cmd/compile: prevent 387+float32+pie from clobbering registers

The 387 port needs to load a floating-point control word from a
global location to implement float32 arithmetic.
When compiling with -pie, loading that control word clobbers an
integer register. If that register had something important in it, boom.

Fix by using LEAL to materialize the address of the global location
first. LEAL with -pie works because the destination register is
used as the scratch register.

387 support is about to go away (#40255), so this will need to be
backported to have any effect.

No test. I have one, but it requires building with -pie, which
requires cgo. Our testing infrastructure doesn't make that easy.
Not worth it for a port which is about to vanish.

Fixes #41503

Change-Id: I140f9fc8fdce4e74a52c2c046e2bd30ae476d295
Reviewed-on: https://go-review.googlesource.com/c/go/+/257277
Run-TryBot: Keith Randall <[email protected]>
Reviewed-by: Cherry Zhang <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
TryBot-Result: Go Bot <[email protected]>
Trust: Keith Randall <[email protected]>

Author: randall77

src/cmd/compile/internal/x86/387.go

@@ -139,12 +139,18 @@ func ssaGenValue387(s *gc.SSAGenState, v *ssa.Value) {
 		// Set precision if needed.  64 bits is the default.
 		switch v.Op {
 		case ssa.Op386ADDSS, ssa.Op386SUBSS, ssa.Op386MULSS, ssa.Op386DIVSS:
-			p := s.Prog(x86.AFSTCW)
+			// Save AX so we can use it as scratch space.
+			p := s.Prog(x86.AMOVL)
+			p.From.Type = obj.TYPE_REG
+			p.From.Reg = x86.REG_AX
 			s.AddrScratch(&p.To)
-			p = s.Prog(x86.AFLDCW)
-			p.From.Type = obj.TYPE_MEM
-			p.From.Name = obj.NAME_EXTERN
-			p.From.Sym = gc.ControlWord32
+			// Install a 32-bit version of the control word.
+			installControlWord(s, gc.ControlWord32, x86.REG_AX)
+			// Restore AX.
+			p = s.Prog(x86.AMOVL)
+			s.AddrScratch(&p.From)
+			p.To.Type = obj.TYPE_REG
+			p.To.Reg = x86.REG_AX
 		}
 
 		var op obj.As
@@ -167,8 +173,7 @@ func ssaGenValue387(s *gc.SSAGenState, v *ssa.Value) {
 		// Restore precision if needed.
 		switch v.Op {
 		case ssa.Op386ADDSS, ssa.Op386SUBSS, ssa.Op386MULSS, ssa.Op386DIVSS:
-			p := s.Prog(x86.AFLDCW)
-			s.AddrScratch(&p.From)
+			restoreControlWord(s)
 		}
 
 	case ssa.Op386UCOMISS, ssa.Op386UCOMISD:
@@ -225,19 +230,11 @@ func ssaGenValue387(s *gc.SSAGenState, v *ssa.Value) {
 	case ssa.Op386CVTTSD2SL, ssa.Op386CVTTSS2SL:
 		push(s, v.Args[0])
 
-		// Save control word.
-		p := s.Prog(x86.AFSTCW)
-		s.AddrScratch(&p.To)
-		p.To.Offset += 4
-
 		// Load control word which truncates (rounds towards zero).
-		p = s.Prog(x86.AFLDCW)
-		p.From.Type = obj.TYPE_MEM
-		p.From.Name = obj.NAME_EXTERN
-		p.From.Sym = gc.ControlWord64trunc
+		installControlWord(s, gc.ControlWord64trunc, v.Reg())
 
 		// Now do the conversion.
-		p = s.Prog(x86.AFMOVLP)
+		p := s.Prog(x86.AFMOVLP)
 		p.From.Type = obj.TYPE_REG
 		p.From.Reg = x86.REG_F0
 		s.AddrScratch(&p.To)
@@ -247,9 +244,7 @@ func ssaGenValue387(s *gc.SSAGenState, v *ssa.Value) {
 		p.To.Reg = v.Reg()
 
 		// Restore control word.
-		p = s.Prog(x86.AFLDCW)
-		s.AddrScratch(&p.From)
-		p.From.Offset += 4
+		restoreControlWord(s)
 
 	case ssa.Op386CVTSS2SD:
 		// float32 -> float64 is a nop
@@ -373,3 +368,36 @@ func ssaGenBlock387(s *gc.SSAGenState, b, next *ssa.Block) {
 
 	ssaGenBlock(s, b, next)
 }
+
+// installControlWord saves the current floating-point control
+// word and installs a new one loaded from cw.
+// scratchReg must be an unused register.
+// This call must be paired with restoreControlWord.
+// Bytes 4-5 of the scratch space (s.AddrScratch) are used between
+// this call and restoreControlWord.
+func installControlWord(s *gc.SSAGenState, cw *obj.LSym, scratchReg int16) {
+	// Save current control word.
+	p := s.Prog(x86.AFSTCW)
+	s.AddrScratch(&p.To)
+	p.To.Offset += 4
+
+	// Materialize address of new control word.
+	// Note: this must be a seperate instruction to handle PIE correctly.
+	// See issue 41503.
+	p = s.Prog(x86.ALEAL)
+	p.From.Type = obj.TYPE_MEM
+	p.From.Name = obj.NAME_EXTERN
+	p.From.Sym = cw
+	p.To.Type = obj.TYPE_REG
+	p.To.Reg = scratchReg
+
+	// Load replacement control word.
+	p = s.Prog(x86.AFLDCW)
+	p.From.Type = obj.TYPE_MEM
+	p.From.Reg = scratchReg
+}
+func restoreControlWord(s *gc.SSAGenState) {
+	p := s.Prog(x86.AFLDCW)
+	s.AddrScratch(&p.From)
+	p.From.Offset += 4
+}