https://www.mattkeeter.com/blog/2023-01-25-branch/ Matt Keeter // blog * projects * research * blog * about * links Do Not Taunt Happy Fun Branch Predictor I've been writing a lot of AArch64 assembly, for reasons. I recently came up with a "clever" idea to eliminate one jump from an inner loop, and was surprised to find that it slowed things down. Allow me to explain my terrible error, so that you don't fall victim in the future. A toy model of the relevant code looks something like this: float run(const float* data, size_t n) { float g = 0.0; while (n) { n--; const float f = *data++; foo(f, &g); } return g; } static void foo(float f, float* g) { // do some stuff, modifying g } (eliding headers and the forward declaration of foo for space) A simple translation into AArch64 assembly gives something like this: // x0: const float* data // x1: size_t n // Returns a single float in s0 // Prelude: store frame and link registers stp x29, x30, [sp, #-16]! // Initialize g = 0.0 fmov s0, #0.0 loop: cmp x1, #0 b.eq exit sub x1, x1, #1 ldr s1, [x0], #4 bl foo // call the function b loop // keep looping foo: // Do some work, reading from s1 and accumulating into s0 // ... ret exit: // Function exit ldp x29, x30, [sp], #16 ret Here, foo is kinda like a naked function: it uses the same stack frame and registers as the parent function, reads from s1, and writes to s0. The call to foo uses the the bl instruction, which is "branch and link": it jumps to the given label, and stores the next instruction address in the link register (lr or x30). When foo is done, the ret instruction jumps to the address in the link register, which is the instruction following the original bl. Looking at this code, I was struck by the fact that it does two branches, one after the other. Surely, it would be more efficient to only branch once. I had the clever idea to do so without changing foo: stp x29, x30, [sp, #-16]! fmov s0, #0.0 bl loop // Set up x30 to point to the loop entrance loop: cmp x1, #0 b.eq exit sub x1, x1, #1 ldr s1, [x0], #4 foo: // Do some work, accumulating into `s0` // ... ret exit: // Function exit ldp x29, x30, [sp], #16 ret This is a little subtle: * The first call to bl loop stores the beginning of the loop block in x30 * After checking for loop termination, we fall through into the foo function (without a branch!) * foo still ends with ret, which returns to the loop block (because that's what's in x30). Within the body of the loop, we never change x30, so the repeated ret instructions always return to the same place. I set up a benchmark using a very simple foo: foo: fadd s0, s0, s1 ret With this foo, the function as a whole sums the incoming array of float values. Benchmarking with criterion (on an M1 Max CPU), with a 1024-element array: Program Time Original 969 ns "Optimized" 3.85 us The "optimized" code with one jump per loop is about 4x slower than the original version with two jumps per loop! I found this surprising, so I asked a few colleagues about it. Between Cliff and Dan, the consensus was that mismatched bl / ret pairs were confusing the branch predictor. The ARM documentation agrees: Why do we need a special function return instruction? Functionally, BR LR would do the same job as RET. Using RET tells the processor that this is a function return. Most modern processors, and all Cortex-A processors, support branch prediction. Knowing that this is a function return allows processors to more accurately predict the branch. Branch predictors guess the direction the program flow will take across branches. The guess is used to decide what to load into a pipeline with instructions waiting to be processed. If the branch predictor guesses correctly, the pipeline has the correct instructions and the processor does not have to wait for instructions to be loaded from memory. More specifically, the branch predictor probably keeps an internal stack of function return addresses, which is pushed to whenever a bl is executed. When the branch predictor sees a ret coming down the pipeline, it assumes that you're returning to the address associated with the most recent bl (and begins prefetching / speculative execution / whatever), then pops that top address from its internal stack. This works if you've got matched bl / ret pairs, but the prediction will fail if the same address is used by multiple ret instructions; you'll end up with (vague handwaving) useless prefetching, incorrect speculative execution, and pipeline stalls / flushes Dan made the great suggestion of replacing ret with br x30 to test this theory. Sure enough, this fixes the performance regression: Program Time Matched bl / ret 969 ns One bl, many ret 3.85 us One bl, many br x30 913 ns In fact, it's slightly faster, probably because it's only doing one branch per loop instead of two! To further test the "branch predictor" theory, I opened up Instruments and examined performance counters for the first two programs. Picking out the worst offenders, the results seem conclusive: Counter Matched bl / ret One bl, many ret BRANCH_RET_INDIR_MISPRED_NONSPECIFIC 92 928,644,975 FETCH_RESTART 61,121 987,765,276 MAP_DISPATCH_BUBBLE 1,155,632 7,350,085,139 MAP_REWIND 6,412,734 2,789,499,545 These measurements are captured while summing an array of 1B elements. We see that with mismatched bl / ret pairs, the return branch predictor fails about 93% of the time! Apple doesn't fully document these counters, but I'm guessing that the other counters are downstream effects of bad branch prediction: * FETCH_RESTART is presumably bad prefetching * MAP_DISPATCH_BUBBLE probably refers to pipeline stalls * MAP_REWIND might be bad speculative execution that needs to be rewound In conclusion, do not taunt happy fun branch predictor with asymmetric usage of bl and ret instructions. --------------------------------------------------------------------- Appendix: Going Fast Take a second look at this program: stp x29, x30, [sp, #-16]! fmov s0, #0.0 loop: cmp x1, #0 b.eq exit sub x1, x1, #1 ldr s1, [x0], #4 bl foo // call the function b loop // keep looping foo: fadd s0, s0, s1 ret exit: // Function exit ldp x29, x30, [sp], #16 ret Upon seeing this program, it's a common reaction to ask "why is foo a subroutine at all?" The answer is "because this is a didactic example, not code that's trying to go as fast as possible". Still, it's a fair question. You wanna go fast? Let's go fast. If we know the contents of foo when building this function (and it's shorter than the maximum jump distance), we can remove the bl and ret entirely: loop: cmp x1, #0 b.eq exit sub x1, x1, #1 ldr s1, [x0], #4 // foo is completely inlined here fadd s0, s0, s1 b loop exit: // Function exit ldp x29, x30, [sp], #16 ret This is a roughly 6% speedup: from 969 ns to 911 ns. We can get faster still by trusting the compiler: pub fn sum_slice(f: &[f32]) -> f32 { f.iter().sum() } This brings us down to 833 ns, a significant improvement! Looking at the assembly, it's doing some loop unrolling. However, even when compiled with -C target-cpu=native, it's not generating NEON SIMD instructions. Can we beat it? We sure can! stp x29, x30, [sp, #-16]! fmov s0, #0.0 dup v1.4s, v0.s[0] dup v2.4s, v0.s[0] loop: // 1x per loop ands xzr, x1, #3 b.eq simd sub x1, x1, #1 ldr s3, [x0], #4 fadd s0, s0, s3 b loop simd: // 4x SIMD per loop ands xzr, x1, #7 b.eq simd2 sub x1, x1, #4 ldp d3, d4, [x0], #16 mov v3.d[1], v4.d[0] fadd v1.4s, v1.4s, v3.4s b simd simd2: // 2 x 4x SIMD per loop cmp x1, #0 b.eq exit sub x1, x1, #8 ldp d3, d4, [x0], #16 mov v3.d[1], v4.d[0] fadd v1.4s, v1.4s, v3.4s ldp d5, d6, [x0], #16 mov v5.d[1], v6.d[0] fadd v2.4s, v2.4s, v5.4s b simd2 exit: // function exit fadd v2.4s, v2.4s, v1.4s mov s1, v2.s[0] fadd s0, s0, s1 mov s1, v2.s[1] fadd s0, s0, s1 mov s1, v2.s[2] fadd s0, s0, s1 mov s1, v2.s[3] fadd s0, s0, s1 ldp x29, x30, [sp], #16 ret This code includes three different loops: * The first loop (loop) sums individual values into s0 until we have a multiple of four values remaining * The second loop (simd) uses SIMD instructions to sum 4 values at a time into the vector register v1, until we have a multiple of 8 values remaining * The last loop (simd2) is the same as simd, but is unrolled 2x so it handles 8 values per loop iteration, summing into v1 and v2 At the function exit, we accumulate the values in the vector registers v1/v2 into s0, which is returned. The type punning here is particularly cute: ldp d3, d4, [x0], #16 mov v3.d[1], v4.d[0] fadd v1.4s, v1.4s, v3.4s Remember, x0 holds a float*. We pretend that it's a double* to load 128 bits (i.e. 4x float values) into d3 and d4. Then, we move the "double" in d4 to occupy the top 64 bits of the v3 vector register (of which d3 is the lower 64 bits). Of course, each "double" is two floats, but that doesn't matter when shuffling them around. When summing with fadd, we tell the processor to treat them as four floats (the .4s suffix), and everything works out fine. How fast are we now? This runs in 94 ns, or about 8.8x faster than our previous best. Here's a summary of performance: Program Time Matched bl / ret 969 ns One bl, many ret 3.85 us One bl, many br x30 913 ns Plain loop with b 911 ns Rewrite it in Rust 833 ns SIMD + manual loop unrolling 94 ns Could we get even faster? I'm sure it's possible; I make no claims to being the Agner Fog of AArch64 assembly. Still, this is a reasonable point to wrap up: we've demystified the initial performance regression, and had some fun hand-writing assembly to go very fast indeed. The SIMD code does come with one asterisk, though: because floating-point addition is not associative, and it performs the summation in a different order, it may not get the same result as straight-line code. In retrospect, this is likely why the compiler doesn't generate SIMD instructions to compute the sum! Does this matter for your use case? Only you can know! --------------------------------------------------------------------- All of the code from this post is published to GitHub. You can reproduce benchmarks by running cargo bench on an ARM64 machine. (c) 2010-2022 Matthew Keeter