Date:   Thu, 30 Aug 2018 11:17:13 +0200
From:   Andrea Parri <parri.andrea@...il.com>
To:     "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>
Cc:     linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org,
        mingo@...nel.org, stern@...land.harvard.edu, will.deacon@....com,
        peterz@...radead.org, boqun.feng@...il.com, npiggin@...il.com,
        dhowells@...hat.com, j.alglave@....ac.uk, luc.maranget@...ia.fr,
        akiyks@...il.com
Subject: Re: [PATCH RFC LKMM 3/7] EXP tools/memory-model: Add more LKMM limitations

On Wed, Aug 29, 2018 at 02:10:49PM -0700, Paul E. McKenney wrote:
> This commit adds more detail about compiler optimizations and
> not-yet-modeled Linux-kernel APIs.
> 
> Signed-off-by: Paul E. McKenney <paulmck@...ux.vnet.ibm.com>
> ---
>  tools/memory-model/README | 39 +++++++++++++++++++++++++++++++++++++++
>  1 file changed, 39 insertions(+)
> 
> diff --git a/tools/memory-model/README b/tools/memory-model/README
> index ee987ce20aae..acf9077cffaa 100644
> --- a/tools/memory-model/README
> +++ b/tools/memory-model/README
> @@ -171,6 +171,12 @@ The Linux-kernel memory model has the following limitations:
>  	particular, the "THE PROGRAM ORDER RELATION: po AND po-loc"
>  	and "A WARNING" sections).
>  
> +	Note that this limitation in turn limits LKMM's ability to
> +	accurately model address, control, and data dependencies.
> +	For example, if the compiler can deduce the value of some variable
> +	carrying a dependency, then the compiler can break that dependency
> +	by substituting a constant of that value.
> +
>  2.	Multiple access sizes for a single variable are not supported,
>  	and neither are misaligned or partially overlapping accesses.
>  
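Review bot: the antecedent of "this limitation" in the new paragraph is the body of item 1, which the hunk does not show; naming it explicitly ("Because LKMM does not model compiler optimizations, its ability to accurately model address, control, and data dependencies is also limited") would let the paragraph read on its own. The example could also name the transformation it has in mind, since "if the compiler can deduce the value" is the whole mechanism: a value the compiler can prove constant lets it replace the dependent load or branch and drop the dependency.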
> @@ -190,6 +196,36 @@ The Linux-kernel memory model has the following limitations:
>  	However, a substantial amount of support is provided for these
>  	operations, as shown in the linux-kernel.def file.
>  
> +	a.	When rcu_assign_pointer() is passed NULL, the Linux
> +		kernel provides no ordering, but LKMM models this
> +		case as a store release.
> +
> +	b.	The "unless" RMW operations are not currently modeled:
> +		atomic_long_add_unless(), atomic_add_unless(),
> +		atomic_inc_unless_negative(), and
> +		atomic_dec_unless_positive().  These can be emulated
> +		in litmus tests, for example, by using atomic_cmpxchg().

There is a prototype atomic_add_unless(): with current herd7,

$ cat atomic_add_unless.litmus
C atomic_add_unless

{}

P0(atomic_t *u, atomic_t *v)
{
	int r0;
	int r1;

	r0 = atomic_add_unless(u, 1, 2);
	r1 = atomic_read(v);
}

P1(atomic_t *u, atomic_t *v)
{
	int r0;
	int r1;

	r0 = atomic_add_unless(v, 1, 2);
	r1 = atomic_read(u);
}

exists (0:r1=0 /\ 1:r1=0)

$ herd7 -conf linux-kernel.cfg atomic_add_unless.litmus
Test atomic_add_unless Allowed
States 3
0:r1=0; 1:r1=1;
0:r1=1; 1:r1=0;
0:r1=1; 1:r1=1;
No
Witnesses
Positive: 0 Negative: 3
Condition exists (0:r1=0 /\ 1:r1=0)
Observation atomic_add_unless Never 0 3
Time atomic_add_unless 0.00
Hash=fa37a2359831690299e4cc394e45d966

The last commit in the herdtools7 repository related to this implementation
(AFAICT) is:

  9523c340917b6a ("herd/linux: make atomic_add_unless a primitive, so as to yield more precise dependencies for the returned boolean.")

but I can only vaguely remember those dependency issues now :/  ...;
maybe we can now solve these issues?  or should we change herd7 to
return a warning?  (Notice that this primitive is currently not exported
to the linux-kernel.def file.)

  Andrea


> +
> +	c.	The call_rcu() function is not modeled.  It can be
> +		emulated in litmus tests by adding another process that
> +		invokes synchronize_rcu() and the body of the callback
> +		function, with (for example) a release-acquire from
> +		the site of the emulated call_rcu() to the beginning
> +		of the additional process.
> +
> +	d.	The rcu_barrier() function is not modeled.  It can be
> +		emulated in litmus tests emulating call_rcu() via
> +		(for example) a release-acquire from the end of each
> +		additional call_rcu() process to the site of the
> +		emulated rcu-barrier().
> +
> +	e.	Sleepable RCU (SRCU) is not modeled.  It can be
> +		emulated, but perhaps not simply.
> +
> +	f.	Reader-writer locking is not modeled.  It can be
> +		emulated in litmus tests using atomic read-modify-write
> +		operations.
> +
>  The "herd7" tool has some additional limitations of its own, apart from
>  the memory model:
>  
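Review bot: in (d) the closing line reads "emulated rcu-barrier()" while the item opens with "rcu_barrier()"; the hyphen should be an underscore so the two names match. Separately, (b) lists atomic_add_unless() as "not currently modeled", but the herd7 run shown in the reply above accepts it as a primitive and reports states for it; the item should say whether the operation is unmodeled or merely not exported through linux-kernel.def, since that distinction decides whether a litmus-test author needs the atomic_cmpxchg() emulation at all.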
> @@ -204,3 +240,6 @@ the memory model:
>  Some of these limitations may be overcome in the future, but others are
>  more likely to be addressed by incorporating the Linux-kernel memory model
>  into other tools.
> +
> +Finally, please note that LKMM is subject to change as hardware, use cases,
> +and compilers evolve.
> -- 
> 2.17.1
> 
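Added example, not part of Andrea Parri's message or of the patch: the same store-buffering test, rewritten with the emulation that item (b) of the README text suggests, i.e. atomic_cmpxchg() in place of atomic_add_unless(). It assumes that each counter starts at 0 and has a single writer, so the "unless" value 2 can never be observed and atomic_add_unless(x, 1, 2) always performs the add; under that assumption atomic_cmpxchg(x, 0, 1) makes the same update and, like the primitive, is a fully ordered RMW. The return values differ (the primitive returns a bool, cmpxchg returns the old value), which is why the condition tests only r1.

```litmus
C atomic_add_unless_via_cmpxchg

(*
 * Added example (not from the thread): emulates the two
 * atomic_add_unless(x, 1, 2) calls of the test above with
 * atomic_cmpxchg(), as README item (b) suggests.
 *
 * Assumption: u and v start at 0 and each has exactly one writer,
 * so neither counter can ever hold the "unless" value 2 and the
 * add is always performed.  atomic_cmpxchg(x, 0, 1) therefore
 * performs the same 0 -> 1 update as the primitive, and both are
 * fully ordered RMW operations in LKMM.
 *
 * r0 holds the old value here (0) rather than the primitive's
 * boolean result (1); only r1 is compared in the condition.
 *)

{}

P0(atomic_t *u, atomic_t *v)
{
	int r0;
	int r1;

	r0 = atomic_cmpxchg(u, 0, 1);	/* emulates atomic_add_unless(u, 1, 2) */
	r1 = atomic_read(v);
}

P1(atomic_t *u, atomic_t *v)
{
	int r0;
	int r1;

	r0 = atomic_cmpxchg(v, 0, 1);	/* emulates atomic_add_unless(v, 1, 2) */
	r1 = atomic_read(u);
}

exists (0:r1=0 /\ 1:r1=0)
```

Running it with the same invocation as above (herd7 -conf linux-kernel.cfg on this file) lets the reader compare the reported states with the primitive's run; since a successful atomic_cmpxchg() is fully ordered, the 0:r1=0 /\ 1:r1=0 outcome should again be forbidden. The emulation only holds while the test cannot reach the "unless" value: litmus tests have no loops, so each emulated call needs a known old value, and a test that exercises the failure path of atomic_add_unless() has to model that path's ordering separately.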
