Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1388467pxk;
        Mon, 31 Aug 2020 18:48:16 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzLSZ9YH9iVtIInVkq2Ef9uzhzusDXQYXFV0A6g0w8T+iS+L7aAtRPL8HS/h5+ivpwhczz1
X-Received: by 2002:a17:906:1794:: with SMTP id t20mr3262802eje.229.1598924896675;
        Mon, 31 Aug 2020 18:48:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1598924896; cv=none;
        d=google.com; s=arc-20160816;
        b=GsIw4hVcnx8giYdYGZ6Gs124tNWLeStV6L6sukJ2cc7YvuG+e6yuNwe9+gH+EOav45
         QxkTJYki0sSJUmyXmIuJGh0GWSEWNWGF6kqnl0q4+mKUpJZabBxBtOYNhWBP87nWpkbG
         7UtbOk2e4gBwm0ncQul/Z9vo0f4TZCrDV+mDuY6cjQRS2uNVe8KjLUVUfjojdXXA+Dmu
         KgvtsVzz/I4f69LW6/kqKD5b7p4uI8naTcI3WPMHJv9xdPJ0kPwLpic9ZOVp92pq99Bi
         zdYsDa2O0ZLX2akA5ePNY292X51gk04pB0wccVXPus0trSoSKJHiPAYLi1tgpzcSKmtJ
         /Scg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=VpNcyOwVHpHGnT4IRUqJhUGnlpoxYK5zjNrTTRNqMT0=;
        b=kdJbkHU2Z/CEmKbaFRfW3YdGKTZmETQ/DwISSF+iK4B4ZDP4lmmfyV7MO04EIMvC0B
         lAX4Q5Qn1yeeGf0z6x+p3oN2cy/0T9Lr1QaaGcDfk+WLjmui86kCbCeI2bTbC+Y60ioH
         y/dU4MgIHaJwIL6Z8E2X5apn98b+zyUqMxHSnerPptcRvOOQrAcf/ta921vFBCxp0dbl
         XFUdm8OVk9tnd4IcJ2Kdor13f8sUtMYNky+O/rlDRgbQxT3vdeX2PiVxICGqWxI4Qtp/
         KhLd4mu8EliLu7nwxSJSL2Bnu+U5yAiravEFuD1BAXfWnFl0z4abKjV6jXQW744NHICM
         lvJA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id kt6si3329049ejb.276.2020.08.31.18.47.54;
        Mon, 31 Aug 2020 18:48:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726107AbgIABpG (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Mon, 31 Aug 2020 21:45:06 -0400
Received: from netrider.rowland.org ([192.131.102.5]:37433 "HELO
        netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with SMTP id S1726023AbgIABpF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 31 Aug 2020 21:45:05 -0400
Received: (qmail 571492 invoked by uid 1000); 31 Aug 2020 21:45:04 -0400
Date:   Mon, 31 Aug 2020 21:45:04 -0400
From:   Alan Stern <stern@rowland.harvard.edu>
To:     "Paul E. McKenney" <paulmck@kernel.org>
Cc:     linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
        kernel-team@fb.com, mingo@kernel.org, parri.andrea@gmail.com,
        will@kernel.org, peterz@infradead.org, boqun.feng@gmail.com,
        npiggin@gmail.com, dhowells@redhat.com, j.alglave@ucl.ac.uk,
        luc.maranget@inria.fr, akiyks@gmail.com
Subject: Re: [PATCH kcsan 9/9] tools/memory-model:  Document locking corner
 cases
Message-ID: <20200901014504.GB571008@rowland.harvard.edu>
References: <20200831182012.GA1965@paulmck-ThinkPad-P72>
 <20200831182037.2034-9-paulmck@kernel.org>
 <20200831201701.GB558270@rowland.harvard.edu>
 <20200831214738.GE2855@paulmck-ThinkPad-P72>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200831214738.GE2855@paulmck-ThinkPad-P72>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Aug 31, 2020 at 02:47:38PM -0700, Paul E. McKenney wrote:
> On Mon, Aug 31, 2020 at 04:17:01PM -0400, Alan Stern wrote:

> > Is this discussion perhaps overkill?
> > 
> > Let's put it this way: Suppose we have the following code:
> > 
> > 	P0(int *x, int *lck)
> > 	{
> > 		spin_lock(lck);
> > 		WRITE_ONCE(*x, 1);
> > 		do_something();
> > 		spin_unlock(lck);
> > 	}
> > 
> > 	P1(int *x, int *lck)
> > 	{
> > 		while (READ_ONCE(*x) == 0)
> > 			;
> > 		spin_lock(lck);
> > 		do_something_else();
> > 		spin_unlock(lck);
> > 	}
> > 
> > It's obvious that this test won't deadlock.  But if P1 is changed to:
> > 
> > 	P1(int *x, int *lck)
> > 	{
> > 		spin_lock(lck);
> > 		while (READ_ONCE(*x) == 0)
> > 			;
> > 		do_something_else();
> > 		spin_unlock(lck);
> > 	}
> > 
> > then it's equally obvious that the test can deadlock.  No need for
> > fancy memory models or litmus tests or anything else.
> 
> For people like you and me, who have been thinking about memory ordering
> for longer than either of us care to admit, this level of exposition is
> most definitely -way- overkill!!!
> 
> But I have had people be very happy and grateful that I explained this to
> them at this level of detail.  Yes, I started parallel programming before
> some of them were born, but they are definitely within our target audience
> for this particular document.  And it is not just Linux kernel hackers
> who need this level of detail.  A roughly similar transactional-memory
> scenario proved to be so non-obvious to any number of noted researchers
> that Blundell, Lewis, and Martin needed to feature it in this paper:
> https://ieeexplore.ieee.org/abstract/document/4069174
> (Alternative source: https://repository.upenn.edu/cgi/viewcontent.cgi?article=1344&context=cis_papers)
> 
> Please note that I am -not- advocating making (say) explanation.txt or
> recipes.txt more newbie-accessible than they already are.  After all,
> the point of the README file in that same directory is to direct people
> to the documentation files that are the best fit for them, and both
> explanation.txt and recipes.txt contain advanced material, and thus
> require similarly advanced prerequisites.
> 
> Seem reasonable, or am I missing your point?

The question is, what are you trying to accomplish in this section?  Are 
you trying to demonstrate that it isn't safe to allow arbitrary code to 
leak into a critical section?  If so then you don't need to present an 
LKMM litmus test to make the point; the example I gave here will do 
quite as well.  Perhaps even better, since it doesn't drag in all sorts 
of extraneous concepts like limitations of litmus tests or how to 
emulate a spin loop.

On the other hand, if your goal is to show how to construct a litmus 
test that will model a particular C language test case (such as the one 
I gave), then the text does a reasonable job -- although I do think it 
could be clarified somewhat.  For instance, it wouldn't hurt to include 
the real C code before giving the corresponding litmus test, so that the 
reader will have a clear idea of what you're trying to model.

Just what you want to achieve here is not clear from the context.

Besides, the example is in any case a straw man.  The text starts out 
saying "It is tempting to allow memory-reference instructions to be 
pulled into a critical section", but then the example pulls an entire 
spin loop inside -- not just the memory references but also the 
conditional branch instruction at the bottom of the loop!  I can't 
imagine anyone would think it was safe to allow branches to leak into a 
critical section, particularly when doing so would break a control 
dependency (as it does here).

Alan