undefined | Better HN

0 pointsuserbinator8y ago0 comments

I missed that it was indirect jumps too, which means switch statements also get affected. That's even worse.

0 comments

6 comments · 1 top-level

revelation8y ago· 5 in thread

Here is an example with the very common programming patterns that result in indirect jumps/calls:

Every single call rax and jump rax that you see on the right will be replaced with the following:

    push rax
    jmp .indirect_thunk

And indirect_thunk does an lfence and a call to another function that gets rax from the stack and jumps there in a very roundabout way that interacts terribly with CPU prediction. I can see why they somehow didn't get around to benchmarking this yet, because they are not going to like the results. And it doesn't end with the kernel. Every JIT is going to need the treatment.

mikeash8y ago

That has to be crazy slow. They probably haven’t published benchmarks yet because they’re still waiting for it to finish running!

rst8y ago

Interacting terribly with CPU branch prediction is the whole point -- Spectre attacks work by messing with the branch predictor, to misdirect speculative execution onto paths that reveal information useful to the attacker. So, the point of this whole crazy dance is to effectively disable the branch predictor.

revelation8y ago

Of course. But it needs spelling out, because branch prediction is essential to good performance and why todays CPUs can be much faster despite not reaching higher clocks. It's much more than just the cost of a few more instructions.

mike_hearn8y ago

Apparently the perf impact isn't so bad outside of microbenchmarks actually. 10% for real world programs ... as long as you use profile guided optimisation to devirt as many calls as possible!

https://support.google.com/faqs/answer/7625886

http://webcache.googleusercontent.com/search?q=cache%3Ahttps...

(some websites with info on this are DoSd and down right now, including the Arm website and LLVM code review site so switched to a cache link)

Pretty painful for C++ but fixable with build changes. JVM users and other JIT-compiled languages will probably be fixable without any serious impact, as HotSpot and other advanced runtimes devirtualise calls (convert indirect to direct) as much as they can anyway, meaning most calls won't be indirect when finished and once the code has warmed up.

smitherfield8y ago

The above example compiled with optimizations and with `indirect_jump` altered so the compiler actually emits a jump table instead of an array lookup:

https://godbolt.org/g/MPs43x

j / k navigate · click thread line to collapse