Require arm_new_za to set ZA to zero #268
Conversation
Looks like a sensible change to me. As the commit message describes, this doesn't impact the expectedly common case where PSTATE.ZA==0 on entry to the function and it helps avoid possibly hard to find bugs for the case where a lazy-save needs to be committed. The cost of the extra zeroing of ZA is probably not something to worry about when considering the cost of committing the lazy-save.
main/acle.md
@@ -8852,6 +8854,8 @@ following: | |||
on return from the function. That is, the function does not use ZA | |||
to receive data from callers or to pass data back to callers. | |||
|
|||
* Every byte of the function's ZA state is initially zero. |
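Review bot: The new bullet says the function's ZA state is "initially zero" but not at what point that holds or that it holds regardless of PSTATE.ZA on entry, which is the case this change exists for (the commit description's case 2, an uncommitted lazy save). Consider tying the guarantee to function entry explicitly, e.g. `* Every byte of the function's ZA state is zero on entry to the function, whether or not a lazy save was pending.`, so it cannot be read as applying only to the path where SMSTART ZA does the clearing.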
nit: s/initially/initialized to/ ?
I'd prefer to avoid the passive tense. I reworded things a bit instead — does the new version look better?
The arm_new_za attribute creates new ZA state. The initial contents of this state were previously left unspecified. In practice, there were two cases:

1. PSTATE.ZA==0 on entry to the function. In this case, doing an SMSTART ZA would clear ZA, and so the initial contents of the ZA state would be zero.
2. PSTATE.ZA==1 on entry to the function, due to an uncommitted lazy save. In this case, the SMSTART ZA (if executed) would have no effect, and so without explicit action to the contrary, the initial contents of the ZA state could be carried over from the lazily-saved contents.

Case 1 is expected to be much more common than case 2. It would therefore be easy for code to rely (perhaps accidentally) on ZA starting out as zero and pass testing, with case 2 only showing up rarely, and in hard-to-debug ways. Also, not offering a guarantee might cause code to have a defensive svzero_za that is executed unconditionally, even when it isn't needed. Finally, carrying over old contents is bad from a data isolation/leakage point of view.

This patch therefore requires the initial contents of ZA to be zero. Implementations can ensure this by adding a ZERO { ZA } instruction on code paths that commit a lazy save. Since those paths should be rarely executed, there should be little effect on performance.

I've prototyped this in GCC and it seems to work OK.
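The two entry cases and the commit-path ZERO { ZA } fix from the commit message above, as an added host-side C model (not code from the PR, GCC or the ACLE): Machine, smstart_za, new_za_prologue and run_case are constructed simulations of the described behaviour, not real SME instructions or the actual ABI prologue.

```c
/* Added host-side model (constructed; not from the PR, GCC or the ACLE) of the two
 * entry cases in the commit message. ZA is a small byte array, not real SME state. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ZA_BYTES 16                 /* constructed size; real ZA is far larger */

typedef struct {
    uint8_t za[ZA_BYTES];           /* the ZA tile storage */
    bool    pstate_za;              /* PSTATE.ZA: is ZA enabled? */
    bool    lazy_save_pending;      /* caller's ZA is live but not yet saved */
    uint8_t save_buffer[ZA_BYTES];  /* where a committed lazy save lands */
} Machine;

/* SMSTART ZA as the commit message describes it: enabling ZA from the disabled
 * state clears it, but when ZA is already enabled the contents are untouched. */
static void smstart_za(Machine *m) {
    if (!m->pstate_za) { memset(m->za, 0, ZA_BYTES); m->pstate_za = true; }
}

/* Entry sequence of an arm_new_za function. zero_after_commit == false is the
 * pre-patch behaviour; true adds ZERO { ZA } on the lazy-save commit path only. */
static void new_za_prologue(Machine *m, bool zero_after_commit) {
    if (m->lazy_save_pending) {     /* commit the lazy save: store the caller's ZA */
        memcpy(m->save_buffer, m->za, ZA_BYTES);
        m->lazy_save_pending = false;
        if (zero_after_commit) memset(m->za, 0, ZA_BYTES);  /* ZERO { ZA } */
    }
    smstart_za(m);
}

/* True if every byte of the function's ZA state is zero after the prologue. */
static bool za_is_zero(const Machine *m) {
    for (size_t i = 0; i < ZA_BYTES; i++) if (m->za[i]) return false;
    return true;
}

/* pending == false is case 1 (PSTATE.ZA==0 on entry); true is case 2 (PSTATE.ZA==1
 * with an uncommitted lazy save). Stale 0xA5 bytes expose any carried-over contents. */
static bool run_case(bool pending, bool zero_after_commit) {
    Machine m = {0};
    memset(m.za, 0xA5, ZA_BYTES);   /* constructed stale data from the caller */
    m.pstate_za = pending;
    m.lazy_save_pending = pending;
    new_za_prologue(&m, zero_after_commit);
    return za_is_zero(&m);
}
```

run_case(true, false) is pre-patch case 2 and reports that the caller's stale bytes survive into the new ZA state; run_case(true, true) shows the commit-path ZERO { ZA } closing that gap while case 1 is unaffected either way.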
Thanks, the new description is more clear!
[The ACLE](ARM-software/acle#268) demands that functions with the aarch64_pstate_za_new attribute set all bits of the ZA register to zero upon entry.