A consistent locking policy guarantees that multiple threads cannot simultaneously access or modify shared data. If When two or more operations need to must be performed as a single atomic operation, it is necessary to implement a consistent locking policy by must be implemented using either using intrinsic synchronization or the java.util.concurrent
utilities. In the absence of such a policy, the code is susceptible to race conditions.
Given an invariant involving multiple objects, a programmer may incorrectly assume that individually atomic operations require no additional locking; however, this is not the caseWhen presented with a set of operations, where each is guaranteed to be atomic, it is tempting to assume that a single operation consisting of individually atomic operations is guaranteed to be collectively atomic without additional locking. Similarly, programmers may might incorrectly assume that using use of a thread-safe Collection
does not require explicit synchronization is sufficient to preserve an invariant that involves the collection's elements without additional synchronization. A thread-safe class can only guarantee atomicity of its individual methods. A grouping of calls to such methods requires additional synchronization for the group.
Consider, for example, a scenario where in which the standard thread-safe API does not provide lacks a single method both to both find a particular person's record in a Hashtable
and update the corresponding to update that person's payroll information. In such cases, the two method invocations must be performed atomically.
Enumerations and iterators also require either explicit synchronization on the collection object (client-side locking) or use of a private final lock object.
Compound operations on shared variables are also non-atomic . See CON01(see VNA02-J. Ensure that compound operations on shared variables are atomic for more information).
CON30VNA04-J. Do not use method chaining implementations in a multithreaded environmentEnsure that calls to chained methods are atomic describes a specialized case of this guidelinerule.
Noncompliant Code Example (AtomicReference
)
This noncompliant code example wraps references to BigInteger
objects within within thread-safe AtomicReference
objects. :
Code Block | ||
---|---|---|
| ||
final class Adder { private final AtomicReference<BigInteger> first; private final AtomicReference<BigInteger> second; public Adder(BigInteger f, BigInteger s) { first = new AtomicReference<BigInteger>(f); second = new AtomicReference<BigInteger>(s); } public void update(BigInteger f, BigInteger s) { // Unsafe first.set(f); second.set(s); } public BigInteger add() { // Unsafe return first.get().add(second.get()); } } |
An AtomicReference
is an object reference that can be updated atomically. However, operations that combine more than one atomic reference are not non-atomic. In this noncompliant code example, one thread may call update()
while a second thread may call add()
. This might cause the add()
method to add the new value of first
to the old value of second
, yielding an erroneous result.
Compliant Solution (
...
Method Synchronization)
This compliant solution declares the update()
and add()
methods as synchronized to guarantee atomicity. :
Code Block | ||
---|---|---|
| ||
final class Adder { // ... private final AtomicReference<BigInteger> first; private final AtomicReference<BigInteger> second; public Adder(BigInteger f, BigInteger s) { first = new AtomicReference<BigInteger>(f); second = new AtomicReference<BigInteger>(s); } public synchronized void update(BigInteger f, BigInteger s){ first.set(f); second.set(s); } public synchronized BigInteger add() { return first.get().add(second.get()); } } |
Noncompliant Code Example (synchronizedList()
)
This noncompliant code example uses a java.util.ArrayList<E>
collection, which is not thread-safe. However, the example uses Collections.synchronizedList
is used as a synchronization wrapper for the ArrayList
. An array is used It subsequently uses an array, rather than an iterator, to iterate over Arraylist
instead of an iterator the ArrayList
to avoid a ConcurrentModificationException
.
Code Block | ||
---|---|---|
| ||
final class IPHolder { private final List<InetAddress> ips = Collections.synchronizedList(new ArrayList<InetAddress>()); public void addAndPrintIPAddresses(InetAddress address) { ips.add(address); InetAddress[] addressCopy = (InetAddress[]) ips.toArray(new InetAddress[0]); // Iterate through array addressCopy ... } } |
Individually, the collection methods add()
and toArray()
collection methods are atomic. However, when they are called in succession , for example (as shown in the addAndPrintIPAddresses()
method), there are is no guarantees guarantee that the combined operation is atomic. A race condition exists in the The addAndPrintIPAddresses()
method contains a race condition that allows one thread to add to the list , and a second thread to race in and also modify the list before the first thread completes. Consequently, the addressCopy
array may contain more IP addresses then than expected.
Compliant Solution (Synchronized Block)
The The race condition can be eliminated by synchronizing on the underlying list's lock. This compliant solution encapsulates all references to the array list within synchronized blocks. :
Code Block | ||
---|---|---|
| ||
final class IPHolder { private final List<InetAddress> ips = Collections.synchronizedList(new ArrayList<InetAddress>()); public void addIPAddressaddAndPrintIPAddresses(InetAddress address) { synchronized (ips) { ips.add(address); } } public void addAndPrintIPAddresses(InetAddress[] address) { synchronized (ips) {addressCopy = addIPAddress(address); InetAddress[] addressCopy = (InetAddress[]) ips.toArray(new InetAddress[0]); // Iterate through array addressCopy ... } } } |
This technique is also called client-side locking \ [[Goetz 06|AA. Java References#Goetz 06]\], because the class holds a lock on an object that might be accessible to other classes. Client-side locking is not always an appropriate strategy; see [CON31-J. Avoid client-side locking when using classes that do not commit to their locking strategy] for more information. Goetz 2006] because the class holds a lock on an object that might be accessible to other classes. Client-side locking is not always an appropriate strategy (see LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy for more information). Wiki Markup
This code does not violate CON40 LCK04-J. Do not synchronize on a collection view if the backing collection is accessible because, because while although it does synchronize synchronizes on a collection view (the synchronizedList
result), the backing collection is inaccessible , and therefore consequently cannot be modified by any code.
Note that this compliant solution does not actually use the synchronization offered by Collections.synchronizedList()
. If no other code in this solution used it, it could be eliminated.
Noncompliant Code Example (synchronizedMap()
)
This noncompliant code example defines a class {{KeyedCounter}} which is not the Wiki Markup KeyedCounter
class that is not thread-safe. Although the {{HashMap
}} is wrapped in a {{synchronizedMap}}, the overall increment operation is not atomic \[[Lee 09|AA. Java References#Lee 09]\]. synchronizedMap()
, the overall increment operation is not atomic [Lee 2009].
Code Block | ||
---|---|---|
| ||
final class KeyedCounter { private final Map<String, Integer> map = Collections.synchronizedMap(new HashMap<String, Integer>()); public void increment(String key) { Integer old = map.get(key); int oldValue = (old == null) ? 0 : old.intValue(); if (oldValue == Integer.MAX_VALUE) { throw new ArithmeticException("Out of range"); } map.put( key, valueoldValue + 1); } public Integer getCount(String key) { return map.get(key); } } |
Compliant Solution (
...
Synchronization)
To ensure atomicity, this This compliant solution uses ensures atomicity by using an internal private lock object to synchronize the statements of the increment()
and getCount()
methods. :
Code Block | ||
---|---|---|
| ||
final class KeyedCounter { private final Map<String, Integer> map = new HashMap<String, Integer>(); private final Object lock = new Object(); public void increment(String key) { synchronized (lock) { Integer old = map.get(key); int oldValue = (old == null) ? 0 : old.intValue(); if (oldValue == Integer.MAX_VALUE) { throw new ArithmeticException("Out of range"); } map.put(key, valueoldValue + 1); } } public Integer getCount(String key) { synchronized (lock) { return map.get(key); } } } |
This compliant solution does not use avoids using Collections.synchronizedMap()
because locking on the unsynchronized map provides sufficient thread-safety for this application. The guideline CON40 LCK04-J. Do not synchronize on a collection view if the backing collection is accessible provides more information about synchronizing on synchronizedMap
objects.To prevent overflow, the caller must ensure that the increment()
method is called no more than Integer.MAX_VALUE
times for any key. Refer to INT00-J. Perform explicit range checking to ensure integer operations do not overflow for more information. ()
objects.
Compliant Solution (ConcurrentHashMap
)
The previous compliant solution is safe for multithreaded use , however, it but does not scale well because of excessive synchronization, which can lead to contention and deadlockdecreased performance.
The {{ Wiki Markup ConcurrentHashMap
}} class used in this compliant solution provides several utility methods for performing atomic operations and is often a good choice for algorithms that must scale \ [[Lee 09|AA. Java References#Lee 09]\]. Lee 2009].
Note that this compliant solution still requires synchronization, because without it, the test to prevent overflow and the increment will not happen atomically, so two threads calling increment()
can still cause overflow. The synchronization block is smaller and does not include the lookup or addition of new values, so it has less impact on performance than the previous compliant solution.
Code Block | ||
---|---|---|
| ||
final class KeyedCounter { private final ConcurrentMap<String, AtomicInteger> map = new ConcurrentHashMap<String, AtomicInteger>(); private final Object lock = new Object(); public void increment(String key) { AtomicInteger value = new AtomicInteger(); AtomicInteger old = map.putIfAbsent(key, value); if (old != null) { value = old; } synchronized (lock) { if (value.get() == Integer.MAX_VALUE) { throw new ArithmeticException("Out of range"); } value.incrementAndGet(); // Increment the value atomically } } public Integer getCount(String key) { AtomicInteger value = map.get(key); return (value == null) ? null : value.get(); } // Other accessors ... } |
According to Goetz et al. \[[Goetz 06|AA. Java References#Goetz 06]\] section to Section 5.2.1. ConcurrentHashMap, " Wiki Markup ConcurrentHashMap
," of the work of Goetz and colleagues [Goetz 2006]:
ConcurrentHashMap
, along with the other concurrent collections, further improve on the synchronized collection classes by providing iterators that do not throwConcurrentModificationException
, as a result eliminating the need to lock the collection during iteration. The iterators returned byConcurrentHashMap
are weakly consistent instead of fail-fast. A weakly consistent iterator can tolerate concurrent modification, traverses elements as they existed when the iterator was constructed, and may (but is not guaranteed to) reflect modifications to the collection after the construction of the iterator.
Note that methods such as ConcurrentHashMap.size()
and ConcurrentHashMap.isEmpty()
are allowed to return an approximate result for performance reasons. Code should not rely avoid relying on these return values for deriving when exact results are required.
Risk Assessment
Failing Failure to ensure that the atomicity of two or more operations that need to must be performed as a single atomic operation can result in in race conditions in multithreaded applications.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|
VNA03-J |
Low |
Probable |
Medium | P4 | L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation Some static analysis tools are capable of detecting violations of this rule on the CERT website.
References
...
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| JAVA.CONCURRENCY.VOLATILE | Useless volatile Modifier (Java) | ||||||
Coverity | 7.5 | ATOMICITY | Implemented | ||||||
Parasoft Jtest |
| CERT.VNA03.SSUG CERT.VNA03.MRAV | Make the get method for a field synchronized if the set method is synchronized Access related Atomic variables in a synchronized block | ||||||
ThreadSafe |
| CCE_CC_NON_ATOMIC_GCP | Implemented |
Related Guidelines
CWE-362, Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition") |
Bibliography
[API 2014] | |
Section |
...
4.4.1, |
...
"Client-side |
...
Locking" |
...
|
...
5.2.1, |
...
" | |
Section 8.2, Synchronization and Collection Classes | |
[Lee 2009] | Map & Compound Operation |
...
\[[Lee 09|AA. Java References#Lee 09]\] "Map & Compound Operation"VOID CON06-J. Do not defer a thread that is holding a lock 11. Concurrency (CON)