THE SEMANTICS OF TRANSACTIONS AND WEAK MEMORY

IN X86, POWER, ARM, AND C++

Tyler Sorensen Princeton University

John Wickerson Imperial College London

Nathan Chong Arm Ltd.

USENIX Annual Technical Conference, 11 July 2019

WEAK MEMORY

!2

8 > > > > > > > < > > > > > > > :SC

8 > > > > > > > > > > > > < > > > > > > > > > > > > :x86

r0=1r1=0

r0=0r1=1

r0=1r1=1

r0=0r1=0

MOV [x] 1 MOV [y] 1

MOV r0 [y] MOV r1 [x]

WEAK MEMORY

!3

8 > > > > > > > < > > > > > > > :SC

8 > > > > > > > > > > > > < > > > > > > > > > > > > :x86

r0=1r1=0

r0=0r1=1

r0=1r1=1

r0=0r1=0

MOV [x] 1 MOV [y] 1

MOV r0 [y] MOV r1 [x]

WEAK MEMORY IS HARD!

• x86 proved tricky to formalise correctly [Sarkar et al., POPL'09; Owens et al., TPHOLs'09]

• Bug found in deployed "Power 5" processors [Alglave et al., CAV'10]

• C++ specification did not guarantee its own key property [Batty et al., POPL'11]

• Routine compiler optimisations are invalid under Java and C++ memory models [Sevcik, PLDI'11; Vafeiadis et al. POPL'15]

• Behaviour of NVIDIA graphics processors contradicted NVIDIA's programming guide [Alglave et al., ASPLOS'15]

!4

MODELLING WEAK MEMORY

!5

MOV [x] 1 MOV [y] 1

MOV r0 [y] MOV r1 [x]

r0=1 r1=1

W x 1

R y 1

W y 1

R x 1

rf

rfpo po

W x 1

R y 0

W y 1

R x 1po po

rffr

W x 1

R y 1

W y 1

R x 0po

rfpo

fr

W x 1

R y 0

W y 1

R x 0po po

fr

fr

x86:

SC:

x86:

SC:

x86:

SC:

x86:

SC:

r0=0 r1=1 r0=1 r1=0 r0=0 r1=0

TRANSACTIONAL MEMORY

!6

• X86: XBEGIN

...

XEND

• Power: tbegin ...

tend

• ARM: tstart

...

tcommit

• C++: atomic {

...

}

WEAK MEMORY + TM = ?

!7

r0=1r1=0

r0=0r1=1

r0=1r1=1

r0=0r1=0

MOV [x] 1MOV r0 [y]

MOV [y] 1MOV r1 [x]

XBEGIN

XEND

XBEGIN

XEND

8 > > > > > > > < > > > > > > > :SC

8 > > > > > > > > > > > > < > > > > > > > > > > > > :x86

WEAK MEMORY + TM = ?

!8

8 > > > > > > > < > > > > > > > :SC

8 > > > > > > > > > > > > < > > > > > > > > > > > > :x86

r0=1r1=0

r0=0r1=1

r0=1r1=1

r0=0r1=0

MOV [x] 1MOV r0 [y]

MOV [y] 1MOV r1 [x]

8 > > > > > > > < > > > > > > > :

transactional SC

XBEGIN

XEND

XBEGIN

XEND

BUILDING OUR MODELS

!9

x86:

Power:

ARM:

C++:

VALIDATING OUR MODELS

!10

1. Consult architecture manuals.

2. Interview engineers.

3. Check models have reasonable mathematical properties (e.g. adding/extending/coalescing transactions is safe).

4. Check that models validate existing compiler mappings.

5. Generate conformance tests and run them on hardware.

VALIDATING OUR MODELS

!11

x86

Num

ber o

f tes

ts

0

100

200

300

400

Test size (instructions)

2 3 4 5 6 7

Power

Num

ber o

f tes

ts

0

250

500

750

1000

Test size (instructions)

2 3 4 5 6

Behaviours that must be forbidden

VALIDATING OUR MODELS

!12

x86

Num

ber o

f tes

ts

0

750

1500

2250

3000

Test size (instructions)

2 3 4 5 6 7

Behaviours that should be allowed

Power

Num

ber o

f tes

ts

0

1500

3000

4500

6000

Test size (instructions)

2 3 4 5 6

USING OUR MODELS

LOCK ELISION

!14

lock()X = X + 2unlock()

lock()X = 1unlock()

LOCK ELISION

!15

lock()ldr W5,[X]add W5,W5,#2str W5,[X]unlock()

lock()mov W7,#1str W7,[X]unlock()

LOCK ELISION

!16

lock()mov W7,#1str W7,[X]unlock()

Loop:ldaxr W2,[M]cbnz W2,Loopmov W3,#1stxr W4,W3,[M]cbnz W4,Loopldr W5,[X]add W5,W5,#2str W5,[X]stlr WZR,[M]

LOCK ELISION

!17

Loop:ldaxr W2,[M]cbnz W2,Loopmov W3,#1stxr W4,W3,[M]cbnz W4,Loopldr W5,[X]add W5,W5,#2str W5,[X]stlr WZR,[M]

tstartldr W6,[M]cbz W6,L1tcancelL1:mov W7,#1str W7,[X]tcommit

LOCK ELISION

!18

CONCLUSION

• Weak memory is pervasive, and transactional memory is entering the mainstream.

• We have designed and validated formal models of how these features interact in x86, Power, ARM, and C++.

• Weak memory + transactions + lock elision = tricky!

!19

THE SEMANTICS OF TRANSACTIONS AND WEAK MEMORY

IN X86, POWER, ARM, AND C++

Tyler Sorensen Princeton University

John Wickerson Imperial College London

Nathan Chong Arm Ltd.

USENIX Annual Technical Conference, 11 July 2019