Concurrency in the Linux Kernel
Total Page:16
File Type:pdf, Size:1020Kb
Frightening small children and disconcerting grown-ups: Concurrency in the Linux kernel Jade Alglave Luc Maranget Paul E. McKenney University College London Inria — Paris IBM Corporation Microsoft Research [email protected] Oregon State University [email protected] [email protected] Andrea Parri Alan Stern Scuola Superiore Sant’Anna Harvard University [email protected] [email protected] Abstract Model URL SPARC [51, 76] Concurrency in the Linux kernel can be a contentious topic. LK [84] The Linux kernel mailing list features numerous discussions LK [56, 4] related to consistency models, including those of the more LK [19] than 30 CPU architectures supported by the kernel and that LK [73] of the kernel itself. How are Linux programs supposed to LK [36] behave? Do they behave correctly on exotic hardware? LK/Itanium [16, 70] A formal model can help address such questions. Better LK [20] yet, an executable model allows programmers to experiment Itanium [57, 48, 49, 88] with the model to develop their intuition. Thus we offer Intel [53, 41] a model written in the cat language, making it not only LK/C11 [22, 23] formal, but also executable by the herd simulator. We tested LK [21] our model against hardware and refined it in consultation Alpha [79] with maintainers. Finally, we formalised the fundamental LK [31] law of the Read-Copy-Update synchronisation mechanism, ARM64 [26] and proved that one of its implementations satisfies this law. LK [27] MIPS [85, 86, 87, 81] Power [32, 33, 30] 1. Introduction ARM64 [28] Concurrency in Linux may frighten small children [35]; it LK/C11 [24] also appears to be disconcerting to grown-ups. LK [72] Table 1: Selection of LKML discussions 1.1 “Still confusion situation all round” [sic] [89] The Linux kernel (LK) targets more than 30 CPU ar- LK developers must understand not only the kernel’s concur- chitectures, amongst which Alpha [18], ARM [14], IBM rency primitives, but also those of the underlying hardware. Power [38], Intel [40], Itanium [40] and MIPS [39] imple- Several documents make laudable efforts in this direction: ment weak consistency models. Consistency models deter- [37] lists what orderings are guaranteed; [69] summarises mine what values a read can take; weak models allow more semantics of read-modify-write operations, and [55] doc- behaviours than Sequential Consistency (SC) [45]. uments ways of avoiding counterproductive optimisations. These architectures implement distinct models and thus Sadly these documents are in prose, subject to ambiguities disagree on the values that a read can return. This leads to and misinterpretations. As a candid disclaimer puts it [37]: a plethora of discussions on the Linux Kernel mailing list This document is not a specification; it is intentionally (for the (LKML), some of which are listed in Table 1; their frequency sake of brevity) and unintentionally (due to being human) incom- has increased as multicore systems have gone mainstream. plete. [. ] in case of any doubt (and there are many) please ask. This quote suggests that a specification might dispel all doubts. However, as Linus Torvalds writes [78]: In short, the LK should have a model of its own. With specs, there really *are* people who spend years discussing 1.3 “[P]ick a sane, maintainable memory model” what the meaning of the word ”access” is or similar [the authors [71] of this paper plead guilty]. Combine that with a big spec that is Our LK model is a first attempt at fulfilling this wish. Of 500+ pages in size and then try to apply that all to a project that is 15 million lines of code and sometimes *knowingly* has to do course, concerns like sanity or maintainability are to an things that it simply knows are outside the spec [...]” extent in the eye of the beholder. But we believe that the LK community will help achieve these goals. Indeed, our This highlights the need for an object beyond a prose work is based on interactions with the community, along specification: unambiguous, concise, amenable to vast code with documentation and posts to mailing lists. This has been projects, and complete. We offer a formal executable model necessary for understanding the semantics of certain pieces for the LK, written in the cat language [12]. of code. Writing a memory consistency model in cat gives it a for- LK issue URL mal meaning, since cat has a formal semantics [3]. More- locking on ARM64 [26] over, a cat model can be executed within the herd tool [5], ambiguities in [37] [59] allowing users to experiment with the model to develop their ambiguities in RCU documentation [58] intuition. CPU hotplug [90] 1.2 “[I]t is your kernel, so what is your preference?” [54] assumption about lock-unlock [64] semantics of spin unlock wait [83] Architects and standard committees are often seen as ulti- Table 2: LK issues that our work helped address mate authorities on consistency matters. In our case, we rely on Linus Torvalds’s and his maintainers’ posts to LKML and Moreover, our model has already resolved ambiguities the gcc mailing list. We cite and discuss these posts below. and helped fix bugs (see Table 2). The RCU documentation A common denominator of hardware models seems to now uses our definitions [58] and memory-barriers.txt [37] align with Torvalds’ view [80]: was updated to distinguish between transitivity and cumu- Weak memory ordering is [. ] hard to think about [. ] So the lativity [59]. Our work informed fixes to code incorrectly memory ordering rules should [. ] absolutely be as tight as at relying on fully ordered lock-unlock pairs [64], code where all humanly possible, given real hardware constraints. ARM64 needed stronger ordering from combinations of To this end, we axiomatised models of IBM Power [75, locking and fences [26], and discussions about the semantics 74] in cat. We modified this formalisation to handle Al- of locking primitives [83]. Finally, our model was directly pha [18] and incorporate ideas from academic ARM mod- used by a maintainer to justify his patch [90]; this highlights els [34]. ARM then released their official memory model [47, the practical applicability of our model. Chap. B2.3] (including a cat file distributed within the Seven maintainers agreed to sponsor our model, which diy+herd toolsuite [5]), making those models obsolete; we has received positive feedback on LKML [60]. thus modified our LK model accordingly. This experience 1.4 Correctness of concurrent code shows that our model will change over time as existing hard- ware evolves, or new hardware arises. Our model is also a stepping stone towards assessing the cor- Yet the LK cannot simply be an envelope for the architec- rectness of LK code. We focus here on Read-Copy-Update tures it supports. As Ingo Molnar writes [71]: (RCU) [52]. CBMC [17] has been used to verify LK Tree RCU over it’s not true that Linux has to offer a barrier and locking model that panders to the weakest (and craziest!) memory ordering SC, TSO, and PSO [46]; others used Nidhugg over SC and model amongst all the possible Linux platforms—theoretical or TSO [42]. Userspace RCU has been examined with respect real metal. Instead what we want to do is to consciously, intelli- to C11 [77, 43]. These works provided valuable insights, but gently pick a sane, maintainable memory model and offer primi- only relative to the models available to them. We examine tives for that—at least as far as generic code is concerned. Each RCU in the light of our LK model, the first to provide a architecture can map those primitives to the best of its abilities. formal semantics for RCU. Moreover, our results provide This seems much like defining a language-level model: it two alternative ways to integrate a semantics of RCU in a might appear that the C11 model could be used as the LK software analysis tool. model. Indeed, converging with C11 is the topic of several 1.5 Overview of the paper and contributions LKML discussions [22, 24]. Unfortunately the C11 model is an imperfect fit [78]: Section 2 introduces LK programs and their executions, and I do not believe for a second that we can actually use the C11 the cat language. Section 3 describes and illustrates our memory model in the kernel [. ] We will continue to have to do model. Section 4 formalises RCU. Section 5 gives our ex- things that are “outside the specs” [. ] with models that C11 perimental results. Section 6 examines the correctness of an simply doesn’t cover. RCU implementation. In summary, this paper presents: 1. a formal core LK memory model, in the form of a spec- LK/C primitive Event ification of the model in cat (Figure 8) and precise con- READ ONCE() R[once] straints under which executions are allowed or forbidden WRITE ONCE() W[once] by the LK model (Figure 3); smp load acquire() R[acquire] 2. examples illustrating how forbidden executions violate smp store release() W[release] the constraints (Figures 2, 4, 5, 6, and 7); smp rmb() F[rmb] smp wmb() F[wmb] 3. a formalisation of RCU as an axiom (Figure 12); smp mb() F[mb] 4. a formalisation of the fundamental law of RCU [62], smp read barrier depends() F[rb-dep] equivalent to the axiom (Theorem 1); xchg relaxed() R[once]; W[once] 5. experiments showing that our model is sound with re- xchg acquire() R[acquire]; W[once] spect to hardware, and a comparison with C11 (Table 5); xchg release() R[once]; W[release] xchg() F[mb]; R[once]; W[once]; F[mb] 6.