Detecting ABAs

So far we have introduced restrictions, namely pointer race freedom and elision support, to rule out cases where our idea of eliding memory reuse does not work, that is, breaks similarity or the SMR behavior inclusion. If those restrictions were strong enough to carry out our development, then we could remove any reuse from a computation and get a similar one where no memory is reused. That the resulting computation does not reuse memory means, intuitively, that it is executed under garbage collection. As shown in the literature [Michael and Scott 1996], the ABA problem is a subtle bug caused by manual memory management which is prevented by garbage collection. So, eliding all reuses jeopardizes soundness of the analysis—it could miss ABAs which result in a safety violation. With this observation, we elide all reuses except for one address per computation. This way we analyze a semantics that is close to garbage collection, can detect ABA problems, and is much simpler than fullO⟦P⟧^Adr_Adr.

The semantics that we suggest to analyze isO⟦P⟧^one_Adr ≔ ⋃𝑎∈AdrO⟦P⟧^{_Adr^𝑎}. It is the set of all computations that reuse at most a single address. A single address suffices to detect the ABA problem. The ABA problem manifests as an assumption of the form^assume𝑝 =𝑞where the addresses held by𝑝and𝑞coincide but stem from different allocations. That is, one of the pointers has received its address, the address was freed and then reallocated, before the pointer is used in the assumption. Note that this implies that for an assumption to be ABA one of the involved pointers must be invalid. Pointer race freedom does not forbid this. Nor do we want to forbid such assumptions. In fact, most programs using hazard pointers contain ABAs. They are written in a way that ensures that the ABA isharmless.

Example 7.16 (ABAs in Michael&Scott’s queue using hazard pointers).Consider the following code, repeated from Michael&Scott’s queue from Figure 2.13:

326 Node* head = Head;

327 protect₀(head);

328 if (head != Head) continue;

In Line 326 the value of the shared pointer^Headis read into the local pointer^head. Then, a hazard pointer is used in Line 327 to protect^headfrom being freed. In between reading and protecting^head, its address could have been deleted, reused, and reentered the queue. That is,

Section 7.3 Detecting ABAs 73

when executing Line 328 the pointers^Headand^headcan coincide although the^headpointer stems from an earlier allocation. This scenario is an ABA. Nevertheless, the queue’s correctness is not affected by it. The ABA prone assumption is only used to guarantee that the address protected in Line 327 is indeed protected after Line 328. With respect to the SMR automatonO_HP, the assumption guarantees that the protection was issued before a retirement (after the latest reallocation) so thatO_HP is guaranteed to be in𝐿₁₀and thus prevents future retirements from freeing the protected memory. The ABA does not void this guarantee, it is harmless.

The above example shows that non-blocking data structures may perform ABAs which do not affect their correctness. To soundly verify such algorithms, our approach is to detect every ABA and decide whether it is harmless indeed. If so, our verification is sound. Otherwise, we report to the programmer that the implementation suffers from a harmful ABA problem.

A discussion of how to detect ABAs is in order. Let𝜏 ∈O⟦P⟧^Adr_Adr and𝜎 ∈O⟦P⟧^{_Adr^𝑎}be similar computations. Intuitively,𝜎is a computation which elides the reuses from𝜏 except for address𝑎. Address𝑎can be used in𝜎in exactly the same way as it is used in𝜏. Letactbe an ABA prone assumption of the formact=⟨𝑡 ,_assume𝑝=𝑞,∅⟩. Assumeactis enabled after𝜏. To detect this ABA underO⟦P⟧^{_Adr^𝑎}we needactto be enabled after𝜎. We seek to have𝜎 .act∈O⟦P⟧^{_Adr^𝑎}. This is not guaranteed. Sinceactis an ABA it involves at least one invalid pointer, say𝑝. Computation similarity does not guarantee that𝑝has the same valuation in both𝜏and𝜎. However, if𝑝points to𝑎in𝜏, then it does so in𝜎because𝑎is (re)used in𝜎in the same way as in𝜏. Thus, we end up with𝑚_𝜏(𝑝)=𝑚_𝜎(𝑝)although𝑝is invalid. In order to guarantee this, we introduce anaddress alignmentrelation which precisely tracks how the reusable address𝑎is used.

Definition 7.17 (Address Alignment).Computations𝜏 and𝜎are𝑎-aligned,𝜏 ≼𝑎𝜎, if:

∀𝑝∈PVar. 𝑚_𝜏(𝑝)=𝑎 ⟺ 𝑚_𝜎(𝑝)=𝑎

and ∀𝑏∈𝑚_𝜏(valid^𝜏). 𝑚_𝜏(𝑏 ._next)=𝑎 ⟺ 𝑚_𝜎(𝑏 ._next)=𝑎 and 𝑎∈fresh𝜏∪freed𝜏 ⟺ 𝑎∈fresh𝜎∪freed𝜎

and F_O(𝜏 , 𝑎)⊆F_O(𝜎 , 𝑎)

and 𝑎∈retired^𝜏 ⟺ 𝑎∈retired^𝜎 .

The first line in this definition states that the same pointer variables in𝜏 and𝜎 are pointing to𝑎. Similarly, the second line states this for the pointer selectors of valid addresses. We have to exclude the invalid addresses here because𝜏 and𝜎 may differ on the in-use addresses due to eliding reuse. The third line states that𝑎can be allocated in𝜏 iff it can be allocated in𝜎. The fourth line states that the SMR automaton allows for more behavior on𝑎in𝜎than in𝜏. These properties combined guarantee that𝜎 can mimic actions of𝜏 involving𝑎no matter if invalid pointers are used. The last line requires that𝑎is retired in𝜏 iff it is retired in𝜎. This property makes double retires performed after𝜏 visible in the mimicking𝜎.

74 ^{Chapter 7} Pointer Races

The address alignment lets us detect ABAs inO⟦P⟧^one_Adr. Intuitively, we can only detectfirst ABAs because we allow for only a single address to be reused. Subsequent ABAs on different addresses cannot be detected. To detect ABA sequences of arbitrary length, an arbitrary number of reusable addresses is required. To avoid this, i.e., to avoid an analysis of fullO⟦P⟧^Adr_Adr, we formalize the idea ofharmless ABAsfrom before. We say that an ABA is harmless if executing it leads to a system state which can be explored (by another computation) without performing an ABA. That the system state can be explored without performing an ABA means that every ABA is also a first ABA. Thus, any sequence of ABAs is explored by considering only first ABAs.

Note that this definition is independent of the actual correctness notion.

Definition 7.18 (Harmful ABA).The semanticsO⟦P⟧^one_Adris free from harmful ABAs if:

∀𝜎_𝑎.act∈O⟦P⟧^{_Adr^𝑎}∀𝜎_𝑏 ∈O⟦P⟧^{_Adr^𝑏}∃𝜎_𝑏^′ ∈O⟦P⟧^{_Adr^𝑏}.

𝜎_𝑎∼𝜎_𝑏 ∧ act=⟨•,_assume•,•⟩ ⟹ 𝜎_𝑎.act∼𝜎_𝑏^′ ∧ 𝜎_𝑏 ≼𝑏𝜎_𝑏^′ ∧ 𝜎_𝑎.act⋖𝜎_𝑏^′ . To understand how the definition implements our intuition, consider𝜏 .act∈O⟦P⟧^Adr_Adr whereact performs an ABA on address𝑎. Our goal is to mimic𝜏 .act inO⟦P⟧^{_Adr^𝑏}, that is, we want to mimic the ABA without reusing address𝑎(for instance, to detect subsequent ABAs on address𝑏).

Assume we are given𝜎_𝑏 ∈O⟦P⟧^{_Adr^𝑏}which is similar and𝑏-aligned to𝜏. This does not guarantee thatactcan be mimicked after𝜎_𝑏; the ABA may not be enabled because it involves invalid pointers the valuation of which differs in𝜏 and𝜎_𝑏. However, we can construct a computation𝜎_𝑎 which is similar and𝑎-aligned to𝜏. After𝜎_𝑎 the ABA is enabled, i.e.,𝜎_𝑎.act∈O⟦P⟧^{_Adr^𝑎}. For those two computations𝜎_𝑎.actand𝜎_𝑏we invoke the above definition. It yields another com-putation𝜎^′

𝑏 ∈O⟦P⟧^{_Adr^𝑏} which, intuitively, coincides with𝜎_𝑏 but where the ABA has already been executed. Put differently,𝜎_𝑏^′ is a computation which mimics the execution ofactafter𝜎_𝑏 althoughactis not enabled.

Example 7.19 (Continued).Consider the computation𝜏 .actof Michael&Scott’s queue with:

𝜏 =𝜏₆.⟨𝑡 ,_head∶=Head,[^head↦𝑎]⟩. 𝜏₇._free(𝑎). 𝜏₈.

⟨𝑡 ,_in∶^protect₀(^head),∅⟩.⟨𝑡 ,_re∶^protect₀,∅⟩

and act=⟨𝑡 ,assume head=Head,∅⟩.

This computation resembles a thread𝑡 executing Lines 326 to 328 while an interferer frees address𝑎referenced by^head, reallocates it, and makes it the^Headof the queue again; we assume that𝜏₆, 𝜏₇, 𝜏₈consist of the interferer’s actions the precise form of which does not matter here.

The^assumeinactresembles the conditional from Line 328 and states that the condition evaluates to^true. That is,actis a potential ABA on address𝑎.

Reusing address𝑎allows us to mimic𝜏 with an𝑎-aligned computation𝜎_𝑎 ∈O⟦P⟧^{_Adr^𝑎}. The ABA prone actionactis guaranteed to be enabled after𝜎_𝑎, so𝜎_𝑎.actmimics𝜏 .act. Reusing another

Section 7.3 Detecting ABAs 75

address𝑏 yields a𝑏-aligned𝜎_𝑏 ∈ O⟦P⟧^{_Adr^𝑏} mimicking𝜏. After𝜎_𝑏,act may not be enabled.

The reason for this is that𝜎_𝑏 elides allocations of𝑎to avoid it being reused. The interferer’s reallocation of𝑎(in𝜏₈) forces𝜎_𝑏 to elide its previous allocation. Hence, thread𝑡’s^headdoes not point to𝑎while^Headstill does. The ABA proneactis not enabled after𝜎_𝑏.

To see that the above ABA is harmless, consider the following rescheduling of the actions in𝜏: 𝜏^′=𝜏₆. 𝜏₇._free(𝑎). 𝜏₈.⟨𝑡 ,_head∶=Head,[^head↦𝑎]⟩.

⟨𝑡 ,_in∶^protect₀(^head),∅⟩.⟨𝑡 ,_re∶^protect₀,∅⟩.

Here, thread𝑡reads the latest version of^Head. This gives rise to a computation𝜎^′

𝑏 ∈O⟦P⟧^{_Adr^𝑏} mimicking𝜏^′. Unlike𝜎_𝑏, however,𝜎_𝑏^′ can executeactsince the later read of^headis not affected by the elision of reallocations. Finally,𝜎_𝑏^′.actmimics𝜏 .act. Requiring the existence of such a𝜎_𝑏^′ guarantees that an analysis cansee pastABAs on address𝑎, although𝑎is not reused.

A key aspect of the above definition is that checking for harmful ABAs can be done in the simpler semanticsO⟦P⟧^one_Adr. Altogether, this means that we can rely onO⟦P⟧^one_Adr for both the actual analysis and a soundness (absence of harmful ABAs) check. Our experiments show that the above definition is practical. There were no harmful ABAs in the benchmarks we considered.