On the wave of public interest in the Meltdown and Spectre vulnerabilities, programmer Bruce Dawson, who now works at Google on performance optimization and reliability testing of algorithms, decided to tell the story of how he discovered a similar architectural vulnerability in the Xbox 360 processor. In 2005, he says, he lived and breathed this chip, trying to understand its pipeline in order to identify possible faults and errors before launch.
The Xbox 360 CPU includes three cores with the IBM PowerPC architecture; they occupy three quarters of the die area, and the remaining quarter is taken by 1 MB of L2 cache. Each core has a 32 KB instruction cache and a 32 KB data cache. The chip's problem was long latencies, especially when accessing memory. In addition, 1 MB of L2 cache (all that fit in the available area) was not much for a three-core processor, so making good use of the cache was very important.
Cache memory improves CPU performance by exploiting spatial and temporal locality. Spatial locality means that if an algorithm has used a byte of data at a certain address, it will probably soon use bytes at neighbouring addresses. Temporal locality means that if some information held in the cache has been used, it will probably be used again in the near future.
If a large data array is processed once per frame, it is expected to have been evicted from the L2 cache by the time it is reused in the next frame. Such data may still be wanted in the L1 cache, but on the way there it occupies valuable space in L2, evicting useful data and perhaps slowing down the other two cores. The MESI protocol used for memory coherence requires that when one core modifies a cache line, any other core holding a copy of that line can no longer use its cached data.
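The L2 pollution described above can be shown with a small cache model. This is an added example, not code from Bruce Dawson or from the Xbox 360 tooling: it treats L2 as a fully associative LRU cache (an assumption; the article does not give the real L2 organization), runs a constructed per-frame workload of a small reused "hot" set plus a large array streamed once per frame, and counts how often the hot set misses when the stream is allowed to allocate in L2 versus when the stream is fetched past L2, which is the effect an L2-bypassing prefetch is after.

```python
from collections import OrderedDict


class LruCache:
    """Toy fully associative LRU cache holding `capacity` cache lines.
    (Assumption for the model: the real L2 organization is not given in the article.)"""

    def __init__(self, capacity):
        self.capacity = capacity
        self.lines = OrderedDict()  # line number -> True, ordered oldest to newest
        self.hits = 0
        self.misses = 0

    def access(self, line, allocate=True):
        """Touch one cache line and return True on a hit.

        allocate=False models a prefetch that fetches the line for L1 but never
        installs it in this level, i.e. an L2-bypassing xdcbt-style fill."""
        if line in self.lines:
            self.lines.move_to_end(line)
            self.hits += 1
            return True
        self.misses += 1
        if allocate:
            if len(self.lines) >= self.capacity:
                self.lines.popitem(last=False)  # evict the least recently used line
            self.lines[line] = True
        return False


def hot_set_misses(l2_lines, hot_lines, stream_lines, frames, bypass_stream):
    """Run `frames` frames against one L2 and count misses on the hot set.

    Each frame first touches `hot_lines` lines that are reused every frame, then
    streams through `stream_lines` distinct lines that are processed once per frame
    (constructed workload). Returns how often the reused hot set missed in L2."""
    l2 = LruCache(l2_lines)
    misses = 0
    stream_base = 1 << 20  # keep the stream's line numbers away from the hot set
    for _ in range(frames):
        for line in range(hot_lines):
            if not l2.access(line):
                misses += 1
        for line in range(stream_base, stream_base + stream_lines):
            l2.access(line, allocate=not bypass_stream)
    return misses


if __name__ == "__main__":
    # Stream larger than L2: without bypass the hot set is evicted every frame.
    print("hot-set misses, stream allocates in L2:", hot_set_misses(64, 16, 256, 5, False))
    print("hot-set misses, stream bypasses L2:   ", hot_set_misses(64, 16, 256, 5, True))
```

With a 64-line L2, a 16-line hot set and a 256-line stream, the hot set misses on every one of the 5 frames when the stream allocates in L2 (80 misses), and only during the first frame when it bypasses L2 (16 misses). That gap is the motivation for a prefetch that skips L2; the coherence cost of doing so is the subject of the rest of the article.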
But this was a processor for a game console, and performance came first. So a new instruction was added: xdcbt. Where the standard PowerPC dcbt is a typical prefetch instruction, xdcbt fetched data directly from memory into the L1 data cache, bypassing L2. As a result, memory coherence was no longer guaranteed, but game developers knew what they were doing, and all should have been well. Experience, however, revealed a problem with xdcbt prefetching: when the instruction was applied to cache lines the last of which partly belonged to another data structure, crashes occurred. So xdcbt had to be used extremely carefully, so as not to touch a single byte outside the buffer.
But then the same problem began to show up even in places where games did not use the xdcbt instruction, which was a very serious obstacle to the platform's launch. Bruce Dawson struggled in vain to identify the cause of the errors until it dawned on him. A letter to IBM confirmed his fears: it was a subtlety of the CPU design that few people had thought about.
Although the Xbox 360 chip, unlike most modern chips, is an in-order processor that relies primarily on high clock frequency for performance, it also has a branch predictor, made necessary by its very long pipeline (a correctly predicted branch could even speed up in-order execution).
Now, because of those long latencies, the branch prediction unit would sometimes speculatively execute an xdcbt prefetch, which behaved exactly like a real one and could cause the same problems as a real execution of the instruction. The same difficulty with speculative execution of instructions by the processor, a technique used to improve performance, is at the root of the recently disclosed Meltdown and Spectre vulnerabilities.
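Both hazards, the one from the paragraph on xdcbt touching a cache line shared with another structure and the one from speculative execution of a prefetch that was guarded by a branch, can be reproduced in one small coherence model. This is an added example, not Bruce Dawson's code and not a description of the real Xenon microarchitecture: it assumes 128-byte cache lines, models memory at word granularity, reduces MESI to "a store invalidates every other core's coherent copy of the line", and models the branch predictor as issuing the predicted arm of `if (use_xdcbt) xdcbt else dcbt` before the branch resolves. The memory layout (a 200-byte buffer at 0x1000 followed directly by a neighbouring field) is constructed.

```python
LINE_BYTES = 128  # assumed cache-line size for the model; the article gives none
WORD = 4          # memory is modelled at word granularity


def lines_covering(addr, size):
    """Cache-line numbers touched by the byte range [addr, addr + size)."""
    return list(range(addr // LINE_BYTES, (addr + size - 1) // LINE_BYTES + 1))


class Memory:
    """Shared memory plus the cores whose L1 copies coherence must track."""

    def __init__(self):
        self.words = {}
        self.cores = []

    def read_line(self, line):
        base = line * LINE_BYTES
        return {a: self.words.get(a, 0) for a in range(base, base + LINE_BYTES, WORD)}


class Core:
    def __init__(self, mem):
        self.mem = mem
        self.l1 = {}        # line -> {word address: value}
        self.coherent = {}  # line -> False for lines filled by xdcbt
        mem.cores.append(self)

    def _fill(self, line, coherent):
        self.l1[line] = self.mem.read_line(line)
        self.coherent[line] = coherent

    def dcbt(self, addr):
        """Ordinary prefetch: line installed coherently (and, on the real chip, via L2)."""
        line = addr // LINE_BYTES
        if line not in self.l1:
            self._fill(line, coherent=True)

    def xdcbt(self, addr):
        """Extended prefetch: memory straight into L1, bypassing L2. The copy is not
        tracked by the coherence protocol, so another core's store cannot invalidate it."""
        self._fill(addr // LINE_BYTES, coherent=False)

    def load(self, addr):
        line = addr // LINE_BYTES
        if line not in self.l1:
            self._fill(line, coherent=True)
        return self.l1[line][addr]

    def store(self, addr, value):
        line = addr // LINE_BYTES
        self.mem.words[addr] = value
        if line in self.l1:
            self.l1[line][addr] = value
        # MESI-style invalidation: other cores holding a *coherent* copy drop it.
        for other in self.mem.cores:
            if other is not self and other.coherent.get(line):
                del other.l1[line], other.coherent[line]


def guarded_prefetch(core, addr, use_xdcbt, predictor_says_xdcbt):
    """Model of `if (use_xdcbt) xdcbt(addr) else dcbt(addr)` on an in-order core with
    a branch predictor. The predicted arm issues before the branch resolves; a prefetch
    has no result to discard, so its cache effect survives a misprediction."""
    if predictor_says_xdcbt:
        core.xdcbt(addr)  # speculative and irreversible
    else:
        core.dcbt(addr)
    if use_xdcbt:         # the branch resolves and the correct arm executes
        core.xdcbt(addr)
    else:
        core.dcbt(addr)


def stale_read_demo(use_xdcbt, mispredict):
    """core0 prefetches a buffer, core1 then updates a neighbouring field that shares
    the buffer's last cache line; return what core0 reads back for that field."""
    mem = Memory()
    core0, core1 = Core(mem), Core(mem)
    buf, buf_len = 0x1000, 200      # constructed layout: 200-byte buffer ...
    neighbour = buf + buf_len       # ... followed directly by another structure
    mem.words[neighbour] = 1
    assert neighbour // LINE_BYTES == lines_covering(buf, buf_len)[-1]
    for line in lines_covering(buf, buf_len):
        # a misprediction means the predictor guessed the arm that was not taken
        guarded_prefetch(core0, line * LINE_BYTES, use_xdcbt, use_xdcbt != mispredict)
    core1.store(neighbour, 2)
    return core0.load(neighbour)    # 2 when coherent, stale 1 when an xdcbt leaked in
```

`stale_read_demo(False, False)` returns 2: the dcbt copies are coherent, core1's store invalidates them and core0 reloads the new value. `stale_read_demo(True, False)` returns the stale 1, which is the first hazard: an intentional xdcbt over the buffer's last line also pinned the neighbour's bytes in a non-coherent copy. `stale_read_demo(False, True)` also returns 1: the code asked for dcbt, but the predicted xdcbt had already filled L1 before the branch resolved, and the later dcbt found the line present and did nothing. Nothing in the program text distinguishes the second case from the first, which is why avoiding the instruction entirely was the only reliable fix.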
The way the branch prediction unit works showed that the xdcbt instruction was too unsafe, from the standpoint of system stability, to be used in any segment of any game's code for the Xbox 360. There were ways to reduce the risks, but avoiding them entirely was hardly possible, and so Bruce Dawson doubts that even one game remained that used xdcbt, although it continues to be mentioned in discussions of the Xbox 360 architecture.