Metadata Table
Manual Type user
Spec Revision 20181106-Base-Ratification
Spec Release Date
Git Revision 20181106-Base-Ratification
Git URLhttps://github.com/riscv/riscv-isa-manual.git
Sourcesrc/memory-model-operational.tex
Conversion Date2023/11/12
LicenseCC-by-4.0

An Operational Memory Model

This is an alternative presentation of the RVWMO memory model in operational style. It aims to admit exactly the same extensional behaviour as the axiomatic presentation: for any given program, admitting an execution if and only if the axiomatic presentation allows it.

The axiomatic presentation is defined as a predicate on complete candidate executions. In contrast, this operational presentation has an abstract microarchitectural flavour: it is expressed as a state machine, with states that are an abstract representation of hardware machine states, and with explicit out-of-order and speculative execution (but abstracting from more implementation-specific microarchitectural details such as register renaming, store buffers, cache hierarchies, cache protocols, etc.). As such, it can provide useful intuition. It can also construct executions incrementally, making it possible to interactively and randomly explore the behaviour of larger examples, while the axiomatic model requires complete candidate executions over which the axioms can be checked.

The operational presentation covers mixed-size execution, with potentially overlapping memory accesses of different power-of-two byte sizes. Misaligned accesses are broken up into single-byte accesses.

An interactive version of the model, together with a library of litmus tests, is provided online: http://www.cl.cam.ac.uk/~pes20/rmem. This is integrated with a fragment of the RISC-V ISA semantics (RV64I and A) expressed explicitly in Sail (https://github.com/rems-project/sail)).

Below is an informal introduction of the model states and transitions. The description of the formal model starts in the next subsection.

Terminology: In contrast to the axiomatic presentation, here every memory operation is either a load or a store. Hence, AMOs give rise to two distinct memory operations, a load and a store. When used in conjunction with “instruction”, the terms “load” and “store” refer to instructions that give rise to such memory operations. As such, both include AMO instructions. The term “acquire” refers to instruction (or its memory operation) with the acquire-RCpc or acquire-RCsc annotation. The term “release” refers to instruction (or its memory operation) with the release-RCpc or release-RCsc annotation.

Model states

A model state consists of a shared memory and a tuple of hart states.

image

The shared memory state records all the memory store operations that have propagated so far, in the order they propagated (this can be made more efficient, but for simplicity of the presentation we keep it this way).

Each hart state consists principally of a tree of instruction instances, some of which have been finished, and some of which have not. Non-finished instruction instances can be subject to restart, e.g. if they depend on an out-of-order or speculative load that turns out to be unsound.

Conditional branch and indirect jump instructions may have multiple successors in the instruction tree. When such instruction is finished, any un-taken alternative paths are discarded.

Each instruction instance in the instruction tree has a state that includes an execution state of the intra-instruction semantics (the ISA pseudocode for this instruction). The model uses a formalisation of the intra-instruction semantics in Sail. One can think of the execution state of an instruction as a representation of the pseudocode control state, pseudocode call stack, and local variable values. An instruction instance state also includes information about the instance’s memory and register footprints, its register reads and writes, its memory operations, whether it is finished, etc.

Model transitions

The model defines, for any model state, the set of allowed transitions, each of which is a single atomic step to a new abstract machine state. Execution of a single instruction will typically involve many transitions, and they may be interleaved in operational-model execution with transitions arising from other instructions. Each transition arises from a single instruction instance; it will change the state of that instance, and it may depend on or change the rest of its hart state and the shared memory state, but it does not depend on other hart states, and it will not change them. The transitions are introduced below and defined in Section 1.5, with a precondition and a construction of the post-transition model state for each.

Transitions for all instructions:

Transitions specific to load instructions:

Transitions specific to store instructions:

Transitions specific to sc instructions:

Transitions specific to AMO instructions:

Transitions specific to fence instructions:

The transitions labelled  can always be taken eagerly, as soon as their precondition is satisfied, without excluding other behaviour; the cannot. Although is marked with a , it can be taken eagerly as long as it is not taken infinitely many times.

An instance of a non-AMO load instruction, after being fetched, will typically experience the following transitions in this order:

  1. and/or (as many as needed to satisfy all the load operations of the instance)

Before, between and after the transitions above, any number of transitions may appear. In addition, a transition for fetching the instruction in the next program location will be available until it is taken.

This concludes the informal description of the operational model. The following sections describe the formal operational model.

Intra-instruction Pseudocode Execution

The intra-instruction semantics for each instruction instance is expressed as a state machine, essentially running the instruction pseudocode. Given a pseudocode execution state, it computes the next state. Most states identify a pending memory or register operation, requested by the pseudocode, which the memory model has to do. The states are (this is a tagged union; tags in small-caps):

image

Here:

mem_value and reg_value are lists of bytes;

address is an integer of XLEN bits;

for load/store, kind identifies whether it is lr/sc, acquire-RCpc/release-RCpc, acquire-RCsc/release-RCsc, acquire-release-RCsc;

for fence, kind identifies whether it is a normal or TSO, and (for normal fences) the predecessor and successor ordering bits;

reg_name identifies a register and a slice thereof (start and end bit indices); and

the continuations describe how the instruction instance will continue for each value that might be provided by the surrounding memory model (the load_continuation and read_continuation take the value loaded from memory and read from the previous register write, the store_continuation takes false for an sc that failed and true in all other cases, and res_continuation takes false if the sc fails and true otherwise).

For example, given the load instruction lw x1,0(x2), an execution will typically go as follows. The initial execution state will be computed from the pseudocode for the given opcode. This can be expected to be Read_reg(x2, read_continuation). Feeding the most recently written value of register x2 (the instruction semantics will be blocked if necessary until the register value is available), say 0x4000, to read_continuation returns Load_mem(plain_load, 0x4000, 4, load_continuation). Feeding the 4-byte value loaded from memory location 0x4000, say 0x42, to load_continuation returns Write_reg(x1, 0x42, Done). Many Internal(next_state) states may appear before and between the states above.

Notice that writing to memory is split into two steps, Store_ea and Store_memv: the first one makes the memory footprint of the store provisionally known, and the second one adds the value to be stored. We ensure these are paired in the pseudocode (Store_ea followed by Store_memv), but there may be other steps between them.

It is observable that the Store_ea can occur before the value to be stored is determined. For example, for the litmus test LB+fence.r.rw+data-po to be allowed by the operational model (as it is by RVWMO), the first store in Hart 1 has to take the Store_ea step before its value is determined, so that the second store can see it is to a non-overlapping memory footprint, allowing the second store to be committed out of order without violating coherence.

The pseudocode of each instruction performs at most one store or one load, except for AMOs that perform exactly one load and one store. Those memory accesses are then split apart into the architecturally atomic units by the hart semantics (see and below).

Informally, each bit of a register read should be satisfied from a register write by the most recent (in program order) instruction instance that can write that bit (or from the hart’s initial register state if there is no such write). Hence, it is essential to know the register write footprint of each instruction instance, which we calculate when the instruction instance is created (see the action of below). We ensure in the pseudocode that each instruction does at most one register write to each register bit, and also that it does not try to read a register value it just wrote.

Data-flow dependencies (address and data) in the model emerge from the fact that each register read has to wait for the appropriate register write to be executed (as described above).

Instruction Instance State

Each instruction instance i has a state comprising:

Each memory load operation includes a memory footprint (address and size). Each memory store operations includes a memory footprint, and, when available, a value.

A load instruction instance with a non-empty mem_loads, for which all the load operations are satisfied (i.e. there are no unsatisfied load slices) is said to be entirely satisfied.

Informally, an instruction instance is said to have fully determined data if the load (and sc) instructions feeding its source registers are finished. Similarly, it is said to have a fully determined memory footprint if the load (and sc) instructions feeding its memory operation address register are finished. Formally, we first define the notion of fully determined register write: a register write w from reg_writes of instruction instance i is said to be fully determined if one of the following conditions hold:

  1. i is finished; or

  2. the value written by w is not affected by a memory operation that i has made (i.e. a value loaded from memory or the result of sc), and, for every register read that i has made, that affects w, the register write from which i read is fully determined (or i read from the initial register state).

Now, an instruction instance i is said to have fully determined data if for every register read r from reg_reads, the register writes that r reads from are fully determined. An instruction instance i is said to have a fully determined memory footprint if for every register read r from reg_reads that feeds into i’s memory operation address, the register writes that r reads from are fully determined.

The rmem tool records, for every register write, the set of register writes from other instructions that have been read by this instruction at the point of performing the write. By carefully arranging the pseudocode of the instructions covered by the tool we were able to make it so that this is exactly the set of register writes on which the write depends on.

Hart State

The model state of a single hart comprises:

Shared Memory State

The model state of the shared memory comprises a list of memory store operations, in the order they propagated to the shared memory.

When a store operation is propagated to the shared memory it is simply added to the end of the list. When a load operation is satisfied from memory, for each byte of the load operation, the most recent corresponding store slice is returned.

For most purposes, it is simpler to think of the shared memory as an array, i.e., a map from memory locations to memory store operation slices, where each memory location is mapped to a one-byte slice of the most recent memory store operation to that location. However, this abstraction is not detailed enough to properly handle the sc instruction. The RVWMO allows store operations from the same hart as the sc to intervene between the store operation of the sc and the store operations the paired lr read from. To allow such store operations to intervene, and forbid others, the array abstraction must be extended to record more information. Here, we use a list as it is very simple, but a more efficient and scalable implementations should probably use something better.

Transitions

Each of the paragraphs below describes a single kind of system transition. The description starts with a condition over the current system state. The transition can be taken in the current state only if the condition is satisfied. The condition is followed by an action that is applied to that state when the transition is taken, in order to generate the new system state.

Fetch instruction

A possible program-order-successor of instruction instance i can be fetched from address loc if:

  1. it has not already been fetched, i.e., none of the immediate successors of i in the hart’s instruction_tree are from loc; and

  2. if i’s pseudocode has already wrote an address to pc, then loc must be that address, otherwise loc is:

Action: construct a freshly initialized instruction instance i for the instruction in the program memory at loc, with state Plain(isa_state), computed from the instruction pseudocode, including the static information available from the pseudocode such as its instruction_kind, src_regs, and dst_regs, and add i to the hart’s instruction_tree as a successor of i.

The possible next fetch addresses (loc) are available immediately after fetching i and the model does not need to wait for the pseudocode to write to pc; this allows out-of-order execution, and speculation past conditional branches and jumps. For most instructions these addresses are easily obtained from the instruction pseudocode. The only exception to that is the indirect jump instruction (jalr), where the address depends on the value held in a register. In principle the mathematical model should allow speculation to arbitrary addresses here. The exhaustive search in the rmem tool handles this by running the exhaustive search multiple times with a growing set of possible next fetch addresses for each indirect jump. The initial search uses empty sets, hence there is no fetch after indirect jump instruction until the pseudocode of the instruction writes to pc, and then we use that value for fetching the next instruction. Before starting the next iteration of exhaustive search, we collect for each indirect jump (grouped by code location) the set of values it wrote to pc in all the executions in the previous search iteration, and use that as possible next fetch addresses of the instruction. This process terminates when no new fetch addresses are detected.

Initiate memory load operations

An instruction instance i in state Plain(Load_mem(kind, address, size, load_continuation)) can always initiate the corresponding memory load operations. Action:

  1. Construct the appropriate memory load operations mlos:

  2. set mem_loads of i to mlos; and

  3. update the state of i to Pending_mem_loads(load_continuation).

In Section [sec:rvwmo:primitives] it is said that misaligned memory accesses may be decomposed at any granularity. Here we decompose them to one-byte accesses as this granularity subsumes all others.

Satisfy memory load operation by forwarding from unpropagated stores

For a non-AMO load instruction instance i in state Pending_mem_loads(load_continuation), and a memory load operation mlo in i.mem_loads that has unsatisfied slices, the memory load operation can be partially or entirely satisfied by forwarding from unpropagated memory store operations by store instruction instances that are program-order-before i if:

  1. all program-order-previous fence instructions with .sr and .pw set are finished;

  2. for every program-order-previous fence instruction, f, with .sr and .pr set, and .pw not set, if f is not finished then all load instructions that are program-order-before f are entirely satisfied;

  3. for every program-order-previous fence.tso instruction, f, that is not finished, all load instructions that are program-order-before f are entirely satisfied;

  4. if i is a load-acquire-RCsc, all program-order-previous store-releases-RCsc are finished;

  5. if i is a load-acquire-release, all program-order-previous instructions are finished;

  6. all non-finished program-order-previous load-acquire instructions are entirely satisfied; and

  7. all program-order-previous store-acquire-release instructions are finished;

Let msoss be the set of all unpropagated memory store operation slices from non-sc store instruction instances that are program-order-before i and have already calculated the value to be stored, that overlap with the unsatisfied slices of mlo, and which are not superseded by intervening stores operations or store operations that are read from by an intervening loads. The last condition requires, for each memory store operation slice msos in msoss from instruction i:

that there is no store instruction program-order-between i and i with a memory store operation overlapping msos; and

that there is no load instruction program-order-between i and i that was satisfied from an overlapping memory store operation slice from a different hart.

Action:

  1. update i.mem_loads to indicate that mlo was satisfied by msoss; and

  2. restart any speculative instructions which have violated coherence as a result of this, i.e., for every non-finished instruction i that is a program-order-successor of i, and every memory load operation mlo of i that was satisfied from msoss, if there exists a memory store operation slice msos in msoss, and an overlapping memory store operation slice from a different memory store operation in msoss, and msos is not from an instruction that is a program-order-successor of i, restart i and its restart-dependents.

Where, the restart-dependents of instruction j are:

program-order-successors of j that have data-flow dependency on a register write of j;

program-order-successors of j that have a memory load operation that reads from a memory store operation of j (by forwarding);

if j is a load-acquire, all the program-order-successors of j;

if j is a load, for every fence, f, with .sr and .pr set, and .pw not set, that is program-order-successors of j, all the load instructions that are program-order-successors of f;

if j is a load, for every fence.tso, f, that is program-order-successors of j, all the load instructions that are program-order-successors of f; and

(recursively) all the restart-dependents of all the instruction instances above.

Forwarding memory store operations to a memory load might satisfy only some slices of the load, leaving other slices unsatisfied.

A program-order-previous store operation that was not available when taking the transition above might make msoss provisionally unsound (violating coherence) when it becomes available. That store will prevent the load from being finished (see ), and will cause it to restart when that store operation is propagated (see ).

A consequence of the transition condition above is that store-release-RCsc memory store operations cannot be forwarded to load-acquire-RCsc instructions: msoss does not include memory store operations from finished stores (as those must be propagated memory store operations), and the condition above requires all program-order-previous store-releases-RCsc to be finished when the load is acquire-RCsc.

Satisfy memory load operation from memory

For an instruction instance i of a non-AMO load instruction or an AMO instruction in the context of the “” transition, any memory load operation mlo in i.mem_loads that has unsatisfied slices, can be satisfied from memory if all the conditions of are satisfied. Action: let msoss be the memory store operation slices from memory covering the unsatisfied slices of mlo, and apply the action of .

Note that might leave some slices of the memory load operation unsatisfied, those will have to be satisfied by taking the transition again, or taking . , on the other hand, will always satisfy all the unsatisfied slices of the memory load operation.

Complete load operations

A load instruction instance i in state Pending_mem_loads(load_continuation) can be completed (not to be confused with finished) if all the memory load operations i.mem_loads are entirely satisfied (i.e. there are no unsatisfied slices). Action: update the state of i to Plain(load_continuation(mem_value)), where mem_value is assembled from all the memory store operation slices that satisfied i.mem_loads.

Early sc fail

An sc instruction instance i in state Plain(Early_sc_fail(res_continuation)) can always be made to fail. Action: update the state of i to Plain(res_continuation(false)).

Paired sc

An sc instruction instance i in state Plain(Early_sc_fail(res_continuation)) can continue its (potentially successful) execution if i is paired with an lr. Action: update the state of i to Plain(res_continuation(true)).

Initiate memory store operation footprints

An instruction instance i in state Plain(Store_ea(kind, address, size, next_state)) can always announce its pending memory store operation footprint. Action:

  1. construct the appropriate memory store operations msos (without the store value):

  2. set i.mem_stores to msos; and

  3. update the state of i to Plain(next_state).

Note that after taking the transition above the memory store operations do not yet have their values. The importance of splitting this transition from the transition below is that it allows other program-order-successor store instructions to observe the memory footprint of this instruction, and if they don’t overlap, propagate out of order as early as possible (i.e. before the data register value becomes available).

Instantiate memory store operation values

An instruction instance i in state Plain(Store_memv(mem_value, store_continuation)) can always instantiate the values of the memory store operations i.mem_stores. Action:

  1. split mem_value between the memory store operations i.mem_stores; and

  2. update the state of i to Pending_mem_stores(store_continuation).

Commit store instruction

An uncommitted instruction instance i of a non-sc store instruction or an sc instruction in the context of the “” transition, in state Pending_mem_stores(store_continuation), can be committed (not to be confused with propagated) if:

  1. i has fully determined data;

  2. all program-order-previous conditional branch and indirect jump instructions are finished;

  3. all program-order-previous fence instructions with .sw set are finished;

  4. all program-order-previous fence.tso instructions are finished;

  5. all program-order-previous load-acquire instructions are finished;

  6. all program-order-previous store-acquire-release instructions are finished;

  7. if i is a store-release, all program-order-previous instructions are finished;

  8. [omm:commit_store:prev_addrs] all program-order-previous memory access instructions have a fully determined memory footprint;

  9. [omm:commit_store:prev_stores] all program-order-previous store instructions, except for sc that failed, have initiated and so have non-empty mem_stores; and

  10. [omm:commit_store:prev_loads] all program-order-previous load instructions have initiated and so have non-empty mem_loads.

Action: record that i is committed.

Notice that if condition [omm:commit_store:prev_addrs] is satisfied the conditions [omm:commit_store:prev_stores] and [omm:commit_store:prev_loads] are also satisfied, or will be satisfied after taking some eager transitions. Hence, requiring them does not strengthen the model. By requiring them, we guarantee that previous memory access instructions have taken enough transitions to make their memory operations visible for the condition check of , which is the next transition the instruction will take, making that condition simpler.

Propagate store operation

For a committed instruction instance i in state Pending_mem_stores(store_continuation), and an unpropagated memory store operation mso in i.mem_stores, mso can be propagated if:

  1. all memory store operations of program-order-previous store instructions that overlap with mso have already propagated;

  2. all memory load operations of program-order-previous load instructions that overlap with mso have already been satisfied, and (the load instructions) are non-restartable (see definition below); and

  3. all memory load operations that were satisfied by forwarding mso are entirely satisfied.

Where a non-finished instruction instance j is non-restartable if:

  1. there does not exist a store instruction s and an unpropagated memory store operation mso of s such that applying the action of the “” transition to mso will result in the restart of j; and

  2. there does not exist a non-finished load instruction l and a memory load operation mlo of l such that applying the action of the “”/“” transition (even if mlo is already satisfied) to mlo will result in the restart of j.

Action:

  1. update the shared memory state with mso;

  2. update i.mem_stores to indicate that mso was propagated; and

  3. restart any speculative instructions which have violated coherence as a result of this, i.e., for every non-finished instruction i program-order-after i and every memory load operation mlo of i that was satisfied from msoss, if there exists a memory store operation slice msos in msoss that overlaps with mso and is not from mso, and msos is not from a program-order-successor of i, restart i and its restart-dependents (see ).

Commit and propagate store operation of an sc

An uncommitted sc instruction instance i, from hart h, in state Pending_mem_stores(store_continuation), with a paired lr i that has been satisfied by some store slices msoss, can be committed and propagated at the same time if:

  1. i is finished;

  2. every memory store operation that has been forwarded to i is propagated;

  3. the conditions of is satisfied;

  4. the conditions of is satisfied (notice that an sc instruction can only have one memory store operation); and

  5. for every store slice msos from msoss, msos has not been overwritten, in the shared memory, by a store that is from a hart that is not h, at any point since msos was propagated to memory.

Action:

  1. apply the actions of ; and

  2. apply the action of .

Late sc fail

An sc instruction instance i in state Pending_mem_stores(store_continuation), that has not propagated its memory store operation, can always be made to fail. Action:

  1. clear i.mem_stores; and

  2. update the state of i to Plain(store_continuation(false)).

For efficiency, the rmem tool allows this transition only when it is not possible to take the transition. This does not affect the set of allowed final states, but when explored interactively, if the sc should fail one should use the transition instead of waiting for this transition.

Complete store operations

A store instruction instance i in state Pending_mem_stores(store_continuation), for which all the memory store operations in i.mem_stores have been propagated, can always be completed (not to be confused with finished). Action: update the state of i to Plain(store_continuation(true)).

Satisfy, commit and propagate operations of an AMO

An AMO instruction instance i in state Pending_mem_loads(load_continuation) can perform its memory access if it is possible to perform the following sequence of transitions with no intervening transitions:

  1. (zero or more times)

and in addition, the condition of , with the exception of not requiring i to be in state Plain(Done), holds after those transitions. Action: perform the above sequence of transitions (this does not include ), one after the other, with no intervening transitions.

Notice that program-order-previous stores cannot be forwarded to the load of an AMO. This is simply because the sequence of transitions above does not include the forwarding transition. But even if it did include it, the sequence will fail when trying to do the transition, as this transition requires all program-order-previous store operations to overlapping memory footprints to be propagated, and forwarding requires the store operation to be unpropagated.

In addition, the store of an AMO cannot be forwarded to a program-order-successor load. Before taking the transition above, the store operation of the AMO does not have its value and therefore cannot be forwarded; after taking the transition above the store operation is propagated and therefore cannot be forwarded.

Commit fence

A fence instruction instance i in state Plain(Fence(kind, next_state)) can be committed if:

  1. if i is a normal fence and it has .pr set, all program-order-previous load instructions are finished;

  2. if i is a normal fence and it has .pw set, all program-order-previous store instructions are finished; and

  3. if i is a fence.tso, all program-order-previous load and store instructions are finished.

Action:

  1. record that i is committed; and

  2. update the state of i to Plain(next_state).

Register read

An instruction instance i in state Plain(Read_reg(reg_name, read_cont)) can do a register read of reg_name if every instruction instance that it needs to read from has already performed the expected reg_name register write.

Let read_sources include, for each bit of reg_name, the write to that bit by the most recent (in program order) instruction instance that can write to that bit, if any. If there is no such instruction, the source is the initial register value from initial_register_state. Let reg_value be the value assembled from read_sources. Action:

  1. add reg_name to i.reg_reads with read_sources and reg_value; and

  2. update the state of i to Plain(read_cont(reg_value)).

Register write

An instruction instance i in state Plain(Write_reg(reg_name, reg_value, next_state)) can always do a reg_name register write. Action:

  1. add reg_name to i.reg_writes with deps and reg_value; and

  2. update the state of i to Plain(next_state).

where deps is a pair of the set of all read_sources from i.reg_reads, and a flag that is true iff i is a load instruction instance that has already been entirely satisfied.

Pseudocode internal step

An instruction instance i in state Plain(Internal(next_state)) can always do that pseudocode-internal step. Action: update the state of i to Plain(next_state).

Finish instruction

A non-finished instruction instance i in state Plain(Done) can be finished if:

  1. if i is a load instruction:

    1. all program-order-previous load-acquire instructions are finished;

    2. all program-order-previous fence instructions with .sr set are finished;

    3. for every program-order-previous fence.tso instruction, f, that is not finished, all load instructions that are program-order-before f are finished; and

    4. it is guaranteed that the values read by the memory load operations of i will not cause coherence violations, i.e., for any program-order-previous instruction instance i, let cfp be the combined footprint of propagated memory store operations from store instructions program-order-between i and i, and fixed memory store operations that were forwarded to i from store instructions program-order-between i and i including i, and let $\overline{\textit{cfp}}$ be the complement of cfp in the memory footprint of i. If $\overline{\textit{cfp}}$ is not empty:

      1. i has a fully determined memory footprint;

      2. i has no unpropagated memory store operations that overlap with $\overline{\textit{cfp}}$; and

      3. if i is a load with a memory footprint that overlaps with $\overline{\textit{cfp}}$, then all the memory load operations of i that overlap with $\overline{\textit{cfp}}$ are satisfied and i is non-restartable (see the transition for how to determined if an instruction is non-restartable).

      Here, a memory store operation is called fixed if the store instruction has fully determined data.

  2. i has a fully determined data; and

  3. if i is not a fence, all program-order-previous conditional branch and indirect jump instructions are finished.

Action:

  1. if i is a conditional branch or indirect jump instruction, discard any untaken paths of execution, i.e., remove all instruction instances that are not reachable by the branch/jump taken in instruction_tree; and

  2. record the instruction as finished, i.e., set finished to true.

Limitations