summaryrefslogtreecommitdiff
path: root/tools/memory-model/linux-kernel.cat
blob: 8f23c74a96fdca4775bc463b46838c1d57c496ec (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
// SPDX-License-Identifier: GPL-2.0+
(*
 * Copyright (C) 2015 Jade Alglave <j.alglave@ucl.ac.uk>,
 * Copyright (C) 2016 Luc Maranget <luc.maranget@inria.fr> for Inria
 * Copyright (C) 2017 Alan Stern <stern@rowland.harvard.edu>,
 *                    Andrea Parri <parri.andrea@gmail.com>
 *
 * An earlier version of this file appeared in the companion webpage for
 * "Frightening small children and disconcerting grown-ups: Concurrency
 * in the Linux kernel" by Alglave, Maranget, McKenney, Parri, and Stern,
 * which appeared in ASPLOS 2018.
 *)

"Linux-kernel memory consistency model"

(*
 * File "lock.cat" handles locks and is experimental.
 * It can be replaced by include "cos.cat" for tests that do not use locks.
 *)

include "lock.cat"

(*******************)
(* Basic relations *)
(*******************)

(* Fences *)
let rmb = [R \ Noreturn] ; fencerel(Rmb) ; [R \ Noreturn]
let wmb = [W] ; fencerel(Wmb) ; [W]
let mb = ([M] ; fencerel(Mb) ; [M]) |
	([M] ; fencerel(Before-atomic) ; [RMW] ; po? ; [M]) |
	([M] ; po? ; [RMW] ; fencerel(After-atomic) ; [M]) |
	([M] ; po? ; [LKW] ; fencerel(After-spinlock) ; [M]) |
	([M] ; po ; [UL] ; (co | po) ; [LKW] ;
		fencerel(After-unlock-lock) ; [M])
let gp = po ; [Sync-rcu] ; po?

let strong-fence = mb | gp

(* Release Acquire *)
let acq-po = [Acquire] ; po ; [M]
let po-rel = [M] ; po ; [Release]
let po-unlock-rf-lock-po = po ; [UL] ; rf ; [LKR] ; po

(**********************************)
(* Fundamental coherence ordering *)
(**********************************)

(* Sequential Consistency Per Variable *)
let com = rf | co | fr
acyclic po-loc | com as coherence

(* Atomic Read-Modify-Write *)
empty rmw & (fre ; coe) as atomic

(**********************************)
(* Instruction execution ordering *)
(**********************************)

(* Preserved Program Order *)
let dep = addr | data
let rwdep = (dep | ctrl) ; [W]
let overwrite = co | fr
let to-w = rwdep | (overwrite & int)
let to-r = addr | (dep ; rfi)
let fence = strong-fence | wmb | po-rel | rmb | acq-po
let ppo = to-r | to-w | fence | (po-unlock-rf-lock-po & int)

(* Propagation: Ordering from release operations and strong fences. *)
let A-cumul(r) = rfe? ; r
let cumul-fence = A-cumul(strong-fence | po-rel) | wmb | po-unlock-rf-lock-po
let prop = (overwrite & ext)? ; cumul-fence* ; rfe?

(*
 * Happens Before: Ordering from the passage of time.
 * No fences needed here for prop because relation confined to one process.
 *)
let hb = ppo | rfe | ((prop \ id) & int)
acyclic hb as happens-before

(****************************************)
(* Write and fence propagation ordering *)
(****************************************)

(* Propagation: Each non-rf link needs a strong fence. *)
let pb = prop ; strong-fence ; hb*
acyclic pb as propagation

(*******)
(* RCU *)
(*******)

(*
 * Effect of read-side critical section proceeds from the rcu_read_lock()
 * onward on the one hand and from the rcu_read_unlock() backwards on the
 * other hand.
 *)
let rscs = po ; crit^-1 ; po?

(*
 * The synchronize_rcu() strong fence is special in that it can order not
 * one but two non-rf relations, but only in conjunction with an RCU
 * read-side critical section.
 *)
let rcu-link = hb* ; pb* ; prop

(*
 * Any sequence containing at least as many grace periods as RCU read-side
 * critical sections (joined by rcu-link) acts as a generalized strong fence.
 *)
let rec rcu-fence = gp |
	(gp ; rcu-link ; rscs) |
	(rscs ; rcu-link ; gp) |
	(gp ; rcu-link ; rcu-fence ; rcu-link ; rscs) |
	(rscs ; rcu-link ; rcu-fence ; rcu-link ; gp) |
	(rcu-fence ; rcu-link ; rcu-fence)

(* rb orders instructions just as pb does *)
let rb = prop ; rcu-fence ; hb* ; pb*

irreflexive rb as rcu

(*
 * The happens-before, propagation, and rcu constraints are all
 * expressions of temporal ordering.  They could be replaced by
 * a single constraint on an "executes-before" relation, xb:
 *
 * let xb = hb | pb | rb
 * acyclic xb as executes-before
 *)