From tege@swox.se  Sat Dec 14 08:29:35 2002
Return-Path: <tege@swox.se>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8974837B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 14 Dec 2002 08:29:35 -0800 (PST)
Received: from king.swox.se (king.swox.se [212.247.3.130])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DABF243ED1
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 14 Dec 2002 08:29:34 -0800 (PST)
	(envelope-from tege@swox.se)
Received: by king.swox.se (Postfix, from userid 1001)
	id 50E3D491; Sat, 14 Dec 2002 17:29:33 +0100 (CET)
Message-Id: <20021214162933.50E3D491@king.swox.se>
Date: Sat, 14 Dec 2002 17:29:33 +0100 (CET)
From: Torbjorn Granlund <tege@swox.com>
Reply-To: Torbjorn Granlund <tege@swox.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: PLT code causes skewed return hint stack
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         46258
>Category:       i386
>Synopsis:       PLT code causes skewed return hint stack
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 14 08:30:01 PST 2002
>Closed-Date:    Sat Nov 01 17:15:40 PST 2003
>Last-Modified:  Sat Nov 01 17:15:40 PST 2003
>Originator:     Torbjorn Granlund
>Release:        FreeBSD 4.7-RELEASE i386
>Organization:
Swox AB
>Environment:
System: FreeBSD king.swox.se 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Wed Nov 13 18:18:04 CET 2002 tege@king.swox.se:/usr/src/sys/compile/KING i386

>Description:
Modern x86 processors have internal return address hint
stacks.  To avoid confusing them, it is important to pair
calls and returns.

PIC code sometimes wants the PC value, and using a call
improperly here can confuse the return hint stack.

The FreeBSD PLT code looks to me like another example of such
code.  Ideally, a jmp should be used instead of the ret to
jump to the target routine.  Hmm, can we really do that?  There
isn't a place to store the target address.

If using a jmp is impossible, we could live with getting one
return hint stack miss, but we don't want the entire hint stack
to become skewed.  Shouldn't the code look like the
following instead?

_rtld_bind_start:
	pushf				# Save eflags
	pushl	%eax			# Save %eax
	pushl	%edx			# Save %edx
	pushl	%ecx			# Save %ecx
	pushl	20(%esp)		# Copy reloff argument
	pushl	20(%esp)		# Copy obj argument

	call	_rtld_bind@PLT		# Transfer control to the binder
	/* Now %eax contains the entry point of the function being called. */
	call	1f
1:
	addl	$12,%esp		# Discard binder arguments and L1 addr
	movl	%eax,20(%esp)		# Store target over obj argument
	popl	%ecx			# Restore %ecx
	popl	%edx			# Restore %edx
	popl	%eax			# Restore %eax
	popf				# Restore eflags
	leal	4(%esp),%esp		# Discard reloff, do not change eflags
	ret				# "Return" to target address

>How-To-Repeat:
>Fix:


>Release-Note:
>Audit-Trail:

From: David Malone <dwmalone@maths.tcd.ie>
To: Torbjorn Granlund <tege@swox.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: i386/46258: PLT code causes skewed return hint stack
Date: Sat, 21 Dec 2002 15:16:41 +0000

 On Sat, Dec 14, 2002 at 05:29:33PM +0100, Torbjorn Granlund wrote:
 > If using a jmp is impossible, we could live with getting one
 > return hint stack miss, but we don't want the entire hint stack
 > to become skewed.  Shouldn't the code look like the
 > following instead?
 
 I turned your suggestion into a patch, to make it clearer what
 it changes. Can you suggest some code to measure if this makes
 a measurable difference?
 
 	David.
 
 
 diff -u -r1.3 rtld_start.S
 --- i386/rtld_start.S	28 Aug 1999 00:10:15 -0000	1.3
 +++ i386/rtld_start.S	21 Dec 2002 15:11:06 -0000
 @@ -77,8 +77,9 @@
  
  	call	_rtld_bind@PLT		# Transfer control to the binder
  	/* Now %eax contains the entry point of the function being called. */
 -
 -	addl	$8,%esp			# Discard binder arguments
 +	call	1f			# Balance call stack for return hinting
 +1:
 +	addl	$12,%esp		# Discard binder arguments
  	movl	%eax,20(%esp)		# Store target over obj argument
  	popl	%ecx			# Restore %ecx
  	popl	%edx			# Restore %edx
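Review bot: the comment on the new `addl $12,%esp` line no longer says what the instruction does. The 12 covers the two binder arguments plus the word pushed by `call 1f`, but the comment still reads `# Discard binder arguments`, so the next reader will take 12 for a typo of 8. Suggest keeping the wording from the original report, `addl $12,%esp # Discard binder arguments and L1 addr`, and adding a one-line comment at `1:` saying the label exists only to give the call a target and that the address it pushes is never used, since nothing else in the file refers to it.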
State-Changed-From-To: open->feedback 
State-Changed-By: kris 
State-Changed-When: Mon Jul 14 04:28:45 PDT 2003 
State-Changed-Why:  
Awaiting suggestions for benchmarking 

http://www.freebsd.org/cgi/query-pr.cgi?pr=46258 
State-Changed-From-To: feedback->closed 
State-Changed-By: kris 
State-Changed-When: Sat Nov 1 17:15:31 PST 2003 
State-Changed-Why:  
Feedback timeout 

http://www.freebsd.org/cgi/query-pr.cgi?pr=46258 
>Unformatted:
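As an added example, not code from the report, from David Malone's patch or from FreeBSD: a small Python model of the return-address hint stack the description talks about. It plays the original stub (a `ret` with no matching `call`) and the proposed stub (`call 1f` directly before that `ret`) through a chain of nested calls and counts mispredicted returns. The buffer depth of 16 and the symbolic addresses are constructed for the model; it counts model mispredictions, not cycles on real hardware, so it is only a starting point for the measurement David asks for.

```python
"""Return-stack-buffer (RSB) model for the PLT binder stub discussed in PR i386/46258.

Added example, not code from the PR or from FreeBSD.  It models the
processor's return-address hint stack as the report describes it: every
`call` pushes the address of the following instruction, every `ret` pops one
entry and uses it as the predicted target.  A `ret` whose real target differs
from the popped entry is a misprediction; a `ret` with no matching `call`
leaves every later prediction one entry out of step (the "skew" in the report).
"""

from collections import deque


class ReturnStackBuffer:
    """Fixed-depth LIFO of predicted return addresses (depth 16 is an assumption)."""

    def __init__(self, depth=16):
        self.depth = depth
        self.entries = deque()
        self.mispredicts = 0
        self.rets = 0

    def call(self, return_address):
        # The oldest entry is lost when the buffer is full.
        if len(self.entries) == self.depth:
            self.entries.popleft()
        self.entries.append(return_address)

    def ret(self, actual_target):
        # Pop the prediction (None on an empty buffer) and compare with reality.
        self.rets += 1
        predicted = self.entries.pop() if self.entries else None
        if predicted != actual_target:
            self.mispredicts += 1
        return predicted

    def jmp(self, target):
        # A jump, direct or indirect, does not touch the hint stack; that is why
        # the report would prefer a jmp over a bare ret in the stub.
        pass


def simulate_lazy_binding(balanced, call_depth=8):
    """
    Run a caller chain of `call_depth` nested frames whose innermost frame
    makes its first (lazily bound) call to `foo` through the PLT.

    balanced=False models the original stub: `ret` to the target with no
    matching `call`.  balanced=True models the stub proposed in the PR:
    `call 1f` immediately before that `ret`.

    Returns the number of mispredicted returns over the whole sequence.
    """
    rsb = ReturnStackBuffer()

    # Constructed symbolic addresses; the names stand in for code locations.
    chain_returns = [f"ret_into_frame{i}" for i in range(call_depth)]
    for addr in chain_returns:          # descent: each call pushes its return address
        rsb.call(addr)

    # The innermost frame calls foo@plt; the PLT entry jumps to _rtld_bind_start.
    rsb.call("ret_into_innermost")
    rsb.jmp("_rtld_bind_start")

    # The stub calls the binder, which returns normally: a matched push/pop pair.
    rsb.call("after_call_rtld_bind")
    rsb.ret("after_call_rtld_bind")

    if balanced:
        rsb.call("label_1")             # `call 1f` from the proposed stub
    rsb.ret("foo")                      # the stub's final `ret` transfers to the target

    # foo returns to the innermost frame, then the chain unwinds.
    rsb.ret("ret_into_innermost")
    for addr in reversed(chain_returns):
        rsb.ret(addr)

    return rsb.mispredicts


if __name__ == "__main__":
    for depth in (1, 4, 8):
        print(f"call depth {depth:2d}: original stub mispredicts "
              f"{simulate_lazy_binding(False, depth)}, "
              f"proposed stub mispredicts {simulate_lazy_binding(True, depth)}")
```

Run stand-alone, the model shows the effect the report predicts: the original stub mispredicts once for its own `ret` and then once more for every frame that unwinds afterwards (the hint stack stays one entry off until it runs dry), while the proposed stub mispredicts exactly once regardless of how deep the caller chain is.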
