[Bug target/90346] New: gcc generates the "lfence" instruction on CPUs that don't support it

mikulas at artax dot karlin.mff.cuni.cz gcc-bugzilla@gcc.gnu.org
Sat May 4 17:19:00 GMT 2019


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90346

            Bug ID: 90346
           Summary: gcc generates the "lfence" instruction on CPUs that
                    don't support it
           Product: gcc
           Version: 9.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: mikulas at artax dot karlin.mff.cuni.cz
  Target Milestone: ---
              Host: x86_64-pc-linux-gnu
            Target: x86_64-pc-linux-gnu
             Build: x86_64-pc-linux-gnu

The built-in function __builtin_speculation_safe_value generates an "lfence"
instruction. Unfortunately, it doesn't check that the target CPU supports the
lfence instruction.

GCC should use a dummy atomic instruction (such as "lock addl $0, (%esp)") or
some other serializing instruction on CPUs that don't have lfence.

Compile this program with "-O3 -m32 -march=pentium2"

#include <stddef.h>

/* Table indexed by the untrusted value in f1..f3; its 500 entries match
   the bound each function checks before the load. */
int array[500];

/* Reference version: plain bounds check, no speculation barrier.
   Returns array[untrusted_index] when in range, otherwise 0. */
int f1 (unsigned untrusted_index)
{
        if (untrusted_index >= 500)
                return 0;
        return array[untrusted_index];
}

/* Same check as f1, but the index is routed through
   __builtin_speculation_safe_value before the load so that a
   mis-speculated path cannot use the raw untrusted value.  On x86 gcc
   expands the builtin to lfence, even for -march=pentium2. */
int f2 (unsigned untrusted_index)
{
        unsigned safe_index;

        if (untrusted_index >= 500)
                return 0;
        safe_index = __builtin_speculation_safe_value (untrusted_index);
        return array[safe_index];
}

/* Pointer form of f2: the barrier is applied to the computed element
   address (with NULL as the fail value) rather than to the index.
   gcc emits the same lfence here as in f2. */
int f3 (unsigned untrusted_index)
{
        int *elem;

        if (untrusted_index >= 500)
                return 0;
        elem = __builtin_speculation_safe_value (&array[untrusted_index], NULL);
        return *elem;
}

The result:

00000000 <f1>:
   0:   8b 54 24 04             mov    0x4(%esp),%edx
   4:   31 c0                   xor    %eax,%eax
   6:   81 fa f3 01 00 00       cmp    $0x1f3,%edx
   c:   76 02                   jbe    10 <f1+0x10>
   e:   c3                      ret
   f:   90                      nop
  10:   8b 04 95 00 00 00 00    mov    0x0(,%edx,4),%eax
  17:   c3                      ret
  18:   90                      nop
  19:   8d b4 26 00 00 00 00    lea    0x0(%esi,%eiz,1),%esi

00000020 <f2>:
  20:   31 c0                   xor    %eax,%eax
  22:   81 7c 24 04 f3 01 00    cmpl   $0x1f3,0x4(%esp)
  29:   00
  2a:   76 04                   jbe    30 <f2+0x10>
  2c:   c3                      ret
  2d:   8d 76 00                lea    0x0(%esi),%esi
  30:   0f ae e8                lfence
  33:   8b 44 24 04             mov    0x4(%esp),%eax
  37:   8b 04 85 00 00 00 00    mov    0x0(,%eax,4),%eax
  3e:   c3                      ret
  3f:   90                      nop

00000040 <f3>:
  40:   31 c0                   xor    %eax,%eax
  42:   81 7c 24 04 f3 01 00    cmpl   $0x1f3,0x4(%esp)
  49:   00
  4a:   76 04                   jbe    50 <f3+0x10>
  4c:   c3                      ret
  4d:   8d 76 00                lea    0x0(%esi),%esi
  50:   8b 44 24 04             mov    0x4(%esp),%eax
  54:   c1 e0 02                shl    $0x2,%eax
  57:   0f ae e8                lfence
  5a:   8b 80 00 00 00 00       mov    0x0(%eax),%eax
  60:   c3                      ret

