SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 8

changes.mady.by.user Alexandre Santos

Saved on

compared with

New Version 9

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

When a given thread waits (pthread_cond_wait() or pthread_cond_timedwait()) on a condition variable, it can be awakened as result of a signal operation operation (pthread_cond_signal()). However, if multiple threads are waiting on the same condition variable, any of those threads can be picked up by the scheduler to be awaked (assuming that all threads have the same priority level and also that they have only one mutex associated with the condition variable CON37-C. Do not use more than one mutex for concurrent waiting operations on a condition variable).

This forces the user to create a predicatea predicate-testing-loop around the wait condition to guarantee that each thread only executes if its predicate test is true (recommendation on IEEE Std 1003IEEE Std 1003.1 since 2001 release). As a consequence, if a given thread finds the predicate test to be false, it waits again, eventually resulting in a deadlock situation.

...

The use of pthread_cond_broadcast() solves the problem since it wakes up all the threads associated with the respective condition variable, and since all (must) re-evaluate the predicate condition, one should find its test to be true, avoiding the deadlock situation.

Noncompliant Code Example (pthread_cond_signal())

The following noncompliant code example consists on a given number of threads (5) that should execute one after another according to the step level that is assigned to them when created (serialized processing). The current_step variable holds the current step level and is incremented as soon as the respective thread finishes its processing. Finally, another thread is signaled so that the next step can be executed.

Code Block
bgColor#FFcccc
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>

#define NTHREADS  5

pthread_mutex_t mutex;
pthread_cond_t cond;


int main(int argc, char** argvvoid *run_step(void *t) {
  static int i current_step = 0;
  int result;
  pthread_attr_t attrmy_step = (int)t;
  pthread_t threads[NTHREADS];int result;

  int step[NTHREADS];

  if (if ((result = pthread_mutex_initlock(&mutex, NULL)) != 0) {
    /* Handle error condition */
  }

  printf("Thread if%d ((resulthas = pthread_cond_init(&cond, NULL))the lock\n", my_step);

  while (current_step != 0my_step) {
    /* Handle error condition */printf("Thread %d is sleeping...\n", my_step);

  }
  if ((result = pthread_attrcond_initwait(&attrcond, &mutex)) != 0) {
      /* Handle error condition */
    }

   if ((result = pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE)) != 0) {
    /* Handle error condition */
  printf("Thread %d woke up\n", my_step);
  }

  /* Create threadsDo processing... */
  for printf(i"Thread =%d 0; i < NTHREADS; i++) {
    step[i] = i;
  is processing...\n", my_step);

  current_step++;

  /* Signal a waiting task */
  if ((result = pthread_cond_create(&threads[i], &attr, run_step, (void *)step[i]signal(&cond)) != 0) {
      /* Handle error condition */
    }

  }

  /* Wait for all threads to complete */
  for (i = NTHREADS-1; i >= 0; i--) {
    printf("Thread %d is exiting...\n", my_step);

  if ((result = pthread_join(threads[i], NULLmutex_unlock(&mutex)) != 0) {
      /* Handle error condition */
    }

  pthread_exit(NULL);
}


int  if ((result = pthread_mutex_destroy(&mutex)) != 0main(int argc, char** argv) {
  int i;
 /* Handle error condition */
  }int result;
  pthread_attr_t attr;
  pthread_t threads[NTHREADS];
  int step[NTHREADS];

  if ((result = pthread_condmutex_destroyinit(&condmutex, NULL)) != 0) {
    /* Handle error condition */
  }
  if ((result = pthread_attrcond_destroyinit(&attrcond, NULL)) != 0) {
    /* Handle error condition */
  }

   if ((result = pthread_attr_exitinit(NULL);
}


void *run_step(void *t&attr)) != 0) {
  static int current_step = 0;
  int my_step = (int)t;
  int result;
/* Handle error condition */
  }
  if ((result = pthread_mutexattr_locksetdetachstate(&mutexattr, PTHREAD_CREATE_JOINABLE)) != 0) {
    /* Handle error condition */
  }

  printf("Thread %d has the lock\n", my_step);
/* Create threads */
  whilefor (current_stepi != my_step= 0; i < NTHREADS; i++) {
    printf("Thread %d is sleeping...\n", my_step);

step[i] = i;
    if ((result = pthread_cond_waitcreate(&condthreads[i], &mutexattr, run_step, (void *)step[i])) != 0) {
      /* Handle error condition */
    }
  }

  /* Wait for printf("Thread %d woke up\n", my_step);
  }

  /* Do processing... */
  printf("Thread %d is processing...\n", my_step);

  current_step++;

  /* Signal a waiting task */all threads to complete */
  for (i = NTHREADS-1; i >= 0; i--) {
    if ((result = pthread_join(threads[i], NULL)) != 0) {
      /* Handle error condition */
    }
  }

  if ((result = pthread_condmutex_signaldestroy(&condmutex)) != 0) {
    /* Handle error condition */
  }

  if printf(("Threadresult %d is exiting...\n", my_step);
= pthread_cond_destroy(&cond)) != 0) {
    /* Handle error condition */
  }
  if ((result = pthread_mutexattr_unlockdestroy(&mutexattr)) != 0) {
    /* Handle error condition */
  }

  pthread_exit(NULL);
}

In the above code, each thread has its own predicate because each requires current_step to have a different value before proceeding.  Having Having into consideration that upon the signal operation (pthread_cond_signal()) any of the waiting threads can wake up and that if by chance it is not the one with the next step value, that one will wait again pthread_cond_wait(), thus resulting in a deadlock situation because no more signal operations will occur.

...

Therefore, this noncompliant code example violates the [BB. Definitions#liveness[liveness property.

Compliant Solution (using pthread_cond_broadcast())

This compliant solution uses the pthread_cond_broadcast() method to signal all waiting threads instead of a single "random" one.
Only the run_step() thread code from the noncompliant code example is modified, as follows:

...

The fact that all tasks will be waken up solves the problem because all tasks end up executing its predicate test, and therefore one will find it to be true and continue the execution until the end.

Compliant Solution (using pthread_cond_signal() but with a unique condition variable per thread)

Another way to solve the signal issue is to use a unique condition variable for each thread (maintaining a single mutex associated with it). In this case, the signal operation (pthread_cond_signal()) will wake up the only thread waiting on it.
NOTE: the predicate of the signaled thread must be true, otherwise a deadlock may occur anyway.

Code Block
bgColor#ccccff
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>

#define NTHREADS  5

pthread_mutex_t mutex;
pthread_cond_t cond[NTHREADS];


int main(int argc, char** argvvoid *run_step(void *t) {
  static int i current_step = 0;
  int result;
  pthread_attr_t attr;
  pthread_t threads[NTHREADS]my_step = (int)t;
  int step[NTHREADS]result;

  if ((result = pthread_mutex_initlock(&mutex, NULL)) != 0) {
    /* Handle error condition */
  }

  for printf(i"Thread =%d 0;has i< NTHREADS; i++) {the lock\n", my_step);

    ifwhile ((result = pthread_cond_init(&cond[i], NULL))current_step != 0my_step) {
    printf("Thread %d is sleeping...\n", my_step);

    if ((result = pthread_cond_wait(&cond[my_step], &mutex)) != 0) {
      /* Handle error condition */
    }

    printf("Thread %d woke up\n", my_step);
  }

  /* Do processing... */
  printf("Thread %d is processing...\n", my_step);

  current_step++;

  /* HandleSignal next errorstep conditionthread */
    }
  }

  if ((resultmy_step = pthread_attr_init(&attr)) != 0) {
    /* Handle error condition */
  }
+ 1) < NTHREADS) {
    if ((result = pthread_attrcond_setdetachstatesignal(&attr, PTHREAD_CREATE_JOINABLEcond[my_step+1])) != 0) {
      /* Handle error condition */
    }

  /* Create threads */}

  for printf(i"Thread =%d 0; i < NTHREADS; i++) {
    step[i] = i;
    is exiting...\n", my_step);

  if ((result = pthread_mutex_create(&threads[i], &attr, run_step, (void *)step[i]unlock(&mutex)) != 0) {
      /* Handle error condition */
    }
  }

  /* Wait for all threads to complete */
  for (i = NTHREADS-1; i >= 0; i--) {
   
  }

  pthread_exit(NULL);
}


int main(int argc, char** argv) {
  int i;
  int result;
  pthread_attr_t attr;
  pthread_t threads[NTHREADS];
  int step[NTHREADS];

  if ((result = pthread_mutex_join(threads[i]init(&mutex, NULL)) != 0) {
      /* Handle error condition */
  }

   }for (i = 0; i< NTHREADS; i++) {
  }

  if ((result = pthread_mutexcond_destroy(&mutexinit(&cond[i], NULL)) != 0) {
      /* Handle error condition */
    }

  for (i = 0; i < NTHREADS; i++) {
    }

  if ((result = pthread_condattr_destroyinit(&cond[i]attr)) != 0) {
      /* Handle error condition */
    }
  }

  if ((result = pthread_attr_destroy(&attr_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE)) != 0) {
    /* Handle error condition */
  }

   pthread_exit(NULL);
}


void *run_step(void *t) {/* Create threads */
  static int current_stepfor (i = 0; i < NTHREADS; i++) {
   int my_step[i] = (int)ti;
  int result;

  if ((result = pthread_mutex_lock(&mutexcreate(&threads[i], &attr, run_step, (void *)step[i])) != 0) {
      /* Handle error condition */
    }

  printf("Thread %d has the lock\n", my_step);  }

  while (current_step != my_step) {/* Wait for all threads to complete */
  for  printf("Thread %d is sleeping...\n", my_step);

(i = NTHREADS-1; i >= 0; i--) {
    if ((result = pthread_cond_wait(&cond[my_stepjoin(threads[i], &mutexNULL)) != 0) {
      /* Handle error condition */
    }

    printf("Thread %d woke up\n", my_step);
  }

  /* Do processing...Handle error condition */
  printf("Thread %d is processing...\n", my_step);

  current_step++;

  /* Signal next step thread */
  if ((my_step + 1) < NTHREADS}
  }

  if ((result = pthread_mutex_destroy(&mutex)) != 0) {
    /* Handle error condition */
  }

  for (i = 0; i < NTHREADS; i++) {
    if ((result = pthread_cond_signaldestroy(&cond[my_step+1i])) != 0) {
      /* Handle error condition */
    }
  }

  printf("Thread %d is exiting...\n", my_step);
  }

  if ((result = pthread_mutexattr_unlockdestroy(&mutexattr)) != 0) {
    /* Handle error condition */
  }

  pthread_exit(NULL);
}

In the above code each thread has associated a unique condition variable which is signaled when that particular thread needs to be waken up. This solution turns to be more efficient because only the desired thread will be waken up.

Risk Assessment

Signal a single thread instead of all waiting threads can pose a threat to the liveness property of the system.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

CON38-C

low

unlikely

medium

P2

L3

Other Languages

Related Guidelines

The CERT Oracle Secure Coding Standard for Java:
This rule is a translation from the Java rule THI04-J. Notify all waiting threads instead of a single thread.

Related Vulnerabilities

CON37-C. Do not use more than one mutex for concurrent waiting operations on a condition variable

Bibliography

Wiki Markup
\[[Open Group|AA. Bibliography#OpenGroup04]\] [pthread_cond_signal()&nbsp; pthread_cond_broadcast()|http://www.opengroup.org/onlinepubs/7990989775/xsh/pthread_cond_signal.html]\\

...

CON37-C. Do not use more than one mutex for concurrent waiting operations on a condition variable      14. Concurrency (CON)       49. Miscellaneous (MSC)