Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Date:   Wed, 29 Sep 2021 14:06:34 +0200
From:   Marco Elver <elver@google.com>
To:     Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc:     will@kernel.org, paulmck@kernel.org,
        Peter Zijlstra <peterz@infradead.org>,
        Segher Boessenkool <segher@kernel.crashing.org>,
        linux-kernel@vger.kernel.org,
        Linus Torvalds <torvalds@linux-foundation.org>,
        stern@rowland.harvard.edu, parri.andrea@gmail.com,
        boqun.feng@gmail.com, npiggin@gmail.com, dhowells@redhat.com,
        j.alglave@ucl.ac.uk, luc.maranget@inria.fr, akiyks@gmail.com,
        linux-toolchains@vger.kernel.org, linux-arch@vger.kernel.org
Subject: Re: [RFC PATCH] LKMM: Add ctrl_dep() macro for control dependency
Message-ID: <YVRWyq+rDeAFLx+X@elver.google.com>
References: <20210928211507.20335-1-mathieu.desnoyers@efficios.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20210928211507.20335-1-mathieu.desnoyers@efficios.com>
User-Agent: Mutt/2.0.5 (2021-01-21)
Precedence: bulk

On Tue, Sep 28, 2021 at 05:15PM -0400, Mathieu Desnoyers wrote:
> The control dependency ordering currently documented in
> Documentation/memory-barriers.txt is fragile and can be broken by
> various compiler optimizations.
> 
> The goal here is to prevent the compiler from being able to optimize a
> conditional branch into something which lacks the control dependency,
> while letting the compiler choose the best conditional branch in each
> case.
> 
> Prevent the compiler from considering the two legs of a conditional
> branch as identical by adding a distinct volatile asm in each leg of the
> branch. Those asm do not emit any instruction nor data into the
> resulting executable, and do not have any clobbers.
> 
> GNU describes asm volatile statements as having side-effects. [1]
> 
> C99 describes that accessing volatile objects are side-effects, and that
> "at certain specified points in the execution sequence called sequence
> points, all side effects of previous evaluations shall be complete
> and no side effects of subsequent evaluations shall have taken
> place". [2]
> 
> This ensures that the program order of READ_ONCE(), asm volatile in both
> legs of the branch, and following WRITE_ONCE() and after_ctrl_dep()
> barriers are preserved.
> 
> With this approach, the following code now keeps the control dependency:
> 
>         z = READ_ONCE(var1);
>         if (ctrl_dep(z))
>                 WRITE_ONCE(var2, 5);
>         else
>                 WRITE_ONCE(var2, 5);
> 
> And the ctrl_dep_eval() checking the constant triggers a build error
> for:
> 
>         y = READ_ONCE(var1);
>         if (ctrl_dep(y % 1))
>                 WRITE_ONCE(var2, 5);
>         else
>                 WRITE_ONCE(var2, 6);
> 
> Which is good to have to ensure the compiler don't end up removing the
> conditional branch because the it evaluates a constant.
> 
> Introduce the ctrl_dep macro in the generic headers, and use it
> everywhere it appears relevant.  The approach taken is simply to
> look for smp_acquire__after_ctrl_dep and "control dependency" across the
> kernel sources, so a few other uses may have been missed.

It would be nice to know where and on which arch things are currently
broken of course, which might then also help raise confidence that this
implementation of ctrl_dep() works.

Because it's still hard to prove that the compiler will always do the
right thing with that implementation. The only concrete option I see
here is creating tests with known or potential breakage.

In an ideal world we could add such tests to the compiler's test-suites
themselves, assuming the behaviour your ctrl_dep() implementation relies
on is supposed to be guaranteed (and the compiler folks agree..).

Beyond the above trivial test case with 2 identical branches, here's
another one that breaks on arm64 with clang 12 (taken from
https://reviews.llvm.org/D103958):

 | int x, y;
 | void noinline test_ctrl_dep_broken1(void)
 | {
 | 	/* ARM: do NOT expect: cinc | expect: cbz */
 | 	if (ctrl_dep(READ_ONCE(x))) {
 | 		y = 1;
 | 	} else {
 | 		y = 2;
 | 	}
 | }

Without ctrl_dep():

 | <test_ctrl_dep_broken1>:
 |        d00042a8        adrp    x8, ffffffc010868000 <initcall_debug>
 |        b9400508        ldr     w8, [x8, #4]
 |        52800029        mov     w9, #0x1                        // #1
 |        7100011f        cmp     w8, #0x0
 |        1a891528        cinc    w8, w9, eq  // eq = none
 |        d00042a9        adrp    x9, ffffffc010868000 <initcall_debug>
 |        b9000928        str     w8, [x9, #8]
 |        d65f03c0        ret

			^^ no branch, compiler replaced branch with cinc!

with ctrl_dep():

 | <test_ctrl_dep_broken1>:
 |        d00042a8        adrp    x8, ffffffc010868000 <initcall_debug>
 |        b9400508        ldr     w8, [x8, #4]
 |        34000068        cbz     w8, ffffffc0100124b4 <test_ctrl_dep_broken1+0x14>
 |        52800028        mov     w8, #0x1                        // #1
 |        14000002        b       ffffffc0100124b8 <test_ctrl_dep_broken1+0x18>
 |        52800048        mov     w8, #0x2                        // #2
 |        d00042a9        adrp    x9, ffffffc010868000 <initcall_debug>
 |        b9000928        str     w8, [x9, #8]
 |        d65f03c0        ret

			^^ has cbz (and no cinc)

Which is good -- empirically, this seems to work for this case at least.