Re: [PATCH 2/3] [CRYPTO] Add optimized SHA-1 implementation for i486+

From: Matt Mackall
Date: Sun Jun 10 2007 - 10:01:03 EST

On Sat, Jun 09, 2007 at 08:33:25PM -0400, Benjamin Gilbert wrote:
> Jeff Garzik wrote:
> >Matt Mackall wrote:
> >>Have you benchmarked this against lib/sha1.c? Please post the results.
> >>Until then, I'm frankly skeptical that your unrolled version is faster
> >>because when I introduced lib/sha1.c the rolled version therein won by
> >>a significant margin and had 1/10th the cache footprint.
> See the benchmark tables in patch 0 at the head of this thread.
> Performance improved by at least 25% in every test, and 40-60% was more
> common for the 32-bit version (on a Pentium IV).
> It's not just the loop unrolling; it's the register allocation and
> spilling. For comparison, I built SHATransform() from the
> drivers/char/random.c in 2.6.11, using gcc 3.3.5 with -O2 and
> SHA_CODE_SIZE == 3 (i.e., fully unrolled); I'm guessing this is pretty
> close to what you tested back then. The resulting code is 49% MOV
> instructions, and 80% of *those* involve memory. gcc4 is somewhat
> better, but it still spills a whole lot, both for the 2.6.11 unrolled
> code and for the current lib/sha1.c.

Wait, your benchmark is comparing against the unrolled code?

> In contrast, the assembly implementation in this patch only has to go to
> memory for data and workspace (with one small exception in the F3
> rounds), and the workspace has a fifth of the cache footprint of the
> default implementation.

How big is the -code- footprint?

Earlier you wrote:

> On the aforementioned Pentium IV, /dev/urandom throughput goes from
> 3.7 MB/s to 5.6 MB/s with the patches; on the Core 2, it increases
> from 5.5 MB/s to 8.1 MB/s.

Whoa. We've regressed something horrible here:

In 2003, I was getting 17MB/s out of my Athlon. Now I'm getting 2.7MB/s.
Were your tests with or without the latest /dev/urandom fixes? This
one in particular:;a=commitdiff;h=374f167dfb97c1785515a0c41e32a66b414859a8

