| Wiki Markup |
|---|
Compound operations on shared variables (consisting of more than one discrete operation) must be performed atomically. Errors can arise from compound operations that need to be perceived atomically but are not \[[JLS 05|AA. Java References#JLS 05]\]. |
Compound assignment expressions include operators Compound operations are operations that consist of more than one discrete operation. Expressions that include postfix or prefix increment (++), postfix or prefix decrement (--), or compound assignment operators always result in compound operations. Compound assignment expressions use operators such as *=, /=, %=, +=, -=, <<=, >>=, >>>=, ^=, or and |=. The postfix and prefix increment (++) and decrement (--) operations can also be treated as compound expressions. [JLS 2015]. Compound operations on shared variables must be performed atomically to prevent data races and race conditions.
For information about the For atomicity of a grouping of calls to independently atomic methods of the existing Java APIthat belong to thread-safe classes, see CON07VNA03-J. Do not assume that a grouping group of calls to independently atomic methods is atomic.
The Java Language Specification also permits reads and writes of 64-bit values to be non-atomic though this is not an issue with most modern JVMs (see CON25(see rule VNA05-J. Ensure atomicity when reading and writing 64-bit values).
Noncompliant Code Example (
...
Logical Negation)
This noncompliant code example declares a shared boolean flag variable flag and uses an optimization in the and provides a toggle() method to negate that negates the current value of the flag.:
| Code Block | ||
|---|---|---|
| ||
final class FooFlag { private boolean flag = true; public void toggle() { // unsafeUnsafe flag ^= true; // same as flag = !flag; } public boolean getFlag() { // unsafe Unsafe return flag; } } |
However, Execution of this code is not thread-safe. Multiple threads may not observe the latest state of the flag because ^= constitutes a non-atomic operation.may result in a data race because the value of flag is read, negated, and written back.
Consider, for example, For example, consider two threads that call toggle(). Theoretically the The expected effect of toggling flag twice should restore is that it is restored to its original value. But However, the following scenario could occur, leaving leaves flag in the wrong incorrect state.:
Time |
|---|
flag= | Thread | Action |
|---|---|---|
1 | true | t1 |
Reads the current value of | ||
2 | true | t2 |
Reads the current value of | ||
3 | true | t1 |
Toggles the temporary variable to false | ||
4 | true | t2 |
Toggles the temporary variable to false | ||
5 | false | t1 |
Writes the temporary variable's value to | ||
6 | false | t2 |
Writes the temporary variable's value to |
As a result, the effect of the call by t1 2 is not reflected in flag; the program behaves as if the call was never made toggle() was called only once, not twice.
Noncompliant Code Example (
...
Bitwise Negation)
The toggle() method may also use the compound assignment operator ^= to negate the current value of flag:This noncompliant code example derives from the preceding one but declares the flag as volatile.
| Code Block | ||
|---|---|---|
| ||
final class FooFlag { private volatile boolean flag = true; public void toggle() { // unsafeUnsafe flag ^= true; // Same as flag = !flag; } public boolean getFlag() { // safeUnsafe return flag; } } |
It is still insecure for multithreaded use because volatile does not guarantee the visibility of updates to the shared variable flag when a compound operation is performed.
Compliant Solution (synchronization)
This code is also not thread-safe. A data race exists because ^= is a non-atomic compound operation.
Noncompliant Code Example (Volatile)
Declaring flag volatile also fails to solve the problem:This compliant solution synchronized the toggle() method to ensure that the flag is made visible to all the threads.
| Code Block | ||
|---|---|---|
| ||
final class FooFlag { private volatile boolean flag = true; public synchronized void toggle() { // Unsafe flag ^= true; // same as flag = !flag; } public synchronized boolean getFlag() { // Safe return flag; } } |
Compliant Solution (java.util.concurrent.atomic.AtomicBoolean)
This code remains unsuitable for multithreaded use because declaring a variable volatile fails to guarantee the atomicity of compound operations on the variable.
Compliant Solution (Synchronization)
This compliant solution declares both the toggle() and getFlag() methods as synchronized:This compliant solution uses the java.util.concurrent.atomic.AtomicBoolean type to declare the flag.
| Code Block | ||
|---|---|---|
| ||
final class FooFlag { private AtomicBooleanboolean flag = new AtomicBoolean(true)true; public synchronized void toggle() { flag boolean^= temptrue; // Same as do {flag = !flag; } public synchronized temp = flag.getboolean getFlag(); { }return while(!flag.compareAndSet(temp, !temp)); } public AtomicBoolean getFlag() { return flag; flag; } } |
It ensures that updates to the variable are carried out by using the compareAndSet() method of the class AtomicBoolean. All updates are made visible to other threads.
Noncompliant Code Example (addition)
In this noncompliant code example, the two fields a and b may be set by multiple threads, using the setValues() method.
| Code Block | ||
|---|---|---|
| ||
class Adder {
private int a;
private int b;
public int getSum() {
return a + b;
}
public void setValues(int a, int b) {
this.a = a;
this.b = b;
}
}
|
The getSum() method may return a different sum every time it is invoked from different threads. For instance, if a and b currently have the value 0, and one thread calls getSum() while another calls setValues(1, 1), then getSum() might return 0, 1, or 2. Of these, the value 1 is unacceptable; it is returned when the first thread reads a and b, after the second thread has set the value of a but before it has set the value of b.
Note that declaring the variables as volatile does not resolve the issue. Also, this code does not prevent integer overflow. See INT00-J. Perform explicit range checking to ensure integer operations do not overflow for more information.
Noncompliant Code Example (overflow check, atomic integer fields)
The issues described in the previous noncompliant code example can also arise when the fields a and b of type int are replaced with atomic integers.
This solution guards reads and writes to the flag field with a lock on the instance, that is, this. Furthermore, synchronization ensures that changes are visible to all threads. Now, only two execution orders are possible, one of which is shown in the following scenario:
Time | flag= | Thread | Action |
|---|---|---|---|
1 | true | t1 | Reads the current value of |
2 | true | t1 | Toggles the temporary variable to false |
3 | false | t1 | Writes the temporary variable's value to |
4 | false | t2 | Reads the current value of |
5 | false | t2 | Toggles the temporary variable to true |
6 | true | t2 | Writes the temporary variable's value to |
The second execution order involves the same operations, but t2 starts and finishes before t1.
Compliance with LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code can reduce the likelihood of misuse by ensuring that untrusted callers cannot access the lock object.
Compliant Solution (Volatile-Read, Synchronized-Write)
In this compliant solution, the getFlag() method is not synchronized, and flag is declared as volatile. This solution is compliant because the read of flag in the getFlag() method is an atomic operation and the volatile qualification assures visibility. The toggle() method still requires synchronization because it performs a non-atomic operation.
| Code Block | ||
|---|---|---|
| ||
final class Flag {
private volatile boolean flag = true;
public synchronized void toggle() {
flag ^= true; // Same as flag = !flag;
}
public boolean getFlag() {
return flag;
}
}
|
This approach must not be used for getter methods that perform any additional operations other than returning the value of a volatile field without use of synchronization. Unless read performance is critical, this technique may lack significant advantages over synchronization [Goetz 2006].
Compliant Solution (Read-Write Lock)
This compliant solution uses a read-write lock to ensure atomicity and visibility:
| Code Block | ||
|---|---|---|
| ||
final class Flag {
private boolean flag = true;
private final ReadWriteLock lock = new ReentrantReadWriteLock();
private final Lock readLock = lock.readLock();
private final Lock writeLock = lock.writeLock(); | ||
| Code Block | ||
| ||
class Adder { private final AtomicInteger a = new AtomicInteger(); private final AtomicInteger b = new AtomicInteger(); public int getSum() throws ArithmeticException { // Check for integer overflow if( b.get() > 0 ? a.get() > Integer.MAX_VALUE - b.get() : a.get() < Integer.MIN_VALUE - b.get() ) { throw new ArithmeticException("Not in range"); } return a.get() + b.get(); // or, return a.getAndAdd(b.get()); } public void setValues(int a, int btoggle() { thiswriteLock.a.setlock(a); this.b.set(b); } } |
For example, when a thread is executing setValues() another may invoke getSum() and retrieve an incorrect result. Furthermore, in the absence of synchronization, there are data races in the check for integer overflow. For instance, a thread can call setValues() after a second thread has read a, but before it has read b in order to add them together; in which case, the second thread will get an improper addition. Even worse, a thread can call setValues() after a second thread has verified that overflow will not occur, but before the second thread reads the values to add. This would cause the second thread to add two values that have not been checked for overflow, and overflow when adding them.
Note that even though a check for integer overflow is installed, there is a time-of-check-time-of-use (TOCTOU) condition between the overflow check and the addition operation.
Compliant Solution (addition, synchronized)
This compliant solution synchronizes the setValues() and getSum() methods so that the entire operation is atomic.
| Code Block | ||
|---|---|---|
| ||
class Adder {
private int a;
private int b;
public synchronized int getSum() throws ArithmeticException {
// Check for integer overflow
if( b > 0 ? a > Integer.MAX_VALUE - b : a < Integer.MIN_VALUE - b ) {
throw new ArithmeticException("Not in range");
}
return a + b;
}
public synchronized void setValues(int a, int b) {
this.a = a;
this.b = b;
}
}
|
Unlike the noncompliant code example, if a and b currently have the value 0, and one thread calls getSum() while another calls setValues(1, 1), getSum() may return return 0, or 2, depending on which thread obtains the intrinsic lock first. The locking guarantees that getSum() will never return the unacceptable value 1.
This compliant solution also ensures that there is no TOCTOU condition between checking for overflow and adding the fields.
Risk Assessment
If operations on shared variables are not atomic, unexpected results may be produced. For example, there can be inadvertent information disclosure as one user may be able to receive information about other users.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON01- J | medium | probable | medium | P8 | L2 |
Automated Detection
Dynamic analysis tools with a Java concurrency focus, such as SureLogic Flashlight and Coverity Dynamic Analysis will uncover the race conditions shown in the noncompliant code examples above. To accomplish this, however, these tools would have to observe the noncompliant code being called by two or more threads. Such as in an integration or stress test environment. These tools use a dynamic lockset analysis to detect race conditions. This analysis intersects the set of locks that are observed to be held when each piece of shared state in the program is accessed. If the lockset for a piece of shared state is empty then a race condition may have been observed and the tool reports this to the use.
Heurisitics-based static analysis tools, such as FindBugs and PMD, do not detect problems with the noncompliant solutions shown above without some "hint" that the program code is intended to be thread-safe. For example, consider the compliant code below where the use of a synchronized method is a hint to the analysis tool that the class is intended to be used concurrently.
...
public class Foo {
private boolean flag = true;
public synchronized boolean toggleAndGet() {
flag ^= true; // same as flag = !flag;
return flag;
}
}
try {
flag ^= true; // Same as flag = !flag;
} finally {
writeLock.unlock();
}
}
public boolean getFlag() {
readLock.lock();
try {
return flag;
} finally {
readLock.unlock();
}
}
}
|
Read-write locks allow shared state to be accessed by multiple readers or a single writer but never both. According to Goetz [Goetz 2006]:
In practice, read-write locks can improve performance for frequently accessed read-mostly data structures on multiprocessor systems; under other conditions they perform slightly worse than exclusive locks due to their greater complexity.
Profiling the application can determine the suitability of read-write locks.
Compliant Solution (AtomicBoolean)
This compliant solution declares flag to be of type AtomicBoolean:
| Code Block | ||
|---|---|---|
| ||
import java.util.concurrent.atomic.AtomicBoolean;
final class Flag {
private AtomicBoolean flag = new AtomicBoolean(true);
public void toggle() {
boolean temp;
do {
temp = flag.get();
} while (!flag.compareAndSet(temp, !temp));
}
public AtomicBoolean getFlag() {
return flag;
}
}
|
The flag variable is updated using the compareAndSet() method of the AtomicBoolean class. All updates are visible to other threads.
Noncompliant Code Example (Addition of Primitives)
In this noncompliant code example, multiple threads can invoke the setValues() method to set the a and b fields. Because this class fails to test for integer overflow, users of the Adder class must ensure that the arguments to the setValues() method can be added without overflow (see NUM00-J. Detect or prevent integer overflow for more information).
| Code Block | ||
|---|---|---|
| ||
final class Adder {
private int a;
private int b;
public int getSum() {
return a + b;
}
public void setValues(int a, int b) {
this.a = a;
this.b = b;
}
}
|
The getSum() method contains a race condition. For example, when a and b currently have the values 0 and Integer.MAX_VALUE, respectively, and one thread calls getSum() while another calls setValues(Integer.MAX_VALUE, 0), the getSum() method might return either 0 or Integer.MAX_VALUE, or it might overflow. Overflow will occur when the first thread reads a and b after the second thread has set the value of a to Integer.MAX_VALUE but before it has set the value of b to 0.
Note that declaring the variables as volatile fails to resolve the issue because these compound operations involve reads and writes of multiple variables.
Noncompliant Code Example (Addition of Atomic Integers)
In this noncompliant code example, a and b are replaced with atomic integers:
| Code Block | ||
|---|---|---|
| ||
final class Adder {
private final AtomicInteger a = new AtomicInteger();
private final AtomicInteger b = new AtomicInteger();
public int getSum() {
return a.get() + b.get();
}
public void setValues(int a, int b) {
this.a.set(a);
this.b.set(b);
}
}
|
The simple replacement of the two int fields with atomic integers fails to eliminate the race condition because the compound operation a.get() + b.get() is still non-atomic.
Compliant Solution (Addition)
This compliant solution synchronizes the setValues() and getSum() methods to ensure atomicity:
| Code Block | ||
|---|---|---|
| ||
final class Adder {
private int a;
private int b |
FindBugs and PMD will not report a warning about this implementation as they do not note any problems.
SureLogic JSure, an analysis-based verification tool, will complain that the lock is unknown to the tool and ask the user to annotate what state the lock protects, i.e., the tool wants to know the locking policy that the programmer intends for this class. To express this intent, the programmer adds two annotations:
| Code Block | ||
|---|---|---|
| java | java | @RegionLock("FlagLock is this protects flag") @Promise("@Unique(return) for new()") public class Foo { private boolean flag = true; public synchronized booleanint toggleAndGetgetSum() { flag// ^=Check true;for //overflow same as flag = !flag; return flag return a + b; } public synchronized void setValues(int a, int b) { this.a = a; this.b = b; } } |
The @RegionLock annotation creates a locking policy, named FlagLock, that specifies that reads and writes to the field flag are to be guarded by a lock on the receiver, i.e., this. The second annotation, @Promise is used to place an annotation on the default constructor generated by the compiler. The @Unique("return") annotation promises that the receiver is not aliased during object construction, i.e., that a race condition cannot occur during construction. (CON14-J. Do not let the "this" reference escape during object construction provides further details.) If the constructor was explicit in the code then the annotations would be:
...
@RegionLock("FlagLock is this protects flag")
public class Foo {
private boolean flag;
@Unique("return")
public Foo() {
flag = true;
}
public synchronized boolean toggleAndGet() {
flag ^= true; // same as flag = !flag;
return flag;
}
}
The JSure verification tool provides a strong assurance that the annotated model holds for all possible executions of the program. If the below noncompliant code is later added to the class,
...
public boolean getValue() {
return flag;
}
then JSure will report the violation of the locking policy to the user.
If the noncompliant getValue() method shown above is defined in the code for Foo, then FindBugs can also report a problem, again if the locking model is annotated. However, it uses a different annotation than JSure.
...
public class Foo {
@GuardedBy("this")
private boolean flag = true;
public synchronized boolean toggleAndGet() {
flag ^= true; // same as flag = !flag;
return flag;
}
public boolean getValue() {
return flag;
}
}
operations within the synchronized methods are now atomic with respect to other synchronized methods that lock on that object's monitor (that is, its intrinsic lock). It is now possible, for example, to add overflow checking to the synchronized getSum() method without introducing the possibility of a race condition.
Risk Assessment
When operations on shared variables are not atomic, unexpected results can be produced. For example, information can be disclosed inadvertently because one user can receive information about other users.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
VNA02-J | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Some available static analysis tools can detect the instances of non-atomic update of a concurrently shared value. The result of the update is determined by the interleaving of thread execution. These tools can detect the instances where thread-shared data is accessed without holding an appropriate lock, possibly causing a race condition.
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar | 4.2 | FB.MT_CORRECTNESS.IS2_INCONSISTENT_SYNC FB.MT_CORRECTNESS.IS_FIELD_NOT_GUARDED FB.MT_CORRECTNESS.STCAL_INVOKE_ON_STATIC_CALENDAR_INSTANCE FB.MT_CORRECTNESS.STCAL_INVOKE_ON_STATIC_DATE_FORMAT_INSTANCE FB.MT_CORRECTNESS.STCAL_STATIC_CALENDAR_INSTANCE FB.MT_CORRECTNESS.STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE | Inconsistent synchronization Field not guarded against concurrent access Call to static Calendar Call to static DateFormat Static Calendar field Static DateFormat | ||||||
| Coverity | 7.5 | GUARDED_BY_VIOLATION | Implemented | ||||||
| Parasoft Jtest |
| CERT.VNA02.SSUG CERT.VNA02.MRAV | Make the get method for a field synchronized if the set method is synchronized Access related Atomic variables in a synchronized block | ||||||
| PVS-Studio |
| V6074 | |||||||
| ThreadSafe |
| CCE_SL_INCONSISTENT | Implemented |
Related Guidelines
CWE-366, Race Condition within a Thread |
Bibliography
[API 2014] | |
Item 66, "Synchronize Access to Shared Mutable Iata" | |
Section 2.3, "Locking" | |
[JLS 2015] | Chapter 17, "Threads and Locks" |
[Lea 2000] | Section 2.1.1.1, "Objects and Locks" |
...
With the @GuardedBy annotation in place, and only with this annotation in place, FindBugs reports that the field is not guarded against concurrent access in the getValue() method.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[API 06|AA. Java References#API 06]\] Class AtomicInteger
\[[JLS 05|AA. Java References#JLS 05]\] [Chapter 17, Threads and Locks|http://java.sun.com/docs/books/jls/third_edition/html/memory.html], section 17.4.5 Happens-before Order, section 17.4.3 Programs and Program Order, section 17.4.8 Executions and Causality Requirements
\[[Tutorials 08|AA. Java References#Tutorials 08]\] [Java Concurrency Tutorial|http://java.sun.com/docs/books/tutorial/essential/concurrency/index.html]
\[[Lea 00|AA. Java References#Lea 00]\] Sections, 2.2.7 The Java Memory Model, 2.2.5 Deadlock, 2.1.1.1 Objects and locks
\[[Bloch 08|AA. Java References#Bloch 08]\] Item 66: Synchronize access to shared mutable data
\[[Daconta 03|AA. Java References#Daconta 03]\] Item 31: Instance Variables in Servlets
\[[JavaThreads 04|AA. Java References#JavaThreads 04]\] Section 5.2 Atomic Variables
\[[Goetz 06|AA. Java References#Goetz 06]\] 2.3. "Locking"
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 667|http://cwe.mitre.org/data/definitions/667.html] "Insufficient Locking", [CWE ID 413|http://cwe.mitre.org/data/definitions/413.html] "Insufficient Resource Locking", [CWE ID 366|http://cwe.mitre.org/data/definitions/366.html] "Race Condition within a Thread", [CWE ID 567|http://cwe.mitre.org/data/definitions/567.html] "Unsynchronized Access to Shared Data" |
11. Concurrency (CON) 11. Concurrency (CON) CON02-J. Always synchronize on the appropriate object