Re: Litmus test for question from Al Viro

From: Alan Stern
Date: Sat Oct 03 2020 - 09:22:15 EST

Next message: Jarkko Sakkinen: "Re: [PATCH v39 16/24] x86/sgx: Add a page reclaimer"
Previous message: Hans de Goede: "[RFC] Documentation: Add documentation for new performance_profile sysfs class"
In reply to: Alan Stern: "Re: Litmus test for question from Al Viro"
Next in thread: Akira Yokosawa: "Re: Litmus test for question from Al Viro"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To expand on my statement about the LKMM's weakness regarding control
constructs, here is a litmus test to illustrate the issue. You might
want to add this to one of the archives.

Alan

C crypto-control-data
(*
* LB plus crypto-control-data plus data
*
* Expected result: allowed
*
* This is an example of OOTA and we would like it to be forbidden.
* The WRITE_ONCE in P0 is both data-dependent and (at the hardware level)
* control-dependent on the preceding READ_ONCE. But the dependencies are
* hidden by the form of the conditional control construct, hence the
* name "crypto-control-data". The memory model doesn't recognize them.
*)

{}

P0(int *x, int *y)
{
int r1;

r1 = 1;
if (READ_ONCE(*x) == 0)
r1 = 0;
WRITE_ONCE(*y, r1);
}

P1(int *x, int *y)
{
WRITE_ONCE(*x, READ_ONCE(*y));
}

exists (0:r1=1)

Next message: Jarkko Sakkinen: "Re: [PATCH v39 16/24] x86/sgx: Add a page reclaimer"
Previous message: Hans de Goede: "[RFC] Documentation: Add documentation for new performance_profile sysfs class"
In reply to: Alan Stern: "Re: Litmus test for question from Al Viro"
Next in thread: Akira Yokosawa: "Re: Litmus test for question from Al Viro"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]