xref: /freebsd/crypto/openssl/crypto/bn/asm/ia64.S (revision e17f5b1d) 
1.explicit
2.text
3.ident	"ia64.S, Version 2.1"
4.ident	"IA-64 ISA artwork by Andy Polyakov <appro@openssl.org>"
5
6// Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
7//
8// Licensed under the OpenSSL license (the "License").  You may not use
9// this file except in compliance with the License.  You can obtain a copy
10// in the file LICENSE in the source distribution or at
11// https://www.openssl.org/source/license.html
12
13//
14// ====================================================================
15// Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
16// project.
17//
18// Rights for redistribution and usage in source and binary forms are
19// granted according to the OpenSSL license. Warranty of any kind is
20// disclaimed.
21// ====================================================================
22//
23// Version 2.x is Itanium2 re-tune. Few words about how Itanium2 is
24// different from Itanium to this module viewpoint. Most notably, is it
25// "wider" than Itanium? Can you experience loop scalability as
26// discussed in commentary sections? Not really:-( Itanium2 has 6
27// integer ALU ports, i.e. it's 2 ports wider, but it's not enough to
28// spin twice as fast, as I need 8 IALU ports. Amount of floating point
29// ports is the same, i.e. 2, while I need 4. In other words, to this
30// module Itanium2 remains effectively as "wide" as Itanium. Yet it's
31// essentially different in respect to this module, and a re-tune was
32// required. Well, because some instruction latencies has changed. Most
33// noticeably those intensively used:
34//
35//			Itanium	Itanium2
36//	ldf8		9	6		L2 hit
37//	ld8		2	1		L1 hit
38//	getf		2	5
39//	xma[->getf]	7[+1]	4[+0]
40//	add[->st8]	1[+1]	1[+0]
41//
42// What does it mean? You might ratiocinate that the original code
43// should run just faster... Because sum of latencies is smaller...
44// Wrong! Note that getf latency increased. This means that if a loop is
45// scheduled for lower latency (as they were), then it will suffer from
46// stall condition and the code will therefore turn anti-scalable, e.g.
47// original bn_mul_words spun at 5*n or 2.5 times slower than expected
48// on Itanium2! What to do? Reschedule loops for Itanium2? But then
49// Itanium would exhibit anti-scalability. So I've chosen to reschedule
50// for worst latency for every instruction aiming for best *all-round*
51// performance.
52
53// Q.	How much faster does it get?
54// A.	Here is the output from 'openssl speed rsa dsa' for vanilla
55//	0.9.6a compiled with gcc version 2.96 20000731 (Red Hat
56//	Linux 7.1 2.96-81):
57//
58//	                  sign    verify    sign/s verify/s
59//	rsa  512 bits   0.0036s   0.0003s    275.3   2999.2
60//	rsa 1024 bits   0.0203s   0.0011s     49.3    894.1
61//	rsa 2048 bits   0.1331s   0.0040s      7.5    250.9
62//	rsa 4096 bits   0.9270s   0.0147s      1.1     68.1
63//	                  sign    verify    sign/s verify/s
64//	dsa  512 bits   0.0035s   0.0043s    288.3    234.8
65//	dsa 1024 bits   0.0111s   0.0135s     90.0     74.2
66//
67//	And here is similar output but for this assembler
68//	implementation:-)
69//
70//	                  sign    verify    sign/s verify/s
71//	rsa  512 bits   0.0021s   0.0001s    549.4   9638.5
72//	rsa 1024 bits   0.0055s   0.0002s    183.8   4481.1
73//	rsa 2048 bits   0.0244s   0.0006s     41.4   1726.3
74//	rsa 4096 bits   0.1295s   0.0018s      7.7    561.5
75//	                  sign    verify    sign/s verify/s
76//	dsa  512 bits   0.0012s   0.0013s    891.9    756.6
77//	dsa 1024 bits   0.0023s   0.0028s    440.4    376.2
78//
79//	Yes, you may argue that it's not fair comparison as it's
80//	possible to craft the C implementation with BN_UMULT_HIGH
81//	inline assembler macro. But of course! Here is the output
82//	with the macro:
83//
84//	                  sign    verify    sign/s verify/s
85//	rsa  512 bits   0.0020s   0.0002s    495.0   6561.0
86//	rsa 1024 bits   0.0086s   0.0004s    116.2   2235.7
87//	rsa 2048 bits   0.0519s   0.0015s     19.3    667.3
88//	rsa 4096 bits   0.3464s   0.0053s      2.9    187.7
89//	                  sign    verify    sign/s verify/s
90//	dsa  512 bits   0.0016s   0.0020s    613.1    510.5
91//	dsa 1024 bits   0.0045s   0.0054s    221.0    183.9
92//
93//	My code is still way faster, huh:-) And I believe that even
94//	higher performance can be achieved. Note that as keys get
95//	longer, performance gain is larger. Why? According to the
96//	profiler there is another player in the field, namely
97//	BN_from_montgomery consuming larger and larger portion of CPU
98//	time as keysize decreases. I therefore consider putting effort
99//	to assembler implementation of the following routine:
100//
101//	void bn_mul_add_mont (BN_ULONG *rp,BN_ULONG *np,int nl,BN_ULONG n0)
102//	{
103//	int      i,j;
104//	BN_ULONG v;
105//
106//	for (i=0; i<nl; i++)
107//		{
108//		v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
109//		nrp++;
110//		rp++;
111//		if (((nrp[-1]+=v)&BN_MASK2) < v)
112//			for (j=0; ((++nrp[j])&BN_MASK2) == 0; j++) ;
113//		}
114//	}
115//
116//	It might as well be beneficial to implement even combaX
117//	variants, as it appears as it can literally unleash the
118//	performance (see comment section to bn_mul_comba8 below).
119//
120//	And finally for your reference the output for 0.9.6a compiled
121//	with SGIcc version 0.01.0-12 (keep in mind that for the moment
122//	of this writing it's not possible to convince SGIcc to use
123//	BN_UMULT_HIGH inline assembler macro, yet the code is fast,
124//	i.e. for a compiler generated one:-):
125//
126//	                  sign    verify    sign/s verify/s
127//	rsa  512 bits   0.0022s   0.0002s    452.7   5894.3
128//	rsa 1024 bits   0.0097s   0.0005s    102.7   2002.9
129//	rsa 2048 bits   0.0578s   0.0017s     17.3    600.2
130//	rsa 4096 bits   0.3838s   0.0061s      2.6    164.5
131//	                  sign    verify    sign/s verify/s
132//	dsa  512 bits   0.0018s   0.0022s    547.3    459.6
133//	dsa 1024 bits   0.0051s   0.0062s    196.6    161.3
134//
135//	Oh! Benchmarks were performed on 733MHz Lion-class Itanium
136//	system running Redhat Linux 7.1 (very special thanks to Ray
137//	McCaffity of Williams Communications for providing an account).
138//
139// Q.	What's the heck with 'rum 1<<5' at the end of every function?
140// A.	Well, by clearing the "upper FP registers written" bit of the
141//	User Mask I want to excuse the kernel from preserving upper
142//	(f32-f128) FP register bank over process context switch, thus
143//	minimizing bus bandwidth consumption during the switch (i.e.
144//	after PKI operation completes and the program is off doing
145//	something else like bulk symmetric encryption). Having said
146//	this, I also want to point out that it might be good idea
147//	to compile the whole toolkit (as well as majority of the
148//	programs for that matter) with -mfixed-range=f32-f127 command
149//	line option. No, it doesn't prevent the compiler from writing
150//	to upper bank, but at least discourages to do so. If you don't
151//	like the idea you have the option to compile the module with
152//	-Drum=nop.m in command line.
153//
154
155#if defined(_HPUX_SOURCE) && !defined(_LP64)
156#define	ADDP	addp4
157#else
158#define	ADDP	add
159#endif
160#ifdef __VMS
161.alias abort, "decc$abort"
162#endif
163
164#if 1
165//
166// bn_[add|sub]_words routines.
167//
168// Loops are spinning in 2*(n+5) ticks on Itanium (provided that the
169// data reside in L1 cache, i.e. 2 ticks away). It's possible to
170// compress the epilogue and get down to 2*n+6, but at the cost of
171// scalability (the neat feature of this implementation is that it
172// shall automagically spin in n+5 on "wider" IA-64 implementations:-)
173// I consider that the epilogue is short enough as it is to trade tiny
174// performance loss on Itanium for scalability.
175//
176// BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num)
177//
178.global	bn_add_words#
179.proc	bn_add_words#
180.align	64
181.skip	32	// makes the loop body aligned at 64-byte boundary
182bn_add_words:
183	.prologue
184	.save	ar.pfs,r2
185{ .mii;	alloc		r2=ar.pfs,4,12,0,16
186	cmp4.le		p6,p0=r35,r0	};;
187{ .mfb;	mov		r8=r0			// return value
188(p6)	br.ret.spnt.many	b0	};;
189
190{ .mib;	sub		r10=r35,r0,1
191	.save	ar.lc,r3
192	mov		r3=ar.lc
193	brp.loop.imp	.L_bn_add_words_ctop,.L_bn_add_words_cend-16
194					}
195{ .mib;	ADDP		r14=0,r32		// rp
196	.save	pr,r9
197	mov		r9=pr		};;
198	.body
199{ .mii;	ADDP		r15=0,r33		// ap
200	mov		ar.lc=r10
201	mov		ar.ec=6		}
202{ .mib;	ADDP		r16=0,r34		// bp
203	mov		pr.rot=1<<16	};;
204
205.L_bn_add_words_ctop:
206{ .mii;	(p16)	ld8		r32=[r16],8	  // b=*(bp++)
207	(p18)	add		r39=r37,r34
208	(p19)	cmp.ltu.unc	p56,p0=r40,r38	}
209{ .mfb;	(p0)	nop.m		0x0
210	(p0)	nop.f		0x0
211	(p0)	nop.b		0x0		}
212{ .mii;	(p16)	ld8		r35=[r15],8	  // a=*(ap++)
213	(p58)	cmp.eq.or	p57,p0=-1,r41	  // (p20)
214	(p58)	add		r41=1,r41	} // (p20)
215{ .mfb;	(p21)	st8		[r14]=r42,8	  // *(rp++)=r
216	(p0)	nop.f		0x0
217	br.ctop.sptk	.L_bn_add_words_ctop	};;
218.L_bn_add_words_cend:
219
220{ .mii;
221(p59)	add		r8=1,r8		// return value
222	mov		pr=r9,0x1ffff
223	mov		ar.lc=r3	}
224{ .mbb;	nop.b		0x0
225	br.ret.sptk.many	b0	};;
226.endp	bn_add_words#
227
228//
229// BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num)
230//
231.global	bn_sub_words#
232.proc	bn_sub_words#
233.align	64
234.skip	32	// makes the loop body aligned at 64-byte boundary
235bn_sub_words:
236	.prologue
237	.save	ar.pfs,r2
238{ .mii;	alloc		r2=ar.pfs,4,12,0,16
239	cmp4.le		p6,p0=r35,r0	};;
240{ .mfb;	mov		r8=r0			// return value
241(p6)	br.ret.spnt.many	b0	};;
242
243{ .mib;	sub		r10=r35,r0,1
244	.save	ar.lc,r3
245	mov		r3=ar.lc
246	brp.loop.imp	.L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
247					}
248{ .mib;	ADDP		r14=0,r32		// rp
249	.save	pr,r9
250	mov		r9=pr		};;
251	.body
252{ .mii;	ADDP		r15=0,r33		// ap
253	mov		ar.lc=r10
254	mov		ar.ec=6		}
255{ .mib;	ADDP		r16=0,r34		// bp
256	mov		pr.rot=1<<16	};;
257
258.L_bn_sub_words_ctop:
259{ .mii;	(p16)	ld8		r32=[r16],8	  // b=*(bp++)
260	(p18)	sub		r39=r37,r34
261	(p19)	cmp.gtu.unc	p56,p0=r40,r38	}
262{ .mfb;	(p0)	nop.m		0x0
263	(p0)	nop.f		0x0
264	(p0)	nop.b		0x0		}
265{ .mii;	(p16)	ld8		r35=[r15],8	  // a=*(ap++)
266	(p58)	cmp.eq.or	p57,p0=0,r41	  // (p20)
267	(p58)	add		r41=-1,r41	} // (p20)
268{ .mbb;	(p21)	st8		[r14]=r42,8	  // *(rp++)=r
269	(p0)	nop.b		0x0
270	br.ctop.sptk	.L_bn_sub_words_ctop	};;
271.L_bn_sub_words_cend:
272
273{ .mii;
274(p59)	add		r8=1,r8		// return value
275	mov		pr=r9,0x1ffff
276	mov		ar.lc=r3	}
277{ .mbb;	nop.b		0x0
278	br.ret.sptk.many	b0	};;
279.endp	bn_sub_words#
280#endif
281
282#if 0
283#define XMA_TEMPTATION
284#endif
285
286#if 1
287//
288// BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
289//
290.global	bn_mul_words#
291.proc	bn_mul_words#
292.align	64
293.skip	32	// makes the loop body aligned at 64-byte boundary
294bn_mul_words:
295	.prologue
296	.save	ar.pfs,r2
297#ifdef XMA_TEMPTATION
298{ .mfi;	alloc		r2=ar.pfs,4,0,0,0	};;
299#else
300{ .mfi;	alloc		r2=ar.pfs,4,12,0,16	};;
301#endif
302{ .mib;	mov		r8=r0			// return value
303	cmp4.le		p6,p0=r34,r0
304(p6)	br.ret.spnt.many	b0		};;
305
306{ .mii;	sub	r10=r34,r0,1
307	.save	ar.lc,r3
308	mov	r3=ar.lc
309	.save	pr,r9
310	mov	r9=pr			};;
311
312	.body
313{ .mib;	setf.sig	f8=r35	// w
314	mov		pr.rot=0x800001<<16
315			// ------^----- serves as (p50) at first (p27)
316	brp.loop.imp	.L_bn_mul_words_ctop,.L_bn_mul_words_cend-16
317					}
318
319#ifndef XMA_TEMPTATION
320
321{ .mmi;	ADDP		r14=0,r32	// rp
322	ADDP		r15=0,r33	// ap
323	mov		ar.lc=r10	}
324{ .mmi;	mov		r40=0		// serves as r35 at first (p27)
325	mov		ar.ec=13	};;
326
327// This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium
328// L2 cache (i.e. 9 ticks away) as floating point load/store instructions
329// bypass L1 cache and L2 latency is actually best-case scenario for
330// ldf8. The loop is not scalable and shall run in 2*(n+12) even on
331// "wider" IA-64 implementations. It's a trade-off here. n+24 loop
332// would give us ~5% in *overall* performance improvement on "wider"
333// IA-64, but would hurt Itanium for about same because of longer
334// epilogue. As it's a matter of few percents in either case I've
335// chosen to trade the scalability for development time (you can see
336// this very instruction sequence in bn_mul_add_words loop which in
337// turn is scalable).
338.L_bn_mul_words_ctop:
339{ .mfi;	(p25)	getf.sig	r36=f52			// low
340	(p21)	xmpy.lu		f48=f37,f8
341	(p28)	cmp.ltu		p54,p50=r41,r39	}
342{ .mfi;	(p16)	ldf8		f32=[r15],8
343	(p21)	xmpy.hu		f40=f37,f8
344	(p0)	nop.i		0x0		};;
345{ .mii;	(p25)	getf.sig	r32=f44			// high
346	.pred.rel	"mutex",p50,p54
347	(p50)	add		r40=r38,r35		// (p27)
348	(p54)	add		r40=r38,r35,1	}	// (p27)
349{ .mfb;	(p28)	st8		[r14]=r41,8
350	(p0)	nop.f		0x0
351	br.ctop.sptk	.L_bn_mul_words_ctop	};;
352.L_bn_mul_words_cend:
353
354{ .mii;	nop.m		0x0
355.pred.rel	"mutex",p51,p55
356(p51)	add		r8=r36,r0
357(p55)	add		r8=r36,r0,1	}
358{ .mfb;	nop.m	0x0
359	nop.f	0x0
360	nop.b	0x0			}
361
362#else	// XMA_TEMPTATION
363
364	setf.sig	f37=r0	// serves as carry at (p18) tick
365	mov		ar.lc=r10
366	mov		ar.ec=5;;
367
368// Most of you examining this code very likely wonder why in the name
369// of Intel the following loop is commented out? Indeed, it looks so
370// neat that you find it hard to believe that it's something wrong
371// with it, right? The catch is that every iteration depends on the
372// result from previous one and the latter isn't available instantly.
373// The loop therefore spins at the latency of xma minus 1, or in other
374// words at 6*(n+4) ticks:-( Compare to the "production" loop above
375// that runs in 2*(n+11) where the low latency problem is worked around
376// by moving the dependency to one-tick latent integer ALU. Note that
377// "distance" between ldf8 and xma is not latency of ldf8, but the
378// *difference* between xma and ldf8 latencies.
379.L_bn_mul_words_ctop:
380{ .mfi;	(p16)	ldf8		f32=[r33],8
381	(p18)	xma.hu		f38=f34,f8,f39	}
382{ .mfb;	(p20)	stf8		[r32]=f37,8
383	(p18)	xma.lu		f35=f34,f8,f39
384	br.ctop.sptk	.L_bn_mul_words_ctop	};;
385.L_bn_mul_words_cend:
386
387	getf.sig	r8=f41		// the return value
388
389#endif	// XMA_TEMPTATION
390
391{ .mii;	nop.m		0x0
392	mov		pr=r9,0x1ffff
393	mov		ar.lc=r3	}
394{ .mfb;	rum		1<<5		// clear um.mfh
395	nop.f		0x0
396	br.ret.sptk.many	b0	};;
397.endp	bn_mul_words#
398#endif
399
400#if 1
401//
402// BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
403//
404.global	bn_mul_add_words#
405.proc	bn_mul_add_words#
406.align	64
407.skip	48	// makes the loop body aligned at 64-byte boundary
408bn_mul_add_words:
409	.prologue
410	.save	ar.pfs,r2
411{ .mmi;	alloc		r2=ar.pfs,4,4,0,8
412	cmp4.le		p6,p0=r34,r0
413	.save	ar.lc,r3
414	mov		r3=ar.lc	};;
415{ .mib;	mov		r8=r0		// return value
416	sub		r10=r34,r0,1
417(p6)	br.ret.spnt.many	b0	};;
418
419{ .mib;	setf.sig	f8=r35		// w
420	.save	pr,r9
421	mov		r9=pr
422	brp.loop.imp	.L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
423					}
424	.body
425{ .mmi;	ADDP		r14=0,r32	// rp
426	ADDP		r15=0,r33	// ap
427	mov		ar.lc=r10	}
428{ .mii;	ADDP		r16=0,r32	// rp copy
429	mov		pr.rot=0x2001<<16
430			// ------^----- serves as (p40) at first (p27)
431	mov		ar.ec=11	};;
432
433// This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on
434// Itanium 2. Yes, unlike previous versions it scales:-) Previous
435// version was performing *all* additions in IALU and was starving
436// for those even on Itanium 2. In this version one addition is
437// moved to FPU and is folded with multiplication. This is at cost
438// of propagating the result from previous call to this subroutine
439// to L2 cache... In other words negligible even for shorter keys.
440// *Overall* performance improvement [over previous version] varies
441// from 11 to 22 percent depending on key length.
442.L_bn_mul_add_words_ctop:
443.pred.rel	"mutex",p40,p42
444{ .mfi;	(p23)	getf.sig	r36=f45			// low
445	(p20)	xma.lu		f42=f36,f8,f50		// low
446	(p40)	add		r39=r39,r35	}	// (p27)
447{ .mfi;	(p16)	ldf8		f32=[r15],8		// *(ap++)
448	(p20)	xma.hu		f36=f36,f8,f50		// high
449	(p42)	add		r39=r39,r35,1	};;	// (p27)
450{ .mmi;	(p24)	getf.sig	r32=f40			// high
451	(p16)	ldf8		f46=[r16],8		// *(rp1++)
452	(p40)	cmp.ltu		p41,p39=r39,r35	}	// (p27)
453{ .mib;	(p26)	st8		[r14]=r39,8		// *(rp2++)
454	(p42)	cmp.leu		p41,p39=r39,r35		// (p27)
455	br.ctop.sptk	.L_bn_mul_add_words_ctop};;
456.L_bn_mul_add_words_cend:
457
458{ .mmi;	.pred.rel	"mutex",p40,p42
459(p40)	add		r8=r35,r0
460(p42)	add		r8=r35,r0,1
461	mov		pr=r9,0x1ffff	}
462{ .mib;	rum		1<<5		// clear um.mfh
463	mov		ar.lc=r3
464	br.ret.sptk.many	b0	};;
465.endp	bn_mul_add_words#
466#endif
467
468#if 1
469//
470// void bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num)
471//
472.global	bn_sqr_words#
473.proc	bn_sqr_words#
474.align	64
475.skip	32	// makes the loop body aligned at 64-byte boundary
476bn_sqr_words:
477	.prologue
478	.save	ar.pfs,r2
479{ .mii;	alloc		r2=ar.pfs,3,0,0,0
480	sxt4		r34=r34		};;
481{ .mii;	cmp.le		p6,p0=r34,r0
482	mov		r8=r0		}	// return value
483{ .mfb;	ADDP		r32=0,r32
484	nop.f		0x0
485(p6)	br.ret.spnt.many	b0	};;
486
487{ .mii;	sub	r10=r34,r0,1
488	.save	ar.lc,r3
489	mov	r3=ar.lc
490	.save	pr,r9
491	mov	r9=pr			};;
492
493	.body
494{ .mib;	ADDP		r33=0,r33
495	mov		pr.rot=1<<16
496	brp.loop.imp	.L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
497					}
498{ .mii;	add		r34=8,r32
499	mov		ar.lc=r10
500	mov		ar.ec=18	};;
501
502// 2*(n+17) on Itanium, (n+17) on "wider" IA-64 implementations. It's
503// possible to compress the epilogue (I'm getting tired to write this
504// comment over and over) and get down to 2*n+16 at the cost of
505// scalability. The decision will very likely be reconsidered after the
506// benchmark program is profiled. I.e. if performance gain on Itanium
507// will appear larger than loss on "wider" IA-64, then the loop should
508// be explicitly split and the epilogue compressed.
509.L_bn_sqr_words_ctop:
510{ .mfi;	(p16)	ldf8		f32=[r33],8
511	(p25)	xmpy.lu		f42=f41,f41
512	(p0)	nop.i		0x0		}
513{ .mib;	(p33)	stf8		[r32]=f50,16
514	(p0)	nop.i		0x0
515	(p0)	nop.b		0x0		}
516{ .mfi;	(p0)	nop.m		0x0
517	(p25)	xmpy.hu		f52=f41,f41
518	(p0)	nop.i		0x0		}
519{ .mib;	(p33)	stf8		[r34]=f60,16
520	(p0)	nop.i		0x0
521	br.ctop.sptk	.L_bn_sqr_words_ctop	};;
522.L_bn_sqr_words_cend:
523
524{ .mii;	nop.m		0x0
525	mov		pr=r9,0x1ffff
526	mov		ar.lc=r3	}
527{ .mfb;	rum		1<<5		// clear um.mfh
528	nop.f		0x0
529	br.ret.sptk.many	b0	};;
530.endp	bn_sqr_words#
531#endif
532
533#if 1
534// Apparently we win nothing by implementing special bn_sqr_comba8.
535// Yes, it is possible to reduce the number of multiplications by
536// almost factor of two, but then the amount of additions would
537// increase by factor of two (as we would have to perform those
538// otherwise performed by xma ourselves). Normally we would trade
539// anyway as multiplications are way more expensive, but not this
540// time... Multiplication kernel is fully pipelined and as we drain
541// one 128-bit multiplication result per clock cycle multiplications
542// are effectively as inexpensive as additions. Special implementation
543// might become of interest for "wider" IA-64 implementation as you'll
544// be able to get through the multiplication phase faster (there won't
545// be any stall issues as discussed in the commentary section below and
546// you therefore will be able to employ all 4 FP units)... But these
547// Itanium days it's simply too hard to justify the effort so I just
548// drop down to bn_mul_comba8 code:-)
549//
550// void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
551//
552.global	bn_sqr_comba8#
553.proc	bn_sqr_comba8#
554.align	64
555bn_sqr_comba8:
556	.prologue
557	.save	ar.pfs,r2
558#if defined(_HPUX_SOURCE) && !defined(_LP64)
559{ .mii;	alloc	r2=ar.pfs,2,1,0,0
560	addp4	r33=0,r33
561	addp4	r32=0,r32		};;
562{ .mii;
563#else
564{ .mii;	alloc	r2=ar.pfs,2,1,0,0
565#endif
566	mov	r34=r33
567	add	r14=8,r33		};;
568	.body
569{ .mii;	add	r17=8,r34
570	add	r15=16,r33
571	add	r18=16,r34		}
572{ .mfb;	add	r16=24,r33
573	br	.L_cheat_entry_point8	};;
574.endp	bn_sqr_comba8#
575#endif
576
577#if 1
578// I've estimated this routine to run in ~120 ticks, but in reality
579// (i.e. according to ar.itc) it takes ~160 ticks. Are those extra
580// cycles consumed for instructions fetch? Or did I misinterpret some
581// clause in Itanium µ-architecture manual? Comments are welcomed and
582// highly appreciated.
583//
584// On Itanium 2 it takes ~190 ticks. This is because of stalls on
585// result from getf.sig. I do nothing about it at this point for
586// reasons depicted below.
587//
588// However! It should be noted that even 160 ticks is darn good result
589// as it's over 10 (yes, ten, spelled as t-e-n) times faster than the
590// C version (compiled with gcc with inline assembler). I really
591// kicked compiler's butt here, didn't I? Yeah! This brings us to the
592// following statement. It's damn shame that this routine isn't called
593// very often nowadays! According to the profiler most CPU time is
594// consumed by bn_mul_add_words called from BN_from_montgomery. In
595// order to estimate what we're missing, I've compared the performance
596// of this routine against "traditional" implementation, i.e. against
597// following routine:
598//
599// void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
600// {	r[ 8]=bn_mul_words(    &(r[0]),a,8,b[0]);
601//	r[ 9]=bn_mul_add_words(&(r[1]),a,8,b[1]);
602//	r[10]=bn_mul_add_words(&(r[2]),a,8,b[2]);
603//	r[11]=bn_mul_add_words(&(r[3]),a,8,b[3]);
604//	r[12]=bn_mul_add_words(&(r[4]),a,8,b[4]);
605//	r[13]=bn_mul_add_words(&(r[5]),a,8,b[5]);
606//	r[14]=bn_mul_add_words(&(r[6]),a,8,b[6]);
607//	r[15]=bn_mul_add_words(&(r[7]),a,8,b[7]);
608// }
609//
610// The one below is over 8 times faster than the one above:-( Even
611// more reasons to "combafy" bn_mul_add_mont...
612//
613// And yes, this routine really made me wish there were an optimizing
614// assembler! It also feels like it deserves a dedication.
615//
616//	To my wife for being there and to my kids...
617//
618// void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
619//
620#define	carry1	r14
621#define	carry2	r15
622#define	carry3	r34
623.global	bn_mul_comba8#
624.proc	bn_mul_comba8#
625.align	64
626bn_mul_comba8:
627	.prologue
628	.save	ar.pfs,r2
629#if defined(_HPUX_SOURCE) && !defined(_LP64)
630{ .mii;	alloc	r2=ar.pfs,3,0,0,0
631	addp4	r33=0,r33
632	addp4	r34=0,r34		};;
633{ .mii;	addp4	r32=0,r32
634#else
635{ .mii;	alloc   r2=ar.pfs,3,0,0,0
636#endif
637	add	r14=8,r33
638	add	r17=8,r34		}
639	.body
640{ .mii;	add	r15=16,r33
641	add	r18=16,r34
642	add	r16=24,r33		}
643.L_cheat_entry_point8:
644{ .mmi;	add	r19=24,r34
645
646	ldf8	f32=[r33],32		};;
647
648{ .mmi;	ldf8	f120=[r34],32
649	ldf8	f121=[r17],32		}
650{ .mmi;	ldf8	f122=[r18],32
651	ldf8	f123=[r19],32		};;
652{ .mmi;	ldf8	f124=[r34]
653	ldf8	f125=[r17]		}
654{ .mmi;	ldf8	f126=[r18]
655	ldf8	f127=[r19]		}
656
657{ .mmi;	ldf8	f33=[r14],32
658	ldf8	f34=[r15],32		}
659{ .mmi;	ldf8	f35=[r16],32;;
660	ldf8	f36=[r33]		}
661{ .mmi;	ldf8	f37=[r14]
662	ldf8	f38=[r15]		}
663{ .mfi;	ldf8	f39=[r16]
664// -------\ Entering multiplier's heaven /-------
665// ------------\                    /------------
666// -----------------\          /-----------------
667// ----------------------\/----------------------
668		xma.hu	f41=f32,f120,f0		}
669{ .mfi;		xma.lu	f40=f32,f120,f0		};; // (*)
670{ .mfi;		xma.hu	f51=f32,f121,f0		}
671{ .mfi;		xma.lu	f50=f32,f121,f0		};;
672{ .mfi;		xma.hu	f61=f32,f122,f0		}
673{ .mfi;		xma.lu	f60=f32,f122,f0		};;
674{ .mfi;		xma.hu	f71=f32,f123,f0		}
675{ .mfi;		xma.lu	f70=f32,f123,f0		};;
676{ .mfi;		xma.hu	f81=f32,f124,f0		}
677{ .mfi;		xma.lu	f80=f32,f124,f0		};;
678{ .mfi;		xma.hu	f91=f32,f125,f0		}
679{ .mfi;		xma.lu	f90=f32,f125,f0		};;
680{ .mfi;		xma.hu	f101=f32,f126,f0	}
681{ .mfi;		xma.lu	f100=f32,f126,f0	};;
682{ .mfi;		xma.hu	f111=f32,f127,f0	}
683{ .mfi;		xma.lu	f110=f32,f127,f0	};;//
684// (*)	You can argue that splitting at every second bundle would
685//	prevent "wider" IA-64 implementations from achieving the peak
686//	performance. Well, not really... The catch is that if you
687//	intend to keep 4 FP units busy by splitting at every fourth
688//	bundle and thus perform these 16 multiplications in 4 ticks,
689//	the first bundle *below* would stall because the result from
690//	the first xma bundle *above* won't be available for another 3
691//	ticks (if not more, being an optimist, I assume that "wider"
692//	implementation will have same latency:-). This stall will hold
693//	you back and the performance would be as if every second bundle
694//	were split *anyway*...
695{ .mfi;	getf.sig	r16=f40
696		xma.hu	f42=f33,f120,f41
697	add		r33=8,r32		}
698{ .mfi;		xma.lu	f41=f33,f120,f41	};;
699{ .mfi;	getf.sig	r24=f50
700		xma.hu	f52=f33,f121,f51	}
701{ .mfi;		xma.lu	f51=f33,f121,f51	};;
702{ .mfi;	st8		[r32]=r16,16
703		xma.hu	f62=f33,f122,f61	}
704{ .mfi;		xma.lu	f61=f33,f122,f61	};;
705{ .mfi;		xma.hu	f72=f33,f123,f71	}
706{ .mfi;		xma.lu	f71=f33,f123,f71	};;
707{ .mfi;		xma.hu	f82=f33,f124,f81	}
708{ .mfi;		xma.lu	f81=f33,f124,f81	};;
709{ .mfi;		xma.hu	f92=f33,f125,f91	}
710{ .mfi;		xma.lu	f91=f33,f125,f91	};;
711{ .mfi;		xma.hu	f102=f33,f126,f101	}
712{ .mfi;		xma.lu	f101=f33,f126,f101	};;
713{ .mfi;		xma.hu	f112=f33,f127,f111	}
714{ .mfi;		xma.lu	f111=f33,f127,f111	};;//
715//-------------------------------------------------//
716{ .mfi;	getf.sig	r25=f41
717		xma.hu	f43=f34,f120,f42	}
718{ .mfi;		xma.lu	f42=f34,f120,f42	};;
719{ .mfi;	getf.sig	r16=f60
720		xma.hu	f53=f34,f121,f52	}
721{ .mfi;		xma.lu	f52=f34,f121,f52	};;
722{ .mfi;	getf.sig	r17=f51
723		xma.hu	f63=f34,f122,f62
724	add		r25=r25,r24		}
725{ .mfi;		xma.lu	f62=f34,f122,f62
726	mov		carry1=0		};;
727{ .mfi;	cmp.ltu		p6,p0=r25,r24
728		xma.hu	f73=f34,f123,f72	}
729{ .mfi;		xma.lu	f72=f34,f123,f72	};;
730{ .mfi;	st8		[r33]=r25,16
731		xma.hu	f83=f34,f124,f82
732(p6)	add		carry1=1,carry1		}
733{ .mfi;		xma.lu	f82=f34,f124,f82	};;
734{ .mfi;		xma.hu	f93=f34,f125,f92	}
735{ .mfi;		xma.lu	f92=f34,f125,f92	};;
736{ .mfi;		xma.hu	f103=f34,f126,f102	}
737{ .mfi;		xma.lu	f102=f34,f126,f102	};;
738{ .mfi;		xma.hu	f113=f34,f127,f112	}
739{ .mfi;		xma.lu	f112=f34,f127,f112	};;//
740//-------------------------------------------------//
741{ .mfi;	getf.sig	r18=f42
742		xma.hu	f44=f35,f120,f43
743	add		r17=r17,r16		}
744{ .mfi;		xma.lu	f43=f35,f120,f43	};;
745{ .mfi;	getf.sig	r24=f70
746		xma.hu	f54=f35,f121,f53	}
747{ .mfi;	mov		carry2=0
748		xma.lu	f53=f35,f121,f53	};;
749{ .mfi;	getf.sig	r25=f61
750		xma.hu	f64=f35,f122,f63
751	cmp.ltu		p7,p0=r17,r16		}
752{ .mfi;	add		r18=r18,r17
753		xma.lu	f63=f35,f122,f63	};;
754{ .mfi;	getf.sig	r26=f52
755		xma.hu	f74=f35,f123,f73
756(p7)	add		carry2=1,carry2		}
757{ .mfi;	cmp.ltu		p7,p0=r18,r17
758		xma.lu	f73=f35,f123,f73
759	add		r18=r18,carry1		};;
760{ .mfi;
761		xma.hu	f84=f35,f124,f83
762(p7)	add		carry2=1,carry2		}
763{ .mfi;	cmp.ltu		p7,p0=r18,carry1
764		xma.lu	f83=f35,f124,f83	};;
765{ .mfi;	st8		[r32]=r18,16
766		xma.hu	f94=f35,f125,f93
767(p7)	add		carry2=1,carry2		}
768{ .mfi;		xma.lu	f93=f35,f125,f93	};;
769{ .mfi;		xma.hu	f104=f35,f126,f103	}
770{ .mfi;		xma.lu	f103=f35,f126,f103	};;
771{ .mfi;		xma.hu	f114=f35,f127,f113	}
772{ .mfi;	mov		carry1=0
773		xma.lu	f113=f35,f127,f113
774	add		r25=r25,r24		};;//
775//-------------------------------------------------//
776{ .mfi;	getf.sig	r27=f43
777		xma.hu	f45=f36,f120,f44
778	cmp.ltu		p6,p0=r25,r24		}
779{ .mfi;		xma.lu	f44=f36,f120,f44
780	add		r26=r26,r25		};;
781{ .mfi;	getf.sig	r16=f80
782		xma.hu	f55=f36,f121,f54
783(p6)	add		carry1=1,carry1		}
784{ .mfi;		xma.lu	f54=f36,f121,f54	};;
785{ .mfi;	getf.sig	r17=f71
786		xma.hu	f65=f36,f122,f64
787	cmp.ltu		p6,p0=r26,r25		}
788{ .mfi;		xma.lu	f64=f36,f122,f64
789	add		r27=r27,r26		};;
790{ .mfi;	getf.sig	r18=f62
791		xma.hu	f75=f36,f123,f74
792(p6)	add		carry1=1,carry1		}
793{ .mfi;	cmp.ltu		p6,p0=r27,r26
794		xma.lu	f74=f36,f123,f74
795	add		r27=r27,carry2		};;
796{ .mfi;	getf.sig	r19=f53
797		xma.hu	f85=f36,f124,f84
798(p6)	add		carry1=1,carry1		}
799{ .mfi;		xma.lu	f84=f36,f124,f84
800	cmp.ltu		p6,p0=r27,carry2	};;
801{ .mfi;	st8		[r33]=r27,16
802		xma.hu	f95=f36,f125,f94
803(p6)	add		carry1=1,carry1		}
804{ .mfi;		xma.lu	f94=f36,f125,f94	};;
805{ .mfi;		xma.hu	f105=f36,f126,f104	}
806{ .mfi;	mov		carry2=0
807		xma.lu	f104=f36,f126,f104
808	add		r17=r17,r16		};;
809{ .mfi;		xma.hu	f115=f36,f127,f114
810	cmp.ltu		p7,p0=r17,r16		}
811{ .mfi;		xma.lu	f114=f36,f127,f114
812	add		r18=r18,r17		};;//
813//-------------------------------------------------//
814{ .mfi;	getf.sig	r20=f44
815		xma.hu	f46=f37,f120,f45
816(p7)	add		carry2=1,carry2		}
817{ .mfi;	cmp.ltu		p7,p0=r18,r17
818		xma.lu	f45=f37,f120,f45
819	add		r19=r19,r18		};;
820{ .mfi;	getf.sig	r24=f90
821		xma.hu	f56=f37,f121,f55	}
822{ .mfi;		xma.lu	f55=f37,f121,f55	};;
823{ .mfi;	getf.sig	r25=f81
824		xma.hu	f66=f37,f122,f65
825(p7)	add		carry2=1,carry2		}
826{ .mfi;	cmp.ltu		p7,p0=r19,r18
827		xma.lu	f65=f37,f122,f65
828	add		r20=r20,r19		};;
829{ .mfi;	getf.sig	r26=f72
830		xma.hu	f76=f37,f123,f75
831(p7)	add		carry2=1,carry2		}
832{ .mfi;	cmp.ltu		p7,p0=r20,r19
833		xma.lu	f75=f37,f123,f75
834	add		r20=r20,carry1		};;
835{ .mfi;	getf.sig	r27=f63
836		xma.hu	f86=f37,f124,f85
837(p7)	add		carry2=1,carry2		}
838{ .mfi;		xma.lu	f85=f37,f124,f85
839	cmp.ltu		p7,p0=r20,carry1	};;
840{ .mfi;	getf.sig	r28=f54
841		xma.hu	f96=f37,f125,f95
842(p7)	add		carry2=1,carry2		}
843{ .mfi;	st8		[r32]=r20,16
844		xma.lu	f95=f37,f125,f95	};;
845{ .mfi;		xma.hu	f106=f37,f126,f105	}
846{ .mfi;	mov		carry1=0
847		xma.lu	f105=f37,f126,f105
848	add		r25=r25,r24		};;
849{ .mfi;		xma.hu	f116=f37,f127,f115
850	cmp.ltu		p6,p0=r25,r24		}
851{ .mfi;		xma.lu	f115=f37,f127,f115
852	add		r26=r26,r25		};;//
853//-------------------------------------------------//
854{ .mfi;	getf.sig	r29=f45
855		xma.hu	f47=f38,f120,f46
856(p6)	add		carry1=1,carry1		}
857{ .mfi;	cmp.ltu		p6,p0=r26,r25
858		xma.lu	f46=f38,f120,f46
859	add		r27=r27,r26		};;
860{ .mfi;	getf.sig	r16=f100
861		xma.hu	f57=f38,f121,f56
862(p6)	add		carry1=1,carry1		}
863{ .mfi;	cmp.ltu		p6,p0=r27,r26
864		xma.lu	f56=f38,f121,f56
865	add		r28=r28,r27		};;
866{ .mfi;	getf.sig	r17=f91
867		xma.hu	f67=f38,f122,f66
868(p6)	add		carry1=1,carry1		}
869{ .mfi;	cmp.ltu		p6,p0=r28,r27
870		xma.lu	f66=f38,f122,f66
871	add		r29=r29,r28		};;
872{ .mfi;	getf.sig	r18=f82
873		xma.hu	f77=f38,f123,f76
874(p6)	add		carry1=1,carry1		}
875{ .mfi;	cmp.ltu		p6,p0=r29,r28
876		xma.lu	f76=f38,f123,f76
877	add		r29=r29,carry2		};;
878{ .mfi;	getf.sig	r19=f73
879		xma.hu	f87=f38,f124,f86
880(p6)	add		carry1=1,carry1		}
881{ .mfi;		xma.lu	f86=f38,f124,f86
882	cmp.ltu		p6,p0=r29,carry2	};;
883{ .mfi;	getf.sig	r20=f64
884		xma.hu	f97=f38,f125,f96
885(p6)	add		carry1=1,carry1		}
886{ .mfi;	st8		[r33]=r29,16
887		xma.lu	f96=f38,f125,f96	};;
888{ .mfi;	getf.sig	r21=f55
889		xma.hu	f107=f38,f126,f106	}
890{ .mfi;	mov		carry2=0
891		xma.lu	f106=f38,f126,f106
892	add		r17=r17,r16		};;
893{ .mfi;		xma.hu	f117=f38,f127,f116
894	cmp.ltu		p7,p0=r17,r16		}
895{ .mfi;		xma.lu	f116=f38,f127,f116
896	add		r18=r18,r17		};;//
897//-------------------------------------------------//
898{ .mfi;	getf.sig	r22=f46
899		xma.hu	f48=f39,f120,f47
900(p7)	add		carry2=1,carry2		}
901{ .mfi;	cmp.ltu		p7,p0=r18,r17
902		xma.lu	f47=f39,f120,f47
903	add		r19=r19,r18		};;
904{ .mfi;	getf.sig	r24=f110
905		xma.hu	f58=f39,f121,f57
906(p7)	add		carry2=1,carry2		}
907{ .mfi;	cmp.ltu		p7,p0=r19,r18
908		xma.lu	f57=f39,f121,f57
909	add		r20=r20,r19		};;
910{ .mfi;	getf.sig	r25=f101
911		xma.hu	f68=f39,f122,f67
912(p7)	add		carry2=1,carry2		}
913{ .mfi;	cmp.ltu		p7,p0=r20,r19
914		xma.lu	f67=f39,f122,f67
915	add		r21=r21,r20		};;
916{ .mfi;	getf.sig	r26=f92
917		xma.hu	f78=f39,f123,f77
918(p7)	add		carry2=1,carry2		}
919{ .mfi;	cmp.ltu		p7,p0=r21,r20
920		xma.lu	f77=f39,f123,f77
921	add		r22=r22,r21		};;
922{ .mfi;	getf.sig	r27=f83
923		xma.hu	f88=f39,f124,f87
924(p7)	add		carry2=1,carry2		}
925{ .mfi;	cmp.ltu		p7,p0=r22,r21
926		xma.lu	f87=f39,f124,f87
927	add		r22=r22,carry1		};;
928{ .mfi;	getf.sig	r28=f74
929		xma.hu	f98=f39,f125,f97
930(p7)	add		carry2=1,carry2		}
931{ .mfi;		xma.lu	f97=f39,f125,f97
932	cmp.ltu		p7,p0=r22,carry1	};;
933{ .mfi;	getf.sig	r29=f65
934		xma.hu	f108=f39,f126,f107
935(p7)	add		carry2=1,carry2		}
936{ .mfi;	st8		[r32]=r22,16
937		xma.lu	f107=f39,f126,f107	};;
938{ .mfi;	getf.sig	r30=f56
939		xma.hu	f118=f39,f127,f117	}
940{ .mfi;		xma.lu	f117=f39,f127,f117	};;//
941//-------------------------------------------------//
942// Leaving multiplier's heaven... Quite a ride, huh?
943
944{ .mii;	getf.sig	r31=f47
945	add		r25=r25,r24
946	mov		carry1=0		};;
947{ .mii;		getf.sig	r16=f111
948	cmp.ltu		p6,p0=r25,r24
949	add		r26=r26,r25		};;
950{ .mfb;		getf.sig	r17=f102	}
951{ .mii;
952(p6)	add		carry1=1,carry1
953	cmp.ltu		p6,p0=r26,r25
954	add		r27=r27,r26		};;
955{ .mfb;	nop.m	0x0				}
956{ .mii;
957(p6)	add		carry1=1,carry1
958	cmp.ltu		p6,p0=r27,r26
959	add		r28=r28,r27		};;
960{ .mii;		getf.sig	r18=f93
961		add		r17=r17,r16
962		mov		carry3=0	}
963{ .mii;
964(p6)	add		carry1=1,carry1
965	cmp.ltu		p6,p0=r28,r27
966	add		r29=r29,r28		};;
967{ .mii;		getf.sig	r19=f84
968		cmp.ltu		p7,p0=r17,r16	}
969{ .mii;
970(p6)	add		carry1=1,carry1
971	cmp.ltu		p6,p0=r29,r28
972	add		r30=r30,r29		};;
973{ .mii;		getf.sig	r20=f75
974		add		r18=r18,r17	}
975{ .mii;
976(p6)	add		carry1=1,carry1
977	cmp.ltu		p6,p0=r30,r29
978	add		r31=r31,r30		};;
979{ .mfb;		getf.sig	r21=f66		}
980{ .mii;	(p7)	add		carry3=1,carry3
981		cmp.ltu		p7,p0=r18,r17
982		add		r19=r19,r18	}
983{ .mfb;	nop.m	0x0				}
984{ .mii;
985(p6)	add		carry1=1,carry1
986	cmp.ltu		p6,p0=r31,r30
987	add		r31=r31,carry2		};;
988{ .mfb;		getf.sig	r22=f57		}
989{ .mii;	(p7)	add		carry3=1,carry3
990		cmp.ltu		p7,p0=r19,r18
991		add		r20=r20,r19	}
992{ .mfb;	nop.m	0x0				}
993{ .mii;
994(p6)	add		carry1=1,carry1
995	cmp.ltu		p6,p0=r31,carry2	};;
996{ .mfb;		getf.sig	r23=f48		}
997{ .mii;	(p7)	add		carry3=1,carry3
998		cmp.ltu		p7,p0=r20,r19
999		add		r21=r21,r20	}
1000{ .mii;
1001(p6)	add		carry1=1,carry1		}
1002{ .mfb;	st8		[r33]=r31,16		};;
1003
1004{ .mfb;	getf.sig	r24=f112		}
1005{ .mii;	(p7)	add		carry3=1,carry3
1006		cmp.ltu		p7,p0=r21,r20
1007		add		r22=r22,r21	};;
1008{ .mfb;	getf.sig	r25=f103		}
1009{ .mii;	(p7)	add		carry3=1,carry3
1010		cmp.ltu		p7,p0=r22,r21
1011		add		r23=r23,r22	};;
1012{ .mfb;	getf.sig	r26=f94			}
1013{ .mii;	(p7)	add		carry3=1,carry3
1014		cmp.ltu		p7,p0=r23,r22
1015		add		r23=r23,carry1	};;
1016{ .mfb;	getf.sig	r27=f85			}
1017{ .mii;	(p7)	add		carry3=1,carry3
1018		cmp.ltu		p7,p8=r23,carry1};;
1019{ .mii;	getf.sig	r28=f76
1020	add		r25=r25,r24
1021	mov		carry1=0		}
1022{ .mii;		st8		[r32]=r23,16
1023	(p7)	add		carry2=1,carry3
1024	(p8)	add		carry2=0,carry3	};;
1025
1026{ .mfb;	nop.m	0x0				}
1027{ .mii;	getf.sig	r29=f67
1028	cmp.ltu		p6,p0=r25,r24
1029	add		r26=r26,r25		};;
1030{ .mfb;	getf.sig	r30=f58			}
1031{ .mii;
1032(p6)	add		carry1=1,carry1
1033	cmp.ltu		p6,p0=r26,r25
1034	add		r27=r27,r26		};;
1035{ .mfb;		getf.sig	r16=f113	}
1036{ .mii;
1037(p6)	add		carry1=1,carry1
1038	cmp.ltu		p6,p0=r27,r26
1039	add		r28=r28,r27		};;
1040{ .mfb;		getf.sig	r17=f104	}
1041{ .mii;
1042(p6)	add		carry1=1,carry1
1043	cmp.ltu		p6,p0=r28,r27
1044	add		r29=r29,r28		};;
1045{ .mfb;		getf.sig	r18=f95		}
1046{ .mii;
1047(p6)	add		carry1=1,carry1
1048	cmp.ltu		p6,p0=r29,r28
1049	add		r30=r30,r29		};;
1050{ .mii;		getf.sig	r19=f86
1051		add		r17=r17,r16
1052		mov		carry3=0	}
1053{ .mii;
1054(p6)	add		carry1=1,carry1
1055	cmp.ltu		p6,p0=r30,r29
1056	add		r30=r30,carry2		};;
1057{ .mii;		getf.sig	r20=f77
1058		cmp.ltu		p7,p0=r17,r16
1059		add		r18=r18,r17	}
1060{ .mii;
1061(p6)	add		carry1=1,carry1
1062	cmp.ltu		p6,p0=r30,carry2	};;
1063{ .mfb;		getf.sig	r21=f68		}
1064{ .mii;	st8		[r33]=r30,16
1065(p6)	add		carry1=1,carry1		};;
1066
1067{ .mfb;	getf.sig	r24=f114		}
1068{ .mii;	(p7)	add		carry3=1,carry3
1069		cmp.ltu		p7,p0=r18,r17
1070		add		r19=r19,r18	};;
1071{ .mfb;	getf.sig	r25=f105		}
1072{ .mii;	(p7)	add		carry3=1,carry3
1073		cmp.ltu		p7,p0=r19,r18
1074		add		r20=r20,r19	};;
1075{ .mfb;	getf.sig	r26=f96			}
1076{ .mii;	(p7)	add		carry3=1,carry3
1077		cmp.ltu		p7,p0=r20,r19
1078		add		r21=r21,r20	};;
1079{ .mfb;	getf.sig	r27=f87			}
1080{ .mii;	(p7)	add		carry3=1,carry3
1081		cmp.ltu		p7,p0=r21,r20
1082		add		r21=r21,carry1	};;
1083{ .mib;	getf.sig	r28=f78
1084	add		r25=r25,r24		}
1085{ .mib;	(p7)	add		carry3=1,carry3
1086		cmp.ltu		p7,p8=r21,carry1};;
1087{ .mii;		st8		[r32]=r21,16
1088	(p7)	add		carry2=1,carry3
1089	(p8)	add		carry2=0,carry3	}
1090
1091{ .mii;	mov		carry1=0
1092	cmp.ltu		p6,p0=r25,r24
1093	add		r26=r26,r25		};;
1094{ .mfb;		getf.sig	r16=f115	}
1095{ .mii;
1096(p6)	add		carry1=1,carry1
1097	cmp.ltu		p6,p0=r26,r25
1098	add		r27=r27,r26		};;
1099{ .mfb;		getf.sig	r17=f106	}
1100{ .mii;
1101(p6)	add		carry1=1,carry1
1102	cmp.ltu		p6,p0=r27,r26
1103	add		r28=r28,r27		};;
1104{ .mfb;		getf.sig	r18=f97		}
1105{ .mii;
1106(p6)	add		carry1=1,carry1
1107	cmp.ltu		p6,p0=r28,r27
1108	add		r28=r28,carry2		};;
1109{ .mib;		getf.sig	r19=f88
1110		add		r17=r17,r16	}
1111{ .mib;
1112(p6)	add		carry1=1,carry1
1113	cmp.ltu		p6,p0=r28,carry2	};;
1114{ .mii;	st8		[r33]=r28,16
1115(p6)	add		carry1=1,carry1		}
1116
1117{ .mii;		mov		carry2=0
1118		cmp.ltu		p7,p0=r17,r16
1119		add		r18=r18,r17	};;
1120{ .mfb;	getf.sig	r24=f116		}
1121{ .mii;	(p7)	add		carry2=1,carry2
1122		cmp.ltu		p7,p0=r18,r17
1123		add		r19=r19,r18	};;
1124{ .mfb;	getf.sig	r25=f107		}
1125{ .mii;	(p7)	add		carry2=1,carry2
1126		cmp.ltu		p7,p0=r19,r18
1127		add		r19=r19,carry1	};;
1128{ .mfb;	getf.sig	r26=f98			}
1129{ .mii;	(p7)	add		carry2=1,carry2
1130		cmp.ltu		p7,p0=r19,carry1};;
1131{ .mii;		st8		[r32]=r19,16
1132	(p7)	add		carry2=1,carry2	}
1133
1134{ .mfb;	add		r25=r25,r24		};;
1135
1136{ .mfb;		getf.sig	r16=f117	}
1137{ .mii;	mov		carry1=0
1138	cmp.ltu		p6,p0=r25,r24
1139	add		r26=r26,r25		};;
1140{ .mfb;		getf.sig	r17=f108	}
1141{ .mii;
1142(p6)	add		carry1=1,carry1
1143	cmp.ltu		p6,p0=r26,r25
1144	add		r26=r26,carry2		};;
1145{ .mfb;	nop.m	0x0				}
1146{ .mii;
1147(p6)	add		carry1=1,carry1
1148	cmp.ltu		p6,p0=r26,carry2	};;
1149{ .mii;	st8		[r33]=r26,16
1150(p6)	add		carry1=1,carry1		}
1151
1152{ .mfb;		add		r17=r17,r16	};;
1153{ .mfb;	getf.sig	r24=f118		}
1154{ .mii;		mov		carry2=0
1155		cmp.ltu		p7,p0=r17,r16
1156		add		r17=r17,carry1	};;
1157{ .mii;	(p7)	add		carry2=1,carry2
1158		cmp.ltu		p7,p0=r17,carry1};;
1159{ .mii;		st8		[r32]=r17
1160	(p7)	add		carry2=1,carry2	};;
1161{ .mfb;	add		r24=r24,carry2		};;
1162{ .mib;	st8		[r33]=r24		}
1163
1164{ .mib;	rum		1<<5		// clear um.mfh
1165	br.ret.sptk.many	b0	};;
1166.endp	bn_mul_comba8#
1167#undef	carry3
1168#undef	carry2
1169#undef	carry1
1170#endif
1171
1172#if 1
1173// It's possible to make it faster (see comment to bn_sqr_comba8), but
1174// I reckon it doesn't worth the effort. Basically because the routine
1175// (actually both of them) practically never called... So I just play
1176// same trick as with bn_sqr_comba8.
1177//
1178// void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
1179//
1180.global	bn_sqr_comba4#
1181.proc	bn_sqr_comba4#
1182.align	64
1183bn_sqr_comba4:
1184	.prologue
1185	.save	ar.pfs,r2
1186#if defined(_HPUX_SOURCE) && !defined(_LP64)
1187{ .mii;	alloc   r2=ar.pfs,2,1,0,0
1188	addp4	r32=0,r32
1189	addp4	r33=0,r33		};;
1190{ .mii;
1191#else
1192{ .mii;	alloc	r2=ar.pfs,2,1,0,0
1193#endif
1194	mov	r34=r33
1195	add	r14=8,r33		};;
1196	.body
1197{ .mii;	add	r17=8,r34
1198	add	r15=16,r33
1199	add	r18=16,r34		}
1200{ .mfb;	add	r16=24,r33
1201	br	.L_cheat_entry_point4	};;
1202.endp	bn_sqr_comba4#
1203#endif
1204
1205#if 1
1206// Runs in ~115 cycles and ~4.5 times faster than C. Well, whatever...
1207//
1208// void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
1209//
1210#define	carry1	r14
1211#define	carry2	r15
1212.global	bn_mul_comba4#
1213.proc	bn_mul_comba4#
1214.align	64
1215bn_mul_comba4:
1216	.prologue
1217	.save	ar.pfs,r2
1218#if defined(_HPUX_SOURCE) && !defined(_LP64)
1219{ .mii;	alloc   r2=ar.pfs,3,0,0,0
1220	addp4	r33=0,r33
1221	addp4	r34=0,r34		};;
1222{ .mii;	addp4	r32=0,r32
1223#else
1224{ .mii;	alloc	r2=ar.pfs,3,0,0,0
1225#endif
1226	add	r14=8,r33
1227	add	r17=8,r34		}
1228	.body
1229{ .mii;	add	r15=16,r33
1230	add	r18=16,r34
1231	add	r16=24,r33		};;
1232.L_cheat_entry_point4:
1233{ .mmi;	add	r19=24,r34
1234
1235	ldf8	f32=[r33]		}
1236
1237{ .mmi;	ldf8	f120=[r34]
1238	ldf8	f121=[r17]		};;
1239{ .mmi;	ldf8	f122=[r18]
1240	ldf8	f123=[r19]		}
1241
1242{ .mmi;	ldf8	f33=[r14]
1243	ldf8	f34=[r15]		}
1244{ .mfi;	ldf8	f35=[r16]
1245
1246		xma.hu	f41=f32,f120,f0		}
1247{ .mfi;		xma.lu	f40=f32,f120,f0		};;
1248{ .mfi;		xma.hu	f51=f32,f121,f0		}
1249{ .mfi;		xma.lu	f50=f32,f121,f0		};;
1250{ .mfi;		xma.hu	f61=f32,f122,f0		}
1251{ .mfi;		xma.lu	f60=f32,f122,f0		};;
1252{ .mfi;		xma.hu	f71=f32,f123,f0		}
1253{ .mfi;		xma.lu	f70=f32,f123,f0		};;//
1254// Major stall takes place here, and 3 more places below. Result from
1255// first xma is not available for another 3 ticks.
1256{ .mfi;	getf.sig	r16=f40
1257		xma.hu	f42=f33,f120,f41
1258	add		r33=8,r32		}
1259{ .mfi;		xma.lu	f41=f33,f120,f41	};;
1260{ .mfi;	getf.sig	r24=f50
1261		xma.hu	f52=f33,f121,f51	}
1262{ .mfi;		xma.lu	f51=f33,f121,f51	};;
1263{ .mfi;	st8		[r32]=r16,16
1264		xma.hu	f62=f33,f122,f61	}
1265{ .mfi;		xma.lu	f61=f33,f122,f61	};;
1266{ .mfi;		xma.hu	f72=f33,f123,f71	}
1267{ .mfi;		xma.lu	f71=f33,f123,f71	};;//
1268//-------------------------------------------------//
1269{ .mfi;	getf.sig	r25=f41
1270		xma.hu	f43=f34,f120,f42	}
1271{ .mfi;		xma.lu	f42=f34,f120,f42	};;
1272{ .mfi;	getf.sig	r16=f60
1273		xma.hu	f53=f34,f121,f52	}
1274{ .mfi;		xma.lu	f52=f34,f121,f52	};;
1275{ .mfi;	getf.sig	r17=f51
1276		xma.hu	f63=f34,f122,f62
1277	add		r25=r25,r24		}
1278{ .mfi;	mov		carry1=0
1279		xma.lu	f62=f34,f122,f62	};;
1280{ .mfi;	st8		[r33]=r25,16
1281		xma.hu	f73=f34,f123,f72
1282	cmp.ltu		p6,p0=r25,r24		}
1283{ .mfi;		xma.lu	f72=f34,f123,f72	};;//
1284//-------------------------------------------------//
1285{ .mfi;	getf.sig	r18=f42
1286		xma.hu	f44=f35,f120,f43
1287(p6)	add		carry1=1,carry1		}
1288{ .mfi;	add		r17=r17,r16
1289		xma.lu	f43=f35,f120,f43
1290	mov		carry2=0		};;
1291{ .mfi;	getf.sig	r24=f70
1292		xma.hu	f54=f35,f121,f53
1293	cmp.ltu		p7,p0=r17,r16		}
1294{ .mfi;		xma.lu	f53=f35,f121,f53	};;
1295{ .mfi;	getf.sig	r25=f61
1296		xma.hu	f64=f35,f122,f63
1297	add		r18=r18,r17		}
1298{ .mfi;		xma.lu	f63=f35,f122,f63
1299(p7)	add		carry2=1,carry2		};;
1300{ .mfi;	getf.sig	r26=f52
1301		xma.hu	f74=f35,f123,f73
1302	cmp.ltu		p7,p0=r18,r17		}
1303{ .mfi;		xma.lu	f73=f35,f123,f73
1304	add		r18=r18,carry1		};;
1305//-------------------------------------------------//
1306{ .mii;	st8		[r32]=r18,16
1307(p7)	add		carry2=1,carry2
1308	cmp.ltu		p7,p0=r18,carry1	};;
1309
1310{ .mfi;	getf.sig	r27=f43	// last major stall
1311(p7)	add		carry2=1,carry2		};;
1312{ .mii;		getf.sig	r16=f71
1313	add		r25=r25,r24
1314	mov		carry1=0		};;
1315{ .mii;		getf.sig	r17=f62
1316	cmp.ltu		p6,p0=r25,r24
1317	add		r26=r26,r25		};;
1318{ .mii;
1319(p6)	add		carry1=1,carry1
1320	cmp.ltu		p6,p0=r26,r25
1321	add		r27=r27,r26		};;
1322{ .mii;
1323(p6)	add		carry1=1,carry1
1324	cmp.ltu		p6,p0=r27,r26
1325	add		r27=r27,carry2		};;
1326{ .mii;		getf.sig	r18=f53
1327(p6)	add		carry1=1,carry1
1328	cmp.ltu		p6,p0=r27,carry2	};;
1329{ .mfi;	st8		[r33]=r27,16
1330(p6)	add		carry1=1,carry1		}
1331
1332{ .mii;		getf.sig	r19=f44
1333		add		r17=r17,r16
1334		mov		carry2=0	};;
1335{ .mii;	getf.sig	r24=f72
1336		cmp.ltu		p7,p0=r17,r16
1337		add		r18=r18,r17	};;
1338{ .mii;	(p7)	add		carry2=1,carry2
1339		cmp.ltu		p7,p0=r18,r17
1340		add		r19=r19,r18	};;
1341{ .mii;	(p7)	add		carry2=1,carry2
1342		cmp.ltu		p7,p0=r19,r18
1343		add		r19=r19,carry1	};;
1344{ .mii;	getf.sig	r25=f63
1345	(p7)	add		carry2=1,carry2
1346		cmp.ltu		p7,p0=r19,carry1};;
1347{ .mii;		st8		[r32]=r19,16
1348	(p7)	add		carry2=1,carry2	}
1349
1350{ .mii;	getf.sig	r26=f54
1351	add		r25=r25,r24
1352	mov		carry1=0		};;
1353{ .mii;		getf.sig	r16=f73
1354	cmp.ltu		p6,p0=r25,r24
1355	add		r26=r26,r25		};;
1356{ .mii;
1357(p6)	add		carry1=1,carry1
1358	cmp.ltu		p6,p0=r26,r25
1359	add		r26=r26,carry2		};;
1360{ .mii;		getf.sig	r17=f64
1361(p6)	add		carry1=1,carry1
1362	cmp.ltu		p6,p0=r26,carry2	};;
1363{ .mii;	st8		[r33]=r26,16
1364(p6)	add		carry1=1,carry1		}
1365
1366{ .mii;	getf.sig	r24=f74
1367		add		r17=r17,r16
1368		mov		carry2=0	};;
1369{ .mii;		cmp.ltu		p7,p0=r17,r16
1370		add		r17=r17,carry1	};;
1371
1372{ .mii;	(p7)	add		carry2=1,carry2
1373		cmp.ltu		p7,p0=r17,carry1};;
1374{ .mii;		st8		[r32]=r17,16
1375	(p7)	add		carry2=1,carry2	};;
1376
1377{ .mii;	add		r24=r24,carry2		};;
1378{ .mii;	st8		[r33]=r24		}
1379
1380{ .mib;	rum		1<<5		// clear um.mfh
1381	br.ret.sptk.many	b0	};;
1382.endp	bn_mul_comba4#
1383#undef	carry2
1384#undef	carry1
1385#endif
1386
1387#if 1
1388//
1389// BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
1390//
1391// In the nutshell it's a port of my MIPS III/IV implementation.
1392//
1393#define	AT	r14
1394#define	H	r16
1395#define	HH	r20
1396#define	L	r17
1397#define	D	r18
1398#define	DH	r22
1399#define	I	r21
1400
1401#if 0
1402// Some preprocessors (most notably HP-UX) appear to be allergic to
1403// macros enclosed to parenthesis [as these three were].
1404#define	cont	p16
1405#define	break	p0	// p20
1406#define	equ	p24
1407#else
1408cont=p16
1409break=p0
1410equ=p24
1411#endif
1412
1413.global	abort#
1414.global	bn_div_words#
1415.proc	bn_div_words#
1416.align	64
1417bn_div_words:
1418	.prologue
1419	.save	ar.pfs,r2
1420{ .mii;	alloc		r2=ar.pfs,3,5,0,8
1421	.save	b0,r3
1422	mov		r3=b0
1423	.save	pr,r10
1424	mov		r10=pr		};;
1425{ .mmb;	cmp.eq		p6,p0=r34,r0
1426	mov		r8=-1
1427(p6)	br.ret.spnt.many	b0	};;
1428
1429	.body
1430{ .mii;	mov		H=r32		// save h
1431	mov		ar.ec=0		// don't rotate at exit
1432	mov		pr.rot=0	}
1433{ .mii;	mov		L=r33		// save l
1434	mov		r25=r0		// needed if abort is called on VMS
1435	mov		r36=r0		};;
1436
1437.L_divw_shift:	// -vv- note signed comparison
1438{ .mfi;	(p0)	cmp.lt		p16,p0=r0,r34	// d
1439	(p0)	shladd		r33=r34,1,r0	}
1440{ .mfb;	(p0)	add		r35=1,r36
1441	(p0)	nop.f		0x0
1442(p16)	br.wtop.dpnt		.L_divw_shift	};;
1443
1444{ .mii;	mov		D=r34
1445	shr.u		DH=r34,32
1446	sub		r35=64,r36		};;
1447{ .mii;	setf.sig	f7=DH
1448	shr.u		AT=H,r35
1449	mov		I=r36			};;
1450{ .mib;	cmp.ne		p6,p0=r0,AT
1451	shl		H=H,r36
1452(p6)	br.call.spnt.clr	b0=abort	};;	// overflow, die...
1453
1454{ .mfi;	fcvt.xuf.s1	f7=f7
1455	shr.u		AT=L,r35		};;
1456{ .mii;	shl		L=L,r36
1457	or		H=H,AT			};;
1458
1459{ .mii;	nop.m		0x0
1460	cmp.leu		p6,p0=D,H;;
1461(p6)	sub		H=H,D			}
1462
1463{ .mlx;	setf.sig	f14=D
1464	movl		AT=0xffffffff		};;
1465///////////////////////////////////////////////////////////
1466{ .mii;	setf.sig	f6=H
1467	shr.u		HH=H,32;;
1468	cmp.eq		p6,p7=HH,DH		};;
1469{ .mfb;
1470(p6)	setf.sig	f8=AT
1471(p7)	fcvt.xuf.s1	f6=f6
1472(p7)	br.call.sptk	b6=.L_udiv64_32_b6	};;
1473
1474{ .mfi;	getf.sig	r33=f8				// q
1475	xmpy.lu		f9=f8,f14		}
1476{ .mfi;	xmpy.hu		f10=f8,f14
1477	shrp		H=H,L,32		};;
1478
1479{ .mmi;	getf.sig	r35=f9				// tl
1480	getf.sig	r31=f10			};;	// th
1481
1482.L_divw_1st_iter:
1483{ .mii;	(p0)	add		r32=-1,r33
1484	(p0)	cmp.eq		equ,cont=HH,r31		};;
1485{ .mii;	(p0)	cmp.ltu		p8,p0=r35,D
1486	(p0)	sub		r34=r35,D
1487	(equ)	cmp.leu		break,cont=r35,H	};;
1488{ .mib;	(cont)	cmp.leu		cont,break=HH,r31
1489	(p8)	add		r31=-1,r31
1490(cont)	br.wtop.spnt		.L_divw_1st_iter	};;
1491///////////////////////////////////////////////////////////
1492{ .mii;	sub		H=H,r35
1493	shl		r8=r33,32
1494	shl		L=L,32			};;
1495///////////////////////////////////////////////////////////
1496{ .mii;	setf.sig	f6=H
1497	shr.u		HH=H,32;;
1498	cmp.eq		p6,p7=HH,DH		};;
1499{ .mfb;
1500(p6)	setf.sig	f8=AT
1501(p7)	fcvt.xuf.s1	f6=f6
1502(p7)	br.call.sptk	b6=.L_udiv64_32_b6	};;
1503
1504{ .mfi;	getf.sig	r33=f8				// q
1505	xmpy.lu		f9=f8,f14		}
1506{ .mfi;	xmpy.hu		f10=f8,f14
1507	shrp		H=H,L,32		};;
1508
1509{ .mmi;	getf.sig	r35=f9				// tl
1510	getf.sig	r31=f10			};;	// th
1511
1512.L_divw_2nd_iter:
1513{ .mii;	(p0)	add		r32=-1,r33
1514	(p0)	cmp.eq		equ,cont=HH,r31		};;
1515{ .mii;	(p0)	cmp.ltu		p8,p0=r35,D
1516	(p0)	sub		r34=r35,D
1517	(equ)	cmp.leu		break,cont=r35,H	};;
1518{ .mib;	(cont)	cmp.leu		cont,break=HH,r31
1519	(p8)	add		r31=-1,r31
1520(cont)	br.wtop.spnt		.L_divw_2nd_iter	};;
1521///////////////////////////////////////////////////////////
1522{ .mii;	sub	H=H,r35
1523	or	r8=r8,r33
1524	mov	ar.pfs=r2		};;
1525{ .mii;	shr.u	r9=H,I			// remainder if anybody wants it
1526	mov	pr=r10,0x1ffff		}
1527{ .mfb;	br.ret.sptk.many	b0	};;
1528
1529// Unsigned 64 by 32 (well, by 64 for the moment) bit integer division
1530// procedure.
1531//
1532// inputs:	f6 = (double)a, f7 = (double)b
1533// output:	f8 = (int)(a/b)
1534// clobbered:	f8,f9,f10,f11,pred
1535pred=p15
1536// This snippet is based on text found in the "Divide, Square
1537// Root and Remainder" section at
1538// http://www.intel.com/software/products/opensource/libraries/num.htm.
1539// Yes, I admit that the referred code was used as template,
1540// but after I realized that there hardly is any other instruction
1541// sequence which would perform this operation. I mean I figure that
1542// any independent attempt to implement high-performance division
1543// will result in code virtually identical to the Intel code. It
1544// should be noted though that below division kernel is 1 cycle
1545// faster than Intel one (note commented splits:-), not to mention
1546// original prologue (rather lack of one) and epilogue.
1547.align	32
1548.skip	16
1549.L_udiv64_32_b6:
1550	frcpa.s1	f8,pred=f6,f7;;		// [0]  y0 = 1 / b
1551
1552(pred)	fnma.s1		f9=f7,f8,f1		// [5]  e0 = 1 - b * y0
1553(pred)	fmpy.s1		f10=f6,f8;;		// [5]  q0 = a * y0
1554(pred)	fmpy.s1		f11=f9,f9		// [10] e1 = e0 * e0
1555(pred)	fma.s1		f10=f9,f10,f10;;	// [10] q1 = q0 + e0 * q0
1556(pred)	fma.s1		f8=f9,f8,f8	//;;	// [15] y1 = y0 + e0 * y0
1557(pred)	fma.s1		f9=f11,f10,f10;;	// [15] q2 = q1 + e1 * q1
1558(pred)	fma.s1		f8=f11,f8,f8	//;;	// [20] y2 = y1 + e1 * y1
1559(pred)	fnma.s1		f10=f7,f9,f6;;		// [20] r2 = a - b * q2
1560(pred)	fma.s1		f8=f10,f8,f9;;		// [25] q3 = q2 + r2 * y2
1561
1562	fcvt.fxu.trunc.s1	f8=f8		// [30] q = trunc(q3)
1563	br.ret.sptk.many	b6;;
1564.endp	bn_div_words#
1565#endif
1566