You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 135 Next »

Compound operations are operations that consist of more than one discrete operation. Expressions that include postfix and prefix increment (++), postfix or prefix decrement (--), or compound assignment operators always result in compound operations. Compound assignment expressions use operators such as *=, /=, %=, +=, -=, <<=, >>=, >>>=, ^= and |= [[JLS 05]]. Compound operations on shared variables must be performed atomically to prevent [data races] and [race conditions].

For information about the atomicity of a grouping of calls to independently atomic methods that belong to thread-safe classes, see CON07-J. Do not assume that a group of calls to independently atomic methods is atomic.

The Java Language Specification also permits reads and writes of 64-bit values to be non-atomic. (For more information, see CON25-J. Ensure atomicity when reading and writing 64-bit values.)

Noncompliant Code Example (Logical Negation)

This noncompliant code example declares a shared boolean flag variable and provides a toggle() method that negates the current value of flag.

final class Flag {
  private boolean flag = true;
 
  public void toggle() {  // Unsafe
    flag = !flag; 
  }

  public boolean getFlag() { // Unsafe 
    return flag;
  }
}

Execution of this code may result in a data race because the value of flag is read, negated, and written back.

Consider, for example, two threads that call toggle(). The expected effect of toggling flag twice is that it is restored to its original value. However, the following scenario leaves flag in the incorrect state:

Time

flag=

Thread

Action

1

true

t1

reads the current value of flag, true, into a temporary variable

2

true

t2

reads the current value of flag, (still) true, into a temporary variable

3

true

t1

toggles the temporary variable to false

4

true

t2

toggles the temporary variable to false

5

false

t1

writes the temporary variable's value to flag

6

false

t2

writes the temporary variable's value to flag

As a result, the effect of the call by t2 is not reflected in flag; the program behaves as if the call was never made.

Noncompliant Code Example (Bitwise Negation)

Similarly, the toggle() method can use the compound assignment operator ^= to negate the current value of flag.

final class Flag {
  private boolean flag = true;
 
  public void toggle() {  // Unsafe
    flag ^= true;  // Same as flag = !flag; 
  }

  public boolean getFlag() { // Unsafe 
    return flag;
  }
}

This code is also not thread-safe. A data race exists because ^= is a non-atomic compound operation.

Noncompliant Code Example (volatile)

Declaring flag as volatile does not help either:

final class Flag {
  private volatile boolean flag = true;
 
  public void toggle() {  // Unsafe
    flag ^= true; 
  }

  public boolean getFlag() { // Safe
    return flag;
  }
}

This code remains unsuitable for multithreaded use because declaring a variable as volatile does not guarantee the atomicity of compound operations on it.

Compliant Solution (Synchronization)

This compliant solution declares both the toggle() and getFlag() methods as synchronized.

final class Flag {
  private boolean flag = true;
 
  public synchronized void toggle() { 
    flag ^= true; // Same as flag = !flag; 
  }

  public synchronized boolean getFlag() { 
    return flag;
  }
}

This guards reads and writes to the flag field with a lock on the instance, that is, this. This compliant solution ensures that changes are visible to all the threads. Now, only two execution orders are possible, one of which is shown below.

Time

flag=

Thread

Action

1

true

t1

reads the current value of flag, true, into a temporary variable

2

true

t1

toggles the temporary variable to false

3

false

t1

writes the temporary variable's value to flag

4

false

t2

reads the current value of flag, false, into a temporary variable

5

false

t2

toggles the temporary variable to true

6

true

t2

writes the temporary variable's value to flag

The second execution order involves the same operations, but t2 starts and finishes before t1.

Compliance with CON04-J. Synchronize using an internal private final lock object can reduce the likelihood of misuse by ensuring that untrusted callers cannot access the lock object.

Compliant Solution (Volatile-Read, Synchronized-Write)

In this compliant solution, the getFlag() method is not synchronized, and flag is declared as volatile. This solution is compliant because the read of flag in the getFlag() method is an atomic operation and the volatile qualification assures visibility. The toggle() method still requires synchronization because it performs a non-atomic operation.

final class Flag {
  private volatile boolean flag = true;
 
  public synchronized void toggle() { 
    flag ^= true; // Same as flag = !flag; 
  }

  public boolean getFlag() { 
    return flag;
  }
}

This approach may not be used when a getter method performs operations other than just returning the value of a volatile field without having to use any synchronization. Unless read performance is critical, this technique may not offer significant advantages over synchronization [[Goetz 06]].

CON11-J. Do not assume that declaring an object reference volatile guarantees visibility of its members also addresses the volatile-read, synchronized-write pattern.

Compliant Solution (Read-Write Lock)

This compliant solution uses a read-write lock to ensure atomicity and visibility.

final class Flag {
  private boolean flag = true;
  private final ReadWriteLock lock = new ReentrantReadWriteLock();
  private final Lock readLock = lock.readLock();
  private final Lock writeLock = lock.writeLock();
  
  public synchronized void toggle() { 
    writeLock.lock();
    try {
      flag ^= true; // Same as flag = !flag;
    } finally {
      writeLock.unlock();
    }
  }

  public boolean getFlag() { 
    readLock.lock();
    try {
      return flag;
    } finally {
      readLock.unlock();
    }
  }
}

Read-write locks allow shared state to be accessed by multiple readers or a single writer but never both.

In practice, read-write locks can improve performance for frequently accessed read-mostly data structures on multiprocessor systems; under other conditions they perform slightly worse than exclusive locks due to their greater complexity [[Goetz 06]].

Profiling the application can determine the suitability of read-write locks.

Compliant Solution (AtomicBoolean)

This compliant solution declares flag as an AtomicBoolean type.

import java.util.concurrent.atomic.AtomicBoolean;

final class Flag {
  private AtomicBoolean flag = new AtomicBoolean(true);
 
  public void toggle() { 
    boolean temp;
    do {
      temp = flag.get();
    } while(!flag.compareAndSet(temp, !temp));
  }

  public AtomicBoolean getFlag() { 
    return flag;
  }
}

The flag variable is updated using the compareAndSet() method of the AtomicBoolean class. All updates are visible to other threads.

Noncompliant Code Example (Addition)

In this noncompliant code example, multiple threads can invoke the setValues() method to set the a and b fields. Because this class does not test for integer overflow, a user of the Adder class must ensure that the arguments to the setValues() method can be added without overflow. (For more information, see INT00-J. Perform explicit range checking to ensure integer operations do not overflow.)

final class Adder {
  private int a;
  private int b;

  public int getSum() {
    return a + b;
  }

  public void setValues(int a, int b) {
    this.a = a;
    this.b = b;
  }
}

The getSum() method contains a data race. For example, if a and b currently have the values 0 and Integer.MAX_VALUE, respectively, and one thread calls getSum() while another calls setValues(Integer.MAX_VALUE, 0), getSum() might return 0 or Integer.MAX_VALUE, or it might overflow and wrap. Overflow will occur when the first thread reads a and b, after the second thread has set the value of a to Integer.MAX_VALUE but before it has set the value of b to 0.

Note that declaring the variables as volatile does not resolve the issue because these compound operations involve reads and writes of multiple variables.

Noncompliant Code Example (Overflow Check, Atomic Integer Fields)

The issues described in the previous noncompliant code example can also occur when the a and b fields of type int are replaced with atomic integers, as shown in the noncompliant code example below.

final class Adder {
  private final AtomicInteger a = new AtomicInteger();
  private final AtomicInteger b = new AtomicInteger();

  public int getSum() throws ArithmeticException {
    // Check for integer overflow
    if (b.get() > 0 ? a.get() > Integer.MAX_VALUE - b.get() : a.get() < Integer.MIN_VALUE - b.get()) {
      throw new ArithmeticException("Not in range");
    }
    return a.get() + b.get(); // or, return a.getAndAdd(b.get());
  }

  public void setValues(int a, int b) {
    this.a.set(a);
    this.b.set(b);
  }
}

For example, when a thread is executing setValues(), another thread may invoke getSum() and retrieve an incorrect result. Furthermore, in the absence of synchronization, data races occur in the check for integer overflow. For instance, a thread can call setValues() after a second thread that is attempting to add the numbers has read a, but before it has read b. In this case, the second thread will get an improper sum.

Even worse, a thread can call setValues() after a second thread has verified that overflow will not occur, but before the second thread reads the values to be added. That would cause the second thread to add two values without checking for overflow, yielding an incorrect sum. Even though a check for integer overflow is installed, it is ineffective because of the time-of-check, time-of-use (TOCTOU) condition between the overflow check and the addition operation.

Compliant Solution (Addition, Synchronized)

This compliant solution synchronizes the setValues() and getSum() methods to ensure atomicity.

final class Adder {
  private int a;
  private int b;

  public synchronized int getSum() throws ArithmeticException {
    // Check for integer overflow
    if (b > 0 ? a > Integer.MAX_VALUE - b : a < Integer.MIN_VALUE - b) {
      throw new ArithmeticException("Not in range");
    }

    return a + b;
  }

  public synchronized void setValues(int a, int b) {
    this.a = a;
    this.b = b;
  }
}

Unlike the noncompliant code examples, if a and b currently have the value 0, and one thread calls getSum() while another calls setValues(1, 1), getSum() may return 0 or 2, depending on which thread obtains the intrinsic lock first. The locking strategy guarantees that getSum() never returns the unacceptable value 1.

This compliant solution also ensures that there is no TOCTOU condition between checking for overflow and adding the fields.

Risk Assessment

If operations on shared variables are not atomic, unexpected results can be produced. For example, information can be disclosed inadvertently because one user can receive information about other users.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

CON01- J

medium

probable

medium

P8

L2

Automated Detection

The following table summarizes the examples flagged as violations by SureLogic Flashlight:

Noncompliant Code Example

Flagged

Message

bitwise compound operation

Yes

Instance fields with empty locksets

addition

Yes

Instance fields with empty locksets

volatile variable

No

No obvious issues

overflow check, atomic integer fields

No

No obvious issues

The following table summarizes the examples flagged as violations by SureLogic JSure:

Noncompliant Code Example

Flagged

Message

Details

Dynamic analysis tools with a Java concurrency focus, such as SureLogic Flashlight and Coverity Dynamic Analysis will uncover the race conditions shown in the noncompliant code examples above. To do that however, those tools must observe the noncompliant code being called by two or more threads, such as in an integration or stress-test environment. The tools use a dynamic lockset analysis to observe race conditions that occur as the program runs. This analysis intersects the set of locks observed when each piece of shared state in the program is accessed. If the lockset for a piece of shared state is empty, the tool may have observed a race condition and reports that to the user.

Heuristics-based static analysis tools, such as FindBugs and PMD, do not detect problems with the noncompliant code examples shown above without some "hint" that the program code is intended to be thread-safe. For example, consider the compliant code below where the use of a synchronized method is a hint to the analysis tool that the class is meant to be used concurrently.

public class Foo {
  private boolean flag = true;

  public synchronized boolean toggleAndGet() {
    flag ^= true; // Same as flag = !flag;
    return flag;
  }
}

FindBugs and PMD will not report a warning about this implementation because they do not note any problems.

SureLogic JSure, an analysis-based verification tool, will complain that the lock is unknown to the tool and ask the user to annotate what state the lock protects. In other words, the tool wants to know the locking policy that the programmer intends for this class. To express this intent, the programmer adds two annotations:

@RegionLock("FlagLock is this protects flag")
@Promise("@Unique(return) for new()")
public class Foo {
  private boolean flag = true;

  public synchronized boolean toggleAndGet() {
    flag ^= true; // Same as flag = !flag;
    return flag;
  }
}

The @RegionLock annotation creates a locking policy, named FlagLock, that specifies that reads and writes to the flag field are to be guarded by a lock on the receiver, that is, this. The second annotation, @Promise is used to place an annotation on the default constructor generated by the compiler. The @Unique("return") annotation promises that the receiver is not aliased during object construction, that is, that a race condition cannot occur during construction. (CON14-J. Do not let the "this" reference escape during object construction provides further details.) If the constructor was explicit in the code, the annotations would be as follows:

@RegionLock("FlagLock is this protects flag")
public class Foo {
  private boolean flag;

  @Unique("return")
  public Foo() {
    flag = true;
  }

  public synchronized boolean toggleAndGet() {
    flag ^= true; // Same as flag = !flag;
    return flag;
  }
}

The JSure verification tool provides a strong assurance that the annotated model holds for all possible executions of the program. If the following noncompliant code is later added to the class, JSure will report the violation of the locking policy to the user.

  public boolean getValue() {
    return flag;
  }

If the noncompliant getValue() method shown above is defined in the code for Foo, FindBugs can also report a problem, again if the locking model is annotated. However, it uses a different annotation than JSure:

public class Foo {
  @GuardedBy("this")
  private boolean flag = true;

  public synchronized boolean toggleAndGet() {
    flag ^= true; // Same as flag = !flag;
    return flag;
  }

  public boolean getValue() {
    return flag;
  }
}

With the @GuardedBy annotation in place, and only with this annotation in place, FindBugs reports that the field is not guarded against concurrent access in the getValue() method.

Related Vulnerabilities

Any vulnerabilities resulting from the violation of this rule are listed on the CERT website.

References

[[API 06]] Class AtomicInteger
[[JLS 05]] Chapter 17, Threads and Locks, Section 17.4.5 Happens-Before Order, Section 17.4.3 Programs and Program Order, Section 17.4.8 Executions and Causality Requirements
[[Tutorials 08]] Java Concurrency Tutorial
[[Lea 00]] Section 2.2.7 The Java Memory Model, Section 2.1.1.1 Objects and Locks
[[Bloch 08]] Item 66: Synchronize access to shared mutable data
[[Goetz 06]] 2.3. "Locking"
[[MITRE 09]] CWE ID 667 "Insufficient Locking," CWE ID 413 "Insufficient Resource Locking," CWE ID 366 "Race Condition within a Thread," CWE ID 567 "Unsynchronized Access to Shared Data"


11. Concurrency (CON)      11. Concurrency (CON)      CON02-J. Do not synchronize on objects that may be reused

  • No labels