public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "luke.geeson at cs dot ucl.ac.uk" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug translation/111235] New: [Armv7-a]: Control-dependency between atomic accesses removed by -O1.
Date: Wed, 30 Aug 2023 09:42:04 +0000 [thread overview]
Message-ID: <bug-111235-4@http.gcc.gnu.org/bugzilla/> (raw)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111235
Bug ID: 111235
Summary: [Armv7-a]: Control-dependency between atomic accesses
removed by -O1.
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: translation
Assignee: unassigned at gcc dot gnu.org
Reporter: luke.geeson at cs dot ucl.ac.uk
Target Milestone: ---
Consider the following litmus test that captures bad behaviour:
```
C test
{ *x = 0; *y = 0; } // fixed initial state where x and y are 0
// Concurrent threads
P0 (atomic_int* y,int* x) {
int r0 = *x;
if (r0 == 1) {
atomic_store_explicit(y,1,memory_order_relaxed);
}
}
P1 (atomic_int* y,int* x) {
int r0 = atomic_load_explicit(y,memory_order_acquire);
*x = 1;
}
// predicate over final state - does this outcome occur?
exists (P0:r0=1 /\ P1:r0=1)
```
where 'P0:r0 = 0' means thread P0, local variable r0 has value 0.
When simulating this test under the C/C++ model from its initial state, the
outcome of execution in the exists clause is forbidden by the source model. The
allowed outcomes are:
```
{P0:r0=0; P1:r0=0;}
{P0:r0=1; P1:r0=0;}
```
When compiling to target armv7-a using either GCC or LLVM trunk
(https://godbolt.org/z/nxWTbEfK1), the compiled program has the following
outcomes when simulated under the armv7 model:
```
{P0:r0=0; P1:r0=0;}
{P0:r0=1; P1:r0=0;}
{P0:r0=1; P1:r0=1;} <--- forbidden by source model, bug!
```
Since the `CMP;MOVEQ r1, #1;STREQ` sequence is predicated on the result of
CMP, but the STREQ can be reordered before the LDR of x on thread P0, allowing
the outcome {P0:r0=1; P1:r0=1;}.
The issue is that the control dependency between the load and store on P0 has
been removed by the compiler. Both GCC and LLVM produce the following (replace
symbolic registers e.g. %P0_x with concrete registers containing x).
```
ARM test
{ [P0_r0]=0;[P1_r0]=0;[x]=0;[y]=0;
%P0_P0_r0=P0_r0;%P0_x=x;%P0_y=y;
%P1_P1_r0=P1_r0;%P1_x=x;%P1_y=y }
(*****************************************************************)
(* the Telechat toolsuite *)
(* *)
(* Luke Geeson, University College London, UK. *)
(* gcc -O1 -march=armv7-a -pthread --std=c11 -marm -fno-section-anchors*)
(* *)
(*****************************************************************)
P0 | P1 ;
LDR R2,[%P0_x] | LDR R2,[%P1_y] ;
CMP R2,#1 | DMB ISH ;
MOVEQ R1,#1 | MOV R1,#1 ;
STREQ R1,[%P0_y] | STR R1,[%P1_x] ;
STR R2,[%P0_P0_r0] | STR R2,[%P1_P1_r0] ;
BX LR | BX LR ;
exists (P0_r0=1 /\ P1_r0=1) <--- yes, allowed by arm.cat, bug!
```
The forbidden {P0:r0=1; P1:r0=1;} behaviour disappears in GCC when optimising
using -O2 or above, since R2 is reused in the STREQ when the EQ condition holds
- a data dependency masks the loss of the control dependency. This buggy
behaviour remains in clang -O2 and above however
(https://godbolt.org/z/hGv7P3vGW).
To fix this - mark relaxed atomic load/stores as not predicated, and ideally
use an explicit branch to enforce the control dependency so that it is not
lost:
```
ARM test-fixed
{ [P0_r0]=0;[P1_r0]=0;[x]=0;[y]=0;
%P0_P0_r0=P0_r0;%P0_x=x;%P0_y=y;
%P1_P1_r0=P1_r0;%P1_x=x;%P1_y=y }
P0 | P1 ;
LDR R0,[%P0_x] | MOV R2,#1 ;
CMP R0,#1 | LDR R0,[%P1_y] ;
BNE L0x2c | DMB ISH ;
MOV R2,#1 | STR R2,[%P1_x] ;
STR R2,[%P0_y] | STR R0,[%P1_P1_r0] ;
L0x2c: | ;
STR R0,[%P0_P0_r0] | ;
exists (P0_r0=1 /\ P1_r0=1)
```
This prevents the buggy behaviour.
We will follow up by reporting the bug for GCC.
next reply other threads:[~2023-08-30 9:42 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-30 9:42 luke.geeson at cs dot ucl.ac.uk [this message]
2023-08-30 9:42 ` [Bug translation/111235] " luke.geeson at cs dot ucl.ac.uk
2023-10-02 15:07 ` [Bug target/111235] " cvs-commit at gcc dot gnu.org
2023-10-02 15:39 ` sjames at gcc dot gnu.org
2023-10-03 13:19 ` luke.geeson at cs dot ucl.ac.uk
2023-10-25 16:10 ` luke.geeson at cs dot ucl.ac.uk
2023-10-31 16:42 ` wilco at gcc dot gnu.org
2023-10-31 16:48 ` sjames at gcc dot gnu.org
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-111235-4@http.gcc.gnu.org/bugzilla/ \
--to=gcc-bugzilla@gcc.gnu.org \
--cc=gcc-bugs@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).