[PATCH memorymodel 02/19] tools/memorymodel: Redefine rb in terms of rcufence
From: Paul E. McKenney
Date: Mon May 14 2018  19:33:58 EST
From: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
This patch reorganizes the definition of rb in the Linux Kernel Memory
Consistency Model. The relation is now expressed in terms of
rcufence, which consists of a sequence of gp and rscs links separated
by rculink links, in which the number of occurrences of gp is >= the
number of occurrences of rscs.
Arguments similar to those published in
http://diy.inria.fr/linux/long.pdf show that rcufence behaves like an
interCPU strong fence. Furthermore, the definition of rb in terms of
rcufence is highly analogous to the definition of pb in terms of
strongfence, which can help explain why rcupath expresses a form of
temporal ordering.
This change should not affect the semantics of the memory model, just
its internal organization.
Signedoffby: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
Reviewedby: Boqun Feng <boqun.feng@xxxxxxxxx>
Reviewedby: Andrea Parri <parri.andrea@xxxxxxxxx>
Signedoffby: Paul E. McKenney <paulmck@xxxxxxxxxxxxxxxxxx>

tools/memorymodel/Documentation/explanation.txt  168 +++++++++++++++
tools/memorymodel/linuxkernel.cat  33 +++
2 files changed, 129 insertions(+), 72 deletions()
diff git a/tools/memorymodel/Documentation/explanation.txt b/tools/memorymodel/Documentation/explanation.txt
index 1a387d703212..1b09f3175a1f 100644
 a/tools/memorymodel/Documentation/explanation.txt
+++ b/tools/memorymodel/Documentation/explanation.txt
@@ 27,7 +27,7 @@ Explanation of the LinuxKernel Memory Consistency Model
19. AND THEN THERE WAS ALPHA
20. THE HAPPENSBEFORE RELATION: hb
21. THE PROPAGATESBEFORE RELATION: pb
 22. RCU RELATIONS: rculink, gplink, rscslink, and rb
+ 22. RCU RELATIONS: rculink, gp, rscs, rcufence, and rb
23. ODDS AND ENDS
@@ 1451,8 +1451,8 @@ they execute means that it cannot have cycles. This requirement is
the content of the LKMM's "propagation" axiom.
RCU RELATIONS: rculink, gplink, rscslink, and rb

+RCU RELATIONS: rculink, gp, rscs, rcufence, and rb
+
RCU (ReadCopyUpdate) is a powerful synchronization mechanism. It
rests on two concepts: grace periods and readside critical sections.
@@ 1537,49 +1537,100 @@ relation, and the details don't matter unless you want to comb through
a somewhat lengthy formal proof. Pretty much all you need to know
about rculink is the information in the preceding paragraph.
The LKMM goes on to define the gplink and rscslink relations. They
bring grace periods and readside critical sections into the picture,
in the following way:
+The LKMM also defines the gp and rscs relations. They bring grace
+periods and readside critical sections into the picture, in the
+following way:
 E >gplink F means there is a synchronize_rcu() fence event S
 and an event X such that E >po S, either S >po X or S = X,
 and X >rculink F. In other words, E and F are linked by a
 grace period followed by an instance of rculink.
+ E >gp F means there is a synchronize_rcu() fence event S such
+ that E >po S and either S >po F or S = F. In simple terms,
+ there is a grace period pobetween E and F.
 E >rscslink F means there is a critical section delimited by
 an rcu_read_lock() fence L and an rcu_read_unlock() fence U,
 and an event X such that E >po U, either L >po X or L = X,
 and X >rculink F. Roughly speaking, this says that some
 event in the same critical section as E is linked by rculink
 to F.
+ E >rscs F means there is a critical section delimited by an
+ rcu_read_lock() fence L and an rcu_read_unlock() fence U, such
+ that E >po U and either L >po F or L = F. You can think of
+ this as saying that E and F are in the same critical section
+ (in fact, it also allows E to be pobefore the start of the
+ critical section and F to be poafter the end).
If we think of the rculink relation as standing for an extended
"before", then E >gplink F says that E executes before a grace
period which ends before F executes. (In fact it covers more than
this, because it also includes cases where E executes before a grace
period and some store propagates to F's CPU before F executes and
doesn't propagate to some other CPU until after the grace period
ends.) Similarly, E >rscslink F says that E is part of (or before
the start of) a critical section which starts before F executes.
+"before", then X >gp Y >rculink Z says that X executes before a
+grace period which ends before Z executes. (In fact it covers more
+than this, because it also includes cases where X executes before a
+grace period and some store propagates to Z's CPU before Z executes
+but doesn't propagate to some other CPU until after the grace period
+ends.) Similarly, X >rscs Y >rculink Z says that X is part of (or
+before the start of) a critical section which starts before Z
+executes.
+
+The LKMM goes on to define the rcufence relation as a sequence of gp
+and rscs links separated by rculink links, in which the number of gp
+links is >= the number of rscs links. For example:
+
+ X >gp Y >rculink Z >rscs T >rculink U >gp V
+
+would imply that X >rcufence V, because this sequence contains two
+gp links and only one rscs link. (It also implies that X >rcufence T
+and Z >rcufence V.) On the other hand:
+
+ X >rscs Y >rculink Z >rscs T >rculink U >gp V
+
+does not imply X >rcufence V, because the sequence contains only
+one gp link but two rscs links.
+
+The rcufence relation is important because the Grace Period Guarantee
+means that rcufence acts kind of like a strong fence. In particular,
+if W is a write and we have W >rcufence Z, the Guarantee says that W
+will propagate to every CPU before Z executes.
+
+To prove this in full generality requires some intellectual effort.
+We'll consider just a very simple case:
+
+ W >gp X >rculink Y >rscs Z.
+
+This formula means that there is a grace period G and a critical
+section C such that:
+
+ 1. W is pobefore G;
+
+ 2. X is equal to or poafter G;
+
+ 3. X comes "before" Y in some sense;
+
+ 4. Y is pobefore the end of C;
+
+ 5. Z is equal to or poafter the start of C.
+
+From 2  4 we deduce that the grace period G ends before the critical
+section C. Then the second part of the Grace Period Guarantee says
+not only that G starts before C does, but also that W (which executes
+on G's CPU before G starts) must propagate to every CPU before C
+starts. In particular, W propagates to every CPU before Z executes
+(or finishes executing, in the case where Z is equal to the
+rcu_read_lock() fence event which starts C.) This sort of reasoning
+can be expanded to handle all the situations covered by rcufence.
+
+Finally, the LKMM defines the RCUbefore (rb) relation in terms of
+rcufence. This is done in essentially the same way as the pb
+relation was defined in terms of strongfence. We will omit the
+details; the end result is that E >rb F implies E must execute before
+F, just as E >pb F does (and for much the same reasons).
Putting this all together, the LKMM expresses the Grace Period
Guarantee by requiring that there are no cycles consisting of gplink
and rscslink links in which the number of gplink instances is >= the
number of rscslink instances. It does this by defining the rb
relation to link events E and F whenever it is possible to pass from E
to F by a sequence of gplink and rscslink links with at least as
many of the former as the latter. The LKMM's "rcu" axiom then says
that there are no events E with E >rb E.

Justifying this axiom takes some intellectual effort, but it is in
fact a valid formalization of the Grace Period Guarantee. We won't
attempt to go through the detailed argument, but the following
analysis gives a taste of what is involved. Suppose we have a
violation of the first part of the Guarantee: A critical section
starts before a grace period, and some store propagates to the
critical section's CPU before the end of the critical section but
doesn't propagate to some other CPU until after the end of the grace
period.
+Guarantee by requiring that the rb relation does not contain a cycle.
+Equivalently, this "rcu" axiom requires that there are no events E and
+F with E >rculink F >rcufence E. Or to put it a third way, the
+axiom requires that there are no cycles consisting of gp and rscs
+alternating with rculink, where the number of gp links is >= the
+number of rscs links.
+
+Justifying the axiom isn't easy, but it is in fact a valid
+formalization of the Grace Period Guarantee. We won't attempt to go
+through the detailed argument, but the following analysis gives a
+taste of what is involved. Suppose we have a violation of the first
+part of the Guarantee: A critical section starts before a grace
+period, and some store propagates to the critical section's CPU before
+the end of the critical section but doesn't propagate to some other
+CPU until after the end of the grace period.
Putting symbols to these ideas, let L and U be the rcu_read_lock() and
rcu_read_unlock() fence events delimiting the critical section in
@@ 1606,11 +1657,14 @@ by rculink, yielding:
S >po X >rculink Z >po U.
The formulas say that S is pobetween F and X, hence F >gplink Z
via X. They also say that Z comes before the end of the critical
section and E comes after its start, hence Z >rscslink F via E. But
now we have a forbidden cycle: F >gplink Z >rscslink F. Thus the
"rcu" axiom rules out this violation of the Grace Period Guarantee.
+The formulas say that S is pobetween F and X, hence F >gp X. They
+also say that Z comes before the end of the critical section and E
+comes after its start, hence Z >rscs E. From all this we obtain:
+
+ F >gp X >rculink Z >rscs E >rculink F,
+
+a forbidden cycle. Thus the "rcu" axiom rules out this violation of
+the Grace Period Guarantee.
For something a little more downtoearth, let's see how the axiom
works out in practice. Consider the RCU code example from above, this
@@ 1639,15 +1693,15 @@ time with statement labels added to the memory access instructions:
If r2 = 0 at the end then P0's store at X overwrites the value that
P1's load at Z reads from, so we have Z >fre X and thus Z >rculink X.
In addition, there is a synchronize_rcu() between Y and Z, so therefore
we have Y >gplink X.
+we have Y >gp Z.
If r1 = 1 at the end then P1's load at Y reads from P0's store at W,
so we have W >rculink Y. In addition, W and X are in the same critical
section, so therefore we have X >rscslink Y.
+section, so therefore we have X >rscs W.
This gives us a cycle, Y >gplink X >rscslink Y, with one gplink
and one rscslink, violating the "rcu" axiom. Hence the outcome is
not allowed by the LKMM, as we would expect.
+Then X >rscs W >rculink Y >gp Z >rculink X is a forbidden cycle,
+violating the "rcu" axiom. Hence the outcome is not allowed by the
+LKMM, as we would expect.
For contrast, let's see what can happen in a more complicated example:
@@ 1683,15 +1737,11 @@ For contrast, let's see what can happen in a more complicated example:
}
If r0 = r1 = r2 = 1 at the end, then similar reasoning to before shows
that W >rscslink Y via X, Y >gplink U via Z, and U >rscslink W
via V. And just as before, this gives a cycle:

 W >rscslink Y >gplink U >rscslink W.

However, this cycle has fewer gplink instances than rscslink
instances, and consequently the outcome is not forbidden by the LKMM.
The following instruction timing diagram shows how it might actually
occur:
+that W >rscs X >rculink Y >gp Z >rculink U >rscs V >rculink W.
+However this cycle is not forbidden, because the sequence of relations
+contains fewer instances of gp (one) than of rscs (two). Consequently
+the outcome is allowed by the LKMM. The following instruction timing
+diagram shows how it might actually occur:
P0 P1 P2
  
diff git a/tools/memorymodel/linuxkernel.cat b/tools/memorymodel/linuxkernel.cat
index cdf682859d4e..1e5c4653dd12 100644
 a/tools/memorymodel/linuxkernel.cat
+++ b/tools/memorymodel/linuxkernel.cat
@@ 102,20 +102,27 @@ let rscs = po ; crit^1 ; po?
*)
let rculink = hb* ; pb* ; prop
(* Chains that affect the RCU graceperiod guarantee *)
let gplink = gp ; rculink
let rscslink = rscs ; rculink

(*
 * A cycle containing at least as many grace periods as RCU readside
 * critical sections is forbidden.
+ * Any sequence containing at least as many grace periods as RCU readside
+ * critical sections (joined by rculink) acts as a generalized strong fence.
*)
let rec rb =
 gplink 
 (gplink ; rscslink) 
 (rscslink ; gplink) 
 (rb ; rb) 
 (gplink ; rb ; rscslink) 
 (rscslink ; rb ; gplink)
+let rec rcufence = gp 
+ (gp ; rculink ; rscs) 
+ (rscs ; rculink ; gp) 
+ (gp ; rculink ; rcufence ; rculink ; rscs) 
+ (rscs ; rculink ; rcufence ; rculink ; gp) 
+ (rcufence ; rculink ; rcufence)
+
+(* rb orders instructions just as pb does *)
+let rb = prop ; rcufence ; hb* ; pb*
irreflexive rb as rcu
+
+(*
+ * The happensbefore, propagation, and rcu constraints are all
+ * expressions of temporal ordering. They could be replaced by
+ * a single constraint on an "executesbefore" relation, xb:
+ *
+ * let xb = hb  pb  rb
+ * acyclic xb as executesbefore
+ *)

2.5.2