semantics of black_box and clobber in the memory model

[gnzlbg]

I've just closed rust-lang/rfcs#2360 due to @rkruppe's input that by trying to specify what black_box and clobber do there the RFC is basically specifying a subset of the memory model.

So I'd like to ask feedback for these here first.

The specification in the RFC is very loose. mem::black_box(x) is specified as follows:

• writes the address of x to memory
• reads all memory
• writes all memory

while mem::clobber():

• reads all memory
• writes all memory

where I have no idea how to specify memory but @rkruppe came up with a minimal example that helps:

{
    let tmp = x;
    clobber();
}

Here, the compiler is allowed to optimize the store of x to tmp away, because the only code that has the address of tmp is in that scope, and that code does not read or write from tmp. In the specification of clobber, when it states "read/write from/to all memory", "memory" does not refer to tmp. However, if I change the example to:

{
    let tmp = x;
    black_box(&tmp);
    clobber();
}

in this case clobber() requires the store of x to tmp to be live, because black_box has written the address of tmp to "memory", and thus the "read/write to/from memory" in clobber can do something with tmp.

So a big question I have is what is "memory" here, and how does tmp in the first example differs from the rest?

I don't know how these could make sense in Rust memory model, what the wording for their specification should be, and I am barely qualified to follow the discussion at all. The RFC contains more information, and lots of godbolt links, but black_box and clobber proposed implementaiton is this:

#[inline(always)]
fn clobber() {
    unsafe { asm!("" : : : "memory" : "volatile") };
}

#[inline(always)]
fn black_box<T>(x: T) -> T {
    unsafe {
        asm!("" // template
          : // output operands
          : "r"(&x) // input operands
          // r: any general purpose register
          : "memory"    // clobbers all memory
          : "volatile"  // has side-effects
        );
        x
    }
}

Also, @rkruppe asked:

I'd like to know the difference between this and compiler_fence(SeqCst)

To which @nagisa answered:

The difference between asm! with a memory clobber and compiler_fence exists in the fact, that memory clobber requires compiler to actually reload the memory if they want to use it again (as memory is… clobbered – considered changed), whereas compiler_fence only enforces that memory accesses are not reordered and the compiler still may use the usual rules to figure that it needn’t to reload stuff.

---

cc @rkruppe @nagisa

[strega-nil]

These functions, by definition, are no-ops to the virtual machine. All they are, are hints to the optimizer. The definition of these functions is implementation-defined. It's similar to the volatile semantics of C++.

[hanna-kruppe]

I tend to agree to that positon, though then their docs need to be much more carefully worded, and they may not make sense to put in std. But the underlying questions -- what the effects of asm!(... "memory") and asm!(... "memory" : "volatile") are, for example -- are relevant for other unsafe code as well. The answers to that will also influence how robust the proposed implementation is under optimizer improvements.

[strega-nil]

@rkruppe It is all implementation defined. Defining asm in a cross-platform way seems... nearly impossible. This would be a question for rustc, not for the memory model. volatile semantics get into codegen on specific platforms, which would be impossible to specify in a useful way, imo. (that's not to say we shouldn't specify it, just that the memory model is not the correct place to specify it)

[hanna-kruppe]

Defining asm in a cross-platform way is nonsense, sure. But its interactions (edit: or more specifically, the interactions of any loads and stores that may be made from the inline asm) with surrounding loads and stores? That seems perfectly possible (disclaimer: after having thought like two minutes about it).

[strega-nil]

@rkruppe what could we define? Beyond it being UB to store to a memory location you don't have mutable access to, or load from a memory location you don't have access to, and it being fine to not do that. Assembler is completely outside the bounds of a reasonable memory model - the best you can do is treat it as any other linked thing, and force the visible effects of the "call" to be valid under the Rust object/memory model.

[hanna-kruppe]

@ubsan That's pretty much what I was thinking of and it's already something more useful than "it's all implementation defined"! Saying precisely which memory locations the inline asm can and can't affect already tells us in which cases it can't possibly block optimizations, and (looking beyond the scope of clobber) makes quite a few "misuses" of inline asm unambigiously UB rather than being all implementation-defined.

[strega-nil]

@rkruppe Yeah, fair. I'd define it similarly to how it'd be defined to call out to C with. for black_box and clobber in specific, since they're hints to the optimizer and not side effecting in any way, it's not necessary to really define anything wrt them. Perhaps clobber should only be callable on valid objects which are reachable and mutable(?) in the current context? And I don't think it should deal with atomics in any way, shape, or form.

[gnzlbg]

Perhaps clobber should only be callable on valid objects which are reachable and mutable(?) in the current context?

@ubsan mem::clobber() takes no arguments :/

[strega-nil]

@gnzlbg oh. Then there's like, literally nothing that clobber does in the memory model, besides being a side effect (maybe?)

[gnzlbg]

It's a side-effect that reads all memory and does something observable with it - but it does not alter any memory that the program can observe.

[hanna-kruppe]

[clobber] does not alter any memory that the program can observe

This is off-topic but I keep forgetting to point it out so I'll do it now: that's not what clobbering usually means, and not what asm!(... : "memory") means. (And FWIW it's not what the Google Benchmark function ClobberMemory referenced in the RFC does, either.) I don't know if that's really what one would want for benchmarking, but either change your definition or don't call it clobber.

[strega-nil]

@rkruppe clobber means "the optimizer cannot assume that any memory before this point wasn't changed by the call to clobber", no?

[hanna-kruppe]

@ubsan When applied to "memory as a whole", yes -- the term is also commony applied to specific memory locations and to registers. Although in the context of inline asm I wouldn't call it a an optimizer hint. But I don't know what @gnzlbg has envisioned for the proposed function in std::mem. (Sorry, I should have laid all this in the previous post.)

[gnzlbg]

@rkruppe

Yes, sorry for the confusion, the RFC currently gives it the

"the optimizer cannot assume that any memory before this point wasn't changed by the call to clobber"

semantics, so it makes sense to me to call that clobber.

For the purpose of benchmarking, clobber is heavier weight than what's actually needed, and what is needed is actually what I mentioned above:

It's a side-effect that reads all memory and does something observable with it - but it does not alter any memory that the program can observe.

Sorry for calling that clobber, that was a mistake. I don't know what we can call that, maybe mem::read_volatile / mem::read_all / mem::flush .

Sorry again for the confusion.

[gnzlbg]

So what would the std docs be allowed to say about black_box and clobber?

• black_box: prevents the result value of an expression from being optimized away - no mention of reads value x, all memory, and writes to all memory with side-effects.
• clobber: inserts an unspecified side-effect - no mention of flushing, reading/writing all memory with side-effects