-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSetBoundsRoundDown #74
Conversation
0d2c6b6
to
8ad5dfc
Compare
This copies "the TLS stack buffer trick" into the base RTOS for broader use. The implementation can be replaced with [CSetBoundsRoundDown](CHERIoT-Platform/cheriot-sail#74) if and when that lands in the ISA.
@rmn30 can this be accomplished by making smaller changes to setCapBounds, for example by removing the T=T+1 part of the following code? If we implement this instruction using the same way it is defined in PR, the new length has to be computed before the setCapBounds logic. This would impact both critical path timing and area. |
I think it might take a little more than just eliminating the T increment (because we also want to avoid rounding base down) but I think we should be able to come up with an implementation. It may even be a bit simpler than existing CSetBounds. |
So, musing aloud... given |
Not quite sure I am following - wouldn't we want to compute the exponent of length (rs2) first and round the length down? |
I think we could use I've not thought this through entirely and would need to do formal checks once we have it in Sail. Edit: definitely needs more thought. base can be made more than After more thought: Since e_l is the smallest exponent that can represent the requested length if we have to use the smaller e_b to align the base we know we have to return a max length cap. The only other thing we have to deal with if is e_l is 24 (max e) and |
Attempt at Sail for above: 823e75b |
That (comment and 823e75b) looks sensible to me and corrects a bug in my original attempt (I'd missed the |
Ok this looks good. I am still mulling ways to merge this with the existing setCapBounds logic to save some area (a little tricky there since setCapBounds is also the critical timing path). But even if that doesn't work out it may not be too bad (maybe adding additional 2% of area or so?). |
@rmn30 also want to confirm - looks like the inCapBounds check is the still the same, i.e., compare the "requested" top vs the cs1.top and the new base (cs1.address) vs cs1.base? |
Yes, this should never return a length that is greater than the requested length so the existing check works fine. Would like to have a proof of this, though. |
Could you look at the last commit in this branch that combines this with some encoding changes? I think this simplifies setCapBounds (both versions) as well as making the encoding more efficient. |
Hmm I can see the good things but also a bit nervous about changing encoding at this stage. The previous commit is incremental so it is less risk (worst case we just don't use the new instruction) and relatively easy to verify by adding new tests/properties. On the other hand, an encoding change impacts the behavior of existing instructions and requires more extensive changes in verification test cases and formal checks. Also the area/timing impacts (even though they might be positive) need to be evaluated as well. So, I would say the better way is to decouple those two and just get the csetboundsrounddown to work here. After this round of changes we can spend sometime on evaluating the encoding change and update the DV infrastructure. |
Also one potential issue about the proposed encoding is that it may take a little longer to calculate top correction.. Currently we only do T<B and A < B comparison. With this change we need to figure out T[8] based on E first.. May not be a huge deal but it is on the memory critical path (since we calculate the correction right after the cap bits are loaded from the memory, before it is written into the register file (corrections are part of the register file). |
Yeah, the encoding change is potentially risky and not necessary for this change but I wanted to see how they would work together. Would be good to chat with you about it as there a few options to potentially help with timing.
Actually, the worst case is we accidentally introduce non-monotonic capability manipulation... I think it's unlikely but would like to do some proof to check. We could have a chicken bit just in case but hopefully unnecessary. |
8ad5dfc
to
716ad2c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM if @kliuMsft is happy.
716ad2c
to
db662a3
Compare
Looks good to me. We can experiment more with encoding after this. Chicken bit sounds a good idea but we need to figure out a way to control the chicken bit - perhaps just use a memory-mapped register input (the same way we use to control the revoker)? |
I've written some |
db662a3
to
3990ca5
Compare
3990ca5
to
222b1fb
Compare
OK, here (222b1fb, and in particular 7805dcb, to be squashed if correct) is an attempt at fixing the "rounding down saturated exponents might round to zero" issue. The three SMT properties seem like they might be useful ones. |
1962218
to
e9ff9ff
Compare
8b1e714
to
f0f8758
Compare
9777b89
to
06ab4be
Compare
FIXES #72 Co-authored-by: Nathaniel Wesley Filardo <wes.filardo@scisemi.com>
Co-authored-by: Robert Norton <robert.norton@microsoft.com>
06ab4be
to
1c5b948
Compare
See #72.