[mirror_ubuntu-jammy-kernel.git] / tools / memory-model / Documentation / control-dependencies.txt

CONTROL DEPENDENCIES
====================

A major difficulty with control dependencies is that current compilers
do not support them.  One purpose of this document is therefore to
help you prevent your compiler from breaking your code.  However,
control dependencies also pose other challenges, which leads to the
second purpose of this document, namely to help you to avoid breaking
your own code, even in the absence of help from your compiler.

One such challenge is that control dependencies order only later stores.
Therefore, a load-load control dependency will not preserve ordering
unless a read memory barrier is provided.  Consider the following code:

	q = READ_ONCE(a);
	if (q)
		p = READ_ONCE(b);

This is not guaranteed to provide any ordering because some types of CPUs
are permitted to predict the result of the load from "b".  This prediction
can cause other CPUs to see this load as having happened before the load
from "a".  This means that an explicit read barrier is required, for example
as follows:

	q = READ_ONCE(a);
	if (q) {
		smp_rmb();
		p = READ_ONCE(b);
	}

However, stores are not speculated.  This means that ordering is
(usually) guaranteed for load-store control dependencies, as in the
following example:

	q = READ_ONCE(a);
	if (q)
		WRITE_ONCE(b, 1);

Control dependencies can pair with each other and with other types
of ordering.  But please note that neither the READ_ONCE() nor the
WRITE_ONCE() are optional.  Without the READ_ONCE(), the compiler might
fuse the load from "a" with other loads.  Without the WRITE_ONCE(),
the compiler might fuse the store to "b" with other stores.  Worse yet,
the compiler might convert the store into a load and a check followed
by a store, and this compiler-generated load would not be ordered by
the control dependency.

Furthermore, if the compiler is able to prove that the value of variable
"a" is always non-zero, it would be well within its rights to optimize
the original example by eliminating the "if" statement as follows:

	q = a;
	b = 1;  /* BUG: Compiler and CPU can both reorder!!! */

So don't leave out either the READ_ONCE() or the WRITE_ONCE().
In particular, although READ_ONCE() does force the compiler to emit a
load, it does *not* force the compiler to actually use the loaded value.

It is tempting to try use control dependencies to enforce ordering on
identical stores on both branches of the "if" statement as follows:

	q = READ_ONCE(a);
	if (q) {
		barrier();
		WRITE_ONCE(b, 1);
		do_something();
	} else {
		barrier();
		WRITE_ONCE(b, 1);
		do_something_else();
	}

Unfortunately, current compilers will transform this as follows at high
optimization levels:

	q = READ_ONCE(a);
	barrier();
	WRITE_ONCE(b, 1);  /* BUG: No ordering vs. load from a!!! */
	if (q) {
		/* WRITE_ONCE(b, 1); -- moved up, BUG!!! */
		do_something();
	} else {
		/* WRITE_ONCE(b, 1); -- moved up, BUG!!! */
		do_something_else();
	}

Now there is no conditional between the load from "a" and the store to
"b", which means that the CPU is within its rights to reorder them:  The
conditional is absolutely required, and must be present in the final
assembly code, after all of the compiler and link-time optimizations
have been applied.  Therefore, if you need ordering in this example,
you must use explicit memory ordering, for example, smp_store_release():

	q = READ_ONCE(a);
	if (q) {
		smp_store_release(&b, 1);
		do_something();
	} else {
		smp_store_release(&b, 1);
		do_something_else();
	}

Without explicit memory ordering, control-dependency-based ordering is
guaranteed only when the stores differ, for example:

	q = READ_ONCE(a);
	if (q) {
		WRITE_ONCE(b, 1);
		do_something();
	} else {
		WRITE_ONCE(b, 2);
		do_something_else();
	}

The initial READ_ONCE() is still required to prevent the compiler from
knowing too much about the value of "a".

But please note that you need to be careful what you do with the local
variable "q", otherwise the compiler might be able to guess the value
and again remove the conditional branch that is absolutely required to
preserve ordering.  For example:

	q = READ_ONCE(a);
	if (q % MAX) {
		WRITE_ONCE(b, 1);
		do_something();
	} else {
		WRITE_ONCE(b, 2);
		do_something_else();
	}

If MAX is compile-time defined to be 1, then the compiler knows that
(q % MAX) must be equal to zero, regardless of the value of "q".
The compiler is therefore within its rights to transform the above code
into the following:

	q = READ_ONCE(a);
	WRITE_ONCE(b, 2);
	do_something_else();

Given this transformation, the CPU is not required to respect the ordering
between the load from variable "a" and the store to variable "b".  It is
tempting to add a barrier(), but this does not help.  The conditional
is gone, and the barrier won't bring it back.  Therefore, if you need
to relying on control dependencies to produce this ordering, you should
make sure that MAX is greater than one, perhaps as follows:

	q = READ_ONCE(a);
	BUILD_BUG_ON(MAX <= 1); /* Order load from a with store to b. */
	if (q % MAX) {
		WRITE_ONCE(b, 1);
		do_something();
	} else {
		WRITE_ONCE(b, 2);
		do_something_else();
	}

Please note once again that each leg of the "if" statement absolutely
must store different values to "b".  As in previous examples, if the two
values were identical, the compiler could pull this store outside of the
"if" statement, destroying the control dependency's ordering properties.

You must also be careful avoid relying too much on boolean short-circuit
evaluation.  Consider this example:

	q = READ_ONCE(a);
	if (q || 1 > 0)
		WRITE_ONCE(b, 1);

Because the first condition cannot fault and the second condition is
always true, the compiler can transform this example as follows, again
destroying the control dependency's ordering:

	q = READ_ONCE(a);
	WRITE_ONCE(b, 1);

This is yet another example showing the importance of preventing the
compiler from out-guessing your code.  Again, although READ_ONCE() really
does force the compiler to emit code for a given load, the compiler is
within its rights to discard the loaded value.

In addition, control dependencies apply only to the then-clause and
else-clause of the "if" statement in question.  In particular, they do
not necessarily order the code following the entire "if" statement:

	q = READ_ONCE(a);
	if (q) {
		WRITE_ONCE(b, 1);
	} else {
		WRITE_ONCE(b, 2);
	}
	WRITE_ONCE(c, 1);  /* BUG: No ordering against the read from "a". */

It is tempting to argue that there in fact is ordering because the
compiler cannot reorder volatile accesses and also cannot reorder
the writes to "b" with the condition.  Unfortunately for this line
of reasoning, the compiler might compile the two writes to "b" as
conditional-move instructions, as in this fanciful pseudo-assembly
language:

	ld r1,a
	cmp r1,$0
	cmov,ne r4,$1
	cmov,eq r4,$2
	st r4,b
	st $1,c

The control dependencies would then extend only to the pair of cmov
instructions and the store depending on them.  This means that a weakly
ordered CPU would have no dependency of any sort between the load from
"a" and the store to "c".  In short, control dependencies provide ordering
only to the stores in the then-clause and else-clause of the "if" statement
in question (including functions invoked by those two clauses), and not
to code following that "if" statement.


In summary:

  (*) Control dependencies can order prior loads against later stores.
      However, they do *not* guarantee any other sort of ordering:
      Not prior loads against later loads, nor prior stores against
      later anything.  If you need these other forms of ordering, use
      smp_load_acquire(), smp_store_release(), or, in the case of prior
      stores and later loads, smp_mb().

  (*) If both legs of the "if" statement contain identical stores to
      the same variable, then you must explicitly order those stores,
      either by preceding both of them with smp_mb() or by using
      smp_store_release().  Please note that it is *not* sufficient to use
      barrier() at beginning and end of each leg of the "if" statement
      because, as shown by the example above, optimizing compilers can
      destroy the control dependency while respecting the letter of the
      barrier() law.

  (*) Control dependencies require at least one run-time conditional
      between the prior load and the subsequent store, and this
      conditional must involve the prior load.  If the compiler is able
      to optimize the conditional away, it will have also optimized
      away the ordering.  Careful use of READ_ONCE() and WRITE_ONCE()
      can help to preserve the needed conditional.

  (*) Control dependencies require that the compiler avoid reordering the
      dependency into nonexistence.  Careful use of READ_ONCE() or
      atomic{,64}_read() can help to preserve your control dependency.

  (*) Control dependencies apply only to the then-clause and else-clause
      of the "if" statement containing the control dependency, including
      any functions that these two clauses call.  Control dependencies
      do *not* apply to code beyond the end of that "if" statement.

  (*) Control dependencies pair normally with other types of barriers.

  (*) Control dependencies do *not* provide multicopy atomicity.  If you
      need all the CPUs to agree on the ordering of a given store against
      all other accesses, use smp_mb().

  (*) Compilers do not understand control dependencies.  It is therefore
      your job to ensure that they do not break your code.
Commit	Line	Data
ebb477cb PM	1	CONTROL DEPENDENCIES
	2	====================
	3
	4	A major difficulty with control dependencies is that current compilers
	5	do not support them. One purpose of this document is therefore to
	6	help you prevent your compiler from breaking your code. However,
	7	control dependencies also pose other challenges, which leads to the
	8	second purpose of this document, namely to help you to avoid breaking
	9	your own code, even in the absence of help from your compiler.
	10
	11	One such challenge is that control dependencies order only later stores.
	12	Therefore, a load-load control dependency will not preserve ordering
	13	unless a read memory barrier is provided. Consider the following code:
	14
	15	q = READ_ONCE(a);
	16	if (q)
	17	p = READ_ONCE(b);
	18
	19	This is not guaranteed to provide any ordering because some types of CPUs
	20	are permitted to predict the result of the load from "b". This prediction
	21	can cause other CPUs to see this load as having happened before the load
	22	from "a". This means that an explicit read barrier is required, for example
	23	as follows:
	24
	25	q = READ_ONCE(a);
	26	if (q) {
	27	smp_rmb();
	28	p = READ_ONCE(b);
	29	}
	30
	31	However, stores are not speculated. This means that ordering is
	32	(usually) guaranteed for load-store control dependencies, as in the
	33	following example:
	34
	35	q = READ_ONCE(a);
	36	if (q)
	37	WRITE_ONCE(b, 1);
	38
	39	Control dependencies can pair with each other and with other types
	40	of ordering. But please note that neither the READ_ONCE() nor the
	41	WRITE_ONCE() are optional. Without the READ_ONCE(), the compiler might
	42	fuse the load from "a" with other loads. Without the WRITE_ONCE(),
	43	the compiler might fuse the store to "b" with other stores. Worse yet,
	44	the compiler might convert the store into a load and a check followed
	45	by a store, and this compiler-generated load would not be ordered by
	46	the control dependency.
	47
	48	Furthermore, if the compiler is able to prove that the value of variable
	49	"a" is always non-zero, it would be well within its rights to optimize
	50	the original example by eliminating the "if" statement as follows:
	51
	52	q = a;
	53	b = 1; /* BUG: Compiler and CPU can both reorder!!! */
	54
	55	So don't leave out either the READ_ONCE() or the WRITE_ONCE().
	56	In particular, although READ_ONCE() does force the compiler to emit a
	57	load, it does not force the compiler to actually use the loaded value.
	58
	59	It is tempting to try use control dependencies to enforce ordering on
	60	identical stores on both branches of the "if" statement as follows:
	61
	62	q = READ_ONCE(a);
	63	if (q) {
	64	barrier();
65	WRITE_ONCE(b, 1);
66	do_something();
67	} else {
68	barrier();
69	WRITE_ONCE(b, 1);
70	do_something_else();
71	}
72
73	Unfortunately, current compilers will transform this as follows at high
74	optimization levels:
75
76	q = READ_ONCE(a);
77	barrier();
78	WRITE_ONCE(b, 1); /* BUG: No ordering vs. load from a!!! */
79	if (q) {
80	/* WRITE_ONCE(b, 1); -- moved up, BUG!!! */
81	do_something();
82	} else {
83	/* WRITE_ONCE(b, 1); -- moved up, BUG!!! */
84	do_something_else();
85	}
86
87	Now there is no conditional between the load from "a" and the store to
88	"b", which means that the CPU is within its rights to reorder them: The
89	conditional is absolutely required, and must be present in the final
90	assembly code, after all of the compiler and link-time optimizations
91	have been applied. Therefore, if you need ordering in this example,
92	you must use explicit memory ordering, for example, smp_store_release():
93
94	q = READ_ONCE(a);
95	if (q) {
96	smp_store_release(&b, 1);
97	do_something();
98	} else {
99	smp_store_release(&b, 1);
100	do_something_else();
101	}
102
103	Without explicit memory ordering, control-dependency-based ordering is
104	guaranteed only when the stores differ, for example:
105
106	q = READ_ONCE(a);
107	if (q) {
108	WRITE_ONCE(b, 1);
109	do_something();
110	} else {
111	WRITE_ONCE(b, 2);
112	do_something_else();
113	}
114
115	The initial READ_ONCE() is still required to prevent the compiler from
116	knowing too much about the value of "a".
117
118	But please note that you need to be careful what you do with the local
119	variable "q", otherwise the compiler might be able to guess the value
120	and again remove the conditional branch that is absolutely required to
121	preserve ordering. For example:
122
123	q = READ_ONCE(a);
124	if (q % MAX) {
125	WRITE_ONCE(b, 1);
126	do_something();
127	} else {
128	WRITE_ONCE(b, 2);
129	do_something_else();
130	}
131
132	If MAX is compile-time defined to be 1, then the compiler knows that
133	(q % MAX) must be equal to zero, regardless of the value of "q".
134	The compiler is therefore within its rights to transform the above code
135	into the following:
136
137	q = READ_ONCE(a);
138	WRITE_ONCE(b, 2);
139	do_something_else();
140
141	Given this transformation, the CPU is not required to respect the ordering
142	between the load from variable "a" and the store to variable "b". It is
143	tempting to add a barrier(), but this does not help. The conditional
144	is gone, and the barrier won't bring it back. Therefore, if you need
145	to relying on control dependencies to produce this ordering, you should
146	make sure that MAX is greater than one, perhaps as follows:
147
148	q = READ_ONCE(a);
149	BUILD_BUG_ON(MAX <= 1); /* Order load from a with store to b. */
150	if (q % MAX) {
151	WRITE_ONCE(b, 1);
152	do_something();
153	} else {
154	WRITE_ONCE(b, 2);
155	do_something_else();
156	}
157
158	Please note once again that each leg of the "if" statement absolutely
159	must store different values to "b". As in previous examples, if the two
160	values were identical, the compiler could pull this store outside of the
161	"if" statement, destroying the control dependency's ordering properties.
162
163	You must also be careful avoid relying too much on boolean short-circuit
164	evaluation. Consider this example:
165
166	q = READ_ONCE(a);
167	if (q \|\| 1 > 0)
168	WRITE_ONCE(b, 1);
169
170	Because the first condition cannot fault and the second condition is
171	always true, the compiler can transform this example as follows, again
172	destroying the control dependency's ordering:
173
174	q = READ_ONCE(a);
175	WRITE_ONCE(b, 1);
176
177	This is yet another example showing the importance of preventing the
178	compiler from out-guessing your code. Again, although READ_ONCE() really
179	does force the compiler to emit code for a given load, the compiler is
180	within its rights to discard the loaded value.
181
182	In addition, control dependencies apply only to the then-clause and
183	else-clause of the "if" statement in question. In particular, they do
184	not necessarily order the code following the entire "if" statement:
185
186	q = READ_ONCE(a);
187	if (q) {
188	WRITE_ONCE(b, 1);
189	} else {
190	WRITE_ONCE(b, 2);
191	}
192	WRITE_ONCE(c, 1); /* BUG: No ordering against the read from "a". */
193
194	It is tempting to argue that there in fact is ordering because the
195	compiler cannot reorder volatile accesses and also cannot reorder
196	the writes to "b" with the condition. Unfortunately for this line
197	of reasoning, the compiler might compile the two writes to "b" as
198	conditional-move instructions, as in this fanciful pseudo-assembly
199	language:
200
201	ld r1,a
202	cmp r1,$0
203	cmov,ne r4,$1
204	cmov,eq r4,$2
205	st r4,b
206	st $1,c
207
208	The control dependencies would then extend only to the pair of cmov
209	instructions and the store depending on them. This means that a weakly
210	ordered CPU would have no dependency of any sort between the load from
211	"a" and the store to "c". In short, control dependencies provide ordering
212	only to the stores in the then-clause and else-clause of the "if" statement
213	in question (including functions invoked by those two clauses), and not
214	to code following that "if" statement.
215
216
217	In summary:
218
219	(*) Control dependencies can order prior loads against later stores.
220	However, they do not guarantee any other sort of ordering:
221	Not prior loads against later loads, nor prior stores against
222	later anything. If you need these other forms of ordering, use
223	smp_load_acquire(), smp_store_release(), or, in the case of prior
224	stores and later loads, smp_mb().
225
226	(*) If both legs of the "if" statement contain identical stores to
227	the same variable, then you must explicitly order those stores,
228	either by preceding both of them with smp_mb() or by using
229	smp_store_release(). Please note that it is not sufficient to use
230	barrier() at beginning and end of each leg of the "if" statement
231	because, as shown by the example above, optimizing compilers can
232	destroy the control dependency while respecting the letter of the
233	barrier() law.
234
235	(*) Control dependencies require at least one run-time conditional
236	between the prior load and the subsequent store, and this
237	conditional must involve the prior load. If the compiler is able
238	to optimize the conditional away, it will have also optimized
239	away the ordering. Careful use of READ_ONCE() and WRITE_ONCE()
240	can help to preserve the needed conditional.
241
242	(*) Control dependencies require that the compiler avoid reordering the
243	dependency into nonexistence. Careful use of READ_ONCE() or
244	atomic{,64}_read() can help to preserve your control dependency.
245
246	(*) Control dependencies apply only to the then-clause and else-clause
247	of the "if" statement containing the control dependency, including
248	any functions that these two clauses call. Control dependencies
249	do not apply to code beyond the end of that "if" statement.
250
251	(*) Control dependencies pair normally with other types of barriers.
252
253	() Control dependencies do not* provide multicopy atomicity. If you
254	need all the CPUs to agree on the ordering of a given store against
255	all other accesses, use smp_mb().
256
257	(*) Compilers do not understand control dependencies. It is therefore
258	your job to ensure that they do not break your code.