Date: Tue, 13 Mar 2018 14:56:08 +0100
From: Andrea Parri
To: Alan Stern
Cc: LKMM Maintainers -- Akira Yokosawa, Boqun Feng, David Howells, Jade Alglave, Luc Maranget, Nicholas Piggin, "Paul E. McKenney", Peter Zijlstra, Will Deacon, Kernel development list
Subject: Re: [PATCH 2/2 v2 RFC] tools/memory-model: redefine rb in terms of rcu-fence
Message-ID: <20180313135608.GB10273@andrea>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 28, 2018 at 03:13:54PM -0500, Alan Stern wrote:
> This patch reorganizes the definition of rb in the Linux Kernel Memory
> Consistency Model.  The relation is now expressed in terms of
> rcu-fence, which consists of a sequence of gp and rscs links separated
> by rcu-link links, in which the number of occurrences of gp is >= the
> number of occurrences of rscs.
>
> Arguments similar to those published in
> http://diy.inria.fr/linux/long.pdf show that rcu-fence behaves like an
> inter-CPU strong fence.  Furthermore, the definition of rb in terms of
> rcu-fence is highly analogous to the definition of pb in terms of
> strong-fence, which can help explain why rcu-path expresses a form of
> temporal ordering.
>
> This change should not affect the semantics of the memory model, just
> its internal organization.
>
> Signed-off-by: Alan Stern

I like Boqun's suggestion of "reducing rcu-fence" and using "acyclic".

IIRC, some time ago we discussed "enlarging" hb, pb by defining them to be
transitive closed (and using "irreflexive" everywhere); however, this
resulted in slightly longer simulation times...

For this patch,

Reviewed-by: Andrea Parri

  Andrea

>
> ---
>
> v2: Rebase on top of the preceding patch which renames "link" to
> "rcu-link" and "rcu-path" to "rb".  Add back the missing "rec" keyword
> in the definition of rcu-fence.  Minor editing improvements in
> explanation.txt.
>
> Index: usb-4.x/tools/memory-model/linux-kernel.cat
> ===================================================================
> --- usb-4.x.orig/tools/memory-model/linux-kernel.cat
> +++ usb-4.x/tools/memory-model/linux-kernel.cat
> @@ -102,20 +102,27 @@ let rscs = po ; crit^-1 ; po? > *) > let rcu-link = hb* ; pb* ; prop > > -(* Chains that affect the RCU grace-period guarantee *) > -let gp-link = gp ; rcu-link > -let rscs-link = rscs ; rcu-link > - > (* > - * A cycle containing at least as many grace periods as RCU read-side > - * critical sections is forbidden. > + * Any sequence containing at least as many grace periods as RCU read-side > + * critical sections (joined by rcu-link) acts as a generalized strong fence. > *) > -let rec rb = > - gp-link | > - (gp-link ; rscs-link) | > - (rscs-link ; gp-link) | > - (rb ; rb) | > - (gp-link ; rb ; rscs-link) | > - (rscs-link ; rb ; gp-link) > +let rec rcu-fence = gp | > + (gp ; rcu-link ; rscs) | > + (rscs ; rcu-link ; gp) | > + (gp ; rcu-link ; rcu-fence ; rcu-link ; rscs) | > + (rscs ; rcu-link ; rcu-fence ; rcu-link ; gp) | > + (rcu-fence ; rcu-link ; rcu-fence) > + > +(* rb orders instructions just as pb does *) > +let rb = prop ; rcu-fence ; hb* ; pb* > > irreflexive rb as rcu > + > +(* > + * The happens-before, propagation, and rcu constraints are all > + * expressions of temporal ordering. They could be replaced by > + * a single constraint on an "executes-before" relation, xb: > + * > + * let xb = hb | pb | rb > + * acyclic xb as executes-before > + *) > Index: usb-4.x/tools/memory-model/Documentation/explanation.txt > =================================================================== > --- usb-4.x.orig/tools/memory-model/Documentation/explanation.txt > +++ usb-4.x/tools/memory-model/Documentation/explanation.txt > @@ -27,7 +27,7 @@ Explanation of the Linux-Kernel Memory C > 19. AND THEN THERE WAS ALPHA > 20. THE HAPPENS-BEFORE RELATION: hb > 21. THE PROPAGATES-BEFORE RELATION: pb > - 22. RCU RELATIONS: rcu-link, gp-link, rscs-link, and rb > + 22. RCU RELATIONS: rcu-link, gp, rscs, rcu-fence, and rb > 23. ODDS AND ENDS 
> > > @@ -1451,8 +1451,8 @@ they execute means that it cannot have c > the content of the LKMM's "propagation" axiom. > > > -RCU RELATIONS: rcu-link, gp-link, rscs-link, and rb > ---------------------------------------------------- > +RCU RELATIONS: rcu-link, gp, rscs, rcu-fence, and rb > +---------------------------------------------------- > > RCU (Read-Copy-Update) is a powerful synchronization mechanism. It > rests on two concepts: grace periods and read-side critical sections. 
> @@ -1537,49 +1537,100 @@ relation, and the details don't matter u > a somewhat lengthy formal proof. Pretty much all you need to know > about rcu-link is the information in the preceding paragraph. > > -The LKMM goes on to define the gp-link and rscs-link relations. They > -bring grace periods and read-side critical sections into the picture, > -in the following way: > - > - E ->gp-link F means there is a synchronize_rcu() fence event S > - and an event X such that E ->po S, either S ->po X or S = X, > - and X ->rcu-link F. In other words, E and F are linked by a > - grace period followed by an instance of rcu-link. > - > - E ->rscs-link F means there is a critical section delimited by > - an rcu_read_lock() fence L and an rcu_read_unlock() fence U, > - and an event X such that E ->po U, either L ->po X or L = X, > - and X ->rcu-link F. Roughly speaking, this says that some > - event in the same critical section as E is linked by rcu-link > - to F. > +The LKMM also defines the gp and rscs relations. They bring grace > +periods and read-side critical sections into the picture, in the > +following way: > + > + E ->gp F means there is a synchronize_rcu() fence event S such > + that E ->po S and either S ->po F or S = F. In simple terms, > + there is a grace period po-between E and F. > + > + E ->rscs F means there is a critical section delimited by an > + rcu_read_lock() fence L and an rcu_read_unlock() fence U, such > + that E ->po U and either L ->po F or L = F. You can think of > + this as saying that E and F are in the same critical section > + (in fact, it also allows E to be po-before the start of the > + critical section and F to be po-after the end). > > If we think of the rcu-link relation as standing for an extended > -"before", then E ->gp-link F says that E executes before a grace > -period which ends before F executes. 
(In fact it covers more than > -this, because it also includes cases where E executes before a grace > -period and some store propagates to F's CPU before F executes and > -doesn't propagate to some other CPU until after the grace period > -ends.) Similarly, E ->rscs-link F says that E is part of (or before > -the start of) a critical section which starts before F executes. > +"before", then X ->gp Y ->rcu-link Z says that X executes before a > +grace period which ends before Z executes. (In fact it covers more > +than this, because it also includes cases where X executes before a > +grace period and some store propagates to Z's CPU before Z executes > +but doesn't propagate to some other CPU until after the grace period > +ends.) Similarly, X ->rscs Y ->rcu-link Z says that X is part of (or > +before the start of) a critical section which starts before Z > +executes. > + > +The LKMM goes on to define the rcu-fence relation as a sequence of gp > +and rscs links separated by rcu-link links, in which the number of gp > +links is >= the number of rscs links. For example: > + > + X ->gp Y ->rcu-link Z ->rscs T ->rcu-link U ->gp V > + > +would imply that X ->rcu-fence V, because this sequence contains two > +gp links and only one rscs link. (It also implies that X ->rcu-fence T > +and Z ->rcu-fence V.) On the other hand: > + > + X ->rscs Y ->rcu-link Z ->rscs T ->rcu-link U ->gp V > + > +does not imply X ->rcu-fence V, because the sequence contains only > +one gp link but two rscs links. > + > +The rcu-fence relation is important because the Grace Period Guarantee > +means that rcu-fence acts kind of like a strong fence. In particular, > +if W is a write and we have W ->rcu-fence Z, the Guarantee says that W > +will propagate to every CPU before Z executes. > + > +To prove this in full generality requires some intellectual effort. > +We'll consider just a very simple case: > + > + W ->gp X ->rcu-link Y ->rscs Z. 
> + > +This formula means that there is a grace period G and a critical > +section C such that: > + > + 1. W is po-before G; > + > + 2. X is equal to or po-after G; > + > + 3. X comes "before" Y in some sense; > + > + 4. Y is po-before the end of C; > + > + 5. Z is equal to or po-after the start of C. > + > +From 2 - 4 we deduce that the grace period G ends before the critical > +section C. Then the second part of the Grace Period Guarantee says > +not only that G starts before C does, but also that W (which executes > +on G's CPU before G starts) must propagate to every CPU before C > +starts. In particular, W propagates to every CPU before Z executes > +(or finishes executing, in the case where Z is equal to the > +rcu_read_lock() fence event which starts C.) This sort of reasoning > +can be expanded to handle all the situations covered by rcu-fence. > + > +Finally, the LKMM defines the RCU-before (rb) relation in terms of > +rcu-fence. This is done in essentially the same way as the pb > +relation was defined in terms of strong-fence. We will omit the > +details; the end result is that E ->rb F implies E must execute before > +F, just as E ->pb F does (and for much the same reasons). > > Putting this all together, the LKMM expresses the Grace Period > -Guarantee by requiring that there are no cycles consisting of gp-link > -and rscs-link links in which the number of gp-link instances is >= the > -number of rscs-link instances. It does this by defining the rb > -relation to link events E and F whenever it is possible to pass from E > -to F by a sequence of gp-link and rscs-link links with at least as > -many of the former as the latter. The LKMM's "rcu" axiom then says > -that there are no events E with E ->rb E. > - > -Justifying this axiom takes some intellectual effort, but it is in > -fact a valid formalization of the Grace Period Guarantee. 
We won't > -attempt to go through the detailed argument, but the following > -analysis gives a taste of what is involved. Suppose we have a > -violation of the first part of the Guarantee: A critical section > -starts before a grace period, and some store propagates to the > -critical section's CPU before the end of the critical section but > -doesn't propagate to some other CPU until after the end of the grace > -period. > +Guarantee by requiring that the rb relation does not contain a cycle. > +Equivalently, this "rcu" axiom requires that there are no events E and > +F with E ->rcu-link F ->rcu-fence E. Or to put it a third way, the > +axiom requires that there are no cycles consisting of gp and rscs > +alternating with rcu-link, where the number of gp links is >= the > +number of rscs links. > + > +Justifying the axiom isn't easy, but it is in fact a valid > +formalization of the Grace Period Guarantee. We won't attempt to go > +through the detailed argument, but the following analysis gives a > +taste of what is involved. Suppose we have a violation of the first > +part of the Guarantee: A critical section starts before a grace > +period, and some store propagates to the critical section's CPU before > +the end of the critical section but doesn't propagate to some other > +CPU until after the end of the grace period. > > Putting symbols to these ideas, let L and U be the rcu_read_lock() and > rcu_read_unlock() fence events delimiting the critical section in 
> @@ -1606,11 +1657,14 @@ by rcu-link, yielding: > > S ->po X ->rcu-link Z ->po U. > > -The formulas say that S is po-between F and X, hence F ->gp-link Z > -via X. They also say that Z comes before the end of the critical > -section and E comes after its start, hence Z ->rscs-link F via E. But > -now we have a forbidden cycle: F ->gp-link Z ->rscs-link F. Thus the > -"rcu" axiom rules out this violation of the Grace Period Guarantee. > +The formulas say that S is po-between F and X, hence F ->gp X. They > +also say that Z comes before the end of the critical section and E > +comes after its start, hence Z ->rscs E. From all this we obtain: > + > + F ->gp X ->rcu-link Z ->rscs E ->rcu-link F, > + > +a forbidden cycle. Thus the "rcu" axiom rules out this violation of > +the Grace Period Guarantee. > > For something a little more down-to-earth, let's see how the axiom > works out in practice. Consider the RCU code example from above, this > @@ -1639,15 +1693,15 @@ time with statement labels added to the > If r2 = 0 at the end then P0's store at X overwrites the value that > P1's load at Z reads from, so we have Z ->fre X and thus Z ->rcu-link X. > In addition, there is a synchronize_rcu() between Y and Z, so therefore > -we have Y ->gp-link X. > +we have Y ->gp Z. > > If r1 = 1 at the end then P1's load at Y reads from P0's store at W, > so we have W ->rcu-link Y. In addition, W and X are in the same critical > -section, so therefore we have X ->rscs-link Y. > +section, so therefore we have X ->rscs W. > > -This gives us a cycle, Y ->gp-link X ->rscs-link Y, with one gp-link > -and one rscs-link, violating the "rcu" axiom. Hence the outcome is > -not allowed by the LKMM, as we would expect. > +Then X ->rscs W ->rcu-link Y ->gp Z ->rcu-link X is a forbidden cycle, > +violating the "rcu" axiom. Hence the outcome is not allowed by the > +LKMM, as we would expect. > > For contrast, let's see what can happen in a more complicated example: 
> > @@ -1683,15 +1737,11 @@ For contrast, let's see what can happen > } > > If r0 = r1 = r2 = 1 at the end, then similar reasoning to before shows > -that W ->rscs-link Y via X, Y ->gp-link U via Z, and U ->rscs-link W > -via V. And just as before, this gives a cycle: > - > - W ->rscs-link Y ->gp-link U ->rscs-link W. > - > -However, this cycle has fewer gp-link instances than rscs-link > -instances, and consequently the outcome is not forbidden by the LKMM. > -The following instruction timing diagram shows how it might actually > -occur: > +that W ->rscs X ->rcu-link Y ->gp Z ->rcu-link U ->rscs V ->rcu-link W. > +However this cycle is not forbidden, because the sequence of relations > +contains fewer instances of gp (one) than of rscs (two). Consequently > +the outcome is allowed by the LKMM. The following instruction timing > +diagram shows how it might actually occur: > > P0 P1 P2 > -------------------- -------------------- -------------------- > >
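Review bot: in the linux-kernel.cat hunk, the comment "rb orders instructions just as pb does" above `let rb = prop ; rcu-fence ; hb* ; pb*` does not say why `irreflexive rb as rcu` is enough, while the explanation.txt hunk describes the same axiom as "requiring that the rb relation does not contain a cycle" and the trailing comment sketches `acyclic xb`. The two coincide only because rb is transitive by construction: rcu-link is `hb* ; pb* ; prop`, so the `hb* ; pb*` tail of one rb step followed by the `prop` head of the next is an rcu-link, and the `(rcu-fence ; rcu-link ; rcu-fence)` clause folds the two rcu-fences into one, giving rb ; rb contained in rb. Suggest stating that in the comment, e.g. "rb is transitive (rcu-fence ; rcu-link ; rcu-fence is itself an rcu-fence), so irreflexive is equivalent to acyclic here", or writing `acyclic rb as rcu` so the .cat and the documentation use the same wording.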
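Review bot: in the explanation.txt hunk at @@ -1537, the worked case "W ->gp X ->rcu-link Y ->rscs Z" says "From 2 - 4 we deduce that the grace period G ends before the critical section C", which conflates the premise with the conclusion: items 2-4 only give that G ends before C ends (X is po-after G, X comes before Y, Y is po-before the end of C); that G starts before C starts is exactly what the next sentence then obtains from the second part of the Grace Period Guarantee. Suggest "From 2 - 4 we deduce that the grace period G ends before the critical section C ends."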
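Review bot: style, in the @@ -1683 hunk the added line "However this cycle is not forbidden, because the sequence of relations" needs a comma after "However"; the rest of the rewritten paragraph (one gp, two rscs, outcome allowed) matches the chain it cites.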
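As an added worked check of the counting rule stated in the commit message above (this is example code, not code from the LKMM, from the patch, or from either participant): chains of links are encoded as Python lists of the tags "gp", "rscs" and "rcu-link", mirroring the relation names in the patch; that encoding, the function names and the event labels are assumptions of the example. It decides membership in rcu-fence two ways, by the recursive definition in the .cat hunk and by the "at least as many gp as rscs" count, lists every rcu-fence pair along the two chains discussed in the explanation text, applies the rcu axiom to the two cycles discussed there, and goes beyond the text by checking exhaustively that the two formulations agree on every fence sequence of up to eight links.

```python
"""Check the rcu-fence counting rule against the recursive definition.

Added example; not code from the LKMM, the patch, or its author.  A chain
of links is a list of tags that mirror the relation names in the patch
("gp", "rscs", "rcu-link"); the list encoding, the function names and the
event labels used below are assumptions of this example.
"""
from functools import lru_cache
from itertools import product

GP, RSCS, LINK = "gp", "rscs", "rcu-link"


def well_formed(chain):
    """gp/rscs fences at even positions, exactly one rcu-link between them."""
    return (
        len(chain) % 2 == 1
        and all(tag in (GP, RSCS) for tag in chain[0::2])
        and all(tag == LINK for tag in chain[1::2])
    )


@lru_cache(maxsize=None)
def _fence_seq_is_rcu_fence(fences):
    """The recursive definition from linux-kernel.cat, applied to the fence
    sequence with the rcu-link separators removed:
        gp | gp;L;rscs | rscs;L;gp
           | gp;L;rcu-fence;L;rscs | rscs;L;rcu-fence;L;gp
           | rcu-fence;L;rcu-fence
    """
    n = len(fences)
    if n == 1:
        return fences[0] == GP
    if (fences[0], fences[-1]) in ((GP, RSCS), (RSCS, GP)):
        inner = fences[1:-1]
        if not inner or _fence_seq_is_rcu_fence(inner):
            return True
    return any(
        _fence_seq_is_rcu_fence(fences[:k]) and _fence_seq_is_rcu_fence(fences[k:])
        for k in range(1, n)
    )


def is_rcu_fence_recursive(chain):
    return well_formed(chain) and _fence_seq_is_rcu_fence(tuple(chain[0::2]))


def is_rcu_fence_counting(chain):
    """The rule stated in the commit message: at least as many gp as rscs."""
    if not well_formed(chain):
        return False
    fences = chain[0::2]
    return fences.count(GP) >= fences.count(RSCS)


def rcu_fence_pairs(events, chain):
    """All (E_i, E_j) with E_i ->rcu-fence E_j along the chain.

    chain[k] is the link from events[k] to events[k+1]; only sub-chains that
    start and end on a fence link (not on an rcu-link) are candidates.
    """
    if len(chain) != len(events) - 1 or not well_formed(chain):
        raise ValueError("chain must be well formed and match the events")
    return {
        (events[i], events[j])
        for i in range(0, len(chain), 2)
        for j in range(i + 1, len(chain) + 1, 2)
        if is_rcu_fence_recursive(chain[i:j])
    }


def cycle_forbidden(fences):
    """The "rcu" axiom on a cycle of gp/rscs links joined by rcu-link: the
    cycle is forbidden iff some rotation, read as a chain, is an rcu-fence
    (i.e. there are E, F with E ->rcu-link F ->rcu-fence E)."""
    f = tuple(fences)
    return any(_fence_seq_is_rcu_fence(f[k:] + f[:k]) for k in range(len(f)))


def definitions_agree(max_fences=8):
    """Brute-force check that the recursive definition and the counting rule
    classify every fence sequence of up to max_fences links identically."""
    for n in range(1, max_fences + 1):
        for fences in product((GP, RSCS), repeat=n):
            chain = [t for f in fences for t in (f, LINK)][:-1]
            if is_rcu_fence_recursive(chain) != is_rcu_fence_counting(chain):
                return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the two chains and the two cycles from the text.
    events = ["X", "Y", "Z", "T", "U", "V"]
    for chain in ([GP, LINK, RSCS, LINK, GP], [RSCS, LINK, RSCS, LINK, GP]):
        print(chain, "->", sorted(rcu_fence_pairs(events, chain)))
    print("cycle rscs,gp forbidden:", cycle_forbidden([RSCS, GP]))
    print("cycle rscs,gp,rscs forbidden:", cycle_forbidden([RSCS, GP, RSCS]))
    print("definitions agree up to 8 fences:", definitions_agree(8))
```

Run it directly to print the pairs and the two cycle verdicts. `definitions_agree` is the commit message's claim that the recursive relation is exactly "at least as many gp as rscs", checked by enumeration rather than proved; the proof the commit message points to is in the cited PDF.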