Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp1556581rwb; Thu, 19 Jan 2023 12:13:43 -0800 (PST) X-Google-Smtp-Source: AMrXdXtCGF3DEf6bx8ZlPjXj3ZJaB3ZnonyFPzA4VeFHzyf7XHDQMO36Xii+wS5bREGtZkEHLmj5 X-Received: by 2002:a17:906:774f:b0:870:94e:13f9 with SMTP id o15-20020a170906774f00b00870094e13f9mr12858473ejn.0.1674159223761; Thu, 19 Jan 2023 12:13:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674159223; cv=none; d=google.com; s=arc-20160816; b=v6fZssNz2KIjfH5PuUasE+B1lCd41iVYCUnlWABMdXpxFn7A9bEHh4d3XrOkT4BHVe PMGVf11Rvx1cRloL7Pi+SHGOk4NI/IsB4YihQv8afp271QkPQ7MqLfd7zmMheVLuLOYm BVwrMkRbFVZtZpJWsY4zGqYwclUJwIKEhi6N4wTM+3S0dmHhFPOGJFJzkRHh+3lCFlT6 exWEG52vX3Gay12Lrpa2R56MllMXizKWYjW1IFiP1IB4AcOvDKkeAWIS6f5DwiX5tV/C OkyeYZlHVoy1ZpLL21kphsWhkGI9naA1akACEXyEmYg0BIiG+EZfUwt9oOBdfsH56k/3 4hNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=uTsJpCgYKw2/FlKp7WKkX4Pbp0xrN5AdmRr7bAD86Dc=; b=NMMMvbx1zP+xAfuxVxV2TIfBMQjRaty7tY/rpnxjI62gNaFpxXCI9MlehBMYBhQ+/j GCUk1A7AD5v2R4dY4G22k+El6Y+TfcMfVXiP6MMFEcL53iATUq2isIVM36Qxlo9/e2+l UnDTCj0+mFEWQdk8oqgCxQG6gLko/NnjhB6Q79dCl90MatX3zLx9SiuZF2Do+By2MRI/ xLlxjTkU8azW87VMp3EyGSLeS0ddeNj6Ap8QWjLo7iETF+M/RF/bKWiZtN3uCbdU4c5h Ca+v8Zhn4ary7HB/yPxeGBdAcHRegAkDcXtaN/mB/8Bo7BZaLJBySX2spk+Zw5xvoJTF M7ug== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id cw19-20020a170906479300b00876a2339b6fsi7594320ejc.25.2023.01.19.12.13.32; Thu, 19 Jan 2023 12:13:43 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230116AbjASUGP (ORCPT + 46 others); Thu, 19 Jan 2023 15:06:15 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59930 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229775AbjASUGJ (ORCPT ); Thu, 19 Jan 2023 15:06:09 -0500 Received: from netrider.rowland.org (netrider.rowland.org [192.131.102.5]) by lindbergh.monkeyblade.net (Postfix) with SMTP id 0C74E9516C for ; Thu, 19 Jan 2023 12:06:07 -0800 (PST) Received: (qmail 262815 invoked by uid 1000); 19 Jan 2023 15:06:07 -0500 Date: Thu, 19 Jan 2023 15:06:07 -0500 From: Alan Stern To: Jonas Oberhauser Cc: paulmck@kernel.org, parri.andrea@gmail.com, will@kernel.org, peterz@infradead.org, boqun.feng@gmail.com, npiggin@gmail.com, dhowells@redhat.com, j.alglave@ucl.ac.uk, luc.maranget@inria.fr, akiyks@gmail.com, dlustig@nvidia.com, joel@joelfernandes.org, urezki@gmail.com, quic_neeraju@quicinc.com, frederic@kernel.org, linux-kernel@vger.kernel.org, viktor@mpi-sws.org Subject: Re: [PATCH] tools/memory-model: Make ppo a subrelation of po Message-ID: References: <20230117193159.22816-1-jonas.oberhauser@huaweicloud.com> <75c74fe1-a846-aed8-c00c-45deeb1cfdda@huaweicloud.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <75c74fe1-a846-aed8-c00c-45deeb1cfdda@huaweicloud.com> X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 19, 2023 at 04:05:38PM +0100, Jonas Oberhauser wrote: > > > On 1/19/2023 4:13 AM, Alan Stern wrote: > > On Wed, Jan 18, 2023 at 10:38:11PM +0100, Jonas Oberhauser wrote: > > > > > > On 1/18/2023 8:52 PM, Alan Stern wrote: > > > > On Tue, Jan 17, 2023 at 08:31:59PM +0100, Jonas Oberhauser wrote: > > > > > - ([M] ; po? ; [LKW] ; fencerel(After-spinlock) ; [M]) | > > > > > - ([M] ; po ; [UL] ; (co | po) ; [LKW] ; > > > > > - fencerel(After-unlock-lock) ; [M]) > > > > > + ([M] ; po? ; [LKW] ; fencerel(After-spinlock) ; [M]) > > > > Shouldn't the po case of (co | po) remain intact here? > > > You can leave it here, but it is already covered by two other parts: the > > > ordering given through ppo/hb is covered by the po-unlock-lock-po & int in > > > ppo, and the ordering given through pb is covered by its inclusion in > > > strong-order. > > What about the ordering given through > > A-cumul(strong-fence)/cumul-fence/prop/hb? I suppose that might be > > superseded by pb as well, > Indeed, in fact all of A-cumul(strong-fence) is already covered through pb. > > but it seems odd not to have it in hb. > > In general, the idea in the memory model is that hb ordering relies on > > the non-strong properties of fences, whereas pb relies on the properties > > of strong fences, and rb relies on the properties of the RCU fences. > > I agree in the sense that all strong-ordering operations are A-cumulative > and not including them in A-cumul is weird. The reason for including A-cumul(strong-fence | po-rel) in the definition of cumul-fence had nothing to do with the fact that the fences needed to be strong. It was simply a convenient way to list all the A-cumulative fences. It could just as well have been written A-cumul(mb | gp | po-rel). > On the other side? the model becomes a tiny bit smaller and simpler when all > ordering of prop;strong-ordering goes through a single place (pb). > > If you want, you could think of the A-cumulativity of strong ordering > operations as being a consequence of their strong properties. Mathematically That's backward logic. Being strong isn't the reason the fences are A-cumulative. Indeed, the model could have been written not to assume that strong fences are A-cumulative. > it already is the case, since > ? overwrite&ext ; cumul-fence* ; rfe ; strong-fence ; cumul-fence* ; rfe? > is a subset of > ? prop ; strong-fence ; hb* Invalid reasoning. If strong fences had not been A-cumulative then this inclusion wouldn't matter, because the pb relation would have been defined differently. > > > > > @@ -91,8 +89,12 @@ acyclic hb as happens-before > > > > > (* Write and fence propagation ordering *) > > > > > (****************************************) > > > > > -(* Propagation: Each non-rf link needs a strong fence. *) > > > > > -let pb = prop ; strong-fence ; hb* ; [Marked] > > > > > +(* Strong ordering operations *) > > > > > +let strong-order = strong-fence | ([M] ; po-unlock-lock-po ; > > > > > + [After-unlock-lock] ; po ; [M]) > > > > This is not the same as the definition removed above. In particular, > > > > po-unlock-lock-po only allows one step along the locking chain -- it has > > > > rf where the definition above has co. > > > Indeed it is not, but the subsequent lock-unlock sequences are in hb*. For > > > this reason it can be simplified to just consider the directly following > > > unlock(). > > I'm not sure that argument is right. The smp_mb__after_unlock_lock > > needs to go after the _last_ lock in the sequence, not after the first. > > So you don't have to worry about subsequent lock-unlock sequences; you > > have to worry about preceding lock-unlock sequences. > > I formalized a proof of equivalence in Coq a few months ago, but I was > recalling the argument incorrectly from memory. > I think the correct argument is that the previous po-unlock-lock-po form a > cumul-fence*;rfe;po sequence that starts with a po-rel. > so any > ??? prop; .... ; co ; ... ; this fence ;... > can be rewritten to > ??? prop; cumul_fence* ; po-unlock-lock-po ; this fence ;... > and because the the first cumul-fence here needs to start with po-release, > the prop ;cumul-fence* can be merged into a larger prop, leaving > ??? prop; po-unlock-lock-po ; this fence ;... This may be so, but I would like to point out that the memory model was not particularly designed to be as short or as simple as possible, but more to reflect transparently the intuitions that kernel programmers have about the ways ordering should work in the kernel. It may very well include redundancies as a result. I don't think that's a bad point. For example, the prop relation is meant to cover all fences that order store propagations in the usual way (basically all fences except rmb). This includes both weak and strong fences; the fact that strong fences also have other ordering properties doesn't mean they should be kept out of prop. Alan