Message-ID: <10cfb309-4a12-2b57-e367-b5224a442685@huaweicloud.com>
Date:   Thu, 26 Jan 2023 17:31:20 +0100
From:   Jonas Oberhauser <jonas.oberhauser@...weicloud.com>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     "Paul E. McKenney" <paulmck@...nel.org>,
        Andrea Parri <parri.andrea@...il.com>,
        Jonas Oberhauser <jonas.oberhauser@...wei.com>,
        Peter Zijlstra <peterz@...radead.org>, will <will@...nel.org>,
        "boqun.feng" <boqun.feng@...il.com>, npiggin <npiggin@...il.com>,
        dhowells <dhowells@...hat.com>,
        "j.alglave" <j.alglave@....ac.uk>,
        "luc.maranget" <luc.maranget@...ia.fr>, akiyks <akiyks@...il.com>,
        dlustig <dlustig@...dia.com>, joel <joel@...lfernandes.org>,
        urezki <urezki@...il.com>,
        quic_neeraju <quic_neeraju@...cinc.com>,
        frederic <frederic@...nel.org>,
        Kernel development list <linux-kernel@...r.kernel.org>
Subject: Re: [Patch 2/2] tools/memory-model: Provide exact SRCU semantics



On 1/26/2023 5:02 PM, Alan Stern wrote:
> On Thu, Jan 26, 2023 at 12:30:14PM +0100, Jonas Oberhauser wrote:
>>
>> On 1/25/2023 11:52 PM, Alan Stern wrote:
>>> On Wed, Jan 25, 2023 at 10:04:29PM +0100, Jonas Oberhauser wrote:
>>>> On 1/25/2023 9:21 PM, Alan Stern wrote:
>>>>>     (* Validate nesting *)
>>>>>     flag ~empty Srcu-lock \ domain(srcu-rscs) as unmatched-srcu-lock
>>>>>     flag ~empty Srcu-unlock \ range(srcu-rscs) as unmatched-srcu-unlock
>>>>> +flag ~empty (srcu-rscs^-1 ; srcu-rscs) \ id as multiple-srcu-matches
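Review bot: The added multiple-srcu-matches flag on the last line of this hunk covers only one direction. The unmatched-srcu-lock line takes Srcu-lock events from domain(srcu-rscs), so srcu-rscs runs from lock to unlock and (srcu-rscs^-1 ; srcu-rscs) \ id relates two distinct unlocks that share one lock. One unlock matched by two different locks is not caught by this line. If that case is excluded elsewhere, a one-line comment above the flag saying so would help; otherwise consider a companion check on (srcu-rscs ; srcu-rscs^-1) \ id.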
>>>> [...]
>>>>>     // SRCU
>>>>> -srcu_read_lock(X)  __srcu{srcu-lock}(X)
>>>>> -srcu_read_unlock(X,Y) { __srcu{srcu-unlock}(X,Y); }
>>>>> +srcu_read_lock(X) __load{srcu-lock}(*X)
>>>>> +srcu_read_unlock(X,Y) { __store{srcu-unlock}(*X,Y); }
>>>>> +srcu_down_read(X) __load{srcu-lock}(*X)
>>>>> +srcu_up_read(X,Y) { __store{srcu-unlock}(*X,Y); }
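Review bot: srcu_down_read() and srcu_up_read() in the last two added lines expand to exactly the same __load{srcu-lock} and __store{srcu-unlock} primitives as srcu_read_lock() and srcu_read_unlock(), so the model cannot tell the two API pairs apart and a litmus test that mixes them is accepted without any flag. Please add a comment above these two lines stating that the aliasing is deliberate, or give them their own tags if mixed pairing should be reported.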
>>>> How do you feel about introducing Srcu-up and Srcu-down with this patch?
>>> Why invent new classes for them?  They are literally the same operation
>>> as Srcu-lock and Srcu-unlock; the only difference is how the kernel's
>>> lockdep checker treats them.
>> I don't think they're necessarily implemented in a compatible way, so
>>
>> r = srcu_lock(s);
>> srcu_up(s,r);
>>
>> might not actually work, but would currently be ok'ed by LKMM.
> I'll let Paul answer this.
>
>>   With
>> different classes you could state
>>    flag ~empty [Srcu-lock];srcu-rscs;[Srcu-up] as srcu-mismatch-lock-to-up
>>    flag ~empty [Srcu-down];srcu-rscs;[Srcu-unlock] as srcu-mismatch-down-to-unlock
>>
>> I think with the current implementation this code might work, but I don't
>> feel like this is inherently true.
>>
>> You could then also go ahead and define the "same CPU" requirement as a flag
>> for lock and unlock specifically, like
>>    flag ~empty [Srcu-lock];srcu-rscs & ext as srcu-lock-unlock-mismatch-CPU
>> or so.
> Bear in mind that the herd7 model is not obliged to find and warn about
> all possible bugs in a litmus test.  Especially if the same code would
> generate a warning or error when run in the kernel.

I agree, and indeed it may not even be possible to do so (even under a 
hypothetical formal proof that the list of bugs is complete, some might 
not be formalizable in a satisfactory way in herd).
Mostly I'm just trying to see if you have considered the possibilities 
and decided against them intentionally, or if you just hadn't considered 
it. I don't have a strong opinion either way and would be ok with the 
patch as written.

That said, I do like to think of the model as a kind of compact formal 
specification/documentation, including the assumptions the kernel makes 
about how these APIs are to be used.

Best wishes, jonas
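
The flags quoted and proposed in this message, evaluated as plain set checks over a constructed execution. This is an added example, not part of the original message or of the LKMM sources. It assumes separate Srcu-down/Srcu-up classes as the message suggests, applies the two nesting checks to both class pairs, and uses a thread number to stand in for the CPU; the Event type, raised_flags() and the sample data are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    eid: str
    cls: str      # "Srcu-lock", "Srcu-unlock", "Srcu-down" or "Srcu-up"
    thread: int   # stands in for the CPU; 'ext' means different threads

def raised_flags(events, rscs):
    """Return the sorted flag names raised for one execution.
    rscs is a set of (open_id, close_id) pairs playing the role of srcu-rscs."""
    ev = {e.eid: e for e in events}
    dom = {a for a, _ in rscs}
    rng = {b for _, b in rscs}
    pairs = [(ev[a], ev[b]) for a, b in rscs]
    checks = {
        # Nesting checks from the quoted hunk, applied here to both open
        # classes and both close classes (an assumption of this example).
        "unmatched-srcu-lock": any(
            e.cls in ("Srcu-lock", "Srcu-down") and e.eid not in dom
            for e in events),
        "unmatched-srcu-unlock": any(
            e.cls in ("Srcu-unlock", "Srcu-up") and e.eid not in rng
            for e in events),
        # (srcu-rscs^-1 ; srcu-rscs) \ id: one open paired with two closes.
        "multiple-srcu-matches": any(
            a1 == a2 and b1 != b2 for a1, b1 in rscs for a2, b2 in rscs),
        # Flags proposed in the message, using the separate classes.
        "srcu-mismatch-lock-to-up": any(
            a.cls == "Srcu-lock" and b.cls == "Srcu-up" for a, b in pairs),
        "srcu-mismatch-down-to-unlock": any(
            a.cls == "Srcu-down" and b.cls == "Srcu-unlock" for a, b in pairs),
        "srcu-lock-unlock-mismatch-CPU": any(
            a.cls == "Srcu-lock" and a.thread != b.thread for a, b in pairs),
    }
    return sorted(name for name, hit in checks.items() if hit)

# Constructed executions (not taken from the thread).
GOOD = [Event("a", "Srcu-lock", 0), Event("b", "Srcu-unlock", 0),
        Event("c", "Srcu-down", 0), Event("d", "Srcu-up", 1)]
GOOD_RSCS = {("a", "b"), ("c", "d")}
BAD = [Event("a", "Srcu-lock", 0), Event("b", "Srcu-up", 1),
       Event("c", "Srcu-down", 1), Event("d", "Srcu-unlock", 1)]
BAD_RSCS = {("a", "b"), ("c", "d")}

if __name__ == "__main__":
    print(raised_flags(GOOD, GOOD_RSCS))
    print(raised_flags(BAD, BAD_RSCS))
```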
