linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Torvald Riegel <triegel@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jan Kara <jack@suse.cz>, LKML <linux-kernel@vger.kernel.org>,
	linux-ia64@vger.kernel.org, dsterba@suse.cz, ptesarik@suse.cz,
	rguenther@suse.de, gcc@gcc.gnu.org
Subject: Re: Memory corruption due to word sharing
Date: Wed, 01 Feb 2012 18:42:54 +0100	[thread overview]
Message-ID: <1328118174.15992.6206.camel@triegel.csb> (raw)
In-Reply-To: <CA+55aFy55Q=+pFCZcS9cOM6SL+ZT3sNDB+c4qFvVqwwSpTqJ7g@mail.gmail.com>

On Wed, 2012-02-01 at 08:41 -0800, Linus Torvalds wrote:
> If the gcc people aren't willing to agree that this is actually a flaw
> in the standard (one that is being addressed, no less)

It has been addressed in the standards.

> and try to fix
> it,

Again, this is being worked on, see http://gcc.gnu.org/wiki/Atomic/GCCMM

> we just have to extend our assumptions to something like "a
> compiler would be stupid to ever access anything bigger than the
> aligned register-size area". It's still just an assumption, and
> compiler people could be crazy, but we could just extend the current
> alpha rules to cover not just "int", but "long" too.

So, let's ignore everyone's craziness (the kernel is not the only GCC
client...) and think about how we can improve the situation.

We need a proper memory model.  No vague assumptions with lots of
hand-waving.  If you think that this is simple stuff and can
sufficiently described by "don't do anything stupid", then please have a
look at the issues that the Java memory model faced, and all the
iterations of the C++11/C11 model and discussions about it.

The only candidate that I see is the C++11/C11 model.  Any other
suggestions?

Now, if we assume this model, what does the kernel community think about
it?  It might be good to split this discussion into the following two
points, to avoid syntax flame wars:
1) The model itself (ie, the memory orders, ordering guarantees, (lack
of) progress guarantees, etc.).
2) The syntax/APIs to specify atomics.

If something else or more is needed, the compiler needs to have a formal
specification for that.  This will help users too, because it avoids all
the ambiguities.

> Sure, the compiler people could use "load/store multiple" or something
> like that, but it would be obviously crazy code, so if it happens past
> a register size, at least you could argue that it's a performance
> issue and maybe the gcc people would care.
> 
> HOWEVER. The problem with the alpha rules (which, btw, were huge, and
> led to the CPU designers literally changing the CPU instruction set
> because they admitted they made a huge mistake) was never so much the
> occasional memory corruption, as the fact that the places where it
> could happen were basically almost impossible to find.
> 
> So we probably have tons of random places in the kernel that violate
> even the alpha rules - because the corruption is so rare, and the
> architecture was so rare as to making the corruption even harder to
> find.

I assume you still would want a weak memory model, or not?  (That is,
rely on data-race-freedom, only atomics do not contribute to data races,
and you need to mark data used for synchronization (or which is just
accessed concurrently) as atomics).

If so, you need to tell the compiler which variables etc. are atomics.

> I assume this code generation idiocy only happens with bitfields? The
> problem is, we really don't want to make all bitfields take up 64 bits
> just because we might have a lock or something else next to them. But
> we could probably re-order things (and then *occasionally* wasting
> memory) if we could just find the ones that are problematic.

If the compiler is aware what is a lock (or atomics, or similar), then a
correct implementation should leave the lock alone.  But in a weak
memory model, it needs to know what is a lock.
(Same goes for volatile obviously, like in the other example posted in
the thread where the bitfields interfered with the volatile.)

> 
> It's finding the problematic ones that is the issue. Which is why the
> compiler should just generate code that matches what we told it to do,

So, would it be okay to tell the compiler which part of the state is
accessed concurrently (ie, locks, atomics, ...)?


Torvald


  reply	other threads:[~2012-02-01 19:16 UTC|newest]

Thread overview: 67+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-02-01 15:19 Memory corruption due to word sharing Jan Kara
2012-02-01 15:34 ` Markus Trippelsdorf
2012-02-01 16:37 ` Colin Walters
2012-02-01 16:56   ` Linus Torvalds
2012-02-01 17:11     ` Jiri Kosina
2012-02-01 17:37       ` Linus Torvalds
2012-02-01 17:41       ` Michael Matz
2012-02-01 18:09         ` David Miller
2012-02-01 18:45           ` Jeff Law
2012-02-01 19:09             ` Linus Torvalds
2012-02-02 15:51               ` Jeff Garzik
2012-02-01 18:57           ` Linus Torvalds
2012-02-01 19:04           ` Peter Bergner
2012-02-01 18:52         ` Linus Torvalds
2012-02-02  9:35           ` Richard Guenther
2012-02-02  9:37           ` Richard Guenther
2012-02-02 13:43           ` Michael Matz
2012-02-01 16:41 ` Linus Torvalds
2012-02-01 17:42   ` Torvald Riegel [this message]
2012-02-01 19:40     ` Jakub Jelinek
2012-02-01 20:01       ` Linus Torvalds
2012-02-01 20:16         ` Jakub Jelinek
2012-02-01 20:44           ` Linus Torvalds
2012-02-02 15:58             ` Aldy Hernandez
2012-02-02 16:28               ` Michael Matz
2012-02-02 17:51                 ` Linus Torvalds
2012-02-01 20:19         ` Linus Torvalds
2012-02-02  9:46           ` Richard Guenther
2012-02-01 19:44     ` Boehm, Hans
2012-02-01 19:54       ` Jeff Law
2012-02-01 19:47     ` Linus Torvalds
2012-02-01 19:58       ` Alan Cox
2012-02-01 20:41       ` Torvald Riegel
2012-02-01 20:59         ` Linus Torvalds
2012-02-01 21:24           ` Torvald Riegel
2012-02-01 21:55             ` Linus Torvalds
2012-02-01 21:25           ` Boehm, Hans
2012-02-01 22:27             ` Linus Torvalds
2012-02-01 22:45           ` Paul E. McKenney
2012-02-01 23:11             ` Linus Torvalds
2012-02-02 18:42               ` Paul E. McKenney
2012-02-02 19:08                 ` Linus Torvalds
2012-02-02 19:37                   ` Paul E. McKenney
2012-02-03 16:38                     ` Andrew MacLeod
2012-02-03 17:16                       ` Linus Torvalds
2012-02-03 19:16                         ` Andrew MacLeod
2012-02-03 20:00                           ` Linus Torvalds
2012-02-03 20:19                             ` Paul E. McKenney
2012-02-06 15:38                             ` Torvald Riegel
2012-02-10 19:27                             ` Richard Henderson
2012-02-02 11:19           ` Ingo Molnar
2012-02-01 21:04       ` Boehm, Hans
2012-02-02  9:28         ` Bernd Petrovitsch
2012-02-01 17:08 ` Torvald Riegel
2012-02-01 17:29   ` Linus Torvalds
2012-02-01 20:53     ` Torvald Riegel
2012-02-01 21:20       ` Linus Torvalds
2012-02-01 21:37         ` Torvald Riegel
2012-02-01 22:18           ` Boehm, Hans
2012-02-02 11:11 ` James Courtier-Dutton
2012-02-02 11:24   ` Richard Guenther
2012-02-02 11:13 ` David Sterba
2012-02-02 11:23   ` Richard Guenther
2012-02-03  6:45 ` DJ Delorie
2012-02-03  9:37   ` Richard Guenther
2012-02-03 10:03     ` Matthew Gretton-Dann
2012-02-01 17:52 Dennis Clarke

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1328118174.15992.6206.camel@triegel.csb \
    --to=triegel@redhat.com \
    --cc=dsterba@suse.cz \
    --cc=gcc@gcc.gnu.org \
    --cc=jack@suse.cz \
    --cc=linux-ia64@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ptesarik@suse.cz \
    --cc=rguenther@suse.de \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).