可以分支prediction崩溃我的程序？ [英] Can branch prediction crash my program?

问题描述

走这本书，叫计算机系统结构的低谷第3章：一个程序员的角度来看，更说明了像执行

Going trough chapter 3 of this book called Computer Systems Architecture: A programmer's perspective, it is stated that an implementation like

testl %eax, %eax
cmovne (%eax), %edx

是无效的，因为如果prediction失败，那么我们将不得不取消引用NULL。它也指出，我们应该使用分支code。

is invalid because if the prediction fails, then we'll have NULL dereferencing. It is also stated that we should use branching code.

然而，将未使用条件跳转导致相同的结果？例如：

Still, wouldn't using conditional jumps lead to the same result? For example:

.L1:
jmp *%eax

testl %eax, %eax
jne .L1

是否有可能欺骗GCC输出类似的东西为X86-32？假设我有一个指针数组的功能，其中有些是有效的，有些则不是。我呼吁每一个不为空。

Is it possible to trick gcc to output something like that for an x86-32? Suppose I have an array of pointers to functions of which some are valid and some aren't and I call each one that's not NULL.

推荐答案

没有。你不应该能够检测到外的顺序操作取一个 JMP 指令，如果它是一个推测执行，由于测试和跳转证明无效的一部分。

No. You should not be able to detect out-of-order operand fetch of a jmp instruction if it is part of a speculative execution that proves invalid due to a test and jump.

的 cmove __ 指令 precisely记录以引起故障，如果存储器访问操作数将导致故障时，即使条件没有得到满足。换句话说，这不是推测性执行。它的指令语义的一部分。这是的移动应用于desination这是有条件的，不是取。

The cmove__ instruction is precisely documented to cause a fault if a memory access operand would cause a fault, even if the condition is not met. In other words, this is not speculative execution. It's part of the instruction semantics. It's the move to desination that's conditional, not the fetch.

的 JMP 指令没有如此记载。

我没有得到你的榜样，code的点，因为没有对内存操作没有条件 *％EAX 。如果％EAX 包含零，肯定是在 JMP无条件取出执行*％EAX 将导致故障。这是正确的行为。如果测试％EAX 和周围的坏参考跳。

I'm not getting the point of your example code because there is no condition on the memory operation *%eax. If %eax contains zero, certainly the fetch in the unconditional execution of jmp *%eax will cause a fault. This is correct behavior. If you test %eax and jump around the bad reference.

testl %eax, %eax
je .L1
jmp *%eax
.L1:

有可能不会成为一个问题。在 *％EAX 的推测执行，除非猜测被证明是有效的，即真正的控制路径不能引起故障。这类似于行为坏运codeS，被零除之类的：正常的程序的语义不受投机执行

There can't be a problem. Speculative execution of the *%eax cannot cause a fault unless the speculation turns out to be valid, i.e. the true control path. This is similar to behavior for bad opcodes, division by zero and the like: normal program semantics are not affected by speculative execution.

在哪里出的顺序读取和存储真正的不的导致各种有趣的问题是在多任务处理。 本文以及它的第一部分在preceeding问题是这个话题的讨论，很大

Where out-of-order fetches and stores really do cause all kinds of interesting problems is in multi-processing. This article and also its first part in the preceeding issue are great discussions of this topic.

这篇关于可以分支prediction崩溃我的程序？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！