Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2006877pxk;
        Tue, 1 Sep 2020 13:12:07 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzQMaRftwImEDdaz9fVRXsDO/HqMaQ4pIsagW3PBGNqBxCOqS7W8zGEboWmAPWCbNO+WDmv
X-Received: by 2002:a17:906:640c:: with SMTP id d12mr3155524ejm.388.1598991126838;
        Tue, 01 Sep 2020 13:12:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1598991126; cv=none;
        d=google.com; s=arc-20160816;
        b=fs9fN1LBDkPbJ34CYQIBgx6x21OdEuvFKuutGH0YeiGsM/XzKa2zDzWqRHj4xHeBLR
         t2QpJZgI7iVO0TCiJLZfGwKKJHvpEmsDOsBla+Hq5J+hS/aSLEzLk4YyoSo3yzTVQLFQ
         Z+4Qr2yEVprN+kxDbJZkQdtCd5j653c4R8WJGzxaMI75HkIg5Lmuy1JmHqpvJDme3AJ9
         6mMPpKqKQWvPfXNBSI0W//e/jSi/Xtlhb5sIzWPxktcIFF/IHqsSZrISMqlIEHoEUqfY
         Wx0dbkQ/EeSa0AhNzCBJ3KlnPIv8NkMclYZfBEMk76mYaB2UNtkSOCFdHLox2POmiI7t
         CIaw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=s2v1zj0adbis5HX8w/3/HY0K9QXDKiDjwVPU63uUxa8=;
        b=mqS/UBcgweVghH+OT4cGqu+wO5uRebmgBMDxaNuJBcF6yOjJDIAY7jiEOwHtgO9FHP
         AQ4aLzGG5zZR3Dvl7K7rs4gnbVY2jdBue6IAd/yMO+HTHyhZbNdeaQTRvcIFYs0WPl3r
         fPlAgQWxlNAH8ocEG3mfVhPpsMhUHZmW7BUfi7581VRpmnZOoXBESkmbmfoap46huFYX
         UJzMB42pfb21LKS8LVBx5WY56Imb4jmr8EuPtTRgY7BVdipPxqsoCu+OZSdA3g64CdKp
         8EvJ47+iSAVTZFUP8Bnpey3BsnWriBr/nuJOB3SzCgkE8I1neA5olbLUoo2zk5i5GMVm
         4F+A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id f27si1286628ejt.420.2020.09.01.13.11.43;
        Tue, 01 Sep 2020 13:12:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728502AbgIAULO (ORCPT <rfc822;thunderbird.krnldev@gmail.com>
        + 99 others); Tue, 1 Sep 2020 16:11:14 -0400
Received: from netrider.rowland.org ([192.131.102.5]:38371 "HELO
        netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with SMTP id S1727842AbgIAULL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 1 Sep 2020 16:11:11 -0400
Received: (qmail 600595 invoked by uid 1000); 1 Sep 2020 16:11:10 -0400
Date:   Tue, 1 Sep 2020 16:11:10 -0400
From:   Alan Stern <stern@rowland.harvard.edu>
To:     "Paul E. McKenney" <paulmck@kernel.org>
Cc:     linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
        kernel-team@fb.com, mingo@kernel.org, parri.andrea@gmail.com,
        will@kernel.org, peterz@infradead.org, boqun.feng@gmail.com,
        npiggin@gmail.com, dhowells@redhat.com, j.alglave@ucl.ac.uk,
        luc.maranget@inria.fr, akiyks@gmail.com
Subject: Re: [PATCH kcsan 9/9] tools/memory-model:  Document locking corner
 cases
Message-ID: <20200901201110.GB599114@rowland.harvard.edu>
References: <20200831182012.GA1965@paulmck-ThinkPad-P72>
 <20200831182037.2034-9-paulmck@kernel.org>
 <20200831201701.GB558270@rowland.harvard.edu>
 <20200831214738.GE2855@paulmck-ThinkPad-P72>
 <20200901014504.GB571008@rowland.harvard.edu>
 <20200901170421.GF29330@paulmck-ThinkPad-P72>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200901170421.GF29330@paulmck-ThinkPad-P72>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Sep 01, 2020 at 10:04:21AM -0700, Paul E. McKenney wrote:
> On Mon, Aug 31, 2020 at 09:45:04PM -0400, Alan Stern wrote:

> > The question is, what are you trying to accomplish in this section?  Are 
> > you trying to demonstrate that it isn't safe to allow arbitrary code to 
> > leak into a critical section?  If so then you don't need to present an 
> > LKMM litmus test to make the point; the example I gave here will do 
> > quite as well.  Perhaps even better, since it doesn't drag in all sorts 
> > of extraneous concepts like limitations of litmus tests or how to 
> > emulate a spin loop.
> > 
> > On the other hand, if your goal is to show how to construct a litmus 
> > test that will model a particular C language test case (such as the one 
> > I gave), then the text does a reasonable job -- although I do think it 
> > could be clarified somewhat.  For instance, it wouldn't hurt to include 
> > the real C code before giving the corresponding litmus test, so that the 
> > reader will have a clear idea of what you're trying to model.
> 
> Makes sense.  I can apply this at some point, but I would welcome a patch
> from you, which I would be happy to fold in with your Codeveloped-by.

I don't have time to work on these documents now.  Maybe later on.  They 
do need some serious editing.  (You could try reading through them 
carefully yourself; I'm sure you'd find a lot of things to fix up.)

Incidentally, your patch bomb from yesterday was the first time I had 
seen these things (except for the litmus-test format document).

> > Just what you want to achieve here is not clear from the context.
> 
> People who have internalized the "roach motel" model of locking
> (https://www.cs.umd.edu/~pugh/java/memoryModel/BidirectionalMemoryBarrier.html)
> need their internalization adjusted.

Shucks, if you only want to show that letting arbitrary code (i.e., 
branches) migrate into a critical section is unsafe, all you need is 
this uniprocessor example:

	P0(int *sl)
	{
		goto Skip;
		spin_lock(sl);
		spin_unlock(sl);
	Skip:
		spin_lock(sl);
		spin_unlock(sl);
	}

This does nothing but runs fine.  Letting the branch move into the first 
critical section gives:

	P0(int *sl)
	{
		spin_lock(sl);
		goto Skip;
		spin_unlock(sl);
	Skip:
		spin_lock(sl);
		spin_unlock(sl);
	}

which self-deadlocks 100% of the time.  You don't need to know anything 
about memory models or concurrency to understand this.

On the other hand, if you want to show that letting memory accesses leak 
into a critical section is unsafe then you need a different example: 
spin loops won't do it.

> > Besides, the example is in any case a straw man.  The text starts out 
> > saying "It is tempting to allow memory-reference instructions to be 
> > pulled into a critical section", but then the example pulls an entire 
> > spin loop inside -- not just the memory references but also the 
> > conditional branch instruction at the bottom of the loop!  I can't 
> > imagine anyone would think it was safe to allow branches to leak into a 
> > critical section, particularly when doing so would break a control 
> > dependency (as it does here).
> 
> Most people outside of a few within the Linux kernel community and within
> the various hardware memory-ordering communities don't know that control
> dependencies even exist, so could not be expected to see any danger
> in rather thoroughly folding, spindling, or otherwise mutilating them,
> let alone pulling them into a lock-based critical section.  And many in
> the various toolchain communities see dependencies of any sort as an
> impediment to performance that should be broken wherever and whenever
> possible.
> 
> That said, a less prejudicial introduction to this example might be good.
> What did you have in mind?

Again, it depends on what example is intended to accomplish (which you 
still haven't said explicitly).  Whatever it is, I don't think the 
current text is a good way to do it.

Alan