base: memory barriers in lock implementations

The memory barrier prevents the compiler from changing the program order
of memory accesses in such a way that accesses to the guarded resource
get outside the guarded stage. As cmpxchg() defines the start of the
guarded stage it also represents an effective memory barrier.

On x86, the architecture ensures to not reorder writes with older reads,
writes to memory with other writes (except in cases that are not
relevant for our locks), or read/write instructions with I/O
instructions, locked instructions, and serializing instructions.

However on ARM, the architectural memory model allows not only that
memory accesses take local effect in another order as their program
order but also that different observers (components that can access
memory like data-busses, TLBs and branch predictors) observe these
effects each in another order. Thus, a correct program order isn't
sufficient for a correct observation order. An additional architectural
preservation of the memory barrier is needed to achieve this.

Fixes #692
This commit is contained in:
Martin Stein 2014-11-14 10:44:56 +01:00 committed by Christian Helmuth
parent d452f37c25
commit ec6c19a487
12 changed files with 163 additions and 9 deletions

View File

@ -14,6 +14,7 @@
/* Genode includes */ /* Genode includes */
#include <base/cancelable_lock.h> #include <base/cancelable_lock.h>
#include <cpu/atomic.h> #include <cpu/atomic.h>
#include <cpu/memory_barrier.h>
#include <base/printf.h> #include <base/printf.h>
/* L4/Fiasco includes */ /* L4/Fiasco includes */
@ -46,5 +47,6 @@ void Cancelable_lock::lock()
void Cancelable_lock::unlock() void Cancelable_lock::unlock()
{ {
Genode::memory_barrier();
_lock = UNLOCKED; _lock = UNLOCKED;
} }

View File

@ -17,6 +17,7 @@
/* Genode includes */ /* Genode includes */
#include <cpu/atomic.h> #include <cpu/atomic.h>
#include <cpu/memory_barrier.h>
/* core includes */ /* core includes */
#include <kernel/early_translations.h> #include <kernel/early_translations.h>
@ -49,11 +50,6 @@ class Kernel::Lock
int volatile _locked; int volatile _locked;
/**
* Finish all previously started memory transactions
*/
void _memory_barrier() { asm volatile ("" : : : "memory"); }
public: public:
Lock() : _locked(0) { } Lock() : _locked(0) { }
@ -68,7 +64,7 @@ class Kernel::Lock
*/ */
void unlock() void unlock()
{ {
_memory_barrier(); Genode::memory_barrier();
_locked = 0; _locked = 0;
} }

View File

@ -16,6 +16,7 @@
/* Genode includes */ /* Genode includes */
#include <cpu/atomic.h> #include <cpu/atomic.h>
#include <cpu/memory_barrier.h>
#include <base/thread.h> #include <base/thread.h>
/* local includes */ /* local includes */
@ -89,7 +90,7 @@ static inline void spinlock_unlock(volatile T *lock_variable)
if (utcb) { if (utcb) {
utcb->tls = (((utcb->tls & COUNTER_MASK) + 4) % 4096) & COUNTER_MASK; utcb->tls = (((utcb->tls & COUNTER_MASK) + 4) % 4096) & COUNTER_MASK;
/* take care that compiler generates code that writes tls to memory */ /* take care that compiler generates code that writes tls to memory */
asm volatile ("":::"memory"); Genode::memory_barrier();
} }
/* /*

View File

@ -15,6 +15,8 @@
#ifndef _INCLUDE__ARM__CPU__ATOMIC_H_ #ifndef _INCLUDE__ARM__CPU__ATOMIC_H_
#define _INCLUDE__ARM__CPU__ATOMIC_H_ #define _INCLUDE__ARM__CPU__ATOMIC_H_
#include <cpu/memory_barrier.h>
namespace Genode { namespace Genode {
/** /**
@ -25,6 +27,8 @@ namespace Genode {
* both values are different, the value at dest remains * both values are different, the value at dest remains
* unchanged. * unchanged.
* *
* Note, that cmpxchg() represents a memory barrier.
*
* \return 1 if the value was successfully changed to new_val, * \return 1 if the value was successfully changed to new_val,
* 0 if cmp_val and the value at dest differ. * 0 if cmp_val and the value at dest differ.
*/ */
@ -47,6 +51,7 @@ namespace Genode {
: "=&r" (not_exclusive), "=&r" (equal) : "=&r" (not_exclusive), "=&r" (equal)
: "r" (dest), "r" (cmp_val), "r" (new_val) : "r" (dest), "r" (cmp_val), "r" (new_val)
: "cc"); : "cc");
Genode::memory_barrier();
return equal && !not_exclusive; return equal && !not_exclusive;
} }
} }

View File

@ -0,0 +1,32 @@
/*
* \brief Memory barrier
* \author Martin Stein
* \date 2014-11-12
*
* The memory barrier prevents memory accesses from being reordered in such a
* way that accesses to the guarded resource get outside the guarded stage. As
* cmpxchg() defines the start of the guarded stage it also represents an
* effective memory barrier.
*
* Note, we assume a compiler-memory barrier is sufficient on ARMv5.
*/
/*
* Copyright (C) 2014 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU General Public License version 2.
*/
#ifndef _INCLUDE__ARM_V5__CPU__MEMORY_BARRIER_H_
#define _INCLUDE__ARM_V5__CPU__MEMORY_BARRIER_H_
namespace Genode {
static inline void memory_barrier()
{
asm volatile ("" ::: "memory");
}
}
#endif /* _INCLUDE__ARM_V5__CPU__MEMORY_BARRIER_H_ */

View File

@ -0,0 +1,38 @@
/*
* \brief Memory barrier
* \author Martin Stein
* \date 2014-11-12
*
* The memory barrier prevents memory accesses from being reordered in such a
* way that accesses to the guarded resource get outside the guarded stage. As
* cmpxchg() defines the start of the guarded stage it also represents an
* effective memory barrier.
*
* On ARM, the architectural memory model allows not only that memory accesses
* take local effect in another order as their program order but also that
* different observers (components that can access memory like data-busses,
* TLBs and branch predictors) observe these effects each in another order.
* Thus, achieving a correct program order via a compiler memory-barrier isn't
* sufficient for a correct observation order. An additional architectural
* preservation of the memory barrier is needed.
*/
/*
* Copyright (C) 2014 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU General Public License version 2.
*/
#ifndef _INCLUDE__ARM_V6__CPU__MEMORY_BARRIER_H_
#define _INCLUDE__ARM_V6__CPU__MEMORY_BARRIER_H_
namespace Genode {
static inline void memory_barrier()
{
asm volatile ("mcr p15, 0, r0, c7, c10, 5" ::: "memory");
}
}
#endif /* _INCLUDE__ARM_V6__CPU__MEMORY_BARRIER_H_ */

View File

@ -0,0 +1,38 @@
/*
* \brief Memory barrier
* \author Martin Stein
* \date 2014-11-12
*
* The memory barrier prevents memory accesses from being reordered in such a
* way that accesses to the guarded resource get outside the guarded stage. As
* cmpxchg() defines the start of the guarded stage it also represents an
* effective memory barrier.
*
* On ARM, the architectural memory model allows not only that memory accesses
* take local effect in another order as their program order but also that
* different observers (components that can access memory like data-busses,
* TLBs and branch predictors) observe these effects each in another order.
* Thus, achieving a correct program order via a compiler memory-barrier isn't
* sufficient for a correct observation order. An additional architectural
* preservation of the memory barrier is needed.
*/
/*
* Copyright (C) 2014 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU General Public License version 2.
*/
#ifndef _INCLUDE__ARM_V7__CPU__MEMORY_BARRIER_H_
#define _INCLUDE__ARM_V7__CPU__MEMORY_BARRIER_H_
namespace Genode {
static inline void memory_barrier()
{
asm volatile ("dmb" ::: "memory");
}
}
#endif /* _INCLUDE__ARM_V7__CPU__MEMORY_BARRIER_H_ */

View File

@ -26,6 +26,8 @@ namespace Genode {
* both values are different, the value at dest remains * both values are different, the value at dest remains
* unchanged. * unchanged.
* *
* Note, that cmpxchg() represents a memory barrier.
*
* \return 1 if the value was successfully changed to new_val, * \return 1 if the value was successfully changed to new_val,
* 0 if cmp_val and the value at dest differ. * 0 if cmp_val and the value at dest differ.
*/ */

View File

@ -0,0 +1,36 @@
/*
* \brief Memory barrier
* \author Martin Stein
* \date 2014-11-12
*
* The memory barrier prevents memory accesses from being reordered in such a
* way that accesses to the guarded resource get outside the guarded stage. As
* cmpxchg() defines the start of the guarded stage it also represents an
* effective memory barrier.
*
* On x86, the architecture ensures to not reorder writes with older reads,
* writes to memory with other writes (except in cases that are not relevant
* for our locks), or read/write instructions with I/O instructions, locked
* instructions, and serializing instructions. Thus, a compiler memory-barrier
* is sufficient.
*/
/*
* Copyright (C) 2014 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU General Public License version 2.
*/
#ifndef _INCLUDE__X86__CPU__MEMORY_BARRIER_H_
#define _INCLUDE__X86__CPU__MEMORY_BARRIER_H_
namespace Genode {
static inline void memory_barrier()
{
asm volatile ("" ::: "memory");
}
}
#endif /* _INCLUDE__X86__CPU__MEMORY_BARRIER_H_ */

View File

@ -1,5 +1,8 @@
SPECS += arm SPECS += arm
# add repository relative include paths
REP_INC_DIR += include/arm_v5
# #
# Configure target CPU # Configure target CPU
# #

View File

@ -13,6 +13,7 @@
/* Genode includes */ /* Genode includes */
#include <base/cancelable_lock.h> #include <base/cancelable_lock.h>
#include <cpu/memory_barrier.h>
/* local includes */ /* local includes */
#include <spin_lock.h> #include <spin_lock.h>

View File

@ -17,6 +17,7 @@
/* Genode includes */ /* Genode includes */
#include <cpu/atomic.h> #include <cpu/atomic.h>
#include <cpu/memory_barrier.h>
/* local includes */ /* local includes */
#include <lock_helper.h> #include <lock_helper.h>
@ -29,7 +30,6 @@
enum State { SPINLOCK_LOCKED, SPINLOCK_UNLOCKED }; enum State { SPINLOCK_LOCKED, SPINLOCK_UNLOCKED };
static inline void memory_barrier() { asm volatile ("" : : : "memory"); }
static inline void spinlock_lock(volatile int *lock_variable) static inline void spinlock_lock(volatile int *lock_variable)
{ {
@ -46,7 +46,7 @@ static inline void spinlock_lock(volatile int *lock_variable)
static inline void spinlock_unlock(volatile int *lock_variable) static inline void spinlock_unlock(volatile int *lock_variable)
{ {
/* make sure all got written by compiler before releasing lock */ /* make sure all got written by compiler before releasing lock */
memory_barrier(); Genode::memory_barrier();
*lock_variable = SPINLOCK_UNLOCKED; *lock_variable = SPINLOCK_UNLOCKED;
} }