Require arm_new_za to set ZA to zero #268

Merged
merged 1 commit into from
Aug 4, 2023

rsandifo-arm

name: Pull request
about: Technical issues, document format problems, bugs in scripts or feature proposal.


Thank you for submitting a pull request!

If this PR is about a bugfix:

Please use the bugfix label and make sure to go through the checklist below.

If this PR is about a proposal:

We are looking forward to evaluating your proposal and, if possible,
making it part of the Arm C Language Extension (ACLE) specifications.

We would like to encourage you to read through the contribution
guidelines, in particular the section on submitting a proposal.

Please use the proposal label.

As for any pull request, please make sure to go through the below
checklist.

Checklist: (mark with X those which apply)

  • If an issue reporting the bug exists, I have mentioned it in the
    PR (do not bother creating the issue if all you want to do is
    fixing the bug yourself).
  • I have added/updated the SPDX-FileCopyrightText lines on top
    of any file I have edited. Format is SPDX-FileCopyrightText: Copyright {year} {entity or name} <{contact informations}>
    (Please update existing copyright lines if applicable. You can
    specify year ranges with a hyphen, as in 2017-2019, and use
    commas to separate gaps, as in 2018-2020, 2022).
  • I have updated the Copyright section of the sources of the
    specification I have edited (this will show up in the text
    rendered in the PDF and other output format supported). The
    format is the same described in the previous item.
  • I have run the CI scripts (if applicable, as they might be
    tricky to set up on non-*nix machines). The sequence can be
    found in the contribution guidelines. Don't
    worry if you cannot run these scripts on your machine, your
    patch will be automatically checked in the Actions of the pull
    request.
  • I have added an item that describes the changes I have
    introduced in this PR in the section Changes for next
    release of the section Change Control/Document history
    of the document. Create Changes for next release if it does
    not exist. Notice that changes that are not modifying the
    content and rendering of the specifications (both HTML and PDF)
    do not need to be listed.
  • When modifying content and/or its rendering, I have checked the
    correctness of the result in the PDF output (please refer to the
    instructions on how to build the PDFs locally).
  • The variable draftversion is set to true in the YAML header
    of the sources of the specifications I have modified.
  • Please DO NOT add my GitHub profile to the list of contributors
    in the README page of the project.

@sdesmalen-arm sdesmalen-arm left a comment

Looks like a sensible change to me. As the commit message describes, this doesn't impact the expectedly common case where PSTATE.ZA==0 on entry to the function and it helps avoid possibly hard to find bugs for the case where a lazy-save needs to be committed. The cost of the extra zeroing of ZA is probably not something to worry about when considering the cost of committing the lazy-save.

main/acle.md Outdated
@@ -8852,6 +8854,8 @@ following:
on return from the function. That is, the function does not use ZA
to receive data from callers or to pass data back to callers.

* Every byte of the function's ZA state is initially zero.
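
Review bot: the added bullet "Every byte of the function's ZA state is initially zero" does not say at what point "initially" holds, nor that it also applies when the function is entered with PSTATE.ZA==1 because of an uncommitted lazy save, which is the case the commit message is concerned with. Consider wording it as a guarantee on entry to the function body that holds regardless of the incoming PSTATE.ZA value, so that readers do not assume it only describes the SMSTART ZA case and so that lazily-saved caller contents are clearly excluded from the new state.
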
Contributor

nit: s/initially/initialized to/ ?

Contributor Author

I'd prefer to avoid the passive tense. I reworded things a bit instead — does the new version look better?

The arm_new_za attribute creates new ZA state.  The initial contents of
this state were previously left unspecified.  In practice, there were
two cases:

1. PSTATE.ZA==0 on entry to the function.  In this case, doing an
   SMSTART ZA would clear ZA, and so the initial contents of the
   ZA state would be zero.

2. PSTATE.ZA==1 on entry to the function, due to an uncommitted
   lazy save.  In this case, the SMSTART ZA (if executed) would
   have no effect, and so without explicit action to the contrary,
   the initial contents of the ZA state could be carried over from
   the lazily-saved contents.

Case 1 is expected to be much more common than case 2.  It would
therefore be easy for code to rely (perhaps accidentally) on ZA
starting out as zero and pass testing, with case 2 only showing
up rarely, and in hard-to-debug ways.

Also, not offering a guarantee might cause code to have a defensive
svzero_za that is executed unconditionally, even when it isn't
needed.

Finally, carrying over old contents is bad from a data isolation/
leakage point of view.

This patch therefore requires the initial contents of ZA to be zero.
Implementations can ensure this by adding a ZERO { ZA } instruction
on code paths that commit a lazy save.  Since those paths should be
rarely executed, there should be little effect on performance.

I've prototyped this in GCC and it seems to work OK.
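
The two entry cases in the commit message above can be traced with a small software model. This is an added example, not code from the PR, GCC or LLVM; the `struct cpu` model, its field names, the 64-byte ZA size and the 0xA5 fill pattern are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define ZA_BYTES 64  /* constructed size; real ZA depends on the vector length */

/* Toy model of one thread's ZA state (hypothetical names throughout). */
struct cpu {
    bool pstate_za;              /* models PSTATE.ZA */
    unsigned char za[ZA_BYTES];  /* models the ZA contents */
    unsigned char *lazy_buf;     /* non-NULL: caller's uncommitted lazy save */
};

/* SMSTART ZA: turning ZA on from the off state yields zeroed contents;
   if ZA is already on it has no effect (case 2 in the commit message). */
static void smstart_za(struct cpu *c) {
    if (!c->pstate_za) {
        memset(c->za, 0, ZA_BYTES);
        c->pstate_za = true;
    }
}

/* Prologue of an arm_new_za function. zero_on_commit selects whether the
   path that commits a lazy save also executes ZERO { ZA }. */
static void new_za_prologue(struct cpu *c, bool zero_on_commit) {
    if (c->pstate_za && c->lazy_buf) {
        memcpy(c->lazy_buf, c->za, ZA_BYTES);  /* commit the lazy save */
        c->lazy_buf = NULL;
        if (zero_on_commit)
            memset(c->za, 0, ZA_BYTES);        /* ZERO { ZA } */
    }
    smstart_za(c);
}

/* Returns how many bytes of caller data the new ZA state starts with. */
size_t stale_bytes_on_entry(bool lazy_save_pending, bool zero_on_commit) {
    unsigned char buf[ZA_BYTES];
    struct cpu c = { 0 };
    if (lazy_save_pending) {            /* caller left live data in ZA */
        c.pstate_za = true;
        memset(c.za, 0xA5, ZA_BYTES);   /* constructed caller contents */
        c.lazy_buf = buf;
    }
    new_za_prologue(&c, zero_on_commit);
    size_t n = 0;
    for (size_t i = 0; i < ZA_BYTES; i++)
        n += (c.za[i] != 0);
    return n;
}
```

With no lazy save pending the result is 0 either way, which is why tests that only exercise case 1 pass; only the pending-save case without the zeroing step exposes the caller's bytes to the callee.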
@sdesmalen-arm sdesmalen-arm left a comment

Thanks, the new description is more clear!

@rsandifo-arm rsandifo-arm merged commit cc6d9ff into ARM-software:main Aug 4, 2023
3 checks passed
@rsandifo-arm rsandifo-arm deleted the sme-new-za-zero branch August 4, 2023 08:58
MDevereau added a commit to llvm/llvm-project that referenced this pull request Sep 15, 2023
[The ACLE](ARM-software/acle#268) Demands that
functions with the aarch64_pstate_za_new attribute set all bits of the
ZA register to zero upon entry.
ZijunZhaoCCK pushed a commit to ZijunZhaoCCK/llvm-project that referenced this pull request Sep 19, 2023
CarolineConcatto pushed a commit to CarolineConcatto/acle that referenced this pull request Dec 6, 2023