OCaml multicore memory model and C (runtime, FFI, VM)

[gadmm]

Even simple OCaml programs depend on bits written in C, via the runtime or the FFI, and all bytecode OCaml programs are run by an interpreter written in C. C11 has so-called “catch-fire” semantics for data races, which means that the program can (even in practice) crash or do worse things in the presence of a data race. The OCaml multicore memory model (proposed in the PLDI'18 paper) on the other hand aims to guarantee that even racy programs have well-defined behaviour.

• To prevent the C code from threatening OCaml's local DRF property, the C code interacting with OCaml should implement the OCaml memory model.

The backwards-compatibility guarantees of multicore motivates (ideally) retrofitting this property onto existing programs, including in terms of performance preservation, which might prove challenging. If the local DRF property is (reasonably) not required of all C code in existence (which is initially going to be legacy code inherited from OCaml 4), then we can weaken the requirement as follows:

• To prevent the catch-fire semantics of C11 from threatening OCaml's memory safety guarantees, the C code interacting with OCaml should take the OCaml memory model and racy OCaml programs into account.

In addition, the backwards-compatibility requirement is strict for single-threaded programs, but this leaves some leeway to ask programmers that they audit C code for memory-model compliance before turning on multiple domains. In this case, there should be a realistic path to making existing code compliant. It is not clear yet that such a relaxation of backwards-compatibility claims is necessary, but it is an option.

(Disclaimer that usually discussions about memory models fly over my head, but I made the effort of finding good references for what is below and I asked for expert advice who confirmed the diagnosis. All errors in the document below are mine.)

(I believe that this issue can interest @stedolan, @kayceesrk, @maranget.)

---

The Field macro

In this issue I will focus on the Field macro from caml/mlvalues.h which is used to read and initialize blocks in the OCaml heap, and is part of the documented FFI. It is currently implemented as a plain load/store:

#define Field(x, i) (((value *)(x)) [i])           /* Also an l-value. */

This can notably be subject to load/store tearing (even on aligned word-sized pointers) and invented load/stores (see Who's afraid of a big bad optimizing compiler?).

Example

As an example, the following is a well-defined racy OCaml program:

let t1 x = x := Some (1,1) (* thread 1 *)
let t2 x = match !x with None -> () | Some (n,m) -> Printf.printf "%d:%d" n m (* thread 2 *)
let _ =
  let x = ref None in
  {{ t1 x || t2 x }}

Thread 1 and 2 can also be implemented in C which looks like code that one can imagine seeing in real-world programs:

value t1(value x)
{
  CAMLparam1(x);
  CAMLlocal2(y,z);
  y = caml_alloc_small(1, Tag_some); // plain stores
  z = caml_alloc_small(2, 0); // plain stores
  Field(z, 0) = Val_int(0); // plain store
  Field(z, 1) = Val_int(0); // plain store
  Field(y, 0) = z; // plain store
  Store_field(x, 0, y); // release atomic store via caml_modify
  CAMLreturn(Val_unit);
}

value t2(value x)
{
  value y = Field(x, 0); // plain read
  if (Is_some(y)) {
    value z = Field(y, 0); // plain read
    printf("%d:%d", Int_val(Field(z, 0)), Int_val(Field(z, 1))); // plain reads
  }
  return Val_unit;
}

According to the C memory model this is UB because 1) Field does a plain read on a value with a conflicting concurrent access, and 2) even if Field did a relaxed atomic read, there is no guarantee that t2 sees the initializing writes of y, it might be looking at uninitialized memory and dereferencing garbage. The code does not do anything fancy: any implementation of a simple pattern-matching can be subject to these issues. (The variable y would be declared with CAMLlocal1 if the documentation was followed closely, but this does not fundamentally change the problem and the simplification is realistic of what to expect of expert code.)

For example, for 1) the compiler could rewrite t2 by inventing reads as:

  if (Is_some(Field(x, 0))) {
    z = Field(Field(x, 0), 0);
    printf("%d:%d", Int_val(Field(z, 0)), Int_val(Field(z, 1)));
  }

which could happen in practice if this code is placed in a context of high register pressure. Now the second read is not guaranteed to give the same value as the first one in a racy OCaml program, so one might be dereferencing whatever. To avoid this, the read should at least be a relaxed atomic read.

For 2), the current implementation of the OCaml memory model (adapted to the new STW collector design) intends to rely on dependency ordering being enforced in hardware (e.g. address dependency in Arm) and the compiler not doing anything crazy things that breaks dependencies.

Dependency ordering in C

• In theory the C version is going to be UB if reads are not at least memory_order_consume.
• In practice it falls within a de facto use of the relaxed ordering, see http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2020/p2055r0.pdf §2.6.7 (see also §A).

  “[if] the developers are willing to live within strict coding standards [12], memory_order_relaxed may be used to head dependency chains. […] Note well that this design pattern is outside of the current standard.”

Some background for people not familiar with memory_order_consume: it is an ordering for atomic reads stronger than relaxed but much cheaper than acquire on relaxed memory models, meant to rely on chips' ordering of data dependencies, inspired by the Linux kernel's RCU synchronisation mechanism which is very cheap for the reader. In practice though it was found impossible to implement as intended and is compiled like an acquire load by all compilers. Only DEC Alpha did not respect data dependency due to cache incoherence, in theory it is also threatened by any form of value prediction, more below. This is why in practice “memory_order_relaxed may be used to head dependency chains”.

The Linux kernel is a good source of info regarding the use of data dependency in practice in C. They avoid consume atomics at some cost:

• place trust in the C compilers that Linux is supposed to be compiled with (gcc, clang, icc?) to do nothing crazy
• use volatile reads, expected to be treated similarly to relaxed atomic reads on word-sized values on the trusted compilers (AFAIU they could also use relaxed atomics, but use volatile for a mix of code legacy, backwards-compatibility and inadequacy of the C11 memory model)
• expect programmers to follow a strict coding discipline, cf. link above. In practice for OCaml+C code not all of these rules are necessary and the rest are difficult to break (essentially not doing anything that would let the compiler break dependencies by speculating on the value of pointers).

At least, Linux shows precedent about the need to go off-road regarding the strict confines of C11 well-defined behaviour. (The situation is eloquently described here.)

2 imperfect solutions

Therefore for the Field macro I see two (imperfect) options:

1. Make Field a volatile cast (((volatile value *)(x)) [i]):
   • the OCaml runtime & FFI do not follow the C11 memory model
   • volatile reads are forever assumed to mimick relaxed load/stores on word-sized aligned pointers, and to head dependency chains: no exotic/futuristic ISAs even for bytecode (or hope that a compiler switch makes it well-defined in the future, like -fwrapv regularizes OCaml's assumptions on signed overflows).
   • preserves performance (hopefully)
   • clarify rules similar to the RCU “coding standards” linked above (based on the relevant subset of it). A careful read is reassuring that only things out of the ordinary can have bad consequences, but is still important to document.
   • not sufficient for legacy code to automatically enforce the OCaml memory model?
   • backwards-compatible?
2. Make Field an atomic cast (((_Atomic value *)(x)) [i]):
   • well-defined behaviour, read/writes using Field become SC load/stores
   • definite performance impact: the idea is that code does not break but users are encouraged to progressively migrate towards newly-introduced more efficient primitives
   • in order to stay within the C11 memory model, a new primitive to read a field would still require at least consume ordering (that is, an acquire in practice, with permanent impact on performance), with some optimisations possible if immediate
   • sufficient for legacy code to automatically enforce the OCaml memory model?
   • backwards-compatible in a different manner?

Another option is to not change anything and inherit the “catch-fire” semantics of C11 when there is a race where one victim is the runtime or FFI code. But since this already invokes UB, it is unclear that there are any advantages to this compared to making Field a volatile cast.

---

Remaining questions

• Decide a solution to fix the Field macro and similar macros in the same file as described above.
• Is any undocumented rule used by realistic, professional code with OCaml 4 but invalid for the OCaml memory model? (For instance, use of Field to store an immediate when it is known that what is overwritten is an immediate?)
• Are there other parts of the documented FFI that requires adaptation to make it realistic to conform to the OCaml memory model? Is the documentation up-to-date in this respect?
• The Field macro is found in the C parts of the stdlib. Assuming Field is fixed, do the latter conform to the OCaml memory model?
• The Field macro is found in the interpreter. Assuming Field is fixed, does the latter implement the OCaml memory model?

[xavierleroy]

Thank you for the concrete example. There's a typo: Field(y, 0) = y; should be = z;.

More surprisingly, your analysis seems to ignore the "acquire barrier; store release" operations performed by caml_modify, a.k.a. Store_field. Of course, if Store_field was a plain write, "there is no guarantee that t2 sees the initializing reads writes of y, it might be looking at uninitialized memory and dereferencing garbage". But it is not a plain write. So, what' really going on in this example?

[gadmm]

My layman's understanding is this: for synchronization to happen you need an order on the writer side and an order on the reader side. If you lack either then there is no order in total. Here the problematic behaviour is with relaxed memory models in hardware that can reorder reads (e.g. out-of-order and speculative reads on Arm), or clever compilers that try to leverage branch prediction by speculating on values. Both behaviours are allowed by the C11 memory model. So what is missing is an order on the reader side. As I wrote, Store_field does a release atomic store. But you can have the strongest barrier you want in caml_modify, this is not going to address the issue.

Now as you can guess it would be very hard for a chip to load the value at address *p before loading the value at address p (!). So it is very cheap for Arm to guarantee that this does not happen (address ordering). It is possible to imagine though how hardware could give up this guarantee and require a fence, if the cache itself is not ordered like on Alpha, or if the hardware is able to predict values (only an academic research topic at the moment). The C11 memory model is either very in the past or very in the future, and allows such things. The only way to leverage Arm's address ordering according to the C11 standard is to use an order stronger or equal to memory_order_consume.

Compilers can speculate on values by rewriting E[p] as if (p == A) then E[A] else E[p] which kicks in branch prediction. It is very hard for a compiler to speculate on pointer values, this is the gist of the RCU coding guidelines which gives a few examples where this can happen (essentially the compiler can take guesses according to what you do with the pointer afterwards). Most examples do not apply to normal usage of the OCaml FFI, and I find it rather reassuring. The guidelines advises turning off feedback-driven optimizers, which lets you imagine very creative scenarios: for instance if an optimizer observes a program running and decides that it is good to speculate on the equality between two pointer values (for instance if a single rare allocation is the only allocation in a certain size class for the whole duration of the program, which de facto gives it a fixed address compared to some internal allocator data). Of course this is very unlikely to happen. But this is allowed by the C11 memory model. To force compilers to preserve data dependencies, C11 gives you memory_order_consume.

Now compilers gave up implementing memory_order_consume and simply replace it with memory_order_acquire. Hence even putting backwards-compatibility constraints aside, you are left with a choice between efficiency and standards-compliance.

[xavierleroy]

Thanks for the additional explanations. I was too focused on the writing side but now I see the reading side is the concern.

If it can help, we could introduce and mandate the use of a Load_mutable_field macro, symmetrical to Store_field, that loads with appropriate memory ordering (acquire?), and is not a l-value. Most OCaml data structures being immutable, and esp. those accessed from C stubs, I'd like to keep the existing Field definition unchanged for initializing and reading from immutable blocks.

I'm more afraid of crazy hardware than of crazy compilers. OCaml already depends on various UBs to be compiled in a sensible manner, e.g. overflows in signed integer arithmetic, and to mitigate the risks we can pass options to the compiler (e.g. -fwrap currently) and/or limit optimization level (e.g. -O2 currently, and I wouldn't go any higher). So, if crazy compiler optimizations is the only concern, it should be manageable.

Finally, I didn't see how making Field a volatile memory access would prevent the "let's guess the address that will be accessed" optimizations.

[stedolan]

Thanks for the excellent writeup. For the record, my ideal option for Field would be some sort of (_Atomic(relaxed) value*) cast that results in an lvalue that does relaxed-atomic loads and stores. Sadly no such cast exists in C, so I'd lean towards option (1) (volatile cast) as the closest alternative. (However, even this changes the type of (&Field(...)), which will have its own backwards compatibility concerns)

[gadmm]

• Adding a Load_mutable_field and deprecating certain uses of Field reminds (at a smaller scale) of the kind of changes that were needed by the previous concurrent collector design (it, too, could have simply preserved the behaviour for programs running on a single domain, IIUC). It does not seem obvious at all to me that one can look at C code and identify all the places where Field should be changed (nothing distinguishes a mutable load from an immutable load in current code). Perhaps Stephen and KC have more experience to share regarding the difficulty of such changes?
• A performance (and backwards-compatibility, in light of Stephen's remark) evaluation of making Field a volatile cast seems needed to decide whether or not the change has such big impact. It seems that various reasons could force you to keep the macro as it is, requiring empirical evidence.
• The rationale for assuming volatile reads head dependency ordering is: the C committee knows that consume is broken, and that relaxed is used for this purpose in practice (cf. p2055r0); moreover you are in good company in assuming that volatile is a proxy for relaxed in this usage. This is current de facto, documented use of C, the first of which still has currently no alternative for some crucial use. If I follow correctly, the committee are more the kind of people to try to evolve the standard to serve existing usage than the converse, and (C) compiler writers try to avoid breaking code.

[gasche]

I personally would like to see Load_mutable_field and Load_immutable_field macros on the C side, that need not be lvalues. I could use them to express my intent / my understanding of the value type being manipulated, and I would feel confident that this is robust to future changes in the runtime.
(I don't know if it's realistic to deprecate Field and expect those new macros to replace existing FFI code. But having them in addition to the current approach makes it easier to write forward-looking code, and it will make it easier to make some more opinionated changes to the FFI in N years if we want to or hav to.)

[maranget]

The Load_mutable_field/Store_field suggestion reminds me of C-kernel practice: deprecating the all-purpose macro for sensitive pointers, in favor of having different macros for storing to and loading from sensitive pointers. Those macros a based upon casts to volatile pointers. Notice that they did so for reason different of ours and that they manage for the load-side macros not to be a lvalue (some details). So it is possible to have volatile casts and force r-value usage.

Additional note (sorry for this, skip please if not interested). Something has been puzzling me for long and I have no answer: what happens when one mixes atomic and pain accesses to the same location? In other words, I am not sure that casting non atomic values to atomic ones and using atomic primitive to replace a plain load (something like atomic_load_explicit((_Atomic(value) *)p,MEMORY_ORDER_RELAXED), if I am not mistaken) is well defined according to the standard.

[gadmm]

I think @maranget's question on casting to atomics (currently used in multicore) is on-topic for this issue. http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2014/n4013.html provides some useful context (leaning towards "admitted off-standard practice").

[gadmm]

Possible solution

What is going to happen is that there is going to be legacy code where mutable state is safe by virtue of not being shared between domains. If we admit this, then one gets the best of all worlds: legacy code remains fast and correct even in a strict C11 sense ("please use this library only on one domain"), and this legacy code can nevertheless evolve progressively as needed to lift the restriction (and remain correct in a strict C11 sense).

Understand that by one domain, I do not mean a restriction to single-core programs, but instead that a multi-core program should make sure all uses of the library happen on the same domain (which less strict and would still make many libraries useful). We can discuss various ways to enforce this constraint.

Note that this is going to solve initially more thread-unsafety issues for code ported from OCaml 4 than the one discussed here (e.g. races that are not C data races).

With this in mind, you want to introduce a macro Load_field that performs an acquire load, but:

1. you can either say that newly-introduced loads must use it, or that there are situations where it still makes sense to use Field (e.g. performance in single-domain scenarios, given how expensive acquire-release is on Arm)
2. you can make Field perform volatile accesses, but this is not necessary for safety. You would want to do it to guard against crashes in practice due to misuse, but the first argument for memory safety remains based in the C11 standard.

edit: Load_field instead of Load_mutable_field.

[xavierleroy]

there are situations where it still makes sense to use Field

Just to make sure we're on the same page: there are two very common such situation, namely 1- using Field to access an immutable field and 2- initializing such a field after caml_alloc_small. But for mutable fields, I'm all in favor of introducing and using Load_mutable_field.

[gadmm]

Just to make sure we're on the same page

Yes we are, I should have clarified that I was talking about loads of mutable fields.