Decoupling Lock-Free Data Structures from Memory Reclamation for Static
  Analysis by Meyer, Roland & Wolff, Sebastian
58
Decoupling Lock-Free Data Structures from
Memory Reclamation for Static Analysis
Extended Version
ROLAND MEYER, TU Braunschweig, Germany
SEBASTIAN WOLFF, TU Braunschweig, Germany
Verification of concurrent data structures is one of the most challenging tasks in software verification. The topic
has received considerable attention over the course of the last decade. Nevertheless, human-driven techniques
remain cumbersome and notoriously difficult while automated approaches suffer from limited applicability.
The main obstacle for automation is the complexity of concurrent data structures. This is particularly true in
the absence of garbage collection. The intricacy of lock-free memory management paired with the complexity
of concurrent data structures makes automated verification prohibitive.
In this work we present a method for verifying concurrent data structures and their memory management
separately. We suggest two simpler verification tasks that imply the correctness of the data structure. The
first task establishes an over-approximation of the reclamation behavior of the memory management. The
second task exploits this over-approximation to verify the data structure without the need to consider the
implementation of the memory management itself. To make the resulting verification tasks tractable for
automated techniques, we establish a second result. We show that a verification tool needs to consider only
executions where a single memory location is reused. We implemented our approach and were able to verify
linearizability of Michael&Scott’s queue and the DGLM queue for both hazard pointers and epoch-based
reclamation. To the best of our knowledge, we are the first to verify such implementations fully automatically.
CCSConcepts: •Theory of computation→Data structures design and analysis;Programverification;
Shared memory algorithms; Program specifications; Program analysis;
Additional Key Words and Phrases: static analysis, lock-free data structures, verification, linearizability, safe
memory reclamation, memory management
Conference Paper:
Roland Meyer and Sebastian Wolff. 2019. Decoupling Lock-Free Data Structures from Memory Reclamation for
Static Analysis. Proc. ACM Program. Lang. 3, POPL, Article 58 (January 2019). https://doi.org/10.1145/3290371
1 INTRODUCTION
Data structures are a basic building block of virtually any program. Efficient implementations
are typically a part of a programming language’s standard library. With the advent of highly
concurrent computing being available even on commodity hardware, concurrent data structure
implementations are needed. The class of lock-free data structures has been shown to be particularly
efficient. Using fine-grained synchronization and avoiding such synchronization whenever possible
results in unrivaled performance and scalability.
Unfortunately, this use of fine-grained synchronization is what makes lock-free data structures
also unrivaled in terms of complexity. Indeed, bugs have been discovered in published lock-free
data structures [Doherty et al. 2004a; Michael and Scott 1995]. This confirms the need for formal
proofs of correctness. The de facto standard correctness notion for concurrent data structures is
Authors’ addresses: Roland Meyer, TU Braunschweig, Germany, roland.meyer@tu-bs.de; Sebastian Wolff, TU Braunschweig,
Germany, sebastian.wolff@tu-bs.de.
© 2019 Copyright held by the owner/author(s).
This is the author’s version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version
of Record was published in Proceedings of the ACM on Programming Languages, https://doi.org/10.1145/3290371.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
ar
X
iv
:1
81
0.
10
80
7v
2 
 [c
s.P
L]
  9
 N
ov
 20
18
58:2 Roland Meyer and Sebastian Wolff
linearizability [Herlihy and Wing 1990]. Intuitively, linearizability provides the illusion that the
operations of a data structure appear atomically. Clients of linearizable data structures can thus
rely on a much simpler sequential specification.
Establishing linearizability for lock-free data structures is challenging. The topic has received
considerable attention over the past decade (cf. Section 7). For instance, Doherty et al. [2004b]
give a mechanized proof of a lock-free queue. Such proofs require a tremendous effort and a deep
understanding of the data structure and the verification technique. Automated approaches remove
this burden. Vafeiadis [2010a,b], for instance, verifies singly-linked structures fully automatically.
However, many linearizability proofs rely on a garbage collector. What is still missing are
automated techniques that can handle lock-free data structures with manual memory management.
The major obstacle in automating proofs for such implementations is that lock-free memory
management is rather complicated—in some cases even as complicated as the data structure using
it. The reason for this is that memory deletions need to be deferred until all unsynchronized,
concurrent readers are done accessing the memory. Coping with lock-free memory management
is an active field of research. It is oftentimes referred to as Safe Memory Reclamation (SMR). The
wording underlines its focus on safely reclaiming memory for lock-free programs. This results in
the system design depicted in Figure 1. The clients of a lock-free data structure are unaware of
how it manages its memory. The data structure uses an allocator to acquire memory, for example,
using malloc. However, it does not free the memory itself. Instead, it delegates this task to an SMR
algorithm which defers the free until it is safe. The deferral can be controlled by the data structure
through an API the functions of which depend on the actual SMR algorithm.
Client
LFDS SMR
Allocator
API
malloc free
this paper
Fig. 1. Typical interaction between the
components of a system. Lock-free data
structures (LFDS) perform all their recla-
mation through an SMR component.
In this paper we tackle the challenge of verifying
lock-free data structures which use SMR. To make the
verification tractable, we suggest a compositional ap-
proach which is inspired by the system design from
Figure 1. We observe that the only influence the SMR
implementation has on the data structure are the free
operations it performs. So we introduce SMR specifica-
tions that capture when a free can be executed depend-
ing on the history of invoked SMR API functions. With
such a specification at hand, we can verify that a given
SMR implementation adheres to the specification. More
importantly, it allows for a compositional verification
of the data structure. Intuitively, we replace the SMR
implementation with the SMR specification. If the SMR
implementation adheres to the specification, then the
specification over-approximates the frees of the implementation. Using this over-approximation for
verifying the data structure is sound because frees are the only influence the SMR implementation
has on the data structure.
Although our compositional approach localizes the verification effort, it leaves the verification
tool with a hard task: verifying shared-memory programs with memory reuse. Our second finding
eases this task by taming the complexity of reasoning about memory reuse. We prove sound that it
suffices to consider reusing a single memory location only. This result relies on data structures being
invariant to whether or not memory is actually reclaimed and reused. Intuitively, this requirement
boils down to ABA freedom and is satisfied by data structures from the literature.
To substantiate the usefulness of our approach, we implemented a linearizability checker which
realizes the approaches presented in this paper, compositional verification and reduction of reuse to
a single address. Our tool is able to establish linearizability of well-known lock-free data structures,
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:3
such as Treiber’s stack [Treiber 1986], Michael&Scott’s queue [Michael and Scott 1996], and the
DGLM queue [Doherty et al. 2004b], when using SMR, like Hazard Pointers [Michael 2002] and
Epoch-Based Reclamation [Fraser 2004]. We remark that we needed both results for the benchmarks
to go through. To the best of our knowledge, we are the first to verify lock-free data structures
with SMR fully automatically. We are also the first to automatically verify the DGLM queue with
any manual memory management.
Our contributions and the outline of our paper are summarized as follows:
§4 introduces a means for specifying SMR algorithms and establishes how to perform composi-
tional verification of lock-free data structures and SMR implementations,
§5 presents a sound verification approach which considers only those executions of a program
where at most a single memory location is reused,
§6 evaluates our approach on well-known lock-free data structures and SMR algorithms, and
demonstrates its practicality.
We illustrate our contributions informally in §2, introduce the programing model in §3, discuss
related work in §7, and conclude the paper in §8.
This technical report extends the conference version [Meyer andWolff 2018] with missing details.
For companion material refer to https://wolff09.github.io/TMRexp/.
2 THE VERIFICATION APPROACH ON AN EXAMPLE
The verification of lock-free data structures is challenging due to their complexity. One source
of this complexity is the avoidance of traditional synchronization. This leads to subtle thread
interactions and imposes a severe state space explosion. The problem becomes worse in the absence
of garbage collection. This is due to the fact that lock-free memory reclamation is far from trivial.
Due to the lack of synchronization it is typically impossible for a thread to judge whether or not
certain memory will be accessed by other threads. Hence, naively deleting memory is not feasible.
To overcome this problem, programmers employ SMR algorithms. While this solves the memory
reclamation problem, it imposes a major obstacle for verification. For one, SMR implementations
are oftentimes as complicated as the data structure using it. This makes the already hard verification
of lock-free data structures prohibitive.
We illustrate the above problems on the lock-free queue fromMichael and Scott [1996]. It is a prac-
tical example in that it is used for Java’s ConcurrentLinkedQueue and C++ Boost’s lockfree::queue,
for instance. The implementation is given in Figure 2 (ignore the lines marked by H for a moment).
The queue maintains a NULL-terminated singly-linked list of nodes. New nodes are enqueued at the
end of that list. If the Tail pointer points to the end of the list, a new node is appended by linking
Tail-> next to the new node. Then, Tail is updated to point to the new node. If Tail is not pointing
to the end of the list, the enqueue operation first moves Tail to the last node and then appends a
new node as before. The dequeue operation on the other hand removes nodes from the front of the
queue. To do so, it first reads the data of the second node in the queue (the first one is a dummy node)
and then swings Head to the subsequent node. Additionally, dequeues ensure that Head does not
overtake Tail. Hence, a dequeue operation may have to move Tail towards the end of the list before
it moves Head. It is worth pointing out that threads read from the queue without synchronization.
Updates synchronize on single memory words using atomic Compare-And-Swap (CAS).
In terms of memory management, the queue is flawed. It leaks memory because dequeued nodes
are not reclaimed. A naive fix for this leak would be to uncomment the delete head statement in
Line 40. However, other threads may still hold and dereference pointers to the then deleted node.
Such use-after-free dereference are unsafe. In C/C++, for example, the behavior is undefined and can
result in a system crash due to a segfault.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:4 Roland Meyer and Sebastian Wolff
1 struct Node { data_t data; Node* next; };
2 shared Node* Head , Tail;
3 atomic init() { Head = new Node (); Head ->next = NULL; Tail = Head; }
4 void enqueue(data_t input) {
5 Node* node = new Node ();
6 node ->data = input;
7 node ->next = NULL;
8 while (true) {
9 Node* tail = Tail;
10 H protect(tail , 0);
11 H if (tail != Tail) continue;
12 Node* next = tail ->next;
13 if (tail != Tail) continue;
14 if (next != NULL) {
15 CAS(&Tail , tail , next);
16 continue;
17 }
18 if (CAS(&tail ->next , next , node))
19 break
20 }
21 CAS(&Tail , tail , node);
22 H unprotect (0);
23 }
24 data_t dequeue () {
25 while (true) {
26 Node* head = Head;
27 H protect(head , 0);
28 H if (head != Head) continue;
29 Node* tail = Tail;
30 Node* next = head ->next;
31 H protect(next , 1);
32 if (head != Head) continue;
33 if (next == NULL) return EMPTY;
34 if (head == tail) {
35 CAS(&Tail , tail , next);
36 continue;
37 } else {
38 data_t output = next ->data;
39 if (CAS(&Head , head , next)) {
40 // delete head;
41 H retire(head);
42 H unprotect (0); unprotect (1);
43 return output;
44 } } } }
Fig. 2. Michael&Scott’s non-blocking queue [Michael and Scott 1996] extended with hazard pointers
[Michael 2002] for safe memory reclamation. The modifications needed for using hazard pointers are
marked with H. The implementation requires two hazard pointers per thread.
To avoid both memory leaks and unsafe accesses, programmers employ SMR algorithms like
Hazard Pointers (HP) [Michael 2002]. An example HP implementation is given in Figure 3. Each
thread holds a HPRec record containing two single-writer multiple-reader pointers hp0 and hp1. A
thread can use these pointers to protect nodes it will subsequently access without synchronization.
Put differently, a thread requests other threads to defer the deletion of a node by protecting it.
The deferred deletion mechanism is implemented as follows. Instead of explicitly deleting nodes,
threads retire them. Retired nodes are stored in a thread-local retiredList and await reclamation.
Eventually, a thread tries to reclaim the nodes collected in its list. Therefore, it reads the hazard
pointers of all threads and copies them into a local protectedList. The nodes in the intersection of
the two lists, retiredList∩ protectedList, cannot be reclaimed because they are still protected by
some thread. The remaining nodes, retiredList \ protectedList, are reclaimed.
Note that the HP implementation from Figure 3 allows for threads to join and part dynamically. In
order to join, a thread allocates an HPRec and appends it to a shared list of such records. Afterwards,
the thread uses the hp0 and hp1 fields of that record to issue protections. Subsequent reclaim
invocations of any thread are aware of the newly added hazard pointers since reclaim traverses
the shared list of HPRec records. To part, threads simply unprotect their hazard pointers. They do
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:5
45 struct HPRec { HPRec* next; Node* hp0; Node* hp1; }
46 shared HPRec* Records;
47 threadlocal HPRec* myRec;
48 threadlocal List <Node*> retiredList;
49 atomic init() { Records = NULL; }
50 void join() {
51 myRec = new HPRec ();
52 while (true) {
53 HPRec* rec = Records;
54 myRec ->next = rec;
55 if (CAS(Records , rec , myRec))
56 break;
57 }
58 }
59
60 void part() {
61 unprotect (0); unprotect (1);
62 }
63
64 void protect(Node* ptr , int i) {
65 if (i == 0) myRec ->hp0 = ptr;
66 if (i == 1) myRec ->hp1 = ptr;
67 assert(false);
68 }
69
70 void unprotect(int i) {
71 protect(NULL , i);
72 }
73 void retire(Node* ptr) {
74 if (ptr != NULL)
75 retiredList.add(ptr);
76 if (*) reclaim ();
77 }
78
79 void reclaim () {
80 List <Node*> protectedList;
81 HPRec* cur = Records;
82 while (cur != NULL) {
83 Node* hp0 = cur ->hp0;
84 Node* hp1 = cur ->hp1;
85 protectedList.add(hp0);
86 protectedList.add(hp1);
87 cur = cur ->next;
88 }
89 for (Node* ptr : retiredList) {
90 if (protectedList.contains(ptr))
91 continue;
92 retiredList.remove(ptr);
93 delete ptr;
94 }
95 }
Fig. 3. Simplified hazard pointer implementation [Michael 2002]. Each thread is equipped with two hazard
pointers. Threads can dynamically join and part. Note that the record used to store a thread’s hazard
pointers is not reclaimed upon parting.
not reclaim their HPRec record [Michael 2002]. The reason for this is that reclaiming would yield
the same difficulties that we face when reclaiming in lock-free data structures, as discussed before.
To use hazard pointers with Michael&Scott’s queue we have to modify the implementation to
retire dequeued nodes and to protect nodes that will be accessed without synchronization. The
required modifications are marked by H in Figure 2. Retiring dequeued nodes is straight forward,
as seen in Line 41. Successfully protecting a node is more involved. A typical pattern to do this is
implemented by Lines 26 to 28, for instance. First, a local copy head of the shared pointer Head is
created, Line 26. The node referenced by head is subsequently protected, Line 27. Simply issuing
this protection, however, does not have the intended effect. Another thread could concurrently
execute reclaim from Figure 3. If the reclaiming thread already computed its protectedList, i.e.,
executed reclaim up to Line 89, then it does not see the later protection and thus may reclaim
the node referenced by head. The check from Line 28 safeguards the queue from such situations.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:6 Roland Meyer and Sebastian Wolff
It ensures that head has not been retired since the protection was issued.1 Hence, no concurrent
reclaim considers it for deletion. This guarantees that subsequent dereferences of head are safe.
This pattern exploits a simple temporal property of hazard pointers, namely that a retired node is
not reclaimed if it has been protected continuously since before the retire [Gotsman et al. 2013].
As we have seen, the verification of lock-free data structures becomes much more complex when
considering SMR code. On the one hand, the data structure needs additional logic to properly use
the SMR implementation. On the other hand, the SMR implementation is complex in itself. It is
lock-free (as otherwise the data structure would not be lock-free) and uses multiple lists.
Our contributions make the verification tractable. First, we suggest a compositional verification
technique which allows us to verify the data structure and the SMR implementation separately.
Second, we reduce the impact of memory management for the two new verification tasks. We
found that both contributions are required to automate the verification of data structures like
Michael&Scott’s queue with hazard pointers.
2.1 Compositional Verification
We propose a compositional verification technique. We split up the single, monolithic task of
verifying a lock-free data structure together with its SMR implementation into two separate tasks:
verifying the SMR implementation and verifying the data structure implementation without the
SMR implementation. At the heart of our approach is a specification of the SMR behavior. Crucially,
this specification has to capture the influence of the SMR implementation on the data structure.
Our main observation is that it has none, as we have seen conceptually in Figure 1 and practically in
Figures 2 and 3. More precisely, there is no direct influence. The SMR algorithm influences the data
structure only indirectly through the underlying allocator: the data structure passes to-be-reclaimed
nodes to the SMR algorithm, the SMR algorithm eventually reclaims those nodes using free of the
allocator, and then the data structure can reuse the reclaimed memory with malloc of the allocator.
In order to come up with an SMR specification, we exploit the above observation as follows.We let
the specification define when reclaiming retired nodes is allowed. Then, the SMR implementation is
correct if the reclamations it performs are a subset of the reclamations allowed by the specification.
For verifying the data structure, we use the SMR specification to over-approximate the reclamation
of the SMR implementation. This way we over-approximate the influence the SMR implementation
has on the data structure, provided that the SMR implementation is correct. Hence, our approach is
sound for solving the original verification task.
Towards lightweight SMR specifications, we rely on the insight that SMR implementations,
despite their complexity, implement rather simple temporal properties [Gotsman et al. 2013]. We
have already seen that hazard pointers implement that a retired node is not reclaimed if it has
been protected continuously since before the retire. These temporal properties are incognizant of
the actual SMR implementation. Instead, they reason about those points in time when a call of
an SMR function is invoked or returns. We exploit this by having SMR specifications judge when
reclamation is allowed based on the history of SMR invocations and returns.
For the actual specification we use observer automata. A simplified specification for hazard
pointers is given in Figure 4. The automaton OHP (t ,a, i) is parametrized by a thread t , an address a,
and an integer i. Intuitively, OHP (t ,a, i) specifies when the i-th hazard pointer of t forces a free of
a to be deferred. Technically, the automaton reaches an accepting state if a free is performed that
1The reasoning is a bit more complicated. We discuss this in more detail in Section 5.3.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:7
OHP (t ,a, i)
s1 s2 s3 s4 s5
inv
protect(t, a, i)
ret
protect(t, a, i)
inv
retire(∗, a) free(a)
inv :unprotect(t, i)
Fig. 4. Automaton for specifying negative HP behavior for thread t , address a, and index i. It states that if
a was protected by thread t using hazard pointer i before a is retired by any thread (denoted by ∗), then
freeing a must be deferred. Here, "must be deferred" is expressed by reaching a final state upon a free of a.
should have been deferred. That is, we let observers specify bad behavior. We found this easier
than to formalize the good behavior. For an example, consider the following histories:
h1 = inv :protect(t1,a, 0). ret :protect(t1,a, 0). inv :retire(t2,a). ret :retire(t2,a). free(a) and
h2 = inv :protect(t1,a, 0). inv :retire(t2,a). ret :protect(t1,a, 0). ret :retire(t2,a). free(a) .
History h1 leads OHP (t ,a, i) to an accepting state. Indeed, that a is protected before being retired
forbids a free of a. History h2 does not lead to an accepting state because the retire is issued before
the protection has returned. The free of a can be observed if the threads are scheduled in such a
way that the protection of t1 is not visible while t2 computes its retiredList, as in the scenario
described above for motivating why the check at Line 28 is required.
Now, we are ready for compositional verification. Given an observer, we first check that the SMR
implementation is correct wrt. to that observer. Second, we verify the data structure. To that end,
we strip away the SMR implementation and let the observer execute the frees. More precisely, we
non-deterministically free those addresses which are allowed to be freed according to the observer.
Theorem 2.1 (Proven by Theorem 4.2). Let D(R) be a data structure D using an SMR implemen-
tation R. Let O be an observer. If R is correct wrt. O and if D(O) is correct, then D(R) is correct.
A thorough discussion of the illustrated concepts is given in Section 4.
2.2 Taming Memory Management for Verification
Factoring out the implementation of the SMR algorithm and replacing it with its specification
reduces the complexity of the data structure code under scrutiny. What remains is the challenge
of verifying a data structure with manual memory management. As suggested by Abdulla et al.
[2013]; Haziza et al. [2016] this makes the analysis scale poorly or even intractable. To overcome
this problem, we suggest to perform verification in a simpler semantics. Inspired by the findings
of the aforementioned works we suggest to avoid reallocations as much as possible. As a second
contribution we prove the following theorem.
Theorem 2.2 (Proven by Theorem 5.20). For a sound verification of safety properties it suffices to
consider executions where at most a single address is reused.
The rational behind this theorem is the following. From the literature we know that avoiding
memory reuse altogether is not sound for verification [Michael and Scott 1996]. Put differently,
correctness under garbage collection (GC) does not imply correctness under manual memory
management (MM). The difference of the two program semantics becomes evident in the ABA
problem. An ABA is a scenario where a pointer referencing address a is changed to point to address
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:8 Roland Meyer and Sebastian Wolff
cond ::= p = q | p , q | x = y | x , y | x < y
com ::= p := q | p := q.next | p.next := q | x := op(x1, . . . , xn) | x := q.data
| p.data := x | assert cond | p := malloc | enter func(p¯, x¯) | exit | smr
smr ::= free(p) | . . .
Fig. 5. The syntax of atomic commands. Here, x, y ∈ DVar are data variables, and p, q ∈ PVar are pointer
variables. We write p¯ instead of p1, . . . , pn and similarly for x¯. Besides free, SMR implementations may
use not further specified commands smr .
b and changed back to point to a again. Under MM a thread might erroneously conclude that the
pointer has never changed if the intermediate value was not seen due to a certain interleaving.
Typically, the root of the problem is that address a is removed from the data structure, deleted,
reallocated, and reenters the data structure. Under GC, the exact same code does not suffer from
this problem. A pointer referencing a would prevent it from being reused.
From this we learn that avoiding memory reuse does not allow for a sound analysis due to the
ABA problem. So we want to check with little overhead to a GC analysis whether or not the program
under scrutiny suffers from the ABA problem. If not, correctness under GC implies correctness
under MM. Otherwise, we reject the program as buggy.
To check whether a program suffers from ABAs it suffices to check for first ABAs. Fixing the
address a of such a first ABA allows us to avoid reuse of any address except a while retaining
the ability to detect the ABA. Intuitively, this is the case because the first ABA is the first time
the program reacts differently on a reused address than on a fresh address. Hence, replacing
reallocations with allocations of fresh addresses before the first ABA retains the behavior of the
program.
A formal discussion of the presented result is given in Section 5.
3 PROGRAMSWITH SAFE MEMORY RECLAMATION
We define shared-memory programs that use an SMR library to reclaim memory. Here, we focus
on the program. We leave unspecified the internal structure of SMR libraries (typically, they use
the same constructs as programs), our development does not depend on it. We show in Section 4
how to strip away the SMR implementation for verification.
Memory. A memory m is a partial function m : PExp ⊎ DExp ↛ Adr ⊎ {seg} ⊎ Dom which
maps pointer expressions PExp to addresses from Adr ⊎ {seg} and data expressions DExp to values
from Dom, respectively. A pointer expression is either a pointer variable or a pointer selector:
PExp = PVar ⊎ PSel. Similarly, we have DExp = DVar ⊎ DSel. The selectors of an address a are
a.next ∈ PSel and a.data ∈ DSel. A generalization to arbitrary selectors is straight forward. We
use seg < Adr to denote undefined/uninitialized pointers. We write m(e) = ⊥ if e < dom(m). An
address a is in-use if it is referenced by some pointer variable or if one of its selectors is defined.
The set of such in-use addresses in m is adr(m). For a formal definition refer to Appendix C.1.
Programs. We consider computations of data structures D using an SMR library R, written D(R).
A computation τ is a sequence of actions. An action act is of the form act = (t , com, up). Intuitively,
act states that thread t executes command com resulting in the memory update up. An action stems
either from executing D or from executing functions offered by R.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:9
The commands are given in Figure 5. The commands of D include assignments, memory accesses,
assertions, and allocations with the usual meaning. We make explicit when a thread enters and
exits a library function with enter and exit, respectively. That is, we assume that computations
are well-formed in the sense that no commands from D and all commands from R of a thread occur
between enter and exit. Besides deallocations we leave the commands of R unspecified.
The memory resulting from a computation τ , denoted by mτ , is defined inductively by its
updates. Initially, pointer variables p are uninitialized,mϵ (p) = seg, and data variables x are default
initialized, mϵ (x) = 0. For a computation τ .act with act = (t , com, up) we have mτ .act = mτ [up].
With the memory update m′ = m[e 7→ v] we mean m′(e) = v and m′(e′) = m(e′) for all e′ , e.
Semantics. The semantics of D(R) is defined relative to a set X ⊆ Adr of addresses that may be
reused. It is the set of allowed executions, denoted by [[D(R)]]X . To make the semantics precise,
let fresh(τ ) and freed(τ ) be those sets of addresses which have never been allocated and have been
freed since their last allocation, respectively. (See Appendix C.1 for formal definitions.) Then, the
semantics is defined inductively. In the base case we have the empty execution ϵ ∈ [[D(R)]]X . In the
induction step we have τ .act ∈ [[D(R)]]X if one of the following rules applies.
(Malloc) If act = (t , p := malloc, [p 7→ a,a.next 7→ seg,a.data 7→ d]) where d ∈ Dom is
arbitrary and a ∈ Adr is fresh or available for reuse, that is, a ∈ fresh(τ ) or a ∈ freed(τ ) ∩ X .
(FreePtr) If act = (t , free(p), [a.next 7→ ⊥,a.data 7→ ⊥]) with mτ (p) = a ∈ Adr .
(Enter) If act = (t , enter func(p¯, x¯),) with p¯ = p1, . . . , pk and mτ (pi ) ∈ Adr for all 1 ≤ i ≤ k .
(Exit) If act = (t , exit,).
(Assign1) If act = (t , p := q, [p 7→ mτ (q)]).
(Assign2) If act = (t , p.next := q, [a.next 7→ mτ (q)]) with mτ (p) = a ∈ Adr .
(Assign3) If act = (t , p := q.next, [p 7→ mτ (a.next)]) with mτ (q) = a ∈ Adr .
(Assign4) If act = (t , x := op(y1, . . . , yn), [x 7→ d]) with d = op(mτ (y1), . . . ,mτ (yn)).
(Assign5) If act = (t , p.data := y, [a.data 7→ mτ (y)]) with mτ (p) = a ∈ Adr .
(Assign6) If act = (t , x := q.data, [x 7→ mτ (a.data)]) with mτ (q) = a ∈ Adr .
(Assert) If act = (t , assert lhs ≜ rhs,) if mτ (lhs) ≜ mτ (rhs).
We assume that computations respect the control flow (program order) of threads. The control
location after τ is denoted by ctrl(τ ). We deliberately leave this unspecified as we will express only
properties of the form ctrl(τ ) = ctrl(σ ) to state that after τ and σ the threads can execute the same
commands.
4 COMPOSITIONAL VERIFICATION
Our first contribution is a compositional verification approach for data structures D(R) which use
an SMR library R. The complexity of SMR implementations makes the verification of data structure
and SMR implementation in a single analysis prohibitive. To overcome this problem, we suggest
to verify both implementations independently of each other. More specifically, we (i) introduce
a means for specifying SMR implementations, then (ii) verify the SMR implementation R against
its specification, and (iii) verify the data structure D relative to the SMR specification rather than
the SMR implementation. If both verification tasks succeed, then the data structure using the SMR
implementation, D(R), is correct.
Our approach compares favorably to existing techniques. Manual techniques from the literature
consider a monolithic verification task where both the data structure and the SMR implementaetion
are verfied together [Fu et al. 2010; Gotsman et al. 2013; Krishna et al. 2018; Parkinson et al. 2007; To-
fan et al. 2011]. Consequently, only simple implementations using SMR have been verified. Existing
automated techniques rely on non-standard program semantics and support only simplistic SMR
techniques [Abdulla et al. 2013; Haziza et al. 2016]. Refer to Section 7 for a more detailed discussion.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:10 Roland Meyer and Sebastian Wolff
Towards our result, we first introduce observer automata for specifying SMR algorithms. Then
we discuss the two new verification tasks and show that they imply the desired correctness result.
Observer Automata. An observer automaton O consists of observer locations, observer variables,
and transitions. There is a dedicated initial location and some accepting locations. Transitions are
of the form l−−−−→f (r¯ ), g l′ with observer locations l, l′, event f (r¯ ), and guard g. Events f (r¯ ) consist of a
type f and parameters r¯ = r1, . . . , rn . The guard is a Boolean formula over equalities of observer
variables and the parameters r¯ . An observer state s is a tuple (l,φ) where l is a location and φ
maps observer variables to values. Such a state is initial if l is initial, and similarly accepting if l
is accepting. Then, (l,φ)−−−→f (v¯) (l′,φ) is an observer step, if l−−−−→f (r¯ ), g l′ is a transition and φ(g[r¯ 7→ v¯])
evaluates to true. With φ(g[r¯ 7→ v¯])we mean g where the formal parameters r¯ are replaced with the
actual values v¯ and where the observer variables are replaced by their φ-mapped values. Initially,
the valuation φ is chosen non-deterministically; it is not changed by observer steps.
A history h = f1(v¯1) . . . fn(v¯n) is a sequence of events. We write s−→h s′ if there are steps
s−−−−→f1(v¯1) · · · −−−−→fn (v¯n ) s′. If s′ is accepting, then we say that h is accepted by s. We use observers to
characterize bad behavior. So we say h is in the specification of s, denoted by h ∈ S(s), if it is not
accepted by s. Formally, the specification of s is the set S(s) := {h | ∀s′. s−→h s′ =⇒ s′ not final}
of histories that are not accepted by s. The specification of O is the set of histories that are not
accepted by any initial state of O, S(O) := ⋂{S(s) | s initial}. The cross-product O1 × O2 denotes
an observer with S(O1 × O2) = S(O1) ∩ S(O2).
SMR Specifications. To use observers for specifying SMR algorithms, we have to instantiate appro-
priately the histories they observe. Our instantiation crucially relies on the fact that programmers of
lock-free data structures rely solely on simple temporal properties that SMR algorithms implement
[Gotsman et al. 2013]. These properties are typically incognizant of the actual SMR implementation.
Instead, they allow reasoning about the implementation’s behavior based on the temporal order
of function invocations and responses. With respect to our programming model, enter and exit
actions provided the necessary means to deduce from the data structure computation how the SMR
implementation behaves.
We instantiate observers for specifying SMR as follows. As event types we use (i) func1, . . . , funcn ,
the functions offered by the SMR algorithm, (ii) exit, and (iii) free. The parameters to the events
are (i) the executing thread and the parameters to the call in case of type funci , (ii) the executing
thread for type exit, and (iii) the parameters to the call for type free. Here, type funci represents
the corresponding enter command of a call to funci . The corresponding exit event is uniquely
defined because both funci and exit events contain the executing thread.
For an example, consider the hazard pointer specification OBase ×OHP from Figure 6. It consists of
two observers. First, OBase specifies that no address must be freed that has not been retired. Second,
OHP implements the temporal property that no address must be freed if it has been protected
continuously since before the retire. For observer OBase × OHP we assume that no address is retired
multiple times before being reclaimed (freed) by the SMR implementation. This avoids handling
such double-retire scenarios in the observer, keeping it smaller and simpler. The assumption is
reasonable because in a setting where SMR is used a double-retire is the analogue of a double-free
and thus avoided. Our experiments confirm this intuition.
With an SMR specification in form of an observerOSMR at hand, our task is to checkwhether or not
a given SMR implementation R satisfies this specification. We do this by converting a computation
τ of R into its induced historyH(τ ) and check ifH(τ ) ∈ S(OSMR). The induced historyH(τ ) is a
projection of τ to enter, exit, and free actions. This projection replaces the formal parameters in τ
with their actual values. For example,H(τ .(t , protect(p, x), up)) = H(τ ).protect(t ,mτ (p),mτ (x)).
For a formal definition, consider Appendix C.1. Then, τ satisfies OSMR if H(τ ) ∈ S(OSMR). The
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:11
OBase
s6 s7 s8
free(a), a = v
retire(t, a), a = v
free(a), a = v
(a) Observer specifying that address v may be freed only if it has been retired and not been freed since.
OHP
s9 s10 s11 s12 s13
protect(t, a, i),
t = u ∧ a = v ∧ i = w
exit(t ),
t = u
retire(t, a),
a = v
free(a),
a = v
protect(t, a, i), t = u ∧ a , v ∧ i = w
unprotect(t, i), t = u ∧ i = w
(b) Observer specifying when HP defers frees. A retired cell v may not be freed if it has been protected
continuously by the w-th hazard pointer of thread u since before being retired.
Fig. 6. Observer OBase × OHP characterizes the histories that violate the Hazard Pointer specification.
Three observer variables, u, v, and w, are used to observe a thread, an address, and an integer, respectively.
For better legibility we omit self-loops for every location and every event that is missing an outgoing
transition from that location.
SMR implementation R satisfies OSMR if every possible usage of R produces a computation that
satisfies OSMR. To generate all such computations, we use a most general client (MGC) for R which
concurrently executes arbitrary sequences of SMR functions.
Definition 4.1 (SMR Correctness). An SMR implementation R is correct wrt. a specification OSMR,
denoted by R |= OSMR, if for every τ ∈ [[MGC(R)]]Adr we haveH(τ ) ∈ S(OSMR).
From the above definition follows the first new verification task: prove that the SMR implemen-
tation R cannot possibly violate the specification OSMR. Intuitively, this boils down to a reachability
analysis of accepting states in the cross-product ofMGC(R) and OSMR. Since we can understand R
as a lock-free data structure itself, this task is similar to our next one, namely verifying the data
structure relative to OSMR. In the remainder of the paper we focus on this second task because it is
harder than the first one. The reason for this lies in that SMR implementations typically do not
reclaim the memory they use. This holds true even if the SMR implementation supports dynamic
thread joining and parting [Michael 2002] (cf. part() from Figure 3). The absence of reclamation
allows for a simpler2 and more efficient analysis. We confirm this in our experiments where we
automatically verify the Hazard Pointer implementation from Figure 3 wrt. OBase × OHP .
Compositionality. The next task is to verify the data structure D(R) avoiding the complexity of R.
We have already established correctness of R wrt. a specification OSMR. Intuitively, we now replace
R by OSMR. Because OSMR is an observer, and not program code like R, we cannot just execute
OSMR in place of R. Instead, we remove the SMR implementation from D(R). The result is D(ϵ ) the
computations of which correspond to the ones of D(R) with SMR-specific actions between enter
and exit being removed. To account for the frees that R executes, we introduce environment steps.
2In terms of Section 5, the absence of reclamation results in SMR implementations being free from pointer races and harmful
ABAs since pointers do not become invalid. Intuitively, this allows us to combine our results with ones from Haziza et al.
[2016] and verify the SMR implementation in a garbage-collected semantics.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:12 Roland Meyer and Sebastian Wolff
We non-deterministically check for every address a whether or not OSMR allows freeing it. If so,
we free the address. Formally, the semantics [[D(OSMR)]]X corresponds to [[D(ϵ )]]X as defined in
Section 3 plus a new rule for frees from the environment.
(Free) If τ ∈ [[D(ϵ )]]X and a ∈ Adr can be freed, i.e., H(τ ).free(a) ∈ S(OSMR), then we have
τ .act ∈ [[D(ϵ )]]X with act = (t , free(a), [a.next 7→ ⊥,a.data 7→ ⊥]).
Note that free(a) from the environment has the same update as free(p) from R if p points to a.
With this definition, D(OSMR) performs more frees than D(R) provided R |= OSMR.
With the semantics of data structures with respect to an SMR specification rather than an SMR
implementation set up, we can turn to the main result of this section. It states that the correctness
of R wrt. OSMR and the correctness of D(OSMR) entail the correctness of the original program D(R).
Here, we focus on the verification of safety properties. It is known that this reduces to control
location reachability [Vardi 1987]. So we can assume that there is a dedicated bad control location
in D the unreachability of which is equivalent to the correctness of D(R). To establish the result, we
require that the interaction between D and R follows the one depicted in Figure 1 and discussed on
an example in Section 2. That is, the only influence R has on D are frees. In particular, this means
that R does not modify the memory accessed by D. We found this restriction to be satisfied by
many SMR algorithms from the literature. We believe that our development can be generalized
to reflect memory modifications performed by the SMR algorithm. A proper investigation of the
matter, however, is beyond the scope of this paper.
Theorem 4.2 (Compositionality). Let R |= OSMR. If [[D(OSMR)]]Adr is correct, so is [[D(R)]]Adr .
For the technical details of the above result, see Appendix C.2.
Compositionality is a powerful tool for verification. It allows us to verify the data structure and
the SMR implementation independently of each other. Although this simplifies the verification,
reasoning about lock-free programs operating on a shared memory remains hard. In Section 5 we
build upon the above result and propose a sound verification of [[D(OSMR)]]Adr which considers
only executions reusing a single addresses.
5 TAMING MEMORY REUSE
As a second contribution we demonstrate that one can soundly verify a data structure D(OSMR) by
considering only those computations where at most a single cell is reused. This avoids the need for
a state space exploration of full [[D(OSMR)]]Adr . Such explorations suffer from a severe state space
explosion. In fact, we were not able to make our analysis from Section 6 go through without this
second contribution. Previous works [Abdulla et al. 2013; Haziza et al. 2016; Holík et al. 2017] have
not required such a result since they did not consider fully fledged SMR implementations like we
do. For a thorough discussion of related work refer to Section 7.
Our results are independent of the actual safety property and the actual observer OSMR specifying
the SMR algorithm. To achieve this, we establish that for every computation from [[D(OSMR)]]Adr
there is a similar computation which reuses only a single address. We construct such a similar
computation by eliding reuse in the original computation. With elision we mean that we replace in
a computation a freed address with a fresh one. This allows a subsequent allocation to malloc the
elided address fresh instead of reusing it. Our notion of similarity makes sure that in both computa-
tions the threads reach the same control locations. This allows for verifying safety properties.
The remainder of the section is structured as follows. Section 5.1 introduces our notion of
similarity. Section 5.2 formalizes requirements on D(OSMR) such that the notion of similarity
suffices to prove the desired result. Section 5.3 discusses how the ABA problem can affect soundness
of our approach and shows how to detect those cases. Section 5.4 presents the reduction result.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:13
5.1 Similarity of Computations
Our goal is to mimic a computation τ where memory is reused arbitrarily with a computation
σ where memory reuse is restricted. As noted before, we want that the threads in τ and σ reach
the same control locations in order to verify safety properties of τ in σ . We introduce a similarity
relation among computations such that τ and σ are similar if they can execute the same actions.
This results in both reaching the same control locations as desired. However, control location
equality alone is insufficient for σ to mimic subsequent actions of τ , that is, to preserve similarity
for subsequent actions. This is because most actions involve memory interaction. Since σ reuses
memory differently than τ , the memory of the two computations is not equal. Similarity requires a
non-trivial correspondence wrt. the memory. Towards a formal definition let us consider an example.
Example 5.1. Let τ1 be a computation of a data structure D(OBase × OHP ) using hazard pointers:
τ1 = (t , p := malloc, [p 7→ a, . . . ]). (t , retire(p),). (t , free(a), [. . . ]). (t , exit,).
(t , q := malloc, [q 7→ a, . . . ]) .
In this computation, thread t uses pointer p to allocate address a. The address is then retired and
freed. In the subsequent allocation, t acquires another pointer q to a; a is reused.
If σ1 is a computation where a shall not be reused, then σ1 is not able to execute the exact same
sequence of actions as τ1. However, it can mimic τ1 as follows:
σ1 = (t , p := malloc, [p 7→ b, . . . ]). (t , retire(p),). (t , free(b), [. . . ]). (t , exit,).
(t , q := malloc, [q 7→ a, . . . ]) ,
where σ1 coincides with τ1 up to replacing the first allocation of a with another address b. We say
that σ1 elides the reuse of a. Note that the memories of τ1 and σ1 differ on p and agree on q.
In the above example, p is a dangling pointer. Programmers typically avoid using such pointers
because it is unsafe. For a definition of similarity, this practice suggests that similar computations
must coincide only on the non-dangling pointers and may differ on the dangling ones. To make
precise which pointers in a computation are dangling, we use the notion of validity. That is, we
define a set of valid pointers. The dangling pointers are then the complement of the valid pointers.
We take this detour because we found it easier to formalize the valid pointers.
Initially, no pointer is valid. A pointer becomes valid if it receives its value from an allocation or
another valid pointer. A pointer becomes invalid if its referenced memory location is deleted or it
receives its value from an invalid pointer. A deletion of a memory cell makes invalid its pointer
selectors and all pointers to that cell. A subsequent reallocation of that cell makes valid only the
receiving pointer; all other pointers to that cell remain invalid. Assertions of the form p = q validate
p if q is valid, and vice versa. A formal definition of the valid pointers in a computation τ , denoted
by validτ , can be found in Appendix C.3.
Example 5.2 (Continued). In both τ1 and σ1 from the previous example, the last allocation renders
valid pointer q. On the other hand, the free to a in τ1 renders p invalid. The reallocation of a does
not change the validity of p, it remains invalid. In σ1, address b is allocated and freed rendering p
invalid. It remains invalid after the subsequent allocation of a. That is, both τ1 and σ1 agree on the
validity of q and the invalidity of p. Moreover, τ1 and σ1 agree on the valuation of the valid q and
disagree (here by chance) on the valuation of the invalid p.
The above example illustrates that eliding reuse of memory leads to a different memory valuation.
However, the elision can be performed in such a way that the valid memory is not affected. So we say
that two computations are similar if they agree on the resulting control locations of threads and the
valid memory. The valid memory includes the valid pointer variables, the valid pointer selectors, the
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:14 Roland Meyer and Sebastian Wolff
data variables, and the data selectors of addresses that are referenced by a valid pointer variable/se-
lector. Formally, this is a restriction of the entire memory to the valid pointers, written mτ |validτ .
Definition 5.3 (Restrictions). A restriction of m to a set P ⊆ PExp, denoted by m|P , is a new m′
with dom(m′) := P ∪ DVar ∪ {a.data ∈ DExp | a ∈ m(P)} and m(e) = m′(e) for all e ∈ dom(m′).
We are now ready to formalize the notion of similarity among computations. Two computations
are similar if they agree on the control location of threads and the valid memory.
Definition 5.4 (Computation Similarity). Two computations τ and σ are similar, denoted by τ ∼ σ ,
if ctrl(τ ) = ctrl(σ ) and mτ |validτ = mσ |validσ .
If two computations τ and σ are similar, then each action enabled after τ can be mimicked in σ .
An action act = (t , com, up) can be mimicked by another action act ′ = (t , com, up′). Both actions
agree on the executing thread and the executed command but may differ in the memory update.
The reason for this is that similarity does not relate the invalid parts of the memory. This may give
another update in σ if com involves invalid pointers.
Example 5.5 (Continued). Consider the following continuation of τ1 and σ1:
τ2 = τ1 . (t , p := p, up) and σ2 = σ1 . (t , p := p, up′) ,
wherewe append an assignment of p to itself. The prefixes τ1 andσ1 are similar, τ1 ∼ σ1. Nevertheless,
the updates up and up′ differ because they involve the valuation of the invalid pointer p which
differs in τ1 and σ1. The updates are up = [p 7→ a] and up′ = [p 7→ b]. Since the assignment leaves
p invalid, similarity is preserved by the appended actions, τ2 ∼ σ2. We say that act ′ mimics act.
Altogether, similarity does not guarantee that the exact same actions are executable. It guarantees
that every action can be mimicked such that similarity is preserved.
In the above we omitted an integral part of the program semantics. Memory reclamation is not
based on the control location of threads but on an observer examining the history induced by a
computation. The enabledness of a free is not preserved by similarity. On the one hand, this is
due to the fact that invalid pointers can be (and in practice are) used in SMR calls which lead to
different histories. On the other hand, similar computations end up in the same control location but
may perform different sequences of actions to arrive there, for instance, execute different branches
of conditionals. That is, to mimic free actions we need to correlate the behavior of the observer
rather than the behavior of the program. We motivate the definition of an appropriate relation.
Example 5.6 (Continued). Consider the following continuation of τ2 and σ2:
τ3 = τ2 . (t , protect(p, i),). (t , exit,). (t , retire(q),). (t , exit,)
and σ3 = σ2 . (t , protect(p, i),). (t , exit,). (t , retire(q),). (t , exit,) ,
where t issues a protection and a retirement using p and q, respectively. The histories induced by
those computations are:
H(τ3) = H(τ1) . protect(t ,a, i). exit(t). retire(t ,a). exit(t)
and H(σ3) = H(σ1). protect(t ,b, i). exit(t). retire(t ,a). exit(t) .
Recall that τ2 and σ2 are similar. Similarity guarantees that the events of the retire call coincide
because q is valid. The events of the protect call differ because the valuations of the invalid p differ.
That is, SMR calls do not necessarily emit the same event in similar computations. Consequently,
the observer states after τ3 and σ3 differ. More precisely, OHP from Figure 6b has the following runs
from the initial observer state (l9,φ) with φ = {u 7→ t , v 7→ a,w 7→ i}:
(l9,φ)−−−−→H(τ1) (l9,φ)−−−−−−−−−−→protect(t,a, i) (l10,φ)−−−−−→exit(t ) (l11,φ)−−−−−−−−→retire(t,a) (l12,φ)−−−−−→exit(t ) (l12,φ)
and (l9,φ)−−−−→H(σ1) (l9,φ)−−−−−−−−−−→protect(t,b, i) (l9,φ) −−−−−→exit(t ) (l9,φ) −−−−−−−−→retire(t,a) (l9,φ) −−−−−→exit(t ) (l9,φ) .
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:15
This prevents a from being freed after τ3 (a free(a) would lead to the final state (l13,φ) and is thus
not enabled) but allows for freeing it after σ3.
The above example shows that eliding memory addresses to avoid reuse changes observer runs.
The affected runs involve freed addresses. Like for computation similarity, we define a relation
among computations which captures the observer behavior on the valid addresses, i.e., those
addresses that are referenced by valid pointers, and ignores all other addresses. Here, we do not use
an equivalence relation. That is, we do not require observers to reach the exact same state for valid
addresses. Instead, we express that the mimicking σ allows for more observer behavior on the valid
addresses than the mimicked τ does. We define an observer behavior inclusion among computations.
This is motivated by the above example. There, address a is valid because it is referenced by a valid
pointer, namely q. Yet the observer runs for a differ in τ3 and σ3. After σ3 more behavior is possible;
σ3 can free a while τ3 cannot.
To make this intuition precise, we need a notion of behavior on an address. Recall that the goal of
the desired behavior inclusion is to enable us to mimic frees. Intuitively, the behavior allowed by
OSMR on address a is the set of those histories that lead to a free of a.
Definition 5.7 (Observer Behavior). The behavior allowed by OSMR on address a after history h is
the set F (h, a) := {h′ | h.h′ ∈ S(OSMR) ∧ frees(h′) ⊆ a}.
Note that h′ ∈ F (h, a) contains free events for address a only. This is necessary because an
address may become invalid before being freed if, for instance, the address becomes unreachable
from valid pointers. The mimicking computation σ may have already freed such an address while
τ has not, despite similarity. Hence, the free is no longer allowed after σ but still possible after τ .
To prevent such invalid addresses from breaking the desired inclusion on valid addresses, we strip
from F (h, a) all frees that do not target a. Note that we do not even retain frees of valid addresses
here. This way, only actions which emit an event influence F (h, a).
The observer behavior inclusion among computations is defined such that σ includes at least the
behavior of τ on the valid addresses. Formally, the valid addresses in τ are adr(mτ |validτ ).
Definition 5.8 (Observer Behavior Inclusion). Computation σ includes the (observer) behavior of τ ,
denoted by τ ⋖σ , if F (τ , a) ⊆ F (σ , a) holds for all a ∈ adr(mτ |validτ ).
5.2 Preserving Similarity
The development in Section 5.1 is idealized. There are cases where the introduced relations do not
guarantee that an action can be mimicked. All such cases have in common that they involve the
usage of invalid pointers. More precisely, (i) the computation similarity may not be strong enough
to mimic actions that dereference invalid pointers, and (ii) the observer behavior inclusion may
not be strong enough to mimic calls involving invalid pointers. For each of those cases we give an
example and restrict our development. We argue throughout this section that our restrictions are
reasonable. Our experiments confirm this. We begin with the computation similarity.
Example 5.9 (Continued). Consider the following continuation of τ3 and σ3:
τ4 = τ3 . (t , q.next := q, [a.next 7→ a]). (t , p.next := p, [a.next 7→ a])
and σ4 = σ3 . (t , q.next := q, [a.next 7→ a]). (t , p.next := p, [b .next 7→ b]) .
The first appended action updates a.next in both computations to a. Since q is valid after both
τ3 and σ3 this assignment renders valid a.next. The second action assigns to a.next in τ4. This
results in a.next being invalid after τ4 because the right-hand side of the assignment is the invalid
p. In σ4 the second action updates b .next which is why a.next remains valid. That is, the valid
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:16 Roland Meyer and Sebastian Wolff
memories of τ4 and σ4 differ. We have executed an action that cannot be mimicked on the valid
memory despite the computations being similar.
The problem in the above example is the dereference of an invalid pointer. The computation
similarity does not give any guarantees about the valuation of such pointers. Consequently, it
cannot guarantee that an action using invalid pointers can be mimicked. To avoid such problems,
we forbid programs to dereference invalid pointers.
The rational behind this is as follows. Recall that an invalid pointer is dangling. That is, the
memory it references has been freed. If the memory has been returned to the underlying operating
system, then a subsequent dereference is unsafe, that is, prone to a system crash due to a segfault.
Hence, such dereferences should be avoided. The dereference is only safe if the memory is guar-
anteed to be accessible. To decide this, the invalid pointer needs to be compared with a definitely
valid pointer. As we mentioned in Section 5.1, such a comparison renders valid the invalid pointer.
This means that dereferences of invalid pointers are always unsafe. We let verification fail if unsafe
accesses are performed. That performance-critical and lock-free code is free from unsafe accesses
was validated experimentally by Haziza et al. [2016] and is confirmed by our experiments.
Definition 5.10 (Unsafe Access). A computation τ .(t , com, up) performs an unsafe access if com
contains p.data or p.next with p < validτ .
Forbidding unsafe accesses makes the computation similarity strong enough to mimic all desired
actions. A discussion of cases where the observer behavior inclusion cannot be preserved is in
order. We start with an example.
Example 5.11 (Continued). Consider the following continuations of τ1 and σ1 from Example 5.1:
τ5 = τ1 . (t , retire(p),) with H(τ5) = H(τ1) . retire(t ,a)
and σ5 = σ1 . (t , retire(p),) with H(σ5) = H(σ1). retire(t ,b) .
The observer behavior of τ1 is included in σ1, τ1 ⋖σ1. After τ5 a deletion of a is possible because it
was retired. After σ5 a deletion of a is prevented by OBase because a was not retired. Technically,
we have free(a) ∈ F (τ5, a) and free(a) < F (σ5, a). However, a is a valid address because it is
referenced by the valid pointer q. That is, the behavior inclusion among τ1 and σ1 is not preserved
by the subsequent action.
The above example showcases that calls to the SMR algorithm can break the observer behavior
inclusion. This is the case because an action can emit different events in similar computations. The
event emitted by an SMR call differs only if it involves invalid pointers.
The naive solution would prevent using invalid pointers in calls altogether. In practice, this is
too strong a requirement. As discussed in Section 2, a common pattern for protecting an address
(cf. Figure 2, Lines 26 to 28) is to (i) read a pointer p into a local variable q, (ii) issue a protection using
q, and (iii) repeat the process if p and q do not coincide. After reading into q and before protecting
q the referenced memory may be freed. Hence, the protection is prone to use invalid pointers.
Forbidding such protections would render our theory inapplicable to lock-free data structures using
hazard pointers.
To fight this problem, we forbid only those calls involving invalid pointers which are prone
to break the observer behavior inclusion. Intuitively, this is the case if a call with the values of
the invalid pointers replaced arbitrarily allows for more behavior on the valid addresses than the
original call. Actually, we keep precise the address the behavior of which is under consideration.
This allows us to support more scenarios where invalid pointers are used.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:17
Definition 5.12 (Racy SMRCalls). A computationτ .act with act = (t , enterfunc(p¯, x¯),),H(τ ) = h,
mτ (p¯) = a¯, and mτ (x¯) = d¯ performs a racy call if:
∃ c ∃ b¯ . (∀i . (ai = c ∨ pi ∈ validτ ) =⇒ ai = bi ) ∧ F (h.func(t , b¯, d¯), c) ⊈ F (h.func(t , a¯, d¯), c) .
It follows immediately that calls containing valid pointers only are not racy. In practice, retire
is always called using valid pointers, thus avoiding the problematic scenario from Example 5.11. The
rational behind this is that freeing invalid pointers may lead to system crashes, just like dereferences.
For protect calls of hazard pointers one can show that they never race. We have already seen
this in Example 5.6. There, a call to protect with invalid pointers has not caused the observer
relation to break. Instead, the mimicking computation (σ3) could perform (strictly) more frees than
the computation it mimicked (τ3).
We uniformly refer to the above situations where the usage of an invalid pointer can break the
ability to mimic an actions as a pointer race. It is a race indeed because the usage and the free of a
pointer are not properly synchronized.
Definition 5.13 (Pointer Race). A computation τ .act is a pointer race if act performs (i) an unsafe
access, or (ii) a racy SMR call.
With pointer races we restrict the class of supported programs. The restriction to pointer race
free programs is reasonable in that we can handle common non-blocking data structures from the
literature as shown in our experiments. Since we want to give the main result of this section in a
general fashion that does not rely on the actual observer used to specify the SMR implementation,
we have to restrict the class of supported observers as well.
We require that the observer supports the elision of reused addresses, as done in Example 5.1.
Intuitively, elision is a two-step process the observer must be insensitive to. First, an address a is
replaced with a fresh address b upon an allocation where a should be reused but cannot. In the
resulting computation, a is fresh and thus the allocation can be performed without reusing a. The
process of replacing a with b must not affect the behavior of the observer on addresses other than a
and b. Second, the observer must allow for more behavior on the fresh address than on the reused
address. This is required to preserve the observer behavior inclusion because the allocation of a
renders it a valid address.
Additionally, we require a third property: the observer behavior on an address must not be
influenced by frees to another address. This is needed because computation similarity and behavior
inclusion do not guarantee that frees of invalid addresses can be mimicked, as discussed before.
Since such frees do not affect the valid memory they need not be mimicked. The observer has to
allow us to do so, that is, simply skip such frees when mimicking a computation.
For a formal definition of our intuition we write h[a/b] to denote the history that is constructed
from h by replacing every occurrence of a with b (cf. Appendix C.3).
Definition 5.14 (Elision Support). The observer OSMR supports elision of memory reuse if
(i) for all h1,h2,a,b, c with a , c , b and h2 = h1[a/b] we have F (h1, c) = F (h2, c),
(ii) for all h1,h2,a,b with F (h1, a) ⊆ F (h2, a) and b ∈ fresh(h2) we have F (h1, b) ⊆ F (h2, b), and
(iii) for all h,a,b with a , b we have F (h.free(a), b) = F (h, b).
We found this definition practical in that the observers we use for our experiments support
elision (cf. Section 6.1). The hazard pointer observer OBase × OHP , for instance, supports elision.
5.3 Detecting ABAs
So far we have introduced restrictions, namely pointer race freedom and elision support, to rule
out cases where our idea of eliding memory reuse would not work, that is, break the similarity or
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:18 Roland Meyer and Sebastian Wolff
behavior inclusion. If those restrictions were strong enough to carry out our development, then
we could remove any reuse from a computation and get a similar one where no memory is reused.
That the resulting computation does not reuse memory means, intuitively, that it is executed under
garbage collection. As shown in the literature [Michael and Scott 1996], the ABA problem is a
subtle bug caused by manual memory management which is prevented by garbage collection. So
eliding all reuses jeopardizes soundness of the analysis—it could miss ABAs which result in a safety
violation. With this observation, we elide all reuses except for one address per computation. This
way we analyse a semantics that is close to garbage collection, can detect ABA problems, and is
much simpler than full [[D(OSMR)]]Adr .
The semantics that we suggest to analyse is [[D(OSMR)]]one := ⋃a∈Adr [[D(OSMR)]]{a } . It is the
set of all computations that reuse at most a single address. A single address suffices to detect the
ABA problem. The ABA problem manifests as an assertion of the form assert p = q where the
addresses held by p and q coincide but stem from different allocations. That is, one of the pointers
has received its address, the address was freed and then reallocated, before the pointer is used in
the assertion. Note that this implies that for an assertion to be ABA one of the involved pointers
must be invalid. Pointer race freedom does not forbid this. Nor do we want to forbid such assertions.
In fact, most programs using hazard pointers contain ABAs. They are written in a way that ensures
that the ABA is harmless. Consider an example.
Example 5.15 (ABAs in Michael&Scott’s queue using hazard pointers). Consider the code of
Michael&Scott’s queue from Figure 2. More specifically, consider Lines 26 to 28. In Line 26 the
value of the shared pointer Head is read into the local pointer head. Then, a hazard pointer is used
in Line 27 to protect head from being freed. In between reading and protecting head, its address
could have been deleted, reused, and reentered the queue. That is, when executing Line 28 the
pointers Head and head can coincide although the head pointer stems from an earlier allocation. This
scenario is an ABA. Nevertheless, the queue’s correctness is not affected by this ABA. The ABA
prone assertion is only used to guarantee that the address protected in Line 27 is indeed protected
after Line 28. Wrt. to the observer OHP from Figure 6, the assertion guarantees that the protection
was issued before a retirement (after the latest reallocation) so that OHP is guaranteed to be in l11
and thus prevent future retirements from freeing the protected memory. The ABA does not void
this guarantee, it is harmless.
The above example shows that lock-free data structures may perform ABAs which do not affect
their correctness. To soundly verify such algorithms, our approach is to detect every ABA and
decide whether it is harmless indeed. If so, our verification is sound. Otherwise, we report to the
programmer that the implementation suffers from a harmful ABA problem.
A discussion of how to detect ABAs is in order. Let τ ∈ [[D(OSMR)]]Adr and σ ∈ [[D(OSMR)]]{a } be
two similar computations. Intuitively, σ is a computation which elides the reuses from τ except
for some address a. The address a can be used in σ in exactly the same way as it is used in τ . Let
act = (t , assert p = q,) be an ABA assertion which is enabled after τ . To detect this ABA under
[[D(OSMR)]]{a } we need act to be enabled after σ . We seek to have σ .act ∈ [[D(OSMR)]]{a } . This is
not guaranteed. Since act is an ABA it involves at least one invalid pointer, say p. Computation
similarity does not guarantee that p has the same valuation in both τ and σ . However, if p points
to a in τ , then it does so in σ because a is (re)used in σ in the same way as in τ . Thus, we end
up with mτ (p) = mσ (p) although p is invalid. In order to guarantee this, we introduce a memory
equivalence relation. We use this relation to precisely track how the reusable address a is used.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:19
Definition 5.16 (Memory Equivalence). Two computations τ and σ are memory equivalent wrt.
address a, denoted by τ ≃a σ , if
∀ p ∈ PVar . mτ (p) = a ⇐⇒ mσ (p) = a
and ∀b ∈ mτ (validτ ). mτ (b .next) = a ⇐⇒ mσ (b .next) = a
and a ∈ fresh(τ ) ∪ freed(τ ) ⇐⇒ a ∈ fresh(σ ) ∪ freed(σ )
and F (τ , a) ⊆ F (σ , a) .
The first line in this definition states that the same pointer variables in τ and σ are pointing to a.
Similarly, the second line states this for the pointer selectors of valid addresses. We have to exclude
the invalid addresses here because τ and σ may differ on the in-use addresses due to eliding reuse.
The third line states that a can be allocated in τ iff it can be allocated in σ . The last line states that
the observer allows for more behavior on a in σ than in τ . These properties combined guarantee
that σ can mimic actions of τ involving a no matter if invalid pointers are used.
The memory equivalence lets us detect ABAs in [[D(OSMR)]]one . Intuitively, we can only detect
first ABAs because we allow for only a single address to be reused. Subsequent ABAs on different
addresses cannot be detected. To detect ABA sequences of arbitrary length, an arbitrary number
of reusable addresses is required. To avoid this, i.e., to avoid an analysis of full [[D(OSMR)]]Adr , we
formalize the idea of harmless ABA from before. We say that an ABA is harmless if executing it
leads to a system state which can be explored without performing the ABA. That the system state
can be explored without performing the ABA means that every ABA is also a first ABA. Thus,
any sequence of ABAs is explored by considering only first ABAs. Note that this definition is
independent of the actual correctness notion.
Definition 5.17 (Harmful ABA). [[D(OSMR)]]one is free from harmful ABAs if the following holds:
∀σa .act ∈ [[D(OSMR)]]{a } ∀σb ∈ [[D(OSMR)]]{b } ∃σ ′b ∈ [[D(OSMR)]]{b } .
σa ∼ σb ∧ act = (_, assert _, _) =⇒ σa .act ∼ σ ′b ∧ σb ≃b σ ′b ∧ σa .act ⋖σ ′b .
To understand how the definition implements our intuition, consider some τ .act ∈ [[D(OSMR)]]Adr
where act performs an ABA on address a. Our goal is to mimic τ .act in [[D(OSMR)]]{b } , that is, we
want to mimic the ABA without reusing address a (for instance, to detect subsequent ABAs on
address b). Assume we are given some σb ∈ [[D(OSMR)]]{b } which is similar and memory equivalent
wrt. b to τ . This does not guarantee that act can be mimicked after σb ; the ABA may not be enabled
because it involves invalid pointers the valuation of which may differ in τ and σb . However, we can
construct a computation σa which is similar and memory equivalent wrt. a to τ . After σa the ABA is
enabled, i.e., we have σa .act ∈ [[D(OSMR)]]{a } . For those two computations σa .act and σb we invoke
the above definition. It yields another computation σ ′b ∈ [[D(OSMR)]]{b } which, intuitively, coincides
with σb but where the ABA has already been executed. Put differently, σ ′b is a computation which
mimics the execution of act after σb (although act is not enabled).
Example 5.18 (Continued). Consider the following computation of Michael&Scott’s queue:
τ = τ6 . (t , head := Head, [head 7→ a]).τ7 . free(a).τ8 .
(t , enter protect(head, 0),). (t , exit,). (t , assert head = Head,) .
This computation resembles a thread t executing Lines 26 to 28 while an interferer frees address a
referenced by head. Note that the assert resembles the conditional from Line 28 and states that
the condition evaluates to true. That is, the last action in τ is an ABA.
Reusing address a allows us to mimic τ with a computation σa ∈ [[D(OSMR)]]{a } which detects the
ABA. For simplicity, assume τ = σa . Mimicking τ with another computation σb ∈ [[D(OSMR)]]{b } is
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:20 Roland Meyer and Sebastian Wolff
not possible. In σb ∈ [[D(OSMR)]]{b } the first allocation of a will be elided such that the assertion is
not enabled. However, rescheduling the actions gives rise to σ ′b ∈ [[D(OSMR)]]{b } which coincides
with σb but where the assertion has also been executed:
σ ′b = τ6 .τ7 . free(a).τ8 . (t , head := Head, [head 7→ a]).
(t , enter protect(head, 0),). (t , exit,). (t , assert head = Head,) .
Requiring the existence of such a σ ′b guarantees that an analysis can see past ABAs on address a,
although a is not reused.
A key aspect of the above definition is that checking for harmful ABAs can be done in the simpler
semantics [[D(OSMR)]]one . Altogether, this means that we can rely on [[D(OSMR)]]one for both the
actual analysis and a soundness (absence of harmful ABAs) check. Our experiments show that the
above definition is practical. There were no harmful ABAs in the benchmarks we considered.
5.4 Reduction Result
We show how to exploit the concepts introduced so far to soundly verify safety properties in the
simpler semantics [[D(OSMR)]]one instead of full [[D(OSMR)]]Adr .
Lemma 5.19. Let [[D(OSMR)]]one be free from pointer races and harmful ABAs, and let OSMR support
elision. For all τ ∈ [[D(OSMR)]]Adr and a ∈Adr there is σ ∈ [[D(OSMR)]]{a } with τ ∼σ , τ ⋖σ , and τ ≃a σ .
Proof Sketch. We construct σ inductively by mimicking every action from τ and eliding reuses
as needed. For the construction, consider τ .act ∈ [[D(OSMR)]]Adr and assume we have already
constructed, for every a ∈ Adr , an appropriate σa ∈ [[D(OSMR)]]{a } . Consider some address a ∈ Adr .
The task is to mimic act in σa . If act is an assignment or an SMR call, then pointer race freedom
guarantees that we can mimic act by executing the same command with a possibly different update.
We discussed this in Section 5.2. The interesting cases are ABAs, frees, and allocations.
First, consider the case where act executes an ABA assertion assert p = q. That the assertion is
an ABA means that at least one of the pointers is invalid, say p. That is, act may not be enabled
after σa . Let p point to b in τ . By induction, we have already constructed σb for τ . The ABA is
enabled after σb . This is due to τ ≃b σb . It implies that p points to b in τ iff p points to b in σb
(independent of the validity), and likewise for q. That is, the comparison has the same outcome
in both computations. Now, we can exploit the absence of harmful ABAs to find a computation
mimicking τ .act for a. Applying Definition 5.17 to σb .act and σa yields some σ ′a that satisfies the
required properties.
Second, consider the case of act performing a free(b). If act is enabled after σa nothing needs
to be shown. In particular, this is the case if b is a valid address or a = b. Otherwise, b must be
an invalid address. Freeing an invalid address does not change the valid memory. It also does not
change the control location of threads as frees are performed by the environment. Hence, we have
τ .act ∼ σa . By the definition of elision support, Definition 5.14iii, the free does not affect the
behavior of the observer on other addresses. So we get τ .act ⋖σa . With the same arguments we
conclude τ .act ≃a σa . That is, we do not need to mimic frees of invalid addresses.
Last, consider act executing an allocation p := malloc of address b. If b is fresh in σa or a = b,
then act is enabled. The allocation makes b a valid address. That ⋖ holds for this address follows
from elision support, Definition 5.14ii. Otherwise, act is not enabled because b cannot be reused.
We replace in σa every occurrence of b with a fresh address c . Let us denote the result with σa[b/c].
Relying on elision support, Definition 5.14i, one can show σa ≺ σa[b/c] and thus τ ≺ σa[b/c] for
all ≺ ∈ {∼,⋖,≃a}. Since b is fresh in σa[b/c], we conclude by enabledness of act. □
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:21
From the above follows the second result of the paper. It states that for every computation there
is a similar one which reuses at most a single address. Since similarity implies control location
equality, our result allows for a much simpler verification of safety properties. We stress that the
result is independent of the actual observer used.
Theorem 5.20. If [[D(OSMR)]]one is pointer race free, supports elision, and is free from harmful ABAs,
then [[D(OSMR)]]Adr ∼ [[D(OSMR)]]one .
One can generalize the above results to a strictly weaker premise, see Appendix C.4. For the
proofs of the above results, refer to Appendix D.
6 EVALUATION
We implemented our approach in a tool. It is a thread-modular analysis for (i) verifying linearizability
of singly-linked lock-free data structures using SMR specifications, and (ii) verifying SMR imple-
mentations against their specification. In the following, we elaborate on the SMR implementations
used for our benchmarks and the implemented analysis, and evaluate our tool.
6.1 SMR Algorithms
For our experiments, we consider two well-known SMR algorithms: Hazard Pointers (HP) and Epoch-
Based Reclamation (EBR). Additionally, we include as a baseline for our experiments a simplistic GC
SMR algorithm which does not allow for memory to be reclaimed. We already introduced HP and
gave a specification (cf. Figure 6) in form of the observer OBase × OHP . We briefly introduce EBR.
Epoch-based reclamation [Fraser 2004] relies on two assumption: (i) threads cannot have pointers
to any node of the data structure in-between operation invocations, and (ii) nodes are retired only
after being removed from the data structure, i.e., after being made unreachable from the shared
variables. Those assumptions imply that no thread can acquire a pointer to a removed node if every
thread has been in-between an invocation since the removal. So it is safe to delete a retired node
if every thread has been in-between an invocation since the retire. Technically, EBR introduces
epoch counters, a global one and one for each thread. Similar to hazard pointers, thread epochs
are single-writer multiple-reader counters. Whenever a thread invokes an operation, it reads the
global epoch e and announces this value by setting its thread epoch to e . Then, it scans the epochs
announced by the other threads. If they all agree on e , the global epoch is set to e + 1. The fact that
all threads must have announced the current epoch e for it to be updated to e + 1 means that all
threads have invoked an operation after the epoch was changed from e − 1 to e . That is, all threads
have been in-between invocations. Thus, deleting nodes retired in the global epoch e − 1 becomes
safe from the moment when the global epoch is updated from e to e + 1. To perform those deletions,
every thread keeps a list of retired nodes for every epoch and stores nodes passed to retire in the
list for the current thread epoch. For the actual deletion it is important to note that the thread-local
epoch may lack behind the global epoch by up to 1. As a consequence, a thread may put a node
retired during the global epoch e into its retire-list for epoch e − 1. So for a thread during its local
epoch e . it is not safe to delete the nodes in the retired-list for e − 1 because it may have been retired
during the global epoch e . It is only safe to delete the nodes contained in the retired-list for epochs
e − 2 and smaller. Hence, it suffices to maintaining three retire-lists. Progressing to epoch e + 1
allows for deleting the nodes from the local epoch e − 2 and to reuse that retire-list for epoch e + 1.
Quiescent-State-Based Reclamation (QSBR) [McKenney and Slingwine 1998] generalizes EBR by
allowing the programmer to manually identify when threads are quiescent. A thread is quiescent if
it does not hold pointers to any node from the data structure. Threads signal this by calling enterQ
and leaveQ upon entering and leaving a quiescent phase, respectively.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:22 Roland Meyer and Sebastian Wolff
OEBR
s14 s15 s16 s17 s18
leaveQ(t ),
t = u
exit(t ),
t = u
retire(t, a),
a = v
free(a),
a = v
enterQ(t ), t = u
Fig. 7. Observer specifying when EBR/QSBR defers deletion using two variables, u and v, to observe a
thread and an address, respectively. The observer implements the property that a cell v retired during
the non-quiescent phase of a thread u may not be freed until the thread becomes quiescent. The full
specification of EBR/QSBR is the observer OBase × OEBR .
We use the observer OBase × OEBR from Figure 7 for specifying both EBR and QSBR (they have
the same specification). As for HP, we use OBase to ensure that only those addresses are freed that
have been retired. Observer OEBR implements the actual EBR/QSBR behavior described above.
To use HP and EBR with our approach for restricting reuse during an analysis, we have to show
that their observers support elision. This is established by the following lemma. We consider it
future work to extend our tool such that it performs the appropriate checks automatically.
Lemma 6.1. The observers OBase × OHP and OBase × OEBR support elision.
6.2 Thread-Modular Linearizability Analysis
Proving a data structure correct for an arbitrary number of client threads requires a thread-modular
analysis [Berdine et al. 2008; Jones 1983]. Such an analysis abstracts a system state into so-called
views, partial configurations reflecting a single thread’s perception of the system state. A view
includes a thread’s program counter and, in the case of shared-memory programs, the memory
reachable from the shared and thread-local variables. An analysis then saturates a setV of reachable
views. This is done by computing the least solution to the recursive equationV = V ∪seq(V )∪int(V ).
Function seq computes a sequential step, the views obtained from letting each thread execute an
action on its own views. Function int accounts for interference among threads. It updates the shared
memory of views by actions from other threads. We follow the analysis from Abdulla et al. [2013,
2017]. There, int is computed by combining two views, letting one thread perform an action, and
projecting the result to the other thread. More precisely, computing int(V ) requires for every pair
of views ν1,ν2 ∈ V to (i) compute a combined view ω of ν1 and ν2, (ii) perform for ω a sequential
step for the thread of ν2, and (iii) project the result of the sequential step to the perception of the
thread from ν1. This process is required only for views ν1 and ν2 thatmatch, i.e., agree on the shared
memory both views have in common. Otherwise, the views are guaranteed to reflect different
system states. Thus, interference is not needed for an exhaustive state space exploration.
To check for linearizability, we assume that the program under scrutiny is annotated with
linearization points, points at which the effect of operations take place logically and become visible
to other threads. Whether or not the sequence of emitted linearization points is indeed linearizable
can be checked using an observer automaton implementing the desired specification [Abdulla et al.
2013, 2017], in our case the one for stacks and queues. The state of this automaton is stored in the
views. If a final state is reached, verification fails.
For brevity, we omit a discussion of the memory abstraction we use. It is orthogonal to the
analysis. For more details, we refer the reader to [Abdulla et al. 2013, 2017]. We are not aware of
another memory abstraction which can handle reuse and admits automation.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:23
We extend the above analysis by our approach to integrate SMR and restrict reuse to a single
address. To integrate SMR, we add the necessary observers to views. Note that observers have
a pleasant interplay with thread-modularity. In a view for thread t only those observer states
are required where t is observed. For the hazard pointer observer OBase × OHP this means that
only observer states with u capturing t need to be stored in the view for t . Similarly, the memory
abstraction induces a set of addresses that need to be observed (by v). However, we do not keep
observer states for shared addresses, i.e., addresses that are reachable from the shared variables.
Instead, we maintain the invariant that they are never retired nor freed. For the analysis, we then
assume that the ignored observer states are arbitrary (but not in observer locations implying
retiredness or freedness of shared addresses). We found that all benchmark programs satisfied this
invariant and that the resulting precision allowed for successful verification. Altogether, this keeps
the number of observer states per view small in practice.
As discussed in Section 4, observers OBase × OHP and OBase × OEBR assume that a client does not
perform double-retires. We integrate a check for this invariant, relying on observer OBase: if OBase
is in a state (l8,φ), then a double-retire occurs if an event of the form retire(_,φ(v)) is emitted.
To guarantee that the restriction of reuse to a single cell is sound, we have to check for pointer
races and harmful ABAs. To check for pointer races we annotate views with validity information.
This information is updated accordingly during sequential and interference steps. If a pointer
race is detected, verification fails. For this check, we rely on Lemma 6.2 below and deem racy any
invocation of retire with invalid pointers. That is, the pointer race check boils down to scanning
dereferences and retire invocations for invalid pointers.
Lemma 6.2. If a call is racy wrt. OBase × OEBR or OBase × OHP , then it is a call of function retire
using an invalid pointer.
Last, we add a check for harmful ABAs on top of the state space exploration. This check has to
implement Definition 5.17. That a computation σa .act contains a harmful ABA can be detected in
the view νa for thread t which performs act. Like for computations, the view abstraction νb of σb
for t cannot perform the ABA. To establish that the ABA is harmless, we seek a ν ′b which is similar
to νa , memory equivalent to νb , and includes the observer behavior of νb . (The relations introduced
in Section 5 naturally extend from computations to views.) If no such ν ′b exists, verification fails.
In the thread-modular setting one has to be careful with the choice of ν ′b . It is not sufficient to
find just some ν ′b satisfying the desired relations. The reason lies in that we perform the ABA check
on a thread-modular abstraction of computations. To see this, assume the view abstraction of σb
is α(σb ) = {νb ,ν } where νb is the view for thread t which performs the ABA in σa .act. For just
some ν ′b it is not guaranteed that there is a computation σ
′
b such that α(σ ′b ) = {ν ′b ,ν }. The sheer
existence of ν ′b and ν in V does not guarantee that there is a computation the abstraction of which
yields those two views. Put differently, we cannot construct computations from views. Hence, a
simple search for ν ′b cannot prove the existence of the required σ
′
b .
To overcome this problem, we use a method to search for a ν ′b that guarantees the existence of
σ ′b ; in terms of the above example, guarantees that there is σ
′
b with α(σ ′b ) = {ν ′b ,ν }. We take the
view νb that cannot perform the ABA. We apply sequential steps to νb until it comes back to the
same program counter. The rational behind is that ABAs are typically conditionals that restart the
operation if the ABA is not executable. Restarting the operation results in reading out pointers anew
(this time without interference from other threads). Consequently, the ABA is now executable. The
resulting view is a candidate for ν ′b . If it does not satisfy Definition 5.17, verification fails. Although
simple, this approach succeeded in all benchmarks.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:24 Roland Meyer and Sebastian Wolff
Table 1. Experimental results for verifying singly-linked data structures using SMR. The experiments were
conducted on an Intel Xeon X5650@2.67GHz running Ubuntu 16.04 and using Clang 6.0.
Programa SMR Time Verif. States ABAs Time ABA Linearizable
Coarse stack GC 0.44s 300 0 0s yes
None 0.5s 300 0 0s yes
Coarse queue GC 1.7s 300 0 0s yes
None 1.7s 300 0 0s yes
Treiber’s stack GC 3.2s 806 0 0s yes
EBR 16s 1822 0 0s yes
HP 19s 2606 186 0.06s yes
Opt. Treiber’s stack HP 0.8s — — — nob
Michael&Scott’s queue GC 414s 2202 0 0s yes
EBR 2630s 7613 0 0s yes
HP 7075s 19028 536 0.9s yes
DGLM queue GC 714s 9934 0 0s yesc
EBR 3754s 27132 0 0s yesc
HP 7010s 41753 2824 26s yesc
aThe code for the benchmark programs can be found in Appendix A.
bPointer race due to an ABA in push: the next pointer of the new node becomes invalid and the CAS succeeds.
cImprecision in the memory abstraction required hinting that Head cannot overtake Tail by more than one node.
6.3 Linearizability Experiments
We implemented the above analysis in a C++ tool.3 We evaluated the tool on singly-linked lock-free
data structures from the literature, like Treiber’s stack [Michael 2002; Treiber 1986], Michael&Scott’s
lock-free queue [Michael 2002; Michael and Scott 1996], and the DGLM lock-free queue [Doherty
et al. 2004b]. The findings are listed in Table 1. They include (i) the time taken for verification, i.e.,
to explore exhaustively the state space and check linearizability, (ii) the size of the explored state
space, i.e., the number of reachable views, (iii) the number of ABA prone views, i.e., views where a
thread is about to perform an assert containing an invalid pointer, (iv) the time taken to establish
that no ABA is harmful, and (v) the verdict of the linearizability check. The experiments were
conducted on an Intel Xeon X5650@2.67GHz running Ubuntu 16.04 and using Clang version 6.0.
Our approach is capable of verifying lock-free data structures using HP and EBR. We were able
to automatically verify Treiber’s stack, Michael&Scott’s queue, and the DGLM queue. To the best of
our knowledge, we are the first to verify data structures using the aforementioned SMR algorithms
fully automatically. Moreover, we are also the first to verify automatically the DGLM queue under
any manual memory management technique.
An interesting observation throughout the entire test suite is that the number of ABA prone views
is rather small compared to the total number of reachable views. Consequently, the time needed to
check for harmful ABAs is insignificant compared to the verification time. This substantiates the
usefulness of ignoring ABAs during the actual analysis and checking afterwards that no harmful
ABA exists.
3Available at: https://github.com/Wolff09/TMRexp/releases/tag/POPL19-chkds
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:25
96 struct Node {/* ... */}
97 shared Node* ToS;
98 void push(data_t input) {
99 Node* node = new Node ();
100 node ->data = input;
101 while (true) {
102 Node* top = ToS;
103 node ->next = top;
104 if (CAS&ToS , top , next)
105 break;
106 }
Fig. 8. The push operation of Treiber’s lock-
free stack [Treiber 1986].
Our tool could not establish linearizability for the op-
timized version of Treiber’s stack with hazard pointers
by Michael [2002]. The reason for this is that the push
operation does not use any hazard pointers. This leads
to pointer races and thus verification failure although
the implementation is correct. To see why, consider
the code of push from Figure 8. The operation allocates
a new node, reads the top-of-stack pointer into a lo-
cal variable top in Line 102, links the new node to the
top-of-stack in Line 103, and swings the top-of-stack
pointer to the new node in Line 104. Between Line 102
and Line 103 the node referenced by top can be popped,
reclaimed, reused, and reinserted by an interferer. That
is, the CAS in Line 104 is ABA prone. The reclamation of
the node referenced by top renders both the top pointer
and the next field of the new node invalid. As discussed
in Section 5, the comparison of the valid ToS with the invalid top makes top valid again. However,
the next field of the new node remains invalid. That is, the push succeeds and leaves the stack in a
state with ToS-> next being invalid. This leads to pointer races because no thread can acquire valid
pointers to the nodes following ToS. Hence, reading out data of such subsequent nodes in the pop
procedure, for example, raises a pointer race.
To solve this issue, the CAS in Line 104 has to validate the pointer node->next. One could annotate
the CAS with an invariant Tos == node-> next. Treating invariants and assertions alike would then
result in the CAS validating node->next (cf. Section 5.1) as desired. That the annotation is an invariant
indeed, could be checked during the analysis. We consider a proper investigation as future work.
For the DGLM queue, our tool required hints. The DGLM queue is similar to Michael&Scott’s
queue but allows the Head pointer to overtake the Tail pointer by at most one node. Due to
imprecision in the memory abstraction, our tool explored states with malformed lists where Head
overtook Tail by more than one node. We implemented a switch to increase the precision of the
abstraction and ignore cases where Head overtakes Tail by more than one node. This allowed us to
verifying the DGLM queue. While this change is ad hoc, it does not jeopardize the principledness
of our approach because it affects only the memory abstraction which we took from the literature.
6.4 Verifying SMR Implementations
It remains to verify that a given SMR implementation is correct wrt. an observer OSMR. As noted in
Section 4, an SMR implementation can be viewed as a lock-free data structure where the stored data
are pointers. Consequently, we can reuse the above analysis. We extended our implementation with
an abstraction for (sets of) data values.4 The main insight for a concise abstraction is that it suffices
to track a single observer state per view. If the SMR implementation is not correct wrt. OSMR, then
by definition there is τ ∈ [[MGC(R)]]Adr withH(τ ) < S(OSMR). Hence, there must be some observer
state s withH(τ ) < S(s). Consider the observers OBase × OHP and OBase × OEBR where s is of the
form s = (l, {u 7→ t , v 7→ a,w 7→ i}). This single state s induces a simple abstraction of data values
d : either d = a or d , a. Similarly, an abstraction of sets of data values simply tracks whether or
not the set contains a.
To gain adequate precision, we retain in every view the thread-local pointers of t . Wrt. Figure 3,
this keeps the thread-t-local HPRec in every view. It makes the analysis recognize that t has indeed
4Available at: https://github.com/Wolff09/TMRexp/releases/tag/POPL19-chksmr
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:26 Roland Meyer and Sebastian Wolff
Table 2. Experimental results for verifying SMR implementations against their observer specifications. The
experiments were conducted on an Intel Xeon X5650@2.67GHz running Ubuntu 16.04 and using Clang 6.0.
SMR Implementationa Specification Verification Time States Correct
Hazard Pointers OBase × OHP 1.5s 5437 yes
Epoch-Based Reclamation OBase × OEBR 11.2s 11528 yes
aThe code for the benchmark programs can be found in Appendix A.
protected a. Moreover, we store in every view whether or not the last retire invocation stems from
the thread of that view. With this information, we avoid unnecessary matches during interference of
views ν1 and ν2: if both threads t1 of ν1 and t2 of ν2 have performed the last retire invocation, then t1
and t2 are the exact same thread. Hence, interference is not needed as threads have unique identities.
We found this extension necessary to gain the precision required to verify our benchmarks.
Table 2 shows the experimental results for the HP implementation from Figure 3 and an EBR
implementation. Both SMR implementations allow threads to dynamically join and part. We
conducted the experiments in the same setup as before. As noted in Section 4, the verification is
simpler and thus more efficient than the previous one. The reason for this is the absence of memory
reclamation.
7 RELATEDWORK
We discuss the related work on SMR implementations and on the verification of linearizability.
Safe Memory Reclamation. Besides HP and EBR further SMR algorithms have been proposed in
the literature. Free-lists is the simplest such mechanism. Retired nodes are stored in a thread-local
free-list. The nodes in this list are never reclaimed. Instead, a thread can reuse nodes instead of
allocating new ones. Reference Counting (RC) adds to nodes a counter representing the number
of pointers referencing that node. Updating such counters safely in a lock-free fashion, however,
requires the use of hazard pointers [Herlihy et al. 2005] or double-word CAS [Detlefs et al. 2001],
which is not available on most hardware. Besides free-lists and RC, most SMR implementations
from the literature combine techniques. For example, DEBRA [Brown 2015] is an optimized QSBR
implementation. Harris [2001] extends EBR by adding epochs to nodes to detect when reclamation
is safe. Cadence [Balmau et al. 2016], the work by Aghazadeh et al. [2014], and the work by Dice
et al. [2016] are HP implementations improving on the original implementation due to Michael
[2002]. ThreadScan [Alistarh et al. 2015], StackTrack [Alistarh et al. 2014], and Dynamic Collect
[Dragojevic et al. 2011] borrow the mechanics of hazard pointers to protect single cells at a time.
Drop the Anchor [Braginsky et al. 2013], Optimistic Access [Cohen and Petrank 2015b], Automatic
Optimistic Access [Cohen and Petrank 2015a], QSense [Balmau et al. 2016], Hazard Eras [Ramalhete
and Correia 2017], and Interval-Based Reclamation [Wen et al. 2018] are combinations of EBR
and HP. Beware&Cleanup [Gidenstam et al. 2005] is a combination of HP and RC. Isolde [Yang
and Wrigstad 2017] is an implementation of EBR and RC. We omit Read-Copy-Update (RCU) here
because it does not allow for non-blocking deletion [McKenney 2004]. While we have implemented
an analysis for EBR and HP only, we believe that our approach can handle most of the above works
with little to no modifications. We refer the reader to Appendix B for a more detailed discussion.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:27
Linearizability. Linearizability of lock-free data structures has received considerable attention
over the last decade. The proposed techniques for verifying linearizability can be classified roughly
into (i) testing, (ii) non-automated proofs, and (iii) automated proofs. Linearizability testing [Bur-
ckhardt et al. 2010; Cerný et al. 2010; Emmi and Enea 2018; Emmi et al. 2015; Horn and Kroening
2015; Liu et al. 2009, 2013; Lowe 2017; Travkin et al. 2013; Vechev and Yahav 2008; Yang et al.
2017; Zhang 2011] enumerates an incomplete portion of the state space and checks whether or
not the discovered computations are linearizable. This approach is useful for bug-hunting and for
analyzing huge code bases. However, it cannot prove an implementation linearizable as it might
miss non-linearizable computations.
In order to prove a given implementation linearizable, one can conduct a manual (pen&paper) or
a mechanized (tool-supported, not automated) proof. Such proofs are cumbersome and require a
human to have a deep understanding of both the implementation under scrutiny and the verification
technique used. Common verification techniques are program logics and simulation relations. Since
our focus lies on automated proofs, we do not discuss non-automated proof techniques in detail.
For a survey refer to [Dongol and Derrick 2014].
Interestingly, most non-automated proofs of lock-free code rely on a garbage collector [Bäumler
et al. 2011; Bouajjani et al. 2017; Colvin et al. 2005, 2006; Delbianco et al. 2017; Derrick et al. 2011;
Doherty and Moir 2009; Elmas et al. 2010; Groves 2007, 2008; Hemed et al. 2015; Jonsson 2012;
Khyzha et al. 2017; Liang and Feng 2013; Liang et al. 2012, 2014; O’Hearn et al. 2010; Sergey et al.
2015a,b] to avoid the complexity of memory reclamation. Henzinger et al. [2013]; Schellhorn et al.
[2012] verify a lock-free queue by Herlihy and Wing [1990] which does not reclaim memory.
There is less work on manual verification in the presence of reclamation. Doherty et al. [2004b]
verify a lock-free queue implementation using tagged pointers and free-lists. Dodds et al. [2015]
verify a time-stamped stack using tagged pointers. Krishna et al. [2018] verify Harris’ list [Harris
2001] with reclamation. Finally, there are works [Fu et al. 2010; Gotsman et al. 2013; Parkinson et al.
2007; Tofan et al. 2011] which verify implementations using safe memory reclamation. With the
exception of [Gotsman et al. 2013], they only consider implementations using HP. Gotsman et al.
[2013] in addition verify implementations using EBR. With respect to lock-free data structures,
these works prove linearizability of stacks. Unlike in our approach, data structure and SMR code are
verified together. In theory, those works are not limited to such simple data structures. In practice,
however, we are not aware of any work that proves linearizable more complicated implementations
using HP. The (temporal) specifications for HP and EBR from Gotsman et al. [2013] are reflected in
our observer automata.
Alglave et al. [2013]; Desnoyers et al. [2013]; Kokologiannakis and Sagonas [2017]; Liang et al.
[2018] test RCU implementations. Gotsman et al. [2013]; Tassarotti et al. [2015] specify RCU and
verify data structures using it non-automatically. We do not discuss such approaches because
memory reclamation in RCU is blocking.
Automated approaches relieve a human checker from the complexity of manual/mechanized
proofs. In turn, they have to automatically synthesize invariants and finitely encode all possible
computations. The state-of-the-art methodology to do so is thread-modularity [Berdine et al. 2008;
Jones 1983]. We have already discussed this technique in Section 6.2. Its main advantage is the
ability to verify library code under an unbounded number of concurrent clients.
Similar to non-automated verification, most automated approaches assume a garbage collector
[Abdulla et al. 2016; Amit et al. 2007; Berdine et al. 2008; Segalov et al. 2009; Sethi et al. 2013;
Vafeiadis 2010a,b; Vechev et al. 2009; Zhu et al. 2015]. Garbage collection has the advantage of
ownership: an allocation is always owned by the allocating thread, it cannot be accessed by any
other thread. This allows for guiding thread-modular techniques, resulting in faster convergence
times and more precise analyses. Despite this, there are many techniques that suffer from poor
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:28 Roland Meyer and Sebastian Wolff
scalability. To counteract the state space explosion, they neglect SMR code making the programs
under scrutiny simpler (and shorter).
Few works [Abdulla et al. 2013; Haziza et al. 2016; Holík et al. 2017] address the challenge of
verifying lock-free data structures under manual memory management. These works assume that
accessing deleted memory is safe and that tag fields are never overwritten with non-tag values.
Basically, they integrate free-lists into the semantics. Their tools are able to verify Treiber’s stack
and Micheal&Scott’s queue using tagged pointers. For our experiments we implemented an analysis
based on [Abdulla et al. 2013; Haziza et al. 2016]. For our theoretical development, we borrowed
the observer automata from Abdulla et al. [2013] as a specification means for SMR algorithms.
From Haziza et al. [2016] we borrowed the notion of validity and pointer races. We modified the
definition of validity to allow for ABAs and lifted the pointer race definition to SMR calls. This
allowed us to verify lock-free data structures without the complexity of SMR implementations and
without considering all possible reallocations. With our approach we could verify the DGLM queue
which has not been verified automatically for manual memory management before.
To the best of our knowledge, there are no works which propose an automated approach for
verifying linearizability of lock-free data structures similar to ours. We are the first to (i) propose
a method for automatically verifying linearizability which decouples the verification of memory
reclamation from the verification of the data structure, and (ii) propose a method for easing the
verification task by avoiding reuse of memory except for a single memory location.
8 CONCLUSION AND FUTUREWORK
In this paper, we have shown that the way lock-free data structures and their memory reclamation
are implemented allows for compositional verification. The memory reclamation can be verified
against a simple specification. In turn, this specification can be used to verify the data structure
without considering the implementation of the memory reclamation. This breaks verification into
two tasks each of which has to consider only a part of the original code under scrutiny.
However, the resulting tasks remain hard for verification tools. To reduce their complexity and
make automation tractable, we showed that one can rely on a simpler semantics without sacrificing
soundness. The semantics we proposed is simpler in that, instead of arbitrary reuse, only a single
memory location needs to be considered for reuse. To ensure soundness, we showed how to check
in such a semantics for ABAs. We showed how to tolerate certain, harmless ABAs to handle SMR
implementations like hazard pointers. That is, we need to give up verification only if there are
harmful ABAs, that is, true bugs.
We evaluated our approach in an automated linearizability checker. Our experiments confirmed
that our approach can handle complex data structures with SMR the verification of which is beyond
the capabilities of existing automatic approaches.
As future work we would like to extend our implementation to support more data structures
and more SMR implementations from the literature. As stated before, this may require some
generalizations of our theory.
ACKNOWLEDGMENTS
We thank the POPL’19 reviewers for their valuable feedback and suggestions for improvements.
REFERENCES
Parosh Aziz Abdulla, Frédéric Haziza, Lukás Holík, Bengt Jonsson, and Ahmed Rezine. 2013. An Integrated Specification
and Verification Technique for Highly Concurrent Data Structures. In TACAS (LNCS), Vol. 7795. Springer, 324–338.
https://doi.org/10.1007/978-3-642-36742-7_23
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:29
Parosh Aziz Abdulla, Frédéric Haziza, Lukás Holík, Bengt Jonsson, and Ahmed Rezine. 2017. An Integrated Specification
and Verification Technique for Highly Concurrent Data Structures. STTT 19, 5 (2017), 549–563. https://doi.org/10.1007/
s10009-016-0415-4
Parosh Aziz Abdulla, Bengt Jonsson, and Cong Quy Trinh. 2016. Automated Verification of Linearization Policies. In SAS
(LNCS), Vol. 9837. Springer, 61–83. https://doi.org/10.1007/978-3-662-53413-7_4
Zahra Aghazadeh, Wojciech M. Golab, and Philipp Woelfel. 2014. Making objects writable. In PODC. ACM, 385–395.
https://doi.org/10.1145/2611462.2611483
Jade Alglave, Daniel Kroening, and Michael Tautschnig. 2013. Partial Orders for Efficient Bounded Model Checking of
Concurrent Software. In CAV (LNCS), Vol. 8044. Springer, 141–157. https://doi.org/10.1007/978-3-642-39799-8_9
Dan Alistarh, Patrick Eugster, Maurice Herlihy, Alexander Matveev, and Nir Shavit. 2014. StackTrack: an automated
transactional approach to concurrent memory reclamation. In EuroSys. ACM, 25:1–25:14. https://doi.org/10.1145/2592798.
2592808
Dan Alistarh, William M. Leiserson, Alexander Matveev, and Nir Shavit. 2015. ThreadScan: Automatic and Scalable Memory
Reclamation. In SPAA. ACM, 123–132. https://doi.org/10.1145/2755573.2755600
Daphna Amit, Noam Rinetzky, Thomas W. Reps, Mooly Sagiv, and Eran Yahav. 2007. Comparison Under Abstraction for
Verifying Linearizability. In CAV (LNCS), Vol. 4590. Springer, 477–490. https://doi.org/10.1007/978-3-540-73368-3_49
Oana Balmau, Rachid Guerraoui, Maurice Herlihy, and Igor Zablotchi. 2016. Fast and Robust Memory Reclamation for
Concurrent Data Structures. In SPAA. ACM, 349–359. https://doi.org/10.1145/2935764.2935790
Simon Bäumler, Gerhard Schellhorn, Bogdan Tofan, and Wolfgang Reif. 2011. Proving linearizability with temporal logic.
Formal Asp. Comput. 23, 1 (2011), 91–112. https://doi.org/10.1007/s00165-009-0130-y
Josh Berdine, Tal Lev-Ami, Roman Manevich, G. Ramalingam, and Shmuel Sagiv. 2008. Thread Quantification for Concurrent
Shape Analysis. In CAV (LNCS), Vol. 5123. Springer, 399–413. https://doi.org/10.1007/978-3-540-70545-1_37
Ahmed Bouajjani, Michael Emmi, Constantin Enea, and Suha Orhun Mutluergil. 2017. Proving Linearizability Using Forward
Simulations. In CAV (2) (LNCS), Vol. 10427. Springer, 542–563. https://doi.org/10.1007/978-3-319-63390-9_28
Anastasia Braginsky, Alex Kogan, and Erez Petrank. 2013. Drop the anchor: lightweight memory management for non-
blocking data structures. In SPAA. ACM, 33–42. https://doi.org/10.1145/2486159.2486184
Trevor Alexander Brown. 2015. Reclaiming Memory for Lock-Free Data Structures: There has to be a Better Way. In PODC.
ACM, 261–270. https://doi.org/10.1145/2767386.2767436
Sebastian Burckhardt, Chris Dern, Madanlal Musuvathi, and Roy Tan. 2010. Line-up: a complete and automatic linearizability
checker. In PLDI. ACM, 330–340. https://doi.org/10.1145/1806596.1806634
Pavol Cerný, Arjun Radhakrishna, Damien Zufferey, Swarat Chaudhuri, and Rajeev Alur. 2010. Model Checking of
Linearizability of Concurrent List Implementations. In CAV (LNCS), Vol. 6174. Springer, 465–479. https://doi.org/10.
1007/978-3-642-14295-6_41
Nachshon Cohen and Erez Petrank. 2015a. Automatic memory reclamation for lock-free data structures. In OOPSLA. ACM,
260–279. https://doi.org/10.1145/2814270.2814298
Nachshon Cohen and Erez Petrank. 2015b. Efficient Memory Management for Lock-Free Data Structures with Optimistic
Access. In SPAA. ACM, 254–263. https://doi.org/10.1145/2755573.2755579
Robert Colvin, Simon Doherty, and Lindsay Groves. 2005. Verifying Concurrent Data Structures by Simulation. Electr. Notes
Theor. Comput. Sci. 137, 2 (2005), 93–110. https://doi.org/10.1016/j.entcs.2005.04.026
Robert Colvin, Lindsay Groves, Victor Luchangco, and Mark Moir. 2006. Formal Verification of a Lazy Concurrent List-Based
Set Algorithm. In CAV (LNCS), Vol. 4144. Springer, 475–488. https://doi.org/10.1007/11817963_44
Germán Andrés Delbianco, Ilya Sergey, Aleksandar Nanevski, and Anindya Banerjee. 2017. Concurrent Data Structures
Linked in Time. In ECOOP (LIPIcs), Vol. 74. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 8:1–8:30. https:
//doi.org/10.4230/LIPIcs.ECOOP.2017.8
John Derrick, Gerhard Schellhorn, and Heike Wehrheim. 2011. Mechanically verified proof obligations for linearizability.
ACM Trans. Program. Lang. Syst. 33, 1 (2011), 4:1–4:43. https://doi.org/10.1145/1889997.1890001
Mathieu Desnoyers, Paul E. McKenney, and Michel R. Dagenais. 2013. Multi-core systems modeling for formal verification
of parallel algorithms. Operating Systems Review 47, 2 (2013), 51–65. https://doi.org/10.1145/2506164.2506174
David Detlefs, Paul Alan Martin, Mark Moir, and Guy L. Steele Jr. 2001. Lock-free reference counting. In PODC. ACM,
190–199. https://doi.org/10.1145/383962.384016
Dave Dice, Maurice Herlihy, and Alex Kogan. 2016. Fast non-intrusive memory reclamation for highly-concurrent data
structures. In ISMM. ACM, 36–45. https://doi.org/10.1145/2926697.2926699
Mike Dodds, Andreas Haas, and Christoph M. Kirsch. 2015. A Scalable, Correct Time-Stamped Stack. In POPL. ACM,
233–246. https://doi.org/10.1145/2676726.2676963
Simon Doherty, David Detlefs, Lindsay Groves, Christine H. Flood, Victor Luchangco, Paul Alan Martin, Mark Moir, Nir
Shavit, and Guy L. Steele Jr. 2004a. DCAS is not a silver bullet for nonblocking algorithm design. In SPAA. ACM, 216–224.
https://doi.org/10.1145/1007912.1007945
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:30 Roland Meyer and Sebastian Wolff
Simon Doherty, Lindsay Groves, Victor Luchangco, and Mark Moir. 2004b. Formal Verification of a Practical Lock-Free
Queue Algorithm. In FORTE (LNCS), Vol. 3235. Springer, 97–114. https://doi.org/10.1007/978-3-540-30232-2_7
Simon Doherty and Mark Moir. 2009. Nonblocking Algorithms and Backward Simulation. In DISC (LNCS), Vol. 5805.
Springer, 274–288. https://doi.org/10.1007/978-3-642-04355-0_28
Brijesh Dongol and John Derrick. 2014. Verifying linearizability: A comparative survey. CoRR abs/1410.6268 (2014).
http://arxiv.org/abs/1410.6268
Aleksandar Dragojevic, Maurice Herlihy, Yossi Lev, and Mark Moir. 2011. On the power of hardware transactional memory
to simplify memory management. In PODC. ACM, 99–108. https://doi.org/10.1145/1993806.1993821
Tayfun Elmas, Shaz Qadeer, Ali Sezgin, Omer Subasi, and Serdar Tasiran. 2010. Simplifying Linearizability Proofs with
Reduction and Abstraction. In TACAS (LNCS), Vol. 6015. Springer, 296–311. https://doi.org/10.1007/978-3-642-12002-2_25
Michael Emmi and Constantin Enea. 2018. Sound, complete, and tractable linearizability monitoring for concurrent
collections. PACMPL 2, POPL (2018), 25:1–25:27. https://doi.org/10.1145/3158113
Michael Emmi, Constantin Enea, and Jad Hamza. 2015. Monitoring refinement via symbolic reasoning. In PLDI. ACM,
260–269. https://doi.org/10.1145/2737924.2737983
Keir Fraser. 2004. Practical lock-freedom. Ph.D. Dissertation. University of Cambridge, UK. http://ethos.bl.uk/OrderDetails.
do?uin=uk.bl.ethos.599193
Ming Fu, Yong Li, Xinyu Feng, Zhong Shao, and Yu Zhang. 2010. Reasoning about Optimistic Concurrency Using a Program
Logic for History. In CONCUR (LNCS), Vol. 6269. Springer, 388–402. https://doi.org/10.1007/978-3-642-15375-4_27
Anders Gidenstam, Marina Papatriantafilou, Håkan Sundell, and Philippas Tsigas. 2005. Efficient and Reliable Lock-Free
Memory Reclamation Based on Reference Counting. In ISPAN. IEEE Computer Society, 202–207. https://doi.org/10.1109/
ISPAN.2005.42
Alexey Gotsman, Noam Rinetzky, and Hongseok Yang. 2013. Verifying Concurrent Memory Reclamation Algorithms with
Grace. In ESOP (LNCS), Vol. 7792. Springer, 249–269. https://doi.org/10.1007/978-3-642-37036-6_15
Lindsay Groves. 2007. Reasoning about Nonblocking Concurrency using Reduction. In ICECCS. IEEE Computer Society,
107–116. https://doi.org/10.1109/ICECCS.2007.39
Lindsay Groves. 2008. Verifying Michael and Scott’s Lock-Free Queue Algorithm using Trace Reduction. In CATS (CRPIT),
Vol. 77. Australian Computer Society, 133–142. http://crpit.com/abstracts/CRPITV77Groves.html
Timothy L. Harris. 2001. A Pragmatic Implementation of Non-blocking Linked-Lists. In DISC (LNCS), Vol. 2180. Springer,
300–314. https://doi.org/10.1007/3-540-45414-4_21
Thomas E. Hart, Paul E. McKenney, Angela Demke Brown, and JonathanWalpole. 2007. Performance of memory reclamation
for lockless synchronization. J. Parallel Distrib. Comput. 67, 12 (2007), 1270–1285. https://doi.org/10.1016/j.jpdc.2007.04.010
Frédéric Haziza, Lukás Holík, Roland Meyer, and Sebastian Wolff. 2016. Pointer Race Freedom. In VMCAI (LNCS), Vol. 9583.
Springer, 393–412. https://doi.org/10.1007/978-3-662-49122-5_19
Nir Hemed, Noam Rinetzky, and Viktor Vafeiadis. 2015. Modular Verification of Concurrency-Aware Linearizability. In
DISC (LNCS), Vol. 9363. Springer, 371–387. https://doi.org/10.1007/978-3-662-48653-5_25
Thomas A. Henzinger, Ali Sezgin, and Viktor Vafeiadis. 2013. Aspect-Oriented Linearizability Proofs. In CONCUR (LNCS),
Vol. 8052. Springer, 242–256. https://doi.org/10.1007/978-3-642-40184-8_18
Maurice Herlihy, Victor Luchangco, Paul A. Martin, and Mark Moir. 2005. Nonblocking memory management support for
dynamic-sized data structures. ACM Trans. Comput. Syst. 23, 2 (2005), 146–196. https://doi.org/10.1145/1062247.1062249
Maurice Herlihy and Jeannette M. Wing. 1990. Linearizability: A Correctness Condition for Concurrent Objects. ACM Trans.
Program. Lang. Syst. 12, 3 (1990), 463–492. https://doi.org/10.1145/78969.78972
Lukás Holík, Roland Meyer, Tomás Vojnar, and Sebastian Wolff. 2017. Effect Summaries for Thread-Modular Analysis -
Sound Analysis Despite an Unsound Heuristic. In SAS (LNCS), Vol. 10422. Springer, 169–191. https://doi.org/10.1007/
978-3-319-66706-5_9
Alex Horn and Daniel Kroening. 2015. Faster Linearizability Checking via P-Compositionality. In FORTE (LNCS), Vol. 9039.
Springer, 50–65. https://doi.org/10.1007/978-3-319-19195-9_4
Cliff B. Jones. 1983. Tentative Steps Toward a Development Method for Interfering Programs. ACM Trans. Program. Lang.
Syst. 5, 4 (1983), 596–619. https://doi.org/10.1145/69575.69577
Bengt Jonsson. 2012. Using refinement calculus techniques to prove linearizability. Formal Asp. Comput. 24, 4-6 (2012),
537–554. https://doi.org/10.1007/s00165-012-0250-7
Artem Khyzha, Mike Dodds, Alexey Gotsman, and Matthew J. Parkinson. 2017. Proving Linearizability Using Partial Orders.
In ESOP (LNCS), Vol. 10201. Springer, 639–667. https://doi.org/10.1007/978-3-662-54434-1_24
Michalis Kokologiannakis and Konstantinos Sagonas. 2017. Stateless model checking of the Linux kernel’s hierarchical
read-copy-update (tree RCU). In SPIN. ACM, 172–181. https://doi.org/10.1145/3092282.3092287
Siddharth Krishna, Dennis E. Shasha, and Thomas Wies. 2018. Go with the flow: compositional abstractions for concurrent
data structures. PACMPL 2, POPL (2018), 37:1–37:31. https://doi.org/10.1145/3158125
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:31
Hongjin Liang and Xinyu Feng. 2013. Modular verification of linearizability with non-fixed linearization points. In PLDI.
ACM, 459–470. https://doi.org/10.1145/2462156.2462189
Hongjin Liang, Xinyu Feng, and Ming Fu. 2012. A rely-guarantee-based simulation for verifying concurrent program
transformations. In POPL. ACM, 455–468. https://doi.org/10.1145/2103656.2103711
Hongjin Liang, Xinyu Feng, and Ming Fu. 2014. Rely-Guarantee-Based Simulation for Compositional Verification of
Concurrent Program Transformations. ACM Trans. Program. Lang. Syst. 36, 1 (2014), 3:1–3:55. https://doi.org/10.1145/
2576235
Lihao Liang, Paul E. McKenney, Daniel Kroening, and Tom Melham. 2018. Verification of tree-based hierarchical read-copy
update in the Linux kernel. In DATE. IEEE, 61–66. https://doi.org/10.23919/DATE.2018.8341980
Yang Liu, Wei Chen, Yanhong A. Liu, and Jun Sun. 2009. Model Checking Linearizability via Refinement. In FM (LNCS),
Vol. 5850. Springer, 321–337. https://doi.org/10.1007/978-3-642-05089-3_21
Yang Liu, Wei Chen, Yanhong A. Liu, Jun Sun, Shao Jie Zhang, and Jin Song Dong. 2013. Verifying Linearizability via
Optimized Refinement Checking. IEEE Trans. Software Eng. 39, 7 (2013), 1018–1039. https://doi.org/10.1109/TSE.2012.82
Gavin Lowe. 2017. Testing for linearizability. Concurrency and Computation: Practice and Experience 29, 4 (2017). https:
//doi.org/10.1002/cpe.3928
Paul E. McKenney. 2004. Exploiting Deferred Destruction: an Analysis of Read-Copy-Update Techniques in Operating System
Kernels. Ph.D. Dissertation. Oregon Health & Science University.
Paul E. McKenney and John D. Slingwine. 1998. Read-copy Update: Using Execution History to Solve Concurrency Problems.
Roland Meyer and Sebastian Wolff. 2018. Decoupling Lock-Free Data Structures from Memory Reclamation for Static
Analysis. PACMPL 3, POPL (2018), 58:1–58:31. https://doi.org/10.1145/3290371
Maged M. Michael. 2002. Safe memory reclamation for dynamic lock-free objects using atomic reads and writes. In PODC.
ACM, 21–30. https://doi.org/10.1145/571825.571829
Maged M. Michael. 2004. Hazard Pointers: Safe Memory Reclamation for Lock-Free Objects. IEEE Trans. Parallel Distrib.
Syst. 15, 6 (2004), 491–504. https://doi.org/10.1109/TPDS.2004.8
Maged M. Michael and Michael L. Scott. 1995. Correction of a Memory Management Method for Lock-Free Data Structures.
Technical Report. Rochester, NY, USA.
Maged M. Michael and Michael L. Scott. 1996. Simple, Fast, and Practical Non-Blocking and Blocking Concurrent Queue
Algorithms. In PODC. ACM, 267–275. https://doi.org/10.1145/248052.248106
Peter W. O’Hearn, Noam Rinetzky, Martin T. Vechev, Eran Yahav, and Greta Yorsh. 2010. Verifying linearizability with
hindsight. In PODC. ACM, 85–94. https://doi.org/10.1145/1835698.1835722
Matthew J. Parkinson, Richard Bornat, and Peter W. O’Hearn. 2007. Modular verification of a non-blocking stack. In POPL.
ACM, 297–302. https://doi.org/10.1145/1190216.1190261
Pedro Ramalhete and Andreia Correia. 2017. Brief Announcement: Hazard Eras - Non-Blocking Memory Reclamation. In
SPAA. ACM, 367–369. https://doi.org/10.1145/3087556.3087588
Gerhard Schellhorn, Heike Wehrheim, and John Derrick. 2012. How to Prove Algorithms Linearisable. In CAV (LNCS),
Vol. 7358. Springer, 243–259. https://doi.org/10.1007/978-3-642-31424-7_21
Michal Segalov, Tal Lev-Ami, Roman Manevich, Ganesan Ramalingam, and Mooly Sagiv. 2009. Abstract Transformers for
Thread Correlation Analysis. In APLAS (LNCS), Vol. 5904. Springer, 30–46. https://doi.org/10.1007/978-3-642-10672-9_5
Ilya Sergey, Aleksandar Nanevski, and Anindya Banerjee. 2015a. Mechanized verification of fine-grained concurrent
programs. In PLDI. ACM, 77–87. https://doi.org/10.1145/2737924.2737964
Ilya Sergey, Aleksandar Nanevski, and Anindya Banerjee. 2015b. Specifying and Verifying Concurrent Algorithms with
Histories and Subjectivity. In ESOP (LNCS), Vol. 9032. Springer, 333–358. https://doi.org/10.1007/978-3-662-46669-8_14
Divjyot Sethi, Muralidhar Talupur, and Sharad Malik. 2013. Model Checking Unbounded Concurrent Lists. In SPIN (LNCS),
Vol. 7976. Springer, 320–340. https://doi.org/10.1007/978-3-642-39176-7_20
Joseph Tassarotti, Derek Dreyer, and Viktor Vafeiadis. 2015. Verifying read-copy-update in a logic for weak memory. In
PLDI. ACM, 110–120. https://doi.org/10.1145/2737924.2737992
Bogdan Tofan, Gerhard Schellhorn, and Wolfgang Reif. 2011. Formal Verification of a Lock-Free Stack with Hazard Pointers.
In ICTAC (LNCS), Vol. 6916. Springer, 239–255. https://doi.org/10.1007/978-3-642-23283-1_16
Oleg Travkin, Annika Mütze, and Heike Wehrheim. 2013. SPIN as a Linearizability Checker under Weak Memory Models.
In Haifa Verification Conference (LNCS), Vol. 8244. Springer, 311–326. https://doi.org/10.1007/978-3-319-03077-7_21
R.Kent Treiber. 1986. Systems programming: coping with parallelism. Technical Report RJ 5118. IBM.
Viktor Vafeiadis. 2010a. Automatically Proving Linearizability. In CAV (LNCS), Vol. 6174. Springer, 450–464. https:
//doi.org/10.1007/978-3-642-14295-6_40
Viktor Vafeiadis. 2010b. RGSep Action Inference. In VMCAI (LNCS), Vol. 5944. Springer, 345–361. https://doi.org/10.1007/
978-3-642-11319-2_25
Moshe Y. Vardi. 1987. Verification of Concurrent Programs: The Automata-Theoretic Framework. In LICS. IEEE Computer
Society, 167–176.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:32 Roland Meyer and Sebastian Wolff
Martin T. Vechev and Eran Yahav. 2008. Deriving linearizable fine-grained concurrent objects. In PLDI. ACM, 125–135.
https://doi.org/10.1145/1375581.1375598
Martin T. Vechev, Eran Yahav, and Greta Yorsh. 2009. Experience with Model Checking Linearizability. In SPIN (LNCS),
Vol. 5578. Springer, 261–278. https://doi.org/10.1007/978-3-642-02652-2_21
Haosen Wen, Joseph Izraelevitz, Wentao Cai, H. Alan Beadle, and Michael L. Scott. 2018. Interval-based memory reclamation.
In PPOPP. ACM, 1–13. https://doi.org/10.1145/3178487.3178488
Albert Mingkun Yang and Tobias Wrigstad. 2017. Type-assisted automatic garbage collection for lock-free data structures.
In ISMM. ACM, 14–24. https://doi.org/10.1145/3092255.3092274
Xiaoxiao Yang, Joost-Pieter Katoen, Huimin Lin, and Hao Wu. 2017. Verifying Concurrent Stacks by Divergence-Sensitive
Bisimulation. CoRR abs/1701.06104 (2017). http://arxiv.org/abs/1701.06104
Shao Jie Zhang. 2011. Scalable automatic linearizability checking. In ICSE. ACM, 1185–1187. https://doi.org/10.1145/1985793.
1986037
He Zhu, Gustavo Petri, and Suresh Jagannathan. 2015. Poling: SMT Aided Linearizability Proofs. In CAV (2) (LNCS), Vol. 9207.
Springer, 3–19. https://doi.org/10.1007/978-3-319-21668-3_1
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:33
A MISSING BENCHMARK PROGRAMS
OGC
s19 s20
free(a), true
Fig. 9. Observer specifying that
no memory is reclaimed.
In Section 6 we evaluated our tool on various data structures
and SMR algorithms. With reference to Table 1, the observers
for HP, EBR, GC, and None are OBase × OHP , OBase × OEBR, OGC ,
and OBase , respectively. They can be found in Figures 6, 7 and 9.
The code for the Coarse stack can be found in Figure 10,
the Coarse queue in Figure 11, Treiber’s stack in Figure 12, the
Optimized Treiber’s stack in Figure 13, Michael&Scott’s queue in
Figure 14, and the DGLM queue in Figure 15. The logic for HP,
EBR,GC, andNone is highlighted with H, E, G, and N, respectively.
The code for the Hazard Pointers implementation can be found in Figure 3, the code for the
Epoch-Based Reclamation implementation in Figure 16.
107 /* Coarse Stack */
108 struct Node { data_t data; Node* next; };
109 shared Node* ToS;
110 atomic init() { ToS = NULL; }
111 void push(data_t input) {
112 Node* node = new Node ();
113 node ->data = input;
114 atomic {
115 node ->next = ToS;
116 ToS = node;
117 }
118 }
119 data_t pop() {
120 atomic {
121 Node* top = ToS;
122 if (top == NULL) return EMPTY;
123 data_t output = top ->data;
124 ToS = Tos ->next;
125 G N retire(top);
126 return output;
127 } }
Fig. 10. Coarse Stack implementation. No SMR is needed due to the use of atomic blocks.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:34 Roland Meyer and Sebastian Wolff
128 /* Coarse Queue */
129 struct Node { data_t data; Node* next; };
130 shared Node* Head , Tail;
131 atomic init() { Head = new Node (); Head ->next = NULL; Tail = Head; }
132 void enqueue(data_t input) {
133 Node* node = new Node ();
134 node ->data = input;
135 node ->next = NULL;
136 atomic {
137 Tail ->next = node;
138 Tail = node;
139 }
140 }
141 data_t dequeue () {
142 atomic {
143 Node* head = Head;
144 Node* next = head ->next;
145 if (next == NULL) return EMPTY;
146 data_t output = next ->data;
147 Head = next;
148 G N retire(head);
149 return output;
150 } }
Fig. 11. Coarse Queue implementation. No SMR is needed due to the use of atomic blocks.
151 /* Treiber 's stack */
152 struct Node { data_t data; Node* next; };
153 shared Node* ToS;
154 atomic init() { ToS = NULL; }
155 void push(data_t input) {
156 E leaveQ ();
157 Node* node = new Node ();
158 node ->data = input;
159 while (true) {
160 Node* top = ToS;
161 H protect(top , 0);
162 H if (top != ToS) continue;
163 node ->next = top;
164 if (CAS(&ToS , top , node))
165 break
166 }
167 H unprotect (0);
168 E enterQ ();
169 }
170 data_t pop() {
171 E leaveQ ();
172 while (true) {
173 Node* top = ToS;
174 if (top == NULL) return EMPTY;
175 H protect(top , 0);
176 H if (top != ToS) continue;
177 Node* next = top ->next;
178 if (CAS(&ToS , top , next)) {
179 data_t output = top ->data;
180 H E G retire(top);
181 H unprotect (0);
182 E enterQ ();
183 return output;
184 } } }
Fig. 12. Treiber’s non-blocking stack [Treiber 1986] with hazard pointer code. The implementation requires
a single hazard pointer per thread.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:35
185 /* Optimized Treiber 's stack */
186 struct Node { data_t data; Node* next; };
187 shared Node* ToS;
188 atomic init() { ToS = NULL; }
189 void push(data_t input) {
190 Node* node = new Node ();
191 node ->data = input;
192 while (true) {
193 Node* top = ToS;
194 node ->next = top;
195 if (CAS(&ToS , top , node))
196 break
197 }
198 }
199 data_t pop() {
200 while (true) {
201 Node* top = ToS;
202 if (top == NULL) return EMPTY;
203 H protect(top , 0);
204 H if (top != ToS) continue;
205 Node* next = top ->next;
206 if (CAS(&ToS , top , next)) {
207 data_t output = top ->data;
208 H retire(top);
209 H unprotect (0);
210 return output;
211 } } }
Fig. 13. Optimized version of Treiber’s non-blocking stack [Treiber 1986] with hazard pointer code due to
[Michael 2002]. The push operation does not require hazard pointers. The implementation of push is the
same as in Figure 8.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:36 Roland Meyer and Sebastian Wolff
212 /* Michael&Scott 's queue */
213 struct Node { data_t data; Node* next; };
214 shared Node* Head , Tail;
215 atomic init() { Head = new Node (); Head ->next = NULL; Tail = Head; }
216 void enqueue(data_t input) {
217 E leaveQ;
218 Node* node = new Node ();
219 node ->data = input;
220 node ->next = NULL;
221 while (true) {
222 Node* tail = Tail;
223 H protect(tail , 0);
224 H if (tail != Tail) continue;
225 Node* next = tail ->next;
226 if (tail != Tail) continue;
227 if (next != NULL) {
228 CAS(&Tail , tail , next);
229 continue;
230 }
231 if (CAS(&tail ->next , next , node))
232 break
233 }
234 CAS(&Tail , tail , node);
235 E enterQ;
236 H unprotect (0);
237 }
238 data_t dequeue () {
239 E leaveQ;
240 while (true) {
241 Node* head = Head;
242 H protect(head , 0);
243 H if (head != Head) continue;
244 Node* tail = Tail;
245 Node* next = head ->next;
246 H protect(next , 1);
247 if (head != Head) continue;
248 if (next == NULL) return EMPTY;
249 if (head == tail) {
250 CAS(&Tail , tail , next);
251 continue;
252 } else {
253 data_t output = next ->data;
254 if (CAS(&Head , head , next)) {
255 H E G retire(head);
256 E enterQ;
257 H unprotect (0); unprotect (1);
258 return output;
259 } } } }
Fig. 14. Michael&Scott’s non-blocking queue with SMR code. The added lines are marked with E and H
for the modifications needed for using EBR/QSBR and HP [Michael 2004], respectively. The HP version
requires two hazard pointers per thread which are set using calls of the form protect(ptr, k).
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:37
260 /* DGLM queue */
261 struct Node { data_t data; Node* next; };
262 shared Node* Head , Tail;
263 atomic init() { Head = new Node (); Head ->next = NULL; Tail = Head; }
264 void enqueue(data_t input) {
265 E leaveQ;
266 Node* node = new Node ();
267 node ->data = input;
268 node ->next = NULL;
269 while (true) {
270 Node* tail = Tail;
271 H protect(tail , 0);
272 H if (tail != Tail) continue;
273 Node* next = tail ->next;
274 if (tail != Tail) continue;
275 if (next != NULL) {
276 CAS(&Tail , tail , next);
277 continue;
278 }
279 if (CAS(&tail ->next , next , node))
280 break
281 }
282 CAS(&Tail , tail ,node);
283 H unprotect (0);
284 E enterQ;
285 }
286 data_t dequeue () {
287 E leaveQ;
288 while (true) {
289 Node* head = Head;
290 H protect(head , 0);
291 H if (head != Head) continue;
292 Node* next = head ->next;
293 H protect(next , 1);
294 if (head != Head) continue;
295 if (next == NULL) return EMPTY;
296 data_t output = next ->data;
297 if (CAS(&Head , head , next)) {
298 Node* tail = Tail;
299 if (head == tail) {
300 CAS(Tail , tail , next);
301 }
302 H E G retire(head);
303 H unprotect (0); unprotect (1);
304 E enterQ;
305 return output;
306 } } }
Fig. 15. DGLM non-blocking queue [Doherty et al. 2004b] with hazard pointer code. The implementation
is similar to Michael&Scott’s non-blocking queue but allows the Head to overtake the Tail.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:38 Roland Meyer and Sebastian Wolff
307 enum epoch_t { 0, 1, 2 };
308 struct EBRRec { EBRRec* next; epoch_t epoch; }
309 shared EBRRec* Records;
310 shared epoch_t Epoch;
311 threadlocal EBRRec* myRec;
312 threadlocal List <void*> bag0;
313 threadlocal List <void*> bag1;
314 threadlocal List <void*> bag2;
315 void join() {
316 myRec = new EBRRec ();
317 while (true) {
318 EBRRec* rec = Records;
319 myRec ->next = rec;
320 if (CAS(Records , rec , myRec))
321 break;
322 }
323 myEpoch = Epoch;
324 myRec ->epoch = myEpoch;
325 }
326
327 void part() {
328 }
329
330 void enterQ () {
331 }
332
333 void retire(Node* ptr) {
334 bag0.add(ptr);
335 }
336 void reclaim () {
337 if (*) {
338 if (myEpoch != Epoch) {
339 for (Node* ptr : bag2) {
340 delete ptr;
341 }
342 bag2 = bag1;
343 bag1 = bag0;
344 bag0 = List <void*>::empty ();
345 myEpoch = Epoch;
346 myRec ->epoch = myEpoch;
347 }
348
349 EBRrec* cur = Records;
350 while (cur != NULL) {
351 if (epoch != cur ->epoch) {
352 break;
353 }
354 cur = cur ->next;
355 }
356 CAS(Epoch , epoch , (epoch +1)%3);
357 }
358 }
Fig. 16. Implementation for epoch-based reclamation. Note that parting of a thread prevents the other
threads from any subsequent reclamation.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:39
B EXTENDED DISCUSSION OF SMR ALGORITHMS
We extend the discussion of SMR algorithms from Section 7.
Hazard Pointers (HP), continued. We already discussed HP throughout the paper. We gave a
formal specification in Section 4, Figure 6. The presented observer handles each hazard pointer
individually. In practice, a common pattern is to protect the nodes of a list in a hand-over-hand
fashion: (1) hazard pointer h0 is set to protect node a, (2) h1 is set to protect the successor node
a′, (3) h1 is transferred into h0 meaning that now also h0 protects a′, (4) h1 is set to protect the
successor a′′ of a′, and so on. Using this pattern, node a′ is continuously protected; the protections
of h0 and h1 overlap in time. If a′ is retired after step 2 it must not be deleted as long as h0 protects
it. However, OHP does not account for this. Because it considers every hazard pointer individually,
the protection by h0 appears after a′ is retired. So the OHP does allow for a′ being deleted.
Such spurious deletions are likely to cause false alarms during an analysis. The reason for this is
that one typically performs consistency checks ensuring that a′′ is still a successor of a′ before
moving on. Due to the spurious deletion this check results in an unsafe memory access reported
as bug by most analyses. To overcome this problem, one can modify OHP such that it supports
protections by multiple hazard pointers. To that end, it needs to track multiple hazard pointers
simultaneously. Defining such an observer for a fixed number of hazard pointers per thread is
straight forward and omitted here.
Free-Lists. The simplest mechanism to avoid use-after-free bugs is to not free anymemory. Instead,
retired memory is stored in a free-list. Memory in that list can be reused immediately. Instead of
an allocation it is checked whether there is memory available in the free-list. If so, it is removed
from the list and reused. Otherwise, fresh memory is allocated. There are two major drawbacks
with this approach. First, the memory consumption of an application can never shrink. Once
allocated, memory always remains allocated for the process. Second, the possibility for memory
being immediately reused allows for harmful ABAs [Michael and Scott 1996]. To overcome this,
pointers are instrumented to carry an integer tag, or modification counter. Updating a pointer then
not only updates the pointer but also increases the tag. To solve avoid harmful ABAs, comparisons
of pointers consider their corresponding tags too. This requires to use double-word CAS operations
or to steal unused bits of pointers to use as storage for the tag.
That retired nodes are never freed can be formalized with observers easily. Moving retired nodes
from the free-list to the data structure, however, does not fit into our development—we assume
that reuse is implemented by the SMR algorithm freeing nodes and the data structure reallocating
the memory. One could follow the approach by Abdulla et al. [2013]; Haziza et al. [2016]. Instead
of retiring nodes they use explicit frees and allow the data structure to access freed memory. As
discussed in Section 5, such accesses result in pointer races and lead to verification failure. To
counteract this, Haziza et al. [2016] introduce a relaxed version of pointer races to tolerate certain
unsafe accesses. We refrain from doing so since we believe that this would jeopardize our reduction
result. We rather focus on proper SMR algorithms which actually reclaim memory.
Reference Counting (RC). Reference counting adds to every node a counter representing the
number of pointers currently pointing to that node. This count is increased whenever a new pointer
is created and decreased when an existing pointer is destroyed. When the count drops to zero upon
decrease, then the node is deleted. However, in order to update the reference count of a node, a
pointer to that node is required. A RC implementation must ensure that a node cannot be deleted
between reading a pointer to it and increasing its reference count. This becomes problematic if
the implementation is supposed to be lock-free. Then, one has to either (i) perform the read and
update atomically with a double-word CAS [Detlefs et al. 2001], which is not available on most
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:40 Roland Meyer and Sebastian Wolff
ODTA
s21 s22 s23 s24 s25
leaveQ(t ), t = u exit(t ), t = u
retire(t, a),
a = v free(a), a = v
enterQ(t ), t = u
recovered(t, t ′), t ′ = u
OFrozen
s26 s27 s28 s29
freeze(t, a),
t = u ∧ a = v exit(t ), t = u free(a), a = v
Fig. 17. Observers for specifying DTA. Observer ODTA extends OEBR from Figure 7 in that a recovered
thread stops protecting addresses. Observer OFrozen prevents frozen addresses from being deleted.
hardware, or (ii) use hazard pointers to protect nodes form being freed in the aforementioned time
frame [Herlihy et al. 2005]. Moreover, reference counting has shown to be less efficient than EBR
and HPs [Hart et al. 2007]
Since RC is implemented on top of HP, one can consider the RC implementation as part of the
data structure on top of an HP implementation. Alternatively, to directly fit RC into our theory, one
could to instrument the program under scrutiny such that creating new and destroying existing
pointers accounts for an increase and decrease in the reference count, respectively. For pointers
a.next one can easily come up with an observer that prevents deleting the referenced address. To
account for pointer variables, one has to either assume a fixed number of shared and thread-local
pointer variables or generalize observers to be able to observe such variables. We believe that such
a generalization is possible.
Drop the Anchor (DTA) [Braginsky et al. 2013]. A version of EBR which uses HP to fight thread
failures. DTA has no notion of global epoch; instead each thread has a local epoch which is always
updated on operation invocation to a value higher than all other thread epochs. Additionally,
the thread epochs are written to the nodes of the data structure to denote when the node was
added/removed. Then, a node can be deallocated if its removal time is smaller than all thread
epochs. To allow for deallocations after thread failure, a version of hazard pointers is used. Here, a
hazard pointer does not protect a single node, but a certain (configurable) number k of consecutive
nodes starting from the protected node. When a threads local epoch lacks behind too much, it is
marked as potentially crashed, or stuck. Then, the sublist of nodes protected by the crashed thread
is replaced with a fresh copy. The removed sublist is said to be frozen. On the one hand, the sublist
can be reclaimed only if the crashed thread resurrects. On the other hand, the sublist is marked
such that a resurrected thread can detect what happened. For future deallocations the crashed
thread can be ignored because it does not acquire new pointers into the data structure.
To fit DTA into our framework we consider the recovery logic to be part of the data structure
rather than the SMR algorithm. Using a feedback mechanism for the recovery, similar to QSBR
quiescent phases, allows for DTA to be specified with the observer observers OBase ×ODTA ×OFrozen.
For observers ODTA and OFrozen refer to Figure 17. The observers assume API functions recovered(t)
and freeze(ptr) to signal that a failed thread has been recovered and that an address is frozen,
respectively.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:41
Optimistic Access (OA) [Cohen and Petrank 2015b]. OA relies on the assumption that accessing
freed memory never leads to system crashes. Hence, memory reads are performed optimistically in
that they may accesses reclaimed memory. To detect such situations, each thread has a warning
bit, i.e., a simplified thread local epoch. The warning bit is set if any thread performs reclamation.
Hence, if the warning bit is set after a memory accesses, then the result may be undefined as it
stems from reclaimed memory. If so the thread needs to restart its operation—a common pattern
in lock-free code. To protect writes from corrupting the data structure, they must not write to
reclaimed memory. This is done by using hazard pointers. The node to be written is protected with
a hazard pointer and the integrity of the protection is guaranteed if the warning bit is not set before
and after the protection.
The specification of OA is identical to the one of hazard pointers as discussed in Section 4. Since
data structure implementations using OA access the warning bit, this bit has to be retained in the
data structure. To update the bit, the semantics of free can be adapted. This adaptation can be
problematic in our theory: a free may not be mimicked and thus the update of the warning bit
may break our development. To fight this, one could introduce spurious updates of the warning bit.
Another problem with OA is that it deliberately accesses potentially reclaimed memory. That is,
it raises pointer races. To support this one would need a relaxation of pointer races like the one by
Haziza et al. [2016]. This might lead to a severe state space explosion.
Automatic Optimistic Access (AOA) [Cohen and Petrank 2015a]. Extends OA by using a normalized
form applicable for lock-free code and by using the properties of OA (namely, a node must not
be collected if it is reachable from the shared variables or from a hazard pointer) to release the
programmer from the burden of explicitly adding retire calls to the code. Moreover, the normal-
ization of the code allows for automatically adding the necessary code to perform OA. Hence, the
authors consider AOA to be a restricted form of garbage collection.
Since AOA is an extension of OA, it has the same requirements as OA. We believe that a
generalization to OA allows for AOA support.
StackTrack (ST) [Alistarh et al. 2014]. The basic idea is to use transactions to perform optimistic
memory accesses. The transactional memory guarantees that a transaction aborts if it reads from
memory that has been freed concurrently. Since not every operation can be performed in a single
transaction, it is split up into multiple transactions. To guarantee that references are not freed
between two transactions without being noticed by the executing thread, the relevant pointers are
protected using hazard pointers.
ThreadScan (TS) [Alistarh et al. 2015]. Modified version of hazard pointers which uses signaling
to protect nodes on demand. More specifically, whenever a thread starts reclaiming memory, it uses
the operating system’s signaling infrastructure to inform all other threads about the reclamation
intent. Then, the other threads are interrupted and execute the signal handler. This handler scans
the list of to-be-deleted nodes of the reclaiming thread and marks those entries the executing
thread holds thread-local references to. The reclaimer waits until all other threads have signaled
completion of the marking process. Then, the reclaimer deletes all unmarked nodes.
To verify data structures using TS with our theory, one has to integrate signaling into the
programing language from Section 3. For a specification with observers we assume the following
API: reclaim(), retire(ptr), mark(ptr), and markdone(). Function reclaim() is called by a thread
when it starts reclaiming memory. Function retire(ptr) behaves as for ordinary HP. Function
makr(ptr) is used by the signal handler of threads to mark addresses that shall not be reclaimed.
After a thread has completed the marking, function markdone() is called. We use mark(ptr) instead
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:42 Roland Meyer and Sebastian Wolff
OTS−mark
s30 s31
s32
mark(t, a), a = v
retire(t, a), a = v
reclaim(t ), true
free(a), a = v
OTS−done
s33 s34
s35
reclaim(t ), true
markdone(t ), t = u
free(a), a = v
Fig. 18. Observer OTS−mark states that marked addresses must not be deleted. Additionally, it guarantees
that addresses retired after reclamation starts are not deleted either—this is required because after a
thread executed its signal handler to mark addresses, it continues its execution and ca retire addresses;
those address must not be deleted by a reclamation phase that started earlier. Observer OTS−done states
that deletions can be performed only if all threads have finished marking nodes.
of protect(ptr) because it does guarantee protection only during the current reclamation phase.
Then, the observer OBase × OTS−mark × OTS−done from Figure 18 specifies TS.
Dynamic Collect (DC) [Dragojevic et al. 2011]. DC is an abstract framework to describe SMR
schemes like hazard pointers, that is, schemes where single addresses can be protected. A DC object
supplies the user with the ability to (i) register, (ii) deregister, (iii) update, and (iv) collect entries.
Intuitively, this means to dynamically (i) create, (ii) purge, and (iii) update hazard pointers, and to
(iv) query all hazard pointers together with their values. Moreover, the authors explore how such a
dynamic collect object could be implemented efficiently using transactions.
The specification of DC objects follows the one of hazard pointers. That the implementation
of such objects may use transactions is irrelevant for the use with our results since we use the
specification rather than the implementation of the SMR algorithm for an analysis.
Beware&Cleanup (BC) [Gidenstam et al. 2005]. This technique combines hazard pointers and
reference counting. HPs are used to protect thread-local references (pointers). RC is used for nodes.
The reference count of a node, however, reflects only the number of existing references from other
nodes. That is, acquiring/purging thread-local pointers does not affect the reference count of nodes.
Additionally, BC features a reclamation procedure which guarantees that the number of unre-
claimed nodes is finite at all times. To that end, the references contained in logically deleted nodes
(those that await reclamation) are altered to point to nodes still contained in the data structure.
However, updating logically deleted nodes is a modification of the data structure. As stated by the
authors, BC requires this modification to retain semantics.
Similar to ordinary RC, BC can be handled with our approach when considering the reference
counting as part of the data structure that is done on top of HP. With respect to the aforementioned
instrumentation for RC, BC has the advantage that no generalization of our observers is required
since pointer variables are covered by HP rather than RC.
Isolde [Yang and Wrigstad 2017]. Isolde combines epoch-based reclamation and reference count-
ing. Similar to Beware&Cleanup, reference counting is used for incoming pointers from nodes.
References due to thread-local pointers are ignored for the count. Instead, EBR is used for pointer
variables. The main contribution of this work is a type system for the proposed reclamation
approach.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:43
OQS−fast
s36 s37 s38 s39
s40
s41 s42 s43 s44
leaveQ(t ), t = u exit(t ), t = u retire(t, a), a = v
free(a), a = venterQ(t ), t = u
leaveQ(t ), t = u exit(t ), t = u retire(t, a), a = v
enterQ(t ), t = u
$# $# $#$#
$ := goSlow(t ), true
# := goFast(t ), true
Fig. 19. Observer specifying a version of QSBR for QSense which can be switched on and off on demand.
Cadence [Balmau et al. 2016]. Cadence is an optimized implementation of hazard pointers. A
major drawback of HP under weak memory is that each protection must be followed by a memory
fence in order be visible to other threads. This may degrade performance because it requires a fence
for every node when traversing a data structure. To avoid those fences, the authors observe that a
context switch in modern operating systems can act as a fence. Hence, Cadence adds sufficiently
many dummy processes which simply sleep for a predefined time interval T in an infinite loop.
This way, every process is forced into a context switch afterT time has elapsed. For hazard pointers
this means that a protection is visible to other threads at most T time after the protection took
place. So for memory reclamation, processes wait an additional time T between retiring and trying
to delete a node.
As a hazard pointer implementation, Cadence uses the exact same specification as ordinary HP.
QSense [Balmau et al. 2016]. Combination of QSBR and Cadence. By default, QSBR is used. If a
thread failure/delay is detected, then the system switches to Cadence, i.e., HP. Only if all threads
make progress, the system switchs from Cadence back to QSBR.
For a specification of QSense with observers, we assume an EBR and HP API which is extended
by two functions goSlow() and goFast() that switch from QSBR to Cadence, and vice versa. Then,
QSense can be specified by OBase × OQS−fast × OQS−slow . Observer OQS−fast can be found in Figure 19.
It is a variant of OEBR which can be switched on and off on demand. Observer OQS−slow follows
from OHP with a similar construction.
Hazard Eras (HE) [Ramalhete and Correia 2017]. A hazard pointer implementation that borrows a
global clock from QSBR. HE augments nodes with two additional time stamp fields: a creation time
and a retire time. Whenever a node is created/retired, its corresponding field is set to the current
value of the global clock. Additionally, the global clock is advanced if a node is retired. Unlike with
hazard pointers, a protection does not announce the pointer of the to-be-protected node but the
current global clock. Then, the deletion of a retired node is deferred if some thread has announced
a time that lies in between that nodes creation and retirement time.
This adaptation of hazard pointers was specifically designed to feature the same API as HP. For
a specification of HE, however, we need to make explicit the time stamps that are announced and
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:44 Roland Meyer and Sebastian Wolff
contained in nodes. To support this SMR algorithm in our theory, one would need to adapt the
definition of histories such that an event containing an address a is extended to also contain the
values of a time stamp selector. We believe that such a generalization can be implemented with
minor changes to our development.
Interval-Based Reclamation (IBR) [Wen et al. 2018]. Reclamation scheme similar to HE. Like in
HE, there is a global clock and nodes carry a creation and retirement time stamp. Unlike in HE,
the global clock is advanced after a configurable number of allocations. For protection, a thread
announces a time interval. Then, every node the creation-retirement interval of which has a non-
empty intersection with the announced interval is protected. That is, upon operation start a thread
announces an interval containing only the current global epoch. Whenever a pointer is read, the
announced interval is extended to include the current epoch.
DEBRA [Brown 2015]. DEBRA is an QSBR implementation. There is also a version that adds
fault tolerance using signals and non-local gotos. The main idea is to neutralize threads by sending
them a signal. The signal handler then forces the thread to enter a quiescent state and restart its
operation. Intuitively, the restart is done via non-local goto: it resets the thread’s state back to when
it started executing the operation.
Since this work gives an QSBR implementation, it uses the same specification as ordinary QSBR.
[Dice et al. 2016]. Optimized HP implementation for weak memory which exploits memory page
management of modern operating systems. More specifically, the authors observe that issuing
a write-protect to a memory page forces each processor to first finish pending writes to the to-
be-protected memory page. One can exploit this behavior write-protecting all pages that contain
hazard pointers before starting to reclaim memory.
Since this work gives a HP implementation, it uses the exact same specification as ordinary HP.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:45
C MISSING DETAILS
We provide details missing in the main paper.
C.1 Programs
Definition C.1 (Lifted Memory). We lift a memory m to sets by m(E) := {m(e) | e ∈ E} \ {seg}.
Definition C.2 (In-use Addresses). The in-use addresses in a memory m are
adr(m) := (range(m) ∪ dom(m)) ∩ Adr
where we use {a.next} ∩ Adr = a and similarly for data selectors.
Definition C.3 (Fresh Addresses). The fresh addresses in τ , denoted by fresh(τ ) ⊆ Adr , are:
fresh(ϵ) = Adr
fresh(τ .act) = fresh(τ ) \ {a} if act = (t , free(a), up)
fresh(τ .act) = fresh(τ ) \ {a} if act = (t , free(p), up) ∧mτ (p) = a
fresh(τ .act) = fresh(τ ) \ {a} if act = (t , p := malloc, up) ∧mτ .act(p) = a
fresh(τ .act) = fresh(τ ) otherwise.
Definition C.4 (Freed Addresses). The freed addresses in τ , denoted by freed(τ ) ⊆ Adr , are:
freed(ϵ) = 
freed(τ .act) = freed(τ ) ∪ {a} if act = (t , free(a), up)
freed(τ .act) = freed(τ ) ∪ {a} if act = (t , free(p), up) ∧mτ (p) = a
freed(τ .act) = freed(τ ) \ {a} if act = (t , p := malloc, up) ∧mτ .act(p) = a
freed(τ .act) = freed(τ ) otherwise.
Definition C.5 (Allocated Addresses). The allocated addresses in τ are those addresses that are
neither fresh nor freed: allocatedτ := Adr \ (fresh(τ ) ∪ freed(τ )).
Definition C.6 (Induced Histories). The history induced by a computation τ , denoted byH(τ ), is
defined by:
H(ϵ) = ϵ
H(τ .(t , free(a), up)) =H(τ ). free(a)
H(τ .(t , free(p), up)) =H(τ ). free(mτ (p))
H(τ .(t , enter func(p¯, x¯), up)) =H(τ ). func(t ,mτ (p¯),mτ (x¯))
H(τ .(t , exit, up)) =H(τ ). exit(t)
H(τ .act) =H(τ ) otherwise.
Assumption 1 (Environment Frees). For any τ .act ∈ [[D(OSMR)]]Adr with act = (t , free(a), up)
we have ctrl(τ ) = ctrl(τ .act).
C.2 Compositionality
Consider D(R), a data structure D using an SMR implementation R. We split the variables of D(R)
into the variables of D and R. That is, we have PVar = PVarD ⊎ PVarR where PVarD and PVarR are
the pointer variables of D and R, respectively. Similarly, we have DVar = DVarD ⊎ DVarR.
We use ctrl ∗t (τ ) to make precise the return label for calls of R performed by thread t of D in
computation τ . That is, ctrl ∗t (τ ) = (pcD, pcR) where pcD and pcR are labels for the next command to
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:46 Roland Meyer and Sebastian Wolff
be executed in D and R, respectively. If pcR = ⊥, this meas that t is currently executing D code and
is not inside an SMR call. That pcR , ⊥ means t is inside an SMR function and executing R code.
In such cases, pcD holds the return location. With respect to Section 3, this means that pcD holds
a label to the corresponding exit command. We assume that program steps change pcD only if
pcR = ⊥. For simplicity, we write ctrl ∗(τ ) and mean a map from threads t to ctrl ∗t (τ ).
Now, we introduce a separation of memory into the parts of D and R. The separation is denoted
bym∗τ = (mDτ ,mRτ ) and is inductively defined similarly tomτ . In the base case, we havemPϵ (p) = seg,
mPϵ (x) = 0, and mPϵ (e) = ⊥ for all p ∈ PVarP , x ∈ DVarP , and e < PVarP ∪ DVarP for P ∈ {D, R}. In
the induction step we have m∗τ .act = (mDτ .act ,mRτ .act) for act = (t , com, up) as follows.
• If com ≡ free(p), then mDτ .act = mDτ [up] and mRτ .act = mRτ [up].
• If ctrl R(τ ) = ⊥, then then mDτ .act = mDτ [up].
• If ctrl R(τ ) , ⊥ and com . free(p), mRτ .act = mRτ [up].
(Recall that we assume that D does not perform any free, instead uses R to perform them safely.)
Now, we can make precise the requirement on D(R) to enable compositional verification. As
stated in Section 4, we require that R influencesD only through frees. Formally, we need a separation
of the memory regions they use and that they do not use regions that do not belong to them. We
define this separation on the level of computations.
Definition C.7 (Compositional Computations). A computation τ ∈ [[D(R)]]Adr is compositional, if
for every prefix σ .act of τ we have:
(i) mσ .act = mDσ .act ⊎mRσ .act ,
(ii) mσ .act(e) = mDσ .act(e) for all e ∈ PVarD ∪ PVarR, and
(iii) if act = (t , com, up) with com ≡ expr := p.sel and mσ (p) = a, then mσ (a.sel) = mDσ (a.sel).
By definition, ϵ is compositional. Moreover, if τ .act is compositional, so is τ . We lift this definition
to programs by considering the set of their computations.
Definition C.8 (Compositional Programs). We say D(R) is compositional if all τ ∈ [[D(R)]]Adr are.
Recall from Section 4 that R |= OSMR if H([[MGC(R)]]Adr ) ⊆ S(OSMR). Together with composi-
tionality of D(R) we can show that D(R) and D(OSMR) reach the same control states wrt. D.
LemmaC.9. Assume R |= OSMR. Letτ ∈ [[D(OSMR)]]Adr be compositional. There isσ ∈ [[D(OSMR)]]Adr
such that ctrlD(τ ) = ctrl(σ ), mDτ = mσ , fresh(τ ) ⊆ fresh(σ ), and freed(τ ) ⊆ freed(σ ).
Proof of Lemma C.9. We proceed by induction over the structure of τ . In the base case, we have
ϵ and the claim follows by definition. So consider some compositional τ .act such that we have
already constructed for τ a σ with the desired properties. Now, we need to construct a σ ′ for τ .act.
Let act = (t , com, up). We distinguish three cases.
Case ctrl Rt (τ ) , ⊥ and com . free(p).
In this case act stems from t executing SMR code of R. By compositionality of τ we havemDτ .act = mDτ .
SomDτ .act = mσ by induction. Since com is not a free, we get fresh(τ .act) ⊆ fresh(τ ) ⊆ fresh(σ ) and
freed(τ .act) ⊆ freed(τ ) ⊆ freed(σ ). Now, recall that we assumed that actions of R do not change
the control of D. That is, we have ctrlD(τ .act) = ctrlD(τ ) = ctrl(σ ). Altogether, this means that
σ ′ = σ is an adequate choice.
Case com ≡ free(p).
Recall that we have assumed that only R performs frees. Hence, we getH(τ ).free(a) ∈ S(OSMR)
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:47
from R |= OSMR. That is, for act ′ = (⊥, free(a), up) we have σ .act ′ ∈ [[D(OSMR)]]Adr . By definition
we get mDτ .act = mDτ [up] = mσ [up] = mσ .act′ . Moreover, we have
fresh(τ .act) = fresh(τ ) ⊆ fresh(σ ) = fresh(σ .act ′)
and freed(τ .act)freed(τ ) ∪ {a} ⊆ freed(σ ) ∪ {a} = freed(σ .act ′) .
As in the previous case, we get ctrlD(τ .act) = ctrlD(τ ) = ctrl(σ ) because act stems from executing
R. Altogether, σ ′ = σ .act ′ is an adequate choice.
Case ctrl Rt (τ ) = ⊥.
We choose σ ′ = σ .act. We have to show that com is enabled and produces the same update up
after σ . This follows from ctrlD(τ ) = ctrl(σ ) and compositionality of τ .act. The former states that
com can be executed. The latter implies that the same update is performed. To see this, note that
compositionality gives mτ (p) = mDτ (p). So by induction mτ (p) = mσ (p). And similarly for data
variables and selectors appearing on the right-hand side of assignments. Since the freed and fresh
addresses are not changed, σ ′ = σ .act is an adequate choice.
The above case distinction is complete. This concludes the claim. □
Weuse the above lemma to establish Theorem 4.2. Here, we focus on establishing safety properties.
Hence, correctness boils down to control state reachability. We assume that the correctness of D(R)
depends only on D. Let Bad be those control locations of D that a correct program must not reach.
Definition C.10 (Correctness). A data structure D(R) is correct if there is no τ ∈ [[D(R)]]Adr with
ctrlD(τ ) ∈ Bad. Similarly, D(OSMR) is correct if there is no σ ∈ [[D(OSMR)]]Adr with ctrl(σ ) ∈ Bad.
With this notion of correctness avoiding bad control states, we are able to prove Theorem 4.2.
Proof of Theorem 4.2. Let R |= OSMR. To show that the correctness of D(OSMR) implies the
correctness of D(R) we show the contra positive. So let D(R) be incorrect. By definition, there
is τ ∈ [[D(R)]]Adr with ctrlD(τ ) ∈ Bad. From Lemma C.9 we get σ ∈ [[D(OSMR)]]Adr such that
ctrl(σ ) = ctrlD(τ ). That is, ctrl(σ ) ∈ Bad. Thus, D(OSMR) is incorrect. This concludes the claim. □
A Remark on Checking Compositionality. Compositionality can be checked using the techniques
from Section 5. If D breaks compositionality, then this manifests as a pointer race (unsafe access) in
[[D(OSMR)]]Adr . One can show that such pointer races are absent if [[D(OSMR)]]one is pointer race free.
So our verification approach establishes that if D(R) breaks compositionality, then it is due to R.
To check whether or not R breaks compositionality, one could use the same pointer race freedom
approach as for D. However, since the precise shape of R is a parameter to our development, such a
proof is beyond the scope of this paper. As an alternative approach, one can check whether or not
R modifies the memory of D. This may allow for a much simpler (data flow) analysis.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:48 Roland Meyer and Sebastian Wolff
C.3 Reduction
Definition C.11 (Valid Expressions). The valid pointer expressions in a computationτ ∈ [[D(OSMR)]]Adr ,
denoted by validτ ⊆ PExp, are defined by:
validϵ := PVar
validτ .(t,p:=q,up) := validτ ∪ {p} if q ∈ validτ
validτ .(t,p:=q,up) := validτ \ {p} if q < validτ
validτ .(t,p.next:=q,up) := validτ ∪ {a.next} if mτ (p) = a ∈ Adr ∧ q ∈ validτ
validτ .(t,p.next:=q,up) := validτ \ {a.next} if mτ (p) = a ∈ Adr ∧ q < validτ
validτ .(t,p:=q.next,up) := validτ ∪ {p} if mτ (q) = a ∈ Adr ∧ a.next ∈ validτ
validτ .(t,p:=q.next,up) := validτ \ {p} if mτ (q) = a ∈ Adr ∧ a.next < validτ
validτ .(t,free(a),up) := validτ \ invalida
validτ .(t,p:=malloc,up) := validτ ∪ {p,a.next} if [p 7→ a] ∈ up
validτ .(t,assert p=q,up) := validτ ∪ {p, q} if {p, q} ∩ validτ , 
validτ .(t,act,up) := validτ otherwise.
We have invalida := {p | mτ (p) = a} ∪ {b .next | mτ (b .next) = a} ∪ {a.next}.
Definition C.12 (Replacements). A replacement of address a to b in a history h, denoted by h[a/b],
replaces in h every occurrence of a with b, and vice versa, as follows:
ϵ[a/b] = ϵ(
h.func(c¯, d¯))[a/b] = (h[a/b]) . (func(c¯ ′, d¯))
with c ′i = a if ci = b, c ′i = b if ci = a, and c ′i = c otherwise
h.evt[a/b] = h[a/b] otherwise.
C.4 Generalized Reduction
In Section 5 we required the absence of harmful ABAs and elision support as premise for the
reduction result. We present a strictly weaker premise that implies the same reduction result.
Definition C.13 (Reduction Compatibility). The set [[D(OSMR)]]one is reduction compatible if:
∀τ .act ∈ [[D(OSMR)]]Adr ∀σa .act ∈ [[D(OSMR)]]{a } ∀σb ∈ [[D(OSMR)]]{b } .
τ ∼ σa ∧ τ ⋖σa ∧ τ ≃a σa ∧ τ .act ∼ σa .act ∧ τ .act ⋖σa .act ∧
τ .act ≃a σa .act ∧ τ ∼ σb ∧ τ ⋖σb ∧ τ ≃b σb ∧ σa ∼ σb ∧ a , b ∧
act ∈ { (_, assert _, _), (_, p := malloc, [p 7→ a, _]) }
=⇒ τ .act ∼ σ ′b ∧ τ .act ⋖σ ′b ∧ τ .act ≃b σ ′b
and
∀h,a,b . a , b =⇒ F(h.free(a), b) = F (h, b) .
The analog of the results from Section 5 hold for the above generalized definition.
Proposition C.14. Let [[D(OSMR)]]one be reduction compatible and pointer race free. Then, for all
τ ∈ [[D(OSMR)]]Adr and all a ∈ Adr there is σ ∈ [[D(OSMR)]]one with τ ∼ σ , τ ≃a σ , and τ ⋖a σ .
Theorem C.15. We have [[D(OSMR)]]Adr ∼ [[D(OSMR)]]one provided [[D(OSMR)]]one is reduction
compatible and pointer race free.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:49
The following lemma shows that the above is indeed a generalization of the results presented in
the paper.
Lemma C.16. Pointer race freedom (Definition 5.13) of [[D(OSMR)]]one , the absence of harmful ABAs
(Definition 5.17), and elision support (Definition 5.14) implies reduction compatibility (Definition C.13).
Altogether, the results from Section 5 follow from combining Proposition C.14, Theorem C.15,
and Lemma C.16.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:50 Roland Meyer and Sebastian Wolff
D PROOFS FOR THE REDUCTION RESULTS
We prove the presented results. To do so, we establish useful lemmas and develop the elision of
addresses formally. Hereafter, we abbreviate pointer race by PR and pointer race free by PRF.
D.1 Useful Lemmas
Lemma D.1. If τ1 ∼ τ2, then τ2 ∼ τ1.
Lemma D.2. If τ1 ∼ τ2 ∼ τ3, then τ1 ∼ τ3.
Lemma D.3. If mτ1 (validτ1 ) ⊆ mτ2 (validτ2 ) and τ1 ≃A τ2 ≃B τ3, then τ1 ≃A∩B τ3.
Lemma D.4. If adr(mτ1 |validτ1 ) ⊆ adr(mτ2 |validτ2 ) and τ1 ⋖τ2 ⋖τ3, then τ1 ⋖τ3.
Lemma D.5. We have adr(mτ |validτ ) = (validτ ∩ Adr) ∪mτ (validτ ).
Lemma D.6. If τ ∈ [[D(OSMR)]]Adr , then validτ ⊆ dom(mτ ).
Lemma D.7. If τ ∼ σ , then validτ = validσ .
Lemma D.8. If evt ∈ {func(t , a¯, d¯), exit(t), free(a)}, thenh1 ∈F (h2.evt, a) ⇐⇒ evt.h1 ∈F (h2, a).
Lemma D.9. If τ ∈ [[D(OSMR)]]Adr and a ∈ fresh(τ ), then a < range(mτ ).
Lemma D.10. If τ ∈ [[D(OSMR)]]Adr and a ∈ fresh(τ ), then a < mτ (validτ ) and a.next < validτ .
Lemma D.11. If τ ∈ [[D(OSMR)]]Adr PRF and a ∈ freed(τ ), then a<mτ (validτ ) and a.next<validτ .
Lemma D.12. If τ ∈ [[D(OSMR)]]Adr and mτ (pexp) = seg, then pexp ∈ validτ .
Lemma D.13. If τ ∈ [[D(OSMR)]]Adr PRF and mτ (pexp) = ⊥, then {pexp} ∩ Adr ⊈ mτ (validτ ).
Lemma D.14. If τ ∈ [[D(OSMR)]]Adr PRF, then PVar ⊆ dom(mτ ).
D.2 Technical Preparations
The following lemma states that pointer race freedom guarantees a separation of the valid and
invalid memory. It may only overlap for those addresses that are tracked precisely using the memory
equivalence.
Lemma D.15. If τ ∈ [[D(OSMR)]]A PRF, then adr(mτ |validτ ) ∩mτ (PExp \ validτ ) ⊆ A.
Towards a proof of the core result, Proposition C.14, we show that certain actions of a computation
τ can be mimicked in another computation σ by simply executing the same command in both
executions. As discussed in Section 5, the induced update may differ. Basically, the following lemma
proves the technical cases of the proof of Proposition C.14.
Lemma D.16. Let τ .act ∈ [[D(OSMR)]]Adr and σ ∈ [[D(OSMR)]]A such that
τ ∼ σ ∧ τ ≃A σ ∧ τ ⋖A σ ∧ act = (t , com, up)
∧ σ .act < [[D(OSMR)]]A =⇒ com is an assignment
∧ com contains p.next or p.data =⇒ p ∈ validτ
∧ com ≡ func(p¯, x¯) =⇒ mτ (p¯) = mσ (p¯)
∧ com ≡ free(a) =⇒ (∀b ∈Adr \ {a} ∀γ ∈ {τ ,σ }. F (γ .act, b) = F (γ , b))
∧ com ≡ p := malloc ∧mτ .act(p) = a < A =⇒ F(τ , a) ⊆ F (σ , a) .
Then there is some act ′ = (t , com, up′) with σ .act ′ ∈ [[D(OSMR)]]A and
τ .act ∼ σ .act ′ ∧ τ .act ≃A σ .act ′ ∧ τ .act ⋖σ .act ′ .
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:51
D.3 Elision Technique
Definition D.17. An address mapping is a bijection swapadr : Adr → Adr . For convenience,
we extend swapadr such that swapadr (⊥) = ⊥, swapadr (seg) = seg, and swapadr (d) = d for any
d ∈ Dom. The address mapping induces an expression mapping swapexp with
swapexp(p) = p swapexp(a.next) = swapadr (a).next
swapexp(x) = x swapexp(a.data) = swapadr (a).data
and a history mapping swaphist with
swaphist(ϵ) = ϵ
swaphist(h.free(a)) = swaphist(h).free(swapadr (a))
swaphist(h.func(t , a¯, d¯)) = swaphist(h).func(t , swapadr (a¯), d¯)
swaphist(h.exit(t)) = swaphist(h).exit(t)
for any SMR API function func. We use swapadr (a¯) = swapadr (a1), . . . , swapadr (ak ).
Note that h[a/b] = swaphist(h) for swaphist being the history mapping induced by the address
mapping swapadr with swapadr (a) = b, swapadr (b) = a, and swapadr (c) = c in all other cases.
Lemma D.18. If swapadr is an address mapping, then swap−1adr is also an address mapping.
Definition D.19. If swapadr is an address mapping, then we write swap−1exp and swap−1hist for the
expression and history mapping induced by the inverse address mapping swap−1adr .
Lemma D.20. If swaphist(h1) = swaphist(h2), then h1 = h2.
Lemma D.21. We have swaphist(h) ∈ swaphist(H ) ⇐⇒ h ∈ H .
Lemma D.22. For every ⊗ ∈ {\,∪,∩} we have:
swapadr (A1) ⊗ swapadr (A2) = swapadr (A1 ⊗ A2)
swapexp(B1) ⊗ swapexp(B2) = swapexp(B1 ⊗ B2)
swaphist(C1) ⊗ swaphist(C2) = swaphist(C1 ⊗ C2)
Lemma D.23. For all h we have swap−1hist(swaphist(h)) = h.
Lemma D.24. For all h we have h ∈ H(OSMR) ⇐⇒ swaphist(h) ∈ H(OSMR).
Lemma D.25. If swaphist(H(τ )) = H(σ ), then swaphist(F (τ , a)) = F (σ , swapadr (a)) for all a.
Theorem D.26. For every computation τ ∈ [[D(OSMR)]]A and every address mapping swapadr , there
is some σ ∈ [[D(OSMR)]]swapadr (A) such that:
mσ ◦ swapexp = swapadr ◦mτ H(σ ) = swaphist(H(τ )) freed(σ ) = swapadr (freed(τ ))
validσ = swapexp(validτ ) ctrl(σ ) = ctrl(τ ) fresh(σ ) = swapadr (fresh(τ ))
Lemma D.27. Let OSMR support elision. If τ ∈ [[D(OSMR)]]A and a < adr(mτ |validτ ) ∪A, then there
is σ ∈ [[D(OSMR)]]A with τ ∼ σ , τ ≃A σ , τ ⋖σ , and a ∈ fresh(σ ). Moreover, mτ (e) , mτ (e′) implies
mσ (e) , mσ (e′) for all e, e′ ∈ PVar ∪ {b .next | b ∈ mτ (validτ )}.
Lemma D.28. Let OSMR support elision. If τ ∈ [[D(OSMR)]]A and a < adr(mτ |validτ ) ∪A, then there
is σ ∈ [[D(OSMR)]]A with τ ∼ σ , τ ≃A σ , τ ⋖σ , and a ∈ fresh(σ ).
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:52 Roland Meyer and Sebastian Wolff
D.4 Proofs of Useful Lemmas (Appendix D.1)
Proof of Lemmas D.1 to D.4. By definition. □
Proof of Lemma D.5. By definition we have:
dom(mτ |validτ ) ∩ Adr = (validτ ∪ DVar ∪ {a.next | a ∈ mτ (validτ )}) ∩ Adr
= (validτ ∩ Adr) ∪ ({a.next | a ∈ mτ (validτ )} ∩ Adr)
= (validτ ∩ Adr) ∪ ({a | a ∈ mτ (validτ )})
= (validτ ∩ Adr) ∪mτ (validτ )
Moreover, we have
range(mτ |validτ ) ∩ Adr = mτ (dom(mτ |validτ )) ∩ Adr
= mτ (dom(mτ |validτ ) ∩ PExp) = mτ (validτ )
With this, we conclude as follows:
adr(mτ |validτ ) ∩ Adr = (dom(mτ |validτ ) ∩ range(mτ |validτ )) ∩ Adr
= (validτ ∩ Adr) ∪mτ (validτ ) ∪mτ (validτ )
= (validτ ∩ Adr) ∪mτ (validτ )
□
Proof of Lemma D.6. The claim holds for ϵ since validτ = PVar and PVar ⊆ dom(mϵ ) by
definition. Towards a contradiction, assume the claim does not hold. Then, there is a shortest
computation τ .act ∈ [[D(OSMR)]]Adr with validτ .act ⊈ dom(mτ .act). That is, there is pexp ∈ validτ .act
with mτ .act(pexp) = ⊥. First, consider the case where we have pexp < validτ . To validate pexp,
act must be (i) an allocation p := malloc with mτ .act(p) = a and pexp ∈ {p,a.next}, (ii) an
assertion of the form assert pexp = q with q ∈ validτ , or (iii) an assignment pexp := qexp with
qexp ∈ validτ . Case (i) cannot apply as it results in pexp ∈ dom(mτ .act) by definition. Case (ii)
cannot apply because mτ (pexp) = mτ (q) together with q ∈ dom(mτ ) = dom(mτ .act) by minimality
gives pexp ∈ dom(mτ .act). So case (iii) must apply. qexp ∈ validτ yieldsmτ (qexp) , ⊥ by minimality.
We get mτ .act(pexp) , ⊥ what contradicts the choice of pexp. Overall, pexp ∈ validτ must hold.
Consider now the pexp ∈ validτ . By minimality, we have mτ (pexp) , ⊥. So act must update
pexp to ⊥. To do so, act must be (i) free(a) and pexp ≡ a.next, or (ii) an assignment pexp := qexp
with mτ (qexp) = ⊥. The former case cannot apply as it results in pexp < validτ .act by definition.
So the latter case applies. By minimality, we have qexp < validτ . Hence, pexp < validτ .act . This
contradicts the choice of pexp. □
Proof of Lemma D.7. We conclude as follows using the definition of τ ∼ σ , set theory, and the
definition of restrictions:
τ ∼ σ =⇒ mτ |validτ = mσ |validσ
=⇒ dom(mτ |validτ ) = dom(mσ |validσ )
=⇒ dom(mτ |validτ ) ∩ PExp = dom(mσ |validσ ) ∩ PExp
=⇒ validτ = validσ
where the last implication is due to Lemma D.6. □
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:53
Proof of Lemma D.8. The direction from right to left follows by definition. So consider the
direction from left to right. Leth1 ∈ F (h2.evt, a). Towards a contradiction, assume evt.h1 < F (h2, a).
Since frees(evt) ⊆ {a}, we must have h2.evt.h1 < S(OSMR) by definition. Then, h1 < F (h2.evt, a)
by definition. This contradicts the assumption. □
Proof of Lemma D.9. Towards a contradiction, let τ .act ∈ [[D(OSMR)]]Adr be the shortest com-
putation such that there is some a ∈ fresh(τ .act) with a ∈ range(mτ .act). That is, there is some
pexp ∈ PExp with mτ .act(pexp) = a. By monotonicity, we have a ∈ fresh(τ ). By minimality then, we
must have mτ (pexp) , a. Hence, act updates pexp to a. This means it must be an allocation or a
pointer assignment. In the former case, we must have act = (t , pexp := malloc, [p 7→ a, . . . ]). Then,
a < fresh(τ .act) holds by definition. So this case cannot apply as it contradicts the assumption. That
is, act is of the form act = (t , pexp = qexp, up) with mτ (qexp) = a. This means a ∈ range(mτ ). This,
contradicts the minimality of τ .act and thus concludes the claim. □
Proof of Lemma D.10. Towards a contradiction, assume there is a shortestτ .act ∈ [[D(OSMR)]]Adr
such that there is some a ∈ fresh(τ .act) with a ∈ mτ .act(validτ .act) ∨ a.next ∈ validτ .act . Note
that τ .act is indeed the shortest such computation since the claim holds for ϵ . By monotonicity,
we have a ∈ fresh(τ ). By minimality of τ .act we have a < mτ (validτ ) and a.next < validτ . If
a.next ∈ validτ .act holds, then act must be an assignment of the form p.next := q with mτ (p) = a.
This means a ∈ range(mτ ). So Lemma D.9 gives a < fresh(τ ). This contradicts a ∈ fresh(τ ) from
above. Hence, this cannot apply and we must have a.next < validτ .act . So by assumption we have
a ∈ mτ .act(validτ .act). By definition, there is some pexp ∈ validτ .act withmτ .act(pexp) = a. Again by
minimality, we have pexp < validτ or mτ (pexp) , a. Consider pexp < validτ . That is, act validates
pexp. To do so, act must be an assignment, an allocation, or an assertion:
• If act is of the form act = (t , pexp := qexp, up), then qexp ∈ validτ and mτ (qexp) = a must
hold. The latter, leads to qexp < validτ by minimality of τ .act. Hence, act cannot be an
assignment.
• If act is of the form act = (t , p := malloc, [p 7→ a, . . . ]), then pexp ≡ p must hold. (Note that
for pexp ≡ a.next we get mτ .act(pexp) = seg , a.) This, results in a < fresh(τ .act) which
contradicts the assumption. Hence, act cannot be an allocation.
• If act is of the form act = (t , assert p = q, up), then wlog. pexp ≡ p and q ∈ validτ and
a = mτ .act(pexp) = mτ (pexp) = mτ (q) must hold. Again by minimality, we get q < validτ
which contradicts the assumption. Hence, act cannot be an assertion.
So pexp ∈ validτ must hold and thus mτ (pexp) , a. That is, act updates pexp to a. To do so, act
must be an assignment or an allocation. We then conclude a contradiction as before. □
Proof of Lemma D.11. To the contrary, assume there is a shortest τ .act ∈ [[D(OSMR)]]Adr PRF
with a ∈ freed(τ .act) and a ∈ mτ .act(validτ .act) ∨ a.next ∈ validτ .act . Note that τ .act is indeed
the shortest such computation since the claim is vacuously true for ϵ . First, consider the case
where we have a ∈ freed(τ ). We get a < mτ (validτ ) and a.next < validτ by minimality of
τ .act. If a.next ∈ validτ .act holds, then act must be an assignment of the form p.next := q with
mτ (p) = a. Moreover, p < validτ must hold because a < mτ (validτ ). Hence, act raises a pointer
race. This contradicts the assumption. So we must have a ∈ mτ .act(validτ .act). This allows us to
derive a contradiction along the lines of the proof of Lemma D.10. So consider the case where
we have a < freed(τ ) now. Then, act must execute the command free(a). As a consequence, we
get a.next < validτ .act and pexp < validτ .act for all pexp with mτ (pexp) = a. That is, we have
a < mτ .act(validτ .act) and a.next < validτ .act . This contradicts the assumption and concludes the
claim. □
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:54 Roland Meyer and Sebastian Wolff
Proof of Lemma D.12. To the contrary, assume there is a shortest τ .act ∈ [[D(OSMR)]]Adr with
some pexp < validτ .act andmτ .act(pexp) = seg. By minimality,mτ (pexp) , seg or pexp ∈ validτ .act .
As a first case, consider mτ (pexp) , seg. Then, act updates pexp to seg. That is, act is an allocation
or an assignment. If act = (t , p := malloc, [p 7→ a, pexp 7→ seg, . . . ]), then pexp ≡ a.next
must hold. This gives pexp ∈ validτ .act by definition. So this case cannot apply by assumption.
If act = (t , pexp := qexp, [pexp 7→ up]), then we must have mτ (qexp) = seg. By minimality, this
gives qexp ∈ validτ . And by definition, pexp ∈ validτ .act then. This contradicts the assumption.
So we must have pexp ∈ validτ .act . That is, act makes pexp invalid. To do so, act must be an
assignment or a free. If act = (t , pexp := qexp, up), then we must have qexp < validτ . By minimality,
this gives mτ (qexp) , seg. So we get mτ .act(pexp) , seg what contradicts the assumption. If
act = (t , free(a), [a.next 7→ ⊥, . . . ]), then we must have pexp ≡ a.next or mτ (pexp) = a. In the
former case, we get mτ .act(pexp) = ⊥ , seg. In the latter case, we get mτ .act(pexp) = a , seg.
Hence, we get mτ .act(pexp) , seg what contradicts the assumption. This concludes the claim. □
Proof of Lemma D.13. To the contrary, assume a shortest PRF τ .act ∈ [[D(OSMR)]]Adr such that
there is some pexp with mτ .act(pexp) = ⊥ and {pexp} ∩Adr ⊆ mτ .act(validτ .act). By minimality, we
have mτ (pexp) , ⊥ or {pexp} ∩ Adr ⊈ mτ (validτ ). First, consider mτ (pexp) , ⊥. In order for act
to update pexp to ⊥, it must be a free or an assignment. If act = (t , free(a), [a.next 7→ ⊥, . . . ]),
then we must have pexp ≡ a.next. By definition, we get a ∈ freed(τ .act). Then, Lemma D.11 gives
a < mτ .act(validτ .act). This contradicts the choice of pexp to satisfy {pexp} ∩ Adr ⊈ mτ (validτ ).
If act = (t , pexp := qexp, [pexp 7→ ⊥]), then mτ (qexp) = ⊥ must hold. If qexp ∈ PVar , then we
have {qexp} ∩ Adr =  ⊆ mτ (validτ ). Since this contradicts minimality, qexp must be of the form
qexp ≡ b .next. By minimality, we have b < mτ (validτ ). This means act raises a pointer race. This
contradicts the assumption of τ .act being PRF. Altogether, this means mτ (pexp) = ⊥ holds.
So consider {pexp} ∩ Adr ⊈ mτ (validτ ). By definition, pexp must be of the form a.next. We get
a < mτ (validτ ). To arrive at {pexp} ∩ Adr ⊆ mτ .act(validτ .act) we must get a ∈ mτ .act(validτ .act).
To get this, act must be an allocation: act = (t , p := malloc, [p 7→ a,a.next 7→ seg, . . . ]). This,
results in mτ .act(pexp) = seg , ⊥. This contradicts the assumption and concludes the claim. □
Proof of Lemma D.14. Follows from LemmaD.13 and {p}∩Adr =  for every p ∈ PVar together
with the fact that  ⊆ mτ (validτ ) is always true. □
D.5 Proofs of Technical Preparations (Appendix D.2)
Proof of Lemma D.15. We proceed by induction over the structure of computations.
IB: For τ = ϵ choose σ = τ . This satisfies the claim.
IH: For every τ ∈ [[D(OSMR)]]A RPRF we have adr(mτ |validτ ) ∩mτ (PExp \ validτ ) ⊆ A.
IS: Consider now τ .act ∈ [[D(OSMR)]]A RPRF. Let act = (t , com, up). By induction we have
adr(mτ |validτ ) ∩mτ (PExp \ validτ ) ⊆ A. By Lemma D.5 this means:
mτ (validτ ) ∩mτ (PExp \ validτ ) ⊆A
and (validτ ∩ Adr) ∩mτ (PExp \ validτ ) ⊆A .
The claim follows immediately if act does not update pointer expressions and does not modify
the validity of pointer expressions. Otherwise, com must be one of the following: a pointer
assignment, an allocation, a free, or an assertion for pointer equality. We do a case distinction
over com. Note that it suffices to show:
mτ .act(validτ .act) ∩mτ .act(PExp \ validτ .act) ⊆A
and (validτ .act ∩ Adr) ∩mτ .act(PExp \ validτ .act) ⊆A
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:55
because this implies the desired adr(mτ .act |validτ .act )∩mτ .act(PExp\validτ .act) ⊆ A by LemmaD.5.
Case com ≡ p = q.
Let a = mτ (q). Then, the update is up = [p 7→ a]. So we have mτ .act(p) = a = mτ (q). By
definition, we have validτ .act ∩ Adr = validτ ∩ Adr .
• If q ∈ validτ we get:
mτ .act(validτ .act) = mτ [p 7→ a](validτ ∪ {p}) = mτ [p 7→ a]((validτ \ {p}) ∪ {p})
= mτ [p 7→ a](validτ \ {p}) ∪mτ [p 7→ a]({p}) ⊆ mτ (validτ ) ∪ {a} = mτ (validτ )
where a ∈ mτ (validτ ) because q ∈ validτ and mτ (q) = a. Moreover, we have:
mτ .act(PExp \ validτ .act) = mτ [p 7→ a](PExp \ (validτ ∪ {p}))
= mτ [p 7→ a]((PExp \ validτ ) \ {p}) = mτ ((PExp \ validτ ) \ {p}) ⊆ mτ (PExp \ validτ ) .
Altogether we get:
mτ .act(validτ .act) ∩mτ .act(PExp \ validτ .act) ⊆ mτ (validτ ) ∩mτ (PExp \ validτ ) and
(validτ .act ∩ Adr) ∩mτ .act(PExp \ validτ .act) ⊆ (validτ ∩ Adr) ∩mτ (PExp \ validτ ) .
• If q < validτ we proceed analogously and get:
mτ .act(validτ .act) = mτ [p 7→ a](validτ \ {p}) = mτ (validτ \ {p}) ⊆ mτ (validτ )
and
mτ .act(PExp \ validτ .act) = mτ [p 7→ a](PExp \ (validτ \ {p}))
⊆ mτ [p 7→ a]((PExp \ (validτ ∪ {p})) ∪ {p})
= mτ [p 7→ a](PExp \ (validτ ∪ {p})) ∪ {mτ [p 7→ a](p)}
= mτ (PExp \ (validτ ∪ {p})) ∪ {a} ⊆ mτ (PExp \ validτ ) ∪ {a} = mτ (PExp \ validτ )
where the last equality holds because q ∈ PExp \ validτ and mτ (q) = a. Altogether we get
mτ .act(validτ .act) ∩mτ .act(PExp \ validτ .act) ⊆ mτ (validτ ) ∩mτ (PExp \ validτ ) and
(validτ .act ∩ Adr) ∩mτ .act(PExp \ validτ .act) ⊆ (validτ ∩ Adr) ∩mτ (PExp \ validτ ) .
This concludes the property.
Case com ≡ p = q.next with mτ (q) ∈ Adr.
Let mτ (q) = a and mτ (a.next) = b. Then the update is up = [p 7→ b]. By definition, we have
validτ .act ∩ Adr = validτ ∩ Adr .
• If a.next ∈ validτ we get:
mτ .act(validτ .act) = mτ [p 7→ b](validτ ∪ {p}) = mτ [p 7→ b]((validτ \ {p}) ∪ {p})
= mτ [p 7→ b](validτ \ {p}) ∪mτ [p 7→ b]({p}) ⊆ mτ (validτ ) ∪ {b} = mτ (validτ )
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:56 Roland Meyer and Sebastian Wolff
where b ∈ mτ (validτ ) holds because a.next ∈ validτ and mτ (a.next) = b. Moreover, the
following holds:
mτ .act(PExp \ validτ .act) = mτ [p 7→ b](PExp \ (validτ ∪ {p}))
= mτ [p 7→ b]((PExp \ validτ ) \ {p}) = mτ ((PExp \ validτ ) \ {p}) ⊆ mτ (PExp \ validτ )
Altogether we get conclude this case by:
mτ .act(validτ .act) ∩mτ .act(PExp \ validτ .act) ⊆ mτ (validτ ) ∩mτ (PExp \ validτ ) and
(validτ .act ∩ Adr) ∩mτ .act(PExp \ validτ .act) ⊆ (validτ ∩ Adr) ∩mτ (PExp \ validτ ) .
• If a.next < validτ we proceed analogously and get:
mτ .act(validτ .act) = mτ [p 7→ b](validτ \ {p}) = mτ (validτ \ {p}) ⊆ mτ (validτ )
and
mτ .act(PExp \ validτ .act) = mτ [p 7→ b](PExp \ (validτ \ {p}))
⊆ mτ [p 7→ b]((PExp \ (validτ ∪ {p})) ∪ {p})
= mτ [p 7→ b](PExp \ (validτ ∪ {p})) ∪ {mτ [p 7→ b](p)}
= mτ (PExp \ (validτ ∪ {p})) ∪ {b} ⊆ mτ (PExp \ validτ ) ∪ {b} = mτ (PExp \ validτ )
where the last equality holds by a.next ∈ PExp \ validτ and mτ (a.next) = b. Altogether
we conclude by:
mτ .act(validτ .act) ∩mτ .act(PExp \ validτ .act) ⊆ mτ (validτ ) ∩mτ (PExp \ validτ ) and
(validτ .act ∩ Adr) ∩mτ .act(PExp \ validτ .act) ⊆ (validτ ∩ Adr) ∩mτ (PExp \ validτ ) .
This concludes the property.
Case com ≡ p.next = q with mτ (p) ∈ Adr.
Similar to the previous case.
Case com ≡ p := malloc.
Let up = [p 7→ a,a.next 7→ seg,a.data 7→ d]. Then, a ∈ fresh(τ ) ∪ (freed(τ ) ∩A) holds due
to the semantics.
We have validτ .act ∩ Adr = (validτ ∩ Adr) ∪ {a} and:
mτ .act(validτ .act) = mτ .act((validτ \ {p,a.next}) ∪ {p,a.next})
= mτ .act(validτ \ {p,a.next}) ∪ {a}
= mτ (validτ \ {p,a.next}) ∪ {a} ⊆ mτ (validτ ) ∪ {a} .
Moreover, we have:
mτ .act(PExp \ validτ .act) = mτ .act(PExp \ (validτ ∪ {p,a.next}))
= mτ (PExp \ (validτ ∪ {p,a.next})) ⊆ mτ (PExp \ validτ ) .
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:57
Altogether, we get:(
mτ .act(validτ .act) ∪ (validτ .act ∩ Adr)
)
∩mτ .act(PExp \ validτ .act)
⊆
(
mτ (validτ ) ∪ (validτ ∩ Adr) ∪ {a}
)
∩mτ (PExp \ validτ ) ⊆ A .
For the last inclusion, consider two cases. If a ∈ freed(τ ), then we must have a ∈ A. Otherwise,
a ∈ fresh(τ ). Then, Lemma D.9 provides a < mτ (PExp \ validτ ).
Case com ≡ free(a).
The update is up = [a.next = ⊥,a.data = ⊥].
We get validτ .act ∩ Adr ⊆ (validτ ∩ Adr) \ {a} because we have validτ .act ⊆ validτ and
a.next < validτ .act by definition.
Next we have
mτ .act(validτ .act) ⊆ mτ (validτ ) \ {a} .
To see this, note
mτ .act(validτ .act) ⊆ mτ (validτ .act) ⊆ mτ (validτ )
where the first inclusion holds because a.next,a.data < validτ .act and the second inclusion
holds by validτ .act ⊆ validτ . To the contrary, assume a ∈ mτ .act(validτ .act) was true. Then
there is a pointer expression pexp ∈ validτ .act withmτ .act(pexp) = a. Since a.next < validτ .act
we must have pexp . a.next. So mτ (pexp) = mτ .act(pexp) = a. Hence, by definition we have
pexp < validτ .act . This contradicts the assumption. Thus, a < mτ .act(validτ .act) must indeed
hold.
Finally we have
mτ .act(PExp \ validτ .act) ⊆ mτ (PExp \ validτ ) ∪ {a} .
To see this, consider some b ∈ mτ .act(PExp \ validτ .act) with b < mτ (PExp \ validτ ). There is
some pexp ∈ PExp with pexp < validτ .act and mτ .act(pexp) = b , ⊥. Due to b , ⊥ we know
that pexp . a.next. Hence, mτ (pexp) = mτ .act(pexp) = b. So we must have pexp ∈ validτ
as for otherwise we would get pexp ∈ PExp \ validτ and thus b ∈ mτ (PExp \ validτ ) which
contradicts the choice of b. To sum this up: we now know that pexp is not a.next and is
invalidated by act. Hence, b = a must hold as for otherwise pexp would not be invalidated by
act. That is, b ∈ {a}. This concludes the claim.
Altogether, we can now conclude as follows:
(validτ .act ∩ Adr) ∩mτ .act(PExp \ validτ .act)
⊆
(
(validτ ∩ Adr) \ {a}
)
∩
(
mτ (PExp \ validτ ) ∪ {a}
)
⊆ (validτ ∩ Adr) ∩mτ (PExp \ validτ )
and
mτ .act(validτ .act) ∩mτ .act(PExp \ validτ .act)
⊆ (mτ (validτ ) \ {a}) ∩ (mτ (PExp \ validτ ) ∪ {a})
= mτ (validτ ) ∩mτ (PExp \ validτ ) .
Case com ≡ assert p = q.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:58 Roland Meyer and Sebastian Wolff
We have mτ = mτ .act by the semantics. If validτ = validτ .act , then the claim follows immedi-
ately. Otherwise, we have validτ .act = validτ ∪ {p, q} and validτ ∪ {p, q} ,  by definition.
And by the semantics we have mτ (p) = mτ (q). So we get:
mτ .act(validτ .act) = mτ (validτ ∪ {p, q}) = mτ (validτ ) ∪ {mτ (p)} = mτ (validτ )
where the last inclusion holds because validτ ∪ {p, q} ,  yields mτ (p) ∈ mτ (validτ ).
Moreover, we have validτ .act ∩ Adr = validτ ∩ Adr and:
mτ .act(PExp \ validτ .act) ⊆ mτ (PExp \ validτ )
Then, we conclude by induction:
mτ .act(validτ .act) ∩mτ .act(PExp \ validτ .act) ⊆ mτ (validτ ) ∩mτ (PExp \ validτ )
and
(validτ .act ∩ Adr) ∩mτ .act(PExp \ validτ .act) ⊆ (validτ ∩ Adr) ∩mτ (PExp \ validτ ) .
□
Proof of Lemma D.16. Unrolling the premise gives:
(P1) ctrl(τ ) = ctrl(σ )
(P2) mτ |validτ = mσ |validσ
(P3) ∀ p ∈ PVar . mτ (p) = a ⇐⇒ mσ (p) = a
(P4) ∀b ∈ mτ (validτ ). mτ (b .next) = a ⇐⇒ mσ (b .next) = a
(P5) ∀a ∈ A. a ∈ allocatedτ ⇐⇒ a ∈ allocatedσ
(P6) ∀b ∈ adr(mτ |validτ ) ∪A. F (τ , b) ⊆ F (σ , b)
(P7) act = (t , com, up)
(P8) com is not an assignment =⇒ σ .act ∈ [[D(OSMR)]]A
(P9) com contains p.next or p.data =⇒ p ∈ validτ
(P10) com ≡ func(p¯, x¯) =⇒ mτ (p¯) = mσ (p¯)
(P11) com ≡ free(a) =⇒ ∀b ∈ Adr \ {a}. F (τ .act, b) = F (τ , b)
(P12) com ≡ free(a) =⇒ ∀b ∈ Adr \ {a}. F (σ .act, b) = F (σ , b)
(P13) com ≡ p := malloc ∧mτ .act(p) < A =⇒ F(τ , mτ .act(p)) ⊆ F (σ , mτ .act(p))
We have to show that there is some act ′ = (t , com, up′) which satisfies the claim. That is, our
goal is to show for all threads t and all addresses a ∈ A:
(G1) ctrl(τ .act) = ctrl(σ .act ′)
(G2) mτ .act |validτ .act = mσ .act′ |validσ .act′
(G3) ∀ p ∈ PVar . mτ .act(p) = a ⇐⇒ mσ .act′(p) = a
(G4) ∀b ∈ mτ .act(validτ .act). mτ .act(b .next) = a ⇐⇒ mσ .act′(b .next) = a
(G5) a ∈ allocatedτ .act ⇐⇒ a ∈ allocatedσ .act′
(G6) ∀b ∈ adr(mτ .act |validτ .act ) ∪A. F (τ .act, b) ⊆ F (σ .act ′, b)
IfA = , then Properties (G3) to (G5) are vacuously true. For the remainder of the proof, we assume
A ,  and fix some arbitrary addresses a ∈ A. Because act ′ executes the same command com as
act, we get Property (G1) from Property (P1). Hence, we do not comment on Property (G1) in the
following. Also note that the following holds due to Property (P2) together with Lemma D.7:
validτ = validσ (A1)
Case com ≡ p = q.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:59
The update is up = [p 7→ b] with mτ (q) = b. We choose up′ = [p 7→ b ′] such that mσ (q) = b ′. Note
that we have b = b ′ if q ∈ validτ . Otherwise, this equality may not hold.
Property (G5) holds by definition together with Property (P5). It remains to show Properties (G2)
to (G4) and (G6).
Ad Property (G2). First consider the case where we have q ∈ validτ . By Auxiliary (A1) we also
have q ∈ validσ . We get
mτ .act |validτ .act = mτ [p 7→ b]|validτ ∪{p} = (mτ |validτ )[p 7→ b] .
The second equality holds because mτ (q) = b. That is, we preserve b .data in mτ |validτ and only
need to update the mapping of p. Similarly, we get
mσ .act′ |validσ .act′ = mσ [p 7→ b ′]|validσ ∪{p} = (mσ |validσ )[p 7→ b ′] .
By Property (P2) we have mσ |validσ = mτ |validτ . Moreover, it provides mτ (q) = mσ (q) because q is
valid. This means b = b ′. So we conclude by
mσ .act′ |validσ .act′ = (mσ |validσ )[p 7→ b ′] = (mτ |validτ )[p 7→ b] = mτ .act |validτ .act .
Now consider the case q < validτ . By Auxiliary (A1) we also have q < validσ . We get
mτ .act |validτ .act = mτ [p 7→ b]|validτ \{p} = mτ |validτ \{p} .
The last equality holds because the update does not survive the restriction to a set which is
guaranteed not to contain p. Similarly, we get
mσ .act′ |validσ .act′ = mσ [p 7→ b ′]|validσ \{p} = mσ |validσ \{p} .
We now get:
mτ |validτ \{p} = (mτ |validτ )|validτ \{p} = (mσ |validσ )|validτ \{p} = (mσ |validσ )|validσ \{p} = mσ |validσ \{p}
The first equality is by definition of restrictions, the second equality is due to Property (P2), the
third one is by Auxiliary (A1), and the last is again by definition. This concludes the property.
Ad Property (G3). Only the valuation of p is changed by both act and act ′. So by Property (P3) it
suffices to show mτ .act(p)=a ⇐⇒ mσ .act′(p)=a. This follows easily:
mτ .act(p) = a ⇐⇒ mτ (q) = a ⇐⇒ mσ (q) = a ⇐⇒ mσ .act′(p) = a
where the first and last equivalence hold due to the updates up and up′ and the second equality
holds by Property (P3).
Ad Property (G4). Let c ∈ mτ .act(validτ .act). We have c ∈ mτ (validτ ). To see this, consider
some pexp ∈ validτ .act such that mτ .act(pexp) = c . If pexp . p, then mτ .act(pexp) = mτ (pexp)
and pexp ∈ validτ by definition. So c ∈ mτ (validτ ) follows immediately. Otherwise, in the case
of pexp ≡ p, we have mτ .act(p) = mτ (q). Moreover, p ∈ validτ .act implies q ∈ validτ . Hence,
c ∈ mτ (validτ ). We then conclude as follows:
mτ .act(c .next) = a ⇐⇒ mτ (c .next) = a ⇐⇒ mσ (c .next) = a ⇐⇒ mσ .act′(c .next) = a
where the first/last equivalence hold because act/act ′ does not update any pointer selector and the
second equivalence holds by c ∈ mτ (validτ ) from above together with Property (P4).
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:60 Roland Meyer and Sebastian Wolff
Ad Property (G6). It suffices to show adr(mτ .act |validτ .act ) ⊆ adr(mτ |validτ ) because of Property (P6)
together with the fact that act/act ′ do not emit an event. We have:
adr(mτ .act |validτ .act )
= (validτ .act ∩ Adr) ∪mτ .act(validτ .act)
⊆ ((validτ ∪ {p}) ∩ Adr) ∪mτ .act(validτ .act)
= (validτ ∩ Adr) ∪mτ .act(validτ .act)
where the first equality is due to Lemma D.5. It remains to show mτ .act(validτ .act) ⊆ mτ (validτ ).
• If q < validτ we get:
mτ .act(validτ .act) = mτ .act(validτ \ {p}) = mτ (validτ \ {p}) ⊆ mτ (validτ ) .
• If q ∈ validτ we get:
mτ .act(validτ .act) = mτ .act((validτ \ {p}) ∪ {p}) = mτ (validτ \ {p}) ∪ {b}
⊆ mτ (validτ ) ∪ {b} = mτ (validτ )
where the last equality holds because of mτ (q) = b together with q ∈ validτ by assumption.
This concludes the property.
Case com ≡ p = q.next.
By Property (P9) we have q ∈ validτ . And by the semantics we have mτ (q) ∈ Adr . Then the update
is up = [p 7→ c] with mτ (q) = b and mτ (b .next) = c . Property (P2) gives mσ (q) = mτ (q) = b. So
we choose up′ = [p 7→ c ′] with mτ (b .next) = c ′.
Property (G5) holds by definition together with Property (P5). It remains to show Properties (G2)
to (G4) and (G6).
Ad Property (G2). First consider the case where we have b .next ∈ validτ . By Auxiliary (A1) this
implies b .next ∈ validσ . That is, p is validated by the assignment. We get
mτ .act |validτ .act = mτ [p 7→ c]|validτ ∪{p} = (mτ |validτ )[p 7→ c] .
The second equality holds because mτ (b .next) = c . That is, we preserve c .data in mτ |validτ and
only need to update the mapping of p. Similarly, we get
mσ .act′ |validσ .act′ = mσ [p 7→ c ′]|validσ ∪{p} = (mσ |validσ )[p 7→ c ′] .
By Property (P2) we have mσ |validσ = mτ |validτ . Moreover, it provides mτ (b .next) = mσ (b .next)
because b .next is valid. This means c = c ′. So we conclude by
mσ .act′ |validσ .act′ = (mσ |validσ )[p 7→ c ′] = (mτ |validτ )[p 7→ c] = mτ .act |validτ .act .
Now consider the case b .next < validτ . By Auxiliary (A1) we also have b .next < validσ . We get
mτ .act |validτ .act = mτ [p 7→ c]|validτ \{p} = mτ |validτ \{p} .
The last equality holds because the update does not survive the restriction to a set which is
guaranteed not to contain p. Similarly, we have
mσ .act′ |validσ .act′ = mσ [p 7→ c ′]|validσ \{p} = mσ |validσ \{p} .
We now get:
mτ |validτ \{p} = (mτ |validτ )|validτ \{p} = (mσ |validσ )|validτ \{p} = (mσ |validσ )|validσ \{p} = mσ |validσ \{p}
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:61
The first equality is by definition of restrictions, the second equality is due to Property (P2), the
third one is by Auxiliary (A1), and the last is again by definition. This concludes the property.
Ad Property (G3). Only the valuation of p is changed by both act and act ′. So by Property (P3) it
suffices to show mτ .act(p) = a ⇐⇒ mσ .act′(p) = a. This follows easily:
mτ .act(p) = a ⇐⇒ mτ (b .next) = a ⇐⇒ mσ (b .next) = a ⇐⇒ mσ .act′(p) = a
where the first/last equivalence holds due to the update up/up′. The second equality holds by
Property (P4) because q ∈ validτ from above yields b = mτ (q) ∈ mτ (validτ ).
Ad Property (G4). Let a˜ ∈ mτ .act(validτ .act). We have a˜ ∈ mτ (validτ ). To see this, consider
some pexp ∈ validτ .act such that mτ .act(pexp) = a˜. If pexp . p, then mτ .act(pexp) = mτ (pexp)
and pexp ∈ validτ by definition. So a˜ ∈ mτ (validτ ) follows immediately. Otherwise, in the case
of pexp ≡ p, we have mτ .act(p) = mτ (q). Moreover, p ∈ validτ .act implies q ∈ validτ . Hence,
a˜ ∈ mτ (validτ ). We then conclude as follows:
mτ .act(a˜.next) = a ⇐⇒ mτ (a˜.next) = a ⇐⇒ mσ (a˜.next) = a ⇐⇒ mσ .act′(a˜.next) = a
where the first/last equivalence hold because act/act ′ does not update any pointer selector and the
second equivalence holds by a˜ ∈ mτ (validτ ) from above together with Property (P4).
Ad Property (G6). It suffices to show adr(mτ .act |validτ .act ) ⊆ adr(mτ |validτ ) because of Property (P6)
together with the fact that act/act ′ do not emit an event. We have:
adr(mτ .act |validτ .act ) = (validτ .act ∩ Adr) ∪mτ .act(validτ .act)
⊆ ((validτ ∪ {p}) ∩ Adr) ∪mτ .act(validτ .act) = (validτ ∩ Adr) ∪mτ .act(validτ .act)
where the first equality is due to Lemma D.5. It remains to show mτ .act(validτ .act) ⊆ mτ (validτ ).
• If b .next < validτ we get:
mτ .act(validτ .act) = mτ .act(validτ \ {p}) = mτ (validτ \ {p}) ⊆ mτ (validτ )
• If b .next ∈ validτ we get:
mτ .act(validτ .act) = mτ .act((validτ \ {p}) ∪ {p}) = mτ (validτ \ {p}) ∪ {c}
⊆ mτ (validτ ) ∪ {c} = mτ (validτ )
where the last equality holds because of mτ (b .next) = c together with b .next ∈ validτ by
assumption.
This concludes the property.
Case com ≡ p.next = q.
This case is analogous to the previous one.
Case com ≡ x = op(x1, . . . , xn).
The update is up = [x 7→ d]with d = op(mτ (x1), . . . ,mτ (xn)). We have x1, . . . , xn ∈ dom(mτ |validτ )
by definition. So Property (P2) gives d = op(mσ (x1), . . . ,mσ (xn)). Hence, we choose up′ = [x 7→ d].
That is, the same update is performed, up = up′.
We immediately get Properties (G2) to (G6) from Properties (P2) to (P6).
Case com ≡ x = q.data.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:62 Roland Meyer and Sebastian Wolff
By Property (P9) we have q ∈ validτ . And by the semantics we havemτ (q) ∈ Adr . Then, the update
is up = [x 7→ d] with mτ (q) = b and mτ (b .data) = d . We get b .data ∈ dom(mτ |validτ ) because
q ∈ validτ . From Auxiliary (A1) and Property (P2) we get q ∈ validσ , mσ (q) = mτ (q) = b, and
mσ (b .data) = mτ (b .data) = d . So we choose up′ = up.
Then, Properties (G2) to (G6) follow immediately from Properties (P2) to (P6).
Case com ≡ p.data = y.
By Property (P9) we have p ∈ validτ . And by the semantics we havemτ (p) ∈ Adr . Then, the update
is up = [b .data 7→ d]withmτ (p) = b andmτ (y) = d . From Property (P2) we getmσ (p) = mτ (p) = b
and mσ (y) = mτ (y) = d . Hence we get up′ = up.
Then, Properties (G2) to (G6) follow immediately from Properties (P2) to (P6).
Case com ≡ p := malloc.
The update is up = [p 7→ b,b .next 7→ seg,b .data 7→ d] with b ∈ fresh(τ ) ∪ freed(τ ) and arbitrary
d . By Property (P8) we know b ∈ fresh(σ ) ∪ freed(σ ). We choose
up′ = [p 7→ b,b .next 7→ seg,b .data 7→ d] .
We first show two auxiliary statements:
mτ .act(validτ .act) = mτ (validτ \ {p,b .next}) ∪ {b} (A2)
mσ .act(validσ .act) = mσ (validσ \ {p,b .next}) ∪ {b} (A3)
Ad Auxiliary (A2). Note that act changes only the valuation of p and b .next. Moreover, by
definition, we have validτ .act = validτ ∪ {p,b .next}. So we conclude as follows:
mτ .act(validτ .act) = mτ .act(validτ ∪ {p,b .next})
= mτ .act(validτ \ {p,b .next}) ∪mτ .act({p,b .next})
= mτ (validτ \ {p,b .next}) ∪ {b} .
Ad Auxiliary (A3). Similar to Auxiliary (A2).
Ad Property (G2). Auxiliary (A2) with validτ .act = validτ ∪ {p,b .next} gives the following:
dom(mτ .act |validτ .act ) = validτ .act ∪ DVar ∪ {c .data | c ∈ mτ .act(validτ .act)}
= (validτ \ {p,b .next}) ∪ {p,b .next} ∪ DVar
∪ {c .data | c ∈ mτ (validτ \ {p,b .next})} ∪ {b .data}
= dom(mτ |validτ \{p,b .next}) ∪ {p,b .next,b .data} .
By definition then, we have:
mτ .act |validτ .act = (mτ |validτ \{p,b .next})[p 7→ b,b .next 7→ seg,b .data 7→ d]
= ((mτ |validτ )|validτ \{p,b .next})[p 7→ b,b .next 7→ seg,b .data 7→ d] .
Along the same lines, using Auxiliary (A3), we get:
mσ .act′ |validσ .act′ = ((mσ |validσ )|validσ \{p,b .next})[p 7→ b,b .next 7→ seg,b .data 7→ d]
The above equalities now allow us to conclude the claim using Property (P2) and auxiliary (A1):
(mτ |validτ )|validτ \{p,b .next} = (mσ |validσ )|validσ \{p,b .next}
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:63
Ad Property (G3). For p we have mτ .act(p) = mσ .act(p). For q , p we have mτ .act(q) = mτ (q) and
mσ .act(q) = mσ (q). Hence, the claim follows from Property (P3).
Ad Property (G4). For b .next we have mτ .act(b .next) = mσ .act(b .next). For c .next , b .next we
have mτ .act(c .next) = mτ (c .next) and mσ .act′(c .next) = mσ (c .next). Hence, the claim follows
from Property (P4).
Ad Property (G5). Follows from Property (P5) because allocatedτ .act = allocatedτ ∪ {b} and
allocatedσ .act′ = freed(σ ) \ {b}.
Ad Property (G6). From Auxiliary (A2) and Lemma D.5 we get:
adr(mτ .act |validτ .act ) = (validτ .act ∩ Adr) ∪mτ .act(validτ .act)
= ((validτ ∪ {p,b .next}) ∩ Adr) ∪mτ (validτ \ {p,b .next}) ∪ {b}
= (validτ ∩ Adr) ∪mτ (validτ \ {p,b .next}) ∪ {b}
⊆ (validτ ∩ Adr) ∪mτ (validτ ) ∪ {b} = adr(mτ |validτ ) ∪ {b}
We have F (τ .act, c) = F (τ , c) and F (σ .act ′, c) = F (σ , c) for all c ∈ Adr because act/act ′ does
not emit an event. Hence, due to Property (P6), it remains to show that F (τ , b) ⊆ F (σ , b). If b ∈ A,
then we get the desired inclusion from Property (P6). Otherwise, we get it from Property (P13).
Case com ≡ free(b).
The update is up = [b .next 7→ ⊥,b .data 7→ ⊥]. By Property (P8) we can choose act ′ = act.
Ad Property (G2). First, note that validτ .act = validσ .act′ . To see this, consider pexp ∈ validτ .act .
By definition, this means pexp ∈ validτ , pexp . b .next, andmτ (pexp) , b. From Auxiliary (A1) we
get pexp ∈ validσ . From Property (P2) we get mσ (pexp) = mτ (pexp) , b. Hence, pexp ∈ validσ .act′
must hold by definition. This establishes validτ .act ⊆ validσ .act′ . The reverse inclusion follows
analogously. So we have validτ .act = validσ .act′ indeed.
Now, we get
dom(mτ .act |validτ .act ) = validτ .act ∪ DVar ∪ {c .data | c ∈ mτ .act(validτ .act)}
= validτ .act ∪ DVar ∪ {c .data | c ∈ mτ (validτ .act)} = dom(mτ |validτ .act )
where the first and last equality hold by the definition of restrictions and the second equality holds
because c .next, c .data < validτ .act . Then we get
mτ .act |validτ .act = mτ |validτ .act
because c .next, c .data < dom(mτ .act) holds due to the update up. Similarly, we conclude
mσ .act′ |validσ .act′ = mσ |validσ .act′ .
Note that we have
mτ |validτ .act = (mτ |validτ )|validτ .act = (mσ |validσ )|validτ .act = (mσ |validσ )|validσ .act′ = mσ |validσ .act′
where the first holds by validτ .act ⊆ validτ , the second equality holds by Property (P2), the third
equality is shown above, and the last equality holds by validσ .act ⊆ validσ . Hence, we conclude as
follows:
mτ .act |validτ .act = mτ |validτ .act = mσ |validσ .act′ = mσ .act′ |validσ .act′ .
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:64 Roland Meyer and Sebastian Wolff
Ad Property (G3). The updates up/up′ do not change the valuation of any pointer variable. Hence,
the claim follows immediately from Property (P3).
Ad Property (G4). Consider b .next. We have mτ .act(b .next) = ⊥ = mσ .act′(b .next) due to the
updates. This means mτ .act(b .next) = a ⇐⇒ mσ .act′(b .next) = a.
Consider now c ∈ mτ .act(validτ .act) \ {b}. There is some pexp ∈ validτ .act with mτ .act(pexp) = c .
By definition of validity, we have pexp ∈ validτ . We also get pexp . b .next from pexp being valid.
Hence, mτ .act(pexp) = mτ (pexp) = c . So we have c ∈ mτ (validτ ). Now we conclude as follows:
mτ .act(c .next) ⇐⇒ mτ (c .next) ⇐⇒ mσ (c .next) ⇐⇒ mσ .act′(c .next)
where the first/last equivalence hold because up/up′ does not modify c .next (since c , b by choice)
and the second equivalence holds by c ∈ mτ (validτ ) together with Property (P4).
Ad Property (G5). Follows from Property (P5) together with allocatedτ .act = allocatedτ \ {b} and
allocatedσ .act′ = allocatedσ \ {b}.
Ad Property (G6). Let c ∈ adr(mτ .act |validτ .act ) ∪A. Let h ∈ F (τ .act, c). We show h ∈ F (σ .act ′, c).
If c = b, we get free(c).h ∈ F (τ , c) from Lemma D.8. Property (P6) gives free(c).h ∈ F (σ , c).
Again by Lemma D.8, we have h ∈ F (σ .act, c). This concludes the property due to the choice of
act = act ′.
If c , b, we have h ∈ F (τ , c) by Property (P11). Property (P6) gives free(c).h ∈ F (σ , c). And
Property (P12) yields h ∈ F (σ .act, c). This concludes the property.
Case com ≡ assert p = q.
The updates are up = up′ = . We have mτ .act = mτ and mσ .act′ = mσ . Moreover, we have
validτ .act ⊆ validτ ∪ {p, q} and validσ .act′ ⊆ validσ ∪ {p, q}. And due to the semantics we have
mτ (p) = mτ (q). By Property (P8) we must also have mσ (p) = mσ (q).
Properties (G3) and (G5) follow immediately from Properties (P3) and (P5). For the remaining
properties we show auxiliary statements first:
mτ .act(validτ .act) = mτ (validτ ) (A4)
mσ .act′(validσ .act′) = mσ (validσ ) (A5)
validτ .act = validσ .act′ (A6)
Ad Auxiliary (A4). Since mτ .act = mτ , it suffices to show that mτ (validτ .act) = mτ (validτ )
holds. If validτ .act = validτ , then claim follows immediately. So assume validτ .act , validτ . By
definition, we get validτ .act = validτ ∪ {p, q} and {p, q} ∩ validτ , . Wlog. let p ∈ validτ . So
mτ (p) ∈ mτ (validτ ). And because mτ (p) = mτ (q) we also get mτ (q) ∈ mτ (validτ ). Hence, we
conclude by:
mτ (validτ .act) = mτ (validτ ∪ {p, q}) = mτ (validτ ) .
Ad Auxiliary (A5). Analogous to Auxiliary (A4).
Ad Auxiliary (A6). There are two cases. First, assume {p, q} ∩ validτ = . Then, Auxiliary (A1)
gives {p, q} ∩ validσ = . By definition, this gives validτ .act = validτ and validσ .act′ = validσ .
Hence, the claim follows from Auxiliary (A1).
Second, {p, q} ∩ validτ , . Wlog. p ∈ validτ . By Auxiliary (A1) we have p ∈ validσ . And by
definition, we get validτ .act = validτ ∪ {p, q} and validσ .act′ = validσ ∪ {p, q}. Again, we conclude
by Auxiliary (A1).
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:65
Ad Property (G2). We consider two cases. First, assume {p, q} ∩ validτ = . Then, we have
validτ .act = validτ . So Auxiliary (A5) together with Auxiliary (A1) gives validσ .act′ = validσ .
Hence, we can conclude using mτ .act = mτ and mσ .act′ = mσ :
mτ .act |validτ .act = mτ |validτ = mσ |validσ = mσ .act′ |validσ .act′
where the second equality holds by Property (P2).
Second, assume {p, q} ∩ validτ , . Then, validτ .act = validτ ∪ p, q. So Auxiliary (A5) to-
gether with Auxiliary (A1) gives validσ .act′ = validσ ∪ {p, q}. Using Auxiliaries (A4) and (A5) and
Property (P2) we now get:
dom(mτ .act |validτ .act )
= validτ .act ∪ DVar ∪ {c .data | c ∈ mτ .act(validτ .act)}
= validτ ∪ {p, q} ∪ DVar ∪ {c .data | c ∈ mτ (validτ )}
= dom(mτ |validτ ) ∪ {p, q}
= dom(mσ |validσ ) ∪ {p, q}
= validσ ∪ {p, q} ∪ DVar ∪ {c .data | c ∈ mσ (validσ )}
= validσ .act′ ∪ DVar ∪ {c .data | c ∈ mσ .act′(validσ .act′)}
= dom(mσ .act′ |validσ .act′ )
By Property (P2) together with mτ .act = mτ and mσ .act′ = mσ it suffices to show
mτ .act(p) = mσ .act′(p) and mτ .act(q) = mσ .act′(q)
to conclude the claim. Wlog. p ∈ validτ . Then, mτ (p) = mσ (p). Hence, mτ .act(p) = mσ .act′(p).
And the assertion in com requires p and q to have the same valuation, mτ .act(q) = mσ .act′(q). This
concludes the claim.
Ad Property (G4). Follows from mτ .act = mτ and mσ .act′ = mσ together with Property (P4) and
Auxiliary (A4).
Ad Property (G6).We have F (τ .act, c) = F (τ , c) and F (σ .act ′, c) = F (σ , c) for all c ∈ Adr since
act/act ′ does not emit an event. Now, using Lemma D.5 and Auxiliary (A4) we get:
adr(mτ .act |validτ .act ) = (validτ .act ∩ Adr) ∪mτ .act(validτ .act)
⊆ ((validτ ∪ p, q) ∩ Adr) ∪mτ (validτ )
= (validτ ∩ Adr) ∪mτ (validτ ) = adr(mτ |validτ ) .
This concludes the claim by Property (P6).
Case com ≡ assert p , q.
We have up = up′ = . By Property (P8) act is enabled after σ . Properties (G2) to (G6) follow
immediately from Properties (P2) to (P6).
Case com ≡ assert x ≺ y with ≺∈ {=,,, <}.
We have up = up′ =  by definition. By Property (P8) act is enabled after σ . Properties (G2) to (G6)
follow immediately from Properties (P2) to (P6).
Case com ≡ enter func(p¯, x¯).
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:66 Roland Meyer and Sebastian Wolff
We have up = up′ = . As in the previous case, act/act ′ does not have an effect on the memory,
validity, freeness, and freshness. Hence, Properties (G2) to (G5) follow from Properties (P2) to (P5).
For the remaining property note that Property (P10) provides mτ (p¯) = mσ (p¯). And Property (P2)
gives mτ (x¯) = mσ (x¯). Hence, act and act ′ emit the same event. That is, we haveH(τ .act) = h1.evt
andH(σ .act ′) = h2.evt. Thus, Property (G6) follows from Property (P6) together with Lemma D.8.
Case com ≡ exit.
Analogous to the previous case since both τ and σ emit the same event for exit commands by
definition.
□
D.6 Proofs of Elision Technique (Appendix D.3)
Proof of Lemma D.18. Follows immediately from the fact that swapadr is a bijection. □
Proof of Lemma D.20. Towards a contradiction, assume there is a shortest h.evt such that there
are histories h1.evt1 , h2.evt2 with swapadr (h1.evt1) = h.evt = swapadr (h2.evt2). Note that h1.evt1,
h2.evt2, and h′.evt ′ all must have the same length. Also note that h.evt is indeed a shortest such
computation because the claim holds for the empty history ϵ . Let evt be of the form evt ≡ func(t , a¯, d¯).
Let evti ≡ funci (t i , a¯i , d¯i ). Then, swaphist(evti ) = funci (t i , swapadr (a¯i ), d¯i ). By choice of evti we
have swapadr (evti ) = func(t , a¯, d¯). To arrive there, we must have funci = func, swapadr (a¯i ) = a¯, and
d¯i = d¯ . Hence, a¯i = swap−1adr (a¯). Consequently, we have a¯1 = a¯2 because swapadr is a bijection. So we
have evt1 = evt2. And by minimality ofh′.evt ′ we geth1 = h2. Altogether, we haveh1.evt1 = h2.evt2.
This contradicts the assumption. The remaining cases for exit and free events follow analogously.
This concludes the claim. □
Proof of Lemma D.21. If h ∈ H holds, then we get h′ ∈ swaphist(H ) immediately due to
swaphist(h) = h′. For the reverse direction, we know that there is some h˜ ∈ H with swaphist(h˜) = h′.
Lemma D.20 yields h˜ = h. So h ∈ H . This concludes the claim. □
Proof of Lemma D.22. Let a′ ∈ Adr . Since swapadr is a bijection, there is a ∈ Adr such that
a′ = swapadr (a) and a′ < swapadr (Adr \ {a}). Hence we have a < A1 =⇒ a′ < swapadr (A1). And
a ∈ A1 =⇒ a′ ∈ swapadr (A1) by choice of a. So altogether we have: a′ ∈ swapadr (A1) ⇐⇒ a ∈ A1.
Similarly, a′∈ swapadr (A2) ⇐⇒ a ∈A2. Thus: a′∈ swapadr (A1) ⊗ swapadr (A2) ⇐⇒ a ∈A1 ⊗ A2.
And with the same arguments we derive a ∈ A1 ⊗ A2 ⇐⇒ a′ ∈ swapadr (A1 ⊗ A2). This concludes
the first equality.
Similarly, we have
a′.next ∈ swapexp(B1) ⇐⇒ a.next ∈ B1 and a′.next ∈ swapexp(B2) ⇐⇒ a.next ∈ B2 .
As before, we derive a′.next ∈ swapexp(B1) ⊗ swapexp(B2) ⇐⇒ a.next ∈ B1 ⊗ B2. And with the
same arguments we get a.next ∈ B1 ⊗ B2 ⇐⇒ a′.next ∈ swapexp(B1 ⊗ B2). This concludes the
second equality.
Consider now some history h′. Since swapadr is a bijection, there is h with swaphist(h) = h′. Then,
Lemma D.21 yields h′ ∈ swaphist(C1) ⇐⇒ h ∈ C1. Similarly, h′ ∈ swaphist(C2) ⇐⇒ h ∈ C2
follows. So h′ ∈ swaphist(C1) ⊗ swaphist(C2) ⇐⇒ h ∈ C1 ⊗ C2. Again by Lemma D.21 we get
h ∈ C1 ⊗ C2 ⇐⇒ h′ ∈ swaphist(C1 ⊗ C2). This concludes the third equality. □
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:67
Proof of Lemma D.23. Consider some event evt ≡ func(t , a¯, d¯). Then we have:
swap−1hist(swaphist(evt)) = swap−1hist(swaphist(func(t , a¯, d¯))) = swap−1hist(func(t , swapadr (a¯), d¯))
= func(t , swap−1adr (swapadr (a¯)), d¯) = func(t , a¯, d¯)
Analogously, swap−1hist(swaphist(free(a))) = free(a) and swap−1hist(swaphist(exit(t))) = exit(t).
The overall claim follows then from inductively applying the above to h. In the base case one
has swap−1hist(swaphist(ϵ)) = ϵ by definition. For h.evt one has
swap−1hist(swaphist(h.evt)) = swap−1hist(swaphist(h).swaphist(evt))
= swap−1hist(swaphist(h)).swap−1hist(swaphist(evt)) = h.evt
where the last equality is due to induction (for h) and due to the above reasoning (for evt). □
Proof of Lemma D.24. We first show the following auxiliary:
(l,φ)−→h (l′,φ) ⇐⇒ (l, swapadr ◦ φ)−−−−−−−→swaphist (h) (l′, swapadr ◦ φ) .
To that end, let (l,φ)−−→evt (l′,φ) be some observer step and let u¯ = dom(φ) be the observer variables.
We show that also
(l,φ ′)−−−−−−−−→swaphist (evt) (l′,φ ′) with φ ′ = swapadr ◦ φ
is an observer step. The event evt is of the form evt ≡ func(v¯). By the definition, there is a transition
l−−−−−−→func(r¯ ), g l′ such that g[r¯ 7→ v¯, u¯ 7→ φ(u¯)] true .
Now, turn to swaphist(evt). It is of the form swaphist(evt) ≡ func(w¯) with w¯ = swapadr (v¯). Hence,
the above transition matches. It remains to show that it is enabled. To that end, we need show that
g[r¯ 7→ w¯, u¯ 7→ φ ′(u¯)] true. Intuitively, this holds because guards are composed of (in)equalities
which are stable under the bijection swapadr . Formally, we know that g is equivalent to
g
∨
i
∧
j
vari, j,1 ≜ vari, j,2 with vari, j,k ∈ {p1,p2, u, v} and ≜∈ {=,,} .
Hence, we have to show
(var ≜ var ′)[r¯ 7→ v¯, u¯ 7→ φ(u¯)] true
⇐⇒ (var ≜ var ′)[r¯ 7→ w¯, u¯ 7→ φ ′(u¯)] true
for every i, j and var = vari, j,1 and var ′ = vari, j,2. We conclude this as follows:
(var ≜ var ′)[r¯ 7→ v¯, u¯ 7→ φ(u¯)] true
⇐⇒ var[r¯ 7→ v¯, u¯ 7→ φ(u¯)] ≜ var ′[r¯ 7→ v¯, u¯ 7→ φ(u¯)]
⇐⇒ swapadr (var[r¯ 7→ v¯, u¯ 7→ φ(u¯)]) ≜ swapadr (var ′[r¯ 7→ v¯, u¯ 7→ φ(u¯)])
⇐⇒ var[r¯ 7→ swapadr (v¯), u¯ 7→ swapadr (φ(u¯))]
≜ var ′[r¯ 7→ swapadr (v¯), u¯ 7→ swapadr (φ(u¯))]
⇐⇒ var[r¯ 7→ w¯, u¯ 7→ φ ′(u¯)] ≜ var ′[r¯ 7→ w¯, u¯ 7→ φ ′(u¯)]
⇐⇒ (var ≜ var ′)[r¯ 7→ w¯, u¯ 7→ φ ′(u¯)] true
where the second equivalence holds because swapadr is a bijections, and the third equivalence holds
because var/var ′ are either contained in r¯ or u¯ by the definition of observers. This concludes the
auxiliary claim.
Altogether, the overall implication " =⇒ "
(l,φ)−→h (l′,φ) =⇒ (l, swapadr ◦ φ)−−−−−−−→swaphist (h) (l′, swapadr ◦ φ)
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:68 Roland Meyer and Sebastian Wolff
follows by applying the above argument inductively to every event in the history h.
For the reverse direction "⇐= " we use Lemma D.18. That is, we apply the above result to
(l, swapadr ◦ φ)−−−−−−−→swaphist (h) (l′, swapadr ◦ φ) using the address mapping swap−1adr . This yields:
(l, swapadr ◦ φ)−−−−−−−→swaphist (h) (l′, swapadr ◦ φ)
=⇒ (l, swap−1adr ◦ swapadr ◦ φ)−−−−−−−−−−−−−−→
swap−1hist (swaphist (h)) (l′, swap−1adr ◦ swapadr ◦ φ) .
Then, Lemma D.23 together with swap−1adr ◦ swapadr = id gives:
(l, swap−1adr ◦ swapadr ◦ φ)−−−−−−−−−−−−−−→
swap−1hist (swaphist (h)) (l′, swap−1adr ◦ swapadr ◦ φ)
=⇒ (l, swapadr ◦ φ)−−−−−−−→swaphist (h) (l′, swapadr ◦ φ)
This concludes the proof. □
Proof of Lemma D.25. Let a ∈ Adr . We conclude as follows:
h ∈ F (τ , a)
⇐⇒ H(τ ).h ∈ H(OSMR) ∧ frees(h) ⊆ {a}
⇐⇒ swaphist(H(τ )).swaphist(h) ∈ H(OSMR) ∧ frees(swaphist(h)) ⊆ {swapadr (a)}
⇐⇒ swaphist(h) ∈ F (σ , swapadr (a))
where the second equivalence holds because of Lemma D.24. This concludes the claim. □
Proof of Theorem D.26. We proceed by induction over the structure of computations.
IB: For τ = ϵ or τ = act choose σ = τ . This immediately satisfies the claim.
IH: For every τ ∈ [[D(OSMR)]]A there is some σ that satisfies the properties of the theorem.
IS: Consider now τ .act ∈ [[D(OSMR)]]A. By induction, there is some σ with the following proper-
ties:
(P1) σ ∈ [[D(OSMR)]]swapadr (A)
(P2) ∀pexp ∈ PExp. mσ (swapexp(pexp)) = swapadr (mτ (pexp))
(P3) ∀dexp ∈ DExp. mσ (swapexp(dexp)) = mτ (dexp)
(P4) validσ = swapexp(validτ )
(P5) freed(σ ) = swapadr (freed(τ ))
(P6) fresh(σ ) = swapadr (fresh(τ ))
(P7) H(σ ) = swaphist(H(τ ))
(P8) ctrl(σ ) = ctrl(τ )
Let act = (t , com, up). We show that there is some act ′ = (t , com′, up′) such that σ .act ′
satisfies the claim. That is, our goal is to show the following:
(G1) σ .act ′ ∈ [[D(OSMR)]]swapadr (A)
(G2) ∀pexp ∈ PExp. mσ .act′(swapexp(pexp)) = swapadr (mτ .act(pexp))
(G3) ∀dexp ∈ DExp. mσ .act′(swapexp(dexp)) = mτ .act(dexp)
(G4) validσ .act′ = swapexp(validτ .act)
(G5) freed(σ .act ′) = swapadr (freed(τ .act))
(G6) fresh(σ .act ′) = swapadr (fresh(τ .act))
(G7) H(σ .act ′) = swaphist(H(τ .act))
(G8) ctrl(σ .act ′) = ctrl(τ .act)
We choose com′ = com for all cases except com = free(a). For deletions, we replace the
address: com = free(swapadr (a)). Hence, Property (G8) will follow from Property (P8) together
with Assumption 1; we will not comment on this property hereafter. For Property (G1) we will
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:69
only argue that act ′ is enabled after σ . This, together with Property (P1) yields the desired
property.
We do a case distinction on the executed command com.
Case com ≡ p := q.
We have up = [p 7→ a] with a = mτ (q). Choose up′ = [p 7→ swapadr (a)].
Properties (G5) to (G7) follow immediately from Properties (P5) to (P7) because the fresh
and freed addresses are not changed and no event is emitted, formally: fresh(τ .act) = fresh(τ ),
fresh(σ .act ′) = fresh(σ ), freed(τ .act) = freed(τ ), freed(σ .act ′) = freed(σ ), H(τ .act) = H(τ ),
andH(σ .act ′) = H(σ ). So it remains to show Properties (G1) to (G4).
Ad Property (G1).We have to show that swapadr (a) = mσ (q) holds. By choice of a, we have
to show mσ (q) = swapadr (mτ (q)). This follows from Property (P2) with swapexp(q) = q.
Ad Property (G2). For p ∈ PExp the claim follows by choice of up′. So consider pexp ∈ PExp
with pexp . p. Then, we conclude as follows:
mσ .act′(swapexp(pexp)) = mσ (swapexp(pexp)) = swapadr (mτ (pexp))
= swapadr (mτ .act(pexp))
where the first equality holds because only p is updated by up′ and swapexp(pexp) , p, the
second equality holds by Property (P2), and the third equality holds because only p is updated
by up.
Ad Property (G3). Neither up nor up′ update data expressions. So mτ .act(dexp) = mτ (dexp)
and mσ .act′(dexp) = mσ (dexp) for every dexp ∈ DExp. Hence, the claim follows from Prop-
erty (P3).
Ad Property (G4). By swapexp(q) = q we have q ∈ validτ ⇐⇒ q ∈ validσ . Hence, we
conclude using Property (P4), Lemma D.22, and the definition of validity and swapexp:
validσ .act′ = validσ ⊗ {p} = swapexp(validτ ) ⊗ swapexp({p})
= swapexp(validτ ⊗ {p}) = swapexp(validτ .act)
with ⊗ := ∪ if q ∈ validτ and ⊗ := \ otherwise.
Case com ≡ p = q.next with mτ (q) ∈ Adr.
We have up = [p 7→ b] with a = mτ (q) and b = mτ (a.next). Choose up′ = [p 7→ swapadr (b)].
Properties (G5) to (G7) follow immediately from Properties (P5) to (P7) because the fresh
and freed addresses are not changed and no event is emitted.
Ad Property (G1). Let a′ = mσ (q) and b ′ = mσ (a′.next). For the claim to hold we have to
show: b ′ = swapadr (b). First, note that we have:
a′ = mσ (q) = mσ (swapexp(q)) = swapadr (mτ (q)) = swapadr (a)
by Property (P2). Then, we conclude as follows:
b ′ = mσ (a′.next) = mσ (swapadr (a).next) = mσ (swapexp(a.next))
= swapadr (mτ (a.next)) = swapadr (b)
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:70 Roland Meyer and Sebastian Wolff
Ad Property (G2). For p ∈ PExp the claim follows by choice of up′. For pexp ∈ PExp with
pexp . p the claim follows from Property (P2) together with the fact that up and up′ do not
modify pexp.
Ad Property (G3). Neither up nor up′ update data expressions. Hence, the claim follows
from Property (P3).
Ad Property (G4). By swapexp(q) = q we have q ∈ validτ ⇐⇒ q ∈ validσ . Sicne Prop-
erty (G1) from above gives a′ = swapadr (a), we have swapexp(a.next) = a′.next. Hence,
a.next ∈ validτ ⇐⇒ a′.next ∈ validσ holds by Property (P4). This means we have
p ∈ validτ .act ⇐⇒ p ∈ validσ .act′ because mτ (q) ∈ Adr . Together with Property (P4) this
concludes the claim because only the validity of p is altered by act/act ′.
Case com ≡ p.next = q with mτ (p) ∈ Adr.
The update is of the form up = [a.next 7→ b] with a = mτ (p) and b = mτ (q). For up′ we
choose up′ = [swapadr (a).next 7→ swapadr (b)].
Properties (G5) to (G7) follow immediately from Properties (P5) to (P7) because the fresh
and freed addresses are not changed and no event is emitted.
Ad Property (G1). Let a′ = mσ (p) and b ′ = mσ (q). For the claim to hold we have to show:
a′ = swapadr (a) and b ′ = swapadr (b). This follows immediately from Property (P2).
Ad Property (G2). For a.next ∈ PExp we have:
mσ .act′(swapexp(a.next)) = mσ .act′(swapadr (a).next) = swapadr (b)
= swapadr (mτ .act(a.next))
where the first equality is by definition, the second equality is due to up′, and the last equality
is due to up. For pexp ∈ PExp with pexp . a.next the claim follows from Property (P2)
together with the fact that up and up′ do not modify pexp and swapexp(pexp), respectively.
Ad Property (G3). Neither up nor up′ update data expressions. Hence, the claim follows
from Property (P3).
Ad Property (G4). We have q ∈ validτ ⇐⇒ q ∈ validσ due to swapexp(q) = q and
Property (P4). Hence, a.next ∈ validτ .act ⇐⇒ swapadr (a).next ∈ validσ .act′ because
mτ (p) ∈ Adr . Together with Property (P4) this concludes the property because only the
validity of a.next/swapadr (a).next is altered by act/act ′.
Case com ≡ p := q.next or com ≡ q.next := p with mτ (q) < Adr.
The updates are up =  = up′ because the command segfaults. By definition of validity we
get validτ .act = validτ . We have mσ (q) = swapadr (mτ (q)) = mτ (q) < Adr by Property (P2).
Hence, act also segfaults in σ and we conclude Property (G1). The remaining properties
follow because the heap, the valid expressions, the freed addresses, the fresh addresses, and
the history remain unchanged.
Case com ≡ x = op(x1, . . . , xn).
The update is up = [x 7→ d] with d = op(mτ (x1), . . . ,mτ (x1)). Choose up′ = up.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:71
Since the pointer expression valuations, the validity, the freed address, and the fresh address
are not altered and no event is emitted by act/act ′, Properties (G2) and (G4) to (G7) follow
immediately from Properties (P2) and (P4) to (P7)
Ad Property (G1). By Property (P3) we have mσ (xi ) = mτ (xi ). Hence, act ′ is enabled after
σ .
Ad Property (G3).We have mσ .act′(swapexp(x)) = mσ .act′(x) = d = mτ .act(x). And because
no other data expressions are updated by up/up′, the claim follows from Property (P3).
Case com ≡ x = q.data with mτ (q) ∈ Adr.
The update is up = [x 7→ d] with a = mτ (q) and d = mτ (a.data). Choose up′ = up.
Since the pointer expression valuations, the validity, the freed address, and the fresh address
are not altered and no event is emitted by act/act ′, Properties (G2) and (G4) to (G7) follow
immediately from Properties (P2) and (P4) to (P7)
Ad Property (G1). Let a′ = mσ (q) and d ′ = mσ (a′.data). For enabledness of act ′, we have
to show that d ′ = d . To see this, first note that
a′ = mσ (q) = mσ (swapexp(q)) = swapadr (mτ (q)) = swapadr (a)
Property (P2). Together Property (P3) we conclude as follows:
d ′ = mσ (a′.data) = mσ (swapexp(a.data)) = mτ (a.data) = d .
Ad Property (G3). We have mσ .act′(x) = d = mτ .act(x) = mτ .act(swapexp(x)). And because
no other data expressions are updated by up/up′, the claim follows from Property (P3).
Case com ≡ p.data = y with mτ (p) ∈ Adr.
By the semantics the update is up = [a.data 7→ d] with a = mτ (p) and d = mτ (p). We choose
up′ = [swapadr (a).data 7→ d].
Since the pointer expression valuations, the validity, the freed address, and the fresh address
are not altered and no event is emitted by act/act ′, Properties (G2) and (G4) to (G7) follow
immediately from Properties (P2) and (P4) to (P7)
Ad Property (G1). For enabledness of act ′ we have to show that mσ (p) = swapadr (a) and
mσ (x) = d hold. This follows immediately from Properties (P2) and (P3).
Ad Property (G3). We have:
mσ .act′(swapexp(a.data)) = mσ .act′(swapadr (a).data) = d = mτ .act(a.data) .
And because no other data expressions are updated by up/up′, the claim follows from Prop-
erty (P3).
Case com ≡ p.data = y or com ≡ x = p.data with mτ (p) < Adr.
The updates are up =  = up′. We have mσ (p) = swapadr (mτ (p)) = mτ (p) < Adr by
Property (P2). So we conclude Property (G1). Then, the claim follows because the heap, the
valid expressions, the freed addresses, the fresh addresses, and the history remain unchanged.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:72 Roland Meyer and Sebastian Wolff
Case com ≡ p := malloc.
The update is
up = [p 7→ a,a.next 7→ seg,a.data 7→ d]
with a ∈ fresh(τ ) ∪ (freed(τ ) ∩A) and some d ∈ Dom. Choose
up′ = [p 7→ swapadr (a), swapadr (a).next 7→ seg, swapadr (a).data 7→ d] .
Then, Property (G7) follows immediately from Property (P7) because no event is emitted.
Ad Property (G1). We have to show that swapadr (a) ∈ fresh(σ ) ∪ (freed(σ ) ∩ swapadr (A)).
By Properties (P5) and (P6) and Lemma D.22 we have:
fresh(σ ) ∪ (freed(σ ) ∩ swapadr (A))
= swapadr (fresh(τ )) ∪ (swapadr (freed(τ )) ∩ swapadr (A))
= swapadr (fresh(τ ) ∪ (freed(τ ) ∩A))
So since a ∈ fresh(τ ) ∪ (freed(τ ) ∩A) holds by enabledness of act, the above yields the desired
swapadr (a) ∈ fresh(σ ) ∪ (freed(σ ) ∩ swapadr (A)). Hence, act ′ is enabled after σ .
Ad Property (G2). We have
mσ .act′(swapexp(p)) = mσ .act′(p) = swapadr (a) = swapadr (mτ .act(p))
and
mσ .act′(swapexp(a.next)) = mσ .act′(swapadr (a).next) = seg
= swapadr (seg) = swapadr (mτ .act(a.next))
Since no other pointer expressions are updated, the claim follows from Property (P2).
Ad Property (G3). We have:
mσ .act′(swapexp(a.data)) = mσ .act′(swapadr (a).data) = d = mτ .act(a.data)
Since no other data expression is updated, the follows from Property (P3).
Ad Property (G4). We conclude using Property (P4) and Lemma D.22 as follows:
validσ .act′ = validσ ∪ {p, swapadr (a).next} = swapexp(validτ ) ∪ swapexp({p,a.next})
= swapexp(validτ ∪ {p,a.next}) = swapexp(validτ .act)
Ad Property (G5). We conclude using Property (P5) and Lemma D.22 as follows:
freed(σ .act ′) = freed(σ ) \ swapadr (a) = swapadr (freed(τ )) \ swapadr (a)
= swapadr (freed(τ ) \ a) = swapadr (freed(τ .act))
Ad Property (G6). We conclude using Property (P6) and Lemma D.22 as follows:
fresh(σ .act ′) = fresh(σ ) \ swapadr (a) = swapadr (fresh(τ )) \ swapadr (a)
= swapadr (fresh(τ ) \ a) = swapadr (fresh(τ .act))
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:73
Case com ≡ free(a).
The update is up = [a.next 7→ ⊥,a.data 7→ ⊥]. Choose com′ = free(swapadr (a)) and
up′ = [swapadr (a).next 7→ ⊥, swapadr (a).data 7→ ⊥].
Ad Property (G1). By the semantics we have free(a) ∈ F (τ , a). By Property (P7) together
with Lemma D.25 we get free(swapadr (a)) ∈ F (σ , swapadr (a)). Hence, act ′ is enabled after
σ .
Ad Property (G2). We have
mσ .act′(swapexp(p)) = mσ .act′(p) = swapadr (a) = swapadr (mτ .act(p))
and
mσ .act′(swapexp(a.next)) = mσ .act′(swapadr (a).next) = ⊥ = mτ .act(a.next) .
Since no other pointer expressions are affected by up/up′ the claim follows from Property (G2).
Ad Property (G3). We have
mσ .act′(swapexp(a.data)) = mσ .act′(swapadr (a).data) = ⊥ = mτ .act(a.data) .
Since no other data expressions are modified by up/up′ the claim follows from Property (G3).
Ad Property (G4). Consider some pexp′ ∈ PExp. Since swapadr is a bijection, there is some
pexp ∈ PExp such that swapexp(pexp) = pexp′. First, we get:
pexp′ ∈ validσ ⇐⇒ swapexp(pexp) ∈ validσ
⇐⇒ swapexp(pexp) ∈ swapexp(validτ ) ⇐⇒ pexp ∈ validτ
where the second equivalence is due to Property (P4) and the third equivalence holds since
swapadr is a bijection. Second, we have:
mσ (pexp′) , swapadr (a) ⇐⇒ mσ (swapexp(pexp)) , swapadr (a)
⇐⇒ swapadr (mτ (pexp)) , swapadr (a) ⇐⇒ mτ (pexp) , a
where the second equivalence is due to Property (P2) and the third equivalence holds because
swapadr is a bijection. Last, we have:
pexp′ ∩ Adr , {swapadr (a)} ⇐⇒ swapexp(pexp) ∩ Adr , {swapadr (a)}
⇐⇒ pexp ∩ Adr , {a}
Altogether, this gives:
pexp′ ∈ validσ .act′
⇐⇒ pexp′ ∈ validσ ∧mσ (pexp′) , swapadr (a) ∧ pexp′ ∩ Adr , {swapadr (a)}
⇐⇒ pexp ∈ validτ ∧mτ (pexp) , a ∧ pexp ∩ Adr , {a}
⇐⇒ pexp ∈ validτ .act
⇐⇒ swapexp(pexp) ∈ swapexp(validτ .act)
⇐⇒ pexp′ ∈ swapexp(validτ .act)
where the last but first equivalence holds because swapadr is a bijection.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:74 Roland Meyer and Sebastian Wolff
Ad Property (G5). We conclude using Property (P5) and Lemma D.22:
freed(σ .act ′) = freed(σ ) ∪ {swapadr (a)} = swapadr (freed(τ )) ∪ {swapadr (a)}
= swapadr (freed(τ ) ∪ {a}) = swapadr (freed(τ .act))
Ad Property (G6). We conclude using Property (P6) and Lemma D.22:
fresh(σ .act ′) = fresh(σ ) \ {swapadr (a)} = swapadr (fresh(τ )) \ {swapadr (a)}
= swapadr (fresh(τ ) \ {a}) = swapadr (fresh(τ .act))
Ad Property (G7). We conclude using Property (P7)
H(σ .act ′) =H(σ ).free(swapadr (a)) = swaphist(H(τ )).swaphist(free(a))
= swaphist(H(τ ).free(a)) = swaphist(H(τ .act))
Case com ≡ assert cond.
The update is up = . Choose up′ = .
Since the memory, the freed address, and the fresh address are not altered and no event is
emitted by act/act ′, Properties (G2), (G3) and (G5) to (G7) follow immediately from Proper-
ties (P2), (P3) and (P5) to (P7).
Ad Property (G1). First, consider the case where cond is a condition over data variables
x, y. By Property (P3) we have mσ (x) = mτ (x) and mσ (y) = mτ (y). Hence, act ′ is enabled
after σ . Now, consider the case where cond is a condition over pointer variables p, q. We
have mσ (p) = swapadr (mτ (p)) and mσ (q) = swapadr (mτ (q)). So we get mσ (p) = mσ (q) iff
mτ (p) = mτ (q). Hence, act ′ is enabled after σ . This concludes the claim.
Ad Property (G4). Note that we have:
validσ .act′ , validσ
⇐⇒ cond ≡ p = q ∧ {p, q} ∩ validσ ,  ∧ {p, q} ⊈ validσ
⇐⇒ cond ≡ p = q ∧ {p, q} ∩ swapexp(validτ ) ,  ∧ {p, q} ⊈ swapexp(validτ )
⇐⇒ cond ≡ p = q ∧ {p, q} ∩ validτ ,  ∧ {p, q} ⊈ validτ
⇐⇒ validτ .act , validτ
where the second equivalence is by Property (P4). Consider the case validσ .act′ , validσ . We
conclude by Property (P4) and Lemma D.22:
validσ .act′ = validσ ∪ {p, q} = swapexp(validτ ) ∪ swapexp({p, q})
= swapexp(validτ ∪ {p, q}) = swapexp(validτ .act)
In all other cases, we have validτ .act = validτ and validσ .act′ = validσ . Then, the claim follows
immediately from Property (P4).
Case com ≡ enter func(p¯, x¯).
The update is up =  and we choose up′ = .
Since the memory, the validity, the freed address, and the fresh address are not altered,
Properties (G2) to (G6) follow immediately from Properties (P2) to (P6).
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:75
Ad Property (G1). Consider some i . By Property (P1) we have mτ (pi ) ∈ Adr . Hence, we
have swapadr (mτ (pi )) ∈ Adr by definition. So Property (P2) yields mσ (pi ) ∈ Adr . Hence, act
is enabled.
Ad Property (G7). If mτ (pi ) < Adr , then Lemmas D.12 and D.14 give mτ (pi ) = seg and
pi ∈ validτ . So we have mσ (pi ) = swapadr (mτ (pi )) = mτ (pi ) < Adr . Hence, neither act/act ′
emit an event and we concludeH(σ .act ′) = H(σ ) = swaphist(H(τ )) = swaphist(H(τ .act)) by
Property (P7). Otherwise, act emits the event func(t , a¯, d¯) with a¯ = mτ (p¯) and d¯ = mτ (x¯). By
Property (P2) we have mσ (p¯) = swapadr (a¯). Hence, act ′ emits the event func(t , swapadr (a)).
So we conclude using Property (P7):
H(σ .act ′) =H(σ ).func(t , swapadr (a¯), d¯) = swaphist(H(τ )).swaphist(func(t , a¯, d¯))
= swaphist(H(τ ).func(t , a¯, d¯)) = swaphist(H(τ .act))
Case com ≡ exit.
Follows analogously to the previous case.
The case distinction is complete and thus concludes the claim. □
Proof of Lemma D.27. Let OSMR support elision (Definition 5.14). Let b ∈ fresh(τ ) \ A. Let
swapadr : Adr → Adr be the address mapping defined by swapadr (a) = b, swapadr (b) = a, and
swapadr (c) = c for a , c , b. Theorem D.26 yields σ ∈ [[D(OSMR)]]swapadr (A) with• mσ ◦ swapexp = swapadr ◦mτ ,
• H(σ ) = swaphist(H(τ )),
• validσ = swapexp(validτ ),
• fresh(σ ) = swapadr (fresh(τ )),
• freed(σ ) = swapadr (freed(τ )), and
• ctrl(σ ) = ctrl(τ ).
We show that σ satisfies the claim. First, note that swapadr (A) = A by a,b < A. So we have
σ ∈ [[D(OSMR)]]A.
We first show the following auxiliaries:
a.next,b .next < validτ (A7)
f = f −1 for f ∈ {swapadr , swapexp, swaphist} (A8)
∀pexp ∈ validτ . pexp ≡ swapexp(pexp) (A9)
∀pexp ∈ validτ . mτ (pexp) = swapadr (mτ (pexp)) (A10)
∀c ∈ mτ (validτ ). c .data ≡ swapexp(c .data) (A11)
∀c ∈ Adr \ {a,b}. F (τ , c) ⊆ F (σ , c) (A12)
Ad Auxiliary (A7). Holds by a < adr(mτ |validτ ), and by b ∈ fresh(τ ) together with Lemma D.11.
Ad Auxiliary (A8). Holds by choice of swapadr .
Ad Auxiliary (A9). Holds by Auxiliary (A7) and the definition of swapadr and its induced swapexp .
Ad Auxiliary (A10). Holds due to a < adr(mτ |validτ ) giving a < mτ (validτ ) by Lemma D.5, and
b ∈ fresh(τ ) giving b < range(mτ ) by Lemma D.9 and thus b < mτ (validτ ).
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:76 Roland Meyer and Sebastian Wolff
Ad Auxiliary (A11). From c ∈ mτ (validτ ) we get some pexp ∈ validτ with mτ (pexp) = c . Thus,
c = mτ (pexp) = swapadr (mτ (pexp)) = swapadr (c) by Auxiliary (A10).
Ad Auxiliary (A12). Let c ∈ Adr \ {a, c}. Then,
F (τ , c) = F (H(τ ), c) = F (swaphist(H(τ )), c) = F (H(σ ), c) = F (σ , c)
where the second equality holds because OSMR supports elision (Definition 5.14i) by assumption
and the third equality holds by the properties given by Theorem D.26 listed above. So we have the
desired F (τ , c) ⊆ F (σ , c).
Ad τ ∼ σ . We already have ctrl(σ ) = ctrl(τ ). We get:
dom(mσ |validσ ) = validσ ∪ DVar ∪ {c .data | c ∈ mσ (validσ )}
= swapexp(validτ ) ∪ DVar ∪ {c .data | c ∈ swapadr (mτ (swap−1exp(validτ )))}
= swapexp(validτ ) ∪ DVar ∪ {c .data | c ∈ swapadr (mτ (swapexp(validτ )))}
= validτ ∪ DVar ∪ {c .data | c ∈ swapadr (mτ (validτ ))}
= validτ ∪ DVar ∪ {c .data | c ∈ mτ (validτ )} = dom(mτ |validτ )
where the first equality is by definition, the second by the properties of σ , the third by Auxiliary (A8),
the fourth by Auxiliary (A9), the fifth by Auxiliary (A10), and the last again by definition. Then, we
get for pexp ∈ dom(mσ |validσ ) ∩ PExp:
mσ (pexp) = swapadr (mτ (swap−1exp(pexp))) = swapadr (mτ (pexp)) = mτ (pexp)
using the properties of σ , the fact that pexp ∈ validτ must holds, and Auxiliaries (A8) to (A10).
Moreover, we get for dexp ∈ dom(mσ |validσ ) ∩ DExp:
mσ (dexp) = mτ (swap−1exp(dexp)) = mτ (dexp) .
by Auxiliary (A11) together with the fact that c .data ∈ dom(mσ |validσ ) = dom(mτ |validτ ) implies
c ∈ mτ (validτ ). Altogether, this yields mτ |validτ = mσ |validσ . So we have τ ∼ σ .
Ad τ ≃A σ . Let c ∈ A. We show τ ≃c σ . We have a , c , b and thus swapadr (c) = c . So using
Auxiliary (A8) we get:
c ∈ allocatedσ ⇐⇒ c < fresh(σ ) ∪ freed(σ ) ⇐⇒ c < swapadr (fresh(τ )) ∪ swapadr (freed(τ ))
⇐⇒ c < swapadr (fresh(τ ) ∪ freed(τ )) ⇐⇒ c ∈ swapadr (allocatedτ )
⇐⇒ swapadr (c) ∈ swapadr (swapadr (allocatedτ )) ⇐⇒ c ∈ allocatedτ
From Auxiliary (A12) we get F (τ , c) ⊆ F (σ , c). For p ∈ PVar we have:
c = mσ (p) ⇐⇒ c = swapadr (mτ (swapexp(p))) ⇐⇒ swapadr (c) = swapadr (swapadr (mτ (p)))
⇐⇒ c = mτ (p)
Now, consider c ′ ∈ mτ (validτ ). We have:
c = mσ (c ′.next) ⇐⇒ c = swapadr (mτ (swapexp(c ′.next)))
⇐⇒ swapadr (c) = swapadr (swapadr (mτ (swapexp(c ′.next))))
⇐⇒ c = mτ (swapexp(c ′.next))
In order to conclude, it remains to show that swapexp(c ′.next) = c .next. To that end, it suffices to
show that c ′ , a and c ′ , b. The former follows from a < adr(mτ |validτ ) together with Lemma D.5.
The latter follows form b ∈ fresh(τ ) together with Lemma D.10.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:77
Ad τ ⋖σ . Follows from Auxiliary (A12) with a,b < adr(mτ |validτ ) by Lemmas D.5 and D.10.
Ad a ∈ fresh(σ ). We have b ∈ fresh(τ ). So a = swapadr (b) ∈ swapadr (fresh(τ )) = fresh(σ ).
Ad Implication. Consider some e, e′ ∈ PVar ∪ {a.next | a ∈ mτ (validτ )} with mτ (e) , mτ (e′). If
e ∈ PVar , then swapexp(e) = e. Otherwise, e ≡ c .next with c ∈ mτ (validτ ). By assumption together
with Lemma D.5, c , a. And by Lemma D.10, c , b. So swapexp(e) = e must hold. Similarly, we get
swapexp(e′) = e′. Then, we have:
mσ (e) = swapadr (mτ (swapexp(e))) = swapadr (mτ (e))
and mσ (e′) = swapadr (mτ (swapexp(e′))) = swapadr (mτ (e′)).
Since swapadr is a bijection, mτ (e) , mτ (e′) implies the desired mσ (e) , mσ (e′). □
Proof of Lemma D.28. Follows from Lemma D.27. □
D.7 Proofs of the Generalized Reduction (Appendix C.4)
Proof of Proposition C.14. Let [[D(OSMR)]]gc+k be reduction compatible according to Defini-
tion C.13 and poitner race free (PRF) according to Definition 5.13. We proceed by induction on the
structure of computations.
IB: Consider τ = ϵ . Then, σ = ϵ satisfies the claim.
IH: For every τ ∈ [[D(OSMR)]]Adr and every a ∈ Adr there exists some σ ∈ [[D(OSMR)]]{a } with
τ ∼ σ , τ ≃a σ , and τ ⋖σ .
IS: Consider now τ .act ∈ [[D(OSMR)]]Adr . Let act be of the form act = (t , com, up). Let a ∈ Adr be
some addresses. Invoke the induction hypothesis for τ and a to get some σ ∈ [[D(OSMR)]]{a }
with τ ∼ σ , τ ≃a σ , and τ ⋖σ . We show that there is some σis ∈ [[D(OSMR)]]{a } with τ .act ∼ σis,
τ .act ≃a σis, and τ .act ⋖σis. To do so, we do a case distinction on com.
Case com is an assignment.
We want to use Lemma D.16 to find some act ′ which mimics act. We have to show that
LemmaD.16 is enabled. To that end, consider com contains p.next or p.data. By the semantics,
we know mτ (p) ∈ Adr . By Lemma D.14 we have mσ (p) , ⊥. Towards a contradiction,
assume mσ (p) = seg. By Lemma D.12 this means p ∈ validσ . So we have mτ (p) = seg
due to τ ∼ σ . This contradicts enabledness of act after τ . Altogether, this means we must
have mσ (p) ∈ Adr . So com is enabled after σ . That is, there is some update up′ such that
σ .(t , com, up′) ∈ [[D(OSMR)]]{a } . Due to the premise, we know that σ .(t , com, up′) is PRF. That
is, we have p ∈ validσ . Thus, p ∈ validτ by τ ∼ σ . Hence, Lemma D.16 is enabled.
Now, Lemma D.16 yields some act ′ such that σ .act ′ ∈ [[D(OSMR)]]a , τ .act ∼ σ .act ′, τ .act ≃A
σ .act ′, and τ .act ⋖σ .act ′. That is, σis := σ .act ′ satisfies the claim.
Case σ .act ∈ [[D(OSMR)]]{a } and com . p := malloc and com . func(p¯, x¯).
As for assignments, we use Lemma D.16 to get some act ′ and choose σis := σ .act ′. (Note that
assertions over data variables are always enabled. Similarly, this case covers all exit actions.)
Case σ .act ∈ [[D(OSMR)]]{a } and com ≡ func(p¯, x¯) and mτ (p¯) = mσ (p¯).
As for assignments, we use Lemma D.16 to get some act ′ and choose σis := σ .act ′.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:78 Roland Meyer and Sebastian Wolff
Case σ .act ∈ [[D(OSMR)]]{a } and com ≡ func(p¯, x¯) and mτ (p¯) , mσ (p¯).
We show that σis := σ .act is an adequate choice. Let mτ (p¯) = b¯1, mσ (p¯) = b¯2, and mτ (x¯) = d¯ .
By τ ∼ σ we have mσ (x¯) = d¯ . By mτ (p¯) , mσ (p¯) we have b¯1 , b¯2. The task is to show:
∀ c ∈ adr(mτ .act |validτ .act ) ∪ {a}. F (τ .act, c) ⊆ F (σ .act, c) .
To that end, consider some arbitrary c ∈ adr(mτ .act |validτ .act ) ∪ {a}. Because act does not alter
the heap or validity of expressions, we have c ∈ adr(mτ |validτ ) ∪ {a} by definition. From
τ ≃a σ and τ ⋖σ we get F (τ , c) ⊆ F (σ , c). This implies
F (H(τ ).func(b¯1, d¯), c) ⊆ F (H(σ ).func(b¯1, d¯), c) . (1)
To see this, leth ∈ F (H(τ ).func(b¯1, d¯), c). Sowe have func(b¯1, d¯).h ∈ F (H(τ ), c) by LemmaD.8.
Using τ ≃a σ and τ ⋖ σ then yields func(b¯1, d¯).h ∈ F (H(σ ), c). Again by Lemma D.8, we
conclude h ∈ F (H(σ ).func(b¯1, d¯), c).
Now, recall that σ .act ∈ [[D(OSMR)]]{a } is PRF by assumption. That is, the SMR call executed
by act is not racy. From this we get:
F (H(σ ).func(b¯1, d¯), c) ⊆ F (H(σ ).func(b¯2, d¯), c) . (2)
To see this, we have to show that b2,i = c ∨ pi ∈ validσ =⇒ b1,i = b2,i holds for every i .
If pi ∈ validσ , then we have b2,i = mσ (pi ) = mτ (pi ) = b1,i due to τ ∼ σ . So consider now
the case where we have b2,i = c and pi < validσ . Towards a contradiction, assume c , a. So
c ∈ adr(mσ |validσ ) must hold by choice. Moreover, we get c ∈ mσ ({pi }) ⊆ mσ (PExp \ validσ ).
Then, Lemma D.15 yields c ∈ a which contradicts the assumption. This means we must
have c = a. Hence, mσ (pi ) = c implies mτ (pi ) = c due to τ ≃a σ . That is, b1,i = b2,i as
desired. Altogether, this proves the desired implication required to apply race freedom of the
invocation.
Combining (1) and (2) we conclude as follows:
F (τ .act, c) = F (H(τ ).func(a¯, d¯), c) ⊆ F (H(σ ).func(a¯, d¯), c)
⊆ F (H(σ ).func(b¯, d¯), c) = F (σ .act, c)
The first equality holds by the semantics, i.e., mτ (pi ) ∈ Adr . To see the last equality, assume
to the contrary that we had mσ (pi ) < Adr . By Lemma D.14 this means mσ (pi ) = seg. By
Lemma D.12, we must have pi ∈ validσ then. This, however, yields mτ (pi ) = seg what
contradicts mτ (pi ) ∈ Adr .
Since act does not modify thememory nor the validity of expressions nor the freed and fresh
addresses, the above implies the desired τ .anact ∼ σ .act, τ .act ≃a σ .act, and τ .act ⋖σ .act.
Case com ≡ p := malloc.
Let the update be up = [p 7→ b,b .next 7→ seg,b .data 7→ d]. We have b ∈ fresh(τ ) ∪ freed(τ ).
If b = a, then we use, similar to the case of assignments, Lemma D.16 to get some act ′ and
choose σis := σ .act ′ with the desired τ .act ∼ σis, τ .act ≃a σis, and τ .act ⋖σis.
So consider b , a hereafter. By the induction hypothesis there is γ ∈ [[D(OSMR)]]{b } with
τ ∼ γ , τ ⋖γ , and τ ≃b γ . Lemma D.2 gives γ ∼ σ . Moreover, b ∈ fresh(γ ) ∪ freed(γ ) follows
from τ ≃b γ . So act is enabled after γ , that is, γ .act ∈ [[D(OSMR)]]{b } . Then, Lemma D.16
gives act ′ = (t , com, up′) such that γ .act ′ ∈ [[D(OSMR)]]{b } , τ .act ∼ γ .act ′, τ .act ⋖ σ .act ′,
τ .act ≃b σ .act ′. Because p,b .next,b .data ∈ dom(mτ .act |validτ .act ) holds by definition we must
have up = up′. To sum this up, we have:
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:79
• τ .act ∈ [[D(OSMR)]]Adr
• γ .act ∈ [[D(OSMR)]]{b }
• σ ∈ [[D(OSMR)]]{a }
• τ ∼ γ , τ ⋖γ , τ ≃b γ
• τ .act ∼ γ .act, τ .act ⋖γ .act, τ .act ≃b γ .act
• τ ∼ σ , τ ⋖σ , τ ≃a σ
• a , b
• γ ∼ σ
• act = (_, p := malloc, [p 7→ b, _])
Nowwe can use reduction compatibility (Definition C.13). This yields someσis ∈ [[D(OSMR)]]{a }
with the desired τ .act ∼ σis, τ .act ⋖σis, and τ .act ≃A σis. This concludes the claim.
Case σ .act < [[D(OSMR)]]{a } and com ≡ free(b).
The update is up = [b .next 7→ ⊥,b .data 7→ ⊥]. By definition, we have free(b) ∈ F (τ , b).
And the assumption that free(b) is not enabled after σ implies free(b) < F (σ , b). Note that
b , a must hold as for otherwise τ ≃a σ implies F (τ , b) = F (σ , b) what would contradict
free(b) < F (σ , b).
Because of τ ⋖σ we conclude that b < adr(mτ |validτ ) must hold as for otherwise we had
free(b) ∈ F (σ , b) what contradicts the assumption of act not being enabled after σ . By
τ ∼ σ this means b < mσ (validσ ). We now show that σis = σ is an adequate choice, that is,
that we do not need to mimic act at all.
Ad τ .act ∼ σ . We have ctrl(τ ) = ctrl(σ ) due to τ ∼ σ . Moreover, Assumption 1 gives
ctrl(τ ) = ctrl(τ .act). That is, we have ctrl(τ .act) = ctrl(σ ).
To show mτ .act |validτ .act = mσ |validσ it suffices to show that mτ |validτ = mτ .act |validτ .act holds
because of τ ∼ σ . To arrive at this equality, we first show validτ = validτ .act . The inclusion
validτ .act ⊆ validτ holds by definition. To see validτ ⊆ validτ .act , consider pexp ∈ validτ .
Then, pexp . b .next must hold as for otherwise we had b ∈ adr(mτ |validτ ) which does not
hold as shown before. Moreover, mτ (pexp) , b must hold as for otherwise we would again
get b ∈ adr(mτ |validτ ). Hence, by the definition of validity, we have pexp ∈ validτ .act .
With this we get:
dom(mτ .act |validτ .act ) = validτ .act ∪ DVar ∪ {c .data | c ∈ mτ .act(validτ .act)}
= validτ .act ∪ DVar ∪ {c .data | c ∈ mτ (validτ .act)}
= validτ ∪ DVar ∪ {c .data | c ∈ mτ (validτ )} = dom(mτ |validτ )
where the first equality is by definition, the second equality holds because b .next < validτ .act
together with the update up, the third equality holds by validτ = validτ .act from above, and
the last equality holds by definition again. The same reasoning as above also allows us to
conclude that b .next,b .data < dom(mτ .act |validτ .act ) must hold because b < mτ (validτ ) due
to b < adr(mτ |validτ ). Hence, mτ |validτ = mτ .act |validτ .act follows immediately. Altogether, this
gives the desired τ .act ∼ σ .
Ad τ .act ⋖σ . Let c ∈ adr(mτ .act |validτ .act ). We get c ∈ adr(mτ |validτ ) by definition. This
means b , c due to the above. Moreover, by τ ⋖σ we have F (τ , c) ⊆ F (σ , c). So it suffices to
show that F (τ , c) = F (τ .act, c) holds. This holds by reduction compatibility (Definition C.13).
Ad τ .act ≃a σ . First, recall b , a. So τ ≃a σ gives
a ∈ allocatedτ .act ⇐⇒ a ∈ allocatedτ ⇐⇒ a ∈ allocatedσ .
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:80 Roland Meyer and Sebastian Wolff
And similarly to τ .act ⋖σ , we use reduction compatibility (Definition C.13) together with
b , a and τ ≃a σ to get F (τ .act, a) = F (τ , a) ⊆ F (σ , a). Since act does not modify the
valuation of pointer variables, we get mτ .act(p) = mτ (p) for all p ∈ PVar . Hence, we have:
∀p ∈ PVar . mτ .act(p) = b ⇐⇒ mτ (p) = b ⇐⇒ mσ (p) = b .
It remains to show
∀c ∈ mτ .act(validτ .act). mτ .act(c .next) = a ⇐⇒ mσ (c .next) = a .
So consider c ∈ mτ .act(validτ .act). Then there is some pexp ∈ validτ .act with mτ .act(pexp) = c .
By definition, pexp ∈ validτ . And because b .next < validτ .act by definition, we must have
pexp . b .next. So we get mτ (pexp) = mτ .act(pexp) = c . Hence, c ∈ mτ (validτ ). We already
showed b < adr(mτ |validτ ). That is, c , b must hold. So we conclude as follows:
mτ .act(c .next) = a ⇐⇒ mτ (c .next) = a ⇐⇒ mσ (c .next) = a
where the first equivalence holds because up does not update c .next (due to c , b) and the
second equivalence holds by τ ≃a σ . This concludes the claim.
Case σ .act < [[D(OSMR)]]{a } and com ≡ assert p ≜ q with ≜ ∈ {=,,}.
Letmτ (p) = b,mτ (q) = c ,mσ (p) = b ′, andmσ (q) = c ′. By the semantics we have b ≜ c . Since
act is not enable after σ , we have ¬(b ′ ≜ c ′). That is, we have b = c ⇐⇒ b ′ , c ′. Note that
{b, c,b ′, c ′} ∩ {a} =  must hold as for otherwise τ ≃a σ would yield b ′ ≜ c ′. In order to find
an appropriate σis we use reduction compatibility (Definition C.13).
By the induction hypothesis there is γ ∈ [[D(OSMR)]]b with τ ∼ γ , τ ⋖γ , and τ ≃b γ . By
Lemma D.2 we have γ ∼ σ . The latter yieldsmγ (p) = b andmγ (q) = b ⇐⇒ mτ (q) = b. This
means mγ (p) ≜ mγ (q). So act is enabled after γ : γ .act ∈ [[D(OSMR)]]{b } . Then, Lemma D.16
gives act ′ = (t , com, up′) such that γ .act ′ ∈ [[D(OSMR)]]{b } , τ .act ∼ γ .act ′, τ .act ⋖ σ .act ′,
τ .act ≃b σ .act ′. Because up =  = up′ must hold by the semantics we have act = act ′. To
sum this up, we have:
• τ .act ∈ [[D(OSMR)]]Adr
• γ .act ∈ [[D(OSMR)]]{b }
• σ ∈ [[D(OSMR)]]{a }
• τ ∼ γ , τ ⋖γ , τ ≃b γ
• τ .act ∼ γ .act, τ .act ⋖γ .act, τ .act ≃b γ .act
• τ ∼ σ , τ ⋖σ , τ ≃a σ
• a , b
• γ ∼ σ
• act = (_, assert _, _)
Nowwe can use reduction compatibility (Definition C.13). This yields someσis ∈ [[D(OSMR)]]{a }
with the desired τ .act ∼ σis, τ .act ⋖σis, and τ .act ≃A σis. This concludes the claim.
The above case distinction is complete. This concludes the induction. □
Proof of Theorem C.15. Follows immediately from Proposition C.14. □
Proof of Lemma C.16. Consider some τ .act, σa .act, and σb satisfying the premise of the impli-
cation from Definition C.13. We show that there is some γ with τ .act ∼ γ , τ .act ⋖γ , and τ .act ≃b γ
indeed. We distinguish two cases.
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
Decoupling Lock-Free Data Structures from Memory Reclamation for Static Analysis 58:81
Case act = (_, assert p ≜ q, _).
Definition C.13 gives τ ∼ σa , τ .act ∼ σa .act, τ ∼ σb , τ ⋖ σb , and τ ≃b σb . From the absence of
harmful ABAs (Definition 5.17) we get γ with σa .act ∼ γ , σb ≃b γ , and σb ⋖ γ . Then, we get
τ .act ∼ γ by Lemma D.2. We get τ ⋖γ by Lemma D.4. And we get τ ≃b γ by Lemma D.3. We show
that σ ′b := γ is an adequate choice. To do so, we show two auxiliary properties first.
mτ .act(validτ .act) = mτ (validτ ) (A13)
adr(mτ .act |validτ .act ) = adr(mτ |validτ ) (A14)
Ad Auxiliary (A13). We have mτ .act = mτ because act is an assertion. So it remains to show that
mτ (validτ .act) = mτ (validτ ) holds. If validτ .act = validτ , then the claim follows immediately.
So consider the case where we have validτ .act , validτ . Wlog. we have p ∈ validτ . By definition,
validτ .act = validτ ∪ {p, q} = validτ ∪ {q} and p ≜ q ≡ p = q follows. Hence, mτ (p) = mτ (q). So
mτ (validτ .act) = mτ (validτ ) ∪ {mτ (p)} = mτ (validτ )
where the last equality holds because p ∈ validτ and thus mτ (p) ∈ mτ (validτ ).
Ad Auxiliary (A14). Note that we have:
validτ .act ∩ Adr ⊆ (validτ ∪ {p, q}) ∩ Adr = validτ ∩ Adr
and validτ ∩ Adr ⊆ validτ .act ∩ Adr
So, validτ .act ∩ Adr = validτ ∩ Adr holds. We conclude as follows:
adr(mτ .act |validτ .act ) = (validτ .act ∩ Adr) ∪mτ .act(validτ .act) = (validτ ∩ Adr) ∪mτ (validτ )
= adr(mτ |validτ )
where the first and last equality are due to Lemma D.5 and the second equality is due to the note
above and Auxiliary (A13).
Ad τ .act ⋖γ . We already have τ ⋖ γ . Assume for the moment that we have τ .act ⋖ τ . Then,
Lemma D.4 together with Auxiliary (A14) yields the desired τ .act ⋖γ . So it remains to show that
τ .act ⋖ τ holds indeed. This follows immediately from the fact that act does not emit an event
and Auxiliary (A14) so that we have F (τ .act, c) = F (τ , c) for every c ∈ Adr . This concludes the
property.
Ad τ .act ≃b γ . We already have τ ≃b γ . Assume for the moment we have τ .act ≃b τ . Then,
Auxiliary (A14) together with Lemma D.3 yields the desired τ .act ≃b γ . So it remains to show
that τ .act ≃b τ holds indeed. This follows from the definition due to that we have: mτ = mτ .act ,
freed(τ .act) = freed(τ ), fresh(τ .act) = fresh(τ ),H(τ .act) = H(τ ), and Auxiliary (A13).
Case act = (_, p := malloc, [p 7→ b, _]).
Definition C.13 gives σa .act ∈ [[D(OSMR)]]{a } and σb ∈ [[D(OSMR)]]{b } with σa ∼ σb , σa ∼ σb ,
τ ∼ σb , τ ≃b σb , τ ⋖σb , and a , b. Since act is enabled after σa we have a ∈ fresh(σa) ∪ freed(σa).
From [[D(OSMR)]]one being PRF together with Lemmas D.5, D.10 and D.11 we get a < adr(mσa |validσa ).
So σa ∼ σb gives a < adr(mσb |validσb ). Then, Lemma D.28 gives γ ∈ [[D(OSMR)]]{b } with σb ∼ γ ,
σb ≃b γ , σb ⋖γ , and a ∈ fresh(γ ). Combining this with τ ∼ σb , τ ≃b σb , and τ ⋖σb using Lemmas D.2
to D.4 gives τ ∼ γ , τ ⋖γ , and τ ≃b γ . The latter provides F (τ , b) ⊆ F (γ , b). This together with
a ∈ fresh(γ ) yields F (τ , a) ⊆ F (γ , a) by elision support according to Definition 5.14ii. Moreover,
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
58:82 Roland Meyer and Sebastian Wolff
since a ∈ fresh(γ ) we have γ .act ∈ [[D(OSMR)]]b . Then, Lemma D.16 gives act ′ = (t , com, up′) with
τ .act ∼ γ .act ′, τ .act ≃b γ .act ′, and τ .act ⋖σ .act ′. Then σ ′b := σ .act ′ is an adequate choice.
□
Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 58. Publication date: January 2019.
