|
Re: Proposal: Supervisor Timer CSR and Virtual Supervisor Timer CSR
I haven't gone through all of sections 3.1 and 3.2 yet, but it seems like 3.1 starts off on the wrong foot. It states that "the current RISC-V spec states that vsie.STIE is an alias of hie.VSTIE". I believe this (and the subsequent observations) are flawed for a combination of reasons.
First, the Priv spec says "When bit 6 of hideleg is zero, vsip.STIP and vsie.STIE are read-only zeros. Else, vsip.STIP
and vsie.STIE are aliases of hip.VSTIP and hie.VSTIE." Not quite the same as vsie.STIE and hie.VSTIE always being aliases of each other. This will matter down below.
Second, note that the Priv spec says, regarding vsie.STIE, that:
"The vsip and vsie registers are VSXLEN-bit read/write registers that are VS-mode’s versions of supervisor CSRs sip and sie, formatted as shown in Figures 5.22 and 5.23 respectively. When V=1, vsip and vsie substitute for the usual sip and sie, so instructions that normally read or modify sip/sie actually access vsip/vsie instead."
In other words, vsie.STIE substitutes for sie.STIE when (and only when) V=1.
And sie.STIE is not an alias or anything else of hie.VSTIE. The spec says that "the nonzero bits in sie and hie are always mutually exclusive".
Thirdly, note that hie.VSTIE is the enable for hip.VSTIP and hip.VSTIP "is the logical-OR of hvip.VSTIP and any other
platform-specific timer interrupt signal directed to VS-level". A vstimecmp interrupt would fall in that latter category.
Fourthly, when hideleg
bit 6
is zero, then hip.VSTIP=1 is directed to be serviced by HS-mode. But when hideleg
bit 6
is one, then hip.VSTIP=1 is directed to be serviced by VS-mode - and then (and only then) is vsip.STIP an alias of hip.VSTIP (and
vsie.STIE an alias of hie.VSTIE).
So, in this latter case, since a vstimecmp interrupt factors into hip.VSTIP, it then also factors into vsip.STIP. And when the
vstimecmp
interrupt is recognized, it is taken in VS-mode and not in HS-mode (i.e. not into the hypervisor) due to hideleg.
Conversely, if hideleg directs the interrupt to the hypervisor, then vsie/vsip.STIP are not aliases of hie/hip.VSTIP. And hence clearing of hie.VSTIE does not not affect vsie.STIE (vsie.STIE, in fact, is read-only zeros).
So it seems like the stated problem case in section 3.1 cannot arise.
Greg
Hi Everyone,
This is an updated version of our previous proposal on the clock source and clock event source. We have aligned our ideas with the latest hypervisor extension specs, removed the redundant parts, and uncovered some issues
if we are going to implement this proposal with the current design. We give an analysis together with the proposed new CSRs in the attached document.
BTW, we have learned recently that there is an on-going work on an improved version of the PLIC which is virtualization-aware, is there any documents available?
Regards,
Siqi
|
|
|
Proposal: Supervisor Timer CSR and Virtual Supervisor Timer CSR
Hi Everyone,
This is an updated version of our previous proposal on the clock source and clock event source. We have aligned our ideas with the latest hypervisor extension specs, removed the redundant parts, and uncovered some issues
if we are going to implement this proposal with the current design. We give an analysis together with the proposed new CSRs in the attached document.
BTW, we have learned recently that there is an on-going work on an improved version of the PLIC which is virtualization-aware, is there any documents available?
Regards,
Siqi
|
|
|
Re: CSR address for debug scontext and hcontext
Allen Baum
toggle quoted message
Show quoted text
On Tue, Aug 25, 2020 at 12:52 PM Andrew Waterman < andrew@...> wrote: Any objections with merging Ernie’s PR that allocates addresses for the *context CSRs? Note, it has been pared back from the original request and is only allocating one CSR per privilege mode, rather than a large block. Hello,
Background:
You may be aware that the RISC-V Debug Specification 0.13 defines two CSRs, mcontext and scontext, that can be used to qualify hardware breakpoints in a particular OS process or thread. A modified S-mode OS kernel writes the process ID to scontext when switching processes. Breakpoint hardware can be set to trigger only when the process ID in scontext matches the desired process. Using ASID instead of scontext to qualify breakpoints has been suggested. However, many systems do not implement ASID or only implement a narrow field, forcing the OS to recycle ASID values. This makes ASID useless for breakpoint qualification.
For those familiar with ARM, the equivalent registers in that architecture are CONTEXTIDR_EL1 and CONTEXTIDR_EL2.
Problem:
Scontext is defined in the ratified Debug Spec at CSR 0x7aa which is in the "Machine Standard read/write debug CSR" region and so is, by convention, inaccessible from S-mode.
The Debug Spec was ratified before work on the hypervisor had gotten very far, so Debug Spec 0.13 does not provide full support for hypervisor-based systems. Among the missing items is a definition for an "hcontext" register to qualify breakpoints in a particular virtual machine. An argument could be made to use VMID for this, but the discussion above about ASID qualification would also apply to VMID.
Proposed Solution:
The Debug Task Group would like to suggest allocating a range of CSR addresses in one of the Supervisor Standard read/write regions and in one of the Hypervisor Standard read/write regions to use for debug registers. Our suggestion is 0x5A0-0x5AF for S-mode and 0x6A0-0x6AF for HS-mode, complementing the 0x7A0-0x7AF already defined for M-mode debug registers. Allocating more than just one address gives the Debug TG flexibility for the future.
Thanks, Ernie Edgar RISC-V Debug Task Group
|
|
|
Re: CSR address for debug scontext and hcontext
No objections from me.
Greg
On Tue, Aug 25, 2020 at 12:52 PM Andrew Waterman < andrew@...> wrote: Any objections with merging Ernie’s PR that allocates addresses for the *context CSRs? Note, it has been pared back from the original request and is only allocating one CSR per privilege mode, rather than a large block. Hello,
Background:
You may be aware that the RISC-V Debug Specification 0.13 defines two CSRs, mcontext and scontext, that can be used to qualify hardware breakpoints in a particular OS process or thread. A modified S-mode OS kernel writes the process ID to scontext when switching processes. Breakpoint hardware can be set to trigger only when the process ID in scontext matches the desired process. Using ASID instead of scontext to qualify breakpoints has been suggested. However, many systems do not implement ASID or only implement a narrow field, forcing the OS to recycle ASID values. This makes ASID useless for breakpoint qualification.
For those familiar with ARM, the equivalent registers in that architecture are CONTEXTIDR_EL1 and CONTEXTIDR_EL2.
Problem:
Scontext is defined in the ratified Debug Spec at CSR 0x7aa which is in the "Machine Standard read/write debug CSR" region and so is, by convention, inaccessible from S-mode.
The Debug Spec was ratified before work on the hypervisor had gotten very far, so Debug Spec 0.13 does not provide full support for hypervisor-based systems. Among the missing items is a definition for an "hcontext" register to qualify breakpoints in a particular virtual machine. An argument could be made to use VMID for this, but the discussion above about ASID qualification would also apply to VMID.
Proposed Solution:
The Debug Task Group would like to suggest allocating a range of CSR addresses in one of the Supervisor Standard read/write regions and in one of the Hypervisor Standard read/write regions to use for debug registers. Our suggestion is 0x5A0-0x5AF for S-mode and 0x6A0-0x6AF for HS-mode, complementing the 0x7A0-0x7AF already defined for M-mode debug registers. Allocating more than just one address gives the Debug TG flexibility for the future.
Thanks, Ernie Edgar RISC-V Debug Task Group
|
|
|
Re: CSR address for debug scontext and hcontext
Any objections with merging Ernie’s PR that allocates addresses for the *context CSRs? Note, it has been pared back from the original request and is only allocating one CSR per privilege mode, rather than a large block.
Hello,
Background:
You may be aware that the RISC-V Debug Specification 0.13 defines two CSRs, mcontext and scontext, that can be used to qualify hardware breakpoints in a particular OS process or thread. A modified S-mode OS kernel writes the process ID to scontext when switching processes. Breakpoint hardware can be set to trigger only when the process ID in scontext matches the desired process. Using ASID instead of scontext to qualify breakpoints has been suggested. However, many systems do not implement ASID or only implement a narrow field, forcing the OS to recycle ASID values. This makes ASID useless for breakpoint qualification.
For those familiar with ARM, the equivalent registers in that architecture are CONTEXTIDR_EL1 and CONTEXTIDR_EL2.
Problem:
Scontext is defined in the ratified Debug Spec at CSR 0x7aa which is in the "Machine Standard read/write debug CSR" region and so is, by convention, inaccessible from S-mode.
The Debug Spec was ratified before work on the hypervisor had gotten very far, so Debug Spec 0.13 does not provide full support for hypervisor-based systems. Among the missing items is a definition for an "hcontext" register to qualify breakpoints in a particular virtual machine. An argument could be made to use VMID for this, but the discussion above about ASID qualification would also apply to VMID.
Proposed Solution:
The Debug Task Group would like to suggest allocating a range of CSR addresses in one of the Supervisor Standard read/write regions and in one of the Hypervisor Standard read/write regions to use for debug registers. Our suggestion is 0x5A0-0x5AF for S-mode and 0x6A0-0x6AF for HS-mode, complementing the 0x7A0-0x7AF already defined for M-mode debug registers. Allocating more than just one address gives the Debug TG flexibility for the future.
Thanks, Ernie Edgar RISC-V Debug Task Group
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Allen Baum
To be fair, I said the same thing a month or so ago and had the same thing pointed out to me! -Allen
On Aug 21, 2020, at 10:25 AM, Bill Huffman < huffman@...> wrote:
You're right, Allen. I didn't think that one was true. Delegation bits are presumably part of the core dispatch area and not kept somewhere else. It would be different to have exceptions depend on operational performance
counter registers, though.
Bill
On 8/20/20 9:26 PM, Allen Baum wrote:
EXTERNAL MAIL
Prvi spec v1.12 sec 3.1.12:
When the CY, TM, IR, or HPMn
bit in the mcounteren
register is clear, attempts to read the
cycle,
time,
instret, or
hpmcountern
register while executing in S-mode or U-mode will cause an illegal instruction exception. When one of these bits is set, access to the corresponding register is permitted in the next implemented privilege
mode (S-mode if implemented, otherwise U-mode).
Well, I'd be a little bit more specific: access can be conditioned on more than the CSR number, as the existence of Mcounteren CSR proves.
But, in that case, the register bit that controls access is static, held in a CSR, not dynamic and selected by the instruction, as a GPR value would do.
On Thu, Aug 20, 2020 at 12:35 PM Bill Huffman < huffman@...> wrote:
Chuanhua,
The spec is set to determine writable (and required privilege) based entirely on CSR number. Anything that determined exceptions based on data or the current value of the register has been very carefully avoided. I expect
that avoidance to continue.
I'm not knowledgeable on the proposal. I'm just commenting on CSR instruction exceptions based on additional bits.
Bill
On 8/19/20 9:16 PM, Chuanhua Chang wrote:
EXTERNAL MAIL
Hi, Bill,
I understand your timing concern for generating an exception based on data values. However, the concern is for data values directly read out from the general registers (GPR/FPR) by the instruction itself and the exception is generated based on these values
or some computations of these values, so the timing is tight between the data read out and computation of an exception (such as divide by zero). The concern is usually not for using data values (1 or 2 bits as control) in CSRs written by a previous instruction
or even relaxed, by a previous instruction in a different privileged mode (i.e., relaxed in terms of the length of time between the write and the use).
The current mcounteren CSR value is already used to control the generation of an exception of the read operation of the hmpcounter CSRs for S and U-mode. The timing should be similar, if we have a mcounterwen CSR and use its value to control the generation
of an exception of the write operation of a counter CSR for S and U-mode.
This is a general discussion. I am fine with dropping the S-mode direct counter update proposal based on its limited use case.
Regards,
Chuanhua
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
You're right, Allen. I didn't think that one was true. Delegation bits are presumably part of the core dispatch area and not kept somewhere else. It would be different to have exceptions depend on operational performance
counter registers, though.
Bill
On 8/20/20 9:26 PM, Allen Baum wrote:
toggle quoted message
Show quoted text
EXTERNAL MAIL
Prvi spec v1.12 sec 3.1.12:
When the CY, TM, IR, or HPMn
bit in the mcounteren
register is clear, attempts to read the
cycle,
time,
instret, or
hpmcountern
register while executing in S-mode or U-mode will cause an illegal instruction exception. When one of these bits is set, access to the corresponding register is permitted in the next implemented privilege
mode (S-mode if implemented, otherwise U-mode).
Well, I'd be a little bit more specific: access can be conditioned on more than the CSR number, as the existence of Mcounteren CSR proves.
But, in that case, the register bit that controls access is static, held in a CSR, not dynamic and selected by the instruction, as a GPR value would do.
On Thu, Aug 20, 2020 at 12:35 PM Bill Huffman < huffman@...> wrote:
Chuanhua,
The spec is set to determine writable (and required privilege) based entirely on CSR number. Anything that determined exceptions based on data or the current value of the register has been very carefully avoided. I expect
that avoidance to continue.
I'm not knowledgeable on the proposal. I'm just commenting on CSR instruction exceptions based on additional bits.
Bill
On 8/19/20 9:16 PM, Chuanhua Chang wrote:
EXTERNAL MAIL
Hi, Bill,
I understand your timing concern for generating an exception based on data values. However, the concern is for data values directly read out from the general registers (GPR/FPR) by the instruction itself and the exception is generated based on these values
or some computations of these values, so the timing is tight between the data read out and computation of an exception (such as divide by zero). The concern is usually not for using data values (1 or 2 bits as control) in CSRs written by a previous instruction
or even relaxed, by a previous instruction in a different privileged mode (i.e., relaxed in terms of the length of time between the write and the use).
The current mcounteren CSR value is already used to control the generation of an exception of the read operation of the hmpcounter CSRs for S and U-mode. The timing should be similar, if we have a mcounterwen CSR and use its value to control the generation
of an exception of the write operation of a counter CSR for S and U-mode.
This is a general discussion. I am fine with dropping the S-mode direct counter update proposal based on its limited use case.
Regards,
Chuanhua
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Allen Baum
Prvi spec v1.12 sec 3.1.12:
When the CY, TM, IR, or HPMn bit in the mcounteren register is clear, attempts to read the
cycle, time, instret, or hpmcountern register while executing in S-mode or U-mode will cause
an illegal instruction exception. When one of these bits is set, access to the corresponding register
is permitted in the next implemented privilege mode (S-mode if implemented, otherwise U-mode).
Well, I'd be a little bit more specific: access can be conditioned on more than the CSR number, as the existence of Mcounteren CSR proves. But, in that case, the register bit that controls access is static, held in a CSR, not dynamic and selected by the instruction, as a GPR value would do.
On Thu, Aug 20, 2020 at 12:35 PM Bill Huffman < huffman@...> wrote:
Chuanhua,
The spec is set to determine writable (and required privilege) based entirely on CSR number. Anything that determined exceptions based on data or the current value of the register has been very carefully avoided. I expect
that avoidance to continue.
I'm not knowledgeable on the proposal. I'm just commenting on CSR instruction exceptions based on additional bits.
Bill
On 8/19/20 9:16 PM, Chuanhua Chang wrote:
EXTERNAL MAIL
Hi, Bill,
I understand your timing concern for generating an exception based on data values. However, the concern is for data values directly read out from the general registers (GPR/FPR) by the instruction itself and the exception is generated based on these values
or some computations of these values, so the timing is tight between the data read out and computation of an exception (such as divide by zero). The concern is usually not for using data values (1 or 2 bits as control) in CSRs written by a previous instruction
or even relaxed, by a previous instruction in a different privileged mode (i.e., relaxed in terms of the length of time between the write and the use).
The current mcounteren CSR value is already used to control the generation of an exception of the read operation of the hmpcounter CSRs for S and U-mode. The timing should be similar, if we have a mcounterwen CSR and use its value to control the generation
of an exception of the write operation of a counter CSR for S and U-mode.
This is a general discussion. I am fine with dropping the S-mode direct counter update proposal based on its limited use case.
Regards,
Chuanhua
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
The CSRs can determine what happens on a write and what is read on a read. But they cannot control whether a read or write is legal as far as I know.
Bill
On 8/20/20 3:28 PM, Allen Baum wrote:
toggle quoted message
Show quoted text
EXTERNAL MAIL
Well, I'd be a little bit more specific: access can be conditioned on more than the CSR number, as the existence of Mcounteren CSR proves.
But, in that case, the register bit that controls access is static, held in a CSR, not dynamic and selected by the instruction, as a GPR value would do.
On Thu, Aug 20, 2020 at 12:35 PM Bill Huffman < huffman@...> wrote:
Chuanhua,
The spec is set to determine writable (and required privilege) based entirely on CSR number. Anything that determined exceptions based on data or the current value of the register has been very carefully avoided. I expect
that avoidance to continue.
I'm not knowledgeable on the proposal. I'm just commenting on CSR instruction exceptions based on additional bits.
Bill
On 8/19/20 9:16 PM, Chuanhua Chang wrote:
EXTERNAL MAIL
Hi, Bill,
I understand your timing concern for generating an exception based on data values. However, the concern is for data values directly read out from the general registers (GPR/FPR) by the instruction itself and the exception is generated based on these values
or some computations of these values, so the timing is tight between the data read out and computation of an exception (such as divide by zero). The concern is usually not for using data values (1 or 2 bits as control) in CSRs written by a previous instruction
or even relaxed, by a previous instruction in a different privileged mode (i.e., relaxed in terms of the length of time between the write and the use).
The current mcounteren CSR value is already used to control the generation of an exception of the read operation of the hmpcounter CSRs for S and U-mode. The timing should be similar, if we have a mcounterwen CSR and use its value to control the generation
of an exception of the write operation of a counter CSR for S and U-mode.
This is a general discussion. I am fine with dropping the S-mode direct counter update proposal based on its limited use case.
Regards,
Chuanhua
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Allen Baum
Well, I'd be a little bit more specific: access can be conditioned on more than the CSR number, as the existence of Mcounteren CSR proves. But, in that case, the register bit that controls access is static, held in a CSR, not dynamic and selected by the instruction, as a GPR value would do.
On Thu, Aug 20, 2020 at 12:35 PM Bill Huffman < huffman@...> wrote:
Chuanhua,
The spec is set to determine writable (and required privilege) based entirely on CSR number. Anything that determined exceptions based on data or the current value of the register has been very carefully avoided. I expect
that avoidance to continue.
I'm not knowledgeable on the proposal. I'm just commenting on CSR instruction exceptions based on additional bits.
Bill
On 8/19/20 9:16 PM, Chuanhua Chang wrote:
EXTERNAL MAIL
Hi, Bill,
I understand your timing concern for generating an exception based on data values. However, the concern is for data values directly read out from the general registers (GPR/FPR) by the instruction itself and the exception is generated based on these values
or some computations of these values, so the timing is tight between the data read out and computation of an exception (such as divide by zero). The concern is usually not for using data values (1 or 2 bits as control) in CSRs written by a previous instruction
or even relaxed, by a previous instruction in a different privileged mode (i.e., relaxed in terms of the length of time between the write and the use).
The current mcounteren CSR value is already used to control the generation of an exception of the read operation of the hmpcounter CSRs for S and U-mode. The timing should be similar, if we have a mcounterwen CSR and use its value to control the generation
of an exception of the write operation of a counter CSR for S and U-mode.
This is a general discussion. I am fine with dropping the S-mode direct counter update proposal based on its limited use case.
Regards,
Chuanhua
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Chuanhua,
The spec is set to determine writable (and required privilege) based entirely on CSR number. Anything that determined exceptions based on data or the current value of the register has been very carefully avoided. I expect
that avoidance to continue.
I'm not knowledgeable on the proposal. I'm just commenting on CSR instruction exceptions based on additional bits.
Bill
On 8/19/20 9:16 PM, Chuanhua Chang wrote:
toggle quoted message
Show quoted text
EXTERNAL MAIL
Hi, Bill,
I understand your timing concern for generating an exception based on data values. However, the concern is for data values directly read out from the general registers (GPR/FPR) by the instruction itself and the exception is generated based on these values
or some computations of these values, so the timing is tight between the data read out and computation of an exception (such as divide by zero). The concern is usually not for using data values (1 or 2 bits as control) in CSRs written by a previous instruction
or even relaxed, by a previous instruction in a different privileged mode (i.e., relaxed in terms of the length of time between the write and the use).
The current mcounteren CSR value is already used to control the generation of an exception of the read operation of the hmpcounter CSRs for S and U-mode. The timing should be similar, if we have a mcounterwen CSR and use its value to control the generation
of an exception of the write operation of a counter CSR for S and U-mode.
This is a general discussion. I am fine with dropping the S-mode direct counter update proposal based on its limited use case.
Regards,
Chuanhua
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Hi, Bill,
I understand your timing concern for generating an exception based on data values. However, the concern is for data values directly read out from the general registers (GPR/FPR) by the instruction itself and the exception is generated based on these values or some computations of these values, so the timing is tight between the data read out and computation of an exception (such as divide by zero). The concern is usually not for using data values (1 or 2 bits as control) in CSRs written by a previous instruction or even relaxed, by a previous instruction in a different privileged mode (i.e., relaxed in terms of the length of time between the write and the use).
The current mcounteren CSR value is already used to control the generation of an exception of the read operation of the hmpcounter CSRs for S and U-mode. The timing should be similar, if we have a mcounterwen CSR and use its value to control the generation of an exception of the write operation of a counter CSR for S and U-mode.
This is a general discussion. I am fine with dropping the S-mode direct counter update proposal based on its limited use case.
Regards,
Chuanhua
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Hi, Anup,
I am fine with dropping the proposal of letting the S-mode write HPMCOUNTER CSRs directly based on its limited use cases in debugging and analysis.
Regards,
Chuanhua
|
|
|
Re: Small tweak to Privileged spec regarding PMP management?
On Sun, Aug 9, 2020 at 11:45 PM Greg Favor < gfavor@...> wrote: In section 3.6.2 of the Privileged spec discussing changing PMP settings, it currently says: "If page-based virtual memory is not implemented, or when it is disabled, memory accesses check
the PMP settings synchronously, so no fence is needed."
I would like to suggest removing "or when it is disabled" and just say: "If page-based virtual memory is not implemented, memory accesses check
the PMP settings synchronously, so no fence is needed."
The motivation is that high-performance implementations that support page-based virtual memory have TLBs and want to use them to handle all fetch/load/store memory accesses as they go down load/store execution pipelines during all modes of execution - including while in M-mode.
In the case of M mode, they would effectively just be caching PMA/PMP permission/access control info (as well as identity address mappings).
For designs that implement page-based virtual memory and use their TLBs as described (which is generally true in high-performance designs), not requiring that M-mode software do an sfence.vma after a series of PMP CSR writes means that these CSR writes cannot simply be implemented as CSR writes, but instead each PMP CSR write needs to also perform a heavyweight sfence.vma operation. This is both heavily redundant (across a series of PMP writes) and is unnatural for an aggressive o-o-o design RISC design in which an sfence.vma operation really is a very strong fencing operation as well as TLB invalidation operation. (Put differently, a key point of RISC architecture is to simplify hardware in ways that software can easily and efficiently support.)
Given that M-mode software runs a lot of implementation-specific code (including code related with PMA and PMP management), this spec tweak allows for some implementations to
simplify their hardware design and include an sfence.vma in their M-mode PMP CSR writing code (while other implementations can choose to not include an sfence.vma in their M-mode code). But also note that all designs need to at least selectively do an sfence.vma (per section
3.6.2), so this essentially means that the M-mode code would simply always do an sfence.vma after a series of PMP writes.
Lastly note that this change is backward compatible in that software that does do an sfence.vma after PMP changes will run on "old" designs that support page-based virtual memory yet access PMA's and PMP's inline with load/store execution while in M-mode.
The potentially problematic case is that if one attempts to run M-mode-only code on a core that supports VM, it might not know that it needs to execute SFENCE.VMA at all. (This is not an especially esoteric use case; sometimes people run an RTOS on one of the (symmetric) cores in a multicore complex.)
But you can argue that the M-mode-only code probably needs to be tailored at least somewhat to the system it's running on. And it is possible to handle this case portably, e.g., `if (misa.S) sfence_vma();`. And if the RTOS has an untrusted piece that runs in U-mode, then the M-mode piece already needs to know about the existence of S-mode for other reasons: it needs to make sure to initialize the satp and m*deleg registers to zero, for example. The SFENCE.VMA seems no worse. So I don't object.
Any objections to this
simple
accomodation for high-performance CPU designs?
Greg
|
|
|
Re: Small tweak to Privileged spec regarding PMP management?
toggle quoted message
Show quoted text
On Sun, Aug 9, 2020 at 11:45 PM Greg Favor < gfavor@...> wrote: In section 3.6.2 of the Privileged spec discussing changing PMP settings, it currently says: "If page-based virtual memory is not implemented, or when it is disabled, memory accesses check
the PMP settings synchronously, so no fence is needed."
I would like to suggest removing "or when it is disabled" and just say: "If page-based virtual memory is not implemented, memory accesses check
the PMP settings synchronously, so no fence is needed."
The motivation is that high-performance implementations that support page-based virtual memory have TLBs and want to use them to handle all fetch/load/store memory accesses as they go down load/store execution pipelines during all modes of execution - including while in M-mode.
In the case of M mode, they would effectively just be caching PMA/PMP permission/access control info (as well as identity address mappings).
For designs that implement page-based virtual memory and use their TLBs as described (which is generally true in high-performance designs), not requiring that M-mode software do an sfence.vma after a series of PMP CSR writes means that these CSR writes cannot simply be implemented as CSR writes, but instead each PMP CSR write needs to also perform a heavyweight sfence.vma operation. This is both heavily redundant (across a series of PMP writes) and is unnatural for an aggressive o-o-o design RISC design in which an sfence.vma operation really is a very strong fencing operation as well as TLB invalidation operation. (Put differently, a key point of RISC architecture is to simplify hardware in ways that software can easily and efficiently support.)
Given that M-mode software runs a lot of implementation-specific code (including code related with PMA and PMP management), this spec tweak allows for some implementations to
simplify their hardware design and include an sfence.vma in their M-mode PMP CSR writing code (while other implementations can choose to not include an sfence.vma in their M-mode code). But also note that all designs need to at least selectively do an sfence.vma (per section
3.6.2), so this essentially means that the M-mode code would simply always do an sfence.vma after a series of PMP writes.
Lastly note that this change is backward compatible in that software that does do an sfence.vma after PMP changes will run on "old" designs that support page-based virtual memory yet access PMA's and PMP's inline with load/store execution while in M-mode.
Any objections to this
simple
accomodation for high-performance CPU designs?
Greg
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
On 8/18/20 8:19 AM, Chuanhua Chang wrote:
EXTERNAL MAIL
Hi, Anup,
Regarding the aspect of a "read-only" CSR, in the RISC-V PMP design, a control bit "L" in the pmpcfg CSR, once set, will change the corresponding read/write pmpaddr CSR to a "read-only" CSR.
They're not the same idea. The PMP L bit changes the meaning of a write. Rather than becoming a read-only register, it remains read-write, but writes behave differently and do nothing. Registers with read-only numbers always
take an exception on write. The idea behind this is that exceptions do not depend on data in CSR registers to avoid difficult timing/layout issues.
Bill
So fundamentally, I do not see any reason why a control bit cannot change a "read-only" CSR to a "read/write" CSR. It should be similar to the above case in terms of implementation complexity.
And regarding the aspect of a "user" CSR, I also do not see any reason why a higher privileged mode such as S-mode cannot write to a user register, once the write permission is allowed by M-mode.
Regards,
Chuanhua
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Anup Patel
Hi Chuanhua,
Even if we ignore the RISC-V CSR range violation in allowing writes to HPMCOUNTER CSR from S-mode, still the “bypass-sbi” DT property is not an acceptable solution.
The “bypass-sbi” DT property will make Linux PMU driver do things differently for HS-mode and VS-mode. Further, it is totally unclear how “bypass-sbi” DT property should be used in nested virtualization because here we will have virtual
VS-mode (Guest OS) running on virtual HS-mode (Guest Hypervisor) which in-turn runs on real HS-mode (Host Hypervisor). For a clean nested virtualization, both HS-mode (Hypervisor) and VS-mode (Guest) should write HPMCOUNTER CSR in the same way.
Further, the “bypass-sbi” DT property cannot be used for existing RISC-V platforms (SiFive Unleashed, Microchip PolarFire, etc) because existing HARDWARE don’t have proposed “write-enable” bit in HPMEVENT CSR. This means Linux PMU driver
will again have to do things differently for existing RISC-V platforms.
I think if we want to allow S-mode direct writes to HPMCOUNTER CSRs along with clean nested virtualization then it is better to add separate HS-mode and VS-mode CSRs. Although, I am still wondering why we should allow S-mode direct writes
to HPMCOUNTER CSRs considering Linux perf tools are only used for debugging and analysis.
Regards,
Anup
toggle quoted message
Show quoted text
From: tech-privileged@... <tech-privileged@...>
On Behalf Of Chuanhua Chang
Sent: 18 August 2020 20:49
To: tech-privileged@...
Subject: Re: [RISC-V] [tech-privileged] A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Hi, Anup,
Regarding the aspect of a "read-only" CSR, in the RISC-V PMP design, a control bit "L" in the pmpcfg CSR, once set, will change the corresponding read/write pmpaddr CSR to a "read-only" CSR.
So fundamentally, I do not see any reason why a control bit cannot change a "read-only" CSR to a "read/write" CSR. It should be similar to the above case in terms of implementation complexity.
And regarding the aspect of a "user" CSR, I also do not see any reason why a higher privileged mode such as S-mode cannot write to a user register, once the write permission is allowed by M-mode.
Regards,
Chuanhua
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Hi, Anup,
Regarding the aspect of a "read-only" CSR, in the RISC-V PMP design, a control bit "L" in the pmpcfg CSR, once set, will change the corresponding read/write pmpaddr CSR to a "read-only" CSR.
So fundamentally, I do not see any reason why a control bit cannot change a "read-only" CSR to a "read/write" CSR. It should be similar to the above case in terms of implementation complexity.
And regarding the aspect of a "user" CSR, I also do not see any reason why a higher privileged mode such as S-mode cannot write to a user register, once the write permission is allowed by M-mode.
Regards,
Chuanhua
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Anup Patel
Hi Chuanhua,
The fact that “write-enable” bit in HPMEVENT CSR makes corresponding HPMCOUNTER as writeable violates the RISC-V CSR numbering scheme of RISC-V privilege spec because it allows S-mode writing to a CSR from “User-read-only” range.
Regards,
Anup
toggle quoted message
Show quoted text
From: tech-privileged@... <tech-privileged@...>
On Behalf Of Chuanhua Chang
Sent: 18 August 2020 15:35
To: tech-privileged@...
Subject: Re: [RISC-V] [tech-privileged] A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
The idea of adding write enable bit without adding extra CSR in the read/write register range is that the setting of the write enable bit will change the read-only CSR to a read/write CSR.
Chuanhua
|
|
|
Re: A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Anup Patel
Hi Alan,
Like mentioned previously, having different mechanism for HS-mode and VS-mode to write HPMCOUNTER CSR is not acceptable. The “bypass-sbi” DT property only means that Linux PMU driver is now aware whether it is running natively or running
inside Guest/VM. This is totally hacky and won’t be acceptable.
Regards,
Anup
toggle quoted message
Show quoted text
From: tech-privileged@... <tech-privileged@...>
On Behalf Of alankao
Sent: 18 August 2020 15:17
To: tech-privileged@...
Subject: Re: [RISC-V] [tech-privileged] A proposal to enhance RISC-V HPM (Hardware Performance Monitor)
Hi Anup,
We did the experiment based on our own settings and not yet consider the SBI extension proposal.
Please consider the approach in #278 with one additional condition: Any platform that supports configurations more than M-S-U should not provide a PMU with "bypass-sbi" attribute, like QEMU virt. Neither VS- nor HS- usage will be affected by this bit. Then,
you ask, what about emulating a platform that aims to only runs on M-S-U machines? Well, the one who ports the platform to QEMU/other simulators should put some warning message when the attempt to write happens, rather than implement the whole save-restore
just for the PMU status.
We don't need to add many CSRs. Just one bit in hpmevent*.
Regards,
Alan
|
|
|
