Path: blob/master/tools/memory-model/Documentation/control-dependencies.txt
26282 views
CONTROL DEPENDENCIES1====================23A major difficulty with control dependencies is that current compilers4do not support them. One purpose of this document is therefore to5help you prevent your compiler from breaking your code. However,6control dependencies also pose other challenges, which leads to the7second purpose of this document, namely to help you to avoid breaking8your own code, even in the absence of help from your compiler.910One such challenge is that control dependencies order only later stores.11Therefore, a load-load control dependency will not preserve ordering12unless a read memory barrier is provided. Consider the following code:1314q = READ_ONCE(a);15if (q)16p = READ_ONCE(b);1718This is not guaranteed to provide any ordering because some types of CPUs19are permitted to predict the result of the load from "b". This prediction20can cause other CPUs to see this load as having happened before the load21from "a". This means that an explicit read barrier is required, for example22as follows:2324q = READ_ONCE(a);25if (q) {26smp_rmb();27p = READ_ONCE(b);28}2930However, stores are not speculated. This means that ordering is31(usually) guaranteed for load-store control dependencies, as in the32following example:3334q = READ_ONCE(a);35if (q)36WRITE_ONCE(b, 1);3738Control dependencies can pair with each other and with other types39of ordering. But please note that neither the READ_ONCE() nor the40WRITE_ONCE() are optional. Without the READ_ONCE(), the compiler might41fuse the load from "a" with other loads. Without the WRITE_ONCE(),42the compiler might fuse the store to "b" with other stores. Worse yet,43the compiler might convert the store into a load and a check followed44by a store, and this compiler-generated load would not be ordered by45the control dependency.4647Furthermore, if the compiler is able to prove that the value of variable48"a" is always non-zero, it would be well within its rights to optimize49the original example by eliminating the "if" statement as follows:5051q = a;52b = 1; /* BUG: Compiler and CPU can both reorder!!! */5354So don't leave out either the READ_ONCE() or the WRITE_ONCE().55In particular, although READ_ONCE() does force the compiler to emit a56load, it does *not* force the compiler to actually use the loaded value.5758It is tempting to try use control dependencies to enforce ordering on59identical stores on both branches of the "if" statement as follows:6061q = READ_ONCE(a);62if (q) {63barrier();64WRITE_ONCE(b, 1);65do_something();66} else {67barrier();68WRITE_ONCE(b, 1);69do_something_else();70}7172Unfortunately, current compilers will transform this as follows at high73optimization levels:7475q = READ_ONCE(a);76barrier();77WRITE_ONCE(b, 1); /* BUG: No ordering vs. load from a!!! */78if (q) {79/* WRITE_ONCE(b, 1); -- moved up, BUG!!! */80do_something();81} else {82/* WRITE_ONCE(b, 1); -- moved up, BUG!!! */83do_something_else();84}8586Now there is no conditional between the load from "a" and the store to87"b", which means that the CPU is within its rights to reorder them: The88conditional is absolutely required, and must be present in the final89assembly code, after all of the compiler and link-time optimizations90have been applied. Therefore, if you need ordering in this example,91you must use explicit memory ordering, for example, smp_store_release():9293q = READ_ONCE(a);94if (q) {95smp_store_release(&b, 1);96do_something();97} else {98smp_store_release(&b, 1);99do_something_else();100}101102Without explicit memory ordering, control-dependency-based ordering is103guaranteed only when the stores differ, for example:104105q = READ_ONCE(a);106if (q) {107WRITE_ONCE(b, 1);108do_something();109} else {110WRITE_ONCE(b, 2);111do_something_else();112}113114The initial READ_ONCE() is still required to prevent the compiler from115knowing too much about the value of "a".116117But please note that you need to be careful what you do with the local118variable "q", otherwise the compiler might be able to guess the value119and again remove the conditional branch that is absolutely required to120preserve ordering. For example:121122q = READ_ONCE(a);123if (q % MAX) {124WRITE_ONCE(b, 1);125do_something();126} else {127WRITE_ONCE(b, 2);128do_something_else();129}130131If MAX is compile-time defined to be 1, then the compiler knows that132(q % MAX) must be equal to zero, regardless of the value of "q".133The compiler is therefore within its rights to transform the above code134into the following:135136q = READ_ONCE(a);137WRITE_ONCE(b, 2);138do_something_else();139140Given this transformation, the CPU is not required to respect the ordering141between the load from variable "a" and the store to variable "b". It is142tempting to add a barrier(), but this does not help. The conditional143is gone, and the barrier won't bring it back. Therefore, if you need144to relying on control dependencies to produce this ordering, you should145make sure that MAX is greater than one, perhaps as follows:146147q = READ_ONCE(a);148BUILD_BUG_ON(MAX <= 1); /* Order load from a with store to b. */149if (q % MAX) {150WRITE_ONCE(b, 1);151do_something();152} else {153WRITE_ONCE(b, 2);154do_something_else();155}156157Please note once again that each leg of the "if" statement absolutely158must store different values to "b". As in previous examples, if the two159values were identical, the compiler could pull this store outside of the160"if" statement, destroying the control dependency's ordering properties.161162You must also be careful avoid relying too much on boolean short-circuit163evaluation. Consider this example:164165q = READ_ONCE(a);166if (q || 1 > 0)167WRITE_ONCE(b, 1);168169Because the first condition cannot fault and the second condition is170always true, the compiler can transform this example as follows, again171destroying the control dependency's ordering:172173q = READ_ONCE(a);174WRITE_ONCE(b, 1);175176This is yet another example showing the importance of preventing the177compiler from out-guessing your code. Again, although READ_ONCE() really178does force the compiler to emit code for a given load, the compiler is179within its rights to discard the loaded value.180181In addition, control dependencies apply only to the then-clause and182else-clause of the "if" statement in question. In particular, they do183not necessarily order the code following the entire "if" statement:184185q = READ_ONCE(a);186if (q) {187WRITE_ONCE(b, 1);188} else {189WRITE_ONCE(b, 2);190}191WRITE_ONCE(c, 1); /* BUG: No ordering against the read from "a". */192193It is tempting to argue that there in fact is ordering because the194compiler cannot reorder volatile accesses and also cannot reorder195the writes to "b" with the condition. Unfortunately for this line196of reasoning, the compiler might compile the two writes to "b" as197conditional-move instructions, as in this fanciful pseudo-assembly198language:199200ld r1,a201cmp r1,$0202cmov,ne r4,$1203cmov,eq r4,$2204st r4,b205st $1,c206207The control dependencies would then extend only to the pair of cmov208instructions and the store depending on them. This means that a weakly209ordered CPU would have no dependency of any sort between the load from210"a" and the store to "c". In short, control dependencies provide ordering211only to the stores in the then-clause and else-clause of the "if" statement212in question (including functions invoked by those two clauses), and not213to code following that "if" statement.214215216In summary:217218(*) Control dependencies can order prior loads against later stores.219However, they do *not* guarantee any other sort of ordering:220Not prior loads against later loads, nor prior stores against221later anything. If you need these other forms of ordering, use222smp_load_acquire(), smp_store_release(), or, in the case of prior223stores and later loads, smp_mb().224225(*) If both legs of the "if" statement contain identical stores to226the same variable, then you must explicitly order those stores,227either by preceding both of them with smp_mb() or by using228smp_store_release(). Please note that it is *not* sufficient to use229barrier() at beginning and end of each leg of the "if" statement230because, as shown by the example above, optimizing compilers can231destroy the control dependency while respecting the letter of the232barrier() law.233234(*) Control dependencies require at least one run-time conditional235between the prior load and the subsequent store, and this236conditional must involve the prior load. If the compiler is able237to optimize the conditional away, it will have also optimized238away the ordering. Careful use of READ_ONCE() and WRITE_ONCE()239can help to preserve the needed conditional.240241(*) Control dependencies require that the compiler avoid reordering the242dependency into nonexistence. Careful use of READ_ONCE() or243atomic{,64}_read() can help to preserve your control dependency.244245(*) Control dependencies apply only to the then-clause and else-clause246of the "if" statement containing the control dependency, including247any functions that these two clauses call. Control dependencies248do *not* apply to code beyond the end of that "if" statement.249250(*) Control dependencies pair normally with other types of barriers.251252(*) Control dependencies do *not* provide multicopy atomicity. If you253need all the CPUs to agree on the ordering of a given store against254all other accesses, use smp_mb().255256(*) Compilers do not understand control dependencies. It is therefore257your job to ensure that they do not break your code.258259260