Update specs to use semi-lazy FPU switching #819
Conversation
corlewis
force-pushed
the
fpu_context_switching
branch
from
de54aec to
1dbb4fc
Compare
spec/machine/AARCH64/MachineOps.thy
Outdated
| od" | ||
|
|
||
| definition enableFpu :: "unit machine_monad" where | ||
| "enableFpu \<equiv> modify (\<lambda>s. s\<lparr>fpu_enabled := True \<rparr>)" |
There was a problem hiding this comment.
Left over from internal review:
the (lack of) link between
enableFpuandenableFpuEL01confuses me... there's no machine op for disabling the FPU? AreenableFpuandenableFpuEL01called separately by the C, or is this only the abstract spec model?
I was confused also. In the C,
enableFpucalls eitherdisableTrapFpuorenableFpuEL01, depending on whether it is a configuration with hypervisor support (see https://github.com/seL4/seL4/blob/85aa104eb4d527bc9f0aac28f3e9c3a84eed1d7a/include/arch/arm/arch/64/mode/machine/fpu.h#L127). I was originally going to just haveenableFpuin the spec before realising thatenableFpuEL01is called directly fromvcpu_disable(https://github.com/seL4/seL4/blob/85aa104eb4d527bc9f0aac28f3e9c3a84eed1d7a/include/arch/arm/armv/armv8-a/64/armv/vcpu.h#L702)
That seems odd, because it is unconditionally enabling FPU for native threads with no VCPU on hyp configurations. Doesn't that effectively ignore the native thread's configured flags?
There was a problem hiding this comment.
To answer this earlier question, our confusion was due to the fact that on AArch64 with hypervisor support there are two registers that control whether the FPU is enabled. The first, CPACR_EL1, is generally controlled by the VM and is used to enable or disable the FPU for virtualised threads. This register is the one being enabled by enableFpuEL01, which seL4 only calls when disabling the VCPU. For native threads seL4 instead uses CPTR_EL2, which it modifies with enableFpu and disableFpu.
| > type TcbFlags = Word | ||
|
|
||
| > data TcbFlag | ||
| > = NoFlag |
There was a problem hiding this comment.
I'm still not sure I understand the purpose of NoFlag, could you enlighten me?
There was a problem hiding this comment.
I can't speak about the original intentions in the C, but in my mind here it provides a way to abstract away the details of how the flags are implemented. For instance, we could say flags = NoFlag to say that no flags are set.
Having now said that, this is another argument for adding something like the flagSet helper function I mentioned in a different comment, since that would extend this abstraction and hide the details of the flags being implemented as a Word.
corlewis
force-pushed
the
fpu_context_switching
branch
from
1dbb4fc to
bfd342f
Compare
| definition isFpuEnable :: "bool machine_monad" where | ||
| "isFpuEnable \<equiv> return True" | ||
| "isFpuEnable \<equiv> gets fpu_enabled" |
There was a problem hiding this comment.
Does anyone remember why this is called isFpuEnable in C and not isFpuEnabled?
There was a problem hiding this comment.
Yeah, no idea beyond that. Should we give it the better name here?
There was a problem hiding this comment.
If you want to, but then it would be good to also rename it in C.
corlewis
force-pushed
the
fpu_context_switching
branch
2 times, most recently
from
3aaac5d to
285ecfc
Compare
corlewis
force-pushed
the
fpu_context_switching
branch
4 times, most recently
from
f1fb45c to
31b2feb
Compare
corlewis
changed the title
|
This PR has now been updated with a commit making equivalent changes to the FPU handling code in the x64 specification, and a commit making the required changes to the architectures that are not configured to have FPUs enabled so that they can still be built. |
corlewis
force-pushed
the
fpu_context_switching
branch
from
31b2feb to
c45b235
Compare
Good to see all tests passing up to AInvs. Nice work! |
corlewis
force-pushed
the
fpu_context_switching
branch
from
c45b235 to
f2100f6
Compare
|
This has been rebased and had a few additional changes included following the earlier discussions. |
There was a problem hiding this comment.
I think we're mostly ok, one or two comment chains did not resolve.
On the commits, why is "x64 spec: update specifications for semi-lazy FPU changes" not merged in with the others? It's a bit confusing, there's AARCH64 work split up across spec levels, then x64 not split up, and then everything else.
Also, subjective suggestion: there's no need to start commit comments with "This ", i.e. can say "Includes" instead of "This includes". Maybe we can also teach this novel idea to others :)
The X64 changes were kept separate because it has FPU enabled, the other architectures don't and their changes are mostly trivial to match the modified interface. I think the commit structure was just due to the way in which this work was developed; first for AArch64, which included changes to generic files, then copying required arch-specific changes to X64, and then doing required arch-specific changes for other architectures that don't support FPU. I have no strong preference here and see two obvious options, would you prefer something like the current structure but with the two AArch64 commits combined, or to make it all one big commit for all architectures? |
The question is whether you believe there is beneficial information in the extra commits. In my mind the aarch64+x64 are together because of FPU, and then the rest are not very interesting probably. Since it's all reviewed now, probably can squash them together, add a note in the commit message. |
corlewis
force-pushed
the
fpu_context_switching
branch
from
f2100f6 to
4c63b55
Compare
I think there's a little bit of use in keeping aarch64 and x64 separate from the less interesting architectures, so I've now squashed things into two commits. Have a look and let me know what you think |
corlewis
force-pushed
the
fpu_context_switching
branch
from
4c63b55 to
de4b958
Compare
| arch_requalify_consts (H) | ||
| archTcbFlagToWord | ||
|
|
||
| #INCLUDE_SETTINGS keep_constructor = tcb_flag |
There was a problem hiding this comment.
Do you happen to know why we tell it to keep constructors for tcb_flag when we're importing TcbFlag? Does a tcb_flag actually exist anywhere? It doesn't seem the most easily graspable interface, I'm glad you managed to figure it out.
There was a problem hiding this comment.
Another case of the translator being magic; TcbFlag is quietly translated to tcb_flag.
Commits make sense now, modulo squashes. I had one last bikeshed about comments and noFlag, but otherwise this is good to go from my side. |
|
All done now from my side. |
This includes extending the machine interface with new ops, adding the current owner of the FPU state to the kernel state, and adding the new seL4_TCB_Set_Flags syscall and related functions. Signed-off-by: Corey Lewis <[email protected]>
Signed-off-by: Corey Lewis <[email protected]>
These architectures do not have FPU enabled and so just need minor updates to match the changed interface. Signed-off-by: Corey Lewis <[email protected]>
corlewis
force-pushed
the
fpu_context_switching
branch
from
63f6219 to
56db827
Compare
These are the preliminary spec changes to seL4 to implement RFC-18. They include extending the machine interface with new ops, adding the current owner of the FPU state to the kernel state, and adding the new seL4_TCB_Set_Flags syscall and related functions.