lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <EE1FA3DC-5A38-45EC-97AB-44B19C1C7707@in.tum.de>
Date:   Fri, 2 Sep 2022 10:40:34 +0200
From:   Paul Heidekrüger <Paul.Heidekrueger@...tum.de>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     Joel Fernandes <joel@...lfernandes.org>,
        Andrea Parri <parri.andrea@...il.com>,
        Will Deacon <will@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Boqun Feng <boqun.feng@...il.com>,
        Nicholas Piggin <npiggin@...il.com>,
        David Howells <dhowells@...hat.com>,
        Jade Alglave <j.alglave@....ac.uk>,
        Luc Maranget <luc.maranget@...ia.fr>,
        "Paul E. McKenney" <paulmck@...nel.org>,
        Akira Yokosawa <akiyks@...il.com>,
        Daniel Lustig <dlustig@...dia.com>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-arch <linux-arch@...r.kernel.org>,
        Marco Elver <elver@...gle.com>,
        Charalampos Mainas <charalampos.mainas@...il.com>,
        Pramod Bhatotia <pramod.bhatotia@...tum.de>,
        Soham Chakraborty <s.s.chakraborty@...elft.nl>,
        Martin Fink <martin.fink@...tum.de>
Subject: Re: [PATCH] tools/memory-model: Weaken ctrl dependency definition in
 explanation.txt

On 31. Aug 2022, at 19:38, Alan Stern <stern@...land.harvard.edu> wrote:

> On Wed, Aug 31, 2022 at 06:42:05PM +0200, Paul Heidekrüger wrote:
>> On 31. Aug 2022, at 03:57, Alan Stern <stern@...land.harvard.edu> wrote:
>> 
>>> On Tue, Aug 30, 2022 at 05:12:33PM -0400, Joel Fernandes wrote:
>>>> On 8/30/2022 5:08 PM, Joel Fernandes wrote:
>>>>> On 8/30/2022 4:44 PM, Paul Heidekrüger wrote:
>>>>>> The current informal control dependency definition in explanation.txt is
>>>>>> too broad and, as dicsussed, needs to be updated.
>>>>>> 
>>>>>> Consider the following example:
>>>>>> 
>>>>>>> if(READ_ONCE(x))
>>>>>>> 	return 42;
>>>>>>> 
>>>>>>> 	WRITE_ONCE(y, 42);
>>>>>>> 
>>>>>>> 	return 21;
>>>>>> 
>>>>>> The read event determines whether the write event will be executed "at
>>>>>> all" - as per the current definition - but the formal LKMM does not
>>>>>> recognize this as a control dependency.
>>>>>> 
>>>>>> Introduce a new defintion which includes the requirement for the second
>>>>>> memory access event to syntactically lie within the arm of a non-loop
>>>>>> conditional.
>>>>>> 
>>>>>> Link: https://lore.kernel.org/all/20220615114330.2573952-1-paul.heidekrueger@in.tum.de/
>>>>>> Cc: Marco Elver <elver@...gle.com>
>>>>>> Cc: Charalampos Mainas <charalampos.mainas@...il.com>
>>>>>> Cc: Pramod Bhatotia <pramod.bhatotia@...tum.de>
>>>>>> Cc: Soham Chakraborty <s.s.chakraborty@...elft.nl>
>>>>>> Cc: Martin Fink <martin.fink@...tum.de>
>>>>>> Signed-off-by: Paul Heidekrüger <paul.heidekrueger@...tum.de>
>>>>>> Co-developed-by: Alan Stern <stern@...land.harvard.edu>
>>>>>> ---
>>>>>> 
>>>>>> @Alan:
>>>>>> 
>>>>>> Since I got it wrong the last time, I'm adding you as a co-developer after my
>>>>>> SOB. I'm sorry if this creates extra work on your side due to you having to
>>>>>> resubmit the patch now with your SOB if I understand correctly, but since it's
>>>>>> based on your wording from the other thread, I definitely wanted to give you
>>>>>> credit.
>>>>>> 
>>>>>> tools/memory-model/Documentation/explanation.txt | 7 ++++---
>>>>>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>>>>> 
>>>>>> diff --git a/tools/memory-model/Documentation/explanation.txt b/tools/memory-model/Documentation/explanation.txt
>>>>>> index ee819a402b69..0bca50cac5f4 100644
>>>>>> --- a/tools/memory-model/Documentation/explanation.txt
>>>>>> +++ b/tools/memory-model/Documentation/explanation.txt
>>>>>> @@ -464,9 +464,10 @@ to address dependencies, since the address of a location accessed
>>>>>> through a pointer will depend on the value read earlier from that
>>>>>> pointer.
>>>>>> 
>>>>>> -Finally, a read event and another memory access event are linked by a
>>>>>> -control dependency if the value obtained by the read affects whether
>>>>>> -the second event is executed at all.  Simple example:
>>>>>> +Finally, a read event X and another memory access event Y are linked by
>>>>>> +a control dependency if Y syntactically lies within an arm of an if,
>>>>>> +else or switch statement and the condition guarding Y is either data or
>>>>>> +address-dependent on X.  Simple example:
>> 
>> Thank you both for commenting!
>> 
>>> "if, else or switch" should be just "if or switch".  In C there is no 
>>> such thing as an "else" statement; an "else" clause is merely part of 
>>> an "if" statement.  In fact, maybe "body" would be more appropriate than 
>>> "arm", because "switch" statements don't have arms -- they have cases.
>> 
>> Right. What do you think of "branch"? "Body" to me suggests that there's
>> only one and therefore that the else clause isn't included.
>> 
>> Would it be fair to say that switch statements have branches? I guess
>> because switch statements are a convenient way of writing goto's, i.e.
>> jumps, it's a stretch and basically the same as saying "arm"?
>> 
>> Maybe we can avoid the arm / case clash by just having a definition for if
>> statements and appending something like "similarly for switch statements"?
> 
> That sounds good.
> 
>>>>> 'conditioning guarding Y' sounds confusing to me as it implies to me that the
>>>>> condition's evaluation depends on Y. I much prefer Alan's wording from the
>>>>> linked post saying something like 'the branch condition is data or address
>>>>> dependent on X, and Y lies in one of the arms'.
>>>>> 
>>>>> I have to ask though, why doesn't this imply that the second instruction never
>>>>> executes at all? I believe that would break the MP-pattern if it were not true.
>>>> 
>>>> About my last statement, I believe your patch does not disagree with the
>>>> correctness of the earlier text but just wants to improve it. If that's case
>>>> then that's fine.
>>> 
>>> The biggest difference between the original text and Paul's suggested 
>>> update is that the new text makes clear that Y has to lie within the 
>>> body of the "if" or "switch" statement.  If Y follows the end of the 
>>> if/else, as in the example at the top of this email, then it does have 
>>> not a control dependency on X (at least, not via that if/else), even 
>>> though the value read by X does determine whether or not Y will execute.
>>> 
>>> [It has to be said that this illustrates a big weakness of the LKMM: It 
>>> isn't cognizant of "goto"s or "return"s.  This naturally derives from 
>>> limitations of the herd tool, but the situation could be improved.  So 
>>> for instance, I don't think it would cause trouble to say that in:
>>> 
>>> 	if (READ_ONCE(x) == 0)
>>> 		return;
>>> 	WRITE_ONCE(y, 5);
>>> 
>>> there really is a control dependence from x to y, even though the 
>>> WRITE_ONCE is outside the body of the "if" statement.  Certainly the 
>>> compiler can't reorder the write before the read.  But AFAIK there's no 
>>> way to include a "return" statement in a litmus test for herd.  Or a 
>>> subroutine definition, for that matter.]
>>> 
>>> I agree that "condition guarding Y" is somewhat awkward.  "the 
>>> condition of the if (or the expression of the switch)" might be better, 
>>> even though it is somewhat awkward as well.  At least it's more 
>>> explicit.
>> 
>> Maybe we can reuse the wording from the data and address dependency
>> definition here and say "affects"?
>> 
>> Putting it all together:
>> 
>>> Finally, a read event X and another memory access event Y are linked by a
>>> control dependency if Y syntactically lies within a branch of an if or
>>> switch statement and X affects the evaluation of that statement's
>>> condition via a data or address dependency.
>> 
>> Alternatively without the arm / case clash:
>> 
>>> Finally, a read event X and another memory access event Y are linked by a
>>> control dependency if Y syntactically lies within an arm of an if
>>> statement and X affects the evaluation of the if condition via a data or
>>> address dependency.  Similarly for switch statements.
>> 
>> What do you think?
> 
> I like the second one.  How about combining the last two sentences?  
> 
> 	... via a data or address dependency (or similarly for a switch 
> 	statement).

Yes, sounds good!

> Now I suppose someone will pipe up and ask about the conditional 
> expressions in "for", "while" and "do" statements...  :-)

Happy to have obliged :-)
https://lore.kernel.org/all/20F4C097-24B4-416B-95EE-AC11F5952B44@in.tum.de/

Do you think the text should explicitly address control dependencies in the
context of loops as well? If yes, would it be a separate patch, or would it
make sense to combine it with this one?

Many thanks,
Paul


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ