Mutexes are used to prevent multiple threads from causing a data race by accessing shared resources at the same time. Sometimes, when locking mutexes, multiple threads hold each other's lock, and the program consequently deadlocks. Four conditions are required for deadlock to occur:
...
Noncompliant Code Example
This The behavior of this noncompliant code example has behavior that depends on the runtime environment and the platform's scheduler. However, with proper timing, the main()
function will deadlock when running thr1
and thr2
. Thread thr1
tries The program is susceptible to deadlock if thread thr1
attempts to lock ba2
's mutex , while thr2
tries at the same time thread thr2
attempts to lock ba1
's mutex in the deposit()
function, and the program will hang.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> #include <threads.h> typedef struct { int balance; mtx_t balance_mutex; } bank_account; typedef struct { bank_account *from; bank_account *to; int amount; } transaction; void create_bank_account(bank_account **ba, int initial_amount) { bank_account *nba = (bank_account *) int initial_amount) { bank_account *nba = (bank_account *)malloc( sizeof(bank_account) ); if (nba == NULL) { /* Handle error */ } nba->balance = initial_amount; if (thrd_success != mtx_init(&nba->balance_mutex, mtx_plain)) { /* Handle error */ } *ba = nba; } int deposit(void *ptr) { transaction *args = (transaction *)ptr; if (thrd_success != mtx_lock(&(args->from->balance_mutex))) { /* Handle error */ } /* Not enough balance to transfer */ if (args->from->balance < args->amount) { if (thrd_success != mtx_unlock(&(args->from->balance_mutex))) { /* Handle error */ } return -1; /* Indicate error */ } if (thrd_success != mtx_lock(&(args->to->balance_mutex))) { /* Handle error */ } args->from->balance -= args->amount; args->to->balance += args->amount; if (thrd_success != mtx_unlock(&(args->from->balance_mutex))) { /* Handle error */ } if (thrd_success != mtx_unlock(&(args->to->balance_mutex))) { /* Handle error */ } free(ptr); return 0; } int main(void) { thrd_t thr1, thr2; transaction *arg1; transaction *arg2; bank_account *ba1; bank_account *ba2; create_bank_account(&ba1, 1000); create_bank_account(&ba2, 1000); arg1 = (transaction *)malloc(sizeof(transaction)); if (arg1 == NULL) { /* Handle error */ } arg2 = (transaction *)malloc(sizeof(transaction)); if (arg2 == NULL) { /* Handle error */ } arg1->from = ba1; arg1->to = ba2; arg1->amount = 100; arg2->from = ba2; arg2->to = ba1; arg2->amount = 100; /* Perform the deposits */ if (thrd_success != thrd_create(&thr1, deposit, (void *)arg1)) { /* Handle error */ } if (thrd_success != thrd_create(&thr2, deposit, (void *)arg2)) { /* Handle error */ } return 0; } |
Compliant Solution
This compliant solution eliminates the circular wait condition by establishing a predefined order for locking in the deposit()
function. Each thread will lock on the basis of the bank_account
ID, which is set when the bank_account struct
is initialized.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> #include <threads.h> typedef struct { int balance; mtx_t balance_mutex; /* Should nevernot be changedchange after initializedinitialization */ unsigned int id; } bank_account; typedef struct { bank_account *from; bank_account *to; int amount; } transaction; unsigned int global_id = 1; void create_bank_account(bank_account **ba, int initial_amount) { bank_account *nba = (bank_account *) int initial_amount) { bank_account *nba = (bank_account *)malloc( sizeof(bank_account) ); if (nba == NULL) { /* Handle error */ } nba->balance = initial_amount; if (thrd_success != mtx_init(&nba->balance_mutex, mtx_plain)) { /* Handle error */ } nba->id = global_id++; *ba = nba; } int deposit(void *ptr) { transaction *args = (transaction *)ptr; int result = -1; mtx_t *first; mtx_t *second; if (args->from->id == args->to->id) { return -1; /* Indicate error */ } /* Ensure proper ordering for locking */ if (args->from->id < args->to->id) { first = &args->from->balance_mutex; second = &args->to->balance_mutex; } else { first = &args->to->balance_mutex; second = &args->from->balance_mutex; } if (thrd_success != mtx_lock(first)) { /* Handle error */ } if (thrd_success != mtx_lock(second)) { /* Handle error */ } /* Not enough balance to transfer */ if (args->from->balance >= args->amount) { args->from->balance -= args->amount; args->to->balance += args->amount; result = 0; } if (thrd_success != mtx_unlock(second)) { /* Handle error */ } if (thrd_success != mtx_unlock(first)) { /* Handle error */ } free(ptr); returnreturn result; } |
Risk Assessment
Deadlock prevents multiple threads from progressing; , halting program execution. A denial-of-service attack is possible because if the attacker can force deadlock situations. Deadlock is likely to occur in multithreaded programs that manage multiple shared resourcescreate the conditions for deadlock.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
CON35-C | Low | Probable | Medium | P4 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| deadlock | Supported by sound analysis (deadlock alarm) | ||||||
CodeSonar |
| CONCURRENCY.LOCK.ORDER | Conflicting lock order | ||||||
Coverity |
...
| ORDER_REVERSAL | Fully implemented | |||||||
Cppcheck Premium |
| premium-cert-con35-c | Partially implemented | ||||||
Helix QAC |
| C1772, C1773 | |||||||
Klocwork |
| CONC.DL | |||||||
Parasoft C/C++test |
| CERT_C-CON35-a | Do not acquire locks in different order | ||||||
PC-lint Plus |
| 2462 | Fully supported | ||||||
Polyspace Bug Finder |
| CERT C: Rule CON35-C | Checks for deadlock (rule partially covered) |
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT Oracle Secure Coding Standard for Java | LCK07-J. Avoid deadlock by requesting and releasing locks in the same order |
Prior to 2018-01-12: CERT: Unspecified Relationship |
...