CS 3410 Fall 2016
Due: 11:59pm, Monday, November 7th, 2016
Reminder: you must work in a group of two for this project. You don't need to have the same partner as the earlier projects.
This assignment will help you and your partner further hone your skills as elite programmers. Your goal is to program a multicore candidate bot who will race against an opponent to fill memory. This game simultaneously tests your knowledge of computer systems, your programming skills, and your ability to protect programs from being hacked.
At the end of the project we will hold a tournament pitting all your candidates against each other, and the winner will receive not only bragging rights but actual bonus points on the assignment. Plus we will be holding a banquet (read: pizza and soda) for all while we watch the tournament!
The commander-in-chief D.R. Java of the Griesian party is about to leave office, leaving a power vacuuum which can only be filled by the hero who is able to unite our nation.
As the United Finite States of America readies itself for this transition of power, the divide between the two dominant parties, the Logismats and Mallocans, has thrown the nation into chaos. Both parties have launched campaigns against each other, hoping to win over the feeble-minded voters. Equipped with cold, hard cache in hand, each must convince the public that they have created the nation's fastest memory writing algorithm.
Across the country, people are tuning in to the last cache race of this election season, ready to decide who will be the next the leader of the free world. Bracy yourselves, because broadcasting LIVE tonight is the most anticipated throwdown of the century...
The game is played by two candidates, each with four cores (campaign staff members). All eight cores are in a single shared memory space, running on a simulated 8-core MIPS machine using a small, partitioned, direct-mapped data memory cache. To simulate 8 MIPS CPUs simultaneously, one instruction of core 0 is executed, then one instruction of core 1, and so forth.
Each candidate is assigned a payload, a particular byte
of data. The goal of the game is to fill as much memory with their
candidate's payload, while simultaneously trying to impede the progress of the
other candidate. All access to data memory goes through a very small cache,
and there is a large penalty for missing the cache, so a clever team
will need to carefully optimize its algorithms for filling
memory. Each core can normally only read and write its own team's half
of the memory space using its own half of the data cache. However, a
core can Wiretap the opponent's headquarters, which enables the core to
take advantage and read and write the opponent's half of memory space and data cache.
The candidate has several resources at their disposal to aid
in their mission. Each candidate can use any of its four cores to send out an AttackAd,
which paralyzes the opposing candidate and stalls its cores for a short
period of time. A core can also send out FerventSupporters to different memory locations-
these are passionate citizens who hide out in different spots and, if encountered by a core of
either candidate, will pester and stall the core for a long period of time, demanding
tax returns, wall street transcripts and birth certificates from the candidate.
Each candidate supplies a single MIPS executable program. At the beginning of the game, the simulator starts each by calling the function
void __start(int core_id, int num_crashed, unsigned char payload);
Each of the four cores devoted to one candidate will invoke the function
when it first boots, passing its core ID (a number from 0 to 3), and
the candidate's payload (from 0 to 239). If a core ever crashes, it
will simply reset and invoke the function again.
The num_crashes parameter is 0 when a core first boots, and
is incremented each time the core crashes.
A core can Wiretap the opponent's headquarters by calling
void Wiretap();
and can stop listening in by calling
void retreat();
Invoking Wiretap can potentially let a candidate garner more votes and fill memory
more quickly, because it can take advantage of the opponent's memory
cache, and can also be used to impede the progress of the opponent by
interfering with their use of that same cache. However, these tactics
come with risks. Whenever a core is in Wiretap mode, its core
ID is written into a taunt[] array that is available to its
opponent. Additionally, it is possible to detect the presence of a snooper by looking at cache usage statistics and timing
information. A core can accuse one of its opponent's cores
of wiretapping by calling:
int Start_FBI_Investigation(int opponent_core_id);
If an opponent's core is caught by the FBI while wiretapping, the media will find out and reveal the scandal to
the whole nation, and the core will permanently lose all its credibility (aka, essentially locking up the core for the rest of the game).
If a core attempts to Start_FBI_Investigation on a core that is not in wiretapping mode, the accusing core stalls for
100,000 (STALL_ON_FALSE_ACCUSATION) cycles because of the time it takes to bring in the FBI.
A core can plant a FerventSupporter by writing 0xF0 to a
location in memory. FerventSupporters are set up immediately once 0xF0 is
written to a memory address, but due to the intense work to train and equip the individuals, the core will rest for 100
(STALL_TO_PLANT_FERVENT_SUPPORTER) cycles before executing the next
instruction. FerventSupporters are triggered when any core attempts to
write to a memory location that currently holds the trap byte (even cores of the candidate who planted them--these supporters are known to be swing voters). Such an
attempt causes the write to fail and the writing core to be stalled
for 1,000,000 (STALL_ON_FERVENT_SUPPORTER) cycles. Since the write
fails, multiple cores can plant supporters at the same memory
location. FerventSupporters are not triggered by reading memory. Due to
the effort required to send out a supporter, each team's candidate can set
up at most 15 (FERVENT_SUPPORTERS_PER_TEAM) FerventSupporters.
The upper 4 MB (4 * STACK_SIZE) of memory is protected from FerventSupporters.
A core can neutralize a FerventSupporter by convincing them to join their cause. It does so by writing 0xF2 to the FerventSupporter memory location. However, it takes some time to convince these fanatics, so it requires 100
(STALL_TO_CONVINCE_FERVENT_SUPPORTER) cycles. This will not
retroactively un-stall any core that has already fallen victim to a FerventSupporter
at that location, but will of course save you from being pestered there in the future.
Candidates can also temporarily stun their opponents by using
AttackAd. This is done by writing the byte 0xF1 into a
location in memory. When the AttackAd is aired in one half of
memory, any opponent cores who try to write to that half of memory
during the next 100 (ATTACK_AD_DURATION) cycles will be
pinned down for 300 (STALL_WHEN_SLANDERED) cycles. Since campaign teams only have the funds to broadcast a limited number of attack ads, each candidate's cores can make at most 30 (ATTACK_ADS_PER_TEAM) attack ad calls.
The race ends when one candidate manages to fill the equivalent of half
of its data memory with its payload, or after a fixed number of
cycles, whichever comes first. The team having the most memory filled
with its payload wins the match and the rights to proceed in
the Cache Wars tournament. But beware...for if
you do win the tournament, a great challenge awaits.
The simulator makes it seem like all four of your candidate's cores live in the lower half of the memory address space (addresses below 0x80000000). The first 1 MB of this memory is read-only, and is where the text segment of your MIPS executable is loaded. The next 31 MB is read-write memory, where global variables and stacks are placed. Global variables are typically placed near the bottom of this segment by the compiler, and the stacks are initialized to near the top of the segment and grow down. All four of the cores of a candidate share this same space, and share the same global variables. Your opponent is mapped into the upper half of the memory address space (addresses starting at 0x80000000), with an identical layout.
Program stacks: The four program stacks for the four cores on a team are initially spaced evenly near the top of the 31 MB read-write segment (though your code can set $sp to anything you like once it starts executing). The stacks are spaced 1 MB apart; this is plenty of space for most programs, but if you invoke a deeply recursive function, the call stacks can overwrite each other.
Status and cores: The simulator keeps track of the
information about each team and each core, and maps this data into
part of the 1 MB read-only memory region, where your candidate can access
it, and where your opponent can access it when it is
in Wiretap mode. This includes information about your
current score (how many bytes of memory currently contain your
team's payload), how many cycles are left remaining in the
game, the contents of all four of your core's register files, and
statistics about cache misses and stalls for each of your four
cores. Some of this information is available in other places as
well: your team's payload is passed to __start(), for
example; and cache statistics are also accessible via a system
call.
Physical addresses: Both candidates view the lower half of memory as their own, and both access their own code, data, and stacks using addresses below 0x80000000. These, of course, are virtual addresses. In actuality, the first player's virtual addresses correspond directly to physical memory addresses, while the second player's virtual addresses are mapped in reverse: virtual address 0x00001234, for example, is mapped to physical addresses 0x80001234, and virtual address 0x80001234 is mapped to physical address 0x00001234. This virtual to physical mapping is completely transparent to the program.
Caches: Instruction fetch is assumed to use an infinitely
large cache with no miss penalty. All loads and stores to memory done
by the program use a data cache. Cache hits are serviced in a single
cycle, with no processor stalls. Cache misses cause roughly 100 cycles
of processor stalling. The data cache is direct-mapped and physically
tagged, with 4 cache lines, and a 256 byte block size, for a total of
1024 bytes of cache. However, the data cache is
partitioned, with the first 2 lines used to cache the lower half of
physical memory (the first player's half), and the last 2 lines used to cache
the upper half of physical memory (the second player's half).
Cache Management: The version of MIPS we are using (MIPS-I) lacks instructions to manage the cache, but we have provided system calls instead. A candidate can call
void invalidate(void *ptr);
to remove from the cache any block containing the data pointed to
by ptr. This only works if the candidate has access to the
memory in question at the time the call is made. Similarly, when a
team calls
void prefetch(void *ptr);
the cache will start to fetch the block containing the given address into the cache. The call returns immediately with no stalling, and roughly 100 cycles later the data will arrive in the cache and be available for use. This call only works if the candidate actually has access to the specified block of memory. For each cache line, there can be at most one outstanding fetch in progress. Prefetch requests are ignored if a fetch is already in progress for that line (in this context, "fetch" means either an earlier prefetch, or a core waiting on the cache line to fill because of a cache miss), and actual data fetch requests (e.g. from load/store instructions, rather than prefetch requests) supersede any prefetch requests that are in progress. There are additional system calls to read the current cache tags and the tags for lines that are being fetched. This same information is also available in the memory mapped data-structures.
We have provided a header file (described below) containing various useful macros for accessing your own code and data segments, and those of your opponent. The header also describes in detail the memory layout, cache organization, and available system calls.
Pointer arithmetic in C: When performing pointer arithmetic in C, the compiler implicitly multiplies by the size of the data type that is pointed to. For instance:
char *byteptr = (char *)0x1000; byteptr[3] = 0xFF; // store one byte at memory three BYTES after ptr, so address 0x1000+3 = 0x1003 byteptr += 5; // increments pointer by five BYTES, to address 0x1005 int *wordptr = (int *)0x1000; wordptr[3] = 0xFFFFFFFF; // store one word at memory three WORDS after ptr, so address 0x1000+12 = 0x100c wordptr += 5; // increments pointer by five WORDS, to address 0x1000+20 = 0x1014
From this, we can see that the following code is almost certainly a bug (two bugs, in fact), since the first statement advances by 12 cache lines instead of 3 cache lines, and the second statement advances by 8 cache lines instead of 2 cache lines:
int *ptr = (int *)HOME_DATA_START + 3*CACHE_LINE; pre += 2*CACHE_LINE;
To advance by 3 cache lines (first statement) or 2 cache lines (second statement) when using integer pointers, one could do:
int *ptr = (int *)(HOME_DATA_START + 3*CACHE_LINE); pre = (int *)((int)pre + 2*CACHE_LINE);
Or:
int *ptr = (int *)HOME_DATA_START + (3*CACHE_LINE)/4; pre += (2*CACHE_LINE)/4;
Design code that makes efficient use of the data cache to fill
memory quickly, and find clever ways to beat your opponents, stop them
from posting their payload, and interfere with your opponent's
cache usage. And although you cannot directly modify your opponent's
registers, you can modify their call stack and global
variables. Coupled with what you know about exploiting programs, you
may even be able to get your opponent to work for you. At the same
time, you need to be on the lookout for cores from your opponent's
team. Because all of these tasks require processing time and access to
memory, you will need to carefully plan how to coordinate use of these
scarce resources.
To get started, we will supply several example teams that employ some basic strategies. Their source code can be found in the same directory as the Cache Wars simulator. The example teams are:
Note: these teams do not do a particularly good job making effective use of the cache. For instance, most write a single byte at a time to memory, and take only a little care to ensure that their candidates don't compete with each other for cache lines.
Perform the environment setup from Lab 8 if you haven't already. Once your environment is setup, download Project 6 with the following commands inside your VM:
$ cd ~/3410 $ wget http://www.cs.cornell.edu/courses/cs3410/2016fa/projects/p6/p6.zip $ unzip p6.zip
Inside the p6 directory is two executables, cachedballots and cachevall,
and a directory candidates/. Within candidates/ should be a Makefile
and the folder src/. Within src/, you will
find sample course candidates that are described above. You will code
your own candidate's tactic within this folder.
Each team should create a single program, written in C and compiled
into a MIPS binary executable. The four cores on a team all share the
same code (though your program can obviously do different things
depending on the core_id parameter it receives from the
simulator). Going up from the src/ directory
(cd ..), and typing make will compile all
the candidates within the src/ directory.
**Important!** By default, your new candidate will not be optimized
by the compiler. You can (and should) tell the Makefile to compile your
candidate with optimizations enabled. We recommend using the -O3 optimization
flag (the letter "O", not the number "0"). For example, if my candidate is
named XYZ, I would add the following line to the Makefile.
FLAGS_XYZ = -O3
We have already included these optimizations in the Makefile for the course candidates, so you can look at those to make sure you're doing it correctly
In the main directory you will also find cachedballots, the
simulator used to play the game. The simulator cachedballots
takes two arguments, the names of the teams in the match, for
example:
$ ./cachedballots candidates/bin/greedy candidates/bin/fbi
You will also find simple shell script cachevall which
takes the name of a single team and pits it against every other team
in turn. This lets you compare how one team does in comparison to all
the others:
$ ./cachevall candidates/bin/greedy candidates/bin
Compilers don't always produce the code you expect them to, so you will likely want to read the compiled assembly. As you have seen before, you can decompile compiled code using objdump:
$ mipsel-linux-objdump -xdl candidates/bin/greedy
Finally you have two tools at your disposition. First, you will
want to read the cachedballots.h header file in
the candidates/src directory. It is the only header file you
should import into your candidate programs, besides any you might write
yourself, but it is designed to be all you will need. It contains the
basic functions Wiretap , Start_FBI_Investigation,
retreat and so on, along with various other system calls
like printf and rand(). But more importantly, its
comment describes in detail how your program is laid out in memory and
how simulator statistics and other data is mapped into your address
space.
Your second major tool is the cachedballots simulator which
has several useful command line options. Type ./cachedballots
with no arguments to see a list.
The cache is write-allocate: If you want to write to an address, it must be in the cache first (and therefore you suffer a cache miss if it wasn't in there already).
The cache is write-through: Once a line is in the cache, any writes to it immediately appear in memory (and therefore immediately increase your score).
Finally, the cache automatically updates from memory: In particular, if you have the taunt array in cache, and a new candidate enters Wiretap mode, the taunt array in cache updates immediately.
It's possible to prefetch too early, such that the line you prefetch arrives in the cache while you're still working on a different line. In this case, you'll doubly penalize yourself, as you'll suffer a miss for the line you're currently accessing, and then miss on the line you meant to prefetch in the first place. Oops! Don't do that.
If you prefetch slightly late, you only lose the difference. If address
0x01000000 is not in the cache, but you prefetch it, wait 50 cycles, then try
to write to/read from it, you'll still miss but only stall 50 cycles instead of
the usual 100, since 50 of the cycles were alerady taken up by the prefetch.
This is why prefetching is beneficial. If you run the simulator in "very
verbose mode" via simulate -vvvv, you'll see messages like "upgrades existing
prefetch", and this is the meaning of that message.
On the other hand, if address 0x01000400 is in the cache, you prefetch 0x01000200, then try to read/write 0x01000000, the prefetch is canceled, You miss 0x01000000, and stall the full 100 cycles, no matter how far along the prefetch was.
prefetch(ptr) does not automatically call invalidate(ptr); that's why they're separate function calls. The line currently in the cache is still valid until the prefetch finishes.The earlier one sticks. The writeup states "prefetch requests are ignored if a fetch is already in progress for that line", and in this context "fetch" means either an earlier prefetch or a core waiting on the cache line to fill due to a cache miss.
Traps are triggered when any core attempts to write to a memory location that currently holds the trap byte.
Such an attempt causes the write to fail and the writing core to be stalled for 1,000,000 (STALL_ON_FERVENT_SUPPORTER) cycles.
Since the write fails, multiple cores can be trapped at the same memory location.
Traps are not triggered by reading memory.
Your grade for this assignment will have three parts.
The source code for your candidate with comments and a Makefile so we can build it.
Good luck!