UNDER CONSTRUCTION
Both thread safety and liveness are concerns when using condition variables. The thread-safety property requires that all objects maintain consistent states in a multithreaded environment [Lea 2000]. The liveness property requires that every operation or function invocation execute to completion without interruption; for example, there is no deadlock.
Condition variables must be used inside a while loop. (see See CON54-CPP. Wrap functions that can spuriously wake up in a loop for more information.) . To guarantee liveness, programs must test the while loop condition before invoking the condition_variable::wait() member function. This early test checks whether another thread has already satisfied the condition predicate and has sent a notification. Invoking wait() after the notification has been sent results in indefinite blocking.
...
The notify_one() member function unblocks one of the threads that are blocked on the specified condition variable at the time of the call. If multiple threads are waiting on the same condition variable, the scheduler can select any of those threads to be awakened (assuming that all threads have the same priority level).
The notify_all() member function unblocks all of the threads that are blocked on the specified condition variable at the time of the call. The order in which threads execute following a call to notify_all() is unspecified. Consequently, an unrelated thread could start executing, discover that its condition predicate is satisfied, and resume execution even though it was supposed to remain dormant.
For these reasons, threads must check the condition predicate after the wait() function returns. A while loop is the best choice for checking the condition predicate both before and after invoking wait().
...
This noncompliant code example uses five threads that are intended to execute sequentially according to the step level assigned to each thread when it is created (serialized processing). The current_step currentStep variable holds the current step level and is incremented when the respective thread completes. Finally, another thread is signaled so that the next step can be executed. Each thread waits until its step level is ready, and the wait() call is wrapped inside a while loop, in compliance with CON54-CPP. Wrap functions that can spuriously wake up in a loop.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h><condition_variable> #include <threads.h> enum { NTHREADS = 5 }; mtx_t<iostream> #include <mutex> #include <thread> std::mutex mutex; cnd_tstd::condition_variable cond; intvoid run_step(void *tsize_t myStep) { static int current_stepsize_t currentStep = 0; size_t my_step = *(size_t *)tstd::unique_lock<std::mutex> lk(mutex); std::cout if (thrd_success != mtx_lock(&mutex)) { /* Handle error */ } printf("Thread %zu<< "Thread " << myStep << " has the lock\n", my_step); << std::endl; while (current_stepcurrentStep != my_step)myStep) { printf(std::cout << "Thread %zu" << myStep << " is sleeping...\n", my_step); << std::endl; if (thrd_success != wait(&cond, &mutex)) { /* Handle error */ } printf("Thread %zu woke up\n", my_step); } /* Do processing ... */ printf("Thread %zucond.wait(lk); std::cout << "Thread " << myStep << " woke up" << std::endl; } // Do processing... std::cout << "Thread " << myStep << " is processing...\n", my_step) << std::endl; current_stepcurrentStep++; /*/ Signal awaiting task */. if (thrd_success != cond.notify_one(&cond)) {); std::cout << /*"Thread Handle" error<< */ } printf("Thread %zumyStep << " is exiting...\n", my_step); if (thrd_success != mtx_unlock(&mutex)) << std::endl; } int main() { constexpr size_t /*numThreads Handle= error */ } return 0; } int main(void5; std::thread threads[numThreads]; // Create threads. for (size_t i = 0; i < numThreads; ++i) { thrd_t threads[NTHREADSi]; size_t step[NTHREADS]; if (thrd_success != mtx_init(&mutex, mtx_plain)) { /* Handle error */ } if (thrd_success != cnd_init(&cond)= std::thread(run_step, i); } // Wait for all threads to complete. for (size_t i = numThreads; i != 0; --i) { /* Handle error */threads[i - 1].join(); } /* Create threads */ for (size_t i = 0; i < NTHREADS; ++i) { step[i] = i; if (thrd_success != thrd_create(&threads[i], run_step, &step[i])) { /* Handle error */ } } /* Wait for all threads to complete */ for (size_t i = NTHREADS; i != 0; --i) { if (thrd_success != thrd_join(threads[i-1], NULL)) { /* Handle error */ } } mtx_destroy(&mutex); cnd_destroy(&cond); return 0; } |
In this example, all threads share a condition variable. Each thread has its own distinct condition predicate because each thread requires current_step to have a different value before proceeding. When the condition variable is signaled, any of the waiting threads can wake up. The following table illustrates a possible scenario in which the liveness property is violated. If, by chance, the notified thread is not the thread with the next step value, that thread will wait again. No additional notifications can occur, and eventually the pool of available threads will be exhausted.
Deadlock: Out-of-Sequence Step Value
Time | Thread # |
| Action |
|---|---|---|---|
0 | 3 | 0 | Thread 3 executes first time: predicate is |
1 | 2 | 0 | Thread 2 executes first time: predicate is |
2 | 4 | 0 | Thread 4 executes first time: predicate is |
3 | 0 | 0 | Thread 0 executes first time: predicate is |
4 | 1 | 1 | Thread 1 executes first time: predicate is |
5 | 3 | 2 | Thread 3 wakes up (scheduler choice): predicate is |
6 | — | — | Thread exhaustion! No more threads to run, and a conditional variable signal is needed to wake up the others |
This noncompliant code example violates the liveness property.
Compliant Solution (notify_all())
This compliant solution uses notify_all() to signal all waiting threads instead of a single random thread. Only the run_step() thread code from the noncompliant code example is modified, as follows:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
#include <threads.h>
mtx_t mutex;
cnd_t cond;
int run_step(void *t) {
static size_t current_step = 0;
size_t my_step = *(size_t *)t;
if (thrd_success != mtx_lock(&mutex)) {
/* Handle error */
}
printf("Thread %zu has the lock\n", my_step);
while (current_step != my_step) {
printf("Thread %zu is sleeping...\n", my_step);
if (thrd_success != wait(&cond, &mutex)) {
/* Handle error */
}
printf("Thread %zu woke up\n", my_step);
}
/* Do processing ... */
printf("Thread %zu is processing...\n", my_step);
current_step++;
/* Signal ALL waiting tasks */
if (thrd_success != notify_all(&cond)) {
/* Handle error */
}
printf("Thread %zu is exiting...\n", my_step);
if (thrd_success != mtx_unlock(&mutex)) {
/* Handle error */
}
return 0;
} |
Awakening all threads guarantees the liveness property because each thread will execute its condition predicate test, and exactly one will succeed and continue execution.
Compliant Solution (Using notify_one() with a Unique Condition Variable per Thread)
Another compliant solution is to use a unique condition variable for each thread (all associated with the same mutex). In this case, notify_one() wakes up only the thread that is waiting on it. This solution is more efficient than using notify_all() because only the desired thread is awakened.
Note that the condition predicate of the signaled thread must be true; otherwise, a deadlock will occur.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
#include <threads.h>
enum { NTHREADS = 5 };
mtx_t mutex;
cnd_t cond[NTHREADS];
int run_step(void *t) {
static size_t current_step = 0;
size_t my_step = *(size_t *)t;
if (thrd_success != mtx_lock(&mutex)) {
/* Handle error */
}
printf("Thread %zu has the lock\n", my_step);
while (current_step != my_step) {
printf("Thread %zu is sleeping...\n", my_step);
if (thrd_success != wait(&cond[my_step], &mutex)) {
/* Handle error */
}
printf("Thread %zu woke up\n", my_step);
}
/* Do processing ... */
printf("Thread %zu is processing...\n", my_step);
current_step++;
/* Signal next step thread */
if ((my_step + 1) < NTHREADS) {
if (thrd_success != notify_one(&cond[my_step + 1])) {
/* Handle error */
}
}
printf("Thread %zu is exiting...\n", my_step);
if (thrd_success != mtx_unlock(&mutex)) {
/* Handle error */
}
return 0;
}
int main(void) {
thrd_t threads[NTHREADS];
size_t step[NTHREADS];
if (thrd_success != mtx_init(&mutex, mtx_plain)) {
/* Handle error */
}
for (size_t i = 0; i< NTHREADS; ++i) {
if (thrd_success != cnd_init(&cond[i])) {
/* Handle error */
}
}
/* Create threads */
for (size_t i = 0; i < NTHREADS; ++i) {
step[i] = i;
if (thrd_success != thrd_create(&threads[i], run_step,
&step[i])) {
/* Handle error */
}
}
/* Wait for all threads to complete */
for (size_t i = NTHREADS; i != 0; --i) {
if (thrd_success != thrd_join(threads[i-1], NULL)) {
/* Handle error */
}
}
mtx_destroy(&mutex);
for (size_t i = 0; i < NTHREADS; ++i) {
cnd_destroy(&cond[i]);
}
return 0;
} |
Risk Assessment
Failing to preserve the thread safety and liveness of a program when using condition variables can lead to indefinite blocking and denial of service (DoS).
} |
In this example, all threads share a single condition variable. Each thread has its own distinct condition predicate because each thread requires currentStep to have a different value before proceeding. When the condition variable is signaled, any of the waiting threads can wake up. The following table illustrates a possible scenario in which the liveness property is violated. If, by chance, the notified thread is not the thread with the next step value, that thread will wait again. No additional notifications can occur, and eventually the pool of available threads will be exhausted.
Deadlock: Out-of-Sequence Step Value
Time | Thread # |
| Action |
|---|---|---|---|
0 | 3 | 0 | Thread 3 executes the first time: the predicate is |
1 | 2 | 0 | Thread 2 executes the first time: the predicate is |
2 | 4 | 0 | Thread 4 executes the first time: the predicate is |
3 | 0 | 0 | Thread 0 executes the first time: the predicate is |
4 | 1 | 1 | Thread 1 executes the first time: the predicate is |
5 | 3 | 2 | Thread 3 wakes up (scheduler choice): the predicate is |
6 | — | — | Thread exhaustion! There are no more threads to run, and a conditional variable signal is needed to wake up the others. |
This noncompliant code example violates the liveness property.
Compliant Solution (notify_all())
This compliant solution uses notify_all() to signal all waiting threads instead of a single random thread. Only the run_step() thread code from the noncompliant code example is modified.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <condition_variable>
#include <iostream>
#include <mutex>
#include <thread>
std::mutex mutex;
std::condition_variable cond;
void run_step(size_t myStep) {
static size_t currentStep = 0;
std::unique_lock<std::mutex> lk(mutex);
std::cout << "Thread " << myStep << " has the lock" << std::endl;
while (currentStep != myStep) {
std::cout << "Thread " << myStep << " is sleeping..." << std::endl;
cond.wait(lk);
std::cout << "Thread " << myStep << " woke up" << std::endl;
}
// Do processing ...
std::cout << "Thread " << myStep << " is processing..." << std::endl;
currentStep++;
// Signal ALL waiting tasks.
cond.notify_all();
std::cout << "Thread " << myStep << " is exiting..." << std::endl;
}
// ... main() unchanged ... |
Awakening all threads guarantees the liveness property because each thread will execute its condition predicate test, and exactly one will succeed and continue execution.
Compliant Solution (Using notify_one() with a Unique Condition Variable per Thread)
Another compliant solution is to use a unique condition variable for each thread (all associated with the same mutex). In this case, notify_one() wakes up only the thread that is waiting on it. This solution is more efficient than using notify_all() because only the desired thread is awakened.
The condition predicate of the signaled thread must be true; otherwise, a deadlock will occur.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <condition_variable>
#include <iostream>
#include <mutex>
#include <thread>
constexpr size_t numThreads = 5;
std::mutex mutex;
std::condition_variable cond[numThreads];
void run_step(size_t myStep) {
static size_t currentStep = 0;
std::unique_lock<std::mutex> lk(mutex);
std::cout << "Thread " << myStep << " has the lock" << std::endl;
while (currentStep != myStep) {
std::cout << "Thread " << myStep << " is sleeping..." << std::endl;
cond[myStep].wait(lk);
std::cout << "Thread " << myStep << " woke up" << std::endl;
}
// Do processing ...
std::cout << "Thread " << myStep << " is processing..." << std::endl;
currentStep++;
// Signal next step thread.
if ((myStep + 1) < numThreads) {
cond[myStep + 1].notify_one();
}
std::cout << "Thread " << myStep << " is exiting..." << std::endl;
}
// ... main() unchanged ... |
Risk Assessment
Failing to preserve the thread safety and liveness of a program when using condition variables can lead to indefinite blocking and denial of service (DoS).
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON55-CPP | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| CONCURRENCY.BADFUNC.CNDSIGNAL | Use of Condition Variable Signal | ||||||
| Helix QAC |
| C++1778, C++1779 | |||||||
| Klocwork |
| CERT.CONC.UNSAFE_COND_VAR | |||||||
| Parasoft C/C++test |
| CERT_CPP-CON55-a | Do not use the 'notify_one()' function when multiple threads are waiting on the same condition variable | ||||||
| Polyspace Bug Finder |
| Checks for multiple threads waiting for same condition variable (rule fully covered) |
Rule
Severity
Likelihood
Remediation Cost
Priority
Level
CON55-CPP
Low
Unlikely
Medium
P2
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
| [IEEE Std 1003.1:2013] | XSH, System Interfaces, pthread_cond_broadcastXSH, System Interfaces, pthread_cond_signal |
| [Lea 2000] |
...
...