Re: [Patch 2/2] tools/memory-model: Provide exact SRCU semantics

From: Jonas Oberhauser
Date: Thu Jan 26 2023 - 11:32:08 EST

Next message: Bryan O'Donoghue: "Re: [PATCH v4 0/6] Add MSM8939 SoC support with two devices"
Previous message: Michael S. Tsirkin: "Re: Linux guest kernel threat model for Confidential Computing"
In reply to: Alan Stern: "Re: [Patch 2/2] tools/memory-model: Provide exact SRCU semantics"
Next in thread: Paul E. McKenney: "Re: [Patch 2/2] tools/memory-model: Provide exact SRCU semantics"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 1/26/2023 5:02 PM, Alan Stern wrote:

On Thu, Jan 26, 2023 at 12:30:14PM +0100, Jonas Oberhauser wrote:

On 1/25/2023 11:52 PM, Alan Stern wrote:

On Wed, Jan 25, 2023 at 10:04:29PM +0100, Jonas Oberhauser wrote:

On 1/25/2023 9:21 PM, Alan Stern wrote:

(* Validate nesting *)
flag ~empty Srcu-lock \ domain(srcu-rscs) as unmatched-srcu-lock
flag ~empty Srcu-unlock \ range(srcu-rscs) as unmatched-srcu-unlock
+flag ~empty (srcu-rscs^-1 ; srcu-rscs) \ id as multiple-srcu-matches

[...]

// SRCU
-srcu_read_lock(X) __srcu{srcu-lock}(X)
-srcu_read_unlock(X,Y) { __srcu{srcu-unlock}(X,Y); }
+srcu_read_lock(X) __load{srcu-lock}(*X)
+srcu_read_unlock(X,Y) { __store{srcu-unlock}(*X,Y); }
+srcu_down_read(X) __load{srcu-lock}(*X)
+srcu_up_read(X,Y) { __store{srcu-unlock}(*X,Y); }

How do you feel about introducing Srcu-up and Srcu-down with this patch?

Why invent new classes for them? They are literally the same operation
as Srcu-lock and Srcu-unlock; the only difference is how the kernel's
lockdep checker treats them.

I don't think they're necessarily implemented in a compatible way, so

r = srcu_lock(s);
srcu_up(s,r);

might not actually work, but would currently be ok'ed by LKMM.

I'll let Paul answer this.

With
different classes you could state
flag ~empty [Srcu-lock];srcu-rscs;[Srcu-up] as srcu-mismatch-lock-to-up
flag ~empty [Srcu-down];srcu-rscs;[Srcu-unlock] as
srcu-mismatch-down-to-unlock

I think with the current implementation this code might work, but I don't
feel like this is inherently true.

You could then also go ahead and define the "same CPU" requirement as a flag
for lock and unlock specifically, like
flag ~empty [Srcu-lock];srcu-rscs & ext as srcu-lock-unlock-mismatch-CPU
or so.

Bear in mind that the herd7 model is not obliged to find and warn about
all possible bugs in a litmus test. Especially if the same code would
generate a warning or error when run in the kernel.

I agree, and indeed it may not even possible to do so (even under a hypothetical formal proof that the list of bugs is complete, some might not be formalizable in a satisfactory way in herd).
Mostly I'm just trying to see if you have considered the possibilities and decided against them intentionally, or if you just hadn't considered it. I don't have a strong opinion either way and would be ok with the patch as written.

That said, I do like to think of the model as a kind of compact formal specification/documentation, including the assumptions the kernel makes about how these APIs are to be used.

Best wishes, jonas

Next message: Bryan O'Donoghue: "Re: [PATCH v4 0/6] Add MSM8939 SoC support with two devices"
Previous message: Michael S. Tsirkin: "Re: Linux guest kernel threat model for Confidential Computing"
In reply to: Alan Stern: "Re: [Patch 2/2] tools/memory-model: Provide exact SRCU semantics"
Next in thread: Paul E. McKenney: "Re: [Patch 2/2] tools/memory-model: Provide exact SRCU semantics"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]