7: the *actual* $a instructions, pt. 1


Today I'll attempt to look at the channel switch microcode. Its only tasks should be loading/storing the context data and some administrative stuff.

Since so far we've only worked on NV50, let's look at the NV50 version.

00000000: 6a0000c7     mov $y0 $a0
00000000: 6a0840c7     mov $y1 $a1
00000000: 6a1080c7     mov $y2 $a2
00000000: 6a18c0c7     mov $y3 $a3
00000001: 6b0fc047     mov $a1 $sr31
00000001: 62104010     and $a2 $c0 $a1 0x2
00000001: 62104021     and $a2 $c1 $a1 0x4
00000001: 6210400a     and $a2 $c2 $a1 0x1
00000002: e200ba27     bra not $c0 zf 0x5f
00000002: ef0001ff     bnop
00000002: e202122f     bra not $c1 zf 0x10b
00000002: ef0001ff     bnop
00000003: e2000a37     bra not $c2 zf 0x8
00000003: ef0001ff     bnop
00000003: ef0001ff     bnop
00000003: ef0001ff     bnop
00000004: ef0001ff     bnop
00000004: ef0001ff     bnop
00000004: ef0001ff     bnop
00000004: ef0001ff     bnop
00000005: ef0001ff     bnop
00000005: ef0001ff     bnop
00000005: fff80000     exit 0
00000005: ef0001ff     bnop
00000006: ef0001ff     bnop
00000006: ef0001ff     bnop
00000006: ef0001ff     bnop
00000006: ef0001ff     bnop
00000007: ef0001ff     bnop
00000007: ef0001ff     bnop
00000007: ef0001ff     bnop
00000007: ef0001ff     bnop

So far so good: $sr31 is the "tasks expected from channel switch microcode" RO bitmask register. This explains what we saw back in episode 3. But for some reason it has three bits, while we were expecting only two (channel save and channel load). Hm. Ok, let's look at the three branches. First, bit 1, which apparently has priority:

0000005f: 6b000067   B mov $a0 $r0
0000005f: 6a2000c7     mov $y4 $a0
0000005f: 6b084067     mov $a1 $r1
0000005f: 6a2840c7     mov $y5 $a1
00000060: 6b108067     mov $a2 $r2
00000060: 6a3080c7     mov $y6 $a2
00000060: 6b18c067     mov $a3 $r3
00000060: 6a38c0c7     mov $y7 $a3
00000061: cd000000     ??? [unknown: cd000000]
00000061: cc000000     ??? [unknown: cc000000]
00000061: cd081f7f     ??? [unknown: cd081f7f]
00000061: cc080080     ??? [unknown: cc080080]
00000062: cd10c000     ??? [unknown: cd10c000]
00000062: cc100000     ??? [unknown: cc100000]
00000062: c700a000     ??? [unknown: c700a000]
00000062: cd000000     ??? [unknown: cd000000]
00000063: cc001000     ??? [unknown: cc001000]
00000063: cc101000     ??? [unknown: cc101000]
00000063: c700a000     ??? [unknown: c700a000]
00000063: ce090000     ??? [unknown: ce090000]
00000064: cf090000     ??? [unknown: cf090000]
00000064: cd00c000     ??? [unknown: cd00c000]
00000064: cc000000     ??? [unknown: cc000000]
00000064: ef0001ff     bnop
00000065: 6b0100c7     mov $a0 $y4
00000065: d6000027     ??? [unknown: d6000027]
00000065: bf000007     vnop
00000065: ef0001ff     bnop
00000066: 6b0140c7     mov $a0 $y5
00000066: d6000027     ??? [unknown: d6000027]
00000066: bf000007     vnop
00000066: ef0001ff     bnop
00000067: 6b0180c7     mov $a0 $y6
00000067: d6000027     ??? [unknown: d6000027]
00000067: bf000007     vnop
00000067: ef0001ff     bnop
00000068: 6b01c0c7     mov $a0 $y7
00000068: d6000027     ??? [unknown: d6000027]
00000068: bf000007     vnop
00000068: ef0001ff     bnop
00000069: 6b010067     mov $a0 $r4
00000069: d6000027     ??? [unknown: d6000027]
00000069: bf000007     vnop
00000069: ef0001ff     bnop
0000006a: 6b014067     mov $a0 $r5
0000006a: d6000027     ??? [unknown: d6000027]
0000006a: bf000007     vnop
0000006a: ef0001ff     bnop
[...]
00000084: 6b07c067     mov $a0 $r31
00000084: d6000027     ??? [unknown: d6000027]
00000084: bf000007     vnop
00000084: ef0001ff     bnop
00000085: 6b0000c7     mov $a0 $y0
00000085: d6000027     ??? [unknown: d6000027]
00000085: bf000007     vnop
00000085: ef0001ff     bnop
00000086: 6b0040c7     mov $a0 $y1
00000086: d6000027     ??? [unknown: d6000027]
00000086: bf000007     vnop
00000086: ef0001ff     bnop
00000087: 6b0080c7     mov $a0 $y2
00000087: d6000027     ??? [unknown: d6000027]
00000087: bf000007     vnop
00000087: ef0001ff     bnop
00000088: 6b00c0c7     mov $a0 $y3
00000088: d6000027     ??? [unknown: d6000027]
00000088: bf000007     vnop
00000088: ef0001ff     bnop
00000089: d6010027     ??? [unknown: d6010027]
00000089: d6014027     ??? [unknown: d6014027]
00000089: d6018027     ??? [unknown: d6018027]
[...]
0000008f: d6078027     ??? [unknown: d6078027]
0000008f: d607c027     ??? [unknown: d607c027]
00000090: 6b00005f     mov $a0 $l0
00000090: d6000027     ??? [unknown: d6000027]
00000090: bf000007     vnop
00000090: ef0001ff     bnop
00000091: 6b00405f     mov $a0 $l1
00000091: d6000027     ??? [unknown: d6000027]
00000091: bf000007     vnop
00000091: ef0001ff     bnop
00000092: 6b00805f     mov $a0 $l2
00000092: d6000027     ??? [unknown: d6000027]
00000092: bf000007     vnop
00000092: ef0001ff     bnop
00000093: 6b00c05f     mov $a0 $l3
00000093: d6000027     ??? [unknown: d6000027]
00000093: bf000007     vnop
00000093: ef0001ff     bnop
00000094: d607c027     ??? [unknown: d607c027]
00000094: d607c027     ??? [unknown: d607c027]
00000094: d607c027     ??? [unknown: d607c027]
00000094: d607c027     ??? [unknown: d607c027]
00000095: d607c027     ??? [unknown: d607c027]
00000095: d607c027     ??? [unknown: d607c027]
00000095: d607c027     ??? [unknown: d607c027]
00000095: d607c027     ??? [unknown: d607c027]
00000096: d607c027     ??? [unknown: d607c027]
00000096: d607c027     ??? [unknown: d607c027]
00000096: d607c027     ??? [unknown: d607c027]
00000096: d607c027     ??? [unknown: d607c027]
00000097: d607c027     ??? [unknown: d607c027]
00000097: d607c027     ??? [unknown: d607c027]
00000097: d607c027     ??? [unknown: d607c027]
00000097: d607c027     ??? [unknown: d607c027]
00000098: d607c027     ??? [unknown: d607c027]
00000098: d607c027     ??? [unknown: d607c027]
00000098: d607c027     ??? [unknown: d607c027]
00000098: d607c027     ??? [unknown: d607c027]
00000099: d607c027     ??? [unknown: d607c027]
00000099: d607c027     ??? [unknown: d607c027]
00000099: d607c027     ??? [unknown: d607c027]
00000099: d607c027     ??? [unknown: d607c027]
0000009a: d607c027     ??? [unknown: d607c027]
0000009a: d607c027     ??? [unknown: d607c027]
0000009a: d607c027     ??? [unknown: d607c027]
0000009a: d607c027     ??? [unknown: d607c027]
0000009b: d4000087     ??? [unknown: d4000087]
0000009b: d4004087     ??? [unknown: d4004087]
[...]
000000a2: d4078087     ??? [unknown: d4078087]
000000a2: d407c087     ??? [unknown: d407c087]
000000a3: f000001f     mov $l0 $c0 0x1f
000000a3: 4fffffff     anop
000000a3: bf000007     vnop
000000a3: ef0001ff     bnop
000000a4: 6b0840bf   B mov $a1 $z1
000000a4: d6004027     ??? [unknown: d6004027]
000000a4: 6b0000bf     mov $a0 $z0
000000a4: e30001a0     bra loop $l0 $c0 $l0 not $c0 lz 0xa4
000000a5: d6000027     ??? [unknown: d6000027]
000000a5: ef0001ff     bnop
000000a5: bf000007     vnop
000000a5: ef0001ff     bnop
000000a6: 6b0000a7     mov $a0 $x0
000000a6: d6000027     ??? [unknown: d6000027]
000000a6: bf000007     vnop
000000a6: ef0001ff     bnop
000000a7: 6b0040a7     mov $a0 $x1
000000a7: d6000027     ??? [unknown: d6000027]
000000a7: bf000007     vnop
000000a7: ef0001ff     bnop
000000a8: 6b0080a7     mov $a0 $x2
000000a8: d6000027     ??? [unknown: d6000027]
000000a8: bf000007     vnop
000000a8: ef0001ff     bnop
[...]
000000e4: 6b0780af     mov $a0 $x62
000000e4: d6000027     ??? [unknown: d6000027]
000000e4: bf000007     vnop
000000e4: ef0001ff     bnop
000000e5: 6b07c0af     mov $a0 $x63
000000e5: d6000027     ??? [unknown: d6000027]
000000e5: bf000007     vnop
000000e5: ef0001ff     bnop
000000e6: 6b0000b7     mov $a0 $d0
000000e6: d6000027     ??? [unknown: d6000027]
000000e6: bf000007     vnop
000000e6: ef0001ff     bnop
000000e7: 6b0040b7     mov $a0 $d1
000000e7: d6000027     ??? [unknown: d6000027]
000000e7: bf000007     vnop
000000e7: ef0001ff     bnop
[...]
000000ed: 6b01c0b7     mov $a0 $d7
000000ed: d6000027     ??? [unknown: d6000027]
000000ed: bf000007     vnop
000000ed: ef0001ff     bnop
000000ee: 6b00c047     mov $a0 $sr3
000000ee: d6000027     ??? [unknown: d6000027]
000000ee: bf000007     vnop
000000ee: ef0001ff     bnop
000000ef: 6b00004f     mov $a0 $sr32
000000ef: d6000027     ??? [unknown: d6000027]
000000ef: bf000007     vnop
000000ef: ef0001ff     bnop
000000f0: 6b00404f     mov $a0 $sr33
000000f0: d6000027     ??? [unknown: d6000027]
000000f0: bf000007     vnop
000000f0: ef0001ff     bnop
000000f1: 6b02404f     mov $a0 $sr41
000000f1: d6000027     ??? [unknown: d6000027]
000000f1: bf000007     vnop
000000f1: ef0001ff     bnop
000000f2: 6b04404f     mov $a0 $sr49
000000f2: d6000027     ??? [unknown: d6000027]
000000f2: bf000007     vnop
000000f2: ef0001ff     bnop
000000f3: 6b06404f     mov $a0 $sr57
000000f3: d6000027     ??? [unknown: d6000027]
000000f3: bf000007     vnop
000000f3: ef0001ff     bnop
000000f4: 6b00804f     mov $a0 $sr34
000000f4: d6000027     ??? [unknown: d6000027]
000000f4: bf000007     vnop
000000f4: ef0001ff     bnop
000000f5: 6b00c04f     mov $a0 $sr35
000000f5: d6000027     ??? [unknown: d6000027]
000000f5: bf000007     vnop
000000f5: ef0001ff     bnop
000000f6: 6b02c04f     mov $a0 $sr43
000000f6: d6000027     ??? [unknown: d6000027]
000000f6: bf000007     vnop
000000f6: ef0001ff     bnop
000000f7: 6b04c04f     mov $a0 $sr51
000000f7: d6000027     ??? [unknown: d6000027]
000000f7: bf000007     vnop
000000f7: ef0001ff     bnop
000000f8: 6b06c04f     mov $a0 $sr59
000000f8: d6000027     ??? [unknown: d6000027]
000000f8: bf000007     vnop
000000f8: ef0001ff     bnop
000000f9: 6b01004f     mov $a0 $sr36
000000f9: d6000027     ??? [unknown: d6000027]
000000f9: bf000007     vnop
000000f9: ef0001ff     bnop
000000fa: 6b01404f     mov $a0 $sr37
000000fa: d6000027     ??? [unknown: d6000027]
000000fa: bf000007     vnop
000000fa: ef0001ff     bnop
000000fb: 6b03404f     mov $a0 $sr45
000000fb: d6000027     ??? [unknown: d6000027]
000000fb: bf000007     vnop
000000fb: ef0001ff     bnop
000000fc: 6b05404f     mov $a0 $sr53
000000fc: d6000027     ??? [unknown: d6000027]
000000fc: bf000007     vnop
000000fc: ef0001ff     bnop
000000fd: 6b07404f     mov $a0 $sr61
000000fd: d6000027     ??? [unknown: d6000027]
000000fd: bf000007     vnop
000000fd: ef0001ff     bnop
000000fe: 6b01804f     mov $a0 $sr38
000000fe: d6000027     ??? [unknown: d6000027]
000000fe: bf000007     vnop
000000fe: ef0001ff     bnop
000000ff: 6b01c04f     mov $a0 $sr39
000000ff: d6000027     ??? [unknown: d6000027]
000000ff: bf000007     vnop
000000ff: ef0001ff     bnop
00000100: 6b03c04f     mov $a0 $sr47
00000100: d6000027     ??? [unknown: d6000027]
00000100: bf000007     vnop
00000100: ef0001ff     bnop
00000101: 6b05c04f     mov $a0 $sr55
00000101: d6000027     ??? [unknown: d6000027]
00000101: bf000007     vnop
00000101: ef0001ff     bnop
00000102: 6b07c04f     mov $a0 $sr63
00000102: d6000027     ??? [unknown: d6000027]
00000102: bf000007     vnop
00000102: ef0001ff     bnop
00000103: 6b03c0c7     mov $a0 $y15
00000103: d6000027     ??? [unknown: d6000027]
00000103: bf000007     vnop
00000103: ef0001ff     bnop
00000104: cd000000     ??? [unknown: cd000000]
00000104: cc002000     ??? [unknown: cc002000]
00000104: cd081f7f     ??? [unknown: cd081f7f]
00000104: cc080080     ??? [unknown: cc080080]
00000105: cd10c000     ??? [unknown: cd10c000]
00000105: cc100000     ??? [unknown: cc100000]
00000105: c700a000     ??? [unknown: c700a000]
00000105: ce090000     ??? [unknown: ce090000]
00000106: cf090000     ??? [unknown: cf090000]
00000106: ef0001ff     bnop
00000106: ef0001ff     bnop
00000106: ef0001ff     bnop
00000107: ef0001ff     bnop
00000107: ef0001ff     bnop
00000107: ef0001ff     bnop
00000107: ef0001ff     bnop
00000108: ef0001ff     bnop
00000108: fff80000     exit 0
00000108: ef0001ff     bnop
00000108: ef0001ff     bnop
00000109: ef0001ff     bnop
00000109: ef0001ff     bnop
00000109: ef0001ff     bnop
00000109: ef0001ff     bnop
0000010a: ef0001ff     bnop
0000010a: ef0001ff     bnop
0000010a: bf000007     vnop
0000010a: ef0001ff     bnop

Yeah, looks like a save, which rightfully should have priority: [almost] all registers are moved into $a0, then d6 opcode is executed, which is apparently a store to memory. Note that the opcode is always the same when storing $a0 - which implies the address is somehow autoincremented. It also seems that the source $a reg to be stored is selected by the usual 14-18 bitfield.

There's also a series of 32 d4 instructions, which look like stores too. Since we see all other register files saved elsewhere, the only possibility is $v. Also note how bits 3+ of d4/d6 instructions are always 4 for d6, 0x10 for d4. This is likely the autoincrement offset.

But, there are a couple things that should be pointed out here:

  • the load/stores operate on $a and $v, not on $r and $v that we expected
  • the $a file isn't touched before the save/restore sequence, $r is
  • the only $a register that could be selected for addressing by the d4/d6 opcodes is $a0 (since they have so many 0 bits), but it's also used as data
  • even the vector d4 store is in the c0-df unit, which is supposed to be scalar

There can only be one conclusion. We got the register files wrong and swapped $a with $r. Looking back at episode 1, the only reason we guessed that this register file was $a was that 6c looked like a load instruction. Since that's known to be wrong already, we can safely ditch it.

How about the sequence for bit 2, which we already know to be a load?

0000010b: cd000000   B ??? [unknown: cd000000]
0000010b: cc000000     ??? [unknown: cc000000]
0000010b: cc180000     ??? [unknown: cc180000]
0000010b: cd180000     ??? [unknown: cd180000]
0000010c: 65000000     mov $r0 0
0000010c: 75000000     sethi $r0 0
0000010c: 6a000007     mov $v0 0 $r0
0000010c: 6a00000f     mov $v0 0x1 $r0
0000010d: 6a000017     mov $v0 0x2 $r0
0000010d: 6a00001f     mov $v0 0x3 $r0
0000010d: d4000007     ??? [unknown: d4000007]
0000010d: c80001e7     ??? [unknown: c80001e7]
0000010e: cd000000     ??? [unknown: cd000000]
0000010e: cc002000     ??? [unknown: cc002000]
0000010e: cd081f7f     ??? [unknown: cd081f7f]
0000010e: cc080080     ??? [unknown: cc080080]
0000010f: cd10c000     ??? [unknown: cd10c000]
0000010f: cc100000     ??? [unknown: cc100000]
0000010f: c3102000     ??? [unknown: c3102000]
0000010f: ad07c000     ??? [unknown: ad07c000]
00000110: ad07c001     ??? [unknown: ad07c001]
00000110: ad07c002     ??? [unknown: ad07c002]
00000110: ad07c003     ??? [unknown: ad07c003]
00000110: 80000000     ??? [unknown: 80000000]
00000111: d3000030     ??? [unknown: d3000030]
00000111: ca07c1c0     ??? [unknown: ca07c1c0]
00000111: d3000031     ??? [unknown: d3000031]
00000111: ca07c1c1     ??? [unknown: ca07c1c1]
00000112: d3000032     ??? [unknown: d3000032]
00000112: ca07c1c2     ??? [unknown: ca07c1c2]
00000112: d3000033     ??? [unknown: d3000033]
00000112: ca07c1c3     ??? [unknown: ca07c1c3]
00000113: f000b6db     mov $l0 $c0 0xb6db
00000113: f008246d     mov $l1 $c1 0x246d
00000113: f0102f76     mov $l2 $c2 0x2f76
00000113: f0185cdf     mov $l3 $c3 0x5cdf
00000114: 4cffffc0     add 0 $c0 0 0
00000114: 4cffffc1     add 0 $c1 0 0
00000114: 4cffffc2     add 0 $c2 0 0
00000114: 4cffffc3     add 0 $c3 0 0
00000115: ce090001     ??? [unknown: ce090001]
00000115: cf090001     ??? [unknown: cf090001]
00000115: df000007     snop
00000115: df000007     snop
00000116: df000007     snop
00000116: cd00c000     ??? [unknown: cd00c000]
00000116: cc000000     ??? [unknown: cc000000]
00000116: df000007     snop
00000117: d2000027     ??? [unknown: d2000027]
00000117: bf000007     vnop
00000117: ef0001ff     bnop
00000117: 6a2000c7     mov $y4 $r0
00000118: d2000027     ??? [unknown: d2000027]
00000118: bf000007     vnop
00000118: ef0001ff     bnop
00000118: 6a2800c7     mov $y5 $r0
00000119: d2000027     ??? [unknown: d2000027]
00000119: bf000007     vnop
00000119: ef0001ff     bnop
00000119: 6a3000c7     mov $y6 $r0
0000011a: d2000027     ??? [unknown: d2000027]
0000011a: bf000007     vnop
0000011a: ef0001ff     bnop
0000011a: 6a3800c7     mov $y7 $r0
0000011b: d2000027     ??? [unknown: d2000027]
0000011b: bf000007     vnop
0000011b: ef0001ff     bnop
0000011b: 6a200067     mov $a4 $r0
0000011c: d2000027     ??? [unknown: d2000027]
0000011c: bf000007     vnop
0000011c: ef0001ff     bnop
0000011c: 6a280067     mov $a5 $r0
0000011d: d2000027     ??? [unknown: d2000027]
0000011d: bf000007     vnop
0000011d: ef0001ff     bnop
[...]
00000135: 6af00067     mov $a30 $r0
00000136: d2000027     ??? [unknown: d2000027]
00000136: bf000007     vnop
00000136: ef0001ff     bnop
00000136: 6af80067     mov $a31 $r0
00000137: d2000027     ??? [unknown: d2000027]
00000137: bf000007     vnop
00000137: ef0001ff     bnop
00000137: 6a0000c7     mov $y0 $r0
00000138: d2000027     ??? [unknown: d2000027]
00000138: bf000007     vnop
00000138: ef0001ff     bnop
00000138: 6a0800c7     mov $y1 $r0
00000139: d2000027     ??? [unknown: d2000027]
00000139: bf000007     vnop
00000139: ef0001ff     bnop
00000139: 6a1000c7     mov $y2 $r0
0000013a: d2000027     ??? [unknown: d2000027]
0000013a: bf000007     vnop
0000013a: ef0001ff     bnop
0000013a: 6a1800c7     mov $y3 $r0
0000013b: d2200027     ??? [unknown: d2200027]
0000013b: d2280027     ??? [unknown: d2280027]
0000013b: d2300027     ??? [unknown: d2300027]
0000013b: d2380027     ??? [unknown: d2380027]
[...]
00000141: d2f00027     ??? [unknown: d2f00027]
00000141: d2f80027     ??? [unknown: d2f80027]
00000142: d2000027     ??? [unknown: d2000027]
00000142: bf000007     vnop
00000142: ef0001ff     bnop
00000142: 6a00005f     mov $l0 $r0
00000143: d2000027     ??? [unknown: d2000027]
00000143: bf000007     vnop
00000143: ef0001ff     bnop
00000143: 6a08005f     mov $l1 $r0
00000144: d2000027     ??? [unknown: d2000027]
00000144: bf000007     vnop
00000144: ef0001ff     bnop
00000144: 6a10005f     mov $l2 $r0
00000145: d2000027     ??? [unknown: d2000027]
00000145: bf000007     vnop
00000145: ef0001ff     bnop
00000145: 6a18005f     mov $l3 $r0
00000146: d2000027     ??? [unknown: d2000027]
00000146: d2000027     ??? [unknown: d2000027]
[...]
0000014c: d2000027     ??? [unknown: d2000027]
0000014c: d2000027     ??? [unknown: d2000027]
0000014d: d0000087     ??? [unknown: d0000087]
0000014d: d0080087     ??? [unknown: d0080087]
0000014d: d0100087     ??? [unknown: d0100087]
0000014d: d0180087     ??? [unknown: d0180087]
0000014e: d0200087     ??? [unknown: d0200087]
0000014e: d0280087     ??? [unknown: d0280087]
[...]
00000154: d0f00087     ??? [unknown: d0f00087]
00000154: d0f80087     ??? [unknown: d0f80087]
00000155: 65100020     mov $r2 0x20
00000155: 4fffffff     anop
00000155: bf000007     vnop
00000155: ef0001ff     bnop
00000156: d2080027   B ??? [unknown: d2080027]
00000156: 6c10bff8     add $r2 $c0 $r2 -0x1
00000156: bf000007     vnop
00000156: ef0001ff     bnop
00000157: d2000027     ??? [unknown: d2000027]
00000157: 6a0840bf     mov $z1 $r1
00000157: bf000007     vnop
00000157: e2fffe27     bra not $c0 zf 0x156
00000158: 6a0000bf     mov $z0 $r0
00000158: ef0001ff     bnop
00000158: bf000007     vnop
00000158: ef0001ff     bnop
00000159: d2000027     ??? [unknown: d2000027]
00000159: bf000007     vnop
00000159: ef0001ff     bnop
00000159: 6a0000a7     mov $x0 $r0
0000015a: d2000027     ??? [unknown: d2000027]
0000015a: bf000007     vnop
0000015a: ef0001ff     bnop
0000015a: 6a0800a7     mov $x1 $r0
0000015b: d2000027     ??? [unknown: d2000027]
0000015b: bf000007     vnop
0000015b: ef0001ff     bnop
[...]
00000198: 6af800af     mov $x63 $r0
00000199: d2000027     ??? [unknown: d2000027]
00000199: bf000007     vnop
00000199: ef0001ff     bnop
00000199: 6a0000b7     mov $d0 $r0
0000019a: d2000027     ??? [unknown: d2000027]
0000019a: bf000007     vnop
0000019a: ef0001ff     bnop
0000019a: 6a0800b7     mov $d1 $r0
0000019b: d2000027     ??? [unknown: d2000027]
0000019b: bf000007     vnop
0000019b: ef0001ff     bnop
[...]
000001a0: 6a3800b7     mov $d7 $r0
000001a1: d2000027     ??? [unknown: d2000027]
000001a1: bf000007     vnop
000001a1: ef0001ff     bnop
000001a1: 6a180047     mov $sr3 $r0
000001a2: d2000027     ??? [unknown: d2000027]
000001a2: bf000007     vnop
000001a2: ef0001ff     bnop
000001a2: 6a4800c7     mov $y9 $r0
000001a3: d2000027     ??? [unknown: d2000027]
000001a3: bf000007     vnop
000001a3: ef0001ff     bnop
000001a3: 6a4000c7     mov $y8 $r0
000001a4: d2000027     ??? [unknown: d2000027]
000001a4: bf000007     vnop
000001a4: ef0001ff     bnop
000001a4: 6a48004f     mov $sr41 $r0
000001a5: d2000027     ??? [unknown: d2000027]
000001a5: bf000007     vnop
000001a5: ef0001ff     bnop
000001a5: 6a88004f     mov $sr49 $r0
000001a6: d2000027     ??? [unknown: d2000027]
000001a6: bf000007     vnop
000001a6: ef0001ff     bnop
000001a6: 6ac8004f     mov $sr57 $r0
000001a7: d2000027     ??? [unknown: d2000027]
000001a7: bf000007     vnop
000001a7: ef0001ff     bnop
000001a7: 6a10004f     mov $sr34 $r0
000001a8: d2000027     ??? [unknown: d2000027]
000001a8: bf000007     vnop
000001a8: ef0001ff     bnop
000001a8: 6a18004f     mov $sr35 $r0
000001a9: d2000027     ??? [unknown: d2000027]
000001a9: bf000007     vnop
000001a9: ef0001ff     bnop
000001a9: 6a58004f     mov $sr43 $r0
000001aa: d2000027     ??? [unknown: d2000027]
000001aa: bf000007     vnop
000001aa: ef0001ff     bnop
000001aa: 6a98004f     mov $sr51 $r0
000001ab: d2000027     ??? [unknown: d2000027]
000001ab: bf000007     vnop
000001ab: ef0001ff     bnop
000001ab: 6ad8004f     mov $sr59 $r0
000001ac: d2000027     ??? [unknown: d2000027]
000001ac: bf000007     vnop
000001ac: ef0001ff     bnop
000001ac: 6a20004f     mov $sr36 $r0
000001ad: d2000027     ??? [unknown: d2000027]
000001ad: bf000007     vnop
000001ad: ef0001ff     bnop
000001ad: 6a28004f     mov $sr37 $r0
000001ae: d2000027     ??? [unknown: d2000027]
000001ae: bf000007     vnop
000001ae: ef0001ff     bnop
000001ae: 6a68004f     mov $sr45 $r0
000001af: d2000027     ??? [unknown: d2000027]
000001af: bf000007     vnop
000001af: ef0001ff     bnop
000001af: 6aa8004f     mov $sr53 $r0
000001b0: d2000027     ??? [unknown: d2000027]
000001b0: bf000007     vnop
000001b0: ef0001ff     bnop
000001b0: 6ae8004f     mov $sr61 $r0
000001b1: d2000027     ??? [unknown: d2000027]
000001b1: bf000007     vnop
000001b1: ef0001ff     bnop
000001b1: 6a30004f     mov $sr38 $r0
000001b2: d2000027     ??? [unknown: d2000027]
000001b2: bf000007     vnop
000001b2: ef0001ff     bnop
000001b2: 6a38004f     mov $sr39 $r0
000001b3: d2000027     ??? [unknown: d2000027]
000001b3: bf000007     vnop
000001b3: ef0001ff     bnop
000001b3: 6a78004f     mov $sr47 $r0
000001b4: d2000027     ??? [unknown: d2000027]
000001b4: bf000007     vnop
000001b4: ef0001ff     bnop
000001b4: 6ab8004f     mov $sr55 $r0
000001b5: d2000027     ??? [unknown: d2000027]
000001b5: bf000007     vnop
000001b5: ef0001ff     bnop
000001b5: 6af8004f     mov $sr63 $r0
000001b6: d2000027     ??? [unknown: d2000027]
000001b6: bf000007     vnop
000001b6: ef0001ff     bnop
000001b6: 6a7800c7     mov $y15 $r0
000001b7: cd000000     ??? [unknown: cd000000]
000001b7: cc000000     ??? [unknown: cc000000]
000001b7: cd081f7f     ??? [unknown: cd081f7f]
000001b7: cc080080     ??? [unknown: cc080080]
000001b8: cd10c000     ??? [unknown: cd10c000]
000001b8: cc100000     ??? [unknown: cc100000]
000001b8: c3102000     ??? [unknown: c3102000]
000001b8: cd000000     ??? [unknown: cd000000]
000001b9: cc001000     ??? [unknown: cc001000]
000001b9: cc101000     ??? [unknown: cc101000]
000001b9: c3102000     ??? [unknown: c3102000]
000001b9: ce090001     ??? [unknown: ce090001]
000001ba: cf090001     ??? [unknown: cf090001]
000001ba: df000007     snop
000001ba: df000007     snop
000001ba: df000007     snop
000001bb: df000007     snop
000001bb: 6b0200c7     mov $r0 $y8
000001bb: 6a08004f     mov $sr33 $r0
000001bb: 6b0240c7     mov $r0 $y9
000001bc: 6a00004f     mov $sr32 $r0
000001bc: 6b0100c7     mov $r0 $y4
000001bc: 6a000067     mov $a0 $r0
000001bc: 6b0000c7     mov $r0 $y0
000001bd: 6b0940c7     mov $r1 $y5
000001bd: 6a084067     mov $a1 $r1
000001bd: 6b0840c7     mov $r1 $y1
000001bd: 6b1180c7     mov $r2 $y6
000001be: 6a108067     mov $a2 $r2
000001be: 6b1080c7     mov $r2 $y2
000001be: 6b19c0c7     mov $r3 $y7
000001be: 6a18c067     mov $a3 $r3
000001bf: 6b18c0c7     mov $r3 $y3
000001bf: ef0001ff     bnop
000001bf: ef0001ff     bnop
000001bf: ef0001ff     bnop
000001c0: ef0001ff     bnop
000001c0: ef0001ff     bnop
000001c0: ef0001ff     bnop
000001c0: ef0001ff     bnop
000001c1: ef0001ff     bnop
000001c1: fff80000     exit 0
000001c1: ef0001ff     bnop
000001c1: ef0001ff     bnop
000001c2: ef0001ff     bnop
000001c2: ef0001ff     bnop
000001c2: ef0001ff     bnop
000001c2: ef0001ff     bnop
[...]

Seems to be the same as save, only with d0/d2 loads instead of stores. Let's summarise the sequences for now:

  • $y0-$y3 used as save area for $r0-$r3
  • $y4-$y7 used as save area for $a0-$a3
  • a pre-load/save sequence with lots of unknown address-class opcodes, probably operating on $a0-$a3
  • included in context save/restore: $a, $r, $l, 28 0s, $v, ($z0, $z1) 32 times, $x, $d, $sr3, lots of $sr's from $sr32-$sr63 range, $y15
  • $sr32 and $sr33 are not restored immediately on load - they're stored in $y8/$y9 until the load is complete
  • $z0 and $z1, if VP2 is any indication, could be the FIFO method queue

Time to get around to REing the real $a registers, I suppose. Let's start with the easy ones, from the "zero all regs" sequence.

0000000f: cd001fff     ??? [unknown: cd001fff]
00000010: cc000010     ??? [unknown: cc000010]
00000010: 4fffffff     snop
00000010: bf000007     vnop
00000010: ef0001ff     bnop
00000011: d4000081   B ??? [unknown: d4000081]
00000011: df000007     anop
00000011: e200014f     bra not $c1 unk10 0x11
00000011: ef0001ff     bnop
00000012: d3000007     ??? [unknown: d3000007]
00000012: cb0801c0     ??? [unknown: cb0801c0]
00000012: cb1001c1     ??? [unknown: cb1001c1]
[...]
00000019: cbf001c7     ??? [unknown: cbf001c7]
00000019: cbf801c7     ??? [unknown: cbf801c7]
0000001a: ca07c1c0     ??? [unknown: ca07c1c0]
0000001a: ca07c1c1     ??? [unknown: ca07c1c1]
0000001a: ca07c1c2     ??? [unknown: ca07c1c2]
0000001a: ca07c1c3     ??? [unknown: ca07c1c3]

These first few instructions look suspiciously like a memory clear sequence, actually... the $v store is executed in a loop. And cd001fff could be an instruction setting $a0 to 0x1fff, which is the max 13-bit number - which the diagram says is the size of pointers.

Let's try out that cd opcode. 0xcd00cafe:

0000f600: cafebe20 deadbe21 deadbe22 deadbe23
0000f610: deadbe24 deadbe25 deadbe26 deadbe27
0000f620: deadbe28 deadbe29 deadbe2a deadbe2b
0000f630: deadbe2c deadbe2d deadbe2e deadbe2f
0000f640: deadbe30 deadbe31 deadbe32 deadbe33
0000f650: deadbe34 deadbe35 deadbe36 deadbe37
0000f660: deadbe38 deadbe39 deadbe3a deadbe3b
0000f670: deadbe3c deadbe3d deadbe3e deadbe3f

Uh. That was... unexpected. How about cc opcode? 0xcc00cafe:

0000f600: deadcafe deadbe21 deadbe22 deadbe23
0000f610: deadbe24 deadbe25 deadbe26 deadbe27
0000f620: deadbe28 deadbe29 deadbe2a deadbe2b
0000f630: deadbe2c deadbe2d deadbe2e deadbe2f
0000f640: deadbe30 deadbe31 deadbe32 deadbe33
0000f650: deadbe34 deadbe35 deadbe36 deadbe37
0000f660: deadbe38 deadbe39 deadbe3a deadbe3b
0000f670: deadbe3c deadbe3d deadbe3e deadbe3f
0000f680: 00008000 00008000 00008000 00008000

So, sethi and setlo opcodes. Huh. But that's not strange, the values that the program stuffs into the registers are strange.

Let's verify the d4 opcode while we're at it. 0xd4000081:

0000f600: deadbe30 deadbe21 deadbe22 deadbe23
0000f610: deadbe24 deadbe25 deadbe26 deadbe27
0000f620: deadbe28 deadbe29 deadbe2a deadbe2b
0000f630: deadbe2c deadbe2d deadbe2e deadbe2f
0000f640: deadbe30 deadbe31 deadbe32 deadbe33
0000f650: deadbe34 deadbe35 deadbe36 deadbe37
0000f660: deadbe38 deadbe39 deadbe3a deadbe3b
0000f670: deadbe3c deadbe3d deadbe3e deadbe3f
0000f680: 00008000 00008400 00008000 00008000

We see that autoincrement is happening as expected and $c bit 10 is set. First let's see how exactly the autoincrement works. 0xd4002aa8:

0000f600: deadbb75 deadbe21 deadbe22 deadbe23
0000f610: deadbe24 deadbe25 deadbe26 deadbe27
0000f620: deadbe28 deadbe29 deadbe2a deadbe2b
0000f630: deadbe2c deadbe2d deadbe2e deadbe2f
0000f640: deadbe30 deadbe31 deadbe32 deadbe33
0000f650: deadbe34 deadbe35 deadbe36 deadbe37
0000f660: deadbe38 deadbe39 deadbe3a deadbe3b
0000f670: deadbe3c deadbe3d deadbe3e deadbe3f
0000f680: 00008400 00008000 00008000 00008000

Yeah, signed bitfield, same as the immediate in $r ops with immediate. As for the $c flags, a good bet is that the flags are set by the autoincrement addition. Let's look at this.

00000000+00000000: 00000000 flags 00008400
00000001+00000000: 00000001 flags 00008400
deadbeef+00000000: deadbeef flags 00008400
ffffffff+00000000: ffffffff flags 00008400
ffffffff+00000001: ffff0000 flags 00008000

Hmm, the addition affects only low bits... I wonder if the high bits are somehow separate.

ffffffff+00000000: ffffffff flags 00008400
ffff0000+00000000: ffff0000 flags 00008000
ffff0001+00000000: ffff0001 flags 00008000
ffff0002+00000000: ffff0002 flags 00008000
0000ffff+00000000: 0000ffff flags 00008400
00000000+00000000: 00000000 flags 00008400
00000001+00000000: 00000001 flags 00008400
00000002+00000000: 00000002 flags 00008400
0001ffff+00000000: 0001ffff flags 00008400
00010000+00000000: 00010000 flags 00008000
00010001+00000000: 00010001 flags 00008400
00010002+00000000: 00010002 flags 00008400
0002ffff+00000000: 0002ffff flags 00008400
00020000+00000000: 00020000 flags 00008000
00020001+00000000: 00020001 flags 00008000
00020002+00000000: 00020002 flags 00008400

So flag 10 is apparently set when the low half is <= the high part, treated as unsigned numbers. Or is it?

00010000+00000000: 00010000 flags 00008000
00020000+00000000: 00020000 flags 00008000
[...]
20000000+00000000: 20000000 flags 00008000
40000000+00000000: 40000000 flags 00008400
80000000+00000000: 80000000 flags 00008400

Only low 14 bits of the high part are taken into account for the comparison, apparently. How about the low part?

ffffffff+00000000: ffffffff flags 00008400
ffff7fff+00000000: ffff7fff flags 00008400
ffff3fff+00000000: ffff3fff flags 00008400
ffff1fff+00000000: ffff1fff flags 00008000

Ok, so $c bit 10 is set when bits 0-13 are <= bits 16-29 of the result. Sounds quite useful.

Looking at the opcode behavior reveals that d0, d1, d2, d4, d5, d6 have the postincrement behavior, while d3 and d7 don't.

Moving on. The next opcode used is 0xd3. 0xd300dead:

0000f600: 350141d0 cafebe21 cafebe22 cafebe23
0000f610: cafebe24 cafebe25 cafebe26 cafebe27
0000f620: cafebe28 cafebe29 cafebe2a cafebe2b
0000f630: cafebe2c cafebe2d cafebe2e cafebe2f
0000f640: cafebe30 cafebe31 cafebe32 cafebe33
0000f650: cafebe34 cafebe35 cafebe36 cafebe37
0000f660: cafebe38 cafebe39 cafebe3a cafebe3b
0000f670: cafebe3c cafebe3d cafebe3e cafebe3f
0000f680: 00008000 00008000 00008000 00008000

Looks like a negation. Could that be a logop again?

Yeah, testing confirms that. Let's just look at the flags.

00000000 00000000 logop 0: 00000000 flags 00008200
00000000 00000001 logop e: 00000001 flags 00008000
ffffffff 00000000 logop e: ffffffff flags 00008100
80000000 00000000 logop e: 80000000 flags 00008100
7fffffff 00000000 logop e: 7fffffff flags 00008000
00000000 ffffffff logop e: ffffffff flags 00008100

So bit 8 is plain sign flag for $a, bit 9 is zero flag. On to opcode cb. 0xcb000000 writes 0x95fd7c40 to $a0, which is equal to $a0+$a0. A quick test confirms that it works exactly like the 0x4c opcode, but for $a.

Opcode 0xca. Initial tests show it works like 0xcb, except it sets $c bit 10, not bits 8-9, and uses the destination as first source, while bits 14-18 are ignored. A good guess would be that it does the limited 16-bit add instead of full 32-bit add. Another few tests confirm that.
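An added model (not from the original post) of the $a behaviour measured above: the 16-bit add used by 0xca and by the d-opcode postincrement, $c bit 10, and the sign/zero bits 8-9, replayed against rows copied from the dumps. Assumptions, all inferred from the two 0xd4 dumps: the increment is the signed field in bits 3-13, bits 0-2 pick the $c register, and the 0x8000 present in every flags word is a constant; bit 10 is compared in the direction the rows show (set when bits 0-13 are not below bits 16-29). All function names are made up for this example.

```python
# Model of the $a register ops, rebuilt from the dumps in this post.
FLAG_BASE = 0x8000   # assumption: bit 15 is set in every $c value in the dumps
FLAG_SIGN = 1 << 8   # full 32-bit ops (0xcb, 0xd3): result bit 31
FLAG_ZERO = 1 << 9   # full 32-bit ops: result == 0
FLAG_CMP = 1 << 10   # 16-bit add (0xca) and postincrement


def postinc_imm(insn):
    """Signed increment in bits 3-13 of a d0/d1/d2/d4/d5/d6 word (inferred)."""
    field = (insn >> 3) & 0x7FF
    return field - 0x800 if field & 0x400 else field


def hadd(a, b):
    """Limited add: only the low 16 bits change, the high half is kept."""
    return (a & 0xFFFF0000) | ((a + b) & 0xFFFF)


def hadd_flags(res):
    """$c value after a 16-bit add: bit 10 compares two 14-bit fields."""
    low = res & 0x3FFF
    high = (res >> 16) & 0x3FFF
    return FLAG_BASE | (FLAG_CMP if low >= high else 0)


def full_flags(res):
    """$c value after a full 32-bit $a op: sign in bit 8, zero in bit 9."""
    res &= 0xFFFFFFFF
    flags = FLAG_BASE
    if res & 0x80000000:
        flags |= FLAG_SIGN
    if res == 0:
        flags |= FLAG_ZERO
    return flags


def mem_op(insn, a0):
    """Postincrement $a0 as a d4/d6 word would: (new $a0, $c index, flags)."""
    res = hadd(a0, postinc_imm(insn))
    return res, insn & 7, hadd_flags(res)


# Rows copied from the "x+y: result flags" dumps above.
HADD_ROWS = [
    (0x00000000, 0, 0x00000000, 0x8400), (0xDEADBEEF, 0, 0xDEADBEEF, 0x8400),
    (0xFFFFFFFF, 0, 0xFFFFFFFF, 0x8400), (0xFFFFFFFF, 1, 0xFFFF0000, 0x8000),
    (0xFFFF0001, 0, 0xFFFF0001, 0x8000), (0x0000FFFF, 0, 0x0000FFFF, 0x8400),
    (0x00010000, 0, 0x00010000, 0x8000), (0x00010001, 0, 0x00010001, 0x8400),
    (0x00020001, 0, 0x00020001, 0x8000), (0x00020002, 0, 0x00020002, 0x8400),
    (0x20000000, 0, 0x20000000, 0x8000), (0x40000000, 0, 0x40000000, 0x8400),
    (0x80000000, 0, 0x80000000, 0x8400), (0xFFFF3FFF, 0, 0xFFFF3FFF, 0x8400),
    (0xFFFF1FFF, 0, 0xFFFF1FFF, 0x8000),
]

# (result, flags) pairs copied from the logop dump above.
LOGOP_ROWS = [
    (0x00000000, 0x8200), (0x00000001, 0x8000), (0xFFFFFFFF, 0x8100),
    (0x80000000, 0x8100), (0x7FFFFFFF, 0x8000),
]


def mismatches():
    """Return every dump row the model fails to reproduce."""
    bad = []
    for a, b, want_res, want_flags in HADD_ROWS:
        res = hadd(a, b)
        if (res, hadd_flags(res)) != (want_res, want_flags):
            bad.append(("hadd", a, b))
    for res, want_flags in LOGOP_ROWS:
        if full_flags(res) != want_flags:
            bad.append(("full", res))
    return bad


if __name__ == "__main__":
    print("rows not reproduced:", mismatches())
    for insn in (0xD4000081, 0xD4002AA8):
        res, creg, flags = mem_op(insn, 0xDEADBE20)
        print(f"{insn:08x}: $a0={res:08x} $c{creg}={flags:08x}")
```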

0xc0     65      35
0xc1     67      67
0xc2    136       8
0xc3    253     217
0xc4     50      50
0xc5     49      49
0xc6    134       6
0xc7    724     141
0xc8    640     481
0xc9    618     466
0xca    528     502     hadd $a [$c] (slct)
0xcb   2396    1550     add $a [$c] $a (slct)
0xcc   2486    1483     setlo $a imm
0xcd   1960    1058     sethi $a imm
0xce    449     372
0xcf    507     369
0xd0    928     869     ld $v []
0xd1    655     575
0xd2    176     368     ld $r []
0xd3    359     414     logop $a [$c] $a $a
0xd4   1021     844     st [] $v
0xd5    963     694
0xd6    142     409     st [] $r
0xd8    712     484
0xd9     98      93
0xda   4221    2967
0xdb      -      12
0xdc    800     552
0xdd    204     116
0xde   7836   26102
0xdf   9333    4072     anop

To be continued...

Elapsed time: 5h
