From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Peter Zijlstra <peterz@infradead.org>,
	Will Deacon <will.deacon@arm.com>,
	linux-kernel@vger.kernel.org, mingo@kernel.org,
	dhowells@redhat.com
Subject: Re: [PATCH locking/Documentation 1/2] Add note of release-acquire store vulnerability
Date: Thu, 29 Sep 2016 13:26:41 -0700
Message-ID: <20160929202641.GE14933@linux.vnet.ibm.com>
In-Reply-To: <Pine.LNX.4.44L0.1609291527490.1387-100000@iolanthe.rowland.org>

On Thu, Sep 29, 2016 at 03:36:38PM -0400, Alan Stern wrote:
> On Thu, 29 Sep 2016, Paul E. McKenney wrote:
> 
> > On Thu, Sep 29, 2016 at 08:44:39PM +0200, Peter Zijlstra wrote:
> 
> > > How about something like so on PPC?
> > > 
> > > P0(int *x, int *y)
> > > {
> > > 	WRITE_ONCE(*x, 1);
> > > 	smp_store_release(y, 1);
> > > }
> > > 
> > > P1(int *x, int *y)
> > > {
> > > 	WRITE_ONCE(x, 2);
> > 
> > Need "WRITE_ONCE(*x, 2)" here.
> > 
> > > 	smp_store_release(y, 2);
> > > }
> > > 
> > > P2(int *x, int *y)
> > > {
> > > 	r1 = smp_load_acquire(y);
> > > 	r2 = READ_ONCE(*x);
> > > }
> > > 
> > > (((x==1 && y==2) | (x==2 && y==1)) && (r1==1 || r1==2) && r2==0)
> > 
> > That exists-clause is quite dazzling...  So if each of P0 and P1
> > win, but on different stores, and if P2 follows one or the other
> > of P0 or P1, can r2 get the pre-initialization value for x?
> 
> In fact, this is more than you need.  It's enough to specify
> 
> exists (2:r1=1 \/ 2:r1=2) /\ 2:r2=0
> 
> This much already is forbidden.  For the sake of argument, say r1=1.  
> Then P2 has read from P1's store-release.  By definition, P1's write to
> x is visible to P2, so r2 will get the value from that write or from
> one that is later in x's coherence order.  In other words, r2 will end
> up equal to either 1 or 2, but not 0.
> 
> > > If you execute P0 and P1 concurrently and one store of each 'wins' the
> > > LWSYNC of either is null and void, and therefore P2 is unordered and can
> > > observe r2==0.
> 
> Not so.  lwsync instructions cannot be "voided".
> 
> > That vaguely resembles the infamous Z6.3, but only vaguely.  The Linux-kernel
> > memory model says "forbidden" to this:
> > 
> > 	C C-WillDeacon-AcqRelStore.litmus
> > 
> > 	{
> > 	}
> > 
> > 	P0(int *x, int *y)
> > 	{
> > 	      WRITE_ONCE(*x, 1);
> > 	      smp_store_release(y, 1);
> > 	}
> > 
> > 	P1(int *x, int *y)
> > 	{
> > 	      WRITE_ONCE(*x, 2);
> > 	      smp_store_release(y, 2);
> > 	}
> > 
> > 	P2(int *x, int *y)
> > 	{
> > 	      r1 = smp_load_acquire(y);
> > 	      r2 = READ_ONCE(*x);
> > 	}
> > 
> > 	exists
> > 	(((x=1 /\ y=2) \/ (x=2 /\ y=1)) /\ (2:r1=1 \/ 2:r1=2) /\ 2:r2=0)
> 
> As above, you can leave out the part about the final values for x and 
> y.  The test will still be forbidden.
> 
> On the other hand, there's no guarantee that if r1=1 at the end then r2 
> will also be 1.  It's quite possible that r1=1 and r2=2, or vice versa.

And herd agrees for both the kernel model and the powerpc translation.
I killed PPCMEM, which was up to 1.2G of state space.  So is this a
case where "herd -cat ppc.cat" can be trusted?  ;-)

And the web ppcmem does not allow the exists clause, from what I could
see.

							Thanx, Paul
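
The visibility argument quoted above, carried out as an exhaustive enumeration. This is an added example, not part of the original message, and it is neither herd nor the Linux-kernel memory model: it assumes only per-location coherence plus the rule that an acquire load which reads a store-release sees that CPU's earlier writes. All function names are hypothetical.

```python
from itertools import permutations, product

INIT = 0
WRITERS = (1, 2)  # P0 writes x=1 then releases y=1; P1 does the same with 2


def allowed(r1, r2, co_x):
    """Release-acquire rule from the thread, applied to one candidate execution.

    If P2's smp_load_acquire(y) returned n != 0, it read Pn's store-release, so
    Pn's earlier write x=n is visible to P2: READ_ONCE(*x) must return n or a
    value later than n in x's coherence order co_x.
    """
    if r1 == INIT:
        return True  # no synchronization happened, any value of x may be read
    return co_x.index(r2) >= co_x.index(r1)


def outcomes():
    """Enumerate (r1, r2, final x, final y) over all candidate executions."""
    seen = set()
    for tail_x, tail_y in product(permutations(WRITERS), repeat=2):
        co_x = (INIT,) + tail_x  # the initial value is first in coherence order
        co_y = (INIT,) + tail_y  # x and y orders are chosen independently
        for r1, r2 in product(co_y, co_x):  # reads-from choices for P2
            if allowed(r1, r2, co_x):
                seen.add((r1, r2, co_x[-1], co_y[-1]))
    return seen


def full_exists(r1, r2, x, y):
    # ((x=1 /\ y=2) \/ (x=2 /\ y=1)) /\ (2:r1=1 \/ 2:r1=2) /\ 2:r2=0
    return (x, y) in {(1, 2), (2, 1)} and r1 in WRITERS and r2 == INIT


def short_exists(r1, r2, x, y):
    # (2:r1=1 \/ 2:r1=2) /\ 2:r2=0, the reduced clause from the quoted reply
    return r1 in WRITERS and r2 == INIT


if __name__ == "__main__":
    results = outcomes()
    print("full exists reachable: ", any(full_exists(*o) for o in results))
    print("short exists reachable:", any(short_exists(*o) for o in results))
    print("r1/r2 pairs:", sorted({(r1, r2) for r1, r2, _, _ in results}))
```

Both exists clauses come out unreachable even though the "different winners" final states (x=1, y=2 and x=2, y=1) are enumerated, while the pairs r1=1, r2=2 and r1=2, r1=1 do appear.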
