SEI CERT C++ Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 1

changes.mady.by.user David Keaton

Saved on

compared with

New Version 2

changes.mady.by.user David Keaton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This statement implies that destroying a mutex while a thread is waiting on it is undefined behavior.

Noncompliant Code Example

This noncompliant code example creates several threads that each invoke the do_work() function, passing a unique number as an ID.

...

Code Block
bgColor#ffcccc
langc
#include <mutex>
#include <thread>

const size_t max_threads = 10;

void do_work(size_t i, std::mutex *lockp)
{
  std::lock_guard<std::mutex> guard(*lockp);

  // Access data protected by the lock.
}

void start_threads(void)
{
  std::thread threads[max_threads];
  std::mutex lock;

  for (size_t i = 0; i < max_threads; ++i) {
    threads[i] = std::thread(do_work, i, &lock);
  }
}

Compliant Solution

This compliant solution eliminates the race condition by extending the lifetime of the lock:

Code Block
bgColor#ccccff
langc
#include <mutex>
#include <thread>

const size_t max_threads = 10;

void do_work(size_t i, std::mutex *lockp)
{
  std::lock_guard<std::mutex> guard(*lockp);

  // Access data protected by the lock.
}

std::mutex lock;

void start_threads(void)
{
  std::thread threads[max_threads];

  for (size_t i = 0; i < max_threads; ++i) {
    threads[i] = std::thread(do_work, i, &lock);
  }
}

Compliant Solution

This compliant solution eliminates the race condition by joining the threads before the lock's destructor is invoked:

Code Block
bgColor#ccccff
langc
#include <mutex>
#include <thread>

const size_t max_threads = 10;

void do_work(size_t i, std::mutex *lockp)
{
  std::lock_guard<std::mutex> guard(*lockp);

  // Access data protected by the lock.
}
void run_threads(void)
{
  std::thread threads[max_threads];
  std::mutex lock;

  for (size_t i = 0; i < max_threads; ++i) {
    threads[i] = std::thread(do_work, i, &lock);
  }

  for (size_t i = 0; i < max_threads; ++i) {
    threads[i].join();
  }
}


Risk Assessment

Destroying a mutex while it is locked may result in invalid control flow and data corruption.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

CON50-CPP

Medium

Probable

High

P4

L3

Automated Detection

Tool

Version

Checker

Description

Fortify SCA

5.0

 

Can detect violations of this rule with CERT C Rule Pack

Parasoft C/C++test9.5BD-RES-FREE, BD-RES-INVFREE 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

MITRE CWECWE-667, Improper Locking

Bibliography

[ISO/IEC 9899:2011]7.26.4.1, "The mtx_destroy Function"

...