Open
Conversation
Add tools to measure and compare Metal GPU vs CPU performance: - metal_fft benchmark: Stark252 and Goldilocks FFT, twiddle generation, bit-reverse permutation (GPU vs CPU across 2^10 to 2^20) - metal_cfft benchmark: Mersenne31 Circle FFT evaluation/interpolation, raw butterfly kernels and full pipelines (GPU vs CPU) - metal_profile example: standalone profiler that measures kernel timing, throughput (Melem/s), effective bandwidth (GB/s), identifies GPU/CPU crossover points, and prints improvement suggestions Run with: cargo bench -p lambdaworks-math --features metal --bench metal_fft cargo bench -p lambdaworks-math --features metal --bench metal_cfft cargo run -p lambdaworks-math --features metal --example metal_profile --release
FieldElement<Mersenne31Field> implements From<&u32> not From<u32>.
Add threadgroup twiddle caching, multi-stage fusion kernels, and GPU crossover thresholds to reduce global memory traffic and dispatch overhead. Key changes: - Threadgroup-cached butterfly kernels that cooperatively load twiddles into shared memory for CFFT (Mersenne31) and standard FFT (Stark252, Goldilocks) - Fused multi-stage kernels that process 4 consecutive butterfly stages in threadgroup memory, avoiding 3 global memory round-trips - GPU/CPU crossover at 2^14 for evaluate/interpolate and standard FFT - Fix Mersenne31 random element generation in benchmarks and profiler Bandwidth improvements: Goldilocks +65% (23→38 GB/s), Mersenne31 CFFT +93% (7→13.5 GB/s), Stark252 +20% (25→30 GB/s).
…orks into feat/metal-profiling
…itrev - Replace compile-time FFT_FUSED_STAGES=4 with runtime parameter computed from field element size and 32KB threadgroup memory budget (Goldilocks: 12 stages, Stark256: 8 stages) - Merge bit-reverse permutation into same Metal command buffer, eliminating one GPU roundtrip and two intermediate CPU memcopies - Store w*b in local variable across all butterfly kernels to guarantee CSE - Add -O2 optimization flag to Metal shader compiler in build.rs Goldilocks 2^22: 2.03x → 3.17x speedup, 38 → 57 GB/s bandwidth Stark256 2^22: 6.29x speedup, 47 GB/s bandwidth
…merged bitrev Port the three-phase optimized dispatch (tg-cached → fused-tail → merged bitrev) from base-field FFT to extension field FFT. Add pipeline caching to MetalState via RefCell<HashMap> with get_pipeline() method. New Metal kernels: radix2_dit_butterfly_tg_ext (threadgroup-cached base-field twiddles) and radix2_dit_butterfly_fused_ext (fused multi-stage with extension elements in shared memory). Reduces dispatch count from O(log n) + 1 roundtrip to ~9 per-stage + 1 fused + merged bitrev in a single command buffer.
Kimi AI ReviewThe PR diff is quite extensive, involving changes to GPU Metal shader compilation, Rust source code, and Metal shader code. Here are the key issues and feedback points:
Overall, the PR aims to improve the performance of GPU-accelerated computations by optimizing shader compilation, introducing caching mechanisms, and enhancing the GPU kernels with more sophisticated variants. However, these changes are non-trivial and require thorough testing and validation to ensure that they do not introduce any correctness issues or performance regressions. |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| "-O2", | ||
| "-c", | ||
| &source_file, | ||
| "-o", |
There was a problem hiding this comment.
-
Security Concerns:
- It appears that there's a change related to shader compilation (
compile_metal_shaders) with optimization level set to-O2, but no context about its implications on cryptographic operations. Ensure this doesn’t impact any cryptographic security properties, especially since optimization flags may introduce unintended side-channel leaks by altering execution patterns.
- It appears that there's a change related to shader compilation (
-
Timing Side-Channels:
- Verify that all cryptographic operations, especially those involving secret data, do not vary execution time based on input values. This is crucial in field and curve operations.
-
Edge Cases & Correctness:
- Ensure that mathematical operations correctly handle edge cases, especially zero values, identity elements, and infinity points in elliptic curve operations.
-
Performance Considerations:
- Check for unnecessary allocations and redundant field inversions, as these can impact performance, particularly in intensive operations like FFT.
-
Potential Bugs & Errors:
- Inspect the code for any panic calls or unwraps, especially in scenarios involving external inputs or potentially malformed data. Panics can cause unexpected crashes.
-
Code Simplicity:
- While not necessarily related to style, ensure there aren't overly complex implementations that could maintain broader implications for security and maintainability.
Please provide more context or details particularly around the security and mathematical corrections, especially focusing on how these changes impact the correctness and secure operation of the cryptographic primitives used.
|
|
||
| /// Allocates `length` elements of type `T` in shared memory between CPU and GPU. | ||
| /// | ||
| /// Uses `StorageModeShared` for unified memory access on Apple Silicon. |
There was a problem hiding this comment.
Correctness:
- The code does not contain information related to mathematical operations, field operations, or polynomial implementations, so correctness specifically in these operations cannot be directly assessed.
Security:
- Potential Timing Side-Channels: The use of interior mutability and dynamic checking of the cache in
get_pipelinecould introduce timing side-channels. However, as Metal pipeline caching isn't directly related to secret-dependent operations, this may not pose an immediate issue in this context. - Zeroization of Sensitive Data: There is no evident mention of zeroization of sensitive data. Ensure that any sensitive cryptographic material is properly zeroized.
- Cryptographically Secure Randomness: No randomness function is assessed here.
- Secret-dependent Branching: No issues noted since the code reviewed does not involve secret-dependent branching.
- Hash Function Domain Separation: Not applicable to the provided code.
Performance:
- Unnecessary Allocations: The caching mechanism avoids redundant allocations by reusing pipelines.
- Efficiency Considerations: While caching strategies reduce performance overhead, interior mutability and repeated borrow operations might incur performance impacts if not managed correctly in concurrent contexts.
Bugs & Errors:
- Potential Panics: The
unwrapincache.get(kernel_name).unwrap()can potentially panic. This should be handled gracefully, possibly with a descriptive error if the key does not exist. - Memory Safety: No explicit memory safety concerns apart from
unwrapwhich can lead to panics that might disrupt program flow. - Integer Overflow/Underflow: Not applicable here.
Code Simplicity:
- The introduction of
RefCelland interior mutability increases complexity, but it helps reduce redundancy in pipeline state management. Ensure that readers are aware of this design choice due to its implications in a concurrent context. - No duplicated code or apparent poor abstractions were identified besides the use of
unwrap. Consider adding checks or returning a more informative error message if the lookup fails.
Overall:
- Resolve the use of
unwrap()with a safer alternative to avoid panics. Consider potential concurrency issues arising from interior mutability in systems relying onMutexor other synchronization primitives. - Ensure all security concerns around timing attacks and sensitive data management are thoroughly assessed in the broader codebase context.
- Assuming the rest of the library operates correctly and securely, the code introduces performance benefits for computation workload on GPUs, pending the correction of the error handling issue.
| [[bench]] | ||
| name = "metal_cfft" | ||
| harness = false | ||
| required-features = ["metal"] |
There was a problem hiding this comment.
Correctness:
- Edge Cases: Ensure handling of zero, identity elements, and infinity points is well tested, particularly in elliptic curve operations and proof systems. These cases are often problematic in cryptographic implementations.
Security:
- Timing Side-Channels: Ensure that all operations involving secret data are constant-time. Verify no secret-dependent branching, especially in math operations.
- Sensitive Data Zeroization: Check if cryptographic secrets are properly zeroed out after use to prevent data leakage through memory.
- Cryptographically Secure Randomness: Validate that random number generation uses a cryptographically secure RNG, essential in cryptographic applications.
- Hash Function Domain Separation: Ensure any hash functions used adhere to domain separation principles to prevent cross-protocol attacks.
Performance:
- FFT Efficiency: Check for the efficiency of the FFT implementation. Ensure no unnecessary memory allocations are present and that algorithms are optimized for the size of input data.
Bugs & Errors:
- Potential Panics: Watch out for any uses of
unwrap()or other methods that could panic, especially in critical operations like field inversions or polynomial evaluations. - Integer Overflow: Specify checks for integer overflow, especially in arithmetic operations, to prevent potential vulnerabilities.
Code Simplicity:
- Complexity and Duplications: Ensure implementations are not overly complex or redundant. Check for duplicated code that could be abstracted to improve maintainability.
Overall, the presence of these concerns needs to be addressed before considering the code merge-safe.
| bench_interpolate_cfft, | ||
| ); | ||
|
|
||
| criterion_main!(metal_cfft_benches); |
There was a problem hiding this comment.
Review Comments
Correctness
- Polynomial FFT Implementations: The correctness checks between GPU and CPU for
cfft,icfft,evaluate_cfft, andinterpolate_cfftseem to confirm the GPU results match the CPU results, which is crucial. - Edge Cases: There's no explicit handling or testing for edge cases, such as zero input, etc. Ensure that cases dealing with zero elements or identity elements are tested and managed.
Security
- Timing Side-Channel: There is no code related to handling secrets or sensitive data in this portion. Thus, no concerns about timing side-channel attacks or zeroization in this context.
- Cryptographically Secure Randomness: Randomness used here for test input (
StdRng) is not cryptographically secure but seems intentional for benchmarking purposes and reproducibility.
Performance
- Unnecessary Allocations: Input vectors are cloned for GPU/CPU comparisons. While this ensures correctness, consider measuring cost if this behavior shifts to production settings.
- FFT Efficiency: No immediately visible redundant inversions, but worth assessing if FFTs can be optimized further for the Metal GPU capabilities.
Bugs & Errors
- Potential Panics: Unwraps and expects are used, particularly in GPU operations. This should be avoided in production code without handling errors gracefully.
- Memory Safety Issues: No direct memory safety issues were noticed, but the use of external libraries merits caution.
- Off-by-One and Overflow: No apparent off-by-one errors or integer overflow issues, given the range seems well-defined.
Code Simplicity
- Duplicated Code: Validation functions for cfft and icfft look similar. An abstraction could potentially reduce this duplication for better maintenance.
- Complexity: The code complexity seems reasonable, given the benchmarking nature of the task.
Overall, though the validation and benchmarking code serve its purpose, the absence of handling edge cases and potential panics on GPU execution errors need addressing for robustness and correctness validation beyond typical paths.
| bench_bitrev_permutation, | ||
| ); | ||
|
|
||
| criterion_main!(metal_fft_benches); |
There was a problem hiding this comment.
Correctness:
- Polynomial and FFT implementations: The code appears to correctly validate GPU FFT outputs against the CPU implementations.
- Edge cases: Ensure edge cases like zero input or specific known values are tested, especially in FFT functions.
Security:
- Timing side-channels: It is not evident if GPU operations are constant-time. GPU execution characteristics may expose side channels that should be taken into account.
- Cryptographically secure randomness: The usage of
rand::random()is noted for element generation. Ensure this is suitable for cryptographic purposes or switch to a secure random number generator if not. - Zeroization of sensitive data and secret-dependent branching: Not directly applicable in the context shown here but always keep these in mind for operations that handle cryptographic secrets.
Performance:
- There might be potentially more optimized methods for random element generation if the same sequence or constant-time generation isn't essential.
Bugs & Errors:
- Potential panics or unwraps: Several calls to
unwrap()could cause panics. Prefer.expect()with a clear error message in bench scenarios, or handle errors where possible.
Code Simplicity:
- Generally, the code structure in terms of separate functions for validation and benchmarking enhances readability.
In summary, while the functionality appears correct for typical scenarios, security considerations require reviewing the randomness sources and evaluating the constant-time nature of GPU computations. Use .expect() instead of unwrap() to help diagnose potential panics during bench execution.
| uint32_t, | ||
| uint32_t, | ||
| threadgroup FpGoldilocks* | ||
| ); |
There was a problem hiding this comment.
Correctness
- Polynomial and FFT implementations: Ensure that the radix-2 DIT butterfly functions are implemented correctly to handle inputs correctly across cycles. Verify that edge cases such as empty inputs, single-element inputs, or inputs of size that are not powers of two are handled properly. Ensure that the twiddle factors are computed correctly and are being used as intended.
Security
- Timing side-channels: Verify that the operations within these FFT transformations are constant-time with respect to any secret data being processed to prevent timing attacks.
- Zeroization: Check if
threadgroupdata buffers storing sensitive data are properly zeroized after use. - Cryptographically secure randomness: If randomness is used in the implementation, confirm the source is cryptographically secure.
Performance
- FFT efficiency: Check if the
threadgroupmemory is being used optimally to minimize memory access penalties. Look for possible performance improvements by reducing redundant computations where possible.
Bugs & Errors
- Potential panics or unwraps: Ensure that no panics or unwraps will occur due to out-of-bounds accesses or unhandled cases.
- Memory safety issues: Particularly with
threadgroupusage, memory safety in concurrent environments must be checked. Consider potential data races or out-of-bound writes. - Integer overflow/underflow: Investigate if there are protections against integer overflow for the
uint32_toperations, especially as they relate to FFT index calculations.
Code Simplicity
- Poor abstractions: Consider if abstractions can be improved to encapsulate repeated patterns seen in the radix-2 DIT butterfly functions. This can reduce duplication and make the code easier to maintain or extend.
Without addressing the above concerns, the changes are not ready to be merged.
|
|
||
| // Bit-reverse permutation for extension field elements | ||
| template [[ host_name("bitrev_permutation_Goldilocks_fp2") ]] | ||
| [[kernel]] void bitrev_permutation_ext<FpExtFp2>( |
There was a problem hiding this comment.
The code changes include the implementation of FFTs using butterflies which are critical for cryptographic operations. Here are some points to consider:
Correctness:
- Ensure that the butterfly operations correctly handle modular arithmetic particularly with extension fields to avoid mathematical errors.
- Carefully test zero edge cases where the inputs are zero, as well as situations involving identity elements.
Security:
- Ensure that these operations are constant-time to prevent timing side-channel attacks. This means there shouldn't be any branching based on secret values which would result in different execution times.
- Check if sensitive data is properly zeroized after use, especially in context switching between function calls.
Performance:
- There should be attention to the efficiency of the FFT operations, such as reducing unnecessary allocations and optimizing memory access patterns within the
threadgroup. - Consider the potential for redundant field inversions and addressing them to improve performance.
Bugs & Errors:
- Ensure robust error handling; avoid functions that could result in panics or unwrap issues especially when dealing with indices and bounds within FFT operations.
- Double-check for potential integer overflows or underflows especially in cases where large fields or large indices are involved.
Code Simplicity:
- The templates and kernels seem to be abstracted well, however, ensure that they are not unnecessarily duplicating functionality that could be reused.
- The naming conventions and separation of functionality seem clean, ensure this continues across the code to keep maintenance simple.
Overall, further testing and verification are needed to ensure both correctness and security.
|
|
||
| // Bit-reverse permutation for extension field elements | ||
| template [[ host_name("bitrev_permutation_Goldilocks_fp3") ]] | ||
| [[kernel]] void bitrev_permutation_ext<FpExtFp3>( |
There was a problem hiding this comment.
Correctness:
- Mathematical Operations: Ensure that
FpExtFp3correctly implements modular arithmetic and respects all field axioms. Carefully verify carry handling and reduction logic to prevent overflow or wraparound errors, as these can lead to incorrect computations. - Edge Cases: Consider adding explicit checks or tests for edge cases, such as zero and identity operations, especially in FFT calculations that involve inversion or division.
Security:
- Timing Side-Channels: Verify that all operations, particularly within FFTs and any operations involving secret data, are constant-time to prevent leakage.
- Zeroization of Sensitive Data: Ensure temporary variables containing sensitive information are zeroed out immediately after use, especially those allocated on the heap or stack within kernel functions.
Performance:
- Unnecessary Allocations: Review the use of
threadgroupmemory to ensure it is efficiently used and not leading to excessive memory allocation which could degrade performance. - FFT Efficiency: For the butterfly operations, ensure no redundant calculations or data movements are being performed, and that the algorithm utilizes in-place operations where applicable.
Bugs & Errors:
- Potential Panics: Check all index accesses, especially in template specializations and kernel configurations, to prevent out-of-bounds errors.
Code Simplicity:
- It would help to see more details regarding the implementation of these kernels for further assessment regarding complexity and duplication. Ensure that abstractions can't be simplified further for ease of maintenance.
Given these concerns, some improvements regarding correctness and security need to be addressed before merging.
| uint32_t, | ||
| uint32_t, | ||
| threadgroup FpMersenne31* | ||
| ); |
There was a problem hiding this comment.
Correctness
- Polynomial and FFT Implementations: The provided code snippets define butterfly operations for FFTs over the
FpMersenne31field. While there isn't enough detail for full verification, ensure that the butterfly operations handle all edge cases, especially when dealing with zero elements where divisions might occur. Ensure results are correctly reduced modulo the Mersenne prime.
Security
- Constant-time operations: These function definitions don't show the internal logic, so it's critical to ensure that the implementations avoid timing side channels. Make sure all operations on potentially secret data are constant-time.
- Proper zeroization of sensitive data: If any intermediate values are sensitive, confirm they're properly zeroized to prevent leakage.
- Cryptographically secure randomness: If your implementation relies on randomness (not observable here), it must use a cryptographically secure RNG without visible details.
- No secret-dependent branching: Ensure that all branching decisions are independent of secret values to prevent timing attacks.
Performance
- MSM and FFT efficiency: The use of threadgroup memory suggests optimization for parallel execution, which is good for performance. Verify the implementation efficiently utilizes this for minimizing latency and maximizing throughput.
Bugs & Errors
- Potential Panics or Unwraps: Without seeing actual logic, watch for unwrapping options or handling divisions without checks. Make sure to manage these safely to prevent panics.
Code Simplicity
- Duplicated Code: The function declarations appear very similar. Consider whether these can be refactored or parameterized to reduce code duplication.
To make a more informed decision, reviewing the complete implementation of these kernels is advised, especially focusing on the mathematical correctness and security aspects mentioned.
| uint32_t, | ||
| uint32_t, | ||
| threadgroup FpStark256* | ||
| ); |
There was a problem hiding this comment.
Correctness
- Mathematical operations: Ensure that modular reductions are handled correctly in FFT operations to avoid overflow or math errors.
- Edge cases: No explicit checks for edge cases like zero inputs or identity elements.
Security
- Timing side-channels: Need to verify that all arithmetic on secret data is constant-time. The code snippet doesn't make this clear.
- Zeroization of sensitive data: There's no evidence that sensitive data gets zeroed after use, which can be a security risk.
Performance
- Unnecessary allocations: Check if memory allocations for FFT operations can be minimized or reused.
- FFT efficiency: The implementation of radix-2 DIT can be optimized further for performance by reducing branch mispredictions and enhancing cache efficiency.
Bugs & Errors
- Potential panics or unwraps: Code doesn't show error handling for potential allocation panics or array bounds.
- Memory safety: Ensure indexed accesses are bounds-checked or proven safe.
Code Simplicity
- Duplicated code: The provided kernel templates are structurally similar; consider consolidating repeated patterns into a common base if possible to reduce duplication.
Overall, the code needs further scrutiny on correctness, security, and performance aspects. Particularly, focus on addressing edge cases and potential side-channel vulnerabilities.
Greptile OverviewGreptile SummaryOptimized Metal GPU FFT implementation with dynamic stage fusion and extension field support. Introduced three kernel variants: basic (global memory), threadgroup-cached (shared twiddles), and fused multi-stage (shared data blocks). Runtime computation of optimal fusion stages based on field element size and 32KB threadgroup memory budget eliminates hardcoded constants and supports varying field sizes. Key Changes
Testing & Validation
Confidence Score: 5/5
|
| Filename | Overview |
|---|---|
| crates/math/src/fft/gpu/metal/ops.rs | Optimized FFT with dynamic fused stages and extension field support - well-structured with comprehensive tests |
| crates/math/src/circle/gpu/metal/ops.rs | Added threadgroup-cached and fused CFFT kernels - clean implementation with proper error handling |
| crates/gpu/src/metal/abstractions/state.rs | Added pipeline caching with interior mutability - correct RefCell usage |
| crates/math/src/gpu/metal/shaders/fft/fft.h.metal | Added threadgroup-cached and dynamically-fused FFT kernels - efficient shared memory usage |
| crates/math/src/gpu/metal/shaders/fft/fft_extension.h.metal | Extension field FFT kernels with base-field twiddles - correct scalar multiplication usage |
| crates/math/src/gpu/metal/shaders/fft/cfft.h.metal | Fused CFFT kernels with 4-stage fusion - proper threadgroup synchronization |
Sequence Diagram
sequenceDiagram
participant Rust as Rust Host Code
participant GPU as Metal GPU
participant TG as Threadgroup Memory
participant Global as Global Memory
Note over Rust,Global: FFT Optimization Strategy
Rust->>Rust: Compute optimal_fused_stages()<br/>based on element size & 32KB budget
Rust->>GPU: Allocate input/twiddles buffers
Rust->>Global: Upload input data & twiddles
Note over Rust,Global: Phase 1: Per-Stage Dispatches (Early Stages)
loop For each early stage
alt Twiddles fit in threadgroup memory
Rust->>GPU: Dispatch threadgroup-cached kernel
GPU->>TG: Cooperative load twiddles
GPU->>Global: Read input pairs
GPU->>GPU: Butterfly computation
GPU->>Global: Write results
else Too many twiddles
Rust->>GPU: Dispatch basic kernel
GPU->>Global: Read twiddles & input pairs
GPU->>GPU: Butterfly computation
GPU->>Global: Write results
end
end
Note over Rust,Global: Phase 2: Fused Tail (Last K Stages)
Rust->>GPU: Dispatch fused kernel (single dispatch)
GPU->>TG: Load data block to shared memory
loop K fused stages
GPU->>Global: Read twiddle
GPU->>TG: Butterfly in shared memory
GPU->>TG: Threadgroup barrier
end
GPU->>Global: Write block back
Note over Rust,Global: Phase 3: Bit-Reverse (Same Command Buffer)
Rust->>GPU: Set bitrev pipeline
GPU->>Global: Read input
GPU->>Global: Write permuted output
Rust->>Rust: Wait for completion
Rust->>Global: Retrieve final result
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1169 +/- ##
=======================================
Coverage 73.18% 73.18%
=======================================
Files 176 176
Lines 39491 39491
=======================================
Hits 28903 28903
Misses 10588 10588 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.