
Handle MFENCE instructions appropriately

Open zbrid opened this issue 4 years ago • 2 comments

At the time of this report, SpecFuzz crashes when instrumenting code that uses MFENCEs.

Reproduction instructions

mfence.ll:

define void @mfence() {
  call void @llvm.x86.sse2.mfence()
  ret void
}

declare void @llvm.x86.sse2.mfence()

Command:

./bin/llc -x86-specfuzz mfence.ll

Output:

SpecFuzzPass.cpp:604: bool {anonymous}::X86SpecFuzzPass::visitWrite(llvm::MachineInstr&, llvm::MachineBasicBlock&): Assertion `MemRefBegin >= 0 && "Not a write instruction"' failed.
Stack dump:
0.	Program arguments: bin/llc -x86-specfuzz -disable-tail-calls -O3 utils.sf.bc -o utils.sf.s 
1.	Running pass 'Function Pass Manager' on module 'utils.sf.bc'.
2.	Running pass 'SpecFuzz' on function '@_Z18FlushFromDataCachePKvS0_'
#0 0x00007f8348758cae llvm::sys::PrintStackTrace(llvm::raw_ostream&) src/lib/Support/Unix/Signals.inc:490:22
#1 0x00007f8348758d41 PrintStackTraceSignalHandler(void*) src/lib/Support/Unix/Signals.inc:554:1
#2 0x00007f8348756d73 llvm::sys::RunSignalHandlers() src/lib/Support/Signals.cpp:67:20
#3 0x00007f8348758773 SignalHandler(int) src/lib/Support/Unix/Signals.inc:353:1
#4 0x00007f8348108e30 (/lib/x86_64-linux-gnu/libc.so.6+0x3be30)
#5 0x00007f8348108db1 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x3bdb1)
#6 0x00007f83480f2537 abort (/lib/x86_64-linux-gnu/libc.so.6+0x25537)
#7 0x00007f83480f240f __tls_get_addr (/lib/x86_64-linux-gnu/libc.so.6+0x2540f)
#8 0x00007f83481015b2 (/lib/x86_64-linux-gnu/libc.so.6+0x345b2)
#9 0x00007f834cd5e240 (anonymous namespace)::X86SpecFuzzPass::visitWrite(llvm::MachineInstr&, llvm::MachineBasicBlock&) src/lib/Target/X86/SpecFuzzPass.cpp:605:41
#10 0x00007f834cd5cae3 (anonymous namespace)::X86SpecFuzzPass::visitFunction(llvm::MachineFunction&) src/lib/Target/X86/SpecFuzzPass.cpp:283:26
#11 0x00007f834cd5c5f3 (anonymous namespace)::X86SpecFuzzPass::runOnMachineFunction(llvm::MachineFunction&) src/lib/Target/X86/SpecFuzzPass.cpp:223:25

Workarounds:

  • Skip instrumenting MFENCE. I'll put up a pull request for this shortly.
  • Remove MFENCE from the code I want to compile.

Longer term solution

  • Not sure. Would it be useful for SpecFuzz to take into account the effects of MFENCEs on the state it stores during speculative execution simulation?

zbrid, Sep 14 '20 17:09

Closed by 46141efd0ba5b2f51d1bcb4674797a828e508573

OleksiiOleksenko, Dec 26 '20 16:12

I got the same error. I don't see the error after editing SpecFuzzPass.cpp line 282 from this: https://github.com/OleksiiOleksenko/SpecFuzz/blob/46141efd0ba5b2f51d1bcb4674797a828e508573/src/SpecFuzzPass.cpp#L282 to this: if (MI->mayStore() && MI->getOpcode()!=2546 && MI->getOpcode()!=1) {

I couldn't figure out what opcode 2546 and 1 are but they cause the same problem.

canertol, Feb 24 '21 00:02