Explaining Atomics in Rust

Understanding atomics and the memory ordering options when dealing with them can help us better understand multithreaded programming and why Rust helps us write safe and performant multithreaded code.

Trying to understand atomics by just reading random articles and the documentation in Rust (or C++ for that matter) feels like trying to learn physics by reverse engineeringE=MC^2.

I'll give it my best try to explain this for myself and for you in this article. If I succeed, the ratio should be WTF?/AHA! < 1. Let me know in the issue tracker of the repository for this article how we did.

Multiprocessor programming

When writing code for multiple CPUs, there are several subtle things we need to consider. You see, both compilers and CPU's reorder the code we write if they think it will lead to faster execution. In single threaded programs, this is not something we need to consider, but once we start writing multithreaded programs, the compiler reordering can get us into trouble.

However, while the compiler ordering is possible to check by looking at the disassembled code, things get much more difficult on systems with multiple CPUs.

When threads are run on different CPUs, the internal reordering of instructions on the CPU can lead to some very hard to debug problems since we mostly observe the side effects of CPU reordering, speculative execution, pipelining and caching.

I don't think the CPU knows in advance exactly how it's going to run your code either.

The problem atomics solve are related to memory loads and stores. Any reordering of instructions which does not operate on shared memory has no impact that we're concerned about here.

I'll be using one main reference here unless I state otherwise: Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 3A. So when I refer to Chapter x in the Intel Developer manual, I refer to this document.

Let's start at the bottom and work our way up to a better understanding.

Strong vs Weak Memory Ordering

So to start off, we need to get some concepts right. CPUs give different guarantees when it comes to how they treat memory. We can classify them from Weak to Strong. However, it's not a precise specification so there are models which are somewhere in between.

To abstract over these differences, Rust has the concept of an abstract machine. It borrows this model from C++. This abstract machine needs to be an abstraction which makes it possible to program against weak and strong CPUs (and everything in between).

You see, the C++ abstract machine specifies many ways to access memory. It kind of has to if we're supposed to use the same semantics for weak and strong processors in the same language.

A CPU with a strong memory model gives some important guarantees that make much of the semantics we use in the abstract machine no-ops. It does nothing fancy at all, and is only a hint to the compiler to not change the order of memory operations from what we as programmers wrote.

On a weak system however, it might need to set up memory fences or use special instructions to prevent synchronization issues. The best way to learn this abstract machine using experiments would be using a CPU with a weak ordering. However, since most programmers program on a CPU with a strong model, we'll just have to point out the differences so we understand why the semantics are the way they are.

Most current desktop CPUs from AMD and Intel uses strong ordering. That means that the CPU itself gives some guarantees about not reordering certain operations. Some examples of this guarantee can be found in Intels Developer Manual, chapter 8.2.2:

  • Reads are not reordered with other reads.

  • Writes are not reordered with older reads.

  • Writes to memory are not reordered with other writes (with some exceptions)

Critically, it also includes one non-guarantee:

  • Reads may be reordered with older writes to different locations but not with older writes to the same location.

This last one will be important to understand SeqCst memory ordering later on, just make a note of it for now.

Now, in the following chapters, I'll try to be clear on these differences. I'll still use the weak model of the abstract machine as the basis for the explanations however...

...I'll point out the differences on a strongly ordered CPU using these boxes.

CPU Caches

Normally, a CPU has three levels of caching: L1, L2, and L3. While L2, and L3 are shared between cores, L1 is a per core cache. Our challenges start here.

The L1 cache uses a sort of MESI caching protocol. While the name might sound mysterious, it's actually pretty simple. It is an acronym for the different states items in the cache can find themselves in:

These states apply to each cache line in the L1 cache:
​
(M) Modified - modified (dirty). Need to write back data to main memory.
(E) Exclusive - only exists in this cache. Doesn't need to be synced (clean).
(S) Shared - might exist in other caches. Is current with main memory (clean).
(I) Invalid - cache line is invalid. Another cache has modified it.

See chapter 11.4 in Intels Developer Manual for more information about the cache states.

Ok, so we can model this for ourselves by thinking that every cache line in the CPU has an enum with four states attached to them.

Does this sound familiar?

In Rust we have two kind of references & shared references, and &mut exclusive references.

It will help you a lot if you stop thinking of them as mutable and immutable references, since this is not true all the time. Atomics and types which allow for interior mutability do indeed break this mental model. Think of them as exclusive and shared instead.

This does indeed map very well to the E and S, two of the possible states data can have in the L1 Cache. Modelling this in the language can (and does) provide the possibility of optimizations which languages without these semantics can't do.

In Rust, only memory which is Exclusive can be modified by default.

This means, as long as we don't break the rule and mutate Shared references, all Rust programs can assume that the L1 cache on the core they're running on is up to date and does not need any synchronization.

Of course, many programs needs to share memory between cores to work, but doing so explicitly and with care can lead to better code for running on multiple processors.

Inter-processor Communication

So, if we really do need to access and change memory which is Shared how do the other cores know that their L1 cache is invalid?

Well, a cache line is invalidated if the data exists in the L1 cache on a different core (remember, it's in theSharedstate) and is modified there. To actually inform the other cores that their cached data is invalid, there must be some way for the cores to communicate with each other, right?

Yes there is, however, it's pretty hard to find documentation about the exact details. Each core has what we can think of as a mailbox.

This mailbox can buffer a certain number of messages. Each message is buffered here to avoid interrupting the CPU all the time and force it to handle every message sent from other cores immediately.

Now, at some point the CPU checks this mailbox and updates its cache accordingly.

Let's take an example of a cache line which is marked as Shared.

If a CPU modifies this cache line, it is invalidated in the other caches. The core that modified the data sends a message to rest of the CPU's. When the other cores check their mailbox, they see that this cache line is now invalid and the state is updated accordingly in each cache on the other cores.

The L1 cache on each core then fetches the correct value from main memory (or L2/L3 cache) and sets its state to Shared again.

On a strongly ordered CPU this model works in a slightly different way. If a core modifies a Shared cache line, it forces the other cores to invalidate their corresponding cache line before the value is actually modified. such CPUs often have a cache coherency mechanism which changes the state of the caches on each core.

Memory ordering

Now that we have some idea of how the CPUs are designed to coordinate between them, we can talk about different memory orderings and what they mean.

In Rust, the memory ordering is represented by the std::sync::atomic::Ordering enum, which has 5 possible values.

A mental model

While in practice this is pretty hard to do in Rust due to its type system (we have no way to get a pointer to an Atomic for example), I find it useful to imagine an observer-core. This observer core is interested in the same memory as we perform atomic operations on for some reason, so we'll divide each model in two: how it looks on the core it's running and how it looks from an observer-core.

Remember that Rust inherits its memory model for atomics from C++ 20, and C copies its model from C++ as well. In these languages, the type system doesn't constrain you in the same way as it does in safe Rust, so accessing an Atomic, using a pointer is easier.

Relaxed

On the current CPU: Relaxed memory ordering on atomics will prevent the compiler from reordering these instructions themselves, but, on weakly ordered CPUs, it might reorder all other memory accesses. It's OK if you only increment a counter, but it might get you into trouble if you use a flag to implement a spin-lock for example, since you can't trust that "normal" memory access before and after the flag is set is not reordered.

On the observer CPU: Both the compiler and the CPU are free to reorder any other memory access except from switching two Relaxed load/stores with each other. The observer core might observe operations in a different order than the "program order" (as we wrote them). They will however, always see Relaxed operation-A before Relaxed operation-B if we wrote them in that order.

Relaxed is therefore the weakest of the possible memory orderings. It implies that the operation does not do any specific synchronization with the other CPUs.

On a strongly ordered CPU all memory operations are said to have Acquire/Release semantics by default. Therefore, this only serves as a hint to the compiler that these operations can't be reordered amongst themselves. The reason for using these operations on a strongly ordered system is that they allow for the compiler to reorder all other memory accesses as it sees fit.

If you wonder why you seem to be able to use Relaxed and get the same result as you do with Acquire/Release this is the reason. However, it's important to try to understand the "abstract machine" model and not only rely on experience you get by running experiments on a strongly ordered CPU. Your code might break on a different CPU.

Take a look at this article where they run the same code on both a strongly ordered CPU and a weakly ordered CPU to see the differences.

Acquire

On the current CPU: Any memory operation written after the Acquire access stays after it. It's meant to be paired with a Release memory ordering flag, forming a sort of a "memory sandwich". All memory access between the load and store will be synchronized with the other CPUs.

On weakly ordered systems, this might result in using special CPU instructions before the Acquire operation, which forces the current core to process all messages in its mailbox (many CPUs have both serializing and memory ordering instructions). A memory fence will most likely also be implemented to prevent the CPU from reordering memory access before the Acquire load. The Acquire operation will therefore be synchronized with modifications on memory done on the other CPUs.

Memory fences

Since this is the first time we encounter this term, let's not leave it alone assuming everybody knows what it is. A Memory fence is a hardware concept. The memory fence prevents the CPU from reordering instructions by forcing it to finish loads/stores to and from memory before the fence, thereby making sure no such operation before the fence is reordered with any such operation after it.

To be able to distinguish between instructions only regarding reads, writes, or both, they're called different names. A fence preventing both from being reordered is called a full fence.

Let's take a quick look at some documentation from Intels Developer Manual for one such full fence. (it's abrreviated, and the emphasis is mine)

Program synchronization can also be carried out with serializing instructions (see Section 8.3). These instructions are typically used at critical procedure or task boundaries to force completion of all previous instructions before a jump to a new section of code or a context switch occurs. Like the I/O and locking instructions, the processor waits until all previous instructions have been completed and all buffered writes have been drained to memory before executing the serializing instruction.The SFENCE, LFENCE, and MFENCE instructions provide a performance-efficient way of ensuring load and store memory ordering between routines that produce weakly-ordered results and routines that consume that data.

MFENCE — Serializes all store and load operations that occurred prior to the MFENCE instruction in the program instruction stream.

MFENCE is such an instruction. You'll find documentation for it throughout chapter 8.2 and 8.3 of Intels Developer Manual. You won't see these instructions too often on strongly ordered processors since they're rarely needed, but on weakly ordered systems they'll be critical to be able to implement the Acquire/Release model used in the abstract machine.

On the observer CPU: Since Acquire is a load operation, it doesn't modify memory, there is nothing to observe.

However, and there is one caveat, if the observer core itself does an Acquire load, it will be able to see all memory operations happening from the Acquire load, and to the Release store (including the store). This means there must be some global synchronization going on. Let's discuss this a bit more in when we talk about Release.

Acquire is often used to write locks, where some operations need to stay after the successful acquisition of the lock. For this exact reason, Acquire only makes sense in load operations. Most atomic methods in Rust that involve stores will panic if you pass in Acquire as the memory ordering of a store operation.

On strongly ordered CPUs, this will be a no-op and will therefore not incur any cost in terms of performance. It will however prevent the compiler from reordering any memory operations we write after the Acquire operation to happen before the Acquire operation.

Release

On the current CPU: In contrast to Acquire, any memory operation written before the Release memory ordering flag stays before it. It's meant to be paired with an Acquire memory ordering flag.

On weakly ordered CPUs the compiler might insert a memory fence to ensure that the CPU doesn't reorder the memory operations before the Release operation so that they happen after it. There is also a guarantee that all other cores which do an Acquire must see all memory operations after the Acquire and before this Release.

So not only do the operations need to be correctly ordered locally, there is also a guarantee that the changes must be visible to an observing core at this point.

That means some global synchronization must happen either before each Acquire access, or after a Release store. This basically leaves us with two choices:

  1. An Acquire load must ensure that it processes all messages and if any other core has invalidated any memory we load, it must fetch the correct value.

  2. A Release store must be atomic and invalidate all other caches holding that value before it modifies it.

Only doing one of these is enough though. This is partially what makes it weaker than SeqCst but also more performant.

On the observer CPU: An observing CPU might not see these changes in any specific order, unless it itself uses an Acquire load of the memory. If it does, it will see all memory which has been modified between the Acquire and the Release, including the Release store itself.

Release is often used together with Acquire to write locks. For a lock to function, some operations need to stay after the successful acquisition of the lock, but before the lock is released. For this reason, and opposite of the Acquire ordering, most load methods in Rust will panic if you pass in a Release ordering.

On a strongly ordered CPU, all instances of a Shared value are invalidated in all L1 caches where the value is present before it is modified. That means that the Acquire load will already have an updated view of all relevant memory, and a Release store will instantly invalidate any cache lines which contain the data on other cores.

Thats why these semantics have no performance cost on such a system.

AcqRel

This is intended to be used on operations which both load and store a value. AtomicBool::compare_and_swap is one such operation. Since this operation both loads and stores a value, this could matter on weakly ordered systems in contrast to Relaxed operations.

We can think of this operation more or less like a fence. Memory operations that are written before it will not be reordered across this boundary and memory operations that are written after it will not be reordered before it.

Read the Acquire and Release paragraphs, the same applies here.

SeqCst

In this part of this article, I'll talk about this using a strongly ordered CPU as the basis for discussion. You'll not see these "strongly ordered" sections here.

SeqCst stands for Sequential Consistency and gives the same guarantee that Acquire/Release does but also promises to establish a single total modification order.

SeqCst has been critiqued for being promoted as the recommended ordering to use and I've seen several objections about using it since it seems to be hard to prove that you have a good reason for using it. It has also been criticized for being slightly broken.

This figure should explain where SeqCst might fail in upholding it's guarantees:

https://plv.mpi-sws.org/scfix/paper.pdf

Got it? Good! We'll focus on the practical sides of SeqCst and not the theoretical foundations of it from now on.

Just know that there is a bit of discussion around it, and that most likely Acquire/Release will cover most of your challenges, at least on a strongly ordered CPU.

Let's consider SeqCst in contrast to an Acquire/Release operation.

I'll use this Godbolt example to explain:

The code looks like this:

use std::sync::atomic::{AtomicBool, Ordering};
static X: AtomicBool = AtomicBool::new(true);
static Y: AtomicBool = AtomicBool::new(true);
​
pub fn example(val: bool) -> bool {
let x = X.load(Ordering::Acquire);
X.store(val | x, Ordering::Release);
let y = Y.load(Ordering::Acquire);
x || y
}

The outputted assembly using Acquire/Releasewill look like this:

movb example::X.0.0(%rip), %al # load(Acquire)
testb %al, %al
setne %al
orb %dil, %al
movb %al, example::X.0.0(%rip) # store(Release)
movb $1, %al # load(Acquire)
retq

Now, on a weakly ordered CPU, the instructions might differ, but the result must be the same.

The store operation which used Release memory ordering is movb %al, example::X.0.0(%rip). We know that on a strongly ordered system, this is enough to make sure that this is immediately set as Invalid in other caches if they contain this data.

So what's the problem?

Well, to actually point that out, we need to take a look at the relevant part of the C++ specification for Release-Acquire:

The synchronization is established only between the threads releasing and acquiring the same atomic variable. Other threads can see different order of memory accesses than either or both of the synchronized threads.

Rusts documentation for Release re-iterates on that and states:

... In particular, all previous writes become visible to all threads that perform an Acquire (or stronger) load of this value.

An now is the time where we go and take a closer look that one non-guarantee I mentioned in the start. The Intel Developers Manual goes in to a little more detail in chapter 8.2.3.4:

8.2.3.4 Loads May Be Reordered with Earlier Stores to Different Locations

The Intel-64 memory-ordering model allows a load to be reordered with an earlier store to a different location. However, loads are not reordered with stores to the same location.

So if we put this information together, we could have the following situation:

let x = X.load(Ordering::Acquire);
X.store(val | x, Ordering::Release); # earlier store to different location
let y = Y.load(Ordering::Acquire); # load
​
// *Could* get reordered on the CPU to this:
​
let x = X.load(Ordering::Acquire);
let y = Y.load(Ordering::Acquire);
X.store(val | x, Ordering::Release);

Now, I've tried my best on my Intel CPU to provoke a situation where this causes a problem, but I have not managed to get a simple example going to reliably showing that. But in theory, judging by the specs and the description of the abstract machine, Acquire/Release doesn't prevent this.

If we change our code to:

use std::sync::atomic::{AtomicBool, Ordering};
static X: AtomicBool = AtomicBool::new(true);
static Y: AtomicBool = AtomicBool::new(true);
​
pub fn example(val: bool) -> bool {
let x = X.load(Ordering::SeqCst);
X.store(val | x, Ordering::SeqCst);
let y = Y.load(Ordering::SeqCst);
x || y
}

We get the following assembly output:

movb example::X.0.0(%rip), %al
testb %al, %al
setne %al
orb %dil, %al
xchgb %al, example::X.0.0(%rip)
movb $1, %al
retq

The interesting change here is the store operation which is now changed from a simple load to a special instruction xchgb %al, example::X.0.0(%rip). This is an atomic operation (xchghas an implicit lockprefix).

Since the xchg instruction is a locked instruction (when it refers to memory) it will make sure that all cache lines on other cores referring to the same memory are locked when the memory is fetched and then invalidated after the modification. In addition it works as a full memory fence which we can derive from chapter 8.2.3.9 in the Intel Developer Manual:

8.2.3.9 Loads and Stores Are Not Reordered with Locked Instructions

The memory-ordering model prevents loads and stores from being reordered with locked instructions that execute earlier or later. The examples in this section illustrate only cases in which a locked instruction is executed before a load or a store. The reader should note that reordering is prevented also if the locked instruction is executed after a load or a store.

For our observing core this is a noticeable change.

Sequential Consistency

If we somehow relied on the fact that the value we get from a load happens after, for example, the release of a flag, we could observe that it actually changed before the Release operation if we used Acquire/Release semantics. At least in theory.

Using the locking instruction prevents this. So in addition to having Acquire/Release guarantees, it also guarantees that no other memory operations, reads or writes, will happen in between.

Single total modification order

On a weakly ordered CPU, SeqCst also gives some guarantees which we get by default on a strongly ordered CPU, most importantly a single total modification order.

That means that if we have two observing cores, they will see all SeqCst operations in the same order. Acquire/Release does not give this guarantee. Observer-1 could see the two changes in a different order than observer-2 (remember the mailbox analogy).

Let's say core-1 acquires a flag X using compare_and_swap using Acquire ordering, and core-2 does the same on Y. Both do the same operations and then change the flag value back using Release store.

There is nothing that prevents Observer-1 from seeing the flag-Y change back before flag-X, and observer-2 the opposite.

SeqCst prevents this from happening.

On a strongly ordered system, every store is immediately visible on all other cores, so the modification order is not a real issue there.

SeqCst is the strongest of the memory orderings. It also has a slightly higher cost than the others.

You can see an example of why above, since every atomic instruction has an overhead of involving the CPU's cache coherency mechanism and locking the memory location in the other caches. The fewer such instructions we need while still having a correct program, the better the performance.

Atomic Operations

In addition to the memory fences discussed above, using the atomic types in the std::sync::atomic module gives access to some important CPU instructions we normally don't see in Rust:

From Implementing Scalable Atomic Locks for Multi-Core Intel® EM64T and IA32 Architectures:

User level locks involve utilizing the atomic instructions of processor to atomically update a memory space. The atomic instructions involve utilizing a lock prefix on the instruction and having the destination operand assigned to a memory address. The following instructions can run atomically with a lock prefix on current Intel processors: ADD, ADC, AND, BTC, BTR, BTS, CMPXCHG, CMPXCH8B, DEC, INC, NEG, NOT, OR, SBB, SUB, XOR, XADD, and XCHG...

Ok, so when we use the methods of an atomic, such as fetch_add on AtomicUsize, the compiler actually changes the instructions it emits for the addition of the two numbers on the CPU. The assembly would instead look something like (an AT&T dialect) lock addq ..., ...instead of addq ..., ...which we'd normally expect.

An atomic operation is a set of operations executed as one indivisible unit. Any observer is prevented from seeing any of the sub operations or acquiring the same data while it's being operated on. Any conflicting operation-B from another core on the same data will have to wait until the the first atomic operation-A is finished.

Let's take the simple example of increasing a counter. There are three steps: load data, modify it and store data.

For each step, another core might change go in and load the same data, modify it and store it back before we're finished.

LOAD NUMBER
---- a competing core can load the same value here ----
INCREASE NUMBER
---- a competing core can increase the same value ----
---- a competing core can store its data here ----
STORE NUMBER
---- we overwrite that data here ----

Often we want to prevent anyone from observing or interfering from the point we load our data until we store our data. This is exactly what atomic operations solve for us.

A pretty normal use case for atomics is spin-locks. A very simple (and unsafe) one could look like this:

static LOCKED: AtomicBool = AtomicBool::new(false);
static mut COUNTER: usize = 0;
​
pub fn spinlock(inc: usize) {
while LOCKED.compare_and_swap(false, true, Ordering::Acquire) {}
unsafe { COUNTER += inc };
LOCKED.store(false, Ordering::Release);
}

This will result in the following assembly:

xorl %eax, %eax
lock cmpxchgb %cl, example::LOCKED(%rip)
jne .LBB0_1
addq %rdi, example::COUNTER(%rip)
movb $0, example::LOCKED(%rip)
retq

lock cmpxchgb %cl, example::LOCKED(%rip)is the atomic operation we do in compare_and_swap. lock cmpxchgb is a locking operation; it reads a flag and changes its value if a certain condition is met.

From chapter 8.2.5 in Intels Developer Manual:

Synchronization mechanisms in multiple-processor systems may depend upon a strong memory-ordering model. Here, a program can use a locking instruction such as the XCHG instruction or the LOCK prefix to ensure that a read-modify-write operation on memory is carried out atomically. Locking operations typically operate like I/O operations in that they wait for all previous instructions to complete and for all buffered writes to drain to memory (see Section 8.1.2, “Bus Locking”).

Now what does this lock instruction prefix do?

It can quickly become a bit technical, but as far as I understand it, an easy way to model this is that it sets the cache line state to Modified already when the memory is fetched from the cache.

This way, from the moment it's fetched from a core's L1 cache it's marked as Modified. The processor uses its cache coherence mechanism to make sure the state is updated to Invalid on all other caches where it exists - even though they've not yet processed all of their messages in their mailboxes yet.

If message passing is the normal way of synchronizing changes, the locked instruction (and other memory-ordering or serializing instructions) involves a more expensive and more powerful mechanism which bypasses the message passing, locks the cache lines on the other caches (so no load or store operation can happen when while it's in progress) and sets them as invalid accordingly, which forces the cache to fetch an updated value from memory.

If you're interested in reading more about this, then take a look at chapter 8 of the Intel® 64 and IA-32 Architectures Software Developer’s Manual.

A cache line is most often 64 bytes on a 64 bit system. This can vary based on the exact CPU, but what is important to consider is that the locking mechanisms used if a memory crosses two cache lines is much more expensive and might involve bus locking and other hardware techniques.

Atomic operations crossing cache line boundaries have a very varying support based on different architectures.

Conclusion

Are you still there? If so, relax now, we're done for today. Thanks for staying with me and reading through, I do sincerely hope you enjoyed it and got some value out of it.

I fundamentally believe that getting a good mental model around problems you actually work hard to deal with has numerous benefits for both your personal motivation and how you write your code, even though you never venture into the std::sync::atomic module at all in your daily life.

Until next time!