How herd Works

July 26, 2016

This article was contributed by Jade Alglave, Paul E. McKenney, Alan Stern, Luc Maranget, Andrea Parri and TBD

The herd program reads in a litmus test and evaluates it according to a memory model. The model is contained in a .cat file specified by the “-model” command-line option (or a “model” line in the configuration file) plus an optional .bell file specified by the “-bell” option (or a “bell” line in the configuration file). The Bell file, if present, gets processed first. Both files consist of statements in the cat language, and herd treats them almost identically—the only real difference is that the Bell file is allowed to contain “instructions” statements but the Cat file is not. (The “instructions” statement defines tags which can decorate elementary operations. For instance, one such statement might specify that a barrier operation can be decorated with an “mb” tag, which could indicate that the operation is a full memory barrier.) Typically a Bell file is used for common code that is shared among multiple models, where each model would have its own Cat file.

After loading the Bell and Cat files, herd parses the litmus-test program. The program may contain macros (for instance, “smp_mb()”) which are expanded to internal constructs (such as a barrier with an “mb” tag). The mapping from user-level macros to internal constructs is defined in a file like linux.def that is specified by the “-macros” command-line option (or a “macros” line in the configuration file).

Next, herd interprets the program by constructing a list of events for each thread. For programs written in a high-level language like C, this involves breaking statements and expressions down into a series of elementary operations (read, write, arithmetic/logic on registers, branch, and so on); for programs in assembly language, the individual instructions generally correspond directly to these operations. However, atomic read-modify-write instructions always get represented by two operations, a read and a write, linked by the built-in rmw relation.

The events are organized as one list per thread, in program order. This is not always straightforward, because of a subtle but important fact: “Program order” refers to the order of instructions as they are presented to the processor's execution unit, not their order in the program's source or object code. While the two orders are often the same, they will differ when branches are present. A forward branch causes some instructions to be left out of the event list, and a backward branch can cause some instructions to be repeated in the list.

Since it is not known in advance whether a conditional branch will be taken, each such branch causes herd to generate two event lists: one in which the branch is taken and one in which it isn't. Thus, a program containing two conditional branches will give rise to four lists, a program containing three will give rise to eight, and so on. The po relation then refers to the order of the events in an individual list, and herd has to test each list separately, as a possible program execution.

When the program contains a loop, a conditional branch may be taken an indefinitely large number of times. In this situation the number of possible executions would quickly get out of hand, so there is a limit on how many times herd will allow a particular branch to appear in an execution (specified by the “-unroll” command-line option), typically set to 2. Executions with a higher number of iterations simply will not be considered.

Then, given a candidate execution, herd has to determine, for each read event, which write event stored the value that the read will retrieve. Again, there's no way to know this in advance, so if a program has more than one write to a particular variable, herd has to try all possible combinations for the rf relation. Just as with conditional branches, this can lead to exponential growth in the number of possible executions to be tested.

As part of its processing of a candidate execution, herd carries out a dataflow analysis of the values computed and stored in the local variables (or CPU registers) for each thread. This analysis gets used in several ways:

  • herd checks each conditional branch, making sure that the branch's condition is true if and only if the execution has decided to take the branch.
  • herd checks the target address of each indirect memory access (i.e., access through a pointer or relative to a CPU register), making sure that the rf relation really does link writes and reads to the same target address.
  • herd determines exactly what data, address, or control dependencies exist between memory-access events. These dependencies are made available to the model through the built-in data, addr, and ctrl relations.
As an example of this last point, given the statement
WRITE_ONCE(*x, READ_ONCE(*y));
in the litmus-test program, herd would break it down into two events:
rtemp = READ_ONCE(*y)
WRITE_ONCE(*x, rtemp)
(where rtemp is a temporary local variable), and it would add a link
rtemp = READ_ONCE(*y)WRITE_ONCE(*x, rtemp)
to the data relation.

Finally, once a particular choice for the po and rf relations has been settled on, the execution checks out okay, and the data, addr, and ctrl relations have been set up, herd runs the statements in the Bell and Cat files to see whether the memory model considers the candidate execution to be allowed. If any of the model's checks fail, the execution is abandoned. Otherwise, herd evaluates the logical assertion at the end of the litmus test. It keeps track of the number of allowed executions for which the assertion is true and the number for which it is false; these are the numbers reported at the end in herd's output.

Unlike po and rf, the co relation is not built-in. It has to be computed explicitly by the memory model. In practice this is done by the cos.cat file, which is included near the start of the model's Cat file (see for example line 3 in each of the two RMO memory-model files above). This involves another potentially exponential computation, because it is necessary to try all possible orderings of the write accesses to each variable.

herd works in terms of sets of events and relations between events. (A relation is a collection of ordered pairs of events; you can think of each ordered pair as a link going from the first event in the pair to the second.) The cat language used in the Bell and Cat files is rich in operators for constructing and testing these sets and relations.

To begin with, herd has a number of built-in sets used for classifying events. Each event is automatically added to the appropriate sets.

Name Contents Comment
R Read events
W Write events
IW Initial Write events “writes” that set a variable's initial value
FW Final Write events values that are tested in the final assertion
M Memory access events same as “R | W
B Branch events
RMW Read-Modify-Write events the component events of an atomic RMW instruction
F Fence events also known as Barrier events
_ All events wildcard

In addition, using the “enum” and “instructions” statements, a Bell file can define an enumerated list of tag values and specify that instructions of a specific kind must be labelled with one of these tags. herd then creates a set for each tag value; the name of the set is the same as the name of the tag but with the first letter capitalized, and the set contains all events generated from instructions labelled by the corresponding tag. For example, the following cat code:

enum Accesses = 'once || 'release || 'acquire || 'deref
instructions R[{'once,'acquire,'deref}]
defines a bunch of Accesses tags, and says that all read (“R”) instructions should be labelled with a “once”, an “acquire”, or a “deref” tag. Given this, the “Once” set would contain all events corresponding to an instruction (possibly a read, possibly something else) labelled with the “once” tag, and similarly for the “Release”, “Acquire” and “Deref” sets.

herd also comes with a selection of built-in relations, some of which we have already mentioned:

Name Relation Comment
0 Empty empty relation, contains no links
id Identity links each event to itself
int Internal links events that are in the same thread
ext External links events that are in different threads
loc Location links memory-access events that target the same variable
rf Reads-From links a write event to any read event that loads the value stored by that write
rmw Read-Modify-Write links the read and write component events of an RMW instruction
po Program Order links events in the same thread, in the order they occur in the instruction stream
addr Address dependency links a read event to any memory-access event whose target address depends on the value loaded by the read
ctrl Control dependency links a read event to all events that are executed conditionally depending on the value loaded by the read
data Data dependency links a read event to any write event that stores a value which depends on the value loaded by the read

herd's standard libraries stdlib.cat (automatically included for all models) and cos.cat define a few extra relations, which can be used as though they were built-in:

Name Relation Comment
po-loc po for the same location links memory-access events that target the same variable, in program order; same as “po & loc
rfe external reads-from rf restricted to pairs of accesses in different threads; same as “rf & ext
rfi internal reads-from rf restricted to pairs of accesses in the same thread; same as “rf & int
co coherence order total ordering of all writes to the each variable
coe external coherence order co restricted to pairs of writes in different threads; same as “co & ext
coi internal coherence order co restricted to pairs of writes in the same thread; same as “co & int
fr from-read links a read event to any write event for the same variable that comes after (in the variable's coherence order) the write which the read event reads from; same as “rf^-1 ; co
fre external from-read fr restricted to pairs of accesses in different threads; same as “fr & ext
fri internal from-read fr restricted to pairs of accesses in the same thread; same as “fr & int

Bell and Cat files can compute their own sets and relations using functions and operators provided by the cat language and libraries, as summarized in the following table. Operators with higher precedence (tighter binding) are higher up in the table.

Operator Operation Example Applicability
domain Domain of a relation domain(x)
computes the set of all events that are the start of a link in x
Applies to a relation, yields a set
range Range of a relation range(x)
computes the set of all events that are the end of a link in x
Applies to a relation, yields a set
fencerel Link events separated by a fence fencerel(x)
computes the relation consisting of all pairs of events where the first precedes (in program order) an event in the set x and the second follows it; the same as “(po & (_ * x)) ; po
Applies to a set, yields a relation
Postfix ^-1 Inversion x^-1
computes the relation obtained by reversing all the links in x
Applies to a relation
Postfix ? Reflexive closure x?
computes the relation consisting of all pairs of events that can be connected by a chain of links from x of length 0 or 1; the same as “id | x
Applies to a relation
Postfix + Transitive closure x+
computes the relation consisting of all pairs of events that can be connected by a chain of links from x of length 1 or greater; the same as “x | (x;x) | (x;x;x) | ...
Applies to a relation
Postfix * Reflexive-transitive closure x*
computes the relation consisting of all pairs of events that can be connected by a chain of links from x of length 0 or greater; the same as “id | x | (x;x) | (x;x;x) | ...
Applies to a relation
Prefix ~ Complement ~x
computes the relation (or set) consisting of all links (or events) not in x
Applies to a relation or a set
Infix * Cartesian product x * y
computes the relation consisting of all links from an event in set x to an event in set y
Applies to sets, yields a relation
\ Difference x \ y
computes the relation (or set) consisting of all links (or events) in x that are not in y
Applies to relations or sets
& Intersection x & y
computes the relation (or set) consisting of all links (or events) in both x and y
Applies to relations or sets
; Sequencing x ; y
computes the relation consisting of all links a⟶c such that for some event b, x contains a⟶b and y contains b⟶c
Applies to relations
| Union x | y
computes the relation (or set) consisting of all links (or events) in x or y or both
Applies to relations or sets
(* *) Encloses comments (* This is a comment *)

Although the language includes a variety of statement types, the ones found most frequently in Bell and Cat files are assignment (“let” or “let rec”) and check statements. “let” statements are self-explanatory; we have already seen several examples in the RMO memory models above. “let rec” statements, used for mutually recursive definitions, are more complex; we will see an example here. Check statements come in three forms:

  • acyclic <expr>” requires the relation computed from “expr” not to have any cycles;
  • irreflexive <expr>” requires the relation computed from “expr” not to have any links from an event to itself;
  • empty <expr>” requires the set or relation computed from “expr” to be empty.
If a check fails, it indicates that the memory model prohibits the candidate execution under consideration; that is, the memory model says that this execution could never occur.

A check can be negated by prefixing it with “~”. Also, a check can be flagged by putting the “flag” keyword in front of it. Unlike a normal check, when a flagged check succeeds it indicates that the execution has encountered some sort of semantic problem. If this happens, herd adds a warning message to its output.

Along with the “let”, “include”, and check statements, the only other types of statement we will see are “enum” and “instructions”, both briefly mentioned earlier.

The cat language supports many features we won't cover here, including higher-order sets and tuples, pattern matching, user-defined functions, iteration, and recursion in the style of OCaml (the language herd is written in). herd itself also has a large number of features we won't discuss, such as the ability to skip certain checks when testing a memory model or to produce figures (like the ones in this document) illustrating the events and relations in a particular program execution. More complete documentation can be found in the herd manual.

With this background, we are ready to examine larger, more realistic memory models. Something like the Linux-kernel memory models, in fact.