o3 may follow the wrong execution path
Opening the post so I remember to push a fix when I get some time.
This is a fairy nasty issue that I just ran into. Planets need to be aligned for it to happen but it was not trivial to debug in FS mode...The root cause is that the o3 BTB deals in PCState objects, and not just targets.
The problem is as follows :
Assume cond/uncond direct branch jumping to next branch (PC + 4 in ARM). From the point of view of the PCState object, the instruction is not branching (PCState::branching() will return false). This gets cached in the BTB.
Now assume a conflict in the BTB where a new cond branch is predicted taken and uses the aforementioned PCState object from the BTB.
At decode, the mistarget will be detected, however, to determine what PC to send to fetch, decode looks at
inst->pcState().branching() (decode_impl.hh:305, currently), which is false, and fetch actually gets the fallthrough PC even though the branch is (correctly, in this case) predicted taken.
The fix is simply to look at inst->readPredTaken()since this will always have the correct predicted direction.
This can happen on master given the code in decode_impl.hh and the fact that btb still uses PCState objects to store targets rather than plain Addr (uint64_t)
Happened in Aarch64 on a 2k17 simpoint, FS mode.