Bug 445354 - arm64 backend: incorrect code emitted for doubleword CAS
Summary: arm64 backend: incorrect code emitted for doubleword CAS
Status: RESOLVED FIXED
Product: valgrind
Classification: Developer tools
Component: vex
Version: unspecified
Platform: Other Linux
Priority: NOR  Severity: normal
Assignee: Julian Seward
Blocks: 444399
Reported: 2021-11-11 21:13 UTC by Julian Seward
Modified: 2021-11-12 09:49 UTC

Description Julian Seward 2021-11-11 21:13:47 UTC
The sequence of instructions emitted by the arm64 backend for doubleword
compare-and-swap is incorrect.  This could lead to incorrect simulation of the
AArch8.1 atomic instructions (CASP, at least), and causes failures in the
upcoming fix for v8.0 support for LD{,A}XP/ST{,L}XP in bug 444399.  In the
worst case it can cause segfaulting in the generated code, because it could
jump backwards unexpectedly far.

The problem is the sequence emitted for ARM64in_CASP:

* the jump offsets are incorrect, both for `bne out` (x 2) and `cbnz w1, loop`.

* using w1 to hold the success indication of the stxp instruction trashes the
  previous value in x1.  But the value in x1 is an output of ARM64in_CASP,
  hence one of the two output registers is corrupted.  That confuses any code
  downstream that wants to inspect those values to find out if the transaction
  succeeded or not.

The fixes are to

* fix the branch offsets

* use a different register to hold the stxp success indication.  w3 is a
  convenient check.
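The loop the description refers to, as an added example that is not VEX's own ARM64in_CASP emitter: a small Python encoder (helper names, the `emit_casp_loop` interface and the register assignment are assumptions of mine; the bit layouts follow the Armv8-A A64 base ISA) that resolves the two `b.ne out` displacements and the backward `cbnz status, loop` displacement from label positions instead of hand-written constants, refuses a status register that aliases one of the CAS outputs or a live input, and decodes the imm19 fields back so the resolved targets can be checked.

```python
# Added example (not VEX's ARM64in_CASP emitter): a toy encoder for the
# doubleword CAS loop described in the bug.  Helper names and the register
# assignment are mine; the bit layouts follow the Armv8-A A64 base ISA.
import struct

COND_NE = 0b0001          # B.cond condition field value for "not equal"


def _imm19(offset_bytes):
    """Encode a displacement in bytes, measured from the branch instruction
    itself, as the 19-bit signed word offset used by B.cond / CBZ / CBNZ."""
    if offset_bytes % 4:
        raise ValueError("branch target is not 4-byte aligned")
    words = offset_bytes // 4
    if not -(1 << 18) <= words < (1 << 18):
        raise ValueError("displacement does not fit in imm19")
    return (words & 0x7FFFF) << 5


def enc_bcond(cond, offset_bytes):       # B.<cond> <label>
    return 0x54000000 | _imm19(offset_bytes) | cond


def enc_cbnz_w(rt, offset_bytes):        # CBNZ Wt, <label>   (sf=0)
    return 0x35000000 | _imm19(offset_bytes) | rt


def enc_ldxp_x(rt, rt2, rn):             # LDXP Xt, Xt2, [Xn]
    return 0xC87F0000 | (rt2 << 10) | (rn << 5) | rt


def enc_stxp_x(rs, rt, rt2, rn):         # STXP Ws, Xt, Xt2, [Xn]
    return 0xC8200000 | (rs << 16) | (rt2 << 10) | (rn << 5) | rt


def enc_cmp_x(rn, rm):                   # CMP Xn, Xm  ==  SUBS XZR, Xn, Xm
    return 0xEB00001F | (rm << 16) | (rn << 5)


def status_reg_is_safe(status, addr, old_lo, old_hi, exp_lo, exp_hi, new_lo, new_hi):
    """The STXP status register must not alias the CAS outputs (old_lo/old_hi:
    reusing w1 here is exactly the x1 corruption from the bug) nor any input
    that has to survive a retry of the loop.  Rs equal to Rt, Rt2 or Rn is
    also CONSTRAINED UNPREDICTABLE for STXP."""
    return status not in {addr, old_lo, old_hi, exp_lo, exp_hi, new_lo, new_hi}


def emit_casp_loop(addr, old_lo, old_hi, exp_lo, exp_hi, new_lo, new_hi, status):
    """Return [(pc, word), ...] for
         loop: ldxp  old_lo, old_hi, [addr]
               cmp   old_lo, exp_lo
               b.ne  out
               cmp   old_hi, exp_hi
               b.ne  out
               stxp  status, new_lo, new_hi, [addr]
               cbnz  status, loop
         out:
    with pc = 0 at 'loop'.  Branch displacements are computed from the label
    positions (target minus the branch's own pc), not written by hand."""
    if not status_reg_is_safe(status, addr, old_lo, old_hi, exp_lo, exp_hi, new_lo, new_hi):
        raise ValueError(f"status register w{status} aliases a live register")
    # Each entry is a function of its own pc; the lambdas read loop_pc/out_pc
    # when called, after both labels are known.
    body = [
        lambda pc: enc_ldxp_x(old_lo, old_hi, addr),
        lambda pc: enc_cmp_x(old_lo, exp_lo),
        lambda pc: enc_bcond(COND_NE, out_pc - pc),
        lambda pc: enc_cmp_x(old_hi, exp_hi),
        lambda pc: enc_bcond(COND_NE, out_pc - pc),
        lambda pc: enc_stxp_x(status, new_lo, new_hi, addr),
        lambda pc: enc_cbnz_w(status, loop_pc - pc),
    ]
    loop_pc, out_pc = 0, 4 * len(body)
    return [(4 * i, f(4 * i)) for i, f in enumerate(body)]


def _sext19(v):
    return v - (1 << 19) if v & (1 << 18) else v


def branch_targets(code):
    """Decode the imm19 field of every B.cond / CBZ / CBNZ word in code and
    return {branch_pc: target_pc}, for checking the resolved offsets."""
    targets = {}
    for pc, w in code:
        is_bcond = (w & 0xFF000010) == 0x54000000
        is_cbz = (w & 0x7E000000) == 0x34000000
        if is_bcond or is_cbz:
            targets[pc] = pc + 4 * _sext19((w >> 5) & 0x7FFFF)
    return targets


def to_bytes(code):
    """Little-endian image, e.g. for `objdump -D -b binary -m aarch64`."""
    return b"".join(struct.pack("<I", w) for _, w in code)


if __name__ == "__main__":
    # x0/x1 = old value (the outputs), x2 = address, x4/x5 = expected value,
    # x6/x7 = new value, w3 = STXP status, the register the bug proposes.
    code = emit_casp_loop(addr=2, old_lo=0, old_hi=1, exp_lo=4, exp_hi=5,
                          new_lo=6, new_hi=7, status=3)
    for pc, w in code:
        print(f"{pc:3d}: {w:08x}")
    print("branch targets:", branch_targets(code))
```

Running the block prints the seven words and the decoded targets; with the register assignment above both `b.ne` words resolve to pc 28 (`out`) and the `cbnz` word resolves back to pc 0 (`loop`). Asking for `status=1` raises, which is the aliasing the bug describes.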
Comment 1 Julian Seward 2021-11-12 09:49:54 UTC
Fixed, 7dbe2fed72886874f2eaf57dc07929542ae55b58.