{"id":99425,"date":"2018-08-06T07:00:00","date_gmt":"2018-08-06T21:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/?p=99425"},"modified":"2019-03-13T00:37:53","modified_gmt":"2019-03-13T07:37:53","slug":"20180806-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20180806-00\/?p=99425","title":{"rendered":"The PowerPC 600 series, part 1: Introduction"},"content":{"rendered":"

The PowerPC is a RISC processor architecture which grew out of IBM’s POWER<\/a> architecture. Windows NT support was introduced in Windows NT 3.51, and it didn’t last long; the last version to support it was Windows NT 4.0. Despite not being supported by the flagship operating system, it continued to be supported by Windows CE, and a later version of the PowerPC was chosen as the processor for the Xbox 360. <\/p>\n

As with all the processor retrospective series, I’m going to focus on how Windows NT used the PowerPC in user mode because the original audience for all of these discussions was user-mode developers trying to get up to speed debugging their programs on PowerPC. <\/p>\n

The PowerPC 600 series started out as a 32-bit processor, with 64-bit support arriving in the 620. The earliest record I can find (not that I looked very hard) shows Windows NT supporting the 603 and 604 processors. I guess this makes sense, because Wikipedia says that the 603 was the first processor to support the full PowerPC instruction set<\/a>. The 603 could complete a maximum of two instructions per cycle; the 604 could do up to four. The 603 did not have a dynamic branch predictor, but the 604 did. Both could forward arithmetic operations into the next arithmetic operation, so consecutive integer arithmetic operations did not stall, even if the second depended on the result of the first. <\/p>\n

The PowerPC 600 series processors are natively big-endian, with an option for little-endian operation. Windows NT uses the processor in 32-bit little-endian mode.¹ Even though the processor can be put into little-endian mode, this affects only how bytes are swapped when they are read from or written to memory; the instructions themselves still operate in a big-endian way, Among other things, the bits in a register are numbered from most-significant to least-significant: Bit 0 is the high-order bit, and bit 31 is the low-order bit. <\/p>\n

The PowerPC has 32 integer registers, each 32 bits wide. They are officially named GPR0<\/var> through GPR31<\/var>, but the assembler just calls them 0<\/var> through 31<\/var>. This is ridiculously confusing,² so nobody uses the purely numeric names. People call them r0<\/var> through r31<\/var>. (Some assemblers call them r.0<\/var> through r.31<\/var>.) <\/p>\n\n\n\n\n\n\n\n\n\n\n
Register<\/th>\nMnemonic<\/th>\nMeaning<\/th>\nPreserved?<\/th>\nNotes<\/th>\n<\/tr>\n
gpr0<\/var><\/td>\nr0<\/var><\/td>\n<\/td>\nNo<\/td>\nOf limited use<\/td>\n<\/tr>\n
gpr1<\/var><\/td>\nr1<\/var><\/td>\nstack pointer<\/td>\nYes<\/td>\nIncludes 232-byte negative red zone<\/td>\n<\/tr>\n
gpr2<\/var><\/td>\nr2<\/var><\/td>\ntable of contents<\/td>\nYes, mostly<\/td>\nAccess to global variables<\/td>\n<\/tr>\n
gpr3<\/var>…gpr10<\/var><\/td>\nr3<\/var>…r10<\/var><\/td>\nargument<\/td>\nNo<\/td>\nOn function entry, contains function parameters<\/td>\n<\/tr>\n
gpr11<\/var><\/var><\/td>\nr11<\/var><\/td>\ntemporary<\/td>\nNo<\/td>\nFor function glue<\/td>\n<\/tr>\n
gpr12<\/var><\/td>\nr12<\/var><\/td>\ntemporary<\/td>\nNo<\/td>\nprologue and epilogue helper<\/td>\n<\/tr>\n
gpr13<\/var><\/td>\nr13<\/td>\nread-only<\/td>\nYes<\/td>\nTEB<\/td>\n<\/tr>\n
gpr14<\/var>…gpr31<\/var><\/td>\nr14<\/var>…r31<\/var><\/td>\nsaved<\/td>\nYes<\/td>\n<\/td>\n<\/tr>\n<\/table>\n

Note that this does not exactly line up with the PowerPC register conventions for other platforms. (Many other platforms assign special meanings to gpr11<\/var> through gpr13<\/var>.) <\/p>\n

The stack must be kept on an 8-byte boundary. There is a large red zone of 232 bytes at negative offsets from the stack pointer. We’ll see the importance of this when we look at function prologues. <\/p>\n

The function return value is placed in r3<\/var>. <\/p>\n

The r0<\/var> register is of limited use because many instructions cannot use a source of r0<\/var>. We’ll see more about that later. <\/p>\n

We’ll learn about the table of contents, function glue, and epilogue\/prologue helpers later when we cover Windows NT software conventions. <\/p>\n

In addition to the general-purpose integer registers, there are a number of special-purpose 32-bit integer registers. There are only nineteen of these special-purpose registers, but the numbers range from spr1<\/var> to spr1013<\/var>. (The number space is very sparsely populated, but I guess they reserved room for adding more registers in the future.) These are the ones you’re likely to see in user-mode code: <\/p>\n\n\n\n\n\n\n
Register<\/th>\nMnemonic<\/th>\nMeaning<\/th>\nPreserved?<\/th>\nNotes<\/th>\n<\/tr>\n
spr1<\/var><\/td>\nxer<\/var><\/td>\nStatus bits<\/td>\nNo<\/td>\nInteger exception register<\/td>\n<\/tr>\n
spr8<\/var><\/td>\nlr<\/var><\/td>\nlink register<\/td>\nNo<\/td>\nOn function entry, contains return address<\/td>\n<\/tr>\n
spr9<\/var><\/td>\nctr<\/var><\/td>\ncounter<\/td>\nNo<\/td>\nDedicated counter or jump target<\/td>\n<\/tr>\n
fpscr<\/var><\/td>\nfpscr<\/var><\/td>\nStatus bits<\/td>\n?<\/td>\nFloating point status and control register<\/td>\n<\/tr>\n<\/table>\n

I’ve never had to deal with floating point on the PowerPC, so I don’t know what parts of fpscr<\/var> need to be preserved and what parts don’t. <\/p>\n

We’ll learn more about the other special registers as the need arises. <\/p>\n

Remember how the Itanium, MIPS, and Alpha don’t have a flags register? Well, the PowerPC scoffs at them. “Flags register? You say you want a flags register? I’ve got your flags register right here. In fact, I’ve got eight sets<\/i> of flags registers.” They are named cr0<\/var> through cr7<\/var>, each four bits wide. (The “cr” stands for condition register<\/i>.) The pseudo-register cr<\/var> can be used to treat them as one giant 32-bit register.³ Remember that the PowerPC is a big-endian processor, so cr0<\/var> occupies the most significant bits of cr<\/var>, and so cr7<\/var> occupies the least significant bits. <\/p>\n

Condition register cr0<\/var> is the implicit target of integer operations, and condition register cr1<\/var> is the implicit target of floating point operations. I don’t know which condition registers must be preserved across calls, because I’ve never found any code that needed to. <\/p>\n

The PowerPC also has 32 floating-point double-precision registers, officially named FPR0<\/var> through FPR31<\/var>. <\/p>\n\n\n\n\n\n
Register<\/th>\nMnemonic<\/th>\nPreserved?<\/th>\nNotes<\/th>\n<\/tr>\n
fpr0<\/var><\/td>\nf0<\/var><\/td>\nNo<\/td>\ntemporary<\/td>\n<\/tr>\n
fpr1<\/var>…fpr13<\/var><\/td>\nf1<\/var>…f13<\/var><\/td>\nNo<\/td>\nFunction parameters<\/td>\n<\/tr>\n
fpr14<\/var>…fpr31<\/var><\/td>\nf14<\/var>…f31<\/var><\/td>\nYes<\/td>\n<\/td>\n<\/tr>\n<\/table>\n

As for instruction encoding, each instruction is 32 bits wide and must be aligned on a four-byte boundary. The instruction whose encoding is 0x00000000<\/code> is reserved as an invalid instruction, so trying to execute a page of zeros will instantly fault. <\/p>\n

The general syntax for multi-operand opcodes is <\/p>\n

\n    opcode  destination, source1, source2, source3...\n<\/pre>\n
with the notable exception of store instructions, which put the source register on the left and the address destination on the right. <\/p>\n
The architectural terms for operand sizes are byte<\/i>, halfword<\/i> (2 bytes), word<\/i> (4 bytes), doubleword<\/i> (8 bytes), and quadword<\/i> (16 bytes). In 32-bit operation, the largest unit that can be operated on directly is the word. <\/p>\n
In opcode names, the word arithmetic<\/i> is used to emphasize that the operands are treated as signed (usually abbreviated a<\/code>), and the words logical<\/i> (l<\/code>) and unsigned<\/i> (u<\/code>) or sometimes zero-extended<\/i> (z<\/code>) are used to emphasize that the operands are treated as unsigned. I guess they couldn’t make up their mind what to call it unsigned operations, so they chose one at random each time they needed one. Note further that these conventions are not uniformly applied, so stay alert. <\/p>\n
The processor maintains the fiction that every instruction is retired completely before the next one starts. Consequently, there are no architectural branch delay slots or load delay slots. It also means that when an exception is raised, all instructions preceding the exception have run to completion, and no instructions after the exception will appear to have started. <\/p>\n
Internally, the processor may perform operations out of order or in parallel or speculatively, and it may introduce stalls if your dependencies are too close together, but the processor does its best to hide this from the code being executed. <\/p>\n
There are two notable exceptions to the principle of sequential operation: <\/p>\n