Received: by 10.192.165.156 with SMTP id m28csp883693imm;
        Wed, 11 Apr 2018 08:43:16 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/kX8ycNPREEPCJQGoHXqEEVFK3yvNScQtRBuWuV3s6w2dldMipNFR7lGbYtJ329bnD1qT1
X-Received: by 2002:a17:902:20cb:: with SMTP id v11-v6mr5821799plg.82.1523461396894;
        Wed, 11 Apr 2018 08:43:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523461396; cv=none;
        d=google.com; s=arc-20160816;
        b=DqiNUxVSrl6d8Zx7f30b8iY3QcfJs+VPdUAHexxxo+LrUMsmLo6BOF4BzLWMIjGTON
         OIKOM6twaJ6Wbib9J4BfPqmGtDPk0xyVia1I9J81DCx+5WfAimunKcawvQsu+Mfjyjhm
         jGQ/f2HEZi1oHoJxc4aD+vOymYGv5lRJm6g42WYH5zP6oJCu6s8+4GYGKmwUrVsXbW1T
         NbVY1oyiPpmMT2Htj0YjEsTxB6jwBlwhkXyN3WHIymihdSBruvVcohVnq7hFQRfYH0wq
         C3mV3JhP9d0TLgO4EnfetKeynncFMJxHKIUqQvmF4NiqSNT/EjgOLZBihIFBnxqzL7Bs
         lnEg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=ArbrX/5yyG8FWRkqgfRqlMRuePOguAcoKGv78N//1P0=;
        b=Wjj951WeLF3VUNzTioV5HZ9Iax+u6fw0awkB7W4UIRuWf14csheKrewIzlafONg3OD
         Xn5dIZodbjCL4WvlzgD/Cd+eOiV1kasPycKhaRhj+UAcPMfo32M+dHIL0YMvhQd7ZLdy
         sxCaRkf0Tbw/MhsKGLZsczhndDTBq+byfvancS/PAfJwTcI5DK6E0fbwRcyv89+fv5j1
         wcTr6ODJ+mlBv38Vb+ccnbFeo+ZhWsNFhJ4Y09MU37x54n+Yp3tQkYMJlxMJGi6bo8g1
         DT/wMKx0wIxJpUyFqlB2rtFlzjwRYF9T+/ilESqK7Imvcvggtu1AcQX/Cp+gR8lCPRy1
         znrQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amarulasolutions.com header.s=google header.b=RC/xGnsc;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t3si913853pgt.547.2018.04.11.08.42.39;
        Wed, 11 Apr 2018 08:43:16 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amarulasolutions.com header.s=google header.b=RC/xGnsc;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753106AbeDKPjK (ORCPT <rfc822;ablacktshirt@gmail.com>
        + 99 others); Wed, 11 Apr 2018 11:39:10 -0400
Received: from mail-wr0-f196.google.com ([209.85.128.196]:41483 "EHLO
        mail-wr0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751541AbeDKPjJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 11 Apr 2018 11:39:09 -0400
Received: by mail-wr0-f196.google.com with SMTP id s12so2225017wrc.8
        for <linux-kernel@vger.kernel.org>; Wed, 11 Apr 2018 08:39:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=amarulasolutions.com; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=ArbrX/5yyG8FWRkqgfRqlMRuePOguAcoKGv78N//1P0=;
        b=RC/xGnscLtE85RSJX8QFHbcp1iloPqgGxqTznzjI68fydwhQot3MJHENLKafTuzt+Z
         coMoybTFy/vnAKhIfDmlg9HkRNKNfgZ1dZxWMIvc/MLzz6vMUfc7mMJA5LKcDBTw1gwM
         z1734gqrzVLYdTneLvUkpqFDfErL9xsFMzvx8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=ArbrX/5yyG8FWRkqgfRqlMRuePOguAcoKGv78N//1P0=;
        b=XsULfOPlHS6XlA2Oo4j9sR61yKSBpo2+D2y3LKnsLfA903fhNAfz8lQExo6JzRp9OH
         KdX3nSXK2Q+jngdMJL31Vng3yAMMaVkpwLjibatsTXByy7kpWrUGy97ZxDgumNPqdSRP
         Hfn8Xk13OrwFYF7PZNpUxaQisWV7uukZCAiylHH9MQeUIVn7jN1vY1H2md7dP4ZbG0Cv
         lugc9SDSj3kiWoUGAlJdPcP3p0imT6nGFGolG3s43vyBcVL0/8nG8O2305cYg5l8pAP0
         WW1hPZXwWmx4qcCRcsXoP2HapiiCNdKdjKY6OWLUOaNTaWVgU0x3if+BlPl5f4TIfvue
         EB3A==
X-Gm-Message-State: ALQs6tCqaHPHPDLjaBghFcDAkkhA9ZxEyyp80InwbD3pru930ch+KNFC
        fR3eHlRzoRr3b2izlw6pS7esgEx+
X-Received: by 10.223.226.14 with SMTP id j14mr3722967wri.17.1523461148485;
        Wed, 11 Apr 2018 08:39:08 -0700 (PDT)
Received: from andrea ([213.209.242.222])
        by smtp.gmail.com with ESMTPSA id k35sm1297015wre.55.2018.04.11.08.39.07
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 11 Apr 2018 08:39:07 -0700 (PDT)
Date:   Wed, 11 Apr 2018 17:39:01 +0200
From:   Andrea Parri <andrea.parri@amarulasolutions.com>
To:     Catalin Marinas <catalin.marinas@arm.com>
Cc:     Will Deacon <will.deacon@arm.com>, peterz@infradead.org,
        boqun.feng@gmail.com, linux-kernel@vger.kernel.org,
        paulmck@linux.vnet.ibm.com, mingo@kernel.org,
        linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 00/10] kernel/locking: qspinlock improvements
Message-ID: <20180411153901.GA14205@andrea>
References: <1522947547-24081-1-git-send-email-will.deacon@arm.com>
 <20180406132249.GA7071@andrea>
 <20180411102003.rjfrcmc4fjukehst@armageddon.cambridge.arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180411102003.rjfrcmc4fjukehst@armageddon.cambridge.arm.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 11, 2018 at 11:20:04AM +0100, Catalin Marinas wrote:
> On Fri, Apr 06, 2018 at 03:22:49PM +0200, Andrea Parri wrote:
> > On Thu, Apr 05, 2018 at 05:58:57PM +0100, Will Deacon wrote:
> > > I've been kicking the tyres further on qspinlock and with this set of patches
> > > I'm happy with the performance and fairness properties. In particular, the
> > > locking algorithm now guarantees forward progress whereas the implementation
> > > in mainline can starve threads indefinitely in cmpxchg loops.
> > > 
> > > Catalin has also implemented a model of this using TLA to prove that the
> > > lock is fair, although this doesn't take the memory model into account:
> > > 
> > > https://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/kernel-tla.git/commit/
> > 
> > Nice!  I'll dig into this formalization, but my guess is that our model
> > (and axiomatic models "a-la-herd", in general) are not well-suited when
> > it comes to study properties such as fairness, liveness...
> 
> Maybe someone with a background in formal methods could give a better
> answer. How TLA+ works is closer to rmem [1] (operational model,
> exhaustive memoised state search) than herd. Liveness verification
> requires checking that, under certain fairness properties, some state is
> eventually reached. IOW, it tries to show that either all state change
> graphs lead to (go through) such state or that there are cycles in the
> graph and the state is never reached. I don't know whether herd could be
> modified to check liveness. I'm not sure it can handle infinite loops
> either (the above model checks an infinite lock/unlock loop on each
> CPU and that's easier to implement in a tool with memoised states).
> 
> The TLA+ model above assumes sequential consistency, so no memory
> ordering taken into account. One could build an operational model in
> TLA+ that's equivalent to the axiomatic one (e.g. following the Flat
> model equivalence as in [2]), however, liveness checking (at least with
> TLA+) is orders of magnitude slower than safety. Any small variation has
> an exponential impact on the state space, so likely to be impractical.
> For specific parts of the algorithm, you may be able to use a poor man's
> ordering by e.g. writing two accesses in two different orders so the
> model checks both combinations.
> 
> There are papers (e.g. [3]) on how to convert liveness checking to
> safety checking but I haven't dug further. I think it's easier/faster if
> you do liveness checking with a simplified model and separately check
> the safety with respect to memory ordering on tools like herd.

Indeed.  A fundamental problem, AFAICT, is to formalize that concept of
'[it] will _eventually_ happen'.  Consider a simple example:

	{ x = 0}

	P0	|   P1
		|
	x = 1	|   while (!x)
		|  	 ;

herd 'knows' that:

	- on the 1st iteration of the 'while' loop, the load from x
	  can return the value 0 or 1 (only);

	- on the 2nd iteration of the 'while' loop, the load from x
	  can return the value 0 or 1;

	- [ ... and 'so on'! ]

but this is pretty much all herd knows about this snippet by now ... ;)

Thanks,
  Andrea


> 
> [1] http://www.cl.cam.ac.uk/~sf502/regressions/rmem/
> [2] http://www.cl.cam.ac.uk/~pes20/armv8-mca/armv8-mca-draft.pdf
> [3] https://www.sciencedirect.com/science/article/pii/S1571066104804109
> 
> -- 
> Catalin