lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <tencent_9C4C2E93BF6E6F9A61B2C8B72B800839BD05@qq.com>
Date: Mon, 11 Mar 2024 11:41:26 +0800
From: Kenneth-Lee-2012@...mail.com
To: Andrea Parri <parri.andrea@...il.com>
Cc: Alan Stern <stern@...land.harvard.edu>, linux-kernel@...r.kernel.org,
	paulmck@...nel.org
Subject: Re: Question about PB rule of LKMM

On Sun, Mar 10, 2024 at 03:27:10AM +0100, Andrea Parri wrote:
> Date: Sun, 10 Mar 2024 03:27:10 +0100
> From: Andrea Parri <parri.andrea@...il.com>
> To: Kenneth-Lee-2012@...mail.com
> Cc: Alan Stern <stern@...land.harvard.edu>, linux-kernel@...r.kernel.org,
>  paulmck@...nel.org
> Subject: Re: Question about PB rule of LKMM
> 
> > > Remark that, in the CAT language, the identity relation ({(e, e) : each event e})
> > > is a subset of R* (the _reflexive_-transitive closure of R) for any relation R.
> > > 
> > > The link at stake, (P0:Wx1, P0:Rx), is the result of the following composition:
> > > 
> > >   [Marked]         ; (overwrite & ext)? ; cumul-fence*     ; [Marked]          ; rfe?            ; [Marked]
> > >   (P0:Wx1, P0:Wx1)   (P0:Wx1, P1:Wx8)     (P1:Wx8, P1:Wx8)   (P1:Wx8, P1:Wx8))   (P1:Wx8, P0:Rx)   (P0:Rx, P0:Rx)
> > > 
> > 
> > So the cumul-fence relation includes the same Store? This is hard to
> > understand, because it is defined as:
> > 
> >   let cumul-fence = [Marked] ; (A-cumul(strong-fence | po-rel) | wmb |
> > 	po-unlock-lock-po) ; [Marked] ; rmw-sequence
> > 
> > There is at lease a rmw-sequence in the relation link.
> > 
> > I doubt we have different understanding on the effect of
> > reflexive operator. Let's discuss this with an example. Say we have two
> > relation r1 and r2. r1 have (e1, e2) while r2 have (e2, e3). Then we got
> > (e1, e3) for (r1;r2). The (;) operator joins r1's range to r2's domain.
> > 
> > If we upgrade (r1;r2) to  (r1?;r2), (r1?) become {(m1, m1), (m1, m2), (m2,
> > m2)}, it is r1 plus all identity of all elements used in r1's relations.
> > 
> > So (r1?;r2) is {(m1, m3), (m2, m3)}. If we consider this link:
> > 
> >   e1 ->r1 ->e2 ->r2 e3
> > 
> > A question mark on r1 means both (e1, e3) and (e2, e3) are included in
> > the final definition. The r1 is ignore-able in the definition. The event
> > before or behind the ignore-able relation both belong to the definition.
> > 
> > But this doesn't means r1 is optional. If r1 is empty, (r1?;r2) will
> > become empty, because there is no event element in r1's relations.
> > 
> > So I think the reflexive-transitive operation on cumul-fence cannot make
> > this relation optional. You should first have such link in the code.
> 
> In Cat, r1? is better described by (following your own wording) "r1 plus
> all identity of all elements (i.e. not necessarily in r1)".
> 
> As an example, in the scenario at stake, cumul-fence is empty while both
> cumul-fence? and cumul-fence* match the identity relation on all events.
> 
> Here is a (relatively old, but still accurate AFAICR) article describing
> these and other notions as used in Herd:  (cf. table at the bottom)
> 
>   https://mirrors.edge.kernel.org/pub/linux/kernel/people/paulmck/LWNLinuxMM/herd.html
> 
> Said this, I do think the best way to familiarize with these notions and
> check one's understanding is to spend time using the herd tool itself.
> 

Excuse me, May I ask one last question? I tried the herd tool on the
discussed example. But it seems it is not protected by the hb acyclic
rule. I can replace the linux-kernel.cat with lock.cat on the test:

	P0(int *x)
	{
		int r1;
		WRITE_ONCE(*x, 1);
		r1 = READ_ONCE(*x);
	}
	P1(int *x)
	{
		WRITE_ONCE(*x, 8);
	}
	locations[0:r1; x]
	exists (0:r1=8)

It can still ensure the P0:Wx execute before P0:Rx:

	Test test Allowed
	States 3
	0:r1=1; [x]=1;
	0:r1=1; [x]=8;
	0:r1=8; [x]=8;
	Ok
	Witnesses
	Positive: 1 Negative: 2
	Condition exists (0:r1=8)
	Observation test Sometimes 1 2

The example doesn't prove the hb rule is necessary. Is this
understanding correct? Thanks.

>   Andrea

-- 
			-Kenneth Lee


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ