THE SEMANTICS OF TRANSACTIONS AND WEAK MEMORY
IN X86, POWER, ARM, AND C++
Tyler Sorensen Princeton University
John Wickerson Imperial College London
Nathan Chong Arm Ltd.
USENIX Annual Technical Conference, 11 July 2019
WEAK MEMORY
Thread 0        Thread 1
MOV [x] 1       MOV [y] 1
MOV r0 [y]      MOV r1 [x]

Outcomes and the models that allow them:
r0=1 r1=0    SC, x86
r0=0 r1=1    SC, x86
r0=1 r1=1    SC, x86
r0=0 r1=0    x86 only
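The outcome sets for the two-thread test above can be reproduced by exhaustive search over schedules. This is an added example, not code from the talk or the authors' models: it uses a simplified operational store-buffer machine as a stand-in for x86, and the names SB, outcomes and store_buffers are assumptions of the example.

```python
# Store-buffering test from the slide. ("st", addr, val) is MOV [addr] val;
# ("ld", reg, addr) is MOV reg [addr]. x and y start at 0.
SB = ((("st", "x", 1), ("ld", "r0", "y")),
      (("st", "y", 1), ("ld", "r1", "x")))

def _put(tup, i, val):
    """Copy of tuple `tup` with element i replaced."""
    return tup[:i] + (val,) + tup[i + 1:]

def _freeze(d):
    return tuple(sorted(d.items()))  # hashable snapshot of a dict

def outcomes(program, store_buffers):
    """Explore every schedule; return the set of final (r0, r1) pairs.
    store_buffers=False: stores hit memory at once (SC).
    store_buffers=True: each thread has a FIFO store buffer that drains
    to memory at any later point (simplified x86-TSO, no fences)."""
    n = len(program)
    start = ((0,) * n, ((),) * n, _freeze({"x": 0, "y": 0}), ())
    stack, seen, finals = [start], {start}, set()
    while stack:
        pcs, bufs, mem, regs = stack.pop()
        memd, regd, succ = dict(mem), dict(regs), []
        for t, thread in enumerate(program):
            if pcs[t] < len(thread):              # run next instruction
                op, a, b = thread[pcs[t]]
                m, r, buf = dict(memd), dict(regd), bufs[t]
                if op == "st" and store_buffers:
                    buf += ((a, b),)              # store waits in buffer
                elif op == "st":
                    m[a] = b
                else:                             # load: own buffer first
                    hits = [v for addr, v in buf if addr == b]
                    r[a] = hits[-1] if hits else memd[b]
                succ.append((_put(pcs, t, pcs[t] + 1), _put(bufs, t, buf),
                             _freeze(m), _freeze(r)))
            if bufs[t]:                           # drain oldest store
                (addr, v), m = bufs[t][0], dict(memd)
                m[addr] = v
                succ.append((pcs, _put(bufs, t, bufs[t][1:]), _freeze(m), regs))
        if not succ:                              # finished, buffers empty
            finals.add((regd["r0"], regd["r1"]))
        new = [s for s in succ if s not in seen]
        seen.update(new)
        stack.extend(new)
    return finals

SC, TSO = outcomes(SB, False), outcomes(SB, True)
print("SC:", sorted(SC), "x86:", sorted(TSO), "x86 only:", sorted(TSO - SC))
```

The only outcome the store buffers add is the one where both loads read 0, because each store can still sit in its thread's buffer when the other thread loads.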
WEAK MEMORY IS HARD!
• x86 proved tricky to formalise correctly [Sarkar et al., POPL'09; Owens et al., TPHOLs'09]
• Bug found in deployed "Power 5" processors [Alglave et al., CAV'10]
• C++ specification did not guarantee its own key property [Batty et al., POPL'11]
• Routine compiler optimisations are invalid under Java and C++ memory models [Sevcik, PLDI'11; Vafeiadis et al. POPL'15]
• Behaviour of NVIDIA graphics processors contradicted NVIDIA's programming guide [Alglave et al., ASPLOS'15]
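MODELLING WEAK MEMORY
Thread 0        Thread 1
MOV [x] 1       MOV [y] 1
MOV r0 [y]      MOV r1 [x]

[Figure: the four candidate executions of this program, drawn as graphs of write (W) and read (R) events joined by po, rf and fr edges. Each graph is labelled with an "x86:" and an "SC:" verdict.]
r0=1 r1=1: events W x 1, R y 1, W y 1, R x 1; edges po, po, rf, rf
r0=0 r1=1: events W x 1, R y 0, W y 1, R x 1; edges po, po, rf, fr
r0=1 r1=0: events W x 1, R y 1, W y 1, R x 0; edges po, po, rf, fr
r0=0 r1=0: events W x 1, R y 0, W y 1, R x 0; edges po, po, fr, fr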
TRANSACTIONAL MEMORY
• x86: XBEGIN ... XEND
• Power: tbegin ... tend
• ARM: tstart ... tcommit
• C++: atomic { ... }
WEAK MEMORY + TM = ?
Thread 0        Thread 1
XBEGIN          XBEGIN
MOV [x] 1       MOV [y] 1
MOV r0 [y]      MOV r1 [x]
XEND            XEND

Candidate outcomes:
r0=1 r1=0
r0=0 r1=1
r0=1 r1=1
r0=0 r1=0

[Figure: braces mark which of these outcomes fall under SC, x86, and transactional SC.]
BUILDING OUR MODELS
x86:
Power:
ARM:
C++:
VALIDATING OUR MODELS
1. Consult architecture manuals.
2. Interview engineers.
3. Check models have reasonable mathematical properties (e.g. adding/extending/coalescing transactions is safe).
4. Check that models validate existing compiler mappings.
5. Generate conformance tests and run them on hardware.
VALIDATING OUR MODELS
[Figure: "Behaviours that must be forbidden". Two charts, x86 and Power, plotting number of tests against test size (instructions). x86: test sizes 2 to 7, vertical axis 0 to 400. Power: test sizes 2 to 6, vertical axis 0 to 1000.]
VALIDATING OUR MODELS
[Figure: "Behaviours that should be allowed". Two charts, x86 and Power, plotting number of tests against test size (instructions). x86: test sizes 2 to 7, vertical axis 0 to 3000. Power: test sizes 2 to 6, vertical axis 0 to 6000.]
USING OUR MODELS
LOCK ELISION
Thread 0:
    lock()
    X = X + 2
    unlock()
Thread 1:
    lock()
    X = 1
    unlock()
LOCK ELISION
Thread 0:
    lock()
    ldr W5,[X]
    add W5,W5,#2
    str W5,[X]
    unlock()
Thread 1:
    lock()
    mov W7,#1
    str W7,[X]
    unlock()
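LOCK ELISION
Thread 0:
    Loop:
    ldaxr W2,[M]      // load-acquire exclusive: read lock M
    cbnz W2,Loop      // lock held: retry
    mov W3,#1
    stxr W4,W3,[M]    // store exclusive: try to set M to 1
    cbnz W4,Loop      // store failed: retry
    ldr W5,[X]        // critical section: X = X + 2
    add W5,W5,#2
    str W5,[X]
    stlr WZR,[M]      // store-release: set M to 0 (unlock)
Thread 1:
    lock()
    mov W7,#1
    str W7,[X]
    unlock()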
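LOCK ELISION
Thread 0:
    Loop:
    ldaxr W2,[M]      // load-acquire exclusive: read lock M
    cbnz W2,Loop      // lock held: retry
    mov W3,#1
    stxr W4,W3,[M]    // store exclusive: try to set M to 1
    cbnz W4,Loop      // store failed: retry
    ldr W5,[X]        // critical section: X = X + 2
    add W5,W5,#2
    str W5,[X]
    stlr WZR,[M]      // store-release: set M to 0 (unlock)
Thread 1:
    tstart
    ldr W6,[M]        // read lock M inside the transaction
    cbz W6,L1         // lock free: continue at L1
    tcancel           // lock held: cancel the transaction
    L1:
    mov W7,#1         // critical section: X = 1
    str W7,[X]
    tcommit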
CONCLUSION
• Weak memory is pervasive, and transactional memory is entering the mainstream.
• We have designed and validated formal models of how these features interact in x86, Power, ARM, and C++.
• Weak memory + transactions + lock elision = tricky!