lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20220613122744.373516-1-paul.heidekrueger@in.tum.de>
Date:   Mon, 13 Jun 2022 12:27:44 +0000
From:   Paul Heidekrüger <paul.heidekrueger@...tum.de>
To:     Alan Stern <stern@...land.harvard.edu>,
        Andrea Parri <parri.andrea@...il.com>,
        Will Deacon <will@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Boqun Feng <boqun.feng@...il.com>,
        Nicholas Piggin <npiggin@...il.com>,
        David Howells <dhowells@...hat.com>,
        Jade Alglave <j.alglave@....ac.uk>,
        Luc Maranget <luc.maranget@...ia.fr>,
        "Paul E. McKenney" <paulmck@...nel.org>,
        Akira Yokosawa <akiyks@...il.com>,
        Daniel Lustig <dlustig@...dia.com>,
        Joel Fernandes <joel@...lfernandes.org>,
        Paul Heidekrüger <paul.heidekrueger@...tum.de>,
        linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org
Cc:     Marco Elver <elver@...gle.com>,
        Charalampos Mainas <charalampos.mainas@...il.com>,
        Pramod Bhatotia <pramod.bhatotia@...tum.de>,
        Soham Chakraborty <s.s.chakraborty@...elft.nl>,
        Martin Fink <martin.fink@...tum.de>
Subject: [PATCH] tools/memory-model: Clarify LKMM's limitations in litmus-tests.txt

As discussed, clarify LKMM not recognizing certain kinds of orderings.
In particular, highlight the fact that LKMM might deliberately make
weaker guarantees than compilers and architectures.

Link: https://lore.kernel.org/all/YpoW1deb%2FQeeszO1@ethstick13.dse.in.tum.de/T/#u
Signed-off-by: Paul Heidekrüger <paul.heidekrueger@...tum.de>
Cc: Marco Elver <elver@...gle.com>
Cc: Charalampos Mainas <charalampos.mainas@...il.com>
Cc: Pramod Bhatotia <pramod.bhatotia@...tum.de>
Cc: Soham Chakraborty <s.s.chakraborty@...elft.nl>
Cc: Martin Fink <martin.fink@...tum.de>
---
 .../Documentation/litmus-tests.txt            | 29 ++++++++++++-------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/tools/memory-model/Documentation/litmus-tests.txt b/tools/memory-model/Documentation/litmus-tests.txt
index 8a9d5d2787f9..623059eff84e 100644
--- a/tools/memory-model/Documentation/litmus-tests.txt
+++ b/tools/memory-model/Documentation/litmus-tests.txt
@@ -946,22 +946,31 @@ Limitations of the Linux-kernel memory model (LKMM) include:
 	carrying a dependency, then the compiler can break that dependency
 	by substituting a constant of that value.
 
-	Conversely, LKMM sometimes doesn't recognize that a particular
-	optimization is not allowed, and as a result, thinks that a
-	dependency is not present (because the optimization would break it).
-	The memory model misses some pretty obvious control dependencies
-	because of this limitation.  A simple example is:
+	Conversely, LKMM will sometimes overstate the amount of reordering
+	done by architectures and compilers, leading it to missing some
+	pretty obvious orderings.  A simple example is:
 
 		r1 = READ_ONCE(x);
 		if (r1 == 0)
 			smp_mb();
 		WRITE_ONCE(y, 1);
 
-	There is a control dependency from the READ_ONCE to the WRITE_ONCE,
-	even when r1 is nonzero, but LKMM doesn't realize this and thinks
-	that the write may execute before the read if r1 != 0.  (Yes, that
-	doesn't make sense if you think about it, but the memory model's
-	intelligence is limited.)
+	There is no dependency from the WRITE_ONCE() to the READ_ONCE(),
+	and as a result, LKMM does not assume ordering.  However, the
+	smp_mb() in the if branch will prevent architectures from
+	reordering the WRITE_ONCE() ahead of the READ_ONCE() but only if r1
+	is 0.  This, by definition, is not a control dependency, yet
+	ordering is guaranteed in some cases, depending on the READ_ONCE(),
+	which LKMM doesn't recognize.
+
+	It is clear that it is not dangerous in the slightest for LKMM to
+	make weaker guarantees than architectures.  In fact, it is
+	desirable, as it gives compilers room for making optimizations.
+	For instance, because a value of 0 triggers undefined behavior
+	elsewhere, a clever compiler might deduce that r1 can never be 0 in
+	the if condition.  As a result, said clever compiler might deem it
+	safe to optimize away the smp_mb(), eliminating the branch and
+	any ordering an architecture would guarantee otherwise.
 
 2.	Multiple access sizes for a single variable are not supported,
 	and neither are misaligned or partially overlapping accesses.
-- 
2.35.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ