Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp744351iog; Mon, 13 Jun 2022 11:58:27 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uaiNeEIPBUn79aSyg5mosHtcERQK3Y67mYJQZDXusDKeF+zsJVlADrwhy35dF8bqJCfCIw X-Received: by 2002:a17:903:2483:b0:168:c4c3:e895 with SMTP id p3-20020a170903248300b00168c4c3e895mr401572plw.0.1655146706855; Mon, 13 Jun 2022 11:58:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655146706; cv=none; d=google.com; s=arc-20160816; b=xGsWveUh3PXS/SRXvS2UTMH4EYV10Lysc7xiq+GUhXapE5xsod+jvpTwZ6kB6m+y4V NSm6Sy9ilXIcu3TfwHWPieEqZ6eLGZI1B3ewMatFbi8nssOrxRtzMRT5oI3mgcDi+w7H ouW5ziY9p2mZ+NIoO3BImjzvYkS0dM6CBOzZ0PCqktCCDQryd2TwCtb9yWhNF4KSVcoV KmhEFJ58WhxJfrLJnM3lyE2MTIMzYz8gwirtgdgi+YUmbZZWdNo4ITvGELK6KIsmaJpr HxxJ+p5zBei567nDJ2dSRgMY5NHfy036COAjCtm95g2S+GqjJnGXq31R+wuSqjn++Xn7 jSgg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=GUgZ4a3rkf6xb9YgN73pXNohk7fp05BoTVL72OcCtoc=; b=dUDEoxxVeshdNdHmyvyTlLwOv0xyp0hIDVKALXoBFA/Dz3b11uw3LQQYDQfcQXl8yw gwey58fXGKT98YnHLBFg98/ya6Jr2b7hKwPQDveey/eeWEDsU6px6GA/lraXqlzNvUQW DUGLxXqoXW3ByvNxyfrmVDDOip0krnmPw4DnXfM8d1FzZH7r8y+nuNqd5DHkQmsal2tS uQjHE4tBcqA3bbYkS2Uvube9ui6jCGJi0uHD2NmgKjjWkV/beoQnRAaokp9AmjXXIjp4 KVbLBHfldlFIp+DSk5GX7RxAwMRjceNgeQPteuKHsKL3js6bvn3ALA8S5n+rKHX7TV6a Z26g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x22-20020aa79576000000b005187a9a74cdsi9056461pfq.269.2022.06.13.11.58.14; Mon, 13 Jun 2022 11:58:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245018AbiFMStF (ORCPT + 99 others); Mon, 13 Jun 2022 14:49:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51994 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345365AbiFMSs2 (ORCPT ); Mon, 13 Jun 2022 14:48:28 -0400 Received: from netrider.rowland.org (netrider.rowland.org [192.131.102.5]) by lindbergh.monkeyblade.net (Postfix) with SMTP id BD9A3E64E7 for ; Mon, 13 Jun 2022 08:46:37 -0700 (PDT) Received: (qmail 603976 invoked by uid 1000); 13 Jun 2022 11:46:36 -0400 Date: Mon, 13 Jun 2022 11:46:36 -0400 From: Alan Stern To: Paul =?iso-8859-1?Q?Heidekr=FCger?= Cc: Andrea Parri , Will Deacon , Peter Zijlstra , Boqun Feng , Nicholas Piggin , David Howells , Jade Alglave , Luc Maranget , "Paul E. McKenney" , Akira Yokosawa , Daniel Lustig , Joel Fernandes , linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, Marco Elver , Charalampos Mainas , Pramod Bhatotia , Soham Chakraborty , Martin Fink Subject: Re: [PATCH] tools/memory-model: Clarify LKMM's limitations in litmus-tests.txt Message-ID: References: <20220613122744.373516-1-paul.heidekrueger@in.tum.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20220613122744.373516-1-paul.heidekrueger@in.tum.de> X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 13, 2022 at 12:27:44PM +0000, Paul Heidekr?ger wrote: > As discussed, clarify LKMM not recognizing certain kinds of orderings. > In particular, highlight the fact that LKMM might deliberately make > weaker guarantees than compilers and architectures. > > Link: https://lore.kernel.org/all/YpoW1deb%2FQeeszO1@ethstick13.dse.in.tum.de/T/#u > Signed-off-by: Paul Heidekr?ger > Cc: Marco Elver > Cc: Charalampos Mainas > Cc: Pramod Bhatotia > Cc: Soham Chakraborty > Cc: Martin Fink > --- > .../Documentation/litmus-tests.txt | 29 ++++++++++++------- > 1 file changed, 19 insertions(+), 10 deletions(-) > > diff --git a/tools/memory-model/Documentation/litmus-tests.txt b/tools/memory-model/Documentation/litmus-tests.txt > index 8a9d5d2787f9..623059eff84e 100644 > --- a/tools/memory-model/Documentation/litmus-tests.txt > +++ b/tools/memory-model/Documentation/litmus-tests.txt > @@ -946,22 +946,31 @@ Limitations of the Linux-kernel memory model (LKMM) include: > carrying a dependency, then the compiler can break that dependency > by substituting a constant of that value. > > - Conversely, LKMM sometimes doesn't recognize that a particular > - optimization is not allowed, and as a result, thinks that a > - dependency is not present (because the optimization would break it). > - The memory model misses some pretty obvious control dependencies > - because of this limitation. A simple example is: > + Conversely, LKMM will sometimes overstate the amount of reordering > + done by architectures and compilers, leading it to missing some > + pretty obvious orderings. A simple example is: I don't like the word "overstate" here. How about instead: LKMM will sometimes overestimate the amount of reordering CPUs and compilers can carry out, leading it to miss some pretty obvious cases of ordering. > > r1 = READ_ONCE(x); > if (r1 == 0) > smp_mb(); > WRITE_ONCE(y, 1); > > - There is a control dependency from the READ_ONCE to the WRITE_ONCE, > - even when r1 is nonzero, but LKMM doesn't realize this and thinks > - that the write may execute before the read if r1 != 0. (Yes, that > - doesn't make sense if you think about it, but the memory model's > - intelligence is limited.) > + There is no dependency from the WRITE_ONCE() to the READ_ONCE(), You mean "from the READ_ONCE() to the WRITE_ONCE()". > + and as a result, LKMM does not assume ordering. However, the ... does not claim that the load is ordered before the store. > + smp_mb() in the if branch will prevent architectures from > + reordering the WRITE_ONCE() ahead of the READ_ONCE() but only if r1 Architectures don't do reordering; CPUs do. In any case this sentence is wrong; the presence of the "if" statement is what prevents the reordering. CPUs will never reorder a store before a conditional branch, even if the store gets executed on both branches of the conditional. By contrast, the smp_mb() in one of the branches prevents _compilers_ from moving the store before the conditional. > + is 0. This, by definition, is not a control dependency, yet > + ordering is guaranteed in some cases, depending on the READ_ONCE(), > + which LKMM doesn't recognize. Say instead: However, even though no dependency is present, the WRITE_ONCE() will not be executed before the READ_ONCE(). There are two reasons for this: The presence of the smp_mb() in one of the branches prevents the compiler from moving the WRITE_ONCE() up before the "if" statement, since the compiler has to assume that r1 will sometimes be 0 (but see the comment below); CPUs do not execute stores before po-earlier conditional branches, even in cases where the store occurs after the two arms of the branch have recombined. > + > + It is clear that it is not dangerous in the slightest for LKMM to > + make weaker guarantees than architectures. In fact, it is > + desirable, as it gives compilers room for making optimizations. > + For instance, because a value of 0 triggers undefined behavior "because a value of 0 triggers undefined behavior" implies that undefined behavior will always occur. Instead say: For instance, suppose that a 0 value in r1 would trigger undefined behavior later on. Then a clever compiler... > + elsewhere, a clever compiler might deduce that r1 can never be 0 in > + the if condition. As a result, said clever compiler might deem it > + safe to optimize away the smp_mb(), eliminating the branch and > + any ordering an architecture would guarantee otherwise. Alan > > 2. Multiple access sizes for a single variable are not supported, > and neither are misaligned or partially overlapping accesses. > -- > 2.35.1 >