The fight with "speculative execution", the root cause of the CPU vulnerability problem, has existed since the Xbox 360 era



Meltdown and Spectre became a major problem following reports that "there is a structural vulnerability in CPUs made by Intel". Vulnerability countermeasures are being rolled out in each piece of software, and there is concern that performance will suffer. Regarding "speculative execution", the technique regarded as the cause of this CPU vulnerability problem, a game developer has revealed that a bug rooted in speculative execution already existed back in the days of the Xbox 360 game console.

Finding a CPU Design Bug in the Xbox 360 | Random ASCII
https://randomascii.wordpress.com/2018/01/07/finding-a-cpu-design-bug-in-the-xbox-360/

Bruce Dawson, a software engineer working at Google, recounts on his blog "Random ASCII" the CPU bug he struggled with on the Xbox 360 back then. Dawson says that this bug has basically the same structure as Meltdown and Spectre, which are now the talk of the industry.

The IBM "PowerPC" CPU adopted in the Xbox 360 had three CPU cores and a single L2 cache. To suit this unique 3-core + 1 MB L2 cache structure, an optional "xDCBT" instruction was added to the PowerPC, which bypasses the L2 cache and prefetches data directly into the L1 cache. Because data prefetching has a big impact on performance, many game developers apparently tried to make active use of the xDCBT instruction, but it sometimes caused frequent heap crashes, so Dawson says the xDCBT instruction was removed from the game's code.


However, even code that did not use the xDCBT instruction suffered from serious crashes. Dawson asked IBM by e-mail for an explanation of the CPU's internal structure, and as a result learned that the PowerPC used a very long CPU pipeline.

The schematic below shows the PowerPC CPU pipeline. Dawson says it is far too long a pipeline for an in-order CPU, that is, one that executes instructions in program order.


The "Branch Predictor" in the schematic above makes a "prediction", and the predicted instructions are fetched, decoded and executed. However, the predicted work is kept rather than discarded until the prediction is confirmed to be correct. This is almost the same structure as the speculative execution behind Meltdown and Spectre. According to Dawson, the combination of the Branch Predictor and the xDCBT instruction proved to be extremely bad.

Dawson and his colleagues experimented by replacing all xDCBT-related code in the game with breakpoints, and confirmed two things: "no breakpoint was ever hit" and "no crash occurred". In other words, it became clear that the Branch Predictor had a negative effect on the stability of the game code.
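The following toy simulation is an added illustration, not code from Dawson's post or from the Xbox 360 toolchain. It models an in-order core whose branch predictor speculatively executes the instruction a taken branch should skip, and an xDCBT-style prefetch that fills L1 while bypassing L2. It assumes (this is not stated on the page) that such a line is invisible to L2-based invalidation, so a later store by another core leaves a stale copy in L1; the breakpoint variant reproduces the "no breakpoint hit, no crash" experiment.

```python
from dataclasses import dataclass, field

@dataclass
class Core:
    name: str
    l1: dict = field(default_factory=dict)   # addr -> [value, tracked_by_l2]
    breakpoint_hits: int = 0
    last: object = None                      # result of the most recent load

class Machine:
    """Shared L2 plus per-core L1s; stores invalidate only L1 lines filled via L2."""
    def __init__(self, memory):
        self.l2 = dict(memory)               # constructed sample memory image
    def store(self, addr, value, cores):
        self.l2[addr] = value
        for c in cores:
            if addr in c.l1 and c.l1[addr][1]:
                del c.l1[addr]               # normal coherence traffic
    def load(self, core, addr):
        if addr not in core.l1:
            core.l1[addr] = [self.l2[addr], True]   # fill through L2: tracked
        return core.l1[addr][0]
    def xdcbt(self, core, addr):
        # ASSUMPTION: a line fetched around L2 is never invalidated by L2,
        # so later stores from other cores leave this copy stale.
        core.l1[addr] = [self.l2[addr], False]

def run(machine, core, program, keep_speculative_effects=True):
    """'branch' skips the next instruction when its condition is True. The predictor
    always guesses fall-through, so the skipped instruction runs speculatively and,
    if keep_speculative_effects is set, its cache side effect survives the squash."""
    pc = 0
    while pc < len(program):
        op, *args = program[pc]
        if op == "branch" and args[0]:
            nxt = program[pc + 1]
            if keep_speculative_effects and nxt[0] == "xdcbt":
                machine.xdcbt(core, nxt[1])  # prefetch effect is kept
            pc += 2                          # a squashed breakpoint never fires
            continue
        if op == "xdcbt": machine.xdcbt(core, args[0])
        elif op == "breakpoint": core.breakpoint_hits += 1
        elif op == "load": core.last = machine.load(core, args[0])
        pc += 1
    return core

def scenario(prefetch_op, keep_speculative_effects=True):
    """Core A skips a prefetch, core B updates the data, core A reads it back."""
    addr = 0x1000                             # constructed address
    m, a, b = Machine({0x1000: "old"}), Core("A"), Core("B")
    run(m, a, [("branch", True), (prefetch_op, addr)], keep_speculative_effects)
    m.store(addr, "new", [a, b])
    run(m, a, [("load", addr)], keep_speculative_effects)
    return a.breakpoint_hits, a.last
```

`scenario("xdcbt")` returns the stale value even though the program never architecturally executed the prefetch, while `scenario("breakpoint")` hits no breakpoint and reads the fresh value.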

in Hardware, Game, Posted by darkhorse_log