lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y9AR4Gr10SyCKovo@rowland.harvard.edu>
Date:   Tue, 24 Jan 2023 12:14:08 -0500
From:   Alan Stern <stern@...land.harvard.edu>
To:     Jonas Oberhauser <jonas.oberhauser@...weicloud.com>
Cc:     Jonas Oberhauser <jonas.oberhauser@...wei.com>, paulmck@...nel.org,
        parri.andrea@...il.com, will@...nel.org, peterz@...radead.org,
        boqun.feng@...il.com, npiggin@...il.com, dhowells@...hat.com,
        j.alglave@....ac.uk, luc.maranget@...ia.fr, akiyks@...il.com,
        dlustig@...dia.com, joel@...lfernandes.org, urezki@...il.com,
        quic_neeraju@...cinc.com, frederic@...nel.org,
        linux-kernel@...r.kernel.org, viktor@...-sws.org
Subject: Re: [PATCH] tools/memory-model: Make ppo a subrelation of po

On Tue, Jan 24, 2023 at 02:14:03PM +0100, Jonas Oberhauser wrote:
> After mulling it over a bit in my big old head, I consider that even though
> dropping the [W] may be shorter, it might make for the simpler model by
> excluding lots of cases.
> That makes me think you should do it for real in the definition of prop. And
> not just at the very end, because in fact each cumul-fence link might come
> from a non-A-cumulative fence. So the same argument you are giving should be
> applied recursively.
> Either
> 
> 	prop = (overwrite & ext)? ; (cumul-fence; [W])* ; rfe?
> 
> or integrate it directly into cumul-fence.

I dislike this sort of argument.  I understand the formal memory model 
by relating it to the informal operational model.  Thus, cumul-fence 
links a write W to another event E when the fence guarantees that W will 
propagate to E's CPU before E executes.  That's how the memory model 
expresses the propagation properties of these fences.  I don't want to 
rule out the possibility that E is a read merely because cumul-fence 
might be followed by another, A-cumulative fence.  If E=read were ruled 
out then cumul-fence would not properly express the propagation 
properties of the fences.

> > > > Consider: Could we remove all propagation-ordering fences from ppo
> > > > because they are subsumed by prop?  (Or is that just wrong?)
> > > Surely not, since prop doesn't usually provide ordering by itself.
> > Sorry, I meant the prop-related non-ppo parts of hb and pb.
> 
> I still don't follow :( Can you write some equations to show me what you
> mean?

Consider:

	Rx=1			Ry=1
	Wrelease Y=1		Wx=1

Here we have Wx=1 ->hb* Ry=1 by (prop \ id) & int, using the fact that 
Wy=1 is an A-cumulative release fence.  But we also have

	Wx=1 ->rfe Rx=1 ->ppo Wy=1 ->rfe Ry=1.

Thus there are two distinct ways of proving that Wx=1 ->hb* Ry=1.  If we 
removed the fence term from the definition of ppo (or weakened it to 
just rmb | acq), we would eliminate the second, redundant proof.  Is 
this the sort of thing you think we should do?

> > > > > > In fact, I wouldn't mind removing the happens-before, propagation, and
> > > > > > rcu axioms from LKMM entirely, replacing them with the single
> > > > > > executes-before axiom.
> > > > > I was planning to propose the same thing, however, I would also propose to
> > > > > redefine hb and rb by dropping the hb/pb parts at the end of these
> > > > > relations.
> > > > > 
> > > > >    hb = ....
> > > > >    pb = prop ; strong-fence ; [Marked]
> > > > >    rb = prop ; rcu-fence ; [Marked]
> > > > > 
> > > > >    xb = hb|pb|rb
> > > > >    acyclic xb
> > > > I'm not so sure that's a good idea.  For instance, it would require the
> > > > definitions of rcu-link and rb to be changed from having (hb* ; pb*) to
> > > > having (hb | pb)*.
> > > I think that's an improvement. It's obvious that (hb | pb)* is right and so
> > > is (pb | hb)*.
> > > For (hb* ; pb*), the first reaction is "why do all the hb edges need to be
> > > before the pb edges?", until one realizes that pb actually allows hb* at the
> > > end, so in a sense this is  hb* ; (pb ; hb*)*, and then one has to
> > > understand that this means that the prop;strong-fence edges can appear any
> > > number of times at arbitrary locations. It just seems like defining (pb |
> > > hb)* with extra steps.
> > This can be mentioned explicitly as a comment or in explanation.txt.
> Ok, but why not just use  (pb|hb)* and (pb|hb|rb)* and not worry about
> having to explain anything?
> And make the hb and rb definitions simpler at the same time?

Do you think (pb | hb)* is simpler than pb* (as in the statement of the 
propagation axiom)?

Besides, remember what I said about understanding the formal memory 
model in terms of the operational model.  pb relates a write W to 
another event E when the strong fence guarantees that W will propagate 
to E's CPU before E executes.  If the hb* term were omitted from the 
definition of pb, this wouldn't be true any more.  Or at least, not as 
true as it should be.

Alan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ