I am using an Intel performance counter. I’m trying to use the ‘BR_MISP_EXEC.TAKEN_RETURN_NEAR’ event, and the description in the manual says ‘This event counts taken speculative and retired mispredicted indirect branches that have a return mnemonic’. I don't understand what 'that have a return mnemonic' means. Could you please let me know?
I might not get this exactly right, but this should help get you started....
In Intel's terminology, an "indirect branch" is any branch whose target address is not hard-coded as an argument to the instruction. A "RET" instruction is an indirect branch because the address that it jumps to is an address pulled from the top of the stack.
Intel processor implementations use aggressive and sophisticated "branch prediction" implementations that apply to both conditional branches and indirect branches:
- For conditional branches, the target is always directly specified as an argument to the instruction, so the speculation decision is "branch taken" or "branch not taken".
- For indirect branches, there is no condition, but the address of the branch target itself is not available with the instruction, so the speculation is on the branch target address. If a function is usually called from a single place in your program, the branch predictor will quickly learn the return address. When subsequent function calls hit their RET statements, the branch predictor will use the program counter of the RET instruction to predict that "typical" return address and begin fetching instructions from that location. When the processor pipeline actually completes popping the return address off the top of the stack, it will be compared to the predicted address to see if the speculation was correct.
A very interesting discussion of implementation details is at https://blog.stuffedcow.net/2018/04/ras-microbenchmarks/
So pulling it all together, this event increments when a RET instruction is executed and the speculation of the indirect branch target is incorrect. The event will increment if the RET instruction is executed and retired, or if the RET instruction itself is speculatively executed (i.e., beyond another incorrectly speculated branch).
All of this fits into Intel's work on trying to reduce security exposures due to control flow speculation. This is a large topic, with many issues discussed in Chapter 18 of Volume 1 of the Intel Architecture SW Developer's Manual (document 253665, revision 071, October 2019) on "Control-flow Enforcement Technology" (CET).
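The following is an added example, not part of the original posts and not Intel's implementation: a toy model that replays a call/return trace and counts, per RET, whether the predicted return target differs from the address actually popped, which is the condition the event is described as counting. It compares the per-RET "typical address" predictor described in the answer with a small return address stack (RAS), the structure the linked article benchmarks; `RAS_DEPTH`, `TBL`, `MAXD` and all addresses are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RAS_DEPTH 4   /* assumed RAS depth, kept small so overflow is visible */
#define TBL 16        /* assumed size of the per-RET last-target table */
#define MAXD 64       /* deepest call nesting the model tracks */
struct ev { int is_call; uint64_t addr; }; /* CALL: return address pushed; RET: PC of the RET */
struct counts { unsigned rets, misp_last, misp_ras; };
/* Replay a call/return trace against two toy return-target predictors. */
struct counts simulate(const struct ev *t, size_t n)
{
    uint64_t stack[MAXD], ras[RAS_DEPTH] = {0}, last[TBL] = {0};
    size_t sp = 0;
    struct counts c = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (t[i].is_call && sp < MAXD) {
            stack[sp] = t[i].addr;            /* architectural return address */
            ras[sp % RAS_DEPTH] = t[i].addr;  /* circular RAS overwrites old entries */
            sp++;
        } else if (!t[i].is_call && sp > 0) {
            uint64_t actual = stack[--sp];    /* what the RET really pops */
            uint64_t *slot = &last[(t[i].addr >> 4) % TBL];
            c.rets++;
            c.misp_last += (*slot != actual); /* "typical address for this RET" model */
            c.misp_ras += (ras[sp % RAS_DEPTH] != actual);
            *slot = actual;                   /* learn the most recent target */
        }
    }
    return c;
}

/* Constructed trace: one function (RET at 0x2000) called alternately from two sites. */
static const struct ev two_callers[] = {
    {1, 0x1005}, {0, 0x2000}, {1, 0x1105}, {0, 0x2000},
    {1, 0x1005}, {0, 0x2000}, {1, 0x1105}, {0, 0x2000},
};
/* Constructed trace: six nested calls, then six returns (deeper than RAS_DEPTH). */
static const struct ev deep_chain[] = {
    {1, 0x1005}, {1, 0x2005}, {1, 0x3005}, {1, 0x4005}, {1, 0x5005}, {1, 0x6005},
    {0, 0x7000}, {0, 0x6010}, {0, 0x5020}, {0, 0x4030}, {0, 0x3040}, {0, 0x2050},
};
int main(void)
{
    struct counts a = simulate(two_callers, 8), b = simulate(deep_chain, 12);
    printf("two_callers: rets=%u last-target misp=%u RAS misp=%u\n", a.rets, a.misp_last, a.misp_ras);
    printf("deep_chain:  rets=%u last-target misp=%u RAS misp=%u\n", b.rets, b.misp_last, b.misp_ras);
    return 0;
}
```

In this model the alternating-caller trace defeats the per-RET predictor on every return while the RAS predicts all of them, and the deep chain shows the RAS mispredicting only the two returns whose entries were overwritten.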