Incorrect semantic computation for MULX when first and second argument are same
#525
Comments
|
Thanks for finding and reporting this issue. Might it be that the results are written (in the semantics) in the wrong order, so that the low half overwrites the high half? I think that the compiler cannot produce code that witnesses this error: the liveness analysis used during register allocation is not precise enough. |
|
That is possible. However, I don't think I saw a special case when the 1st and 2nd arguments are same. |
|
Just to resume, the discussion with Vincent. We are agree that this is a bug in the semantics. |
|
bgregoir ***@***.***> wrote:
Hi Benjamin,
Just to resume, the discussion with Vincent. We are agree that this is a bug in the semantics.
There is a simple way to fix it, say that mulx return (lo, hi) instead of (hi, lo). In that case the pb is solve but
this require to fix the jasmin program, and certainly to do the same kind of change for similar instructions.
like (hi, lo) = x * y --> (lo, hi) = x * y.
The EC model need to be changed to.
So we think it is not reasonable...
The other way to fix it is to ensure that the semantic reject such a program were both destination are equals.
So the semantics will be incomplete compare to the architecture but it is correct.
In any case, the compiler never generate code where both destination are the same register. Both destination are marked to be in conflict.
If you prevent the compiler to ever generating such code, wouldn't it
still be possible to write such code using intrinsics? If yes, then
wouldn't the EasyCrypt semantics need to change anyway?
Cheers,
Peter
|
|
It is already the case that the compiler cannot emit code that witness the bug: two outputs of an instruction are considered live after this instruction, hence conflict, i.e., cannot be allocated to the same register. |
|
So there is a room for improving the live analysis and maybe do better allocation in the future. (Depending on whether this instruction will help in some special case). So, is it going to be a semantic bug which will not be fixed? |
|
According to me, a better and probably correct solution to implement in the future would be to track if those two registers are same and then return |
|
I agree that the best solution will be to change the order of elements in the return (i.e. (lo,hi) instead of (hi,lo)). |
|
bgregoir ***@***.***> wrote:
I agree that the best solution will be to change the order of elements
in the return (i.e. (lo,hi) instead of (hi,lo)). The question is are
we agree to pay the cost of this change.
@peter, I think the compiler will fail to generate code like (hi,hi) =
#mulx(x,y) (I have not tested, I think this come from what was
explained by Vincent). This does not means that it will still true in
the futur.
This is probably the biggest risk: if we accept wrong semantics and make
sure in other components of the compiler that the special cases are
never triggered, there is a risk that at some point in the future those
other parts of the compiler change and actually *do* trigger the special
case. This wouldn't then be caught by anything really, right?
|
|
It was the point of rejecting mulx r r, if this has no semantic if the compiler generates a mulx r r at some point |
|
Ok, I think the current solution will not require to do any change in libjade. |
Add MULX_lo_hi and MULX_hi pseudo instructions. Fixes #525
Found through random fuzz-test. this is true for both size variants of 32 and 64.
Bug: When the first and second argument are same, Jasmin semantics and hardware semantics differ.
Size=64
Executing instruction
MULX R14 R14 RDI->mulxq %rdi, %r14, %r14Before:
Jasmin After:
H/W After:
Size = 32
Executing instruction
MULX_32 R14 R14 RDI->mulxl %edi, %r14d, %r14dBefore:
Jasmin After:
H/W After:
CC: @vbgl @bgregoir @gbarthe @cryptojedi
The text was updated successfully, but these errors were encountered: