[[sec:herd]] == Formal Axiomatic Specification in Herd The tool [.sans-serif]#herd# takes a memory model and a litmus test as input and simulates the execution of the test on top of the memory model. Memory models are written in the domain specific language Cat. This section provides two Cat memory model of RVWMO. The first model, Figure #fig:herd2[[fig:herd2]], follows the _global memory order_, Chapter #ch:memorymodel[[ch:memorymodel]], definition of RVWMO, as much as is possible for a Cat model. The second model, Figure #fig:herd3[[fig:herd3]], is an equivalent, more efficient, partial order based RVWMO model. The simulator [.sans-serif]#herd# is part of the [.sans-serif]#diy# tool suite — see http://diy.inria.fr for software and documentation. The models and more are available online at http://diy.inria.fr/cats7/riscv/. ` ` .... (*************) (* Utilities *) (*************) (* All fence relations *) let fence.r.r = [R];fencerel(Fence.r.r);[R] let fence.r.w = [R];fencerel(Fence.r.w);[W] let fence.r.rw = [R];fencerel(Fence.r.rw);[M] let fence.w.r = [W];fencerel(Fence.w.r);[R] let fence.w.w = [W];fencerel(Fence.w.w);[W] let fence.w.rw = [W];fencerel(Fence.w.rw);[M] let fence.rw.r = [M];fencerel(Fence.rw.r);[R] let fence.rw.w = [M];fencerel(Fence.rw.w);[W] let fence.rw.rw = [M];fencerel(Fence.rw.rw);[M] let fence.tso = let f = fencerel(Fence.tso) in ([W];f;[W]) | ([R];f;[M]) let fence = fence.r.r | fence.r.w | fence.r.rw | fence.w.r | fence.w.w | fence.w.rw | fence.rw.r | fence.rw.w | fence.rw.rw | fence.tso (* Same address, no W to the same address in-between *) let po-loc-no-w = po-loc \ (po-loc?;[W];po-loc) (* Read same write *) let rsw = rf^-1;rf (* Acquire, or stronger *) let AQ = Acq|AcqRel (* Release or stronger *) and RL = RelAcqRel (* All RCsc *) let RCsc = Acq|Rel|AcqRel (* Amo events are both R and W, relation rmw relates paired lr/sc *) let AMO = R & W let StCond = range(rmw) (*************) (* ppo rules *) (*************) (* Overlapping-Address Orderings *) let r1 = [M];po-loc;[W] and r2 = ([R];po-loc-no-w;[R]) \ rsw and r3 = [AMO|StCond];rfi;[R] (* Explicit Synchronization *) and r4 = fence and r5 = [AQ];po;[M] and r6 = [M];po;[RL] and r7 = [RCsc];po;[RCsc] and r8 = rmw (* Syntactic Dependencies *) and r9 = [M];addr;[M] and r10 = [M];data;[W] and r11 = [M];ctrl;[W] (* Pipeline Dependencies *) and r12 = [R];(addr|data);[W];rfi;[R] and r13 = [R];addr;[M];po;[W] let ppo = r1 | r2 | r3 | r4 | r5 | r6 | r7 | r8 | r9 | r10 | r11 | r12 | r13 .... ` ` .... Total (* Notice that herd has defined its own rf relation *) (* Define ppo *) include "riscv-defs.cat" (********************************) (* Generate global memory order *) (********************************) let gmo0 = (* precursor: ie build gmo as an total order that include gmo0 *) loc & (W\FW) * FW | # Final write after any write to the same location ppo | # ppo compatible rfe # includes herd external rf (optimization) (* Walk over all linear extensions of gmo0 *) with gmo from linearizations(M\IW,gmo0) (* Add initial writes upfront -- convenient for computing rfGMO *) let gmo = gmo | loc & IW * (M\IW) (**********) (* Axioms *) (**********) (* Compute rf according to the load value axiom, aka rfGMO *) let WR = loc & ([W];(gmo|po);[R]) let rfGMO = WR \ (loc&([W];gmo);WR) (* Check equality of herd rf and of rfGMO *) empty (rf\rfGMO)|(rfGMO\rf) as RfCons (* Atomicity axiom *) let infloc = (gmo & loc)^-1 let inflocext = infloc & ext let winside = (infloc;rmw;inflocext) & (infloc;rf;rmw;inflocext) & [W] empty winside as Atomic .... ` ` .... Partial (***************) (* Definitions *) (***************) (* Define ppo *) include "riscv-defs.cat" (* Compute coherence relation *) include "cos-opt.cat" (**********) (* Axioms *) (**********) (* Sc per location *) acyclic co|rf|fr|po-loc as Coherence (* Main model axiom *) acyclic co|rfe|fr|ppo as Model (* Atomicity axiom *) empty rmw & (fre;coe) as Atomic ....