A consistent locking policy guarantees that multiple threads cannot simultaneously access or modify shared data. Atomic variables eliminate the need for locks by guaranteeing thread safety when certain operations are performed on them. The thread-safe operations on atomic variables are specified in the C Standard, subclauses 7.17.7 and 7.17.8 [ISO/IEC 9899:2011]. While atomic operations can be combined, combined operations do not provide the thread safety provided by individual atomic operations.
Every time an atomic variable appears on the left side of an assignment operator, including a compound assignment operator such as
*=, an atomic write is performed on the variable. The use of the increment (++
) or decrement
(--) operators on an atomic variable constitutes an atomic read-and-write operation and is consequently thread-safe. Any reference of an atomic variable anywhere else in an expression indicates a distinct atomic read on the variable.
If the same atomic variable appears twice in an expression, then two atomic reads, or an atomic read and an atomic write, are required. Such a pair of atomic operations is not thread-safe, as another thread can modify the atomic variable between the two operations. Consequently, an atomic variable must not be referenced twice in the same expression.
Noncompliant Code Example (
This noncompliant code example declares a shared
flag variable and provides a
toggle_flag() method that negates the current value of
Execution of this code may result in unexpected behavior because the value of
flag is read, negated, and written back. This occurs even though the read and write are both atomic.
Consider, for example, two threads that call
toggle_flag(). The expected effect of toggling
flag twice is that it is restored to its original value. However, the scenario in the following table leaves
flag in the incorrect state.
toggle_flag() without Compare-and-Exchange
Reads the current value of
Reads the current value of
Toggles the temporary variable in the cache to
Toggles the temporary variable in the different cache to
Writes the cache variable's value to
Writes the different cache variable's value to
As a result, the effect of the call by t2 is not reflected in
flag; the program behaves as if
toggle_flag() was called only once, not twice.
Compliant Solution (
This compliant solution uses a compare-and-exchange to guarantee that the correct value is stored in
flag. All updates are visible to other threads. The call to
atomic_compare_exchange_weak() is in a loop in conformance with .
An alternative solution is to use the
atomic_flag data type for managing Boolean values atomically. However,
atomic_flag does not support a toggle operation.
Compliant Solution (Compound Assignment)
This compliant solution uses the
^= assignment operation to toggle
flag. This operation is guaranteed to be atomic, according to the C Standard, 22.214.171.124, paragraph 3. This operation performs a bitwise-exclusive-or between its arguments, but for Boolean arguments, this is equivalent to negation.
An alternative solution is to use a mutex to protect the atomic operation, but this solution loses the performance benefits of atomic variables.
Noncompliant Code Example
This noncompliant code example takes an atomic global variable
n and computes
n + (n - 1) + (n - 2) + ... + 1, using the formula
n * (n + 1) / 2:
The value of
n may change between the two atomic reads of
n in the expression, yielding an incorrect result.
This compliant solution passes the atomic variable as a function argument, forcing the variable to be copied and guaranteeing a correct result. Note that the function's formal parameter need not be atomic, and the atomic variable can still be passed as an actual argument.
When operations on atomic variables are assumed to be atomic, but are not atomic, surprising data races can occur, leading to corrupted data and invalid control flow.
|Axivion Bauhaus Suite|
|Multiple Accesses of Atomic|
MISRA 2012 Rule 13.2
C1114, C1115, C1116
Do not refer to an atomic variable twice in an expression
|Polyspace Bug Finder|
|CERT C: Rule CON40-C|
Rule fully covered.
|1114, 1115, 1116|
Key here (explains table format and definitions)
|CWE 2.11||CWE-366, Race Condition within a Thread||2017-07-07: CERT: Rule subset of CWE|
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-366 and CON40-C
CON40-C = Subset( CON43-C) Intersection( CON32-C, CON40-C) = Ø
CWE-366 = Union( CON40-C, list) where list =
- C data races that do not involve an atomic variable used twice within an expression
126.96.36.199, "Compound Assignment"