Lines Matching +full:fixed +full:- +full:links
1 Explanation of the Linux-Kernel Memory Consistency Model
15 7. THE PROGRAM ORDER RELATION: po AND po-loc
18 10. THE READS-FROM RELATION: rf, rfi, and rfe
20 12. THE FROM-READS RELATION: fr, fri, and fre
22 14. PROPAGATION ORDER RELATION: cumul-fence
28 20. THE HAPPENS-BEFORE RELATION: hb
29 21. THE PROPAGATES-BEFORE RELATION: pb
30 22. RCU RELATIONS: rcu-link, rcu-gp, rcu-rscsi, rcu-fence, and rb
37 ------------
39 The Linux-kernel memory consistency model (LKMM) is rather complex and
41 linux-kernel.bell and linux-kernel.cat files that make up the formal
68 ----------
86 factors such as DMA and mixed-size accesses.) But on multiprocessor
97 ----------------
158 predict that r1 = 42 or r2 = -7, because neither of those values ever
180 ----------------------------
254 -------------------
285 ------
305 Atomic read-modify-write accesses, such as atomic_inc() or xchg(),
312 logical computations, control-flow instructions, or accesses to
318 is concerned only with the store itself -- its value and its address
319 -- not the computation leading up to it.
327 THE PROGRAM ORDER RELATION: po AND po-loc
328 -----------------------------------------
335 that X is po-before Y (written as "X ->po Y" in formulas) if X occurs
338 This is inherently a single-CPU relation; two instructions executing
342 po-loc is a sub-relation of po. It links two memory accesses when the
344 same memory location (the "-loc" suffix).
347 program order we need to explain. The LKMM was inspired by low-level
374 need not even be stored in normal memory at all -- in principle a
380 ---------
421 memory model cannot assume there is a fixed program order relation
427 ------------------------------------------
482 come earlier in program order. Symbolically, if we have R ->data X,
483 R ->addr X, or R ->ctrl X (where R is a read event), then we must also
484 have R ->po X. It wouldn't make sense for a computation to depend
489 THE READS-FROM RELATION: rf, rfi, and rfe
490 -----------------------------------------
492 The reads-from relation (rf) links a write event to a read event when
495 write W ->rf R to indicate that the load R reads from the store W. We
497 the same CPU (internal reads-from, or rfi) and where they occur on
498 different CPUs (external reads-from, or rfe).
506 of load-tearing, where a load obtains some of its bits from one store
508 and WRITE_ONCE() will prevent load-tearing; it's not possible to have:
527 On the other hand, load-tearing is unavoidable when mixed-size
548 If r1 = 0x56781234 (little-endian!) at the end, then P1 must have read
549 from both of P0's stores. It is possible to handle mixed-size and
556 ------------------------------------------------------------------
559 multi-processor system, the CPUs must share a consistent view of the
575 hardware-centric view, the order in which the stores get written to
576 x's cache line). We write W ->co W' if W comes before W' in the
583 Write-write coherence: If W ->po-loc W' (i.e., W comes before
585 and W' are two stores, then W ->co W'.
587 Write-read coherence: If W ->po-loc R, where W is a store and R
591 Read-write coherence: If R ->po-loc W, where R is a load and W
595 Read-read coherence: If R ->po-loc R', where R and R' are two
622 write-write coherence rule: Since the store of 23 comes later in
636 If r1 = 666 at the end, this would violate the read-write coherence
659 would violate the read-read coherence rule: The r1 load comes before
666 encoded in Itanium's Very-Long-Instruction-Word format, and it is yet
670 Just like the po relation, co is inherently an ordering -- it is not
678 related by po. Coherence order is strictly per-location, or if you
682 THE FROM-READS RELATION: fr, fri, and fre
683 -----------------------------------------
685 The from-reads relation (fr) can be a little difficult for people to
687 overwritten by a store. In other words, we have R ->fr W when the
707 stores to x, there would also be fr links from the READ_ONCE() to
716 event W for the same location, we will have R ->fr W if and only if
717 the write which R reads from is co-before W. In symbols,
719 (R ->fr W) := (there exists W' with W' ->rf R and W' ->co W).
723 --------------------
742 arrange for the store to be co-later than (i.e., to overwrite) any
746 whether there are any as-yet unexecuted store instructions, for the
748 uses the value of the po-latest such store as the value obtained by R,
752 of the co-latest store to the location in question which has already
761 First-In-First-Out order, and consequently the processing delay
763 have a partitioned design that results in non-FIFO behavior. We will
781 the CPU to execute all po-earlier instructions before any
782 po-later instructions;
784 smp_rmb() forces the CPU to execute all po-earlier loads
785 before any po-later loads;
787 smp_wmb() forces the CPU to execute all po-earlier stores
788 before any po-later stores;
792 part of an smp_load_acquire()) before any po-later
796 execute all po-earlier instructions before the store
803 For each other CPU C', smp_wmb() forces all po-earlier stores
804 on C to propagate to C' before any po-later stores do.
807 a release fence is executed (including all po-earlier
812 executed (including all po-earlier stores on C) is forced to
813 propagate to all other CPUs before any instructions po-after
820 strong fences are A-cumulative. By contrast, smp_wmb() fences are not
821 A-cumulative; they only affect the propagation of stores that are
829 PROPAGATION ORDER RELATION: cumul-fence
830 ---------------------------------------
833 smp_wmb() fences) are collectively referred to as cumul-fences, even
834 though smp_wmb() isn't A-cumulative. The cumul-fence relation is
841 where either X = E or else E ->rf X; or
844 order, where either X = E or else E ->rf X.
847 and W ->cumul-fence W', then W must propagate to any given CPU
853 -------------------------------------------------
866 Atomicity: This requires that atomic read-modify-write
870 Happens-before: This requires that certain instructions are
876 Rcu: This requires that RCU read-side critical sections and
878 Grace-Period Guarantee.
881 memory models (such as those for C11/C++11). The "happens-before" and
889 -----------------------------------
891 According to the principle of cache coherence, the stores to any fixed
900 and po-loc relations agree with this global ordering; in other words,
901 whenever we have X ->rf Y or X ->co Y or X ->fr Y or X ->po-loc Y, the
907 X0 -> X1 -> X2 -> ... -> Xn -> X0,
909 where each of the links is either rf, co, fr, or po-loc. This has to
910 hold if the accesses to the fixed memory location can be ordered as
919 -------------------
921 What does it mean to say that a read-modify-write (rmw) update, such
945 atomic read-modify-write and W' is the write event which R reads from,
949 (R ->rmw W) implies (there is no X with R ->fr X and X ->co W),
951 where the rmw relation links the read and write events making up each
956 -----------------------------------------
960 "preserved program order") relation, which links the po-earlier
961 instruction to the po-later instruction and is thus a sub-relation of
965 situation: Fences are a source of ppo links. Suppose X and Y are
966 memory accesses with X ->po Y; then the CPU must execute X before Y if
985 X and Y are both loads, X ->addr Y (i.e., there is an address
1007 To be fair about it, all Linux-supported architectures do execute
1011 the split-cache design used by Alpha can cause it to behave in a way
1019 store and a second, po-later load reads from that store:
1021 R ->dep W ->rfi R',
1048 R ->po-loc W
1050 (the po-loc link says that R comes before W in program order and they
1054 violation of the read-write coherence rule. Similarly, if we had
1056 W ->po-loc W'
1060 overwrite W', in violation of the write-write coherence rule.
1062 allowing out-of-order writes like this to occur. The model avoided
1063 violating the write-write coherence rule by requiring the CPU not to
1068 ------------------------
1075 int y = -1;
1122 nothing at all on non-Alpha builds) after every READ_ONCE() and atomic
1124 po-later instructions until after the local cache has finished
1146 the CPU to execute any po-later instructions (or po-later loads in the
1149 wait for all of its po-earlier stores to propagate to every other CPU
1151 the stores received as of that time -- not just the stores received
1158 THE HAPPENS-BEFORE RELATION: hb
1159 -------------------------------
1161 The happens-before relation (hb) links memory accesses that have to
1165 W ->rfe R implies that W and R are on different CPUs. It also means
1168 must have executed before R, and so we have W ->hb R.
1170 The equivalent fact need not hold if W ->rfi R (i.e., W and R are on
1177 W ->coe W'. This means that W and W' are stores to the same location,
1183 R ->fre W means that W overwrites the value which R reads, but it
1188 The third relation included in hb is like ppo, in that it only links
1191 cache coherence. The relation is called prop, and it links two events
1293 outcome is impossible -- as it should be.
1296 followed by an arbitrary number of cumul-fence links, ending with an
1300 followed by two cumul-fences and an rfe link, utilizing the fact that
1301 release fences are A-cumulative:
1332 store to y does (the first cumul-fence), the store to y propagates to P2
1335 store to z does (the second cumul-fence), and P0's load executes after the
1338 In summary, the fact that the hb relation links memory access events
1340 requirement is the content of the LKMM's "happens-before" axiom.
1348 THE PROPAGATES-BEFORE RELATION: pb
1349 ----------------------------------
1351 The propagates-before (pb) relation capitalizes on the special
1352 features of strong fences. It links two events E and F whenever some
1353 store is coherence-later than E and propagates to every CPU and to RAM
1355 F via a coe or fre link, an arbitrary number of cumul-fences, an
1357 links. Let's see how this definition works out.
1360 of links begins with coe). Then there are events W, X, Y, and Z such
1363 E ->coe W ->cumul-fence* X ->rfe? Y ->strong-fence Z ->hb* F,
1365 where the * suffix indicates an arbitrary number of links of the
1367 be equal to X). Because of the cumul-fence links, we know that W will
1371 And because of the hb links, we know that Z will execute before F.
1382 coherence order, contradicting the fact that E ->coe W. If E was a
1385 contradicting the fact that E ->fre W.
1413 In this example, the sequences of cumul-fence and hb links are empty.
1423 In summary, the fact that the pb relation links events in the order
1428 RCU RELATIONS: rcu-link, rcu-gp, rcu-rscsi, rcu-fence, and rb
1429 -------------------------------------------------------------
1431 RCU (Read-Copy-Update) is a powerful synchronization mechanism. It
1432 rests on two concepts: grace periods and read-side critical sections.
1435 synchronize_rcu(). A read-side critical section (or just critical
1441 Grace-Period Guarantee, which states that a critical section can never
1491 suitable places in the RCU-related code. Thus, if a critical section
1504 rcu-link relation. rcu-link encompasses a very general notion of
1507 E ->rcu-link F includes cases where E is po-before some memory-access
1508 event X, F is po-after some memory-access event Y, and we have any of
1509 X ->rfe Y, X ->co Y, or X ->fr Y.
1511 The formal definition of the rcu-link relation is more than a little
1515 about rcu-link is the information in the preceding paragraph.
1517 The LKMM also defines the rcu-gp and rcu-rscsi relations. They bring
1518 grace periods and read-side critical sections into the picture, in the
1521 E ->rcu-gp F means that E and F are in fact the same event,
1525 E ->rcu-rscsi F means that E and F are the rcu_read_unlock()
1526 and rcu_read_lock() fence events delimiting some read-side
1528 that this relation is "inverted": It links the end of the
1531 If we think of the rcu-link relation as standing for an extended
1532 "before", then X ->rcu-gp Y ->rcu-link Z roughly says that X is a
1536 after X ends.) Similarly, X ->rcu-rscsi Y ->rcu-link Z says that X is
1539 The LKMM goes on to define the rcu-fence relation as a sequence of
1540 rcu-gp and rcu-rscsi links separated by rcu-link links, in which the
1541 number of rcu-gp links is >= the number of rcu-rscsi links. For
1544 X ->rcu-gp Y ->rcu-link Z ->rcu-rscsi T ->rcu-link U ->rcu-gp V
1546 would imply that X ->rcu-fence V, because this sequence contains two
1547 rcu-gp links and one rcu-rscsi link. (It also implies that
1548 X ->rcu-fence T and Z ->rcu-fence V.) On the other hand:
1550 X ->rcu-rscsi Y ->rcu-link Z ->rcu-rscsi T ->rcu-link U ->rcu-gp V
1552 does not imply X ->rcu-fence V, because the sequence contains only
1553 one rcu-gp link but two rcu-rscsi links.
1555 The rcu-fence relation is important because the Grace Period Guarantee
1556 means that rcu-fence acts kind of like a strong fence. In particular,
1557 E ->rcu-fence F implies not only that E begins before F ends, but also
1558 that any write po-before E will propagate to every CPU before any
1559 instruction po-after F can execute. (However, it does not imply that
1561 is linked to itself by rcu-fence as a degenerate case.)
1566 G ->rcu-gp W ->rcu-link Z ->rcu-rscsi F.
1569 and there are events X, Y and a read-side critical section C such that:
1571 1. G = W is po-before or equal to X;
1575 2. Y is po-before Z;
1581 From 1 - 4 we deduce that the grace period G ends before the critical
1586 executing and hence before any instruction po-after F can execute.
1588 covered by rcu-fence.
1590 Finally, the LKMM defines the RCU-before (rb) relation in terms of
1591 rcu-fence. This is done in essentially the same way as the pb
1592 relation was defined in terms of strong-fence. We will omit the
1593 details; the end result is that E ->rb F implies E must execute
1594 before F, just as E ->pb F does (and for much the same reasons).
1599 and F with E ->rcu-link F ->rcu-fence E. Or to put it a third way,
1600 the axiom requires that there are no cycles consisting of rcu-gp and
1601 rcu-rscsi alternating with rcu-link, where the number of rcu-gp links
1602 is >= the number of rcu-rscsi links.
1617 are events Q and R where Q is po-after L (which marks the start of the
1618 critical section), Q is "before" R in the sense used by the rcu-link
1619 relation, and R is po-before the grace period S. Thus we have:
1621 L ->rcu-link S.
1627 some event X which is po-after S. Symbolically, this amounts to:
1629 S ->po X ->hb* Z ->fr W ->rf Y ->po U.
1633 discussion of the rcu-link relation earlier) that S and U are related
1634 by rcu-link:
1636 S ->rcu-link U.
1638 Since S is a grace period we have S ->rcu-gp S, and since L and U are
1639 the start and end of the critical section C we have U ->rcu-rscsi L.
1642 S ->rcu-gp S ->rcu-link U ->rcu-rscsi L ->rcu-link S,
1647 For something a little more down-to-earth, let's see how the axiom
1672 P1's load at W reads from, so we have W ->fre Y. Since S ->po W and
1673 also Y ->po U, we get S ->rcu-link U. In addition, S ->rcu-gp S
1677 so we have X ->rfe Z. Together with L ->po X and Z ->po S, this
1678 yields L ->rcu-link S. And since L and U are the start and end of a
1679 critical section, we have U ->rcu-rscsi L.
1681 Then U ->rcu-rscsi L ->rcu-link S ->rcu-gp S ->rcu-link U is a
1719 that U0 ->rcu-rscsi L0 ->rcu-link S1 ->rcu-gp S1 ->rcu-link U2 ->rcu-rscsi
1720 L2 ->rcu-link U0. However this cycle is not forbidden, because the
1721 sequence of relations contains fewer instances of rcu-gp (one) than of
1722 rcu-rscsi (two). Consequently the outcome is allowed by the LKMM.
1727 -------------------- -------------------- --------------------
1748 Addendum: The LKMM now supports SRCU (Sleepable Read-Copy-Update) in
1750 above, with new relations srcu-gp and srcu-rscsi added to represent
1751 SRCU grace periods and read-side critical sections. There is a
1752 restriction on the srcu-gp and srcu-rscsi links that can appear in an
1753 rcu-fence sequence (the srcu-rscsi links must be paired with srcu-gp
1754 links having the same SRCU domain with proper nesting); the details
1759 -------
1789 store-release in a spin_unlock() and the load-acquire which forms the
1791 spin_trylock() -- we can call these things lock-releases and
1792 lock-acquires -- have two properties beyond those of ordinary releases
1795 First, when a lock-acquire reads from a lock-release, the LKMM
1796 requires that every instruction po-before the lock-release must
1797 execute before any instruction po-after the lock-acquire. This would
1830 fences, only to lock-related operations. For instance, suppose P0()
1854 Second, when a lock-acquire reads from a lock-release, and some other
1855 stores W and W' occur po-before the lock-release and po-after the
1856 lock-acquire respectively, the LKMM requires that W must propagate to
1892 These two special requirements for lock-release and lock-acquire do
1900 -------------
1925 that are part of a non-value-returning atomic update. For instance,
1934 non-value-returning atomic operations effectively to be executed off
1943 smp_store_release() -- which is basically how the Linux kernel treats
1951 all po-earlier events against all po-later events, as smp_mb() does,
1954 smp_mb__before_atomic() orders all po-earlier events against
1955 po-later atomic updates and the events following them;
1957 smp_mb__after_atomic() orders po-earlier atomic updates and
1958 the events preceding them against all po-later events;
1960 smp_mb_after_spinlock() orders po-earlier lock acquisition
1961 events and the events preceding them against all po-later
1982 non-deadlocking executions. For example:
2006 will self-deadlock in the executions where it stores 36 in y.