Crash Dump Analysis: Sparc V9

Crash Dump Analysis
SPARC V9
Jakub Jerm
Martin Dck
Crash Dump Analysis MFF UK SPARC V9 2
SPARC V9 overview
64-bit RISC architecture
Each instruction is four bytes long
Only load/store instructions with memory operands
Orthogonal instruction set
32 GPRs, more in register windows
Big-endian
SPARC V9 overview (2)
Branch delay slots
Mandatory alignment of memory accesses
Register windows
Somewhat explicit memory stack

SPARC V9 manuals
The SPARC Architecture Manual, Version 9

www.sparc.org/specificationsDownload.html
SPARC Joint Programming Specification

(JPS1): Commonality
www.fujitsu.com/downloads/PRMPWR/JPS1-R1.0.4-Common-pub.pdf
UltraSPARC Architecture 2005

www.opensparc.net/publications/specifications/ultrasparc-architecture-2005-specification.html
Processor supplements
SPARC V9 ABI
SPARC COMPLIANCE DEFINITION 2.4

www.sparc.org/standards/SCD.2.4.ps.Z
This is the authoritative source of information
We will use and present a simplified view

which is sufficient for simple integer cases
SPARC V9 registers
32 64-bit GPRs
r0 r31
r0 reads as zero, writes ignored
r0 r7 g0 g7 (Globals)
r8 r15 o0 o7 (Outs)
r16 r23 l0 l7 (Locals)
r24 r31 i0 i7 (Ins)

SPARC V9 registers (2)
Program counter
pc current instruction
npc next instruction if no trap occurs
Address of the target for branches
Integer Condition Codes Register
ccr
icc codes for 32-bit interpretation
xcc codes for 64-bit interpretation

Register Windows
NWINDOW sets (8 on UltraSPARC)
At any time, only one is active (current)
Registers r8 r31 alias Outs, Locals and Ins of

the current window
Window n's Outs overlap with window

((n + 1) % NWINDOW)'s Ins
Register Windows (2)
CWP, CANSAVE, CANRESTORE and

(OTHERWIN and CLEARWIN) are registers
which define the state of the windowing
mechanism
Invariant:
NWINDOW 2
=
CANSAVE + CANRESTORE + OTHERWIN
CWP - Current Window Pointer
Corresponds to the current function
CWP (CWP + 1) % NWINDOW on

function call (instruction SAVE)
CWP (CWP 1) % NWINDOW on

function return (instruction RESTORE)
CANSAVE - number of momentarily available

windows for function call nesting
CANSAVE CANSAVE 1 on SAVE
CANSAVE CANSAVE + 1 on RESTORE
CANSAVE = 0 on SAVE =>

window spill TRAP
CANRESTORE - number of momentarily

available windows for function call returning
CANRESTORE CANRESTORE 1
on RESTORE
CANRESTORE CANRESTORE + 1
on SAVE
CANRESTORE = 0 on RESTORE =>

window fill TRAP
During a window spill trap, the OS will save the

window's Ins and Locals on the stack
During a window fill trap, the OS will restore the

window's Ins and Locals from the stack
The stack is a backing store for register

windows and register windows are caching
parts of the stack
Flat Mode
It is theoretically possible to pretend there is

only one register window
Simpler design
More deterministic function duration times
Poorer performance
Up to version 4.0.2
gcc -mflat
Flat Mode (2)
Compiler generates an alternative function

prologues and epilogues
No SAVE and RESTORE instructions
32 GPRs registers, much like e.g. MIPS
We will not assume this mode

ABI in a Nutshell
First 6 integer arguments passed in %o0 %o5
Other or additional arguments passed on stack
Return value in %i0
Return address in %i7, but need to add 8
Stack pointer is in %sp, but need to add 2047
Frame pointer is in %fp, but need to add 2047

ABI in a Nutshell (2)
Stack frame needs to be 16B aligned
Stack frame has a special format
window save area for Ins and Locals
Stack bias of 2047
Larger stack frames can be efficiently accessed

using 13-bit signed immediate offsets in instructions
ABI in a Nutshell (3)
Volatile (scratch, caller-saved) registers

o0 o5, o7, g1, g4 g5
Non-volatile (preserved, callee-saved) registers

i0 i7, l0 l7, o6
Registers reserved for system

g6 g7
Registers reserved for application

g2 g3
SPARC V9 instructions
Only few hundreds of instructions
Every instruction is 4B long, 4B-aligned
Variants with register or immediate operand
Informal classification
General purpose (arithmetic, logic, branch, etc.)
System instructions (privileged operations)
FPU instructions
SIMD instructions (VIS I, VIS II)

SPARC V9 instructions (2)
Most general purpose instructions have three

operands
register register register
register immediate register
INST rs1, rs2, rd
rd rs1 INST rs2
ADD %i0, %i1, %l3
%l3 %i0 ADD %i1

Load / Store instructions
LD [%rs1 + simm13], %rd
LD [%rs1 + %rs2], %rd
ST %rd, [%rs1 + simm13]
ST %rd, [%rs1 + %rs2]
Size suffixes (load / store instructions)
UB/SB (unsigned/signed byte), UH/SH

(unsigned/signed halfword), UW/SW
(unsigned/signed word), X (extended word)
Logical instructions
Instructions with cc suffix modifies %icc and %xcc
Also with addition and subtraction instructions
Instructions with n suffix negate %rs2 before

applying
Synthetic instructions
Not real instructions
Understood by the assembler
Aliases for common uses of the real instructions

Common instructions
CALL, JMPL, Bcccond, BRrcond, RET, RETL
SAVE, RESTORE, RETURN, NOP
MOV, ADD, XOR, OR, AND, ANDcc, INC, DEC,

CMP, SUB, SUBcc, SLLX, SRLX
LDX, STX, CLRX
SETHI
Common instructions (2)
CALL
Call function
Both real and synthetic instruction
Synthetic: JMPL address, %o7
JMPL address, %rd
Jump and link
%npc address
%pc %pc + 4 ( delay slot)

Bccond
(delayed) Branch on Integer Condition Code
Bccond{,a}{,pt|,pn} %icc, address
Bccond{,a}{,pt|,pn} %xcc, address
ccond is A (always), N (never), [N]E ([not] equal), G (greater),

LE (less or equal), GE (greater or equal), L (less), etc.
Prediction bit
pn probably not taken
pt probably taken
Anul bit
a whether or not to cancel the delay instruction

BRrcond
(delayed) Branch on Register Condition
BRrcond{,a}{,pt|,pn} %rs1, address
BRrcond{,a}{,pt|,pn} %rs1, address
rcond is [N]Z ([not] zero), LEZ (<= 0), LZ (< 0), GZ (>0),
GEZ (>= 0)
Prediction bit
pn probably not taken
pt probably taken
Anul bit
a whether or not to cancel the delay instruction

RET
Return from function
Synthetic
JMPL %i7+8, %g0
RETL
Return from leaf function
Synthetic
JMPL %o7+8, %g0

SAVE
Allocate a new register

window
Current Outs become

new Ins
ADD %rs1, imm, %rd
%rs1 is from the current

window
%rd is from the new

window
SAVE %sp, -192, %sp
RESTORE
Inverse operation to SAVE
RESTORE %rs1,imm,%rd
RESTORE %i0, %l1, %o0
like ADD
Can be used to perform last-

minute arithmetics on the
result
%sp reverted by virtue of

switching to the previous
window
RETURN
Combination of RET and RESTORE
Mind the delay slot
NOP
No operation
MOV
Move register or simm13 to register
Synthetic
ADD, XOR, OR, AND, ANDcc, INC, DEC, CMP,

SUB, SUBcc, SLLX, SRLX
Add, exclusive OR, logical OR, logical AND,

increment, decrement, compare, subtract, shift left
logical, shift right logical
LDX, STX, CLRX
Load from Memory, Store to Memory, Clear Memory

SETHI
Set high 22 bits of the source to result
sethi %hi(variable), %g1
ldx [%g1 + %lo(variable)], %g4
or %g1, %lo(variable), %g1

Function Prologue
save %sp, -imm, %sp
...
Function Epilogue
...
ret
restore R1, imm, R2
...
return %i7 + 0x8
nop
Stack and Code Example
Remember the foo(), bar() and foobar()

from previous lessons?
Compile using gcc -O1 -m64
Disassemble and single step main() and foo()
Observe the stack

Stack and Code Example (2)
main: save %sp, -0xc0, %sp
main+4: call -0x34 <foo>
main+8: mov %i0, %o0
main+0xc: ret
main+0x10: restore %g0, %o0, %o0
foo: save %sp, -0xc0, %sp
foo+4: call +0x10 <bar>
foo+8: mov %i0, %o0
foo+0xc: ret
foo+0x10: restore %g0, %o0, %o0
main+0xc: ret
0xffffffff7ffffc60: 1
Initial state
No instructions
executed
Inherited stack
pointer from
main()'s caller
main+0xc: ret
0xffffffff7ffffba0: 0
0xffffffff7ffffbb0: 0
0xffffffff7ffffbc0: 0
0xffffffff7ffffbd0: 0
0xffffffff7ffffbe0: 1
0xffffffff7ffffbe8: 0xffffffff7ffffd18
0xffffffff7ffffbf0: 0xffffffff7ffffd28
0xffffffff7ffffbf8: test.sparc`environ
0xffffffff7ffffc00: 0x100000000
0xffffffff7ffffc08: 0x1c00
0xffffffff7ffffc10: 0xffffffff7ffff461
0xffffffff7ffffc18: _start+0x7c
0xffffffff7ffffc28: 0xffffffff7ffffd28
0xffffffff7ffffc38: 0xffffffff7ffffda8
Allocate a new
register window
192 bytes of
stack space
allocated
Old Outs
became new
Ins
main+0xc: ret
Call foo()
No control
transfer yet
%o7 main+4
%npc foo
%pc main+8
main+0xc: ret
Delay slot
instruction
Copy incoming
argument to
outgoing
argument
0xffffffff7ffffae0: 0
0xffffffff7ffffaf0: 0
0xffffffff7ffffb00: 0
0xffffffff7ffffb50: 0xffffffff7ffff3a1
0xffffffff7ffffb58: main+4
0xffffffff7ffffb98: 0xffffffff7f736c90
Allocate a new
register window
192 bytes of
stack space
allocated
Old Outs
became new
Ins
foo+8: mov %i0, %o0
foo+0xc: ret
Call bar()
No control
transfer yet
%o7 foo+4
%npc bar
%pc foo+8
foo+8: mov %i0, %o0
foo+0xc: ret
Delay slot
instruction
Copy incoming
argument to
outgoing
argument
foo+8: mov %i0, %o0
foo+0xc: ret
Step through
and return from
bar()
foo+8: mov %i0, %o0
foo+0xc: ret
Return from
foo()
No control
transfer yet
%npc %i7+8
%pc
foo+0x10
foo+8: mov %i0, %o0
foo+0xc: ret
Restore the
previous
register window
Free 192 bytes

of stack space
Old Ins become

current Outs
foo+8: mov %i0, %o0
foo+0xc: ret
main+0xc: ret
Return from
main()
No control
transfer yet
%npc %i7+8
%pc
main+0x10
main+0xc: ret
Restore the
previous
register window
Free 192 bytes

of stack space
Old Ins become

current Outs
SPARC V9 ABI cheat sheet
i0 o0
i1 o1
i2 o2
i3 o3
i4 o4
i5 o5
frame pointer stack pointer
i7 o7
l0 g0 always 0
l1 g1
l2 g2
l3 g3
l4 g4
l5 g5
l6 g6
l7 g7 cur. thread In Solaris kernel
non-volatile registers
1
st
argument / ret. val 1
st
argument for callee
2
nd
argument 2
nd
argument for callee
3
rd
argument 3
rd
argument for callee
4
th
argument 4
th
argument for callee
5
th
argument 5
th
argument for callee
6
th
argument 6
th
argument for callee
i6/fp o6/sp
return addr 8 where callee will return 8
volatile registers
SPARC V9 ABI cheat sheet (2)

Crash Dump Analysis: Sparc V9

Uploaded by

Copyright:

Available Formats

Crash Dump Analysis: Sparc V9

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Crash Dump Analysis: Sparc V9

Uploaded by

Copyright:

Available Formats

Crash Dump Analysis

64-bit RISC architecture

Each instruction is four bytes long

Only load/store instructions with memory operands

Orthogonal instruction set

32 GPRs, more in register windows

Branch delay slots

Mandatory alignment of memory accesses

Somewhat explicit memory stack

The SPARC Architecture Manual, Version 9

SPARC Joint Programming Specification

UltraSPARC Architecture 2005

SPARC COMPLIANCE DEFINITION 2.4

This is the authoritative source of information

We will use and present a simplified view

r0 reads as zero, writes ignored

r16 r23 l0 l7 (Locals)

r24 r31 i0 i7 (Ins)

npc next instruction if no trap occurs

Address of the target for branches

Integer Condition Codes Register

icc codes for 32-bit interpretation

xcc codes for 64-bit interpretation

NWINDOW sets (8 on UltraSPARC)

At any time, only one is active (current)

Registers r8 r31 alias Outs, Locals and Ins of

Window n's Outs overlap with window

CWP, CANSAVE, CANRESTORE and

CWP - Current Window Pointer

Corresponds to the current function

CWP (CWP + 1) % NWINDOW on

CWP (CWP 1) % NWINDOW on

CANSAVE - number of momentarily available

CANSAVE CANSAVE 1 on SAVE

CANSAVE CANSAVE + 1 on RESTORE

CANSAVE = 0 on SAVE =>

CANRESTORE - number of momentarily

CANRESTORE = 0 on RESTORE =>

During a window spill trap, the OS will save the

During a window fill trap, the OS will restore the

The stack is a backing store for register

It is theoretically possible to pretend there is

More deterministic function duration times

Compiler generates an alternative function

No SAVE and RESTORE instructions

32 GPRs registers, much like e.g. MIPS

We will not assume this mode

First 6 integer arguments passed in %o0 %o5

Other or additional arguments passed on stack

Return value in %i0

Return address in %i7, but need to add 8

Stack pointer is in %sp, but need to add 2047

Frame pointer is in %fp, but need to add 2047

Stack frame needs to be 16B aligned

Stack frame has a special format

window save area for Ins and Locals

Stack bias of 2047

Larger stack frames can be efficiently accessed