Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp32261412rwd; Fri, 7 Jul 2023 10:59:44 -0700 (PDT) X-Google-Smtp-Source: APBJJlFJ1VhjNzHGbyo016MQ5ixo8u8GoJmJ4UpJ90ArSsJKY034j7bt9qLAB6uJPv8FmCdOJGew X-Received: by 2002:a17:90a:88b:b0:262:ff1c:bc37 with SMTP id v11-20020a17090a088b00b00262ff1cbc37mr4670300pjc.2.1688752783445; Fri, 07 Jul 2023 10:59:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1688752783; cv=none; d=google.com; s=arc-20160816; b=Zs+WVotq89C0feK43svlwjCnz3qu/aZ5imSSPFGVc0oehn1cR9tlMrMHO/PBRt5m6S wxcE9bw4X92p4DTmQ89z0hrHVAZfhyNC2he08jzfoLoyBUFJtZO5rEF8fcLC7hqs8/Jz Dl63RivSZmYXq9hLblMWp0/aOre02dnJXg7CPFTIzhoA+/pUx12Vz0QHInlYCkihaOo+ KRtSveOJCcyOfyUFzUEMFG0C4dlTFc/4s/IENB02LDg6QZW/dXxtyEoXmZKRP1laF3s4 k/lObRDsxmahXV7iGvwk1zdJmaQTNJsffnr2fH7+pWu/Ec/WPj/sLE88mgwoMAQbqVxh wTjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:references:organization:in-reply-to:subject:cc:to :from:dkim-signature; bh=p9f5pBwAeZgK2f3rwRWWRB4qiDzxgMks3mszTekrNXc=; fh=BFJHzJE0HBz4IMDs2FJk/8pcJTJuVyn0GsLcxvRo9eY=; b=N2zceFYhqPLtFfWcNXtXbZ4jhgpak3WPknOZ8+E7EGA2uWX1/PzbFR4WJXNLK1sKKH DNTZjJtTKXDARoFygLnbACovObI4nh3ziYwGlft8qUKc6cIaBPG2ktc+2bMydal5ZNhB 5ToUiEg9qWOEYJnRHlUnqbmWbY09ar/Mi+zRBy06587qwWzt7jFNeM29HsbQCihD674Q edza1uc/6Sm7rk29Io+StQYPpfSuqi7IEM2ggHPKftEfX0y4zRLOCoJk1oKA7xMMVSrl rXbheEBSL3qPK/eB2ObzYu/yptOrHHHnzuCbG3gFmTGyJWYLQhJnqjdBT8OKk4hti2B/ ayyQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@efficios.com header.s=smtpout1 header.b=JkC77+or; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=efficios.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i18-20020a63e452000000b0055ba60a3301si4251563pgk.295.2023.07.07.10.59.29; Fri, 07 Jul 2023 10:59:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@efficios.com header.s=smtpout1 header.b=JkC77+or; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=efficios.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229729AbjGGR0P (ORCPT + 99 others); Fri, 7 Jul 2023 13:26:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48130 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229502AbjGGR0N (ORCPT ); Fri, 7 Jul 2023 13:26:13 -0400 Received: from smtpout.efficios.com (smtpout.efficios.com [167.114.26.122]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 99C5D2695; Fri, 7 Jul 2023 10:25:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=efficios.com; s=smtpout1; t=1688750730; bh=U4pVnVRpmpXfIqV7cJuo7sgBurUuFKflAnJ53taBTfU=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=JkC77+orgeKep1j+yDMZZQGX6/Cp9HpVF8d+JFNTqXRiuysh+AIhvF2P0DPoOsAPu gxfP8/qL0vlGKuAF3ruEC8SjouEfUiB0EimaPdqnLhpipVgZbJcYDz4K/J2aOfGMvo Q3okW5ZGdCkUqvmWH3cRHg2y8rF96TggGN0upqh5cTVxGxI9D6ntldHEz+ffTK31LF k1xPzNU1+p5c5+aUpU/ZLajBJfG3c0bfWhzI9PGWAjbCjUygO0rHx7fcpvqBO4L3KQ V1LX89P5B1IMvjRmv/Mwx9swMu9PbPg5U3afQ3FHx4zZa7GG3n2r6rxurJjPQ3OzMq bX6Wnt4bcrYBw== Received: from localhost (modemcable094.169-200-24.mc.videotron.ca [24.200.169.94]) by smtpout.efficios.com (Postfix) with ESMTPSA id 4QyKzZ5jhKz1G7F; Fri, 7 Jul 2023 13:25:30 -0400 (EDT) From: Olivier Dion To: Jonas Oberhauser , Mathieu Desnoyers , rnk@google.com, Alan Stern , Andrea Parri , Will Deacon , Peter Zijlstra , Boqun Feng , Nicholas Piggin , David Howells , Jade Alglave , Luc Maranget , "Paul E. McKenney" , Nathan Chancellor , Nick Desaulniers , Tom Rix Cc: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, gcc@gcc.gnu.org, llvm@lists.linux.dev Subject: Re: [RFC] Bridging the gap between the Linux Kernel Memory Consistency Model (LKMM) and C11/C++11 atomics In-Reply-To: <357752c2-4fb0-708e-4b05-564e37a234be@huaweicloud.com> Organization: EfficiOS References: <87ttukdcow.fsf@laura> <357752c2-4fb0-708e-4b05-564e37a234be@huaweicloud.com> Date: Fri, 07 Jul 2023 13:25:30 -0400 Message-ID: <87y1jrfxbp.fsf@laura> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 07 Jul 2023, Jonas Oberhauser wr= ote: [...] >> This is a request for comments on extending the atomic builtins API to >> help avoiding redundant memory barriers. Indeed, there are >> discrepancies between the Linux kernel consistency memory model (LKMM) >> and the C11/C++11 memory consistency model [0]. For example, >> fully-ordered atomic operations like xchg and cmpxchg success in LKMM >> have implicit memory barriers before/after the operations [1-2], while >> atomic operations using the __ATOMIC_SEQ_CST memory order in C11/C++11 >> do not have any ordering guarantees of an atomic thread fence >> __ATOMIC_SEQ_CST with respect to other non-SEQ_CST operations [3]. > > > The issues run quite a bit deeper than this. The two models have two > completely different perspectives that are quite much incompatible. Agreed. Our intent is not to close the gap completely, but to reduce the gap between the two models, by supporting the "full barrier before/after" semantic of LKMM in the C11/C++11 memory model. > I think all you can really do is bridge the gap at the level of the > generated assembly. I.e., don't bridge the gap between LKMM and the > C11 MCM. Bridge the gap between the assembly code generated by C11 > atomics and the one generated by LKMM. But I'm not sure that's really > the task here. We have considered analyzing the assembler output of different toolchain's versions to generate manually our own before/after fences. However, nothing prevents a toolchain from changing the emitted assembler in the future, which would make things fragile. The only thing that is guaranteed to not change is the definitions in the standard (C11/C++11). Anything else is fair game for optimizations. >> [...] For example, to make Read-Modify-Write (RMW) operations match >> the Linux kernel "full barrier before/after" semantics, the liburcu's >> uatomic API has to emit both a SEQ_CST RMW operation and a subsequent >> thread fence SEQ_CST, which leads to duplicated barriers in some cases. > > Does it have to though? Can't you just do e.g. an release RMW > operation followed by an after_atomic=C2=A0 fence? And for loads, a > SEQ_CST fence followed by an acquire load? Analogously (but: mirrored) > for stores. That would not improve anything for RMW. Consider the following example and its resulting assembler on x86-64 gcc 13.1 -O2: int exchange(int *x, int y) { int r =3D __atomic_exchange_n(x, y, __ATOMIC_RELEASE); __atomic_thread_fence(__ATOMIC_SEQ_CST); return r; } exchange: movl %esi, %eax xchgl (%rdi), %eax lock orq $0, (%rsp) ;; Redundant with previous exchange ret also that would make the exchange weaker, in the sense of the C11/C++11 memory model, by losing its acquire and its sequential consistency semantics. [...] >> // Always NOP. >> __atomic_thread_fence_{before,after}_rmw(int rmw_memorder, >> int fence_memorder) > > > I currently don't feel comfortable adding such extensions to LKMM (or a=20 > compiler API for that matter). There's no plan to add such extensions to LKMM but only to extend the current atomic builtins API of toolchains. > You mentioned that the goal is to check some code written using LKMM > primitives with TSAN due to some formal requirements. What exactly do > these requirements entail? Do you need to check the code exactly as it > will be executed (modulo the TSAN instrumentation)? Is it an option to > map to normal builtins with suboptimal performance just for the > verification purpose, but then run the slightly more optimized > original code later? We aim to validate with TSAN the code that will run during production, minus TSAN itself. > Specifically for TSAN's ordering requirements, you may need to make > LKMM's RMWs into acq+rel with an extra mb, even if all that extra > ordering isn't necessary at the assembler level. > > > Also note that no matter what you do, due to the two different > perspectives, TSAN's hb relation may introduce false positive data > races w.r.t. LKMM.=C2=A0 For example, if the happens-before ordering is > guaranteed through pb starting with coe/fre. This is why we have implemented our primitives and changed our algorithms so that they use the acquire/release semantics of the C11/C++11 memory model. > Without thinking too hard, it seems to me no matter what fences and > barriers you introduce, TSAN will not see this kind of ordering and > consider the situation a data race. We have come to the same conclusion, mainly because TSAN does not support thread fence in its verifications. This is why we have implemented an annotation layer that group relaxed memory accesses into a single acquire/release event. This layer, makes TSAN aware of the happen-before relations of the RCU implementations -- and lock-free data structures -- in Userspace RCU. This came with a downside of introducing redundant fences on strongly ordered architectures because of the usage of atomic builtins of the C11/C++11 memory model which does not provide any means for expressing fully-ordered atomic operations without relying on explicit thread fences. [...] Thanks, Olivier --=20 Olivier Dion EfficiOS Inc. https://www.efficios.com