Packing pointers into double-word width atomics

[eggyal]

Under Using Strict Provenance, the standard library documents:

(Yes, if you’ve been using AtomicUsize for pointers in concurrent datastructures, you should be using AtomicPtr instead. If that messes up the way you atomically manipulate pointers, we would like to know why, and what needs to be done to fix it.)

(I've not been able to locate a discussion similar to the following, and assume that this is the best place to reply to that invitation—but please do point me elsewhere if not!).

Some concurrent algorithms (I am particularly thinking of some epoch-based memory reclamation schemes) solve the ABA problem by packing both a pointer and an integer (e.g. an epoch) into a single (double-word width) atomic variable (e.g. a 128-bit atomic, manipulated using cmpxchg16b, on x86_64 architectures).

To do this with the existing atomic types requires using the appropriate double-word width atomic integer (e.g. AtomicU128 on 64-bit architectures), and converting the relevant single-word width subpart to/from a pointer.

If such pointer may be to different allocated objects over the course of the algorithm, it clearly is not possible to derive provenance in those conversions via strict provenance's .with_addr() method (because any "base" pointer from which provenance is derived would also have to be updated atomically with any update to this atomic).

I am not sure what the best solution to this might be. Perhaps something like an AtomicDoublePtr<T, U> type or similar?

Somewhat related to #286 and #480.

[RalfJung]

Yeah this is unfortunately not supported currently. A similar situation arises with types like (u64, u32) that would fit into 16 bytes but are not safe to transmute to u128 due to padding.

IMO the best solution is to have some way to do atomic operations on MaybeUninit<u128> -- or else on any T that is 16 bytes large (or 8 bytes, or some other size supported for atomics). I am not sure what the best way is to expose that from the standard library, though. Maybe a generic Atomic<T> with something like const { assert!(valid_atomic_size(size_of::<T>())) }? Or maybe we can have a magic trait that is implemented only for types that have the right size? @lcnr @BoxyUwU how terrible of an idea would that be?

[lcnr]

Or maybe we can have a magic trait that is implemented only for types that have the right size?

That's possible. It's also a stability hazard for user-defined types so idk if that is desirable 🤔 you could have an explicit AtomicSized derive which checks that the type has a valid size but is opt-in?

[RalfJung]

And then a (T, U) tuple would only be AtomicSized if it has the right size and both T and U are AtomicSized? That could work. It would also be a limitation since one can form a tuple of the right size from types that don't have the right size, like ([u8; 3], u8).

OTOH it's not a new stability hazard, it is exactly the same hazard as transmute::<LibraryType, u128>.

[eggyal]

Whilst I agree that there is a broader problem of atomically manipulating types that can't transmute to the containing atomic due to padding etc, my point was more about maintaining pointer provenance: something that AtomicPtr does but AtomicUsize does not.

When packing a pointer into a larger atomic, there is no equivalent to AtomicPtr, and I don't think this would be solved by having some more general means of packing smaller types into larger atomics? Do we not need a specific type for pointers here?

[Diggsey]

@eggyal There is a hierarchy:

usize -> *mut -> MaybeUninit
[nothing] -> [provenance] -> [uninitialized bytes]

Where stuff to the right can store everything that stuff to the left can. @RalfJung is proposing tackling the atomic manipulation of generic types, which would include MaybeUninit, and so would automatically cover all the other use-cases, whereas an AtomicDoublePtr type would solve the provenance issue, but wouldn't allow you to atomically manipulate eg. types with padding, since padding may be uninitialized.

[eggyal]

Ah, my misunderstanding. I hadn't appreciated that provenance is propagated through uninitialized bytes!

[lcnr]

And then a (T, U) tuple would only be AtomicSized if it has the right size and both T and U are AtomicSized? That could work. It would also be a limitation since one can form a tuple of the right size from types that don't have the right size, like ([u8; 3], u8).

hmm, would that work? Given that the tuple is larger than T and U I feel like it's not obvious that copying (T, U) works if T and U can be individually handled by atomic operations.

[RalfJung]

Ah, my misunderstanding. I hadn't appreciated that provenance is propagated through uninitialized bytes!

Uninitialized bytes do not have provenance. However, MaybeUninit can hold any kind of byte -- uninit, init, and init with provenance. That's why it works as a universal container that can store any data without UB and without losing anything in the roundtrip.

hmm, would that work? Given that the tuple is larger than T and U I feel like it's not obvious that copying (T, U) works if T and U can be individually handled by atomic operations.

That's why I said "if it has the right size and both fields are AtomicSized".

I don't know which rules you had in mind, since this is not a structural property. But clearly if the concern is future compatibility, then to use (T, U) in an atomic type, the authors of T and U must opt-in somehow.

[RalfJung]

There is however a classic issue with atomic operations on types with padding -- how should compare_exchange be specified? Comparing uninitialized bytes is UB. So we'd have to some very specific stunts I think... like, only allow types where "which bytes are padding" is statically known (no unions, no enums), and then specify compare_exchange to only compare the non-padding bytes but also say that it can always spuriously fail if there are any padding bytes.

I am sure we already discussed this at some point, but I am not sure if we have an issue for that... @chorman0773 do you remember?

So in that sense the situation of having two pointers is simpler, since there are no padding bytes. OTOH, by virtue of this being pointers, the issue in #480 would come up but now there'd be two provenances to worry about...

[Diggsey]

how should compare_exchange be specified? Comparing uninitialized bytes is UB.

IMO there's only two sane options, either it should be UB to do the comparison, or it should be specified that input values are frozen before being compared, with spurious failures being the logical consequence of that.

[bjorn3]

or it should be specified that input values are frozen before being compared, with spurious failures being the logical consequence of that.

That wouldn't have a forward progress guarantee as the compiler can always freeze it to the wrong value if the freeze happens as part of the compare_exchange. Freeze only requires the output of the freeze to be consistent between uses of the same freeze, not for it to be consistent between freezes.

https://llvm.org/docs/LangRef.html#freeze-instruction

All uses of a value returned by the same ‘freeze’ instruction are guaranteed to always observe the same value, while different ‘freeze’ instructions may yield different values.

[Diggsey]

That wouldn't have a forward progress guarantee as the compiler can always freeze it to the wrong value if the freeze happens as part of the compare_exchange

I think that's unavoidable if the compare/exchange loop happens in user code, since I don't think there's any guarantee that padding bytes are preserved?

Plausibly fetch_update could be made to work, since the implementation could make sure to use MaybeUninit to store the old value in that case.

[bjorn3]

I think that's unavoidable if the compare/exchange loop happens in user code, since I don't think there's any guarantee that padding bytes are preserved?

If the user freezes themself once before the compare exchange loop rather than delegate it to compare_exchange there is no forward progress problem, but if compare_exchange does it, the compiler is allowed to produce an infinite loop.

[chorman0773]

Depends on how its done. If the value is frozen into an aligned [u8;N] before being stored/compare_exchanged, then it will be frozen in memory.

…

On Thu, Jul 18, 2024 at 10:18 bjorn3 ***@***.***> wrote: I think that's unavoidable if the compare/exchange loop happens in user code, since I don't think there's any guarantee that padding bytes are preserved? If the user freezes themself once before the compare exchange loop rather than delegate it to compare_exchange there is no forward progress problem, but if compare_exchange does it, the compiler is allowed to produce an infinite loop. — Reply to this email directly, view it on GitHub <#517 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABGLD243JNHTNGFBCKWX5STZM7FD5AVCNFSM6AAAAABLBGWXCSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMZWGY2TMNZWGM> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[bjorn3]

If the current argument has padding, the compiler can always freeze the padding such that it doesn't match the actual value in the atomic, and thus force the compare_exchange to fail.