Relaxed Memory Model¶

The execution of a WebAssembly program gives rise to a trace of events. WebAssembly’s relaxed memory model constrains the observable behaviours of the program’s execution by defining a consistency condition on the trace of events.

Note

A relaxed memory model is necessary to describe the behaviour of programs exhibiting shared memory concurrency. WebAssembly’s relaxed memory model is heavily based on those of C/C++11 and JavaScript. The relaxed memory model described here is derived from the following article: 1.

Preliminary Definitions¶

\begin{array}{r} \begin{array}{rcl} time ({act}^{*} at {time}_{p} time) & = & time \\ {time}_{p} ({act}^{*} at {time}_{p} time) & = & {time}_{p} \\ loc ({rd}_{ord} loc {byte}^{*} {notears}^{?}) & = & loc \\ loc ({wr}_{ord} loc {byte}^{*} {notears}^{?}) & = & loc \\ loc (rmw loc {byte}_{1}^{*} {byte}_{2}^{*}) & = & loc \\ loc (wait loc s 64) & = & loc \\ loc (woken loc) & = & loc \\ loc (timeout loc) & = & loc \\ loc (notify loc u 32 u 32) & = & loc \\ ord ({rd}_{ord} loc {byte}^{*} {notears}^{?}) & = & ord \\ ord ({wr}_{ord} loc {byte}^{*} {notears}^{?}) & = & ord \\ ord (rmw loc {byte}_{1}^{*} {byte}_{2}^{*}) & = & seqcst \\ overlap ({act}_{1}, {act}_{2}) & = & (range ({act}_{1}) \cup range ({act}_{2}) \neq ϵ) \\ same ({act}_{1}, {act}_{2}) & = & (range ({act}_{1}) = range ({act}_{2})) \\ reading (act) & = & (read (act) \neq ϵ) \\ writing (act) & = & (write (act) \neq ϵ) \\ susp (u 32, wait reg [u 32] s 64) & = & wait reg [u 32] s 64 \\ susp (u 32, woken reg [u 32]) & = & woken reg [u 32] \\ susp (u 32, timeout reg [u 32]) & = & timeout reg [u 32] \\ susp (u 32, notify reg [u 32] {u 32}^{'} {u 32}^{″}) & = & notify reg [u 32] {u 32}^{'} {u 32}^{″} \\ susp (u 32, act) & = & ϵ (otherwise) \\ read ({rd}_{ord} loc {byte}^{*} {notears}^{?}) & = & {byte}^{*} \\ read (rmw loc {byte}_{1}^{*} {byte}_{2}^{*}) & = & {byte}_{1}^{*} \\ read (act) & = & ϵ (otherwise) \\ write ({wr}_{ord} loc {byte}^{*} {notears}^{?}) & = & {byte}^{*} \\ write (rmw loc {byte}_{1}^{*} {byte}_{2}^{*}) & = & {byte}_{2}^{*} \\ write (act) & = & ϵ (otherwise) \\ offset (act) & = & u 32 (if loc (act) = reg [u 32]) \\ sync ({act}_{1}, {act}_{2}) & = & (same ({act}_{1}, {act}_{2}) \land \\ ord ({act}_{1}) = ord ({act}_{2}) = seqcst) \\ range (act) & = & [u 32 \dots u 32 + n - 1] \\ (if loc (act) = reg [u 32] \land \\ n = \max (| read (act) |, | write (act) |)) \\ tearfree ({rd}_{ord} loc {byte}^{*}) & = & ⊥ (if ord = unord \lor ord = init) \\ tearfree ({wr}_{ord} loc {byte}^{*}) & = & ⊥ (if ord = unord \lor ord = init) \\ tearfree (act) & = & ⊤ (otherwise) \\ id (act) & = & act \end{array} \end{array}

The above operations on actions are raised to operations on events, indexed by region.

\begin{array}{r} \begin{array}{rcl} {func}_{reg} ({act}_{1}^{*} act {act}_{2}^{*} at {time}_{p} time) & = & func (act) \\ (if loc (act) = reg [u 32]) \\ {func}_{reg} ({act}_{1}^{*} act {act}_{2}^{*} at {time}_{p} time, \\ {act}_{3}^{*} {act}^{'} {act}_{4}^{*} at {time}_{p}^{'} {time}^{'}) & = & func (act, {act}^{'}) \\ (if loc (act) = loc ({act}^{'}) = reg [u 32]) \end{array} \end{array}

Traces¶

Todo

novel notation here?

A trace is a coinductive list of events. A trace is considered to be a pre-execution of a given global configuration if it represents the events emitted by the coinductive closure of the global reduction relation on that configuration, such that all of the trace’s consituent events have unique time stamps that are totally ordered according to the reduction order.

\begin{array}{r} \begin{array}{c} \begin{matrix} config ↪^{evt} {config}^{'} ⊢ {config}^{'} : tr \\ \forall {evt}^{'} \in tr, time ({evt}^{'}) ≺_{tot} time (evt) \end{matrix} \begin{array}{l} time (evt) \notin {time}^{*} (tr) \\ {time}_{p} (evt) \notin {time}_{p}^{*} (tr) \end{array} \\ ⊢ config : evt tr \end{array} \end{array}

When a WebAssembly program is executed, all behaviours observed during that execution must correspond to a single consistent pre-execution of that execution’s starting configuration.

Consistency¶

\frac{\forall reg, ⊢_{reg} tr consistent-with}{⊢ tr consistent}

\begin{array}{r} \frac{\begin{array}{c} \forall i, ⊢_{reg}^{i} tr suspensions-consistent \\ \forall {evt}_{R} \in {reading}_{reg} (tr), \exists {evt}_{W}^{*}, tr ⊢_{reg} {evt}_{R} reads-each-from {evt}_{W}^{*} \\ \forall {evt}_{I}, evt \in tr, {ord}_{reg} ({evt}_{I}) = init \land {evt}_{I} \neq evt \land overlap ({evt}_{I}, evt) \Rightarrow {evt}_{I} ≺_{hb} evt \end{array}}{⊢_{reg} tr consistent-with} \end{array}

\begin{array}{r} \frac{\begin{array}{c} | {evt}_{W}^{*} | = | {read}_{reg} ({evt}_{R}) | \\ \forall i < | {evt}_{W}^{*} |, tr ⊢_{reg}^{i} {evt}_{R} reads-from ({evt}_{W}^{*} [i]) \\ ⊢_{reg} {evt}_{R} no-tear {evt}_{W}^{*} \end{array}}{tr ⊢_{reg} {evt}_{R} reads-each-from {evt}_{W}^{*}} \end{array}

\begin{array}{r} \frac{\begin{array}{c} {evt}_{R} \neq {evt}_{W} \\ {evt}_{W} \in {writing}_{reg} (tr) \\ tr ⊢_{reg}^{i, k} {evt}_{R} value-consistent {evt}_{W} \\ tr ⊢_{reg}^{k} {evt}_{R} hb-consistent {evt}_{W} \\ tr ⊢_{reg} {evt}_{R} sc-last-visible {evt}_{W}^{*} \end{array}}{tr ⊢_{reg}^{i} {evt}_{R} reads-from {evt}_{W}} \end{array}

\begin{array}{r} \frac{\begin{array}{rcl} {read}_{reg} ({evt}_{R}) [i] & = & {write}_{reg} ({evt}_{W}) [j] \\ k = {offset}_{reg} ({evt}_{R}) + i & = & {offset}_{reg} ({evt}_{W}) + j \end{array}}{tr ⊢_{reg}^{i, k} {evt}_{R} value-consistent {evt}_{W}} \end{array}

\begin{array}{r} \frac{\begin{array}{c} \neg ({evt}_{R} ≺_{hb} {evt}_{W}) \\ {sync}_{reg} ({evt}_{W}, {evt}_{R}) \Rightarrow {evt}_{W} ≺_{hb} {evt}_{R} \\ \forall {evt}_{W}^{'} \in {writing}_{reg} (tr), {evt}_{W} ≺_{hb} {evt}_{W}^{'} ≺_{hb} {evt}_{R} \Rightarrow k \notin {range}_{reg} ({evt}_{W}^{'}) \end{array}}{tr ⊢_{reg}^{k} {evt}_{R} hb-consistent {evt}_{W}} \end{array}

\begin{array}{r} \frac{\begin{array}{ll} \forall {evt}_{W}^{'} \in {writing}_{reg} (tr), {evt}_{W} ≺_{hb} {evt}_{R} \Rightarrow \\ {evt}_{W} ≺_{tot} {evt}_{W}^{'} ≺_{tot} {evt}_{R} \land {sync}_{reg} ({evt}_{W}, {evt}_{R}) \Rightarrow \neg {sync}_{reg} ({evt}_{W}^{'}, {evt}_{R}) \\ {evt}_{W} ≺_{hb} {evt}_{W}^{'} ≺_{tot} {evt}_{R} \Rightarrow \neg {sync}_{reg} ({evt}_{W}^{'}, {evt}_{R}) \\ {evt}_{W} ≺_{tot} {evt}_{W}^{'} ≺_{hb} {evt}_{R} \Rightarrow \neg {sync}_{reg} ({evt}_{W}, {evt}_{W}^{'}) \end{array}}{tr ⊢_{reg} {evt}_{R} sc-last-visible {evt}_{W}} \end{array}

\begin{array}{r} \frac{\begin{array}{l} {tearfree}_{reg} ({evt}_{R}) \Rightarrow \\ | {{evt}_{W} \in {evt}_{W}^{*} | {same}_{reg} ({evt}_{R}, {evt}_{W}) \land {tearfree}_{reg} ({evt}_{W})} | \leq 1 \end{array}}{⊢_{reg} {evt}_{R} no-tear {evt}_{W}^{*}} \end{array}

\begin{array}{r} \frac{\begin{array}{c} {susp}_{reg}^{*} (i, tr) = {tr}^{'} ⊢_{reg}^{i} {tr}^{'} suspensions-consistent-with (ϵ) \\ \forall evt, {evt}^{'} \in {tr}^{'}, evt ≺_{tot} {evt}^{'} ⟹ evt ≺_{hb} {evt}^{'} \end{array}}{⊢_{reg}^{i} tr suspensions-consistent} \end{array}

\frac{}{⊢_{reg}^{i} ϵ suspensions-consistent-with ({time}^{*})}

\frac{{id}_{reg} (evt) = (wait reg [i] s 64) ⊢_{reg}^{i} tr suspensions-consistent-with (time (evt) {time}^{*})}{⊢_{reg}^{i} evt tr suspensions-consistent-with ({time}^{*})}

\frac{{id}_{reg} (evt) = (timeout reg [i]) ⊢_{reg}^{i} tr suspensions-consistent-with ({time}^{*} {time}^{' *})}{⊢_{reg}^{i} evt tr suspensions-consistent-with ({time}^{*} {time}_{p} (evt) {time}^{' *})}

\begin{array}{r} \frac{\begin{array}{c} {id}_{reg}^{n} ({evt}^{n}) = (woken reg [i]) {id}_{reg} ({evt}_{N}) = (notify reg [i] n k) \\ n < k ⟹ m = 0 ⊢_{reg}^{i} tr suspensions-consistent-with ({time}^{m}) \end{array}}{⊢_{reg}^{i} {evt}_{N} {evt}^{n} tr suspensions-consistent-with ({time}^{m} {time}_{p}^{n} ({evt}^{n}))} \end{array}

Note

The following is a non-normative and non-exhaustive explanation of WebAssembly’s relaxed memory model in plain English. Note that the definition of Consistency is the sole normative definition of the relaxed memory model.

When a WebAssembly operation reads from shared mutable state, the WebAssembly relaxed memory model determines the value that this read access observes, in terms of the write access to the same location(s) that have occurred in the execution.

The WebAssembly memory model is built around the concept of a happens-before transitive partial order between accesses of shared mutable state, $≺_{hb}$ , which captures a strong notion of causality. All sequential accesses in the same thread are related by $≺_{hb}$ according to execution order. Certain operations also establish a $≺_{hb}$ relation between operations of different threads (see atomic accesses below). A read access may never take its value from a write access that comes later in $≺_{hb}$ . Moreover, if two write accesses ordered by $≺_{hb}$ come before a read access in $≺_{hb}$ , the read access must take its value from the later of the two write accesses according to $≺_{hb}$ . In the case that $≺_{hb}$ does not uniquely determine a write access that a given read access must take its value from, the read access may non-deterministically take its value from any permitted write.

In the case that a read operation is a multi-byte memory access, the value of each byte may in certain circumstances be determined by a different write event. If this happens, we describe the read operation as tearing. In general, naturally aligned multi-byte reads are not allowed to tear, unless they race with a partially overlapping write or are greater than four bytes in width.

Most WebAssembly accesses of shared mutable state are classified as non-atomic. However a number of operations are classified as performing atomic accesses. Atomic accesses must always be naturally aligned. If an atomic read takes its value from an atomic write of the same width, the write access is fixed as coming before the read access in $≺_{hb}$ . This is the main mechanism by which a $≺_{hb}$ relation is established between threads.

WebAssembly’s atomic operations are also required to be sequentially consistent. The relaxed memory model defines a toal order on all events of the execution, $≺_{tot}$ , and sequentially consistent operations to identical ranges must respect this ordering - i.e. sequentially consistent reads cannot read from any sequentially consistent write of idential range other than the most recent preceding one according to $≺_{tot}$ .

Some operations such as memory accesses must perform a bounds check in addition to accessing data. The relaxed memory model treats these accesses as additionally accessing a distinguished length location, with the observed value respecting the constraints of the relaxed memory model. Most bounds checks are non-atomic, but bounds checks peformed during instantiation are atomic, and changes to the length (e.g. $memory . grow$ ) are modelled as atomic read-modify-write accesses.

In some circumstances, two accesses to overlapping locations may occur in an execution without any relation in $≺_{hb}$ . This situation is known as a race. If at least one of these accesses is a non-atomic write, we describe this situation as a data race. Unlike some other relaxed memory models, WebAssembly does not declare data races to be undefined behaviour. However, the allowed execution behaviours may still be highly non-deterministic as the lack of $≺_{hb}$ relations means that reads participating in or overlapping with the location of the data race may non-deterministically observe a number of different values.

The relaxed memory model also describes the concurrent behaviour of WebAssembly’s wait ( $memory . atomic . wait$ ) and notify ( $memory . atomic . notify$ ) operations. Each memory location is associated with a queue of waiting threads. A thread suspending as the result of a wait operation enters the queue, and a notify operation to that location will attempt to wake up as many threads as possible from the head of the associated queue, up to the maximum specified by the arguments of the notify operation. All operations on the same location which change the state of that location’s wait queue are sequentially consistent and totally ordered by $≺_{hb}$ .

1: The semantics of the relaxed memory model is derived from the following article: Conrad Watt, Andreas Rossberg, Jean Pichon-Pharabod. Weakening WebAssembly. Proceedings of the ACM on Programming Languages (OOPSLA 2019). ACM 2019.