Both thread safety and liveness are concerns when using condition variables. The thread-safety property requires that all objects maintain consistent states in a multithreaded environment [Lea 2000]. The liveness property requires that every operation or function invocation execute to completion without interruption; for example, there is no deadlock.
Condition variables must be used inside a while
loop. (See CON36-C. Wrap functions that can spuriously wake up in a loop for more information.) To guarantee liveness, programs must test the while
loop condition before invoking the cnd_wait()
function. This early test checks whether another thread has already satisfied the condition predicate and has sent a notification. Invoking the cnd_wait()
function after the notification has been sent results in indefinite blocking.
To guarantee thread safety, programs must test the while
loop condition after returning from the cnd_wait()
function. When a given thread invokes the cnd_wait()
function, it will attempt to block until its condition variable is signaled by a call to cnd_broadcast()
or to cnd_signal()
.
The cnd_signal()
function unblocks one of the threads that are blocked on the specified condition variable at the time of the call. If multiple threads are waiting on the same condition variable, the scheduler can select any of those threads to be awakened (assuming that all threads have the same priority level). The cnd_broadcast()
function unblocks all of the threads that are blocked on the specified condition variable at the time of the call. The order in which threads execute following a call to cnd_broadcast()
is unspecified. Consequently, an unrelated thread could start executing, discover that its condition predicate is satisfied, and resume execution even though it was supposed to remain dormant. For these reasons, threads must check the condition predicate after the cnd_wait()
function returns. A while
loop is the best choice for checking the condition predicate both before and after invoking cnd_wait()
.
The use of cnd_signal()
is safe if each thread uses a unique condition variable. If multiple threads share a condition variable, the use of cnd_signal()
is safe only if the following conditions are met:
- All threads must perform the same set of operations after waking up, which means that any thread can be selected to wake up and resume for a single invocation of
cnd_signal()
. - Only one thread is required to wake upon receiving the signal.
The cnd_broadcast()
function can be used to unblock all of the threads that are blocked on the specified condition variable if the use of cnd_signal()
is unsafe.
Noncompliant Code Example (cnd_signal()
)
This noncompliant code example uses five threads that are intended to execute sequentially according to the step level assigned to each thread when it is created (serialized processing). The current_step
variable holds the current step level and is incremented when the respective thread completes. Finally, another thread is signaled so that the next step can be executed. Each thread waits until its step level is ready, and the cnd_wait()
function call is wrapped inside a while
loop, in compliance with CON36-C. Wrap functions that can spuriously wake up in a loop.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h>
#include <threads.h>
enum { NTHREADS = 5 };
mtx_t mutex;
cnd_t cond;
int run_step(void *t) {
static size_t current_step = 0;
size_t my_step = *(size_t *)t;
if (thrd_success != mtx_lock(&mutex) |
When a given thread waits (pthread_cond_wait()
or pthread_cond_timedwait()
) on a condition variable, it can be awakened as result of a signal operation (pthread_cond_signal()
). However, if multiple threads are waiting on the same condition variable, any of those threads can be picked up by the scheduler to be woken up (assuming that all threads have the same priority level and also that they have only one mutex associated with the condition variable CON37-C. Do not use more than one mutex for concurrent waiting operations on a condition variable).
This forces the user to create a predicate-testing-loop around the wait to guarantee that each thread only executes if its predicate test is true (recommendation on IEEE Std 1003.1 since 2001 release). As a consequence, if a given thread finds the predicate test to be false, it waits again, eventually resulting in a deadlock situation.
Therefore, the use of pthread_cond_signal()
is safe only if the following conditions are met:
- The condition variable is the same for each waiting thread;
- All threads must perform the same set of operations after waking up. This means that any thread can be selected to wake up and resume for a single invocation of
pthread_cond_signal()
; - Only one thread is required to wake upon receiving the signal.
The use of pthread_cond_signal()
can also be safe in the following situation:
- Each thread uses a unique condition variable;
- Each condition variable is associated with the same mutex (lock).
The use of pthread_cond_broadcast()
solves the problem since it wakes up all the threads associated with the respective condition variable, and since all (must) re-evaluate the predicate condition, one should find its test to be true, avoiding the deadlock situation.
Noncompliant Code Example
Code Block | ||
---|---|---|
| ||
#include <stdio.h> #include <stdlib.h> #include <pthread.h> #define NTHREADS 10 pthread_mutex_t mutex; pthread_cond_t cond; void *run_step(void *t) { static int time = 0; int step = (int)t; int result; if ((result = pthread_mutex_lock(&mutex)) != 0) { /* Handle error condition */ } printf("Thread %d has the lock\n", step); while (time != step) { printf("Thread %d is sleeping...\n", step); if ((result = pthread_cond_wait(&cond, &mutex)) != 0) { /* Handle error condition */ } printf("Thread %d woke up\n", step); } /* Do processing... */ printf("Thread %d is processing...\n", step); time++; /* Signal waiting tasks */ if ((result = pthread_cond_signal(&cond)) != 0) { /* Handle error condition */ } printf("Thread %d%zu has is exiting...the lock\n", my_step); ifwhile ((resultcurrent_step != pthread_mutex_unlock(&mutex)) != 0my_step) { printf("Thread %zu is sleeping...\n", my_step); if (thrd_success != cnd_wait(&cond, &mutex)) { /* Handle error condition */ } pthread_exit(NULL); } int main(int argc, char** argv) { int i; int result; pthread_attr_t attr; pthread_t threads[NTHREADS]; int step[NTHREADS]; printf("Thread %zu woke up\n", my_step); } /* Do processing ... */ printf("Thread %zu is processing...\n", my_step); current_step++; /* Signal awaiting task */ if ((resultthrd_success != pthreadcnd_mutex_initsignal(&mutex, NULL)) != 0cond)) { /* Handle error condition */ } printf("Thread %zu is exiting...\n", my_step); if ((resultthrd_success != pthreadmtx_cond_initunlock(&cond, NULLmutex)) != 0) { /* Handle error condition */ } if ((result = pthread_attr_init(&attr)) != 0return 0; } int main(void) { thrd_t threads[NTHREADS]; size_t step[NTHREADS]; if (thrd_success != mtx_init(&mutex, mtx_plain)) { /* Handle error condition */ } if ((resultthrd_success != pthreadcnd_attr_setdetachstateinit(&attr, PTHREAD_CREATE_JOINABLE)) != 0cond)) { /* Handle error condition */ } /* Create threads */ for (size_t i = 0; i < i<NTHREADSNTHREADS; i++i) { step[i] = i; if ((resultthrd_success != pthreadthrd_create(&threads[i], &attr, run_step, (void *)step[i])) != 0) { /* Handle error condition &step[i])) { /* Handle error */ } } /* Wait for all threads to complete */ for (size_t i = NTHREADS-1; i >!= 0; i--i) { if ((resultthrd_success != pthreadthrd_join(threads[i-1], NULL)) != 0) { /* Handle error condition */ } } if ((result = pthread_mutexmtx_destroy(&mutex)) != 0) { /* Handle error condition */ } if ((result = pthread_cond; cnd_destroy(&cond)) !=; return 0) { /* Handle error condition */ } if ((result = pthread_attr_destroy(&attr)) != 0) { /* Handle error condition */ } pthread_exit(NULL); } |
Risk Assessment
Signal a single thread instead of all waiting threads can pose a threat to the liveness property of the system.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
CON38-C | low | unlikely | medium | P2 | L3 |
pthread_cond_wait()
and pthread_cond_timedwait()
take a condition variable and locked mutex as arguments. These functions unlock the mutex until the condition variable is signaled and then re-lock the mutex before returning. While a thread is waiting on a particular condition variable and mutex, other threads may only wait on the same condition variable if they also pass the same mutex as an argument. This requirement is noted in the Open Group Base Specifications Issue 6:
...as long as at least one thread is blocked on the condition variable. During this time, the effect of an attempt by any thread to wait on that condition variable using a different mutex is undefined.
It also specifies that pthread_cond_wait()
âmayâ fail if:
Wiki Markup \[EINVAL\] The value specified by cond or mutex is invalid. \[EPERM\] The mutex was not owned by the current thread at the time of the call.
Noncompliant Code Example
In this noncompliant code example, mutex1 protects count1 and mutex2 protects count2. A race condition exists between the waiter1 and waiter2 threads since they use the same condition variable with different mutexes. If both threads attempt to call pthread_cond_wait()
at the same time, one thread will succeed and the other thread will invoke undefined behavior.
;
} |
In this example, all threads share a condition variable. Each thread has its own distinct condition predicate because each thread requires current_step
to have a different value before proceeding. When the condition variable is signaled, any of the waiting threads can wake up.
The following table illustrates a possible scenario in which the liveness property is violated. If, by chance, the notified thread is not the thread with the next step value, that thread will wait again. No additional notifications can occur, and eventually the pool of available threads will be exhausted.
Deadlock: Out-of-Sequence Step Value
Time | Thread # |
| Action |
---|---|---|---|
0 | 3 | 0 | Thread 3 executes first time: predicate is |
1 | 2 | 0 | Thread 2 executes first time: predicate is |
2 | 4 | 0 | Thread 4 executes first time: predicate is |
3 | 0 | 0 | Thread 0 executes first time: predicate is |
4 | 1 | 1 | Thread 1 executes first time: predicate is |
5 | 3 | 2 | Thread 3 wakes up (scheduler choice): predicate is |
6 | — | — | Thread exhaustion! No more threads to run, and a conditional variable signal is needed to wake up the others |
This noncompliant code example violates the liveness property.
Compliant Solution (cnd_broadcast()
)
This compliant solution uses the cnd_broadcast()
function to signal all waiting threads instead of a single random thread. Only the run_step()
thread code from the noncompliant code example is modified, as follows:
Code Block | ||||
---|---|---|---|---|
| ||||
Code Block | ||||
| ||||
#include <stdio.h> #include <string<threads.h> #include <pthread.h> #include <assert.h> #include <unistd.h> #include <errno.h> pthread_mutex mtx_t mutex1mutex; pthread_mutexcnd_t mutex2cond; pthread_mutexattr_t attr; pthread_cond_t cv; int run_step(void *waiter1(t); { void *waiter2(); void *signaler(); int count1 = 0, count2 static size_t current_step = 0; #define COUNT_LIMIT 5 int main() { int ret; pthread_t thread1, thread2, thread3; if ((ret = pthread_mutexattr_init( &attr)) != 0 size_t my_step = *(size_t *)t; if (thrd_success != mtx_lock(&mutex)) { /* handleHandle error */ } if ((ret = pthread_mutexattr_settype( &attr, PTHREAD_MUTEX_ERRORCHECK))printf("Thread %zu has the lock\n", my_step); while (current_step != 0my_step) { /* handle error */ } printf("Thread %zu is sleeping...\n", my_step); if ((retthrd_success != pthreadcnd_mutex_initwait( &mutex1cond, &attrmutex)) !={ 0) { /* handleHandle error */ } if ((ret = pthread_mutex_init( &mutex2, &attr)) != 0) { printf("Thread %zu woke up\n", my_step); } /* Do handleprocessing error... */ } if ((ret = pthread_cond_init( &cv, NULL)) != 0) { /* handle error */ } printf("Thread %zu is processing...\n", my_step); current_step++; /* Signal ALL waiting tasks */ if ((retthrd_success != pthreadcnd_createbroadcast( &thread1, NULL, &waiter1, NULL)&cond)) { /* handleHandle error */ } if ((ret = pthread_create( &thread2, NULL, &waiter2, NULL))) { /* handle error */ } if ((ret = pthread_create( &thread3, NULL, &signaler, NULL)printf("Thread %zu is exiting...\n", my_step); if (thrd_success != mtx_unlock(&mutex)) { /* handleHandle error */ } if ((ret = pthread_join( thread1, NULL)) != 0) { /* handle error */ } if ((ret = pthread_join( thread2, NULL)) != 0) { /* handle error */ } if ((ret = pthread_join( thread3, NULL)) != 0) { /* handle error */ } return 0; } void *waiter1() { int ret; while (count1 < COUNT_LIMITreturn 0; } |
Awakening all threads guarantees the liveness property because each thread will execute its condition predicate test, and exactly one will succeed and continue execution.
Compliant Solution (Using cnd_signal()
with a Unique Condition Variable per Thread)
Another compliant solution is to use a unique condition variable for each thread (all associated with the same mutex). In this case, cnd_signal()
wakes up only the thread that is waiting on it. This solution is more efficient than using cnd_broadcast()
because only the desired thread is awakened.
The condition predicate of the signaled thread must be true; otherwise, a deadlock will occur.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> #include <threads.h> enum { NTHREADS = 5 }; mtx_t mutex; cnd_t cond[NTHREADS]; int run_step(void *t) { static size_t current_step = 0; size_t my_step = *(size_t *)t; if (thrd_success != mtx_lock(&mutex)) { if ((ret = pthread_mutex_lock(&mutex1)) != 0) { /* handle error */ } if ((ret = pthread_cond_wait(&cv, &mutex1)) != 0) /* Handle error */ } printf("Thread %zu has the lock\n", my_step); while (current_step != my_step) { printf("Thread %zu is sleeping...\n", my_step); if (thrd_success != cnd_wait(&cond[my_step], &mutex)) { /* handleHandle error */ } printf("count1Thread %zu =woke %dup\n", ++count1my_step); if ((ret = pthread_mutex_unlock(&mutex1)) != 0) { } /* Do handleprocessing error... */ printf("Thread %zu } }is processing...\n", my_step); return NULLcurrent_step++; } void /*waiter2() { int ret; Signal next step thread */ whileif (count2((my_step + 1) < COUNT_LIMITNTHREADS) { if ((retthrd_success != pthreadcnd_mutex_locksignal(&mutex2)) != 0cond[my_step + 1])) { /* handleHandle error */ } } printf("Thread %zu is exiting...\n", my_step); if ((retthrd_success != pthreadmtx_cond_waitunlock(&cv, &mutex2)) != 0mutex)) { /* handleHandle error */ } return 0; } int main(void) { printf("count2 = %d\n", ++count2); thrd_t threads[NTHREADS]; size_t step[NTHREADS]; if ((retthrd_success != pthreadmtx_mutex_unlockinit(&mutex2)) != 0mutex, mtx_plain)) { /* handleHandle error */ } } } return NULL; } void *signaler(for (size_t i = 0; i< NTHREADS; ++i) { int ret; if while ((count1 < COUNT_LIMIT) || (count2 < COUNT_LIMIT(thrd_success != cnd_init(&cond[i])) { sleep(1); printf("signaling\n"); /* Handle error */ if} ((ret = pthread_cond_signal(&cv)) != 0) { } /* Create threads */ for (size_t i = 0; i /*< handle error */ } } return NULL; } |
Implementation Details: Linux
When the system is built on the following platform:
Red Hat Enterprise Linux Client release 5.5 (Tikanga)
kernel 2.6.18
gcc 4.3.5 with the --D_GNU_SOURCE flag
the above code works as expected. Waiter1 and waiter2 increment the variable once they are signaled and the correct mutex is acquired after pthread_cond_wait returns in each thread.
The man page for pthread_cond_wait on this configuration says that it âmayâ fail with a return value of EINVAL
if âdifferent mutexes were supplied for concurrent pthread_cond_timedwait()
or pthread_cond_wait()
operations on the same condition variable.â This does not happen however.
Implementation Details: OS X
When the system is built on the following platform:
OS X 10.6.4 (Snow Leopard)
gcc 4.2.1
pthread_cond_wait()
returns EINVAL
if it is called when another thread is waiting on the condition variable with a different mutex. This is arguably better since it forces the coder to fix the problem instead of allowing reliance on undefined behavior.
The man page for pthread_cond_wait()}] simply says that {{EINVAL
will be returned if âThe value specified by cond or the value specified by mutex is invalid.â but it doesnât say what invalid means.
Compliant Solution
This problem can be solved either by always using the same mutex whenever a particular condition variable is used, or by using separate condition variables. Which one is better depends on how the code is expected to work. Here we will use the âsame mutexâ solution.
Code Block | ||
---|---|---|
| ||
pthread_mutex_t mutex1; /* initialized as PTHREAD_MUTEX_ERRORCHECK */
pthread_cond_t cv;
int count1 = 0, count2 = 0;
void *waiter1() {
int ret;
while (count1 < COUNT_LIMIT) {
if ((ret = pthread_mutex_lock(&mutex1)) != 0) {
/* handle error */
}
if ((ret = pthread_cond_wait(&cv, &mutex1)) != 0) {
/* handle error */
}
printf("count1 = %d\n", ++count1);
if ((ret = pthread_mutex_unlock(&mutex1)) != 0) {
/* handle error */
}
}
return NULL;
}
void *waiter2() {
int ret;
while (count2 < COUNT_LIMIT) {
if ((ret = pthread_mutex_lock(&mutex1)) != 0) {
/* handle error */
}
if ((ret = pthread_cond_wait(&cv, &mutex1)) != 0) {
/* handle error */
}
printf("count2 = %d\n", ++count2);
if ((ret = pthread_mutex_unlock(&mutex1)) != 0) {
/* handle error */
}
}
return NULL;
}
|
Risk Assessment
Waiting on the same condition variable with two different mutexes could cause a thread to be signaled and resume execution with the wrong mutex locked. This could lead to unexpected program behavior if the same shared data were simultaneously accessed by two threads.
Therefore the severity is medium because improperly accessing shared data could lead to data integrity violation. Likelihood is probable because in such an implementation an error code would not be returned, and remediation cost is high because detection and correction of this problem are both manual.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
CON37-C | medium | probable | high | P4 | L3 |
Bibliography
NTHREADS; ++i) {
step[i] = i;
if (thrd_success != thrd_create(&threads[i], run_step,
&step[i])) {
/* Handle error */
}
}
/* Wait for all threads to complete */
for (size_t i = NTHREADS; i != 0; --i) {
if (thrd_success != thrd_join(threads[i-1], NULL)) {
/* Handle error */
}
}
mtx_destroy(&mutex);
for (size_t i = 0; i < NTHREADS; ++i) {
cnd_destroy(&cond[i]);
}
return 0;
} |
Compliant Solution (Windows, Condition Variables)
This compliant solution uses a CONDITION_VARIABLE
object, available on Microsoft Windows (Vista and later):
Code Block | ||||
---|---|---|---|---|
| ||||
#include <Windows.h>
#include <stdio.h>
CRITICAL_SECTION lock;
CONDITION_VARIABLE cond;
DWORD WINAPI run_step(LPVOID t) {
static size_t current_step = 0;
size_t my_step = (size_t)t;
EnterCriticalSection(&lock);
printf("Thread %zu has the lock\n", my_step);
while (current_step != my_step) {
printf("Thread %zu is sleeping...\n", my_step);
if (!SleepConditionVariableCS(&cond, &lock, INFINITE)) {
/* Handle error */
}
printf("Thread %zu woke up\n", my_step);
}
/* Do processing ... */
printf("Thread %zu is processing...\n", my_step);
current_step++;
LeaveCriticalSection(&lock);
/* Signal ALL waiting tasks */
WakeAllConditionVariable(&cond);
printf("Thread %zu is exiting...\n", my_step);
return 0;
}
enum { NTHREADS = 5 };
int main(void) {
HANDLE threads[NTHREADS];
InitializeCriticalSection(&lock);
InitializeConditionVariable(&cond);
/* Create threads */
for (size_t i = 0; i < NTHREADS; ++i) {
threads[i] = CreateThread(NULL, 0, run_step, (LPVOID)i, 0, NULL);
}
/* Wait for all threads to complete */
WaitForMultipleObjects(NTHREADS, threads, TRUE, INFINITE);
DeleteCriticalSection(&lock);
return 0;
} |
Risk Assessment
Failing to preserve the thread safety and liveness of a program when using condition variables can lead to indefinite blocking and denial of service (DoS).
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
CON38-C | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| CONCURRENCY.BADFUNC.CNDSIGNAL | Use of Condition Variable Signal | ||||||
Cppcheck Premium |
| premium-cert-con38-c | Fully implemented | ||||||
Helix QAC |
| C1778, C1779 | |||||||
Klocwork |
| CERT.CONC.UNSAFE_COND_VAR_C | |||||||
Parasoft C/C++test |
| CERT_C-CON38-a | Use the 'cnd_signal()' function with a unique condition variable | ||||||
Polyspace Bug Finder |
| CERT C: Rule CON38-C | Checks for multiple threads waiting on same condition variable (rule fully covered) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT Oracle Secure Coding Standard for Java | THI02-J. Notify all waiting threads rather than a single thread | Prior to 2018-01-12: CERT: Unspecified Relationship |
Bibliography
[IEEE Std 1003.1:2013] | XSH, System Interfaces, pthread_cond_broadcast XSH, System Interfaces, pthread_cond_signal |
[Lea 2000] |
...
\[[Open Group 2004|AA. Bibliography#Open Group 04]\] [{{pthread_cond_timedwait()/pthread_cond_wait()}}|http://www.opengroup.org/onlinepubs/009695399/functions/pthread_cond_timedwait.html] Wiki Markup