# Repairing Sequential Consistency in C/C++11

Ori Lahav<sup>1</sup> Viktor Vafeiadis<sup>1</sup> Jeehoon Kang<sup>2</sup> Chung-Kil Hur<sup>2</sup> Derek Dreyer<sup>1</sup>

<sup>1</sup>Max Planck Institute for Software Systems (MPI-SWS)

<sup>2</sup>Seoul National University

**PLDI 2017** 

#### 

#### Access modes

```
\begin{array}{cccc} \text{non-} & & \text{release/} \\ \text{atomic} & & & \text{acquire} \end{array} \quad \Box \quad \text{sc}
```

#### Message passing

```
x :=_{sc} 1; a := y_{sc}; //1

y :=_{sc} 1; b := x_{sc}; //0 \approx x :=_{rlx} 1; a := y_{acq}; //1

y :=_{rel} 1; b := x_{rlx}; //0
```

#### Store buffer

#### Access modes

```
\begin{array}{cccc} \text{non-} & & & \text{release/} \\ \text{atomic} & & & & & \\ \end{array}
```

#### Message passing

```
x :=_{sc} 1; \quad a := y_{sc}; \quad 1 \\ y :=_{sc} 1; \quad b := x_{sc}; \quad 0 \cong \quad x :=_{rlx} 1; \quad a := y_{acq}; \quad 1 \\ y :=_{rel} 1; \quad b := x_{rlx}; \quad 0
```

#### Store buffer







1. SC semantics is too strong (new correctness problem!)

We show how to get SC semantics just right!

2. SC semantics is too weak (SC-fences)

Sto

3. Out-of-thin-air reads (relaxed accesses)



1. SC semantics is too strong (new correctness problem!)

We show how to get SC semantics just right!

2. SC semantics is too weak (SC-fences)

Story

3. Out-of-thin-air reads (relaxed accesses)

Example due to Yatin Manerkar et al. [CoRR abs/1611.01507]

C/C++11: behavior disallowed

Example due to Yatin Manerkar et al. [CoRR abs/1611.01507]

C/C++11: behavior disallowed

| Compilation of $C/C++11$ to Power |                                                  |                      |                                                                                |
|-----------------------------------|--------------------------------------------------|----------------------|--------------------------------------------------------------------------------|
|                                   | $\mathtt{R}^{\mathtt{rlx}} \mapsto$              | ld                   | $	exttt{W}^{	exttt{rlx}} \mapsto 	exttt{st}$                                   |
|                                   | $\mathtt{R}^{\mathtt{acq}} \mapsto$              | <pre>ld;lwsync</pre> | $	exttt{W}^{	exttt{rel}} \mapsto 	exttt{lwsync;st}$                            |
| Leading sync:                     | $\mathtt{R}^{\mathtt{sc}} \mapsto \mathtt{sync}$ | c;ld;lwsync          | $\mathtt{W^{sc}} \; \mapsto \; sync; \mathtt{st}$                              |
| Trailing sync:                    | $\mathtt{R}^{\mathtt{sc}} \; \mapsto \;$         | ld; sync             | $\mathtt{W}^{\mathtt{sc}} \mapsto \mathtt{lwsync}; \mathtt{st}; \mathtt{sync}$ |

Example due to Yatin Manerkar et al. [CoRR abs/1611.01507]

C/C++11: behavior disallowed

```
\begin{tabular}{c|cccc} $Compilation of $C/C++11$ to Power & $R^{rlx} \mapsto & ld & $W^{rlx} \mapsto & st \\ \hline $R^{acq} \mapsto & ld; lwsync & $W^{rel} \mapsto lwsync; st$ \\ \hline $Leading sync: $R^{sc} \mapsto sync; ld; lwsync & $W^{sc} \mapsto sync; st$ \\ \hline $Trailing sync: $R^{sc} \mapsto & ld; sync & $W^{sc} \mapsto lwsync; st; sync$ \\ \hline \end{tabular}
```

Compilation result with "trailing sync" convention:

```
a := x;  // 1
lwsync;
b := y;  // 0
sync;
x := 1;
sync;
y := 1;
lwsync;
d := x;  // 0
sync;
```

Power: behavior allowed

## Other examples show unsoundness of:

- ► Leading sync compilation (implemented in GCC and LLVM)
- ▶ Placing sync both before and after SC-accesses

In order to recover the correctness of existing compilers, we suggest to weaken the standard.

```
a := x_{acq}; //1 
 b := y_{sc}; //0  | x :=_{sc} 1; | y :=_{sc} 1; | c := y_{acq}; //1 
 <math>d := x_{sc}; //0
```





program order

$$a := x_{acq}; \ //1 \ b := y_{sc}; \ //0 \ || \ x :=_{sc} 1; \ || \ y :=_{sc} 1; \ || \ c := y_{acq}; \ //1 \ d := x_{sc}; \ //0$$



program order

## Stage 0: choose reads-from

Every read reads from a corresponding write.



program order

reads from

## Stage 0: choose reads-from

Every read reads from a corresponding write.



program order

reads from





program order

reads from

happens-before



```
a := x_{acq}; \ //1 \ b := y_{sc}; \ //0 \ | \ x :=_{sc} 1; \ | \ y :=_{sc} 1; \ | \ c := y_{acq}; \ //1 \ d := x_{sc}; \ //0
```



program order

reads from
happens-before









```
a := x_{\text{acq}};  /\!\!/ 1 
b := y_{\text{sc}};  /\!\!/ 0 
x :=_{\text{sc}} 1;  |\!\!| y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
d := x_{\text{sc}};  /\!\!/ 0 
x :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!/ 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!| 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!| 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!| 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!| 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!| 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!| 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!| 1 
y :=_{\text{sc}} 1;  |\!\!| c := y_{\text{acq}};  /\!\!| 1 
y :=_{\text{sc}} 1;  |\!\!| c :=_{\text{sc}} 1;  |\!\!| c :=_{\text{sc}} 1;  |\!\!| c :=_{\text{sc}} 1;  |\!\!| c
```





program order
reads from
happens-before
sc-per-loc

#### Stage 3: global restrictions on SC-accesses

Order all SC-accesses while respecting:

$$a: *^{\operatorname{sc}} \xrightarrow{\operatorname{hb}} b: *^{\operatorname{sc}} \qquad a: *^{\operatorname{sc}}_{\times} \xrightarrow{\operatorname{sc-per-loc}} b: \mathbb{W}_{\times}^{\operatorname{sc}}$$

$$a : *^{\operatorname{sc}} \xrightarrow{\operatorname{hb}} b : *^{\operatorname{sc}} \xrightarrow{\operatorname{sc-per-loc}} b: \mathbb{W}_{\times}^{\operatorname{sc}}$$

$$a := x_{acq}; \ //1 \ b := y_{sc}; \ //0 \ || \ x :=_{sc} 1; \ || \ y :=_{sc} 1; \ || \ c := y_{acq}; \ //1 \ d := x_{sc}; \ //0$$



program order
reads from
happens-before
sc-per-loc
sc-order

#### Stage 3: global restrictions on SC-accesses

Order all SC-accesses while respecting:

$$a: *^{\operatorname{sc}} \xrightarrow{\operatorname{hb}} b: *^{\operatorname{sc}} \qquad a: *^{\operatorname{sc}}_{x} \xrightarrow{\operatorname{sc-per-loc}} b: W_{x}^{\operatorname{sc}}$$

$$a : *^{\operatorname{sc}} \xrightarrow{\operatorname{bb}} b : W_{x}^{\operatorname{sc}} \xrightarrow{\operatorname{sc-order}} b$$



C/C++11: behavior disallowed

program order reads from happens-before sc-per-loc sc-order

#### Stage 3: global restrictions on SC-accesses

Order all SC-accesses while respecting:



C/C++11: behavior disallowed





reads from
happens-before
sc-per-loc
sc-order

C/C++11: behavior disallowed

```
\frac{a: *^{\text{sc}} \xrightarrow{\text{hb}} b: *^{\text{sc}}}{a \xrightarrow{\text{sc-order}} b}
```

▶ There are hb-paths between SC-accesses without sync fence in between.



program order
reads from
happens-before
sc-per-loc
sc-order

C/C++11: behavior disallowed

- ▶ There are hb-paths between SC-accesses without sync fence in between.
- Both compilation schemes ensure a sync fence on hb-paths between SC-accesses that start and end with "program order".



reads from
happens-before
sc-per-loc
sc-order

C/C++11: behavior disallowed



- ▶ There are hb-paths between SC-accesses without sync fence in between.
- Both compilation schemes ensure a sync fence on hb-paths between SC-accesses that start and end with "program order".



C/C++11: behavior disallowed



- ▶ There are hb-paths between SC-accesses without sync fence in between.
- Both compilation schemes ensure a sync fence on hb-paths between SC-accesses that start and end with "program order".



C/C++11: behavior disallowed



- ▶ There are hb-paths between SC-accesses without sync fence in between.
- Both compilation schemes ensure a sync fence on hb-paths between SC-accesses that start and end with "program order".



- ▶ There are hb-paths between SC-accesses without sync fence in between.
- Both compilation schemes ensure a sync fence on hb-paths between SC-accesses that start and end with "program order".

## Results

## The fixed model is not too strong:

- correctness of existing compilation schemes
  - ▶ Power/ARMv7 (Alglave et al. '14): leading/trailing sync
  - x86-TSO: mfence after-SC-writes/before-SC-reads
- soundness of compiler optimizations

#### The fixed model is not too weak:

- DRF theorem (without relaxed accesses)
- coincides with C11 when SC-accesses are to distinguished locations

## **SC-fences**

## Store buffer

$$x := 1;$$
  
 $a := y;$  // 0 ||  $y := 1;$   
 $b := x;$  // 0

How to guarantee only SC behaviors (i.e.,  $a = 1 \lor b = 1$ )?

$$x :=_{sc} 1;$$
  $y :=_{sc} 1;$   $z :=_{rlx} 1;$ 

## Semantics of SC-fences is too weak!

► SC-fences, even when placed between every two accesses, do not restore SC.

## Example

- ► Algorithm designers may have to unnecessarily strengthen access modes, leading to redundant hardware fences.
  - ► Chase-Lev concurrent deque [Lê et al. '13]: "unrecoverable overheads" in the interaction between atomic operations and memory barriers in C11.

## Stronger semantics for SC fences

#### Global restrictions on SC-fences

Order all SC-fences while respecting:

$$a: F^{\text{sc}} \xrightarrow{\text{hb}} b: F^{\text{sc}}$$

$$a: F^{\text{sc}} \xrightarrow{\text{hb}} *_{x} \xrightarrow{\text{sc-per-loc}} *_{x} \xrightarrow{\text{hb}} b: F^{\text{sc}}$$

$$a \xrightarrow{\text{sc-order}} b$$

$$a \xrightarrow{\text{sc-order}} b$$

- ▶ We prove the correctness of existing compilation schemes and compiler optimizations for the strengthened model.
- ► SC-fences between every two accesses suffice to restore SC (assuming no data races on non-atomics).

# Thin-air conservative solution

#### The out-of-thin-air problem

Relaxed accesses are overly weak:

► Values appear out-of-thin-air

▶ DRF is broken

#### Load-buffering + data dependency

$$a := x_{rlx}; //1$$
  $b := y_{rlx}; //1$   $y :=_{rlx} a;$   $x :=_{rlx} b;$ 

#### Load-buffering + control dependency

```
egin{aligned} a := x_{	ext{rlx}}; \ \# 1 \ & \text{if } (a = 1) \ & y :=_{	ext{rlx}} 1; \end{aligned} \qquad egin{aligned} b := y_{	ext{rlx}}; \ \# 1 \ & \text{if } (b = 1) \ & x :=_{	ext{rlx}} 1; \end{aligned}
```

#### Thin-air conservative solution

#### The out-of-thin-air problem

Relaxed accesses are overly weak:

► Values appear out-of-thin-air

▶ DRF is broken

#### Load-buffering + data dependency

$$a := x_{rlx}; \ /\!\!/ 1$$
  $y :=_{rlx} a;$   $m > 1$   $m > 1$   $m > 2$   $m > 3$   $m >$ 

#### ${\sf Load\text{-}buffering} + {\sf control} \ {\sf dependency}$

```
a := x_{rlx}; \ /\!\!/ 1

if (a = 1)

y :=_{rlx} 1;

b := y_{rlx}; \ /\!\!/ 1

if (b = 1)

x :=_{rlx} 1;
```

#### Conservative solution

#### [Boehm&Demsky '14]

- ► Require acyclicity of (program order U reads-from)
- ► More expensive compilation:
  - 1. (fake) control dependency after relaxed reads
  - 2. or: (lightweight) fence before relaxed writes

#### Correctness of conservative solution

#### Conservative solution

[Boehm&Demsky '14]

- ▶ Require acyclicity of (program order ∪ reads-from)
- More expensive compilation:
  - 1. (fake) control dependency after relaxed reads
  - 2. or: (lightweight) fence before relaxed writes

We proved correctness of compilation to Power/ARMv7 for scheme (1).

#### Main challenge

- ► Hardware models allow (program order U reads-from) cycles (involving non-atomic reads in the source).
- ▶ We have to show that such cycles can be untangled to produce a racy consistent execution.

# Summary

We presented **RC11**, a repaired model for C/C++11 concurrency:

- weaker semantics for SC-accesses
- stronger semantics for SC-fences
- ▶ disallow (program order ∪ reads-from) cycles

#### We proved:

- correctness of compilation schemes
- soundness of compiler optimizations
- programming guarantees (DRF, SC-fences can restore SC)

#### Future Work

- Mechanize our proofs
- ► ARMv8

# Summary

We presented **RC11**, a repaired model for C/C++11 concurrency:

- weaker semantics for SC-accesses
- stronger semantics for SC-fences
- ▶ disallow (program order ∪ reads-from) cycles

#### We proved:

- correctness of compilation schemes
- soundness of compiler optimizations
- programming guarantees (DRF, SC-fences can restore SC)

#### Future Work

- Mechanize our proofs
- ► ARMv8

# Thank you!

# Correctness of compilation to different hardware

|                          | C/C++11 | Batty <i>et al.</i><br>[POPL'16] | RC11 | Strong<br>RC11 | Strongest |
|--------------------------|---------|----------------------------------|------|----------------|-----------|
| x86-TSO                  | ✓       | ✓                                | ✓    | Х              | Х         |
| POWER                    | X       | X                                | ✓    | ✓              | Х         |
| ARMv7 (no isb)           | ✓       | ✓                                | 1    | ✓              | ✓         |
| ARMv7 (with isb)         | ×       | X                                | 1    | ✓              | X         |
| ARMv8 POP                | X       | X                                | ✓ *  | ?              | X         |
| ARMv8.2 (with STLR,LDAR) | ✓ *     | ✓ *                              | ✓ *  | <b>✓</b> *     | ✓ *       |

```
\begin{split} & eco \stackrel{\text{def}}{=} (\texttt{rf} \cup \texttt{mo} \cup \texttt{rb})^+ \\ & pohbpo \stackrel{\text{def}}{=} po|_{\neq \texttt{loc}}; \texttt{hb}; po|_{\neq \texttt{loc}} \\ & RC11 \stackrel{\text{def}}{=} acyclic(([\texttt{E}^{\texttt{sc}}] \cup [\texttt{F}^{\texttt{sc}}]; \texttt{hb}^?); (po \cup \texttt{pohbpo} \cup \texttt{rf} \cup \texttt{mo} \cup \texttt{rb}); ([\texttt{E}^{\texttt{sc}}] \cup \texttt{hb}^?; [\texttt{F}^{\texttt{sc}}]) \\ & \cup [\texttt{F}^{\texttt{sc}}]; \texttt{hb}^?; (\texttt{hb} \cup \texttt{eco}); \texttt{hb}^?; [\texttt{F}^{\texttt{sc}}]) \\ & Strong-RC11 \stackrel{\text{def}}{=} acyclic(([\texttt{E}^{\texttt{sc}}] \cup [\texttt{F}^{\texttt{sc}}]; \texttt{hb}^?); (po \cup \texttt{pohbpo} \cup \texttt{eco}); ([\texttt{E}^{\texttt{sc}}] \cup \texttt{hb}^?; [\texttt{F}^{\texttt{sc}}]) \\ & \cup [\texttt{F}^{\texttt{sc}}]; \texttt{hb}^?; (\texttt{hb} \cup \texttt{eco}); \texttt{hb}^?; [\texttt{F}^{\texttt{sc}}]) \\ & Strongest \stackrel{\text{def}}{=} acyclic([\texttt{E}^{\texttt{sc}}] \cup [\texttt{F}^{\texttt{sc}}]; \texttt{hb}^?); (\texttt{hb} \cup \texttt{eco}); ([\texttt{E}^{\texttt{sc}}] \cup \texttt{hb}^?; [\texttt{F}^{\texttt{sc}}]) \end{split}
```

```
a := x_{rlx}; \ /\!\!/ 1
fence_{sc};
b := y_{rlx}; \ /\!\!/ 0
x :=_{rlx} 1;
y :=_{rlx} 1;
c := y_{rlx}; \ /\!\!/ 1
fence_{sc};
d := x_{rlx}; \ /\!\!/ 0
```

sc-order

$$a := x_{rlx}; \ /\!\!/ 1$$
fence<sub>sc</sub>;
 $b := y_{rlx}; \ /\!\!/ 0$ 
 $x :=_{rlx} 1;$ 
 $y :=_{rlx} 1;$ 
 $c := y_{rlx}; \ /\!\!/ 1$ 
fence<sub>sc</sub>;
 $d := x_{rlx}; \ /\!\!/ 0$ 



# Global restrictions on SC-fences Order all SC-fences while respecting: $a : F^{sc} \xrightarrow{hb} h : F^{sc} \qquad a : F^{sc} \xrightarrow{po} *_{x} \xrightarrow{sc-per-loc}$

$$a: F^{\text{sc}} \xrightarrow{\text{hb}} b: F^{\text{sc}}$$

$$a: F^{\text{sc}} \xrightarrow{\text{po}} *_{x} \xrightarrow{\text{sc-per-loc}} W_{x} \xrightarrow{\text{po}} b: F^{\text{sc}}$$

$$a \xrightarrow{\text{sc-order}} b$$

$$a \xrightarrow{\text{sc-order}} b$$

$$a := x_{rlx}; \ /\!\!/ 1$$
fence<sub>sc</sub>;
 $b := y_{rlx}; \ /\!\!/ 0$ 
 $x :=_{rlx} 1;$ 
 $y :=_{rlx} 1;$ 
 $c := y_{rlx}; \ /\!\!/ 1$ 
fence<sub>sc</sub>;
 $d := x_{rlx}; \ /\!\!/ 0$ 



C/C++11: behavior allowed!

#### Global restrictions on SC-fences

$$\begin{array}{c}
a : F^{\text{sc}} \xrightarrow{\text{hb}} b : F^{\text{sc}} \\
a \xrightarrow{\text{sc-order}} b
\end{array}
\qquad
\begin{array}{c}
a : F^{\text{sc}} \xrightarrow{\text{po}} *_{x} \xrightarrow{\text{sc-per-loc}} W_{x} \xrightarrow{\text{po}} b : F^{\text{sc}} \\
a \xrightarrow{\text{sc-order}} b
\end{array}$$

$$a := x_{rlx}; \ /\!\!/ 1$$
fence<sub>sc</sub>;
 $b := y_{rlx}; \ /\!\!/ 0$ 
 $x :=_{rlx} 1;$ 
 $y :=_{rlx} 1;$ 
 $c := y_{rlx}; \ /\!\!/ 1$ 
fence<sub>sc</sub>;
 $d := x_{rlx}; \ /\!\!/ 0$ 



C/C++11: behavior allowed!

# Global restrictions on SC-fences

$$\begin{array}{c}
a: F^{\text{sc}} & \xrightarrow{\text{hb}} b: F^{\text{sc}} \\
\hline
 & a & \xrightarrow{\text{sc-order}} b
\end{array}
\qquad
\begin{array}{c}
a: F^{\text{sc}} & \xrightarrow{\text{po}} *_{\times} \xrightarrow{\text{sc-per-loc}} *_{\times} & \text{po} \\
\hline
 & a & \xrightarrow{\text{sc-order}} b
\end{array}$$

$$a := x_{rlx}; \ /\!\!/ 1$$
 $fence_{sc};$ 
 $b := y_{rlx}; \ /\!\!/ 0$ 
 $x :=_{rlx} 1;$ 
 $y :=_{rlx} 1;$ 
 $c := y_{rlx}; \ /\!\!/ 1$ 
 $fence_{sc};$ 
 $d := x_{rlx}; \ /\!\!/ 0$ 



C/C++11: behavior allowed!

# Global restrictions on SC-fences

$$a := x_{rlx}; \ /\!\!/ 1$$
fence<sub>sc</sub>;
 $b := y_{rlx}; \ /\!\!/ 0$ 
 $x :=_{rlx} 1;$ 
 $y :=_{rlx} 1;$ 
 $c := y_{rlx}; \ /\!\!/ 1$ 
fence<sub>sc</sub>;
 $d := x_{rlx}; \ /\!\!/ 0$ 



C/C++11: behavior allowed!

Fixed model: behavior disallowed!

#### Global restrictions on SC-fences

$$\begin{array}{c}
a: F^{\text{sc}} \xrightarrow{\text{hb}} b: F^{\text{sc}} \\
a \xrightarrow{\text{sc-order}} b
\end{array}
\qquad
\begin{array}{c}
a: F^{\text{sc}} \xrightarrow{\text{po}} *_{x} \xrightarrow{\text{sc-per-loc}} *_{x} \xrightarrow{\text{po}} b: F^{\text{sc}} \\
a \xrightarrow{\text{sc-order}} b
\end{array}$$

$$a := x_{rlx}; \ /\!\!/ 1$$
fence<sub>sc</sub>;
 $b := y_{rlx}; \ /\!\!/ 0$ 
 $x :=_{rlx} 1;$ 
 $y :=_{rlx} 1;$ 
 $c := y_{rlx}; \ /\!\!/ 1$ 
fence<sub>sc</sub>;
 $d := x_{rlx}; \ /\!\!/ 0$ 



C/C++11: behavior allowed!

Fixed model: behavior disallowed!

# Global restrictions on SC-fences Order all SC-fences while respecting: $\underbrace{a: F^{\text{sc}} \xrightarrow{\text{hb}} b: F^{\text{sc}}}_{\text{a} \xrightarrow{\text{sc-order}} b} \xrightarrow{a: F^{\text{sc}} \xrightarrow{\text{sc}} b} *_{x} \xrightarrow{\text{sc-per-loc}} *_{x} \xrightarrow{\text{b}} b: F^{\text{sc}}$