Date: Mon, 27 Nov 2017 16:16:47 -0500 (EST)
From: Alan Stern
To: "Paul E. McKenney", Andrea Parri, Luc Maranget, Jade Alglave,
    Boqun Feng, Nicholas Piggin, Peter Zijlstra, Will Deacon,
    David Howells, Daniel Lustig, Palmer Dabbelt
Cc: Kernel development list <linux-kernel@vger.kernel.org>
Subject: Unlock-lock questions and the Linux Kernel Memory Model
In-Reply-To: <4118cdbe-c396-08b9-a3e3-a0a6491b82fa@nvidia.com>

This is essentially a repeat of an email I sent out before the
Thanksgiving holiday, on the assumption that the lack of any responses
was caused by the holiday break.  (And this time the message is CC'ed
to LKML, so there will be a public record of it.)
A few people have said they believe the Linux Kernel Memory Model
should make unlock followed by lock (of the same variable) act as a
write memory barrier.  In other words, they want the memory model to
forbid the following litmus test:

C unlock-lock-write-ordering-1

{}

P0(int *x, int *y, spinlock_t *s)
{
	spin_lock(s);
	WRITE_ONCE(*x, 1);
	spin_unlock(s);
	spin_lock(s);
	WRITE_ONCE(*y, 1);
	spin_unlock(s);
}

P1(int *x, int *y)
{
	r1 = READ_ONCE(*y);
	smp_rmb();
	r2 = READ_ONCE(*x);
}

exists (1:r1=1 /\ 1:r2=0)

Judging from this, it seems likely that they would want the memory
model to forbid the next two litmus tests as well (since there's never
any guarantee that some other CPU won't interpose a critical section
between a given unlock and a following lock):

C unlock-lock-write-ordering-2

{}

P0(int *x, spinlock_t *s)
{
	spin_lock(s);
	WRITE_ONCE(*x, 1);
	spin_unlock(s);
}

P1(int *x, int *y, spinlock_t *s)
{
	spin_lock(s);
	r1 = READ_ONCE(*x);
	WRITE_ONCE(*y, 1);
	spin_unlock(s);
}

P2(int *x, int *y)
{
	r2 = READ_ONCE(*y);
	smp_rmb();
	r3 = READ_ONCE(*x);
}

exists (1:r1=1 /\ 2:r2=1 /\ 2:r3=0)

C unlock-lock-write-ordering-3

{}

P0(int *x, int *y, int *z, spinlock_t *s)
{
	spin_lock(s);
	WRITE_ONCE(*x, 1);
	spin_unlock(s);
	spin_lock(s);
	r1 = READ_ONCE(*z);
	WRITE_ONCE(*y, 1);
	spin_unlock(s);
}

P1(int *x, int *z, spinlock_t *s)
{
	spin_lock(s);
	r2 = READ_ONCE(*x);
	WRITE_ONCE(*z, 1);
	spin_unlock(s);
}

P2(int *x, int *y)
{
	r3 = READ_ONCE(*y);
	smp_rmb();
	r4 = READ_ONCE(*x);
}

exists (0:r1=1 /\ 1:r2=1 /\ 2:r3=1 /\ 2:r4=0)

The general justification is that all the architectures currently
supported by the kernel do forbid these tests, and there is code in
the kernel that depends on this behavior.  Thus the model should
forbid them.  (Currently the model allows them, on the principle that
ordering induced by a lock is visible only to CPUs that take the
lock.)  On the other hand, whether RISC-V would forbid these tests is
not clear.
Basically, it comes down to using an RCsc versus an RCpc approach for
the locking primitives.

Given that spin_lock() and spin_unlock() derive many of their
properties from acting as an acquire and a release respectively, we
can ask if the memory model should forbid the analogous
release-acquire litmus test:

C rel-acq-write-ordering-3

{}

P0(int *x, int *s, int *y)
{
	WRITE_ONCE(*x, 1);
	smp_store_release(s, 1);
	r1 = smp_load_acquire(s);
	WRITE_ONCE(*y, 1);
}

P1(int *x, int *y)
{
	r2 = READ_ONCE(*y);
	smp_rmb();
	r3 = READ_ONCE(*x);
}

exists (1:r2=1 /\ 1:r3=0)

For that matter, what if we take the initial write to be the
store-release itself rather than something coming before it?

C rel-acq-write-ordering-1

{}

P0(int *s, int *y)
{
	smp_store_release(s, 1);
	r1 = smp_load_acquire(s);
	WRITE_ONCE(*y, 1);
}

P1(int *s, int *y)
{
	r2 = READ_ONCE(*y);
	smp_rmb();
	r3 = READ_ONCE(*s);
}

exists (1:r2=1 /\ 1:r3=0)

And going to extremes, what if the load-acquire reads from a different
variable, not the one written by the store-release?  This would be
like unlocking s and then locking t:

C rel-acq-write-ordering-2

{}

P0(int *s, int *t, int *y)
{
	smp_store_release(s, 1);
	r1 = smp_load_acquire(t);
	WRITE_ONCE(*y, 1);
}

P1(int *s, int *y)
{
	r2 = READ_ONCE(*y);
	smp_rmb();
	r3 = READ_ONCE(*s);
}

exists (1:r2=1 /\ 1:r3=0)

The architectures currently supported by the kernel all forbid this
last test, but whether we want the model to forbid it is a lot more
questionable.

I (and others!) would like to know people's opinions on these matters.

Alan Stern