (TARGET_CALL_ESP): New define.
    * config/i386/i386.c (initial_ix86_tune_features): Initialize
    X86_ARCH_CALL_ESP.
    * config/i386/i386.md (*call_pop_1_esp, *call_1_esp,
    *call_value_pop_1_esp, *call_value_1_esp): Rename from *call_pop_1,
    *call_1, *call_value_pop_1 and *call_value_1. Depend on
    TARGET_CALL_ESP.
    (*call_pop_1, *call_1, *call_value_pop_1, *call_value_1):
    New patterns, use "lsm" as operand 1 constraint.
    * config/i386/predicates.md (call_insn_operand): Depend on
    index_register_operand for !TARGET_CALL_ESP to avoid %esp register.

Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/config/i386/i386.c
    trunk/gcc/config/i386/i386.h
    trunk/gcc/config/i386/i386.md
    trunk/gcc/config/i386/predicates.md
|
|
[Bug target/41900] call *%esp shouldn't be generated because of CPU errata

------- Comment #7 from uros at gcc dot gnu dot org 2009-11-13 19:13 -------
Subject: Bug 41900

Author: uros
Date: Fri Nov 13 19:13:16 2009
New Revision: 154169

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=154169
Log:
    2009-11-13 Uros Bizjak <ubizjak@...>

    PR target/41900
    (*call_pop_1, *call_1, *call_value_pop_1, *call_value_1): Use "lsm"
    as operand 1 constraint.
    * config/i386/predicates.md (call_insn_operand): Depend on
    index_register_operand to avoid %esp register.

    2009-11-13 Uros Bizjak <ubizjak@...>

    Revert:
    2009-11-04 Uros Bizjak <ubizjak@...>

    PR target/41900
    * config/i386/i386.h (ix86_arch_indices) <X86_ARCH_CALL_ESP>: New.
    (TARGET_CALL_ESP): New define.
    * config/i386/i386.c (initial_ix86_tune_features): Initialize
    X86_ARCH_CALL_ESP.
    * config/i386/i386.md (*call_pop_1_esp, *call_1_esp,
    *call_value_pop_1_esp, *call_value_1_esp): Rename from *call_pop_1,
    *call_1, *call_value_pop_1 and *call_value_1. Depend on
    TARGET_CALL_ESP.
    (*call_pop_1, *call_1, *call_value_pop_1, *call_value_1):
    New patterns, use "lsm" as operand 1 constraint.
    * config/i386/predicates.md (call_insn_operand): Depend on
    index_register_operand for !TARGET_CALL_ESP to avoid %esp register.

Modified:
    branches/gcc-4_4-branch/gcc/ChangeLog
    branches/gcc-4_4-branch/gcc/config/i386/i386.c
    branches/gcc-4_4-branch/gcc/config/i386/i386.h
    branches/gcc-4_4-branch/gcc/config/i386/i386.md
    branches/gcc-4_4-branch/gcc/config/i386/predicates.md
|
|
[Bug target/41900] call *%esp shouldn't be generated because of CPU errata

------- Comment #8 from uros at gcc dot gnu dot org 2009-11-13 19:52 -------
Subject: Bug 41900

Author: uros
Date: Fri Nov 13 19:51:52 2009
New Revision: 154171

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=154171
Log:
    2009-11-13 Uros Bizjak <ubizjak@...>

    PR target/41900
    (*call_pop_1, *call_1, *call_value_pop_1, *call_value_1): Use "lsm"
    as operand 1 constraint.
    * config/i386/predicates.md (call_insn_operand): Depend on
    index_register_operand to avoid %esp register.

    2009-11-13 Uros Bizjak <ubizjak@...>

    Revert:
    2009-11-05 Uros Bizjak <ubizjak@...>

    PR target/41900
    * config/i386/i386.h (ix86_arch_indices) <X86_ARCH_CALL_ESP>: New.
    (TARGET_CALL_ESP): New define.
    * config/i386/i386.c (initial_ix86_tune_features): Initialize
    X86_ARCH_CALL_ESP.
    * config/i386/i386.md (*call_pop_1_esp, *call_1_esp,
    *call_value_pop_1_esp, *call_value_1_esp): Rename from *call_pop_1,
    *call_1, *call_value_pop_1 and *call_value_1. Depend on
    TARGET_CALL_ESP.
    (*call_pop_1, *call_1, *call_value_pop_1, *call_value_1):
    New patterns, use "lsm" as operand 1 constraint.
    * config/i386/predicates.md (call_insn_operand): Depend on
    index_register_operand for !TARGET_CALL_ESP to avoid %esp register.

Modified:
    branches/gcc-4_3-branch/gcc/ChangeLog
    branches/gcc-4_3-branch/gcc/config/i386/i386.c
    branches/gcc-4_3-branch/gcc/config/i386/i386.h
    branches/gcc-4_3-branch/gcc/config/i386/i386.md
    branches/gcc-4_3-branch/gcc/config/i386/predicates.md