wacked
/
blog
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
9 Revize
1 Větev
Strom: 25d9ab9bcc
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „25d9ab9bcc“
${ noResults }
blog/content/posts/arm-glibc-strlen.md

arm-glibc-strlen.md 6.8KB
Surový Normální zobrazení Historie

add the content i already wrote
před 4 roky
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102 
  1. ---

  2. title: "Arm Glibc Strlen"

  3. date: 2019-07-03T22:14:20+01:00

  4. draft: false

  5. ---

  6. # Intro

  7. I wanted to get back into ARM assembler so I wrote my own strlen. And then I looked at the strlen() glibc uses and did not understand

  8. a single thing. So I sat down and figured it out.

  9. 

  10. XXX IMG HERE XXX

  11. 

  12. On the left you see a flow diagram of the building blocks of my naive implementation. On the right you see glibc's. You might

  13. notice that it is more complex. (How much faster it is, and which optimization exactly makes it fast is an interesting topic.

  14. maybe another time)

  15. 

  16. I want to go through the function with a focus on two things:

  17. - the actual counting (d'uh)

  18. - the optimization if the string does not start on a word[0] boundary

  19. 

  20. # 1. The actual counting / the inner loop

  21. The first thing I noticed about the inner loop is that it is unrolled. That is a fairly obvious optimization, made a bit harder

  22. because strlen does not clearly unroll as the input is cleanly divisible by word size. So on the end of every basic block there

  23. is a check which skips out of the loop and to the end where the result is calculated and returned.

  24. 

  25. XXX IMG HERE XXX

  26. 

  27. The basic blocks are basically identical. First the registers r2 and r3 are populated with the next two words to be checked for

  28. the null byte. Now r2 and r3 each contain one word (i.e. 4 bytes). How do you check whether there is a null byte *somewhere* in them?

  29. Without going through the bytes seperatly of course.

  30. 

  31. ARM processors have a status word called Application Program Status Register (APSR). It contains the result of ALU operations,

  32. for example if the operation overflowed, if it was zero, ... It also has 4 bits corrosponding to the "Greater or Equal" (GE) result of

  33. the ARM SIMD[1] instructions. But every possible value is "greater or equal" to zero. So how does that help?

  34. 

  35. The bitwise opposite of 0 is 0xFF or 255 in decimal. Because it is the biggest possible value representable in one byte a GE

  36. comparion will only match if 0xFF is compared with 0xFF itself. The code already set up r12 to the value of 0xFFFFFFFF so one

  37. part of the equation is available. However the usual compare instructions do not set the 4 GE bits. They are only set by

  38. ADD16, ASX, SAX, SUB16, ADD8 and SUB8.

  39. 

  40. One possible way to turn a 0 into an 0xFF is to just add 0xFF. For all other values the result will overflow and be less.

  41. Luckily r12 already contains 4 bytes of 0xFF. And that is the second step in every basic block of the inner loop.

  42. 

  43. So for example if you had

  44. `r2 = 0x30313200`, `r12 = 0xffffff` and `ASPR.GE = [0, 0, 0, 0]`

  45. after `r2 = r2 + r12` `r2` contains `0x293031FF` and `ASPR.GE = [0, 0, 0, 1]`.

  46. 

  47. While it is great to know that where used to be a 0 now is a 0xFF it did not actually help. Instead of trying to figure out

  48. where a zero byte was now we have to figure out where a 0xFF is. So we did not actually gain anything.

  49. 

  50. The arm manual for the GE flags contains this little sentence:

  51. > These flags can control a later SEL instruction. For more information, see SEL on page A8-602.

  52. 

  53. 

  54. The SEL opcode "selects each byte of its result from either its first operand or its second operand, according to the

  55. values of the GE flags". So this is a way to quickly eliminate all non zero (well non 0xFF) bytes.

  56. SEL r2, r4, r12

  57. r4 contains all zeros, so if the GE flag for this byte is false, the value from r4 is taken. r2 now contains a zero. Else it still contains the 0xFF.

  58. Now you could just reverse that value and count the leading zeros to get the position of the null byte. However the `ldrd`

  59. instruction did not only read one word into r2 but also one into r3. Since zero bytes are rare it would be a waste to not

  60. also check if there maybe wasn't one in the second word -- which we already read anyway.

  61. 

  62. It also adds r12 to turn all zero bytes into 0xFF. However it can't then do the exact same thing, because that would destroy

  63. the information from the previous word. So instead it SEL with r2 instead of an all zero register. That means that in the case

  64. that there was a null byte (and thus the GE flag is set) at this position in r3 the 0xFF from r12 is taken. If not however the

  65. value from r2 is. Which might or might not be a 0xFF.

  66. 

  67. If no zero byte was in those two words r3 will now be all zero. If not it will be something else. So the last instruction of

  68. the basic block is a `cbnz r3` skipping the next two unrolled blocks. This completes the inner loop.

  69. 

  70. # 2. Alignment

  71. The `ldrd` instruction can not do unaligned accesses. But a string might be unaligned, for all sorts of reasons. (And POSIX probably mandates

  72. that strlen() should handle unaligned strings). So like in all SIMD cases, there need to be a couple steps before the actual work begins. OFten

  73. that is going through the data one byte at a time until it is aligned. However this implementation does something much smarter.

  74. 

  75. First it checks whether the string is unaligned by checking if the lower three bits are zero using straightforward bit twiddeling. But if they are not,

  76. the code actually puts the argument into r1 and rounds down. So from now on it is safe to load from there. While doing that it puts by how much it rounded

  77. down into r4 and then sets r0 to `-r4`. So effectively the result is that this string starts with a length of -4 instead of 0.

  78. 

  79. # 3. Other cute features

  80. When calculating the end result, there is a problem. In every basic block (but the first one obv) the code already incremented the length. But now the null byte could be in either r2 or r3

  81. -- which is it? The code firstly checks if r2 is all zeros. If that is the case the it has to be r3. So there is a conditial move `r2 = r3` and incrementing the length by 4.

  82. (if you recall the length started counting at -4 also for unaligned access, so now the length would be zero)

  83. 

  84. It is reasonable to assume that every strlen() implementation will be memory bound. So at the beginning of the inner loop,

  85. there is a preload instruction to load the next cacheline. As there are 4 unrolled basic block, each checking 2 words the loop in total checks 64bits.

  86. which is exactly a cacheline. This ensure that the data to be checked should always be there, minimising waiting time.

  87. 

  88. # 4. Wrap up

  89. Going through this was a valuable learning experience. I learned some new instructions, learned some new tricks (`rev r2, r2` then `clz r2, r2` to get the index in a word).

  90. 

  91. There are a couple obvious further topics just with this function:

  92. 

  93.     is it even worth it? How much faster is this? Which trick contributed how much?

  94.     do those changes break anything? If it reads two words at a time, what happens if it reads into un-allocated memory?

  95.     how would it look with NEON instructions?

  96.     wait... i never even looked at a real life AMD64 implementation of strlen

  97.     it doesn't look like the code in glibc. What gives?

  98. 

  99. 

  100. Footnotes

  101. [0] word as in machine width (32bit in this case), not the windows.h #define WORD.

  102. [1] Not NEON (Advanced SIMD).