Is Parallel Programming Hard, And, If So, What Can You Do About It?

F.16. CHAPTER E: FORMAL VERIFICATION 327any RCU read-side critical sections in the NMIhandler would lose their RCU protection.The possibility of NMI handlers, which, by definitioncannot be masked, does complicate this code.Quick Quiz E.8:But if line 7 finds that we are the outermostinterrupt, wouldn’t we always need to incrementdynticks_progress_counter?Answer:Not if we interrupted a running task! In that case,dynticks_progress_counter would have alreadybeen incremented by rcu_exit_nohz(), and therewould be no need to increment it again.why are they instead being modeled as single globalvariables?Answer:Because the grace-period code processes eachCPU’s dynticks_progress_counter andrcu_dyntick_snapshot variables separately,we can collapse the state onto a single CPU. If thegrace-period code were instead to do somethingspecial given specific values on specific CPUs, thenwe would indeed need to model multiple CPUs. Butfortunately, we can safely confine ourselves to twoCPUs, the one running the grace-period processingand the one entering and leaving dynticks-idlemode.Quick Quiz E.9:Can you spot any bugs in any of the code in thissection?Answer:Read the next section to see if you were correct.Quick Quiz E.10:Why isn’t the memory barrier in rcu_exit_nohz()and rcu_enter_nohz() modeled in Promela?Answer:Promela assumes sequential consistency, so it isnot necessary to model memory barriers. In fact,one must instead explicitly model lack of memorybarriers, for example, as shown in Figure E.13 onpage 251.Quick Quiz E.11:Isn’t it a bit strange to model rcu_exit_nohz()followed by rcu_enter_nohz()? Wouldn’t it bemore natural to instead model entry before exit?Quick Quiz E.13:Given there are a pair of back-to-back changes tograce_period_state on lines 25 and 26, how canwe be sure that line 25’s changes won’t be lost?Answer:Recall that Promela and spin trace out every possiblesequence of state changes. Therefore, timingis irrelevant: Promela/spin will be quite happy tojam the entire rest of the model between those twostatements unless some state variable specificallyprohibits doing so.Quick Quiz E.14:But what would you do if you needed the statementsin a single EXECUTE_MAINLINE() group to executenon-atomically?Answer:The easiest thing to do would be to put eachsuch statement in its own EXECUTE_MAINLINE()statement.Answer:It probably would be more natural, but we will needthis particular order for the liveness checks that wewill add later.Quick Quiz E.12:Wait a minute! In the Linux kernel,both dynticks_progress_counter andrcu_dyntick_snapshot are per-CPU variables. SoQuick Quiz E.15:But what if the dynticks_nohz() process had“if” or “do” statements with conditions, wherethe statement bodies of these constructs needed toexecute non-atomically?Answer:One approach, as we will see in a later section, isto use explicit labels and “goto” statements. Forexample, the construct: