Separation of concerning things: a simpler basis for defining and programming with the C/C++ memory model (extended version)

A key concept underpinning both processor pipelines and compiler transformations is that of data dependencies, where one instruction depends on a value being calculated by another. To capture this we write $\alpha\rightsquigarrow\beta$ if instruction $\beta$ depends on a value that instruction $\alpha$ writes to. We define a range of foundational syntactic and semantic concepts below. In a concurrent setting we distinguish between local and shared variables, that is, the set ${\sf Var}$ is divided into two mutually exclusive and exhaustive sets ${\sf Local}$ and ${\sf Shared}$. By convention we let $x,y,z$ be shared variables and $r,r_{\_}1,r_{\_}2\ldots$ be local variables. For convenience we introduce the syntax $s_{\_}1\mathbin{\not\!\!\hskip 0.5pt\cap}s_{\_}2$ to mean that sets $s_{\_}1$ and $s_{\_}2$ are mutually exclusive.

The write variables of instructions (written ${\sf wv}(\alpha)$) are collected syntactically (2.8), as are the read variables (written ${\sf rv}(\alpha)$) (2.9), which depend on the usual notion of the free variables in an expression (written ${\sf fv}(e)$, defined straightforwardly over the syntax of expressions). The free variables of an instruction are the union of the write and read variables (2.10). Shared and local variables have different requirements from a reordering perspective and so we introduce specialisations of these concepts to just the shared variables (2.11). We define “store” instructions ($\mathbb{S}$) as those that write to a shared variable, and “load” instructions ($\mathbb{L}$) as those that read shared variables (and hence an instruction such as $x\mathop{{:}{=}}y$ is both a store and a load).

Using these definitions we can describe various relationships between actions. One of the key notions is that of “data dependence”, where we write $\alpha\rightsquigarrow\beta$ if instruction $\beta$ references a variable being modified by instruction $\alpha$ (2.13) (and similarly we write $\alpha\,\,\mathop{\not\!\rightsquigarrow}\,\beta$ if there is no data dependence (2.14)). For instance, $x\mathop{{:}{=}}1\rightsquigarrow r\mathop{{:}{=}}x$ but $x\mathop{{:}{=}}1\,\,\mathop{\not\!\rightsquigarrow}\,r\mathop{{:}{=}}y$. The former can be expressed as $x\mathop{{:}{=}}1$ “carries a dependency into” $r\mathop{{:}{=}}x$. Two instructions are interference free if there is no data dependence in either direction, and they write to different variables (2.2.1).²²2 This is a well-known property, the earliest example being Hoare’s disjointness (Hoare, 1972, 2002; Apt and Olderog, 2019), and is also called non-interference in separation logic (Brookes, 2007). This condition, formally discussed since the 1960’s, is remarkably powerful for explaining the majority of observed behaviours of basic instructions types on modern hardware, although this author did not find evidence of cross-over in older references ((Thornton, 1964; Tomasulo, 1967), etc). Note that instructions that are interference-free may still load the same variables; we say they are load independent if they access distinct shared variables (2.16). Finally, two instructions are “order independent” if the effect of executing them is independent of the execution order (2.21). The “effect” function ${\sf eff}(\alpha)$ denotes actions as a set of pairs of states in the usual imperative style (defined later in Fig. 4), using ‘$\mathbin{\raise 2.58334pt\hbox{\oalign{\hfil$\scriptscriptstyle\mathrm{o}$\hfil\cr\hfil$\scriptscriptstyle\mathrm{9}$\hfil}}}$’ for relational composition. Note that order-independence is a weaker condition than non-interference, for example, $x\mathop{{:}{=}}1$ and $x\mathop{{:}{=}}1$ are order-independent but not interference-free. All of these definitions or concepts defined for instructions can be lifted straightforwardly to commands by induction on the syntax (see Appendix A).

The key aspect of interference-freedom is the following.

We say $\beta$ may be reordered before $\alpha$ with respect to sequential semantics, written $\alpha\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{g}}}}}}\beta$, if they are interference-free and load-independent; the latter constraint maintains coherence of loads.

A syntactic check may be used to validate $\alpha\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{g}}}}}}\beta$. Of course one could do a semantic check to establish the weaker property of order-independence, however this is typically not done on a case-by-case basis but rather is used to justify compiler transformations. It is not feasible to check order independence directly for all cases.

We can derive the following, where we assume $x,y\in{\sf Shared}$, $r,r_{\_}1,r_{\_}2\in{\sf Local}$, and all are distinct, and $v,w\in{\sf Val}$. We write $\alpha\mathrel{{\color[rgb]{1.,0.,0.}\ooalign{\hss{/\hss}\cr{$\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{g}}}}$}}}}\beta$ if $\neg(\alpha\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{g}}}}}}\beta)$.

This shows that independent stores can be reordered, but not stores to the same variable (2.25); similarly independent stores and loads can be reordered, as can loads, provided they are not referencing the same (shared) variable ((2.28) and (2.31)). Accesses of the same local variable, however, can be reordered (2.32), since no interference is possible. Finally, stores can be reordered before (independent) guards (2.33). Since, as we show later, guards model branch points, this is a significant aspect of c. For hardware weak memory models (2.33) is not allowed, as it implies a “speculative” write that may not be valid if $r=v$ is eventually found not to hold; however at compile-time whether a branch condition will eventually hold may be able to be predetermined.

Since the reorderings allowed by weak memory models may be problematic for establishing communication protocols between processes such models typically have their own “fence” instruction types, which are artificial constraints on reordering (as opposed to the “natural” data-dependence constraint). C has fences specifically to establish order between stores, between loads, or between either type. We define $\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{fnc}}}}}}$ below, relating fences and instructions.

Eq. (2.36) states that a store fence blocks store instructions (recall (2.12)), while (2.39) similarly states that load fences block loads. Eq. (2.42) states that a “full” fence blocks all instruction types.

We use this base definition to define when two instructions can be reordered according to their respective fences (lifting the relation name $\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{fnc}}}}}}$).

where $|\!\alpha\!|$ extracts the fences present in $\alpha$, i.e.,

Hence $\alpha$ and $\beta$ can be reordered (considering fences only) if they each respect the others’ fences. Note that all C fences are defined symmetrically so we simply check the pair in each direction.³³3 For asymmetric fences, such as Arm’s isb instruction, both directions need to be specified (Colvin, 2021b).

Based on these definitions we can determine the following special cases, where $x,y\in{\sf Shared}$ and $r,r_{\_}i\in{\sf Local}$.

Statements of the form $\alpha\mathrel{{\color[rgb]{1.,0.,0.}\ooalign{\hss{/\hss}\cr{$\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{c}}}}$}}}}\beta\mathrel{{\color[rgb]{1.,0.,0.}\ooalign{\hss{/\hss}\cr{$\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{c}}}}$}}}}\gamma$ should be read as a shorthand for $\alpha\mathrel{{\color[rgb]{1.,0.,0.}\ooalign{\hss{/\hss}\cr{$\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{c}}}}$}}}}\beta$ and $\beta\mathrel{{\color[rgb]{1.,0.,0.}\ooalign{\hss{/\hss}\cr{$\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{c}}}}$}}}}\gamma$. Inserting fences limits the number of possible traces of a program, an outcome which obviously may restore intended relationships between variables.

We describe the six ordering constraints defined in type memoryoder below.

• •

  Relaxed (rlx, memory   order   relaxed). A relaxed access is the simplest, not adding any extra constraints to the variable access, allowing both the hardware and compiler to potentially reorder independent relaxed accesses. For instance, consider the following program snippet (where ‘$\mathchar 24635\relax\;$’ is C’s semicolon).

  (2.61)

  $${x}^{{\textsc{rlx}}}\mathop{{:}{=}}1\mathchar 24635\relax\;{flag}^{{\textsc{rlx}}}\mathop{{:}{=}}\mathsf{True}$$

  If the programmer’s intention is that the $flag$ variable is set to $\mathsf{True}$ after the data $x$ is set to 1, then they have erred: either the compiler or the hardware may reorder the apparently independent stores to $x$ and $flag$.

• •

  Release (rel, memory   order   release). The release tag can be applied to stores, indicating the end of a set of shared accesses (and hence control can be “released” to the system). Typically this tag is used on the setting of a flag variable, e.g., modifying the above case,

  (2.62)

  $${x}^{{\textsc{rlx}}}\mathop{{:}{=}}1\mathchar 24635\relax\;{flag}^{{\textsc{rel}}}\mathop{{:}{=}}\mathsf{True}$$

  now ensures that any other process that sees $flag=\mathsf{True}$ knows that the update (${x}^{{\textsc{rlx}}}\mathop{{:}{=}}1$) preceding the change to $flag$ has taken effect.

• •

  Acquire (acq, memory   order   acquire). The acquire tag can be applied to loads, and is the reciprocal of a release: any subsequent loads will see everything the acquire can see. For example, continuing from above, a simple process that reads the $flag$ in parallel with the above process may be written as follows:

  (2.63)

  $$f\mathop{{:}{=}}{flag}^{{\textsc{acq}}}\mathchar 24635\relax\;r\mathop{{:}{=}}{x}^{{\textsc{rlx}}}$$

  In this case the loads are kept in order by the acquire constraint, and hence at the end of the program, in the absence of any other interference, $f=1\Rightarrow r=1$.

• •

  Consume (con, memory   order   consume). The consume tag is similar to, but weaker than, acq, in that it is intended to be partnered with a rel, but only subsequent loads that are data-dependent on the loaded value are guaranteed to see the change. Hence,

  (2.64)

  $${f\mathop{{:}{=}}flag}^{{\textsc{con}}}\mathchar 24635\relax\;{r\mathop{{:}{=}}x}^{{\textsc{rlx}}}$$

  does not give $f=1\Rightarrow r=1$. However, after

  (2.65)

  $$f\mathop{{:}{=}}{flag}^{{\textsc{con}}}\mathchar 24635\relax\;{y\mathop{{:}{=}}f}^{{\textsc{rlx}}}$$

  then $f=1\Rightarrow y=1$. Data-dependence is maintained by the $\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{g}}}}}}$ relation, and in that sense the con constraint provides no extra reordering information to that of rlx. However the intention is that a con load indicates to the compiler that it must not lose, via optimisations, data dependencies to later instructions. We return to con in Sect. 8.2, in the context of expression optimisations, but for concision in the rest of the paper we omit consideration of con, which otherwise behaves as a rlx constraint.

• •

  Sequentially consistent (sc, memory   order   seq   cst). The sequentially consistent constraint is the strongest, forcing order between sc-tagged instructions and any other instructions. For example, the snippet

  (2.66)

  $${x}^{{\textsc{sc}}}\mathop{{:}{=}}1\mathchar 24635\relax\;{flag}^{{\textsc{sc}}}\mathop{{:}{=}}\mathsf{True}$$

  ensures $flag=1\Rightarrow x=1$ (in fact only one instruction needs the constraint for this to hold). This is considered a more “heavyweight” method for enforcing order than the acquire/release constraints.

• •

  Acquire-release (acqrel, memory   order   acq   rel). This constraint is used on instructions that have both an acquire and release component, and as will be seen it is straightforward to combine them in our syntax.

The relationship between the ordering constraints can be thought of in terms of a reordering relationship, $\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{oc}}}}}}$, as in the previous sections.

We write ${\textsc{oc}}_{\_}1\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{oc}}}}}}{\textsc{oc}}_{\_}2$ if $({\textsc{oc}}_{\_}1,{\textsc{oc}}_{\_}2)\in\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{oc}}}}}}$, and as before ${\textsc{oc}}_{\_}1\mathrel{{\color[rgb]{1.,0.,0.}\ooalign{\hss{/\hss}\cr{$\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{oc}}}}$}}}}{\textsc{oc}}_{\_}2$ otherwise. Expressing the relation as a negative is perhaps more intuitive, i.e., for all constraints oc, ${\textsc{oc}}\mathrel{{\color[rgb]{1.,0.,0.}\ooalign{\hss{/\hss}\cr{$\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{oc}}}}$}}}}{\textsc{sc}}\mathrel{{\color[rgb]{1.,0.,0.}\ooalign{\hss{/\hss}\cr{$\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{oc}}}}$}}}}{\textsc{oc}}$, ${\textsc{oc}}\mathrel{{\color[rgb]{1.,0.,0.}\ooalign{\hss{/\hss}\cr{$\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{oc}}}}$}}}}{\textsc{rel}}$, and ${\textsc{acq}}\mathrel{{\color[rgb]{1.,0.,0.}\ooalign{\hss{/\hss}\cr{$\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{oc}}}}$}}}}{\textsc{oc}}$. Additionally, the con constraint is equal to a rlx constraint for the purposes of ordering (but see Sect. 8.2), and acqrel is the combination of both acq and rel. An alternative presentation of the relationship of ${\textsc{oc}}_{\_}1\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{oc}}}}}}{\textsc{oc}}_{\_}2$ is as a grid, i.e.,

Note that acquire loads may come before release stores, that is, C follows the rc_pc model rather than the the stronger rc_sc model in (Gharachorloo et al., 1990) (it is of course straightforward to accommodate either; see also (Colvin, 2021b)).

We extend the syntax of instructions to incorporate ordering constraints, allowing variables and fences to be annotated with a set thereof, as shown in Fig. 1. The reordering relation for instructions, considering only ordering constraints, can be defined as below.

where the $\lceil.\rceil$ function extracts the ordering constraints from the expression and instructions syntax.

For example, $\lceil{x}^{{\textsc{rel}}}\mathop{{:}{=}}{y}^{{\textsc{acq}}}\rceil=\{{\textsc{rel}},{\textsc{acq}}\}$. Thus $\alpha\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{ocs}}}}}}\beta$ is checked by comparing point-wise each pair of ordering constraints in $\alpha$ and $\beta$. If $\alpha$ or $\beta$ has no ordering constraints then $\alpha\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{ocs}}}}}}\beta$ vacuously holds.

For example

Note that a locals-only instructions, such as $r_{\_}1\mathop{{:}{=}}r_{\_}2*2$, does not have any ordering constraints, and so is not affected by them, that is $\lceil r_{\_}1\mathop{{:}{=}}r_{\_}2*2\rceil=\varnothing$ and hence $r_{\_}1\mathop{{:}{=}}r_{\_}2*2\mathrel{{\color[rgb]{0.2.,0.5,0.2}\ext@arrow 0055{\Leftarrowfill@}{}{\,{{\textsc{ocs}}}}}}\beta$ for all $\beta$.

For convenience we define some abbreviations and conventions at the bottom of Fig. 1: we require every reference to a shared variable to have (at least one) ordering constraint, with the default being rlx; when there is exactly one ordering constraint we omit the set comprehension brackets in the syntax, and typically, when the types are clear, we abbreviate ${x}^{{\textsc{rlx}}}$ to plain $x$ as rlx is the default. Local variables are by definition never declared “atomic” and hence their set of ordering constraints is always empty; hence, when $r$ is a local variable, we abbreviate ${r}$ to $r$. Similarly we abbreviate ordering constraints on fences. We can now define release, acquire and sequentially consistent fences as the combination of a fence and ordering constraint. A “release fence” ($\mathbf{rel\leavevmode\vbox{\hrule width=3.99994pt}fence}$) operates according to the rel semantics above, and in addition blocks stores, hence is a combination of a $\mathsf{store_{fnc}}$ and rel ordering, and similarly an “acquire fence” ($\mathbf{acq\leavevmode\vbox{\hrule width=3.99994pt}fence}$) acts as a $\mathsf{load_{fnc}}$ and acq ordering. A “sequentially consisitent” fence ($\mathbf{sc\leavevmode\vbox{\hrule width=3.99994pt}fence}$) is also defined straightforwardly; these fences map to C’s atomicthreadfence(...) definition.

To complete the syntax extension we update the syntax-based definitions for extracting variables from expressions and instructions by defining ${\sf wv}({x}^{ocs}\mathop{{:}{=}}e)=\{x\}$ and ${\sf rv}({x}^{ocs})=\{x\}$, that is, read/write variables do not include the ordering constraints (and ${\sf wv}({\mathsf{f}}^{ocs})={\sf rv}({\mathsf{f}}^{ocs})=\varnothing$).