Bug#52419: x86 assembly based atomic CAS causes test failures

Davi Arnaut · Davi Arnaut · commit be348787eb4a · 2010-09-17T17:34:15.000-03:00
The problem was that the x86 assembly based atomic CAS
(compare and swap) implementation could copy the wrong
value to the ebx register, where the cmpxchg8b expects
to see part of the "comparand" value. Since the original
value in the ebx register is saved in the stack (that is,
the push instruction causes the stack pointer to change),
a wrong offset could be used if the compiler decides to
put the source of the comparand value in the stack.

The solution is to copy the comparand value directly from
memory. Since the comparand value is 64-bits wide, it is
copied in two steps over to the ebx and ecx registers.
diff --git a/include/atomic/x86-gcc.h b/include/atomic/x86-gcc.h
@@ -111,21 +111,23 @@
   On some platforms (e.g. Mac OS X and Solaris) the ebx register
   is held as a pointer to the global offset table. Thus we're not
   allowed to use the b-register on those platforms when compiling
-  PIC code, to avoid this we push ebx and pop ebx and add a movl
-  instruction to avoid having ebx in the interface of the assembler
-  instruction.
+  PIC code, to avoid this we push ebx and pop ebx. The new value
+  is copied directly from memory to avoid problems with a implicit
+  manipulation of the stack pointer by the push.
 
   cmpxchg8b works on both 32-bit platforms and 64-bit platforms but
   the code here is only used on 32-bit platforms, on 64-bit
   platforms the much simpler make_atomic_cas_body32 will work
   fine.
 */
 #define make_atomic_cas_body64                                    \
-  int32 ebx=(set & 0xFFFFFFFF), ecx=(set >> 32);                  \
-  asm volatile ("push %%ebx; movl %3, %%ebx;"                     \
-                LOCK_prefix "; cmpxchg8b %0; setz %2; pop %%ebx"  \
-                : "=m" (*a), "+A" (*cmp), "=c" (ret)               \
-                : "m" (ebx), "c" (ecx), "m" (*a)                  \
+  asm volatile ("push %%ebx;"                                     \
+                "movl (%%ecx), %%ebx;"                            \
+                "movl 4(%%ecx), %%ecx;"                           \
+                LOCK_prefix "; cmpxchg8b %0;"                     \
+                "setz %2; pop %%ebx"                              \
+                : "=m" (*a), "+A" (*cmp), "=c" (ret)              \
+                : "c" (&set), "m" (*a)                            \
                 : "memory", "esp")
 #endif
 
