...
The use of pthread_cond_broadcast() solves the problem since it wakes up all the threads associated with the respective condition variable, and since all (must) re-evaluate the predicate condition, one should find its test to be true, avoiding the deadlock situation.
Noncompliant Code Example (pthread_cond_signal())
| Code Block | ||
|---|---|---|
| ||
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#define NTHREADS 10
pthread_mutex_t mutex;
pthread_cond_t cond;
void *run_step(void *t) {
static int time = 0;
int step = (int)t;
int result;
if ((result = pthread_mutex_lock(&mutex)) != 0) {
/* Handle error condition */
}
printf("Thread %d has the lock\n", step);
while (time != step) {
printf("Thread %d is sleeping...\n", step);
if ((result = pthread_cond_wait(&cond, &mutex)) != 0) {
/* Handle error condition */
}
printf("Thread %d woke up\n", step);
}
/* Do processing... */
printf("Thread %d is processing...\n", step);
time++;
/* Signal waiting tasks */
if ((result = pthread_cond_signal(&cond)) != 0) {
/* Handle error condition */
}
printf("Thread %d is exiting...\n", step);
if ((result = pthread_mutex_unlock(&mutex)) != 0) {
/* Handle error condition */
}
pthread_exit(NULL);
}
int main(int argc, char** argv) {
int i;
int result;
pthread_attr_t attr;
pthread_t threads[NTHREADS];
int step[NTHREADS];
if ((result = pthread_mutex_init(&mutex, NULL)) != 0) {
/* Handle error condition */
}
if ((result = pthread_cond_init(&cond, NULL)) != 0) {
/* Handle error condition */
}
if ((result = pthread_attr_init(&attr)) != 0) {
/* Handle error condition */
}
if ((result = pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE)) != 0) {
/* Handle error condition */
}
/* Create threads */
for (i=0; i<NTHREADS; i++) {
step[i] = i;
if ((result = pthread_create(&threads[i], &attr, run_step, (void *)step[i])) != 0) {
/* Handle error condition */
}
}
/* Wait for all threads to complete */
for (i = NTHREADS-1; i >= 0; i--) {
if ((result = pthread_join(threads[i], NULL)) != 0) {
/* Handle error condition */
}
}
if ((result = pthread_mutex_destroy(&mutex)) != 0) {
/* Handle error condition */
}
if ((result = pthread_cond_destroy(&cond)) != 0) {
/* Handle error condition */
}
if ((result = pthread_attr_destroy(&attr)) != 0) {
/* Handle error condition */
}
pthread_exit(NULL);
}
|
Risk Assessment
Signal a single thread instead of all waiting threads can pose a threat to the liveness property of the system.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON38-C | low | unlikely | medium | P2 | L3 |
...
Compliant Solution (pthread_cond_
...
...as long as at least one thread is blocked on the condition variable. During this time, the effect of an attempt by any thread to wait on that condition variable using a different mutex is undefined.
...
broadcast())
| Wiki Markup |
|---|
...
\[EINVAL\]
The value specified by cond or mutex is invalid.
\[EPERM\]
The mutex was not owned by the current thread at the time of the call.This compliant solution uses the {{pthread_cond_broadcast()}} method to signal all waiting threads. Before {{await()}} returns, the current thread reacquires the lock associated with this condition. When the thread returns, it is guaranteed to hold this lock \[[API 2006|AA. Bibliography#API 06]\] The thread that is ready can perform its task, while all the threads whose condition predicates are false resume waiting. |
Only the run() method from the noncompliant code example is modified, as follows:
| Code Block | ||
|---|---|---|
| ||
Compliant Solution (pthread_cond_signal() but with one condition variable per thread)
| Code Block | ||
|---|---|---|
| ||
Risk Assessment
Signal a single thread instead of all waiting threads can pose a threat to the liveness property of the system.
Guideline |
|---|
Noncompliant Code Example
In this noncompliant code example, mutex1 protects count1 and mutex2 protects count2. A race condition exists between the waiter1 and waiter2 threads since they use the same condition variable with different mutexes. If both threads attempt to call pthread_cond_wait() at the same time, one thread will succeed and the other thread will invoke undefined behavior.
| Code Block | ||
|---|---|---|
| ||
#include <stdio.h>
#include <string.h>
#include <pthread.h>
#include <assert.h>
#include <unistd.h>
#include <errno.h>
pthread_mutex_t mutex1;
pthread_mutex_t mutex2;
pthread_mutexattr_t attr;
pthread_cond_t cv;
void *waiter1();
void *waiter2();
void *signaler();
int count1 = 0, count2 = 0;
#define COUNT_LIMIT 5
int main() {
int ret;
pthread_t thread1, thread2, thread3;
if ((ret = pthread_mutexattr_init( &attr)) != 0) {
/* handle error */
}
if ((ret = pthread_mutexattr_settype( &attr, PTHREAD_MUTEX_ERRORCHECK)) != 0) {
/* handle error */
}
if ((ret = pthread_mutex_init( &mutex1, &attr)) != 0) {
/* handle error */
}
if ((ret = pthread_mutex_init( &mutex2, &attr)) != 0) {
/* handle error */
}
if ((ret = pthread_cond_init( &cv, NULL)) != 0) {
/* handle error */
}
if ((ret = pthread_create( &thread1, NULL, &waiter1, NULL))) {
/* handle error */
}
if ((ret = pthread_create( &thread2, NULL, &waiter2, NULL))) {
/* handle error */
}
if ((ret = pthread_create( &thread3, NULL, &signaler, NULL))) {
/* handle error */
}
if ((ret = pthread_join( thread1, NULL)) != 0) {
/* handle error */
}
if ((ret = pthread_join( thread2, NULL)) != 0) {
/* handle error */
}
if ((ret = pthread_join( thread3, NULL)) != 0) {
/* handle error */
}
return 0;
}
void *waiter1() {
int ret;
while (count1 < COUNT_LIMIT) {
if ((ret = pthread_mutex_lock(&mutex1)) != 0) {
/* handle error */
}
if ((ret = pthread_cond_wait(&cv, &mutex1)) != 0) {
/* handle error */
}
printf("count1 = %d\n", ++count1);
if ((ret = pthread_mutex_unlock(&mutex1)) != 0) {
/* handle error */
}
}
return NULL;
}
void *waiter2() {
int ret;
while (count2 < COUNT_LIMIT) {
if ((ret = pthread_mutex_lock(&mutex2)) != 0) {
/* handle error */
}
if ((ret = pthread_cond_wait(&cv, &mutex2)) != 0) {
/* handle error */
}
printf("count2 = %d\n", ++count2);
if ((ret = pthread_mutex_unlock(&mutex2)) != 0) {
/* handle error */
}
}
return NULL;
}
void *signaler() {
int ret;
while ((count1 < COUNT_LIMIT) || (count2 < COUNT_LIMIT)) {
sleep(1);
printf("signaling\n");
if ((ret = pthread_cond_signal(&cv)) != 0) {
/* handle error */
}
}
return NULL;
}
|
Implementation Details: Linux
When the system is built on the following platform:
Red Hat Enterprise Linux Client release 5.5 (Tikanga)
kernel 2.6.18
gcc 4.3.5 with the --D_GNU_SOURCE flag
the above code works as expected. Waiter1 and waiter2 increment the variable once they are signaled and the correct mutex is acquired after pthread_cond_wait returns in each thread.
The man page for pthread_cond_wait on this configuration says that it âmayâ fail with a return value of EINVAL if âdifferent mutexes were supplied for concurrent pthread_cond_timedwait() or pthread_cond_wait() operations on the same condition variable.â This does not happen however.
Implementation Details: OS X
When the system is built on the following platform:
OS X 10.6.4 (Snow Leopard)
gcc 4.2.1
pthread_cond_wait() returns EINVAL if it is called when another thread is waiting on the condition variable with a different mutex. This is arguably better since it forces the coder to fix the problem instead of allowing reliance on undefined behavior.
The man page for pthread_cond_wait()}] simply says that {{EINVAL will be returned if âThe value specified by cond or the value specified by mutex is invalid.â but it doesnât say what invalid means.
Compliant Solution
This problem can be solved either by always using the same mutex whenever a particular condition variable is used, or by using separate condition variables. Which one is better depends on how the code is expected to work. Here we will use the âsame mutexâ solution.
| Code Block | ||
|---|---|---|
| ||
pthread_mutex_t mutex1; /* initialized as PTHREAD_MUTEX_ERRORCHECK */
pthread_cond_t cv;
int count1 = 0, count2 = 0;
void *waiter1() {
int ret;
while (count1 < COUNT_LIMIT) {
if ((ret = pthread_mutex_lock(&mutex1)) != 0) {
/* handle error */
}
if ((ret = pthread_cond_wait(&cv, &mutex1)) != 0) {
/* handle error */
}
printf("count1 = %d\n", ++count1);
if ((ret = pthread_mutex_unlock(&mutex1)) != 0) {
/* handle error */
}
}
return NULL;
}
void *waiter2() {
int ret;
while (count2 < COUNT_LIMIT) {
if ((ret = pthread_mutex_lock(&mutex1)) != 0) {
/* handle error */
}
if ((ret = pthread_cond_wait(&cv, &mutex1)) != 0) {
/* handle error */
}
printf("count2 = %d\n", ++count2);
if ((ret = pthread_mutex_unlock(&mutex1)) != 0) {
/* handle error */
}
}
return NULL;
}
|
Risk Assessment
Waiting on the same condition variable with two different mutexes could cause a thread to be signaled and resume execution with the wrong mutex locked. This could lead to unexpected program behavior if the same shared data were simultaneously accessed by two threads.
Therefore the severity is medium because improperly accessing shared data could lead to data integrity violation. Likelihood is probable because in such an implementation an error code would not be returned, and remediation cost is high because detection and correction of this problem are both manual.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON37 CON38-C | medium low | probable unlikely | high medium | P4 P2 | L3 |
Bibliography
...