The double-checked locking idiom is a software design pattern used to reduce the overhead of acquiring a lock by first testing the locking criterion without actually acquiring the lock. Double-checked locking improves performance by limiting synchronization to the rare case of computing the field's value or constructing a new instance for the field to reference and by foregoing synchronization during the common case of retrieving an already-created instance or value.
Incorrect forms of the double-checked locking idiom include those that allow publication of an uninitialized or partially initialized object. Consequently, only those forms of the double-checked locking idiom that correctly establish a happens-before relationship both for the
helper reference and for the complete construction of the
Helper instance are permitted.
The double-checked locking idiom is frequently used to implement a singleton factory pattern that performs lazy initialization. Lazy initialization defers the construction of a member field or an object referred to by a member field until an instance is actually required rather than computing the field value or constructing the referenced object in the class's constructor. Lazy initialization helps to break harmful circularities in class and instance initialization. It also enables other optimizations [Bloch 2005].
Lazy initialization uses either a class or an instance method, depending on whether the member object is static. The method checks whether the instance has already been created and, if not, creates it. When the instance already exists, the method simply returns the instance:
Lazy initialization must be synchronized in multithreaded applications to prevent multiple threads from creating extraneous instances of the member object:
Noncompliant Code Example
The double-checked locking pattern uses block synchronization rather than method synchronization and installs an additional null reference check before attempting synchronization. This noncompliant code example uses an incorrect form of the double-checked locking idiom:
According to Pugh [Pugh 2004],
Writes that initialize the
Helperobject and the write to the
helperfield can be done or perceived out of order. As a result, a thread which invokes
getHelper()could see a non-null reference to a
helperobject, but see the default values for fields of the
helperobject, rather than the values set in the constructor.
Even if the compiler does not reorder those writes, on a multiprocessor, the processor or the memory system may reorder those writes, as perceived by a thread running on another processor.
This code also violates TSM03-J. Do not publish partially initialized objects.
Compliant Solution (Volatile)
This compliant solution declares the
helper field volatile:
Compliant Solution (Static Initialization)
This compliant solution initializes the
helper field in the declaration of the static variable [Manson 2006].
Variables that are declared static and initialized at declaration or from a static initializer are guaranteed to be fully constructed before being made visible to other threads. However, this solution forgoes the benefits of lazy initialization.
Compliant Solution (Initialize-on-Demand, Holder Class Idiom)
This compliant solution uses the initialize-on-demand, holder class idiom that implicitly incorporates lazy initialization by declaring a static variable within a static
Holder inner class:
Initialization of the static
helper field is deferred until the
getInstance() method is called. The necessary happens-before relationships are created by the combination of the class loader's actions loading and initializing the
Holder instance and the guarantees provided by the Java memory model (JMM). This idiom is a better choice than the double-checked locking idiom for lazily initializing static fields [Bloch 2008]. However, this idiom cannot be used to lazily initialize instance fields [Bloch 2001].
Compliant Solution (
This compliant solution (originally suggested by Alexander Terekhov [Pugh 2004]) uses a
ThreadLocal object to track whether each individual thread has participated in the synchronization that creates the needed happens-before relationships. Each thread stores a non-null value into its thread-local
perThreadInstance only inside the synchronized
createHelper() method; consequently, any thread that sees a null value must establish the necessary happens-before relationships by invoking
Noncompliant Code Example (Immutable)
In this noncompliant code example, the
Helper class is made immutable by declaring its fields final. The JMM guarantees that immutable objects are fully constructed before they become visible to any other thread. The block synchronization in the
getHelper() method guarantees that all threads that can see a non-null value of the helper field will also see the fully initialized
However, this code is not guaranteed to succeed on all Java Virtual Machine platforms because there is no happens-before relationship between the first read and third read of
helper. Consequently, it is possible for the third read of
helper to obtain a stale null value (perhaps because its value was cached or reordered by the compiler), causing the
getHelper() method to return a null pointer.
Compliant Solution (Immutable)
This compliant solution uses a local variable to reduce the number of unsynchronized reads of the
helper field to 1. As a result, if the read of
helper yields a non-null value, it is cached in a local variable that is inaccessible to other threads and is safely returned.
LCK10-J-EX0: Use of the noncompliant form of the double-checked locking idiom is permitted for 32-bit primitive values (for example,
float) [Pugh 2004], although this usage is discouraged. The noncompliant form establishes the necessary happens-before relationship between threads that see an initialized version of the primitive value. The second happens-before relationship (for the initialization of the fields of the referent) is of no practical value because unsynchronized reads and writes of primitive values up to 32-bits are guaranteed to be atomic. Consequently, the noncompliant form establishes the only needed happens-before relationship in this case. Note, however, that the noncompliant form fails for
double because unsynchronized reads or writes of 64-bit primitives lack a guarantee of atomicity and consequently require a second happens-before relationship to guarantee that all threads see only fully assigned 64-bit values (see VNA05-J. Ensure atomicity when reading and writing 64-bit values for more information).
Using incorrect forms of the double-checked locking idiom can lead to synchronization problems and can expose partially initialized objects.
|CodeSonar||4.2||FB.MT_CORRECTNESS.DC_DOUBLECHECK||Possible double check of field|
Item 48, "Synchronize Access to Shared Mutable Data"
Item 71, "Use Lazy Initialization Judiciously"
|[Manson 2004]||JSR 133 (Java Memory Model) FAQ|
|[Manson 2008]||Data-Race-ful Lazy Initialization for Performance|