mirror_ubuntu-kernels/tools/memory-model/Documentation/explanation.txt

2811 lines
107 KiB
Plaintext

Explanation of the Linux-Kernel Memory Consistency Model
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:Author: Alan Stern <stern@rowland.harvard.edu>
:Created: October 2017
.. Contents
1. INTRODUCTION
2. BACKGROUND
3. A SIMPLE EXAMPLE
4. A SELECTION OF MEMORY MODELS
5. ORDERING AND CYCLES
6. EVENTS
7. THE PROGRAM ORDER RELATION: po AND po-loc
8. A WARNING
9. DEPENDENCY RELATIONS: data, addr, and ctrl
10. THE READS-FROM RELATION: rf, rfi, and rfe
11. CACHE COHERENCE AND THE COHERENCE ORDER RELATION: co, coi, and coe
12. THE FROM-READS RELATION: fr, fri, and fre
13. AN OPERATIONAL MODEL
14. PROPAGATION ORDER RELATION: cumul-fence
15. DERIVATION OF THE LKMM FROM THE OPERATIONAL MODEL
16. SEQUENTIAL CONSISTENCY PER VARIABLE
17. ATOMIC UPDATES: rmw
18. THE PRESERVED PROGRAM ORDER RELATION: ppo
19. AND THEN THERE WAS ALPHA
20. THE HAPPENS-BEFORE RELATION: hb
21. THE PROPAGATES-BEFORE RELATION: pb
22. RCU RELATIONS: rcu-link, rcu-gp, rcu-rscsi, rcu-order, rcu-fence, and rb
23. SRCU READ-SIDE CRITICAL SECTIONS
24. LOCKING
25. PLAIN ACCESSES AND DATA RACES
26. ODDS AND ENDS
INTRODUCTION
------------
The Linux-kernel memory consistency model (LKMM) is rather complex and
obscure. This is particularly evident if you read through the
linux-kernel.bell and linux-kernel.cat files that make up the formal
version of the model; they are extremely terse and their meanings are
far from clear.
This document describes the ideas underlying the LKMM. It is meant
for people who want to understand how the model was designed. It does
not go into the details of the code in the .bell and .cat files;
rather, it explains in English what the code expresses symbolically.
Sections 2 (BACKGROUND) through 5 (ORDERING AND CYCLES) are aimed
toward beginners; they explain what memory consistency models are and
the basic notions shared by all such models. People already familiar
with these concepts can skim or skip over them. Sections 6 (EVENTS)
through 12 (THE FROM_READS RELATION) describe the fundamental
relations used in many models. Starting in Section 13 (AN OPERATIONAL
MODEL), the workings of the LKMM itself are covered.
Warning: The code examples in this document are not written in the
proper format for litmus tests. They don't include a header line, the
initializations are not enclosed in braces, the global variables are
not passed by pointers, and they don't have an "exists" clause at the
end. Converting them to the right format is left as an exercise for
the reader.
BACKGROUND
----------
A memory consistency model (or just memory model, for short) is
something which predicts, given a piece of computer code running on a
particular kind of system, what values may be obtained by the code's
load instructions. The LKMM makes these predictions for code running
as part of the Linux kernel.
In practice, people tend to use memory models the other way around.
That is, given a piece of code and a collection of values specified
for the loads, the model will predict whether it is possible for the
code to run in such a way that the loads will indeed obtain the
specified values. Of course, this is just another way of expressing
the same idea.
For code running on a uniprocessor system, the predictions are easy:
Each load instruction must obtain the value written by the most recent
store instruction accessing the same location (we ignore complicating
factors such as DMA and mixed-size accesses.) But on multiprocessor
systems, with multiple CPUs making concurrent accesses to shared
memory locations, things aren't so simple.
Different architectures have differing memory models, and the Linux
kernel supports a variety of architectures. The LKMM has to be fairly
permissive, in the sense that any behavior allowed by one of these
architectures also has to be allowed by the LKMM.
A SIMPLE EXAMPLE
----------------
Here is a simple example to illustrate the basic concepts. Consider
some code running as part of a device driver for an input device. The
driver might contain an interrupt handler which collects data from the
device, stores it in a buffer, and sets a flag to indicate the buffer
is full. Running concurrently on a different CPU might be a part of
the driver code being executed by a process in the midst of a read(2)
system call. This code tests the flag to see whether the buffer is
ready, and if it is, copies the data back to userspace. The buffer
and the flag are memory locations shared between the two CPUs.
We can abstract out the important pieces of the driver code as follows
(the reason for using WRITE_ONCE() and READ_ONCE() instead of simple
assignment statements is discussed later):
int buf = 0, flag = 0;
P0()
{
WRITE_ONCE(buf, 1);
WRITE_ONCE(flag, 1);
}
P1()
{
int r1;
int r2 = 0;
r1 = READ_ONCE(flag);
if (r1)
r2 = READ_ONCE(buf);
}
Here the P0() function represents the interrupt handler running on one
CPU and P1() represents the read() routine running on another. The
value 1 stored in buf represents input data collected from the device.
Thus, P0 stores the data in buf and then sets flag. Meanwhile, P1
reads flag into the private variable r1, and if it is set, reads the
data from buf into a second private variable r2 for copying to
userspace. (Presumably if flag is not set then the driver will wait a
while and try again.)
This pattern of memory accesses, where one CPU stores values to two
shared memory locations and another CPU loads from those locations in
the opposite order, is widely known as the "Message Passing" or MP
pattern. It is typical of memory access patterns in the kernel.
Please note that this example code is a simplified abstraction. Real
buffers are usually larger than a single integer, real device drivers
usually use sleep and wakeup mechanisms rather than polling for I/O
completion, and real code generally doesn't bother to copy values into
private variables before using them. All that is beside the point;
the idea here is simply to illustrate the overall pattern of memory
accesses by the CPUs.
A memory model will predict what values P1 might obtain for its loads
from flag and buf, or equivalently, what values r1 and r2 might end up
with after the code has finished running.
Some predictions are trivial. For instance, no sane memory model would
predict that r1 = 42 or r2 = -7, because neither of those values ever
gets stored in flag or buf.
Some nontrivial predictions are nonetheless quite simple. For
instance, P1 might run entirely before P0 begins, in which case r1 and
r2 will both be 0 at the end. Or P0 might run entirely before P1
begins, in which case r1 and r2 will both be 1.
The interesting predictions concern what might happen when the two
routines run concurrently. One possibility is that P1 runs after P0's
store to buf but before the store to flag. In this case, r1 and r2
will again both be 0. (If P1 had been designed to read buf
unconditionally then we would instead have r1 = 0 and r2 = 1.)
However, the most interesting possibility is where r1 = 1 and r2 = 0.
If this were to occur it would mean the driver contains a bug, because
incorrect data would get sent to the user: 0 instead of 1. As it
happens, the LKMM does predict this outcome can occur, and the example
driver code shown above is indeed buggy.
A SELECTION OF MEMORY MODELS
----------------------------
The first widely cited memory model, and the simplest to understand,
is Sequential Consistency. According to this model, systems behave as
if each CPU executed its instructions in order but with unspecified
timing. In other words, the instructions from the various CPUs get
interleaved in a nondeterministic way, always according to some single
global order that agrees with the order of the instructions in the
program source for each CPU. The model says that the value obtained
by each load is simply the value written by the most recently executed
store to the same memory location, from any CPU.
For the MP example code shown above, Sequential Consistency predicts
that the undesired result r1 = 1, r2 = 0 cannot occur. The reasoning
goes like this:
Since r1 = 1, P0 must store 1 to flag before P1 loads 1 from
it, as loads can obtain values only from earlier stores.
P1 loads from flag before loading from buf, since CPUs execute
their instructions in order.
P1 must load 0 from buf before P0 stores 1 to it; otherwise r2
would be 1 since a load obtains its value from the most recent
store to the same address.
P0 stores 1 to buf before storing 1 to flag, since it executes
its instructions in order.
Since an instruction (in this case, P0's store to flag) cannot
execute before itself, the specified outcome is impossible.
However, real computer hardware almost never follows the Sequential
Consistency memory model; doing so would rule out too many valuable
performance optimizations. On ARM and PowerPC architectures, for
instance, the MP example code really does sometimes yield r1 = 1 and
r2 = 0.
x86 and SPARC follow yet a different memory model: TSO (Total Store
Ordering). This model predicts that the undesired outcome for the MP
pattern cannot occur, but in other respects it differs from Sequential
Consistency. One example is the Store Buffer (SB) pattern, in which
each CPU stores to its own shared location and then loads from the
other CPU's location:
int x = 0, y = 0;
P0()
{
int r0;
WRITE_ONCE(x, 1);
r0 = READ_ONCE(y);
}
P1()
{
int r1;
WRITE_ONCE(y, 1);
r1 = READ_ONCE(x);
}
Sequential Consistency predicts that the outcome r0 = 0, r1 = 0 is
impossible. (Exercise: Figure out the reasoning.) But TSO allows
this outcome to occur, and in fact it does sometimes occur on x86 and
SPARC systems.
The LKMM was inspired by the memory models followed by PowerPC, ARM,
x86, Alpha, and other architectures. However, it is different in
detail from each of them.
ORDERING AND CYCLES
-------------------
Memory models are all about ordering. Often this is temporal ordering
(i.e., the order in which certain events occur) but it doesn't have to
be; consider for example the order of instructions in a program's
source code. We saw above that Sequential Consistency makes an
important assumption that CPUs execute instructions in the same order
as those instructions occur in the code, and there are many other
instances of ordering playing central roles in memory models.
The counterpart to ordering is a cycle. Ordering rules out cycles:
It's not possible to have X ordered before Y, Y ordered before Z, and
Z ordered before X, because this would mean that X is ordered before
itself. The analysis of the MP example under Sequential Consistency
involved just such an impossible cycle:
W: P0 stores 1 to flag executes before
X: P1 loads 1 from flag executes before
Y: P1 loads 0 from buf executes before
Z: P0 stores 1 to buf executes before
W: P0 stores 1 to flag.
In short, if a memory model requires certain accesses to be ordered,
and a certain outcome for the loads in a piece of code can happen only
if those accesses would form a cycle, then the memory model predicts
that outcome cannot occur.
The LKMM is defined largely in terms of cycles, as we will see.
EVENTS
------
The LKMM does not work directly with the C statements that make up
kernel source code. Instead it considers the effects of those
statements in a more abstract form, namely, events. The model
includes three types of events:
Read events correspond to loads from shared memory, such as
calls to READ_ONCE(), smp_load_acquire(), or
rcu_dereference().
Write events correspond to stores to shared memory, such as
calls to WRITE_ONCE(), smp_store_release(), or atomic_set().
Fence events correspond to memory barriers (also known as
fences), such as calls to smp_rmb() or rcu_read_lock().
These categories are not exclusive; a read or write event can also be
a fence. This happens with functions like smp_load_acquire() or
spin_lock(). However, no single event can be both a read and a write.
Atomic read-modify-write accesses, such as atomic_inc() or xchg(),
correspond to a pair of events: a read followed by a write. (The
write event is omitted for executions where it doesn't occur, such as
a cmpxchg() where the comparison fails.)
Other parts of the code, those which do not involve interaction with
shared memory, do not give rise to events. Thus, arithmetic and
logical computations, control-flow instructions, or accesses to
private memory or CPU registers are not of central interest to the
memory model. They only affect the model's predictions indirectly.
For example, an arithmetic computation might determine the value that
gets stored to a shared memory location (or in the case of an array
index, the address where the value gets stored), but the memory model
is concerned only with the store itself -- its value and its address
-- not the computation leading up to it.
Events in the LKMM can be linked by various relations, which we will
describe in the following sections. The memory model requires certain
of these relations to be orderings, that is, it requires them not to
have any cycles.
THE PROGRAM ORDER RELATION: po AND po-loc
-----------------------------------------
The most important relation between events is program order (po). You
can think of it as the order in which statements occur in the source
code after branches are taken into account and loops have been
unrolled. A better description might be the order in which
instructions are presented to a CPU's execution unit. Thus, we say
that X is po-before Y (written as "X ->po Y" in formulas) if X occurs
before Y in the instruction stream.
This is inherently a single-CPU relation; two instructions executing
on different CPUs are never linked by po. Also, it is by definition
an ordering so it cannot have any cycles.
po-loc is a sub-relation of po. It links two memory accesses when the
first comes before the second in program order and they access the
same memory location (the "-loc" suffix).
Although this may seem straightforward, there is one subtle aspect to
program order we need to explain. The LKMM was inspired by low-level
architectural memory models which describe the behavior of machine
code, and it retains their outlook to a considerable extent. The
read, write, and fence events used by the model are close in spirit to
individual machine instructions. Nevertheless, the LKMM describes
kernel code written in C, and the mapping from C to machine code can
be extremely complex.
Optimizing compilers have great freedom in the way they translate
source code to object code. They are allowed to apply transformations
that add memory accesses, eliminate accesses, combine them, split them
into pieces, or move them around. The use of READ_ONCE(), WRITE_ONCE(),
or one of the other atomic or synchronization primitives prevents a
large number of compiler optimizations. In particular, it is guaranteed
that the compiler will not remove such accesses from the generated code
(unless it can prove the accesses will never be executed), it will not
change the order in which they occur in the code (within limits imposed
by the C standard), and it will not introduce extraneous accesses.
The MP and SB examples above used READ_ONCE() and WRITE_ONCE() rather
than ordinary memory accesses. Thanks to this usage, we can be certain
that in the MP example, the compiler won't reorder P0's write event to
buf and P0's write event to flag, and similarly for the other shared
memory accesses in the examples.
Since private variables are not shared between CPUs, they can be
accessed normally without READ_ONCE() or WRITE_ONCE(). In fact, they
need not even be stored in normal memory at all -- in principle a
private variable could be stored in a CPU register (hence the convention
that these variables have names starting with the letter 'r').
A WARNING
---------
The protections provided by READ_ONCE(), WRITE_ONCE(), and others are
not perfect; and under some circumstances it is possible for the
compiler to undermine the memory model. Here is an example. Suppose
both branches of an "if" statement store the same value to the same
location:
r1 = READ_ONCE(x);
if (r1) {
WRITE_ONCE(y, 2);
... /* do something */
} else {
WRITE_ONCE(y, 2);
... /* do something else */
}
For this code, the LKMM predicts that the load from x will always be
executed before either of the stores to y. However, a compiler could
lift the stores out of the conditional, transforming the code into
something resembling:
r1 = READ_ONCE(x);
WRITE_ONCE(y, 2);
if (r1) {
... /* do something */
} else {
... /* do something else */
}
Given this version of the code, the LKMM would predict that the load
from x could be executed after the store to y. Thus, the memory
model's original prediction could be invalidated by the compiler.
Another issue arises from the fact that in C, arguments to many
operators and function calls can be evaluated in any order. For
example:
r1 = f(5) + g(6);
The object code might call f(5) either before or after g(6); the
memory model cannot assume there is a fixed program order relation
between them. (In fact, if the function calls are inlined then the
compiler might even interleave their object code.)
DEPENDENCY RELATIONS: data, addr, and ctrl
------------------------------------------
We say that two events are linked by a dependency relation when the
execution of the second event depends in some way on a value obtained
from memory by the first. The first event must be a read, and the
value it obtains must somehow affect what the second event does.
There are three kinds of dependencies: data, address (addr), and
control (ctrl).
A read and a write event are linked by a data dependency if the value
obtained by the read affects the value stored by the write. As a very
simple example:
int x, y;
r1 = READ_ONCE(x);
WRITE_ONCE(y, r1 + 5);
The value stored by the WRITE_ONCE obviously depends on the value
loaded by the READ_ONCE. Such dependencies can wind through
arbitrarily complicated computations, and a write can depend on the
values of multiple reads.
A read event and another memory access event are linked by an address
dependency if the value obtained by the read affects the location
accessed by the other event. The second event can be either a read or
a write. Here's another simple example:
int a[20];
int i;
r1 = READ_ONCE(i);
r2 = READ_ONCE(a[r1]);
Here the location accessed by the second READ_ONCE() depends on the
index value loaded by the first. Pointer indirection also gives rise
to address dependencies, since the address of a location accessed
through a pointer will depend on the value read earlier from that
pointer.
Finally, a read event X and a write event Y are linked by a control
dependency if Y syntactically lies within an arm of an if statement and
X affects the evaluation of the if condition via a data or address
dependency (or similarly for a switch statement). Simple example:
int x, y;
r1 = READ_ONCE(x);
if (r1)
WRITE_ONCE(y, 1984);
Execution of the WRITE_ONCE() is controlled by a conditional expression
which depends on the value obtained by the READ_ONCE(); hence there is
a control dependency from the load to the store.
It should be pretty obvious that events can only depend on reads that
come earlier in program order. Symbolically, if we have R ->data X,
R ->addr X, or R ->ctrl X (where R is a read event), then we must also
have R ->po X. It wouldn't make sense for a computation to depend
somehow on a value that doesn't get loaded from shared memory until
later in the code!
Here's a trick question: When is a dependency not a dependency? Answer:
When it is purely syntactic rather than semantic. We say a dependency
between two accesses is purely syntactic if the second access doesn't
actually depend on the result of the first. Here is a trivial example:
r1 = READ_ONCE(x);
WRITE_ONCE(y, r1 * 0);
There appears to be a data dependency from the load of x to the store
of y, since the value to be stored is computed from the value that was
loaded. But in fact, the value stored does not really depend on
anything since it will always be 0. Thus the data dependency is only
syntactic (it appears to exist in the code) but not semantic (the
second access will always be the same, regardless of the value of the
first access). Given code like this, a compiler could simply discard
the value returned by the load from x, which would certainly destroy
any dependency. (The compiler is not permitted to eliminate entirely
the load generated for a READ_ONCE() -- that's one of the nice
properties of READ_ONCE() -- but it is allowed to ignore the load's
value.)
It's natural to object that no one in their right mind would write
code like the above. However, macro expansions can easily give rise
to this sort of thing, in ways that often are not apparent to the
programmer.
Another mechanism that can lead to purely syntactic dependencies is
related to the notion of "undefined behavior". Certain program
behaviors are called "undefined" in the C language specification,
which means that when they occur there are no guarantees at all about
the outcome. Consider the following example:
int a[1];
int i;
r1 = READ_ONCE(i);
r2 = READ_ONCE(a[r1]);
Access beyond the end or before the beginning of an array is one kind
of undefined behavior. Therefore the compiler doesn't have to worry
about what will happen if r1 is nonzero, and it can assume that r1
will always be zero regardless of the value actually loaded from i.
(If the assumption turns out to be wrong the resulting behavior will
be undefined anyway, so the compiler doesn't care!) Thus the value
from the load can be discarded, breaking the address dependency.
The LKMM is unaware that purely syntactic dependencies are different
from semantic dependencies and therefore mistakenly predicts that the
accesses in the two examples above will be ordered. This is another
example of how the compiler can undermine the memory model. Be warned.
THE READS-FROM RELATION: rf, rfi, and rfe
-----------------------------------------
The reads-from relation (rf) links a write event to a read event when
the value loaded by the read is the value that was stored by the
write. In colloquial terms, the load "reads from" the store. We
write W ->rf R to indicate that the load R reads from the store W. We
further distinguish the cases where the load and the store occur on
the same CPU (internal reads-from, or rfi) and where they occur on
different CPUs (external reads-from, or rfe).
For our purposes, a memory location's initial value is treated as
though it had been written there by an imaginary initial store that
executes on a separate CPU before the main program runs.
Usage of the rf relation implicitly assumes that loads will always
read from a single store. It doesn't apply properly in the presence
of load-tearing, where a load obtains some of its bits from one store
and some of them from another store. Fortunately, use of READ_ONCE()
and WRITE_ONCE() will prevent load-tearing; it's not possible to have:
int x = 0;
P0()
{
WRITE_ONCE(x, 0x1234);
}
P1()
{
int r1;
r1 = READ_ONCE(x);
}
and end up with r1 = 0x1200 (partly from x's initial value and partly
from the value stored by P0).
On the other hand, load-tearing is unavoidable when mixed-size
accesses are used. Consider this example:
union {
u32 w;
u16 h[2];
} x;
P0()
{
WRITE_ONCE(x.h[0], 0x1234);
WRITE_ONCE(x.h[1], 0x5678);
}
P1()
{
int r1;
r1 = READ_ONCE(x.w);
}
If r1 = 0x56781234 (little-endian!) at the end, then P1 must have read
from both of P0's stores. It is possible to handle mixed-size and
unaligned accesses in a memory model, but the LKMM currently does not
attempt to do so. It requires all accesses to be properly aligned and
of the location's actual size.
CACHE COHERENCE AND THE COHERENCE ORDER RELATION: co, coi, and coe
------------------------------------------------------------------
Cache coherence is a general principle requiring that in a
multi-processor system, the CPUs must share a consistent view of the
memory contents. Specifically, it requires that for each location in
shared memory, the stores to that location must form a single global
ordering which all the CPUs agree on (the coherence order), and this
ordering must be consistent with the program order for accesses to
that location.
To put it another way, for any variable x, the coherence order (co) of
the stores to x is simply the order in which the stores overwrite one
another. The imaginary store which establishes x's initial value
comes first in the coherence order; the store which directly
overwrites the initial value comes second; the store which overwrites
that value comes third, and so on.
You can think of the coherence order as being the order in which the
stores reach x's location in memory (or if you prefer a more
hardware-centric view, the order in which the stores get written to
x's cache line). We write W ->co W' if W comes before W' in the
coherence order, that is, if the value stored by W gets overwritten,
directly or indirectly, by the value stored by W'.
Coherence order is required to be consistent with program order. This
requirement takes the form of four coherency rules:
Write-write coherence: If W ->po-loc W' (i.e., W comes before
W' in program order and they access the same location), where W
and W' are two stores, then W ->co W'.
Write-read coherence: If W ->po-loc R, where W is a store and R
is a load, then R must read from W or from some other store
which comes after W in the coherence order.
Read-write coherence: If R ->po-loc W, where R is a load and W
is a store, then the store which R reads from must come before
W in the coherence order.
Read-read coherence: If R ->po-loc R', where R and R' are two
loads, then either they read from the same store or else the
store read by R comes before the store read by R' in the
coherence order.
This is sometimes referred to as sequential consistency per variable,
because it means that the accesses to any single memory location obey
the rules of the Sequential Consistency memory model. (According to
Wikipedia, sequential consistency per variable and cache coherence
mean the same thing except that cache coherence includes an extra
requirement that every store eventually becomes visible to every CPU.)
Any reasonable memory model will include cache coherence. Indeed, our
expectation of cache coherence is so deeply ingrained that violations
of its requirements look more like hardware bugs than programming
errors:
int x;
P0()
{
WRITE_ONCE(x, 17);
WRITE_ONCE(x, 23);
}
If the final value stored in x after this code ran was 17, you would
think your computer was broken. It would be a violation of the
write-write coherence rule: Since the store of 23 comes later in
program order, it must also come later in x's coherence order and
thus must overwrite the store of 17.
int x = 0;
P0()
{
int r1;
r1 = READ_ONCE(x);
WRITE_ONCE(x, 666);
}
If r1 = 666 at the end, this would violate the read-write coherence
rule: The READ_ONCE() load comes before the WRITE_ONCE() store in
program order, so it must not read from that store but rather from one
coming earlier in the coherence order (in this case, x's initial
value).
int x = 0;
P0()
{
WRITE_ONCE(x, 5);
}
P1()
{
int r1, r2;
r1 = READ_ONCE(x);
r2 = READ_ONCE(x);
}
If r1 = 5 (reading from P0's store) and r2 = 0 (reading from the
imaginary store which establishes x's initial value) at the end, this
would violate the read-read coherence rule: The r1 load comes before
the r2 load in program order, so it must not read from a store that
comes later in the coherence order.
(As a minor curiosity, if this code had used normal loads instead of
READ_ONCE() in P1, on Itanium it sometimes could end up with r1 = 5
and r2 = 0! This results from parallel execution of the operations
encoded in Itanium's Very-Long-Instruction-Word format, and it is yet
another motivation for using READ_ONCE() when accessing shared memory
locations.)
Just like the po relation, co is inherently an ordering -- it is not
possible for a store to directly or indirectly overwrite itself! And
just like with the rf relation, we distinguish between stores that
occur on the same CPU (internal coherence order, or coi) and stores
that occur on different CPUs (external coherence order, or coe).
On the other hand, stores to different memory locations are never
related by co, just as instructions on different CPUs are never
related by po. Coherence order is strictly per-location, or if you
prefer, each location has its own independent coherence order.
THE FROM-READS RELATION: fr, fri, and fre
-----------------------------------------
The from-reads relation (fr) can be a little difficult for people to
grok. It describes the situation where a load reads a value that gets
overwritten by a store. In other words, we have R ->fr W when the
value that R reads is overwritten (directly or indirectly) by W, or
equivalently, when R reads from a store which comes earlier than W in
the coherence order.
For example:
int x = 0;
P0()
{
int r1;
r1 = READ_ONCE(x);
WRITE_ONCE(x, 2);
}
The value loaded from x will be 0 (assuming cache coherence!), and it
gets overwritten by the value 2. Thus there is an fr link from the
READ_ONCE() to the WRITE_ONCE(). If the code contained any later
stores to x, there would also be fr links from the READ_ONCE() to
them.
As with rf, rfi, and rfe, we subdivide the fr relation into fri (when
the load and the store are on the same CPU) and fre (when they are on
different CPUs).
Note that the fr relation is determined entirely by the rf and co
relations; it is not independent. Given a read event R and a write
event W for the same location, we will have R ->fr W if and only if
the write which R reads from is co-before W. In symbols,
(R ->fr W) := (there exists W' with W' ->rf R and W' ->co W).
AN OPERATIONAL MODEL
--------------------
The LKMM is based on various operational memory models, meaning that
the models arise from an abstract view of how a computer system
operates. Here are the main ideas, as incorporated into the LKMM.
The system as a whole is divided into the CPUs and a memory subsystem.
The CPUs are responsible for executing instructions (not necessarily
in program order), and they communicate with the memory subsystem.
For the most part, executing an instruction requires a CPU to perform
only internal operations. However, loads, stores, and fences involve
more.
When CPU C executes a store instruction, it tells the memory subsystem
to store a certain value at a certain location. The memory subsystem
propagates the store to all the other CPUs as well as to RAM. (As a
special case, we say that the store propagates to its own CPU at the
time it is executed.) The memory subsystem also determines where the
store falls in the location's coherence order. In particular, it must
arrange for the store to be co-later than (i.e., to overwrite) any
other store to the same location which has already propagated to CPU C.
When a CPU executes a load instruction R, it first checks to see
whether there are any as-yet unexecuted store instructions, for the
same location, that come before R in program order. If there are, it
uses the value of the po-latest such store as the value obtained by R,
and we say that the store's value is forwarded to R. Otherwise, the
CPU asks the memory subsystem for the value to load and we say that R
is satisfied from memory. The memory subsystem hands back the value
of the co-latest store to the location in question which has already
propagated to that CPU.
(In fact, the picture needs to be a little more complicated than this.
CPUs have local caches, and propagating a store to a CPU really means
propagating it to the CPU's local cache. A local cache can take some
time to process the stores that it receives, and a store can't be used
to satisfy one of the CPU's loads until it has been processed. On
most architectures, the local caches process stores in
First-In-First-Out order, and consequently the processing delay
doesn't matter for the memory model. But on Alpha, the local caches
have a partitioned design that results in non-FIFO behavior. We will
discuss this in more detail later.)
Note that load instructions may be executed speculatively and may be
restarted under certain circumstances. The memory model ignores these
premature executions; we simply say that the load executes at the
final time it is forwarded or satisfied.
Executing a fence (or memory barrier) instruction doesn't require a
CPU to do anything special other than informing the memory subsystem
about the fence. However, fences do constrain the way CPUs and the
memory subsystem handle other instructions, in two respects.
First, a fence forces the CPU to execute various instructions in
program order. Exactly which instructions are ordered depends on the
type of fence:
Strong fences, including smp_mb() and synchronize_rcu(), force
the CPU to execute all po-earlier instructions before any
po-later instructions;
smp_rmb() forces the CPU to execute all po-earlier loads
before any po-later loads;
smp_wmb() forces the CPU to execute all po-earlier stores
before any po-later stores;
Acquire fences, such as smp_load_acquire(), force the CPU to
execute the load associated with the fence (e.g., the load
part of an smp_load_acquire()) before any po-later
instructions;
Release fences, such as smp_store_release(), force the CPU to
execute all po-earlier instructions before the store
associated with the fence (e.g., the store part of an
smp_store_release()).
Second, some types of fence affect the way the memory subsystem
propagates stores. When a fence instruction is executed on CPU C:
For each other CPU C', smp_wmb() forces all po-earlier stores
on C to propagate to C' before any po-later stores do.
For each other CPU C', any store which propagates to C before
a release fence is executed (including all po-earlier
stores executed on C) is forced to propagate to C' before the
store associated with the release fence does.
Any store which propagates to C before a strong fence is
executed (including all po-earlier stores on C) is forced to
propagate to all other CPUs before any instructions po-after
the strong fence are executed on C.
The propagation ordering enforced by release fences and strong fences
affects stores from other CPUs that propagate to CPU C before the
fence is executed, as well as stores that are executed on C before the
fence. We describe this property by saying that release fences and
strong fences are A-cumulative. By contrast, smp_wmb() fences are not
A-cumulative; they only affect the propagation of stores that are
executed on C before the fence (i.e., those which precede the fence in
program order).
rcu_read_lock(), rcu_read_unlock(), and synchronize_rcu() fences have
other properties which we discuss later.
PROPAGATION ORDER RELATION: cumul-fence
---------------------------------------
The fences which affect propagation order (i.e., strong, release, and
smp_wmb() fences) are collectively referred to as cumul-fences, even
though smp_wmb() isn't A-cumulative. The cumul-fence relation is
defined to link memory access events E and F whenever:
E and F are both stores on the same CPU and an smp_wmb() fence
event occurs between them in program order; or
F is a release fence and some X comes before F in program order,
where either X = E or else E ->rf X; or
A strong fence event occurs between some X and F in program
order, where either X = E or else E ->rf X.
The operational model requires that whenever W and W' are both stores
and W ->cumul-fence W', then W must propagate to any given CPU
before W' does. However, for different CPUs C and C', it does not
require W to propagate to C before W' propagates to C'.
DERIVATION OF THE LKMM FROM THE OPERATIONAL MODEL
-------------------------------------------------
The LKMM is derived from the restrictions imposed by the design
outlined above. These restrictions involve the necessity of
maintaining cache coherence and the fact that a CPU can't operate on a
value before it knows what that value is, among other things.
The formal version of the LKMM is defined by six requirements, or
axioms:
Sequential consistency per variable: This requires that the
system obey the four coherency rules.
Atomicity: This requires that atomic read-modify-write
operations really are atomic, that is, no other stores can
sneak into the middle of such an update.
Happens-before: This requires that certain instructions are
executed in a specific order.
Propagation: This requires that certain stores propagate to
CPUs and to RAM in a specific order.
Rcu: This requires that RCU read-side critical sections and
grace periods obey the rules of RCU, in particular, the
Grace-Period Guarantee.
Plain-coherence: This requires that plain memory accesses
(those not using READ_ONCE(), WRITE_ONCE(), etc.) must obey
the operational model's rules regarding cache coherence.
The first and second are quite common; they can be found in many
memory models (such as those for C11/C++11). The "happens-before" and
"propagation" axioms have analogs in other memory models as well. The
"rcu" and "plain-coherence" axioms are specific to the LKMM.
Each of these axioms is discussed below.
SEQUENTIAL CONSISTENCY PER VARIABLE
-----------------------------------
According to the principle of cache coherence, the stores to any fixed
shared location in memory form a global ordering. We can imagine
inserting the loads from that location into this ordering, by placing
each load between the store that it reads from and the following
store. This leaves the relative positions of loads that read from the
same store unspecified; let's say they are inserted in program order,
first for CPU 0, then CPU 1, etc.
You can check that the four coherency rules imply that the rf, co, fr,
and po-loc relations agree with this global ordering; in other words,
whenever we have X ->rf Y or X ->co Y or X ->fr Y or X ->po-loc Y, the
X event comes before the Y event in the global ordering. The LKMM's
"coherence" axiom expresses this by requiring the union of these
relations not to have any cycles. This means it must not be possible
to find events
X0 -> X1 -> X2 -> ... -> Xn -> X0,
where each of the links is either rf, co, fr, or po-loc. This has to
hold if the accesses to the fixed memory location can be ordered as
cache coherence demands.
Although it is not obvious, it can be shown that the converse is also
true: This LKMM axiom implies that the four coherency rules are
obeyed.
ATOMIC UPDATES: rmw
-------------------
What does it mean to say that a read-modify-write (rmw) update, such
as atomic_inc(&x), is atomic? It means that the memory location (x in
this case) does not get altered between the read and the write events
making up the atomic operation. In particular, if two CPUs perform
atomic_inc(&x) concurrently, it must be guaranteed that the final
value of x will be the initial value plus two. We should never have
the following sequence of events:
CPU 0 loads x obtaining 13;
CPU 1 loads x obtaining 13;
CPU 0 stores 14 to x;
CPU 1 stores 14 to x;
where the final value of x is wrong (14 rather than 15).
In this example, CPU 0's increment effectively gets lost because it
occurs in between CPU 1's load and store. To put it another way, the
problem is that the position of CPU 0's store in x's coherence order
is between the store that CPU 1 reads from and the store that CPU 1
performs.
The same analysis applies to all atomic update operations. Therefore,
to enforce atomicity the LKMM requires that atomic updates follow this
rule: Whenever R and W are the read and write events composing an
atomic read-modify-write and W' is the write event which R reads from,
there must not be any stores coming between W' and W in the coherence
order. Equivalently,
(R ->rmw W) implies (there is no X with R ->fr X and X ->co W),
where the rmw relation links the read and write events making up each
atomic update. This is what the LKMM's "atomic" axiom says.
Atomic rmw updates play one more role in the LKMM: They can form "rmw
sequences". An rmw sequence is simply a bunch of atomic updates where
each update reads from the previous one. Written using events, it
looks like this:
Z0 ->rf Y1 ->rmw Z1 ->rf ... ->rf Yn ->rmw Zn,
where Z0 is some store event and n can be any number (even 0, in the
degenerate case). We write this relation as: Z0 ->rmw-sequence Zn.
Note that this implies Z0 and Zn are stores to the same variable.
Rmw sequences have a special property in the LKMM: They can extend the
cumul-fence relation. That is, if we have:
U ->cumul-fence X -> rmw-sequence Y
then also U ->cumul-fence Y. Thinking about this in terms of the
operational model, U ->cumul-fence X says that the store U propagates
to each CPU before the store X does. Then the fact that X and Y are
linked by an rmw sequence means that U also propagates to each CPU
before Y does. In an analogous way, rmw sequences can also extend
the w-post-bounded relation defined below in the PLAIN ACCESSES AND
DATA RACES section.
(The notion of rmw sequences in the LKMM is similar to, but not quite
the same as, that of release sequences in the C11 memory model. They
were added to the LKMM to fix an obscure bug; without them, atomic
updates with full-barrier semantics did not always guarantee ordering
at least as strong as atomic updates with release-barrier semantics.)
THE PRESERVED PROGRAM ORDER RELATION: ppo
-----------------------------------------
There are many situations where a CPU is obliged to execute two
instructions in program order. We amalgamate them into the ppo (for
"preserved program order") relation, which links the po-earlier
instruction to the po-later instruction and is thus a sub-relation of
po.
The operational model already includes a description of one such
situation: Fences are a source of ppo links. Suppose X and Y are
memory accesses with X ->po Y; then the CPU must execute X before Y if
any of the following hold:
A strong (smp_mb() or synchronize_rcu()) fence occurs between
X and Y;
X and Y are both stores and an smp_wmb() fence occurs between
them;
X and Y are both loads and an smp_rmb() fence occurs between
them;
X is also an acquire fence, such as smp_load_acquire();
Y is also a release fence, such as smp_store_release().
Another possibility, not mentioned earlier but discussed in the next
section, is:
X and Y are both loads, X ->addr Y (i.e., there is an address
dependency from X to Y), and X is a READ_ONCE() or an atomic
access.
Dependencies can also cause instructions to be executed in program
order. This is uncontroversial when the second instruction is a
store; either a data, address, or control dependency from a load R to
a store W will force the CPU to execute R before W. This is very
simply because the CPU cannot tell the memory subsystem about W's
store before it knows what value should be stored (in the case of a
data dependency), what location it should be stored into (in the case
of an address dependency), or whether the store should actually take
place (in the case of a control dependency).
Dependencies to load instructions are more problematic. To begin with,
there is no such thing as a data dependency to a load. Next, a CPU
has no reason to respect a control dependency to a load, because it
can always satisfy the second load speculatively before the first, and
then ignore the result if it turns out that the second load shouldn't
be executed after all. And lastly, the real difficulties begin when
we consider address dependencies to loads.
To be fair about it, all Linux-supported architectures do execute
loads in program order if there is an address dependency between them.
After all, a CPU cannot ask the memory subsystem to load a value from
a particular location before it knows what that location is. However,
the split-cache design used by Alpha can cause it to behave in a way
that looks as if the loads were executed out of order (see the next
section for more details). The kernel includes a workaround for this
problem when the loads come from READ_ONCE(), and therefore the LKMM
includes address dependencies to loads in the ppo relation.
On the other hand, dependencies can indirectly affect the ordering of
two loads. This happens when there is a dependency from a load to a
store and a second, po-later load reads from that store:
R ->dep W ->rfi R',
where the dep link can be either an address or a data dependency. In
this situation we know it is possible for the CPU to execute R' before
W, because it can forward the value that W will store to R'. But it
cannot execute R' before R, because it cannot forward the value before
it knows what that value is, or that W and R' do access the same
location. However, if there is merely a control dependency between R
and W then the CPU can speculatively forward W to R' before executing
R; if the speculation turns out to be wrong then the CPU merely has to
restart or abandon R'.
(In theory, a CPU might forward a store to a load when it runs across
an address dependency like this:
r1 = READ_ONCE(ptr);
WRITE_ONCE(*r1, 17);
r2 = READ_ONCE(*r1);
because it could tell that the store and the second load access the
same location even before it knows what the location's address is.
However, none of the architectures supported by the Linux kernel do
this.)
Two memory accesses of the same location must always be executed in
program order if the second access is a store. Thus, if we have
R ->po-loc W
(the po-loc link says that R comes before W in program order and they
access the same location), the CPU is obliged to execute W after R.
If it executed W first then the memory subsystem would respond to R's
read request with the value stored by W (or an even later store), in
violation of the read-write coherence rule. Similarly, if we had
W ->po-loc W'
and the CPU executed W' before W, then the memory subsystem would put
W' before W in the coherence order. It would effectively cause W to
overwrite W', in violation of the write-write coherence rule.
(Interestingly, an early ARMv8 memory model, now obsolete, proposed
allowing out-of-order writes like this to occur. The model avoided
violating the write-write coherence rule by requiring the CPU not to
send the W write to the memory subsystem at all!)
AND THEN THERE WAS ALPHA
------------------------
As mentioned above, the Alpha architecture is unique in that it does
not appear to respect address dependencies to loads. This means that
code such as the following:
int x = 0;
int y = -1;
int *ptr = &y;
P0()
{
WRITE_ONCE(x, 1);
smp_wmb();
WRITE_ONCE(ptr, &x);
}
P1()
{
int *r1;
int r2;
r1 = ptr;
r2 = READ_ONCE(*r1);
}
can malfunction on Alpha systems (notice that P1 uses an ordinary load
to read ptr instead of READ_ONCE()). It is quite possible that r1 = &x
and r2 = 0 at the end, in spite of the address dependency.
At first glance this doesn't seem to make sense. We know that the
smp_wmb() forces P0's store to x to propagate to P1 before the store
to ptr does. And since P1 can't execute its second load
until it knows what location to load from, i.e., after executing its
first load, the value x = 1 must have propagated to P1 before the
second load executed. So why doesn't r2 end up equal to 1?
The answer lies in the Alpha's split local caches. Although the two
stores do reach P1's local cache in the proper order, it can happen
that the first store is processed by a busy part of the cache while
the second store is processed by an idle part. As a result, the x = 1
value may not become available for P1's CPU to read until after the
ptr = &x value does, leading to the undesirable result above. The
final effect is that even though the two loads really are executed in
program order, it appears that they aren't.
This could not have happened if the local cache had processed the
incoming stores in FIFO order. By contrast, other architectures
maintain at least the appearance of FIFO order.
In practice, this difficulty is solved by inserting a special fence
between P1's two loads when the kernel is compiled for the Alpha
architecture. In fact, as of version 4.15, the kernel automatically
adds this fence after every READ_ONCE() and atomic load on Alpha. The
effect of the fence is to cause the CPU not to execute any po-later
instructions until after the local cache has finished processing all
the stores it has already received. Thus, if the code was changed to:
P1()
{
int *r1;
int r2;
r1 = READ_ONCE(ptr);
r2 = READ_ONCE(*r1);
}
then we would never get r1 = &x and r2 = 0. By the time P1 executed
its second load, the x = 1 store would already be fully processed by
the local cache and available for satisfying the read request. Thus
we have yet another reason why shared data should always be read with
READ_ONCE() or another synchronization primitive rather than accessed
directly.
The LKMM requires that smp_rmb(), acquire fences, and strong fences
share this property: They do not allow the CPU to execute any po-later
instructions (or po-later loads in the case of smp_rmb()) until all
outstanding stores have been processed by the local cache. In the
case of a strong fence, the CPU first has to wait for all of its
po-earlier stores to propagate to every other CPU in the system; then
it has to wait for the local cache to process all the stores received
as of that time -- not just the stores received when the strong fence
began.
And of course, none of this matters for any architecture other than
Alpha.
THE HAPPENS-BEFORE RELATION: hb
-------------------------------
The happens-before relation (hb) links memory accesses that have to
execute in a certain order. hb includes the ppo relation and two
others, one of which is rfe.
W ->rfe R implies that W and R are on different CPUs. It also means
that W's store must have propagated to R's CPU before R executed;
otherwise R could not have read the value stored by W. Therefore W
must have executed before R, and so we have W ->hb R.
The equivalent fact need not hold if W ->rfi R (i.e., W and R are on
the same CPU). As we have already seen, the operational model allows
W's value to be forwarded to R in such cases, meaning that R may well
execute before W does.
It's important to understand that neither coe nor fre is included in
hb, despite their similarities to rfe. For example, suppose we have
W ->coe W'. This means that W and W' are stores to the same location,
they execute on different CPUs, and W comes before W' in the coherence
order (i.e., W' overwrites W). Nevertheless, it is possible for W' to
execute before W, because the decision as to which store overwrites
the other is made later by the memory subsystem. When the stores are
nearly simultaneous, either one can come out on top. Similarly,
R ->fre W means that W overwrites the value which R reads, but it
doesn't mean that W has to execute after R. All that's necessary is
for the memory subsystem not to propagate W to R's CPU until after R
has executed, which is possible if W executes shortly before R.
The third relation included in hb is like ppo, in that it only links
events that are on the same CPU. However it is more difficult to
explain, because it arises only indirectly from the requirement of
cache coherence. The relation is called prop, and it links two events
on CPU C in situations where a store from some other CPU comes after
the first event in the coherence order and propagates to C before the
second event executes.
This is best explained with some examples. The simplest case looks
like this:
int x;
P0()
{
int r1;
WRITE_ONCE(x, 1);
r1 = READ_ONCE(x);
}
P1()
{
WRITE_ONCE(x, 8);
}
If r1 = 8 at the end then P0's accesses must have executed in program
order. We can deduce this from the operational model; if P0's load
had executed before its store then the value of the store would have
been forwarded to the load, so r1 would have ended up equal to 1, not
8. In this case there is a prop link from P0's write event to its read
event, because P1's store came after P0's store in x's coherence
order, and P1's store propagated to P0 before P0's load executed.
An equally simple case involves two loads of the same location that
read from different stores:
int x = 0;
P0()
{
int r1, r2;
r1 = READ_ONCE(x);
r2 = READ_ONCE(x);
}
P1()
{
WRITE_ONCE(x, 9);
}
If r1 = 0 and r2 = 9 at the end then P0's accesses must have executed
in program order. If the second load had executed before the first
then the x = 9 store must have been propagated to P0 before the first
load executed, and so r1 would have been 9 rather than 0. In this
case there is a prop link from P0's first read event to its second,
because P1's store overwrote the value read by P0's first load, and
P1's store propagated to P0 before P0's second load executed.
Less trivial examples of prop all involve fences. Unlike the simple
examples above, they can require that some instructions are executed
out of program order. This next one should look familiar:
int buf = 0, flag = 0;
P0()
{
WRITE_ONCE(buf, 1);
smp_wmb();
WRITE_ONCE(flag, 1);
}
P1()
{
int r1;
int r2;
r1 = READ_ONCE(flag);
r2 = READ_ONCE(buf);
}
This is the MP pattern again, with an smp_wmb() fence between the two
stores. If r1 = 1 and r2 = 0 at the end then there is a prop link
from P1's second load to its first (backwards!). The reason is
similar to the previous examples: The value P1 loads from buf gets
overwritten by P0's store to buf, the fence guarantees that the store
to buf will propagate to P1 before the store to flag does, and the
store to flag propagates to P1 before P1 reads flag.
The prop link says that in order to obtain the r1 = 1, r2 = 0 result,
P1 must execute its second load before the first. Indeed, if the load
from flag were executed first, then the buf = 1 store would already
have propagated to P1 by the time P1's load from buf executed, so r2
would have been 1 at the end, not 0. (The reasoning holds even for
Alpha, although the details are more complicated and we will not go
into them.)
But what if we put an smp_rmb() fence between P1's loads? The fence
would force the two loads to be executed in program order, and it
would generate a cycle in the hb relation: The fence would create a ppo
link (hence an hb link) from the first load to the second, and the
prop relation would give an hb link from the second load to the first.
Since an instruction can't execute before itself, we are forced to
conclude that if an smp_rmb() fence is added, the r1 = 1, r2 = 0
outcome is impossible -- as it should be.
The formal definition of the prop relation involves a coe or fre link,
followed by an arbitrary number of cumul-fence links, ending with an
rfe link. You can concoct more exotic examples, containing more than
one fence, although this quickly leads to diminishing returns in terms
of complexity. For instance, here's an example containing a coe link
followed by two cumul-fences and an rfe link, utilizing the fact that
release fences are A-cumulative:
int x, y, z;
P0()
{
int r0;
WRITE_ONCE(x, 1);
r0 = READ_ONCE(z);
}
P1()
{
WRITE_ONCE(x, 2);
smp_wmb();
WRITE_ONCE(y, 1);
}
P2()
{
int r2;
r2 = READ_ONCE(y);
smp_store_release(&z, 1);
}
If x = 2, r0 = 1, and r2 = 1 after this code runs then there is a prop
link from P0's store to its load. This is because P0's store gets
overwritten by P1's store since x = 2 at the end (a coe link), the
smp_wmb() ensures that P1's store to x propagates to P2 before the
store to y does (the first cumul-fence), the store to y propagates to P2
before P2's load and store execute, P2's smp_store_release()
guarantees that the stores to x and y both propagate to P0 before the
store to z does (the second cumul-fence), and P0's load executes after the
store to z has propagated to P0 (an rfe link).
In summary, the fact that the hb relation links memory access events
in the order they execute means that it must not have cycles. This
requirement is the content of the LKMM's "happens-before" axiom.
The LKMM defines yet another relation connected to times of
instruction execution, but it is not included in hb. It relies on the
particular properties of strong fences, which we cover in the next
section.
THE PROPAGATES-BEFORE RELATION: pb
----------------------------------
The propagates-before (pb) relation capitalizes on the special
features of strong fences. It links two events E and F whenever some
store is coherence-later than E and propagates to every CPU and to RAM
before F executes. The formal definition requires that E be linked to
F via a coe or fre link, an arbitrary number of cumul-fences, an
optional rfe link, a strong fence, and an arbitrary number of hb
links. Let's see how this definition works out.
Consider first the case where E is a store (implying that the sequence
of links begins with coe). Then there are events W, X, Y, and Z such
that:
E ->coe W ->cumul-fence* X ->rfe? Y ->strong-fence Z ->hb* F,
where the * suffix indicates an arbitrary number of links of the
specified type, and the ? suffix indicates the link is optional (Y may
be equal to X). Because of the cumul-fence links, we know that W will
propagate to Y's CPU before X does, hence before Y executes and hence
before the strong fence executes. Because this fence is strong, we
know that W will propagate to every CPU and to RAM before Z executes.
And because of the hb links, we know that Z will execute before F.
Thus W, which comes later than E in the coherence order, will
propagate to every CPU and to RAM before F executes.
The case where E is a load is exactly the same, except that the first
link in the sequence is fre instead of coe.
The existence of a pb link from E to F implies that E must execute
before F. To see why, suppose that F executed first. Then W would
have propagated to E's CPU before E executed. If E was a store, the
memory subsystem would then be forced to make E come after W in the
coherence order, contradicting the fact that E ->coe W. If E was a
load, the memory subsystem would then be forced to satisfy E's read
request with the value stored by W or an even later store,
contradicting the fact that E ->fre W.
A good example illustrating how pb works is the SB pattern with strong
fences:
int x = 0, y = 0;
P0()
{
int r0;
WRITE_ONCE(x, 1);
smp_mb();
r0 = READ_ONCE(y);
}
P1()
{
int r1;
WRITE_ONCE(y, 1);
smp_mb();
r1 = READ_ONCE(x);
}
If r0 = 0 at the end then there is a pb link from P0's load to P1's
load: an fre link from P0's load to P1's store (which overwrites the
value read by P0), and a strong fence between P1's store and its load.
In this example, the sequences of cumul-fence and hb links are empty.
Note that this pb link is not included in hb as an instance of prop,
because it does not start and end on the same CPU.
Similarly, if r1 = 0 at the end then there is a pb link from P1's load
to P0's. This means that if both r1 and r2 were 0 there would be a
cycle in pb, which is not possible since an instruction cannot execute
before itself. Thus, adding smp_mb() fences to the SB pattern
prevents the r0 = 0, r1 = 0 outcome.
In summary, the fact that the pb relation links events in the order
they execute means that it cannot have cycles. This requirement is
the content of the LKMM's "propagation" axiom.
RCU RELATIONS: rcu-link, rcu-gp, rcu-rscsi, rcu-order, rcu-fence, and rb
------------------------------------------------------------------------
RCU (Read-Copy-Update) is a powerful synchronization mechanism. It
rests on two concepts: grace periods and read-side critical sections.
A grace period is the span of time occupied by a call to
synchronize_rcu(). A read-side critical section (or just critical
section, for short) is a region of code delimited by rcu_read_lock()
at the start and rcu_read_unlock() at the end. Critical sections can
be nested, although we won't make use of this fact.
As far as memory models are concerned, RCU's main feature is its
Grace-Period Guarantee, which states that a critical section can never
span a full grace period. In more detail, the Guarantee says:
For any critical section C and any grace period G, at least
one of the following statements must hold:
(1) C ends before G does, and in addition, every store that
propagates to C's CPU before the end of C must propagate to
every CPU before G ends.
(2) G starts before C does, and in addition, every store that
propagates to G's CPU before the start of G must propagate
to every CPU before C starts.
In particular, it is not possible for a critical section to both start
before and end after a grace period.
Here is a simple example of RCU in action:
int x, y;
P0()
{
rcu_read_lock();
WRITE_ONCE(x, 1);
WRITE_ONCE(y, 1);
rcu_read_unlock();
}
P1()
{
int r1, r2;
r1 = READ_ONCE(x);
synchronize_rcu();
r2 = READ_ONCE(y);
}
The Grace Period Guarantee tells us that when this code runs, it will
never end with r1 = 1 and r2 = 0. The reasoning is as follows. r1 = 1
means that P0's store to x propagated to P1 before P1 called
synchronize_rcu(), so P0's critical section must have started before
P1's grace period, contrary to part (2) of the Guarantee. On the
other hand, r2 = 0 means that P0's store to y, which occurs before the
end of the critical section, did not propagate to P1 before the end of
the grace period, contrary to part (1). Together the results violate
the Guarantee.
In the kernel's implementations of RCU, the requirements for stores
to propagate to every CPU are fulfilled by placing strong fences at
suitable places in the RCU-related code. Thus, if a critical section
starts before a grace period does then the critical section's CPU will
execute an smp_mb() fence after the end of the critical section and
some time before the grace period's synchronize_rcu() call returns.
And if a critical section ends after a grace period does then the
synchronize_rcu() routine will execute an smp_mb() fence at its start
and some time before the critical section's opening rcu_read_lock()
executes.
What exactly do we mean by saying that a critical section "starts
before" or "ends after" a grace period? Some aspects of the meaning
are pretty obvious, as in the example above, but the details aren't
entirely clear. The LKMM formalizes this notion by means of the
rcu-link relation. rcu-link encompasses a very general notion of
"before": If E and F are RCU fence events (i.e., rcu_read_lock(),
rcu_read_unlock(), or synchronize_rcu()) then among other things,
E ->rcu-link F includes cases where E is po-before some memory-access
event X, F is po-after some memory-access event Y, and we have any of
X ->rfe Y, X ->co Y, or X ->fr Y.
The formal definition of the rcu-link relation is more than a little
obscure, and we won't give it here. It is closely related to the pb
relation, and the details don't matter unless you want to comb through
a somewhat lengthy formal proof. Pretty much all you need to know
about rcu-link is the information in the preceding paragraph.
The LKMM also defines the rcu-gp and rcu-rscsi relations. They bring
grace periods and read-side critical sections into the picture, in the
following way:
E ->rcu-gp F means that E and F are in fact the same event,
and that event is a synchronize_rcu() fence (i.e., a grace
period).
E ->rcu-rscsi F means that E and F are the rcu_read_unlock()
and rcu_read_lock() fence events delimiting some read-side
critical section. (The 'i' at the end of the name emphasizes
that this relation is "inverted": It links the end of the
critical section to the start.)
If we think of the rcu-link relation as standing for an extended
"before", then X ->rcu-gp Y ->rcu-link Z roughly says that X is a
grace period which ends before Z begins. (In fact it covers more than
this, because it also includes cases where some store propagates to
Z's CPU before Z begins but doesn't propagate to some other CPU until
after X ends.) Similarly, X ->rcu-rscsi Y ->rcu-link Z says that X is
the end of a critical section which starts before Z begins.
The LKMM goes on to define the rcu-order relation as a sequence of
rcu-gp and rcu-rscsi links separated by rcu-link links, in which the
number of rcu-gp links is >= the number of rcu-rscsi links. For
example:
X ->rcu-gp Y ->rcu-link Z ->rcu-rscsi T ->rcu-link U ->rcu-gp V
would imply that X ->rcu-order V, because this sequence contains two
rcu-gp links and one rcu-rscsi link. (It also implies that
X ->rcu-order T and Z ->rcu-order V.) On the other hand:
X ->rcu-rscsi Y ->rcu-link Z ->rcu-rscsi T ->rcu-link U ->rcu-gp V
does not imply X ->rcu-order V, because the sequence contains only
one rcu-gp link but two rcu-rscsi links.
The rcu-order relation is important because the Grace Period Guarantee
means that rcu-order links act kind of like strong fences. In
particular, E ->rcu-order F implies not only that E begins before F
ends, but also that any write po-before E will propagate to every CPU
before any instruction po-after F can execute. (However, it does not
imply that E must execute before F; in fact, each synchronize_rcu()
fence event is linked to itself by rcu-order as a degenerate case.)
To prove this in full generality requires some intellectual effort.
We'll consider just a very simple case:
G ->rcu-gp W ->rcu-link Z ->rcu-rscsi F.
This formula means that G and W are the same event (a grace period),
and there are events X, Y and a read-side critical section C such that:
1. G = W is po-before or equal to X;
2. X comes "before" Y in some sense (including rfe, co and fr);
3. Y is po-before Z;
4. Z is the rcu_read_unlock() event marking the end of C;
5. F is the rcu_read_lock() event marking the start of C.
From 1 - 4 we deduce that the grace period G ends before the critical
section C. Then part (2) of the Grace Period Guarantee says not only
that G starts before C does, but also that any write which executes on
G's CPU before G starts must propagate to every CPU before C starts.
In particular, the write propagates to every CPU before F finishes
executing and hence before any instruction po-after F can execute.
This sort of reasoning can be extended to handle all the situations
covered by rcu-order.
The rcu-fence relation is a simple extension of rcu-order. While
rcu-order only links certain fence events (calls to synchronize_rcu(),
rcu_read_lock(), or rcu_read_unlock()), rcu-fence links any events
that are separated by an rcu-order link. This is analogous to the way
the strong-fence relation links events that are separated by an
smp_mb() fence event (as mentioned above, rcu-order links act kind of
like strong fences). Written symbolically, X ->rcu-fence Y means
there are fence events E and F such that:
X ->po E ->rcu-order F ->po Y.
From the discussion above, we see this implies not only that X
executes before Y, but also (if X is a store) that X propagates to
every CPU before Y executes. Thus rcu-fence is sort of a
"super-strong" fence: Unlike the original strong fences (smp_mb() and
synchronize_rcu()), rcu-fence is able to link events on different
CPUs. (Perhaps this fact should lead us to say that rcu-fence isn't
really a fence at all!)
Finally, the LKMM defines the RCU-before (rb) relation in terms of
rcu-fence. This is done in essentially the same way as the pb
relation was defined in terms of strong-fence. We will omit the
details; the end result is that E ->rb F implies E must execute
before F, just as E ->pb F does (and for much the same reasons).
Putting this all together, the LKMM expresses the Grace Period
Guarantee by requiring that the rb relation does not contain a cycle.
Equivalently, this "rcu" axiom requires that there are no events E
and F with E ->rcu-link F ->rcu-order E. Or to put it a third way,
the axiom requires that there are no cycles consisting of rcu-gp and
rcu-rscsi alternating with rcu-link, where the number of rcu-gp links
is >= the number of rcu-rscsi links.
Justifying the axiom isn't easy, but it is in fact a valid
formalization of the Grace Period Guarantee. We won't attempt to go
through the detailed argument, but the following analysis gives a
taste of what is involved. Suppose both parts of the Guarantee are
violated: A critical section starts before a grace period, and some
store propagates to the critical section's CPU before the end of the
critical section but doesn't propagate to some other CPU until after
the end of the grace period.
Putting symbols to these ideas, let L and U be the rcu_read_lock() and
rcu_read_unlock() fence events delimiting the critical section in
question, and let S be the synchronize_rcu() fence event for the grace
period. Saying that the critical section starts before S means there
are events Q and R where Q is po-after L (which marks the start of the
critical section), Q is "before" R in the sense used by the rcu-link
relation, and R is po-before the grace period S. Thus we have:
L ->rcu-link S.
Let W be the store mentioned above, let Y come before the end of the
critical section and witness that W propagates to the critical
section's CPU by reading from W, and let Z on some arbitrary CPU be a
witness that W has not propagated to that CPU, where Z happens after
some event X which is po-after S. Symbolically, this amounts to:
S ->po X ->hb* Z ->fr W ->rf Y ->po U.
The fr link from Z to W indicates that W has not propagated to Z's CPU
at the time that Z executes. From this, it can be shown (see the
discussion of the rcu-link relation earlier) that S and U are related
by rcu-link:
S ->rcu-link U.
Since S is a grace period we have S ->rcu-gp S, and since L and U are
the start and end of the critical section C we have U ->rcu-rscsi L.
From this we obtain:
S ->rcu-gp S ->rcu-link U ->rcu-rscsi L ->rcu-link S,
a forbidden cycle. Thus the "rcu" axiom rules out this violation of
the Grace Period Guarantee.
For something a little more down-to-earth, let's see how the axiom
works out in practice. Consider the RCU code example from above, this
time with statement labels added:
int x, y;
P0()
{
L: rcu_read_lock();
X: WRITE_ONCE(x, 1);
Y: WRITE_ONCE(y, 1);
U: rcu_read_unlock();
}
P1()
{
int r1, r2;
Z: r1 = READ_ONCE(x);
S: synchronize_rcu();
W: r2 = READ_ONCE(y);
}
If r2 = 0 at the end then P0's store at Y overwrites the value that
P1's load at W reads from, so we have W ->fre Y. Since S ->po W and
also Y ->po U, we get S ->rcu-link U. In addition, S ->rcu-gp S
because S is a grace period.
If r1 = 1 at the end then P1's load at Z reads from P0's store at X,
so we have X ->rfe Z. Together with L ->po X and Z ->po S, this
yields L ->rcu-link S. And since L and U are the start and end of a
critical section, we have U ->rcu-rscsi L.
Then U ->rcu-rscsi L ->rcu-link S ->rcu-gp S ->rcu-link U is a
forbidden cycle, violating the "rcu" axiom. Hence the outcome is not
allowed by the LKMM, as we would expect.
For contrast, let's see what can happen in a more complicated example:
int x, y, z;
P0()
{
int r0;
L0: rcu_read_lock();
r0 = READ_ONCE(x);
WRITE_ONCE(y, 1);
U0: rcu_read_unlock();
}
P1()
{
int r1;
r1 = READ_ONCE(y);
S1: synchronize_rcu();
WRITE_ONCE(z, 1);
}
P2()
{
int r2;
L2: rcu_read_lock();
r2 = READ_ONCE(z);
WRITE_ONCE(x, 1);
U2: rcu_read_unlock();
}
If r0 = r1 = r2 = 1 at the end, then similar reasoning to before shows
that U0 ->rcu-rscsi L0 ->rcu-link S1 ->rcu-gp S1 ->rcu-link U2 ->rcu-rscsi
L2 ->rcu-link U0. However this cycle is not forbidden, because the
sequence of relations contains fewer instances of rcu-gp (one) than of
rcu-rscsi (two). Consequently the outcome is allowed by the LKMM.
The following instruction timing diagram shows how it might actually
occur:
P0 P1 P2
-------------------- -------------------- --------------------
rcu_read_lock()
WRITE_ONCE(y, 1)
r1 = READ_ONCE(y)
synchronize_rcu() starts
. rcu_read_lock()
. WRITE_ONCE(x, 1)
r0 = READ_ONCE(x) .
rcu_read_unlock() .
synchronize_rcu() ends
WRITE_ONCE(z, 1)
r2 = READ_ONCE(z)
rcu_read_unlock()
This requires P0 and P2 to execute their loads and stores out of
program order, but of course they are allowed to do so. And as you
can see, the Grace Period Guarantee is not violated: The critical
section in P0 both starts before P1's grace period does and ends
before it does, and the critical section in P2 both starts after P1's
grace period does and ends after it does.
The LKMM supports SRCU (Sleepable Read-Copy-Update) in addition to
normal RCU. The ideas involved are much the same as above, with new
relations srcu-gp and srcu-rscsi added to represent SRCU grace periods
and read-side critical sections. However, there are some significant
differences between RCU read-side critical sections and their SRCU
counterparts, as described in the next section.
SRCU READ-SIDE CRITICAL SECTIONS
--------------------------------
The LKMM uses the srcu-rscsi relation to model SRCU read-side critical
sections. They differ from RCU read-side critical sections in the
following respects:
1. Unlike the analogous RCU primitives, synchronize_srcu(),
srcu_read_lock(), and srcu_read_unlock() take a pointer to a
struct srcu_struct as an argument. This structure is called
an SRCU domain, and calls linked by srcu-rscsi must have the
same domain. Read-side critical sections and grace periods
associated with different domains are independent of one
another; the SRCU version of the RCU Guarantee applies only
to pairs of critical sections and grace periods having the
same domain.
2. srcu_read_lock() returns a value, called the index, which must
be passed to the matching srcu_read_unlock() call. Unlike
rcu_read_lock() and rcu_read_unlock(), an srcu_read_lock()
call does not always have to match the next unpaired
srcu_read_unlock(). In fact, it is possible for two SRCU
read-side critical sections to overlap partially, as in the
following example (where s is an srcu_struct and idx1 and idx2
are integer variables):
idx1 = srcu_read_lock(&s); // Start of first RSCS
idx2 = srcu_read_lock(&s); // Start of second RSCS
srcu_read_unlock(&s, idx1); // End of first RSCS
srcu_read_unlock(&s, idx2); // End of second RSCS
The matching is determined entirely by the domain pointer and
index value. By contrast, if the calls had been
rcu_read_lock() and rcu_read_unlock() then they would have
created two nested (fully overlapping) read-side critical
sections: an inner one and an outer one.
3. The srcu_down_read() and srcu_up_read() primitives work
exactly like srcu_read_lock() and srcu_read_unlock(), except
that matching calls don't have to execute on the same CPU.
(The names are meant to be suggestive of operations on
semaphores.) Since the matching is determined by the domain
pointer and index value, these primitives make it possible for
an SRCU read-side critical section to start on one CPU and end
on another, so to speak.
In order to account for these properties of SRCU, the LKMM models
srcu_read_lock() as a special type of load event (which is
appropriate, since it takes a memory location as argument and returns
a value, just as a load does) and srcu_read_unlock() as a special type
of store event (again appropriate, since it takes as arguments a
memory location and a value). These loads and stores are annotated as
belonging to the "srcu-lock" and "srcu-unlock" event classes
respectively.
This approach allows the LKMM to tell whether two events are
associated with the same SRCU domain, simply by checking whether they
access the same memory location (i.e., they are linked by the loc
relation). It also gives a way to tell which unlock matches a
particular lock, by checking for the presence of a data dependency
from the load (srcu-lock) to the store (srcu-unlock). For example,
given the situation outlined earlier (with statement labels added):
A: idx1 = srcu_read_lock(&s);
B: idx2 = srcu_read_lock(&s);
C: srcu_read_unlock(&s, idx1);
D: srcu_read_unlock(&s, idx2);
the LKMM will treat A and B as loads from s yielding values saved in
idx1 and idx2 respectively. Similarly, it will treat C and D as
though they stored the values from idx1 and idx2 in s. The end result
is much as if we had written:
A: idx1 = READ_ONCE(s);
B: idx2 = READ_ONCE(s);
C: WRITE_ONCE(s, idx1);
D: WRITE_ONCE(s, idx2);
except for the presence of the special srcu-lock and srcu-unlock
annotations. You can see at once that we have A ->data C and
B ->data D. These dependencies tell the LKMM that C is the
srcu-unlock event matching srcu-lock event A, and D is the
srcu-unlock event matching srcu-lock event B.
This approach is admittedly a hack, and it has the potential to lead
to problems. For example, in:
idx1 = srcu_read_lock(&s);
srcu_read_unlock(&s, idx1);
idx2 = srcu_read_lock(&s);
srcu_read_unlock(&s, idx2);
the LKMM will believe that idx2 must have the same value as idx1,
since it reads from the immediately preceding store of idx1 in s.
Fortunately this won't matter, assuming that litmus tests never do
anything with SRCU index values other than pass them to
srcu_read_unlock() or srcu_up_read() calls.
However, sometimes it is necessary to store an index value in a
shared variable temporarily. In fact, this is the only way for
srcu_down_read() to pass the index it gets to an srcu_up_read() call
on a different CPU. In more detail, we might have soething like:
struct srcu_struct s;
int x;
P0()
{
int r0;
A: r0 = srcu_down_read(&s);
B: WRITE_ONCE(x, r0);
}
P1()
{
int r1;
C: r1 = READ_ONCE(x);
D: srcu_up_read(&s, r1);
}
Assuming that P1 executes after P0 and does read the index value
stored in x, we can write this (using brackets to represent event
annotations) as:
A[srcu-lock] ->data B[once] ->rf C[once] ->data D[srcu-unlock].
The LKMM defines a carry-srcu-data relation to express this pattern;
it permits an arbitrarily long sequence of
data ; rf
pairs (that is, a data link followed by an rf link) to occur between
an srcu-lock event and the final data dependency leading to the
matching srcu-unlock event. carry-srcu-data is complicated by the
need to ensure that none of the intermediate store events in this
sequence are instances of srcu-unlock. This is necessary because in a
pattern like the one above:
A: idx1 = srcu_read_lock(&s);
B: srcu_read_unlock(&s, idx1);
C: idx2 = srcu_read_lock(&s);
D: srcu_read_unlock(&s, idx2);
the LKMM treats B as a store to the variable s and C as a load from
that variable, creating an undesirable rf link from B to C:
A ->data B ->rf C ->data D.
This would cause carry-srcu-data to mistakenly extend a data
dependency from A to D, giving the impression that D was the
srcu-unlock event matching A's srcu-lock. To avoid such problems,
carry-srcu-data does not accept sequences in which the ends of any of
the intermediate ->data links (B above) is an srcu-unlock event.
LOCKING
-------
The LKMM includes locking. In fact, there is special code for locking
in the formal model, added in order to make tools run faster.
However, this special code is intended to be more or less equivalent
to concepts we have already covered. A spinlock_t variable is treated
the same as an int, and spin_lock(&s) is treated almost the same as:
while (cmpxchg_acquire(&s, 0, 1) != 0)
cpu_relax();
This waits until s is equal to 0 and then atomically sets it to 1,
and the read part of the cmpxchg operation acts as an acquire fence.
An alternate way to express the same thing would be:
r = xchg_acquire(&s, 1);
along with a requirement that at the end, r = 0. Similarly,
spin_trylock(&s) is treated almost the same as:
return !cmpxchg_acquire(&s, 0, 1);
which atomically sets s to 1 if it is currently equal to 0 and returns
true if it succeeds (the read part of the cmpxchg operation acts as an
acquire fence only if the operation is successful). spin_unlock(&s)
is treated almost the same as:
smp_store_release(&s, 0);
The "almost" qualifiers above need some explanation. In the LKMM, the
store-release in a spin_unlock() and the load-acquire which forms the
first half of the atomic rmw update in a spin_lock() or a successful
spin_trylock() -- we can call these things lock-releases and
lock-acquires -- have two properties beyond those of ordinary releases
and acquires.
First, when a lock-acquire reads from or is po-after a lock-release,
the LKMM requires that every instruction po-before the lock-release
must execute before any instruction po-after the lock-acquire. This
would naturally hold if the release and acquire operations were on
different CPUs and accessed the same lock variable, but the LKMM says
it also holds when they are on the same CPU, even if they access
different lock variables. For example:
int x, y;
spinlock_t s, t;
P0()
{
int r1, r2;
spin_lock(&s);
r1 = READ_ONCE(x);
spin_unlock(&s);
spin_lock(&t);
r2 = READ_ONCE(y);
spin_unlock(&t);
}
P1()
{
WRITE_ONCE(y, 1);
smp_wmb();
WRITE_ONCE(x, 1);
}
Here the second spin_lock() is po-after the first spin_unlock(), and
therefore the load of x must execute before the load of y, even though
the two locking operations use different locks. Thus we cannot have
r1 = 1 and r2 = 0 at the end (this is an instance of the MP pattern).
This requirement does not apply to ordinary release and acquire
fences, only to lock-related operations. For instance, suppose P0()
in the example had been written as:
P0()
{
int r1, r2, r3;
r1 = READ_ONCE(x);
smp_store_release(&s, 1);
r3 = smp_load_acquire(&s);
r2 = READ_ONCE(y);
}
Then the CPU would be allowed to forward the s = 1 value from the
smp_store_release() to the smp_load_acquire(), executing the
instructions in the following order:
r3 = smp_load_acquire(&s); // Obtains r3 = 1
r2 = READ_ONCE(y);
r1 = READ_ONCE(x);
smp_store_release(&s, 1); // Value is forwarded
and thus it could load y before x, obtaining r2 = 0 and r1 = 1.
Second, when a lock-acquire reads from or is po-after a lock-release,
and some other stores W and W' occur po-before the lock-release and
po-after the lock-acquire respectively, the LKMM requires that W must
propagate to each CPU before W' does. For example, consider:
int x, y;
spinlock_t s;
P0()
{
spin_lock(&s);
WRITE_ONCE(x, 1);
spin_unlock(&s);
}
P1()
{
int r1;
spin_lock(&s);
r1 = READ_ONCE(x);
WRITE_ONCE(y, 1);
spin_unlock(&s);
}
P2()
{
int r2, r3;
r2 = READ_ONCE(y);
smp_rmb();
r3 = READ_ONCE(x);
}
If r1 = 1 at the end then the spin_lock() in P1 must have read from
the spin_unlock() in P0. Hence the store to x must propagate to P2
before the store to y does, so we cannot have r2 = 1 and r3 = 0. But
if P1 had used a lock variable different from s, the writes could have
propagated in either order. (On the other hand, if the code in P0 and
P1 had all executed on a single CPU, as in the example before this
one, then the writes would have propagated in order even if the two
critical sections used different lock variables.)
These two special requirements for lock-release and lock-acquire do
not arise from the operational model. Nevertheless, kernel developers
have come to expect and rely on them because they do hold on all
architectures supported by the Linux kernel, albeit for various
differing reasons.
PLAIN ACCESSES AND DATA RACES
-----------------------------
In the LKMM, memory accesses such as READ_ONCE(x), atomic_inc(&y),
smp_load_acquire(&z), and so on are collectively referred to as
"marked" accesses, because they are all annotated with special
operations of one kind or another. Ordinary C-language memory
accesses such as x or y = 0 are simply called "plain" accesses.
Early versions of the LKMM had nothing to say about plain accesses.
The C standard allows compilers to assume that the variables affected
by plain accesses are not concurrently read or written by any other
threads or CPUs. This leaves compilers free to implement all manner
of transformations or optimizations of code containing plain accesses,
making such code very difficult for a memory model to handle.
Here is just one example of a possible pitfall:
int a = 6;
int *x = &a;
P0()
{
int *r1;
int r2 = 0;
r1 = x;
if (r1 != NULL)
r2 = READ_ONCE(*r1);
}
P1()
{
WRITE_ONCE(x, NULL);
}
On the face of it, one would expect that when this code runs, the only
possible final values for r2 are 6 and 0, depending on whether or not
P1's store to x propagates to P0 before P0's load from x executes.
But since P0's load from x is a plain access, the compiler may decide
to carry out the load twice (for the comparison against NULL, then again
for the READ_ONCE()) and eliminate the temporary variable r1. The
object code generated for P0 could therefore end up looking rather
like this:
P0()
{
int r2 = 0;
if (x != NULL)
r2 = READ_ONCE(*x);
}
And now it is obvious that this code runs the risk of dereferencing a
NULL pointer, because P1's store to x might propagate to P0 after the
test against NULL has been made but before the READ_ONCE() executes.
If the original code had said "r1 = READ_ONCE(x)" instead of "r1 = x",
the compiler would not have performed this optimization and there
would be no possibility of a NULL-pointer dereference.
Given the possibility of transformations like this one, the LKMM
doesn't try to predict all possible outcomes of code containing plain
accesses. It is instead content to determine whether the code
violates the compiler's assumptions, which would render the ultimate
outcome undefined.
In technical terms, the compiler is allowed to assume that when the
program executes, there will not be any data races. A "data race"
occurs when there are two memory accesses such that:
1. they access the same location,
2. at least one of them is a store,
3. at least one of them is plain,
4. they occur on different CPUs (or in different threads on the
same CPU), and
5. they execute concurrently.
In the literature, two accesses are said to "conflict" if they satisfy
1 and 2 above. We'll go a little farther and say that two accesses
are "race candidates" if they satisfy 1 - 4. Thus, whether or not two
race candidates actually do race in a given execution depends on
whether they are concurrent.
The LKMM tries to determine whether a program contains race candidates
which may execute concurrently; if it does then the LKMM says there is
a potential data race and makes no predictions about the program's
outcome.
Determining whether two accesses are race candidates is easy; you can
see that all the concepts involved in the definition above are already
part of the memory model. The hard part is telling whether they may
execute concurrently. The LKMM takes a conservative attitude,
assuming that accesses may be concurrent unless it can prove they
are not.
If two memory accesses aren't concurrent then one must execute before
the other. Therefore the LKMM decides two accesses aren't concurrent
if they can be connected by a sequence of hb, pb, and rb links
(together referred to as xb, for "executes before"). However, there
are two complicating factors.
If X is a load and X executes before a store Y, then indeed there is
no danger of X and Y being concurrent. After all, Y can't have any
effect on the value obtained by X until the memory subsystem has
propagated Y from its own CPU to X's CPU, which won't happen until
some time after Y executes and thus after X executes. But if X is a
store, then even if X executes before Y it is still possible that X
will propagate to Y's CPU just as Y is executing. In such a case X
could very well interfere somehow with Y, and we would have to
consider X and Y to be concurrent.
Therefore when X is a store, for X and Y to be non-concurrent the LKMM
requires not only that X must execute before Y but also that X must
propagate to Y's CPU before Y executes. (Or vice versa, of course, if
Y executes before X -- then Y must propagate to X's CPU before X
executes if Y is a store.) This is expressed by the visibility
relation (vis), where X ->vis Y is defined to hold if there is an
intermediate event Z such that:
X is connected to Z by a possibly empty sequence of
cumul-fence links followed by an optional rfe link (if none of
these links are present, X and Z are the same event),
and either:
Z is connected to Y by a strong-fence link followed by a
possibly empty sequence of xb links,
or:
Z is on the same CPU as Y and is connected to Y by a possibly
empty sequence of xb links (again, if the sequence is empty it
means Z and Y are the same event).
The motivations behind this definition are straightforward:
cumul-fence memory barriers force stores that are po-before
the barrier to propagate to other CPUs before stores that are
po-after the barrier.
An rfe link from an event W to an event R says that R reads
from W, which certainly means that W must have propagated to
R's CPU before R executed.
strong-fence memory barriers force stores that are po-before
the barrier, or that propagate to the barrier's CPU before the
barrier executes, to propagate to all CPUs before any events
po-after the barrier can execute.
To see how this works out in practice, consider our old friend, the MP
pattern (with fences and statement labels, but without the conditional
test):
int buf = 0, flag = 0;
P0()
{
X: WRITE_ONCE(buf, 1);
smp_wmb();
W: WRITE_ONCE(flag, 1);
}
P1()
{
int r1;
int r2 = 0;
Z: r1 = READ_ONCE(flag);
smp_rmb();
Y: r2 = READ_ONCE(buf);
}
The smp_wmb() memory barrier gives a cumul-fence link from X to W, and
assuming r1 = 1 at the end, there is an rfe link from W to Z. This
means that the store to buf must propagate from P0 to P1 before Z
executes. Next, Z and Y are on the same CPU and the smp_rmb() fence
provides an xb link from Z to Y (i.e., it forces Z to execute before
Y). Therefore we have X ->vis Y: X must propagate to Y's CPU before Y
executes.
The second complicating factor mentioned above arises from the fact
that when we are considering data races, some of the memory accesses
are plain. Now, although we have not said so explicitly, up to this
point most of the relations defined by the LKMM (ppo, hb, prop,
cumul-fence, pb, and so on -- including vis) apply only to marked
accesses.
There are good reasons for this restriction. The compiler is not
allowed to apply fancy transformations to marked accesses, and
consequently each such access in the source code corresponds more or
less directly to a single machine instruction in the object code. But
plain accesses are a different story; the compiler may combine them,
split them up, duplicate them, eliminate them, invent new ones, and
who knows what else. Seeing a plain access in the source code tells
you almost nothing about what machine instructions will end up in the
object code.
Fortunately, the compiler isn't completely free; it is subject to some
limitations. For one, it is not allowed to introduce a data race into
the object code if the source code does not already contain a data
race (if it could, memory models would be useless and no multithreaded
code would be safe!). For another, it cannot move a plain access past
a compiler barrier.
A compiler barrier is a kind of fence, but as the name implies, it
only affects the compiler; it does not necessarily have any effect on
how instructions are executed by the CPU. In Linux kernel source
code, the barrier() function is a compiler barrier. It doesn't give
rise directly to any machine instructions in the object code; rather,
it affects how the compiler generates the rest of the object code.
Given source code like this:
... some memory accesses ...
barrier();
... some other memory accesses ...
the barrier() function ensures that the machine instructions
corresponding to the first group of accesses will all end po-before
any machine instructions corresponding to the second group of accesses
-- even if some of the accesses are plain. (Of course, the CPU may
then execute some of those accesses out of program order, but we
already know how to deal with such issues.) Without the barrier()
there would be no such guarantee; the two groups of accesses could be
intermingled or even reversed in the object code.
The LKMM doesn't say much about the barrier() function, but it does
require that all fences are also compiler barriers. In addition, it
requires that the ordering properties of memory barriers such as
smp_rmb() or smp_store_release() apply to plain accesses as well as to
marked accesses.
This is the key to analyzing data races. Consider the MP pattern
again, now using plain accesses for buf:
int buf = 0, flag = 0;
P0()
{
U: buf = 1;
smp_wmb();
X: WRITE_ONCE(flag, 1);
}
P1()
{
int r1;
int r2 = 0;
Y: r1 = READ_ONCE(flag);
if (r1) {
smp_rmb();
V: r2 = buf;
}
}
This program does not contain a data race. Although the U and V
accesses are race candidates, the LKMM can prove they are not
concurrent as follows:
The smp_wmb() fence in P0 is both a compiler barrier and a
cumul-fence. It guarantees that no matter what hash of
machine instructions the compiler generates for the plain
access U, all those instructions will be po-before the fence.
Consequently U's store to buf, no matter how it is carried out
at the machine level, must propagate to P1 before X's store to
flag does.
X and Y are both marked accesses. Hence an rfe link from X to
Y is a valid indicator that X propagated to P1 before Y
executed, i.e., X ->vis Y. (And if there is no rfe link then
r1 will be 0, so V will not be executed and ipso facto won't
race with U.)
The smp_rmb() fence in P1 is a compiler barrier as well as a
fence. It guarantees that all the machine-level instructions
corresponding to the access V will be po-after the fence, and
therefore any loads among those instructions will execute
after the fence does and hence after Y does.
Thus U's store to buf is forced to propagate to P1 before V's load
executes (assuming V does execute), ruling out the possibility of a
data race between them.
This analysis illustrates how the LKMM deals with plain accesses in
general. Suppose R is a plain load and we want to show that R
executes before some marked access E. We can do this by finding a
marked access X such that R and X are ordered by a suitable fence and
X ->xb* E. If E was also a plain access, we would also look for a
marked access Y such that X ->xb* Y, and Y and E are ordered by a
fence. We describe this arrangement by saying that R is
"post-bounded" by X and E is "pre-bounded" by Y.
In fact, we go one step further: Since R is a read, we say that R is
"r-post-bounded" by X. Similarly, E would be "r-pre-bounded" or
"w-pre-bounded" by Y, depending on whether E was a store or a load.
This distinction is needed because some fences affect only loads
(i.e., smp_rmb()) and some affect only stores (smp_wmb()); otherwise
the two types of bounds are the same. And as a degenerate case, we
say that a marked access pre-bounds and post-bounds itself (e.g., if R
above were a marked load then X could simply be taken to be R itself.)
The need to distinguish between r- and w-bounding raises yet another
issue. When the source code contains a plain store, the compiler is
allowed to put plain loads of the same location into the object code.
For example, given the source code:
x = 1;
the compiler is theoretically allowed to generate object code that
looks like:
if (x != 1)
x = 1;
thereby adding a load (and possibly replacing the store entirely).
For this reason, whenever the LKMM requires a plain store to be
w-pre-bounded or w-post-bounded by a marked access, it also requires
the store to be r-pre-bounded or r-post-bounded, so as to handle cases
where the compiler adds a load.
(This may be overly cautious. We don't know of any examples where a
compiler has augmented a store with a load in this fashion, and the
Linux kernel developers would probably fight pretty hard to change a
compiler if it ever did this. Still, better safe than sorry.)
Incidentally, the other tranformation -- augmenting a plain load by
adding in a store to the same location -- is not allowed. This is
because the compiler cannot know whether any other CPUs might perform
a concurrent load from that location. Two concurrent loads don't
constitute a race (they can't interfere with each other), but a store
does race with a concurrent load. Thus adding a store might create a
data race where one was not already present in the source code,
something the compiler is forbidden to do. Augmenting a store with a
load, on the other hand, is acceptable because doing so won't create a
data race unless one already existed.
The LKMM includes a second way to pre-bound plain accesses, in
addition to fences: an address dependency from a marked load. That
is, in the sequence:
p = READ_ONCE(ptr);
r = *p;
the LKMM says that the marked load of ptr pre-bounds the plain load of
*p; the marked load must execute before any of the machine
instructions corresponding to the plain load. This is a reasonable
stipulation, since after all, the CPU can't perform the load of *p
until it knows what value p will hold. Furthermore, without some
assumption like this one, some usages typical of RCU would count as
data races. For example:
int a = 1, b;
int *ptr = &a;
P0()
{
b = 2;
rcu_assign_pointer(ptr, &b);
}
P1()
{
int *p;
int r;
rcu_read_lock();
p = rcu_dereference(ptr);
r = *p;
rcu_read_unlock();
}
(In this example the rcu_read_lock() and rcu_read_unlock() calls don't
really do anything, because there aren't any grace periods. They are
included merely for the sake of good form; typically P0 would call
synchronize_rcu() somewhere after the rcu_assign_pointer().)
rcu_assign_pointer() performs a store-release, so the plain store to b
is definitely w-post-bounded before the store to ptr, and the two
stores will propagate to P1 in that order. However, rcu_dereference()
is only equivalent to READ_ONCE(). While it is a marked access, it is
not a fence or compiler barrier. Hence the only guarantee we have
that the load of ptr in P1 is r-pre-bounded before the load of *p
(thus avoiding a race) is the assumption about address dependencies.
This is a situation where the compiler can undermine the memory model,
and a certain amount of care is required when programming constructs
like this one. In particular, comparisons between the pointer and
other known addresses can cause trouble. If you have something like:
p = rcu_dereference(ptr);
if (p == &x)
r = *p;
then the compiler just might generate object code resembling:
p = rcu_dereference(ptr);
if (p == &x)
r = x;
or even:
rtemp = x;
p = rcu_dereference(ptr);
if (p == &x)
r = rtemp;
which would invalidate the memory model's assumption, since the CPU
could now perform the load of x before the load of ptr (there might be
a control dependency but no address dependency at the machine level).
Finally, it turns out there is a situation in which a plain write does
not need to be w-post-bounded: when it is separated from the other
race-candidate access by a fence. At first glance this may seem
impossible. After all, to be race candidates the two accesses must
be on different CPUs, and fences don't link events on different CPUs.
Well, normal fences don't -- but rcu-fence can! Here's an example:
int x, y;
P0()
{
WRITE_ONCE(x, 1);
synchronize_rcu();
y = 3;
}
P1()
{
rcu_read_lock();
if (READ_ONCE(x) == 0)
y = 2;
rcu_read_unlock();
}
Do the plain stores to y race? Clearly not if P1 reads a non-zero
value for x, so let's assume the READ_ONCE(x) does obtain 0. This
means that the read-side critical section in P1 must finish executing
before the grace period in P0 does, because RCU's Grace-Period
Guarantee says that otherwise P0's store to x would have propagated to
P1 before the critical section started and so would have been visible
to the READ_ONCE(). (Another way of putting it is that the fre link
from the READ_ONCE() to the WRITE_ONCE() gives rise to an rcu-link
between those two events.)
This means there is an rcu-fence link from P1's "y = 2" store to P0's
"y = 3" store, and consequently the first must propagate from P1 to P0
before the second can execute. Therefore the two stores cannot be
concurrent and there is no race, even though P1's plain store to y
isn't w-post-bounded by any marked accesses.
Putting all this material together yields the following picture. For
race-candidate stores W and W', where W ->co W', the LKMM says the
stores don't race if W can be linked to W' by a
w-post-bounded ; vis ; w-pre-bounded
sequence. If W is plain then they also have to be linked by an
r-post-bounded ; xb* ; w-pre-bounded
sequence, and if W' is plain then they also have to be linked by a
w-post-bounded ; vis ; r-pre-bounded
sequence. For race-candidate load R and store W, the LKMM says the
two accesses don't race if R can be linked to W by an
r-post-bounded ; xb* ; w-pre-bounded
sequence or if W can be linked to R by a
w-post-bounded ; vis ; r-pre-bounded
sequence. For the cases involving a vis link, the LKMM also accepts
sequences in which W is linked to W' or R by a
strong-fence ; xb* ; {w and/or r}-pre-bounded
sequence with no post-bounding, and in every case the LKMM also allows
the link simply to be a fence with no bounding at all. If no sequence
of the appropriate sort exists, the LKMM says that the accesses race.
There is one more part of the LKMM related to plain accesses (although
not to data races) we should discuss. Recall that many relations such
as hb are limited to marked accesses only. As a result, the
happens-before, propagates-before, and rcu axioms (which state that
various relation must not contain a cycle) doesn't apply to plain
accesses. Nevertheless, we do want to rule out such cycles, because
they don't make sense even for plain accesses.
To this end, the LKMM imposes three extra restrictions, together
called the "plain-coherence" axiom because of their resemblance to the
rules used by the operational model to ensure cache coherence (that
is, the rules governing the memory subsystem's choice of a store to
satisfy a load request and its determination of where a store will
fall in the coherence order):
If R and W are race candidates and it is possible to link R to
W by one of the xb* sequences listed above, then W ->rfe R is
not allowed (i.e., a load cannot read from a store that it
executes before, even if one or both is plain).
If W and R are race candidates and it is possible to link W to
R by one of the vis sequences listed above, then R ->fre W is
not allowed (i.e., if a store is visible to a load then the
load must read from that store or one coherence-after it).
If W and W' are race candidates and it is possible to link W
to W' by one of the vis sequences listed above, then W' ->co W
is not allowed (i.e., if one store is visible to a second then
the second must come after the first in the coherence order).
This is the extent to which the LKMM deals with plain accesses.
Perhaps it could say more (for example, plain accesses might
contribute to the ppo relation), but at the moment it seems that this
minimal, conservative approach is good enough.
ODDS AND ENDS
-------------
This section covers material that didn't quite fit anywhere in the
earlier sections.
The descriptions in this document don't always match the formal
version of the LKMM exactly. For example, the actual formal
definition of the prop relation makes the initial coe or fre part
optional, and it doesn't require the events linked by the relation to
be on the same CPU. These differences are very unimportant; indeed,
instances where the coe/fre part of prop is missing are of no interest
because all the other parts (fences and rfe) are already included in
hb anyway, and where the formal model adds prop into hb, it includes
an explicit requirement that the events being linked are on the same
CPU.
Another minor difference has to do with events that are both memory
accesses and fences, such as those corresponding to smp_load_acquire()
calls. In the formal model, these events aren't actually both reads
and fences; rather, they are read events with an annotation marking
them as acquires. (Or write events annotated as releases, in the case
smp_store_release().) The final effect is the same.
Although we didn't mention it above, the instruction execution
ordering provided by the smp_rmb() fence doesn't apply to read events
that are part of a non-value-returning atomic update. For instance,
given:
atomic_inc(&x);
smp_rmb();
r1 = READ_ONCE(y);
it is not guaranteed that the load from y will execute after the
update to x. This is because the ARMv8 architecture allows
non-value-returning atomic operations effectively to be executed off
the CPU. Basically, the CPU tells the memory subsystem to increment
x, and then the increment is carried out by the memory hardware with
no further involvement from the CPU. Since the CPU doesn't ever read
the value of x, there is nothing for the smp_rmb() fence to act on.
The LKMM defines a few extra synchronization operations in terms of
things we have already covered. In particular, rcu_dereference() is
treated as READ_ONCE() and rcu_assign_pointer() is treated as
smp_store_release() -- which is basically how the Linux kernel treats
them.
Although we said that plain accesses are not linked by the ppo
relation, they do contribute to it indirectly. Firstly, when there is
an address dependency from a marked load R to a plain store W,
followed by smp_wmb() and then a marked store W', the LKMM creates a
ppo link from R to W'. The reasoning behind this is perhaps a little
shaky, but essentially it says there is no way to generate object code
for this source code in which W' could execute before R. Just as with
pre-bounding by address dependencies, it is possible for the compiler
to undermine this relation if sufficient care is not taken.
Secondly, plain accesses can carry dependencies: If a data dependency
links a marked load R to a store W, and the store is read by a load R'
from the same thread, then the data loaded by R' depends on the data
loaded originally by R. Thus, if R' is linked to any access X by a
dependency, R is also linked to access X by the same dependency, even
if W' or R' (or both!) are plain.
There are a few oddball fences which need special treatment:
smp_mb__before_atomic(), smp_mb__after_atomic(), and
smp_mb__after_spinlock(). The LKMM uses fence events with special
annotations for them; they act as strong fences just like smp_mb()
except for the sets of events that they order. Instead of ordering
all po-earlier events against all po-later events, as smp_mb() does,
they behave as follows:
smp_mb__before_atomic() orders all po-earlier events against
po-later atomic updates and the events following them;
smp_mb__after_atomic() orders po-earlier atomic updates and
the events preceding them against all po-later events;
smp_mb__after_spinlock() orders po-earlier lock acquisition
events and the events preceding them against all po-later
events.
Interestingly, RCU and locking each introduce the possibility of
deadlock. When faced with code sequences such as:
spin_lock(&s);
spin_lock(&s);
spin_unlock(&s);
spin_unlock(&s);
or:
rcu_read_lock();
synchronize_rcu();
rcu_read_unlock();
what does the LKMM have to say? Answer: It says there are no allowed
executions at all, which makes sense. But this can also lead to
misleading results, because if a piece of code has multiple possible
executions, some of which deadlock, the model will report only on the
non-deadlocking executions. For example:
int x, y;
P0()
{
int r0;
WRITE_ONCE(x, 1);
r0 = READ_ONCE(y);
}
P1()
{
rcu_read_lock();
if (READ_ONCE(x) > 0) {
WRITE_ONCE(y, 36);
synchronize_rcu();
}
rcu_read_unlock();
}
Is it possible to end up with r0 = 36 at the end? The LKMM will tell
you it is not, but the model won't mention that this is because P1
will self-deadlock in the executions where it stores 36 in y.