Both thread safety and liveness are concerns when using condition variables. The thread-safety property requires that all objects maintain consistent states in a multithreaded environment [Lea 2000]. The liveness property requires that every operation or function invocation execute to completion without interruption; for example, there is no deadlock.
Condition variables must be used inside a
while loop. (See CON36-C. Wrap functions that can spuriously wake up in a loop for more information.) To guarantee liveness, programs must test the
while loop condition before invoking the
cnd_wait() function. This early test checks whether another thread has already satisfied the condition predicate and has sent a notification. Invoking the
cnd_wait() function after the notification has been sent results in indefinite blocking.
To guarantee thread safety, programs must test the
while loop condition after returning from the
cnd_wait() function. When a given thread invokes the
cnd_wait() function, it will attempt to block until its condition variable is signaled by a call to
cnd_broadcast() or to
cnd_signal() function unblocks one of the threads that are blocked on the specified condition variable at the time of the call. If multiple threads are waiting on the same condition variable, the scheduler can select any of those threads to be awakened (assuming that all threads have the same priority level). The
cnd_broadcast() function unblocks all of the threads that are blocked on the specified condition variable at the time of the call. The order in which threads execute following a call to
cnd_broadcast() is unspecified. Consequently, an unrelated thread could start executing, discover that its condition predicate is satisfied, and resume execution even though it was supposed to remain dormant. For these reasons, threads must check the condition predicate after the
cnd_wait() function returns. A
while loop is the best choice for checking the condition predicate both before and after invoking
The use of
cnd_signal() is safe if each thread uses a unique condition variable. If multiple threads share a condition variable, the use of
cnd_signal() is safe only if the following conditions are met:
- All threads must perform the same set of operations after waking up, which means that any thread can be selected to wake up and resume for a single invocation of
- Only one thread is required to wake upon receiving the signal.
cnd_broadcast() function can be used to unblock all of the threads that are blocked on the specified condition variable if the use of
cnd_signal() is unsafe.
Noncompliant Code Example (
This noncompliant code example uses five threads that are intended to execute sequentially according to the step level assigned to each thread when it is created (serialized processing). The
current_step variable holds the current step level and is incremented when the respective thread completes. Finally, another thread is signaled so that the next step can be executed. Each thread waits until its step level is ready, and the
cnd_wait() function call is wrapped inside a
while loop, in compliance with CON36-C. Wrap functions that can spuriously wake up in a loop.
In this example, all threads share a condition variable. Each thread has its own distinct condition predicate because each thread requires
current_step to have a different value before proceeding. When the condition variable is signaled, any of the waiting threads can wake up.
The following table illustrates a possible scenario in which the liveness property is violated. If, by chance, the notified thread is not the thread with the next step value, that thread will wait again. No additional notifications can occur, and eventually the pool of available threads will be exhausted.
Deadlock: Out-of-Sequence Step Value
Thread 3 executes first time: predicate is
Thread 2 executes first time: predicate is
Thread 4 executes first time: predicate is
Thread 0 executes first time: predicate is
Thread 1 executes first time: predicate is
Thread 3 wakes up (scheduler choice): predicate is
Thread exhaustion! No more threads to run, and a conditional variable signal is needed to wake up the others
This noncompliant code example violates the liveness property.
Compliant Solution (
This compliant solution uses the
cnd_broadcast() function to signal all waiting threads instead of a single random thread. Only the
run_step() thread code from the noncompliant code example is modified, as follows:
Compliant Solution (Using
cnd_signal() with a Unique Condition Variable per Thread)
Another compliant solution is to use a unique condition variable for each thread (all associated with the same mutex). In this case,
cnd_signal() wakes up only the thread that is waiting on it. This solution is more efficient than using
cnd_broadcast() because only the desired thread is awakened.
The condition predicate of the signaled thread must be true; otherwise, a deadlock will occur.
Compliant Solution (Windows, Condition Variables)
This compliant solution uses a
CONDITION_VARIABLE object, available on Microsoft Windows (Vista and later):
Use the 'cnd_signal()' function with a unique condition variable
|Polyspace Bug Finder|
|CERT C: Rule CON38-C||Checks for multiple threads waiting on same condition variable (rule fully covered)|
Key here (explains table format and definitions)
|CERT Oracle Secure Coding Standard for Java||THI02-J. Notify all waiting threads rather than a single thread||Prior to 2018-01-12: CERT: Unspecified Relationship|
|[IEEE Std 1003.1:2013]||XSH, System Interfaces, |
XSH, System Interfaces,