On Thu, Aug 30, 2018 at 11:17:13AM +0200, Andrea Parri wrote:
> On Wed, Aug 29, 2018 at 02:10:49PM -0700, Paul E. McKenney wrote:
> > This commit adds more detail about compiler optimizations and
> > not-yet-modeled Linux-kernel APIs.
> > 
> > Signed-off-by: Paul E. McKenney <paul...@linux.vnet.ibm.com>
> > ---
> >  tools/memory-model/README | 39 +++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 39 insertions(+)
> > 
> > diff --git a/tools/memory-model/README b/tools/memory-model/README
> > index ee987ce20aae..acf9077cffaa 100644
> > --- a/tools/memory-model/README
> > +++ b/tools/memory-model/README
> > @@ -171,6 +171,12 @@ The Linux-kernel memory model has the following 
> > limitations:
> >     particular, the "THE PROGRAM ORDER RELATION: po AND po-loc"
> >     and "A WARNING" sections).
> >  
> > +   Note that this limitation in turn limits LKMM's ability to
> > +   accurately model address, control, and data dependencies.
> > +   For example, if the compiler can deduce the value of some variable
> > +   carrying a dependency, then the compiler can break that dependency
> > +   by substituting a constant of that value.
> > +
> >  2. Multiple access sizes for a single variable are not supported,
> >     and neither are misaligned or partially overlapping accesses.
> >  
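
Review bot: The paragraph added under limitation 1 says the compiler "can break that dependency by substituting a constant" but stops short of telling a reader of herd7 output what follows from that. Suggest one more sentence giving the direction of the inaccuracy: LKMM still treats the dependency as ordering the accesses, so an outcome it reports as forbidden may be observable in the compiled code. A pointer back to the "A WARNING" section named in the context lines just above would give readers somewhere to look for the details.
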
> > @@ -190,6 +196,36 @@ The Linux-kernel memory model has the following 
> > limitations:
> >     However, a substantial amount of support is provided for these
> >     operations, as shown in the linux-kernel.def file.
> >  
> > +   a.      When rcu_assign_pointer() is passed NULL, the Linux
> > +           kernel provides no ordering, but LKMM models this
> > +           case as a store release.
> > +
> > +   b.      The "unless" RMW operations are not currently modeled:
> > +           atomic_long_add_unless(), atomic_add_unless(),
> > +           atomic_inc_unless_negative(), and
> > +           atomic_dec_unless_positive().  These can be emulated
> > +           in litmus tests, for example, by using atomic_cmpxchg().
> 
> There is a prototype atomic_add_unless(): with current herd7,
> 
> $ cat atomic_add_unless.litmus
> C atomic_add_unless
> 
> {}
> 
> P0(atomic_t *u, atomic_t *v)
> {
>       int r0;
>       int r1;
> 
>       r0 = atomic_add_unless(u, 1, 2);
>       r1 = atomic_read(v);
> }
> 
> P1(atomic_t *u, atomic_t *v)
> {
>       int r0;
>       int r1;
> 
>       r0 = atomic_add_unless(v, 1, 2);
>       r1 = atomic_read(u);
> }
> 
> exists (0:r1=0 /\ 1:r1=0)
> 
> $ herd7 -conf linux-kernel.cfg atomic_add_unless.litmus
> Test atomic_add_unless Allowed
> States 3
> 0:r1=0; 1:r1=1;
> 0:r1=1; 1:r1=0;
> 0:r1=1; 1:r1=1;
> No
> Witnesses
> Positive: 0 Negative: 3
> Condition exists (0:r1=0 /\ 1:r1=0)
> Observation atomic_add_unless Never 0 3
> Time atomic_add_unless 0.00
> Hash=fa37a2359831690299e4cc394e45d966
> 
> The last commit in the herdtools7 repo. related to this implementation
> (AFAICT) is:
> 
>   9523c340917b6a ("herd/linux: make atomic_add_unless a primitive, so as to yield more precise dependencies for the returned boolean.")
> 
> but I can only vaguely remember those dependencies issues now :/  ...;
> maybe we can now solve these issues?  or should we change herd7 to
> return a warning?  (Notice that this primitive is currently not exported
> to the linux-kernel.def file.)

Cool!  It would be good to add this to the .def file once the underlying
herd7 machinery is ready.  And then I would update the documentation
accordingly.  Or happily accept a patch updating the documentation,
as the case might be.  ;-)

                                                        Thanx, Paul

>   Andrea
> 
> 
> > +
> > +   c.      The call_rcu() function is not modeled.  It can be
> > +           emulated in litmus tests by adding another process that
> > +           invokes synchronize_rcu() and the body of the callback
> > +           function, with (for example) a release-acquire from
> > +           the site of the emulated call_rcu() to the beginning
> > +           of the additional process.
> > +
> > +   d.      The rcu_barrier() function is not modeled.  It can be
> > +           emulated in litmus tests emulating call_rcu() via
> > +           (for example) a release-acquire from the end of each
> > +           additional call_rcu() process to the site of the
> > +           emulated rcu-barrier().
> > +
> > +   e.      Sleepable RCU (SRCU) is not modeled.  It can be
> > +           emulated, but perhaps not simply.
> > +
> > +   f.      Reader-writer locking is not modeled.  It can be
> > +           emulated in litmus tests using atomic read-modify-write
> > +           operations.
> > +
> >  The "herd7" tool has some additional limitations of its own, apart from
> >  the memory model:
> >  
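
Review bot: Item d ends with "emulated rcu-barrier()", spelled with a hyphen, while the first line of the same item uses rcu_barrier(); please use the underscore form in both places so that a search for the function name finds this text. Separately, items c and d each describe a release-acquire link but neither names the primitives to use; mentioning smp_store_release() and smp_load_acquire() would make the emulation recipe easier to follow.
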
> > @@ -204,3 +240,6 @@ the memory model:
> >  Some of these limitations may be overcome in the future, but others are
> >  more likely to be addressed by incorporating the Linux-kernel memory model
> >  into other tools.
> > +
> > +Finally, please note that LKMM is subject to change as hardware, use cases,
> > +and compilers evolve.
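
Review bot: The added closing sentence is about LKMM itself, but it lands at the end of the section introduced by 'The "herd7" tool has some additional limitations of its own', directly after a paragraph about tool limitations. Consider moving it up to the end of the numbered list of model limitations, or rewording it so that "Finally" does not read as the last herd7 limitation.
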
> > -- 
> > 2.17.1
> > 
> 
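
Item b of the quoted patch says the "unless" RMW operations can be emulated with atomic_cmpxchg(). The following is an added example, not code from the patch, the kernel or herd7: it shows that emulation pattern in userspace C11, with hypothetical emu_* names, and with seq_cst on the successful exchange as this example's own choice of ordering.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example: the emu_* names are hypothetical, not kernel or herd7 APIs. */

/* Add a to *v unless *v == u; returns true if the add was performed. */
static bool emu_add_unless(atomic_int *v, int a, int u)
{
    int old = atomic_load_explicit(v, memory_order_relaxed);

    do {
        if (old == u)
            return false;           /* no store happens on this path */
    } while (!atomic_compare_exchange_weak_explicit(v, &old, old + a,
                 memory_order_seq_cst, memory_order_relaxed));
    return true;                    /* on failure the CAS refreshed old */
}

/* Increment *v unless it is negative. */
static bool emu_inc_unless_negative(atomic_int *v)
{
    int old = atomic_load_explicit(v, memory_order_relaxed);

    do {
        if (old < 0)
            return false;
    } while (!atomic_compare_exchange_weak_explicit(v, &old, old + 1,
                 memory_order_seq_cst, memory_order_relaxed));
    return true;
}

/* Decrement *v unless it is positive. */
static bool emu_dec_unless_positive(atomic_int *v)
{
    int old = atomic_load_explicit(v, memory_order_relaxed);

    do {
        if (old > 0)
            return false;
    } while (!atomic_compare_exchange_weak_explicit(v, &old, old - 1,
                 memory_order_seq_cst, memory_order_relaxed));
    return true;
}

int main(void)
{
    atomic_int u = 0;               /* constructed sample value */

    for (int i = 0; i < 3; i++)     /* same arguments as the litmus test */
        printf("added=%d\n", emu_add_unless(&u, 1, 2));
    printf("u=%d\n", atomic_load(&u));
    return 0;
}
```
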
