tools/memory-model: Rename link and rcu-path to rcu-link and rb

This patch makes a simple non-functional change to the RCU portion of the Linux Kernel Memory Consistency Model by renaming the "link" and "rcu-path" relations to "rcu-link" and "rb", respectively. The name "link" was an unfortunate choice, because it was too generic and subject to confusion with other meanings of the same word, which occur quite often in LKMM documentation. The name "rcu-path" is not very appropriate, because the relation is analogous to the happens-before (hb) and propagates-before (pb) relations -- although that fact won't become apparent until the second patch in this series. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Andrea Parri <parri.andrea@gmail.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Will Deacon <will.deacon@arm.com> Cc: akiyks@gmail.com Cc: boqun.feng@gmail.com Cc: dhowells@redhat.com Cc: j.alglave@ucl.ac.uk Cc: linux-arch@vger.kernel.org Cc: luc.maranget@inria.fr Cc: npiggin@gmail.com Link: http://lkml.kernel.org/r/1526340837-12222-1-git-send-email-paulmck@linux.vnet.ibm.com Signed-off-by: Ingo Molnar <mingo@kernel.org>
author: Alan Stern <stern@rowland.harvard.edu> 2018-05-14 19:33:39 -0400
committer: Ingo Molnar <mingo@kernel.org> 2018-05-15 02:11:15 -0400
commit: 1ee2da5f9b5a8e814b397b77a08d44fed5f96a4a (patch)
tree: 50d91cddf71277c1d2a9f21b860aac0c2f8a59d0 /tools/memory-model
parent: 1362ae43c503a4e333ab6948fc4c6e0e794e1558 (diff)
2 files changed, 55 insertions, 54 deletions
diff --git a/tools/memory-model/Documentation/explanation.txt b/tools/memory-model/Documentation/explanation.txt
index a727c82bd434..1a387d703212 100644
--- a/tools/memory-model/Documentation/explanation.txt
+++ b/tools/memory-model/Documentation/explanation.txt
@@ -27,7 +27,7 @@ Explanation of the Linux-Kernel Memory Consistency Model
  19. AND THEN THERE WAS ALPHA
  20. THE HAPPENS-BEFORE RELATION: hb
  21. THE PROPAGATES-BEFORE RELATION: pb
-  22. RCU RELATIONS: link, gp-link, rscs-link, and rcu-path
+  22. RCU RELATIONS: rcu-link, gp-link, rscs-link, and rb
  23. ODDS AND ENDS
@@ -1451,8 +1451,8 @@ they execute means that it cannot have cycles.  This requirement is
 the content of the LKMM's "propagation" axiom.
-RCU RELATIONS: link, gp-link, rscs-link, and rcu-path
+RCU RELATIONS: rcu-link, gp-link, rscs-link, and rb
-----------------------------------------------------
+---------------------------------------------------
 RCU (Read-Copy-Update) is a powerful synchronization mechanism.  It
 rests on two concepts: grace periods and read-side critical sections.
@@ -1509,8 +1509,8 @@ y, which occurs before the end of the critical section, did not
 propagate to P1 before the end of the grace period, violating the
 Guarantee.
-In the kernel's implementations of RCU, the business about stores
+In the kernel's implementations of RCU, the requirements for stores
-propagating to every CPU is realized by placing strong fences at
+to propagate to every CPU are fulfilled by placing strong fences at
 suitable places in the RCU-related code.  Thus, if a critical section
 starts before a grace period does then the critical section's CPU will
 execute an smp_mb() fence after the end of the critical section and
@@ -1523,19 +1523,19 @@ executes.
 What exactly do we mean by saying that a critical section "starts
 before" or "ends after" a grace period?  Some aspects of the meaning
 are pretty obvious, as in the example above, but the details aren't
-entirely clear.  The LKMM formalizes this notion by means of a
+entirely clear.  The LKMM formalizes this notion by means of the
-relation with the unfortunately generic name "link".  It is a very
+rcu-link relation.  rcu-link encompasses a very general notion of
-general relation; among other things, X ->link Z includes cases where
+"before": Among other things, X ->rcu-link Z includes cases where X
-X happens-before or is equal to some event Y which is equal to or
+happens-before or is equal to some event Y which is equal to or comes
-comes before Z in the coherence order.  Taking Y = Z, this says that
+before Z in the coherence order.  When Y = Z this says that X ->rfe Z
-X ->rfe Z implies X ->link Z, and taking Y = X, it says that X ->fr Z
+implies X ->rcu-link Z.  In addition, when Y = X it says that X ->fr Z
-and X ->co Z each imply X ->link Z.
+and X ->co Z each imply X ->rcu-link Z.
-The formal definition of the link relation is more than a little
+The formal definition of the rcu-link relation is more than a little
 obscure, and we won't give it here.  It is closely related to the pb
 relation, and the details don't matter unless you want to comb through
 a somewhat lengthy formal proof.  Pretty much all you need to know
-about link is the information in the preceding paragraph.
+about rcu-link is the information in the preceding paragraph.
 The LKMM goes on to define the gp-link and rscs-link relations.  They
 bring grace periods and read-side critical sections into the picture,
@@ -1543,32 +1543,33 @@ in the following way:
        E ->gp-link F means there is a synchronize_rcu() fence event S
        and an event X such that E ->po S, either S ->po X or S = X,
-        and X ->link F.  In other words, E and F are connected by a
+        and X ->rcu-link F.  In other words, E and F are linked by a
-        grace period followed by an instance of link.
+        grace period followed by an instance of rcu-link.
        E ->rscs-link F means there is a critical section delimited by
        an rcu_read_lock() fence L and an rcu_read_unlock() fence U,
        and an event X such that E ->po U, either L ->po X or L = X,
-        and X ->link F.  Roughly speaking, this says that some event
+        and X ->rcu-link F.  Roughly speaking, this says that some
-        in the same critical section as E is connected by link to F.
+        event in the same critical section as E is linked by rcu-link
+        to F.
-If we think of the link relation as standing for an extended "before",
-then E ->gp-link F says that E executes before a grace period which
+If we think of the rcu-link relation as standing for an extended
-ends before F executes.  (In fact it says more than this, because it
+"before", then E ->gp-link F says that E executes before a grace
-includes cases where E executes before a grace period and some store
+period which ends before F executes.  (In fact it covers more than
-propagates to F's CPU before F executes and doesn't propagate to some
+this, because it also includes cases where E executes before a grace
-other CPU until after the grace period ends.)  Similarly,
+period and some store propagates to F's CPU before F executes and
-E ->rscs-link F says that E is part of (or before the start of) a
+doesn't propagate to some other CPU until after the grace period
-critical section which starts before F executes.
+ends.)  Similarly, E ->rscs-link F says that E is part of (or before
+the start of) a critical section which starts before F executes.
 Putting this all together, the LKMM expresses the Grace Period
 Guarantee by requiring that there are no cycles consisting of gp-link
-and rscs-link connections in which the number of gp-link instances is
+and rscs-link links in which the number of gp-link instances is >= the
->= the number of rscs-link instances.  It does this by defining the
+number of rscs-link instances.  It does this by defining the rb
-rcu-path relation to link events E and F whenever it is possible to
+relation to link events E and F whenever it is possible to pass from E
-pass from E to F by a sequence of gp-link and rscs-link connections
+to F by a sequence of gp-link and rscs-link links with at least as
-with at least as many of the former as the latter.  The LKMM's "rcu"
+many of the former as the latter.  The LKMM's "rcu" axiom then says
-axiom then says that there are no events E such that E ->rcu-path E.
+that there are no events E with E ->rb E.
 Justifying this axiom takes some intellectual effort, but it is in
 fact a valid formalization of the Grace Period Guarantee.  We won't
@@ -1585,10 +1586,10 @@ rcu_read_unlock() fence events delimiting the critical section in
 question, and let S be the synchronize_rcu() fence event for the grace
 period.  Saying that the critical section starts before S means there
 are events E and F where E is po-after L (which marks the start of the
-critical section), E is "before" F in the sense of the link relation,
+critical section), E is "before" F in the sense of the rcu-link
-and F is po-before the grace period S:
+relation, and F is po-before the grace period S:
-        L ->po E ->link F ->po S.
+        L ->po E ->rcu-link F ->po S.
 Let W be the store mentioned above, let Z come before the end of the
 critical section and witness that W propagates to the critical
@@ -1600,12 +1601,12 @@ some event X which is po-after S.  Symbolically, this amounts to:
 The fr link from Y to W indicates that W has not propagated to Y's CPU
 at the time that Y executes.  From this, it can be shown (see the
-discussion of the link relation earlier) that X and Z are connected by
+discussion of the rcu-link relation earlier) that X and Z are related
-link, yielding:
+by rcu-link, yielding:
-        S ->po X ->link Z ->po U.
+        S ->po X ->rcu-link Z ->po U.
-These formulas say that S is po-between F and X, hence F ->gp-link Z
+The formulas say that S is po-between F and X, hence F ->gp-link Z
 via X.  They also say that Z comes before the end of the critical
 section and E comes after its start, hence Z ->rscs-link F via E.  But
 now we have a forbidden cycle: F ->gp-link Z ->rscs-link F.  Thus the
@@ -1635,13 +1636,13 @@ time with statement labels added to the memory access instructions:
        }
-If r2 = 0 at the end then P0's store at X overwrites the value
+If r2 = 0 at the end then P0's store at X overwrites the value that
-that P1's load at Z reads from, so we have Z ->fre X and thus
+P1's load at Z reads from, so we have Z ->fre X and thus Z ->rcu-link X.
-Z ->link X.  In addition, there is a synchronize_rcu() between Y and
+In addition, there is a synchronize_rcu() between Y and Z, so therefore
-Z, so therefore we have Y ->gp-link X.
+we have Y ->gp-link X.
 If r1 = 1 at the end then P1's load at Y reads from P0's store at W,
-so we have W ->link Y.  In addition, W and X are in the same critical
+so we have W ->rcu-link Y.  In addition, W and X are in the same critical
 section, so therefore we have X ->rscs-link Y.
 This gives us a cycle, Y ->gp-link X ->rscs-link Y, with one gp-link
diff --git a/tools/memory-model/linux-kernel.cat b/tools/memory-model/linux-kernel.cat
index df97db03b6c2..cdf682859d4e 100644
--- a/tools/memory-model/linux-kernel.cat
+++ b/tools/memory-model/linux-kernel.cat
@@ -100,22 +100,22 @@ let rscs = po ; crit^-1 ; po?
 * one but two non-rf relations, but only in conjunction with an RCU
 * read-side critical section.
 *)
-let link = hb* ; pb* ; prop
+let rcu-link = hb* ; pb* ; prop
 (* Chains that affect the RCU grace-period guarantee *)
-let gp-link = gp ; link
+let gp-link = gp ; rcu-link
-let rscs-link = rscs ; link
+let rscs-link = rscs ; rcu-link
 (*
 * A cycle containing at least as many grace periods as RCU read-side
 * critical sections is forbidden.
 *)
-let rec rcu-path =
+let rec rb =
        gp-link |
        (gp-link ; rscs-link) |
        (rscs-link ; gp-link) |
-        (rcu-path ; rcu-path) |
+        (rb ; rb) |
-        (gp-link ; rcu-path ; rscs-link) |
+        (gp-link ; rb ; rscs-link) |
-        (rscs-link ; rcu-path ; gp-link)
+        (rscs-link ; rb ; gp-link)
-irreflexive rcu-path as rcu
+irreflexive rb as rcu
author	Alan Stern <stern@rowland.harvard.edu>	2018-05-14 19:33:39 -0400
committer	Ingo Molnar <mingo@kernel.org>	2018-05-15 02:11:15 -0400
commit	1ee2da5f9b5a8e814b397b77a08d44fed5f96a4a (patch)
tree	50d91cddf71277c1d2a9f21b860aac0c2f8a59d0 /tools/memory-model
parent	1362ae43c503a4e333ab6948fc4c6e0e794e1558 (diff)

diff --git a/tools/memory-model/Documentation/explanation.txt b/tools/memory-model/Documentation/explanation.txt index a727c82bd434..1a387d703212 100644 --- a/tools/memory-model/Documentation/explanation.txt +++ b/tools/memory-model/Documentation/explanation.txt
@@ -27,7 +27,7 @@ Explanation of the Linux-Kernel Memory Consistency Model
27	19. AND THEN THERE WAS ALPHA	27	19. AND THEN THERE WAS ALPHA
28	20. THE HAPPENS-BEFORE RELATION: hb	28	20. THE HAPPENS-BEFORE RELATION: hb
29	21. THE PROPAGATES-BEFORE RELATION: pb	29	21. THE PROPAGATES-BEFORE RELATION: pb
30	22. RCU RELATIONS: link, gp-link, rscs-link, and rcu-path	30	22. RCU RELATIONS: rcu-link, gp-link, rscs-link, and rb
31	23. ODDS AND ENDS	31	23. ODDS AND ENDS
32		32
33		33
@@ -1451,8 +1451,8 @@ they execute means that it cannot have cycles. This requirement is
1451	the content of the LKMM's "propagation" axiom.	1451	the content of the LKMM's "propagation" axiom.
1452		1452
1453		1453
1454	RCU RELATIONS: link, gp-link, rscs-link, and rcu-path	1454	RCU RELATIONS: rcu-link, gp-link, rscs-link, and rb
1455	-----------------------------------------------------	1455	---------------------------------------------------
1456		1456
1457	RCU (Read-Copy-Update) is a powerful synchronization mechanism. It	1457	RCU (Read-Copy-Update) is a powerful synchronization mechanism. It
1458	rests on two concepts: grace periods and read-side critical sections.	1458	rests on two concepts: grace periods and read-side critical sections.
@@ -1509,8 +1509,8 @@ y, which occurs before the end of the critical section, did not
1509	propagate to P1 before the end of the grace period, violating the	1509	propagate to P1 before the end of the grace period, violating the
1510	Guarantee.	1510	Guarantee.
1511		1511
1512	In the kernel's implementations of RCU, the business about stores	1512	In the kernel's implementations of RCU, the requirements for stores
1513	propagating to every CPU is realized by placing strong fences at	1513	to propagate to every CPU are fulfilled by placing strong fences at
1514	suitable places in the RCU-related code. Thus, if a critical section	1514	suitable places in the RCU-related code. Thus, if a critical section
1515	starts before a grace period does then the critical section's CPU will	1515	starts before a grace period does then the critical section's CPU will
1516	execute an smp_mb() fence after the end of the critical section and	1516	execute an smp_mb() fence after the end of the critical section and
@@ -1523,19 +1523,19 @@ executes.
1523	What exactly do we mean by saying that a critical section "starts	1523	What exactly do we mean by saying that a critical section "starts
1524	before" or "ends after" a grace period? Some aspects of the meaning	1524	before" or "ends after" a grace period? Some aspects of the meaning
1525	are pretty obvious, as in the example above, but the details aren't	1525	are pretty obvious, as in the example above, but the details aren't
1526	entirely clear. The LKMM formalizes this notion by means of a	1526	entirely clear. The LKMM formalizes this notion by means of the
1527	relation with the unfortunately generic name "link". It is a very	1527	rcu-link relation. rcu-link encompasses a very general notion of
1528	general relation; among other things, X ->link Z includes cases where	1528	"before": Among other things, X ->rcu-link Z includes cases where X
1529	X happens-before or is equal to some event Y which is equal to or	1529	happens-before or is equal to some event Y which is equal to or comes
1530	comes before Z in the coherence order. Taking Y = Z, this says that	1530	before Z in the coherence order. When Y = Z this says that X ->rfe Z
1531	X ->rfe Z implies X ->link Z, and taking Y = X, it says that X ->fr Z	1531	implies X ->rcu-link Z. In addition, when Y = X it says that X ->fr Z
1532	and X ->co Z each imply X ->link Z.	1532	and X ->co Z each imply X ->rcu-link Z.
1533		1533
1534	The formal definition of the link relation is more than a little	1534	The formal definition of the rcu-link relation is more than a little
1535	obscure, and we won't give it here. It is closely related to the pb	1535	obscure, and we won't give it here. It is closely related to the pb
1536	relation, and the details don't matter unless you want to comb through	1536	relation, and the details don't matter unless you want to comb through
1537	a somewhat lengthy formal proof. Pretty much all you need to know	1537	a somewhat lengthy formal proof. Pretty much all you need to know
1538	about link is the information in the preceding paragraph.	1538	about rcu-link is the information in the preceding paragraph.
1539		1539
1540	The LKMM goes on to define the gp-link and rscs-link relations. They	1540	The LKMM goes on to define the gp-link and rscs-link relations. They
1541	bring grace periods and read-side critical sections into the picture,	1541	bring grace periods and read-side critical sections into the picture,
@@ -1543,32 +1543,33 @@ in the following way:
1543		1543
1544	E ->gp-link F means there is a synchronize_rcu() fence event S	1544	E ->gp-link F means there is a synchronize_rcu() fence event S
1545	and an event X such that E ->po S, either S ->po X or S = X,	1545	and an event X such that E ->po S, either S ->po X or S = X,
1546	and X ->link F. In other words, E and F are connected by a	1546	and X ->rcu-link F. In other words, E and F are linked by a
1547	grace period followed by an instance of link.	1547	grace period followed by an instance of rcu-link.
1548		1548
1549	E ->rscs-link F means there is a critical section delimited by	1549	E ->rscs-link F means there is a critical section delimited by
1550	an rcu_read_lock() fence L and an rcu_read_unlock() fence U,	1550	an rcu_read_lock() fence L and an rcu_read_unlock() fence U,
1551	and an event X such that E ->po U, either L ->po X or L = X,	1551	and an event X such that E ->po U, either L ->po X or L = X,
1552	and X ->link F. Roughly speaking, this says that some event	1552	and X ->rcu-link F. Roughly speaking, this says that some
1553	in the same critical section as E is connected by link to F.	1553	event in the same critical section as E is linked by rcu-link
1554		1554	to F.
1555	If we think of the link relation as standing for an extended "before",	1555
1556	then E ->gp-link F says that E executes before a grace period which	1556	If we think of the rcu-link relation as standing for an extended
1557	ends before F executes. (In fact it says more than this, because it	1557	"before", then E ->gp-link F says that E executes before a grace
1558	includes cases where E executes before a grace period and some store	1558	period which ends before F executes. (In fact it covers more than
1559	propagates to F's CPU before F executes and doesn't propagate to some	1559	this, because it also includes cases where E executes before a grace
1560	other CPU until after the grace period ends.) Similarly,	1560	period and some store propagates to F's CPU before F executes and
1561	E ->rscs-link F says that E is part of (or before the start of) a	1561	doesn't propagate to some other CPU until after the grace period
1562	critical section which starts before F executes.	1562	ends.) Similarly, E ->rscs-link F says that E is part of (or before
		1563	the start of) a critical section which starts before F executes.
1563		1564
1564	Putting this all together, the LKMM expresses the Grace Period	1565	Putting this all together, the LKMM expresses the Grace Period
1565	Guarantee by requiring that there are no cycles consisting of gp-link	1566	Guarantee by requiring that there are no cycles consisting of gp-link
1566	and rscs-link connections in which the number of gp-link instances is	1567	and rscs-link links in which the number of gp-link instances is >= the
1567	>= the number of rscs-link instances. It does this by defining the	1568	number of rscs-link instances. It does this by defining the rb
1568	rcu-path relation to link events E and F whenever it is possible to	1569	relation to link events E and F whenever it is possible to pass from E
1569	pass from E to F by a sequence of gp-link and rscs-link connections	1570	to F by a sequence of gp-link and rscs-link links with at least as
1570	with at least as many of the former as the latter. The LKMM's "rcu"	1571	many of the former as the latter. The LKMM's "rcu" axiom then says
1571	axiom then says that there are no events E such that E ->rcu-path E.	1572	that there are no events E with E ->rb E.
1572		1573
1573	Justifying this axiom takes some intellectual effort, but it is in	1574	Justifying this axiom takes some intellectual effort, but it is in
1574	fact a valid formalization of the Grace Period Guarantee. We won't	1575	fact a valid formalization of the Grace Period Guarantee. We won't
@@ -1585,10 +1586,10 @@ rcu_read_unlock() fence events delimiting the critical section in
1585	question, and let S be the synchronize_rcu() fence event for the grace	1586	question, and let S be the synchronize_rcu() fence event for the grace
1586	period. Saying that the critical section starts before S means there	1587	period. Saying that the critical section starts before S means there
1587	are events E and F where E is po-after L (which marks the start of the	1588	are events E and F where E is po-after L (which marks the start of the
1588	critical section), E is "before" F in the sense of the link relation,	1589	critical section), E is "before" F in the sense of the rcu-link
1589	and F is po-before the grace period S:	1590	relation, and F is po-before the grace period S:
1590		1591
1591	L ->po E ->link F ->po S.	1592	L ->po E ->rcu-link F ->po S.
1592		1593
1593	Let W be the store mentioned above, let Z come before the end of the	1594	Let W be the store mentioned above, let Z come before the end of the
1594	critical section and witness that W propagates to the critical	1595	critical section and witness that W propagates to the critical
@@ -1600,12 +1601,12 @@ some event X which is po-after S. Symbolically, this amounts to:
1600		1601
1601	The fr link from Y to W indicates that W has not propagated to Y's CPU	1602	The fr link from Y to W indicates that W has not propagated to Y's CPU
1602	at the time that Y executes. From this, it can be shown (see the	1603	at the time that Y executes. From this, it can be shown (see the
1603	discussion of the link relation earlier) that X and Z are connected by	1604	discussion of the rcu-link relation earlier) that X and Z are related
1604	link, yielding:	1605	by rcu-link, yielding:
1605		1606
1606	S ->po X ->link Z ->po U.	1607	S ->po X ->rcu-link Z ->po U.
1607		1608
1608	These formulas say that S is po-between F and X, hence F ->gp-link Z	1609	The formulas say that S is po-between F and X, hence F ->gp-link Z
1609	via X. They also say that Z comes before the end of the critical	1610	via X. They also say that Z comes before the end of the critical
1610	section and E comes after its start, hence Z ->rscs-link F via E. But	1611	section and E comes after its start, hence Z ->rscs-link F via E. But
1611	now we have a forbidden cycle: F ->gp-link Z ->rscs-link F. Thus the	1612	now we have a forbidden cycle: F ->gp-link Z ->rscs-link F. Thus the
@@ -1635,13 +1636,13 @@ time with statement labels added to the memory access instructions:
1635	}	1636	}
1636		1637
1637		1638
1638	If r2 = 0 at the end then P0's store at X overwrites the value	1639	If r2 = 0 at the end then P0's store at X overwrites the value that
1639	that P1's load at Z reads from, so we have Z ->fre X and thus	1640	P1's load at Z reads from, so we have Z ->fre X and thus Z ->rcu-link X.
1640	Z ->link X. In addition, there is a synchronize_rcu() between Y and	1641	In addition, there is a synchronize_rcu() between Y and Z, so therefore
1641	Z, so therefore we have Y ->gp-link X.	1642	we have Y ->gp-link X.
1642		1643
1643	If r1 = 1 at the end then P1's load at Y reads from P0's store at W,	1644	If r1 = 1 at the end then P1's load at Y reads from P0's store at W,
1644	so we have W ->link Y. In addition, W and X are in the same critical	1645	so we have W ->rcu-link Y. In addition, W and X are in the same critical
1645	section, so therefore we have X ->rscs-link Y.	1646	section, so therefore we have X ->rscs-link Y.
1646		1647
1647	This gives us a cycle, Y ->gp-link X ->rscs-link Y, with one gp-link	1648	This gives us a cycle, Y ->gp-link X ->rscs-link Y, with one gp-link


diff --git a/tools/memory-model/linux-kernel.cat b/tools/memory-model/linux-kernel.cat index df97db03b6c2..cdf682859d4e 100644 --- a/tools/memory-model/linux-kernel.cat +++ b/tools/memory-model/linux-kernel.cat
@@ -100,22 +100,22 @@ let rscs = po ; crit^-1 ; po?
100	* one but two non-rf relations, but only in conjunction with an RCU	100	* one but two non-rf relations, but only in conjunction with an RCU
101	* read-side critical section.	101	* read-side critical section.
102	*)	102	*)
103	let link = hb* ; pb* ; prop	103	let rcu-link = hb* ; pb* ; prop
104		104
105	(* Chains that affect the RCU grace-period guarantee *)	105	(* Chains that affect the RCU grace-period guarantee *)
106	let gp-link = gp ; link	106	let gp-link = gp ; rcu-link
107	let rscs-link = rscs ; link	107	let rscs-link = rscs ; rcu-link
108		108
109	(*	109	(*
110	* A cycle containing at least as many grace periods as RCU read-side	110	* A cycle containing at least as many grace periods as RCU read-side
111	* critical sections is forbidden.	111	* critical sections is forbidden.
112	*)	112	*)
113	let rec rcu-path =	113	let rec rb =
114	gp-link \|	114	gp-link \|
115	(gp-link ; rscs-link) \|	115	(gp-link ; rscs-link) \|
116	(rscs-link ; gp-link) \|	116	(rscs-link ; gp-link) \|
117	(rcu-path ; rcu-path) \|	117	(rb ; rb) \|
118	(gp-link ; rcu-path ; rscs-link) \|	118	(gp-link ; rb ; rscs-link) \|
119	(rscs-link ; rcu-path ; gp-link)	119	(rscs-link ; rb ; gp-link)
120		120
121	irreflexive rcu-path as rcu	121	irreflexive rb as rcu