8340241: RISC-V: Returns mispredicted

Reviewed-by: fyang, luhenry

Author: robehn

src/hotspot/cpu/riscv/assembler_riscv.hpp

@@ -2892,8 +2892,9 @@ enum Nf {
 // Unconditional branch instructions
 // --------------------------
  protected:
-  // All calls and jumps must go via MASM.
+  // All calls and jumps must go via MASM. Only use x1 (aka ra) as link register for now.
   void jalr(Register Rd, Register Rs, const int32_t offset) {
+    assert(Rd != x5 && Rs != x5, "Register x5 must not be used for calls/jumps.");
     /* jalr -> c.jr/c.jalr */
     if (do_compress() && (offset == 0 && Rs != x0)) {
       if (Rd == x1) {
@@ -2908,14 +2909,14 @@ enum Nf {
   }
 
   void jal(Register Rd, const int32_t offset) {
+    assert(Rd != x5, "Register x5 must not be used for calls/jumps.");
     /* jal -> c.j, note c.jal is RV32C only */
     if (do_compress() &&
         Rd == x0 &&
         is_simm12(offset) && ((offset % 2) == 0)) {
       c_j(offset);
       return;
     }
-
     _jal(Rd, offset);
   }
 

src/hotspot/cpu/riscv/c1_CodeStubs_riscv.cpp

@@ -93,7 +93,7 @@ void RangeCheckStub::emit_code(LIR_Assembler* ce) {
     stub_id = C1StubId::throw_range_check_failed_id;
   }
   // t0 and t1 are used as args in generate_exception_throw，
-  // so use ra as the tmp register for rt_call.
+  // so use x1/ra as the tmp register for rt_call.
   __ rt_call(Runtime1::entry_for(stub_id), ra);
   ce->add_call_info_here(_info);
   ce->verify_oop_map(_info);
@@ -275,7 +275,7 @@ void SimpleExceptionStub::emit_code(LIR_Assembler* ce) {
   if (_obj->is_cpu_register()) {
     __ mv(t0, _obj->as_register());
   }
-  __ far_call(RuntimeAddress(Runtime1::entry_for(_stub)), t1);
+  __ far_call(RuntimeAddress(Runtime1::entry_for(_stub)));
   ce->add_call_info_here(_info);
   debug_only(__ should_not_reach_here());
 }

src/hotspot/cpu/riscv/gc/g1/g1BarrierSetAssembler_riscv.cpp

@@ -271,8 +271,8 @@ static void generate_c2_barrier_runtime_call(MacroAssembler* masm, G1BarrierStub
     __ mv(c_rarg0, arg);
   }
   __ mv(c_rarg1, xthread);
-  __ mv(t0, runtime_path);
-  __ jalr(t0);
+  __ mv(t1, runtime_path);
+  __ jalr(t1);
 }
 
 void G1BarrierSetAssembler::g1_write_barrier_pre_c2(MacroAssembler* masm,

src/hotspot/cpu/riscv/gc/x/xBarrierSetAssembler_riscv.cpp

@@ -339,8 +339,8 @@ void XBarrierSetAssembler::generate_c2_load_barrier_stub(MacroAssembler* masm, X
     XSaveLiveRegisters save_live_registers(masm, stub);
     XSetupArguments setup_arguments(masm, stub);
 
-    __ mv(t0, stub->slow_path());
-    __ jalr(t0);
+    __ mv(t1, stub->slow_path());
+    __ jalr(t1);
   }
 
   // Stub exit

src/hotspot/cpu/riscv/gc/z/zBarrierSetAssembler_riscv.cpp

@@ -724,8 +724,8 @@ void ZBarrierSetAssembler::generate_c2_load_barrier_stub(MacroAssembler* masm, Z
   {
     SaveLiveRegisters save_live_registers(masm, stub);
     ZSetupArguments setup_arguments(masm, stub);
-    __ mv(t0, stub->slow_path());
-    __ jalr(t0);
+    __ mv(t1, stub->slow_path());
+    __ jalr(t1);
   }
 
   // Stub exit
@@ -758,15 +758,15 @@ void ZBarrierSetAssembler::generate_c2_store_barrier_stub(MacroAssembler* masm,
     __ la(c_rarg0, stub->ref_addr());
 
     if (stub->is_native()) {
-      __ la(t0, RuntimeAddress(ZBarrierSetRuntime::store_barrier_on_native_oop_field_without_healing_addr()));
+      __ la(t1, RuntimeAddress(ZBarrierSetRuntime::store_barrier_on_native_oop_field_without_healing_addr()));
     } else if (stub->is_atomic()) {
-      __ la(t0, RuntimeAddress(ZBarrierSetRuntime::store_barrier_on_oop_field_with_healing_addr()));
+      __ la(t1, RuntimeAddress(ZBarrierSetRuntime::store_barrier_on_oop_field_with_healing_addr()));
     } else if (stub->is_nokeepalive()) {
-      __ la(t0, RuntimeAddress(ZBarrierSetRuntime::no_keepalive_store_barrier_on_oop_field_without_healing_addr()));
+      __ la(t1, RuntimeAddress(ZBarrierSetRuntime::no_keepalive_store_barrier_on_oop_field_without_healing_addr()));
     } else {
-      __ la(t0, RuntimeAddress(ZBarrierSetRuntime::store_barrier_on_oop_field_without_healing_addr()));
+      __ la(t1, RuntimeAddress(ZBarrierSetRuntime::store_barrier_on_oop_field_without_healing_addr()));
     }
-    __ jalr(t0);
+    __ jalr(t1);
   }
 
   // Stub exit

src/hotspot/cpu/riscv/interp_masm_riscv.cpp

@@ -421,13 +421,13 @@ void InterpreterMacroAssembler::jump_from_interpreted(Register method) {
     // interp_only_mode if these events CAN be enabled.
     lwu(t0, Address(xthread, JavaThread::interp_only_mode_offset()));
     beqz(t0, run_compiled_code);
-    ld(t0, Address(method, Method::interpreter_entry_offset()));
-    jr(t0);
+    ld(t1, Address(method, Method::interpreter_entry_offset()));
+    jr(t1);
     bind(run_compiled_code);
   }
 
-  ld(t0, Address(method, Method::from_interpreted_offset()));
-  jr(t0);
+  ld(t1, Address(method, Method::from_interpreted_offset()));
+  jr(t1);
 }
 
 // The following two routines provide a hook so that an implementation

src/hotspot/cpu/riscv/macroAssembler_riscv.cpp

@@ -457,8 +457,8 @@ void MacroAssembler::call_VM_base(Register oop_result,
     RuntimeAddress target(StubRoutines::forward_exception_entry());
     relocate(target.rspec(), [&] {
       int32_t offset;
-      la(t0, target.target(), offset);
-      jr(t0, offset);
+      la(t1, target.target(), offset);
+      jr(t1, offset);
     });
     bind(ok);
   }
@@ -760,21 +760,21 @@ void MacroAssembler::emit_static_call_stub() {
 
   // Jump to the entry point of the c2i stub.
   int32_t offset = 0;
-  movptr(t0, 0, offset, t1); // lui + lui + slli + add
-  jr(t0, offset);
+  movptr(t1, 0, offset, t0); // lui + lui + slli + add
+  jr(t1, offset);
 }
 
 void MacroAssembler::call_VM_leaf_base(address entry_point,
                                        int number_of_arguments,
                                        Label *retaddr) {
   int32_t offset = 0;
-  push_reg(RegSet::of(t0, xmethod), sp);   // push << t0 & xmethod >> to sp
-  mv(t0, entry_point, offset);
-  jalr(t0, offset);
+  push_reg(RegSet::of(t1, xmethod), sp);   // push << t1 & xmethod >> to sp
+  mv(t1, entry_point, offset);
+  jalr(t1, offset);
   if (retaddr != nullptr) {
     bind(*retaddr);
   }
-  pop_reg(RegSet::of(t0, xmethod), sp);   // pop << t0 & xmethod >> from sp
+  pop_reg(RegSet::of(t1, xmethod), sp);   // pop << t1 & xmethod >> from sp
 }
 
 void MacroAssembler::call_VM_leaf(address entry_point, int number_of_arguments) {
@@ -941,6 +941,7 @@ void MacroAssembler::li(Register Rd, int64_t imm) {
 
 void MacroAssembler::load_link_jump(const address source, Register temp) {
   assert(temp != noreg && temp != x0, "expecting a register");
+  assert(temp != x5, "temp register must not be x5.");
   assert_cond(source != nullptr);
   int64_t distance = source - pc();
   assert(is_simm32(distance), "Must be");
@@ -968,7 +969,8 @@ void MacroAssembler::j(const address dest, Register temp) {
   if (is_simm21(distance) && ((distance % 2) == 0)) {
     Assembler::jal(x0, distance);
   } else {
-    assert(temp != noreg && temp != x0, "expecting a register");
+    assert(temp != noreg && temp != x0, "Expecting a register");
+    assert(temp != x1 && temp != x5, "temp register must not be x1/x5.");
     int32_t offset = 0;
     la(temp, dest, offset);
     jr(temp, offset);
@@ -1006,23 +1008,27 @@ void MacroAssembler::j(Label &lab, Register temp) {
 
 void MacroAssembler::jr(Register Rd, int32_t offset) {
   assert(Rd != noreg, "expecting a register");
+  assert(Rd != x1 && Rd != x5, "Rd register must not be x1/x5.");
   Assembler::jalr(x0, Rd, offset);
 }
 
 void MacroAssembler::call(const address dest, Register temp) {
   assert_cond(dest != nullptr);
   assert(temp != noreg, "expecting a register");
+  assert(temp != x5, "temp register must not be x5.");
   int32_t offset = 0;
   la(temp, dest, offset);
   jalr(temp, offset);
 }
 
 void MacroAssembler::jalr(Register Rs, int32_t offset) {
   assert(Rs != noreg, "expecting a register");
+  assert(Rs != x5, "Rs register must not be x5.");
   Assembler::jalr(x1, Rs, offset);
 }
 
 void MacroAssembler::rt_call(address dest, Register tmp) {
+  assert(tmp != x5, "tmp register must not be x5.");
   CodeBlob *cb = CodeCache::find_blob(dest);
   RuntimeAddress target(dest);
   if (cb) {
@@ -1762,7 +1768,7 @@ void MacroAssembler::pop_CPU_state(bool restore_vectors, int vector_size_in_byte
 
 static int patch_offset_in_jal(address branch, int64_t offset) {
   assert(Assembler::is_simm21(offset) && ((offset % 2) == 0),
-         "offset is too large to be patched in one jal instruction!\n");
+         "offset (%ld) is too large to be patched in one jal instruction!\n", offset);
   Assembler::patch(branch, 31, 31, (offset >> 20) & 0x1);                       // offset[20]    ==> branch[31]
   Assembler::patch(branch, 30, 21, (offset >> 1)  & 0x3ff);                     // offset[10:1]  ==> branch[30:21]
   Assembler::patch(branch, 20, 20, (offset >> 11) & 0x1);                       // offset[11]    ==> branch[20]
@@ -3658,6 +3664,7 @@ void MacroAssembler::far_jump(const Address &entry, Register tmp) {
 }
 
 void MacroAssembler::far_call(const Address &entry, Register tmp) {
+  assert(tmp != x5, "tmp register must not be x5.");
   assert(CodeCache::find_blob(entry.target()) != nullptr,
          "destination of far call not found in code cache");
   assert(entry.rspec().type() == relocInfo::external_word_type
@@ -4072,7 +4079,7 @@ void MacroAssembler::verify_secondary_supers_table(Register r_sub_klass,
                                                    Register tmp1,
                                                    Register tmp2,
                                                    Register tmp3) {
-  assert_different_registers(r_sub_klass, r_super_klass, tmp1, tmp2, tmp3, result, t0);
+  assert_different_registers(r_sub_klass, r_super_klass, tmp1, tmp2, tmp3, result, t0, t1);
 
   const Register
     r_array_base   = tmp1,  // X11
@@ -4139,8 +4146,8 @@ void MacroAssembler::get_thread(Register thread) {
                       RegSet::range(x28, x31) + ra - thread;
   push_reg(saved_regs, sp);
 
-  mv(ra, CAST_FROM_FN_PTR(address, Thread::current));
-  jalr(ra);
+  mv(t1, CAST_FROM_FN_PTR(address, Thread::current));
+  jalr(t1);
   if (thread != c_rarg0) {
     mv(thread, c_rarg0);
   }
@@ -4187,8 +4194,8 @@ void MacroAssembler::reserved_stack_check() {
   // We have already removed our own frame.
   // throw_delayed_StackOverflowError will think that it's been
   // called by our caller.
-  la(t0, RuntimeAddress(SharedRuntime::throw_delayed_StackOverflowError_entry()));
-  jr(t0);
+  la(t1, RuntimeAddress(SharedRuntime::throw_delayed_StackOverflowError_entry()));
+  jr(t1);
   should_not_reach_here();
 
   bind(no_reserved_zone_enabling);
@@ -4299,7 +4306,7 @@ address MacroAssembler::load_and_call(Address entry) {
   }
 #endif
   relocate(entry.rspec(), [&] {
-    load_link_jump(target);
+    load_link_jump(target, t1);
   });
 
   postcond(pc() != badAddress);
@@ -4309,7 +4316,7 @@ address MacroAssembler::load_and_call(Address entry) {
 address MacroAssembler::ic_call(address entry, jint method_index) {
   RelocationHolder rh = virtual_call_Relocation::spec(pc(), method_index);
   IncompressibleRegion ir(this);  // relocations
-  movptr(t1, (address)Universe::non_oop_word(), t0);
+  movptr(t0, (address)Universe::non_oop_word(), t1);
   assert_cond(entry != nullptr);
   return reloc_call(Address(entry, rh));
 }
@@ -4323,9 +4330,9 @@ int MacroAssembler::ic_check_size() {
 int MacroAssembler::ic_check(int end_alignment) {
   IncompressibleRegion ir(this);
   Register receiver = j_rarg0;
-  Register data = t1;
+  Register data = t0;
 
-  Register tmp1 = t0; // t0 always scratch
+  Register tmp1 = t1; // scratch
   // t2 is saved on call, thus should have been saved before this check.
   // Hence we can clobber it.
   Register tmp2 = t2;
@@ -4423,8 +4430,8 @@ address MacroAssembler::emit_trampoline_stub(int insts_call_instruction_offset,
     // - load the call
     // - call
     Label target;
-    ld(t0, target);  // auipc + ld
-    jr(t0);          // jalr
+    ld(t1, target);  // auipc + ld
+    jr(t1);          // jalr
     bind(target);
     assert(offset() - stub_start_offset == MacroAssembler::NativeShortCall::trampoline_data_offset,
            "should be");
@@ -5148,11 +5155,11 @@ const int MacroAssembler::zero_words_block_size = 8;
 // ptr:   Address of a buffer to be zeroed.
 // cnt:   Count in HeapWords.
 //
-// ptr, cnt, and t0 are clobbered.
+// ptr, cnt, t1, and t0 are clobbered.
 address MacroAssembler::zero_words(Register ptr, Register cnt) {
   assert(is_power_of_2(zero_words_block_size), "adjust this");
   assert(ptr == x28 && cnt == x29, "mismatch in register usage");
-  assert_different_registers(cnt, t0);
+  assert_different_registers(cnt, t0, t1);
 
   BLOCK_COMMENT("zero_words {");
 
@@ -5170,6 +5177,7 @@ address MacroAssembler::zero_words(Register ptr, Register cnt) {
         return nullptr;
       }
     } else {
+      // Clobbers t1
       rt_call(zero_blocks.target());
     }
   }

src/hotspot/cpu/riscv/macroAssembler_riscv.hpp

@@ -627,34 +627,59 @@ class MacroAssembler: public Assembler {
   void bgtz(Register Rs, const address dest);
 
  private:
-  void load_link_jump(const address source, Register temp = t0);
+  void load_link_jump(const address source, Register temp);
   void jump_link(const address dest, Register temp);
  public:
   // We try to follow risc-v asm menomics.
   // But as we don't layout a reachable GOT,
   // we often need to resort to movptr, li <48imm>.
   // https://github.com/riscv-non-isa/riscv-asm-manual/blob/master/riscv-asm.md
 
+  // Hotspot only use the standard calling convention using x1/ra.
+  // The alternative calling convection using x5/t0 is not used.
+  // Using x5 as a temp causes the CPU to mispredict returns.
+
+  // JALR, return address stack updates:
+  // | rd is x1/x5 | rs1 is x1/x5 | rd=rs1 | RAS action
+  // | ----------- | ------------ | ------ |-------------
+  // |     No      |      No      |   —    | None
+  // |     No      |      Yes     |   —    | Pop
+  // |     Yes     |      No      |   —    | Push
+  // |     Yes     |      Yes     |   No   | Pop, then push
+  // |     Yes     |      Yes     |   Yes  | Push
+  //
+  // JAL, return address stack updates:
+  // | rd is x1/x5 | RAS action
+  // | ----------- | ----------
+  // |     Yes     | Push
+  // |     No      | None
+  //
+  // JUMPs   uses Rd = x0/zero and Rs = x6/t1 or imm
+  // CALLS   uses Rd = x1/ra   and Rs = x6/t1 or imm (or x1/ra*)
+  // RETURNS uses Rd = x0/zero and Rs = x1/ra
+  // *use of x1/ra should not normally be used, special case only.
+
   // jump: jal x0, offset
   // For long reach uses temp register for:
   // la + jr
-  void j(const address dest, Register temp = t0);
-  void j(const Address &adr, Register temp = t0);
-  void j(Label &l, Register temp = t0);
+  void j(const address dest, Register temp = t1);
+  void j(const Address &adr, Register temp = t1);
+  void j(Label &l, Register temp = noreg);
 
   // jump register: jalr x0, offset(rs)
   void jr(Register Rd, int32_t offset = 0);
 
   // call: la + jalr x1
-  void call(const address dest, Register temp = t0);
+  void call(const address dest, Register temp = t1);
 
   // jalr: jalr x1, offset(rs)
   void jalr(Register Rs, int32_t offset = 0);
 
   // Emit a runtime call. Only invalidates the tmp register which
   // is used to keep the entry address for jalr/movptr.
   // Uses call() for intra code cache, else movptr + jalr.
-  void rt_call(address dest, Register tmp = t0);
+  // Clobebrs t1
+  void rt_call(address dest, Register tmp = t1);
 
   // ret: jalr x0, 0(x1)
   inline void ret() {
@@ -1165,8 +1190,9 @@ class MacroAssembler: public Assembler {
   // - relocInfo::external_word_type
   // - relocInfo::runtime_call_type
   // - relocInfo::none
-  void far_call(const Address &entry, Register tmp = t0);
-  void far_jump(const Address &entry, Register tmp = t0);
+  // Clobbers t1 default.
+  void far_call(const Address &entry, Register tmp = t1);
+  void far_jump(const Address &entry, Register tmp = t1);
 
   static int far_branch_size() {
       return 2 * 4;  // auipc + jalr, see far_call() & far_jump()