In threading, pthreads can optionally be set to cancel immediately or defer until a specific cancellation point. Canceling asynchronously (immediately) is dangerous, however, because most threads are in fact not safe to cancel immediately.
The IEEE standards page states that
only functions that are cancel-safe may be called from a thread that is asynchronously cancelable.
Canceling asynchronously would follow the same route as passing a signal into the thread to kill it, posing problems similar to those in CON37-C. Do not call signal() in a multithreaded program, which is strongly related to SIG02-C. Avoid using signals to implement normal functionality. POS44-C and SIG02-C expand on the dangers of canceling a thread suddenly, which can create a data race condition.
Noncompliant Code Example
...
It is also possible that the main thread cancels the worker thread before it has invoked pthread_setcanceltype(). If this happens, the cancelation cancellation will be delayed until the worker thread calls pthread_setcanceltype().
...
In this example, the worker thread arranges to release the global_lock mutex if it gets interrupted.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
void release_global_lock(void* dummy) {
int result;
if ((result = pthread_mutex_unlock(&global_lock)) != 0) {
/* handle error */
}
}
void* worker_thread(void* dummy) {
int i, c;
int result;
if ((result = pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS,&i)) != 0) {
/* handle error */
}
while (1) {
if ((result = pthread_mutex_lock(&global_lock)) != 0) {
/* handle error */
}
pthread_cleanup_push( release_global_lock, NULL);
c = b;
b = a;
a = c;
pthread_cleanup_pop(1);
}
return NULL;
}
|
...
Furthermore, though less likely, the program can still deadlock if the worker thread gets canceled after the global_lock is acquired but before pthread_cleanup_push() is invoked. In this case, the worker thread is canceled while holding global_lock, and the program will deadlock.
Compliant Solution
From IEEE standards page:
The cancelability state and type of any newly created threads, including the thread in which main() was first invoked, shall be PTHREAD_CANCEL_ENABLE and PTHREAD_CANCEL_DEFERRED respectively.
Because the default condition for POSIX, according to the IEEE standards, is PTHREAD_CANCEL_DEFERRED, it is not necessary to invoke pthread_setcanceltype() in the compliant solution.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
void* worker_thread(void* dummy) {
int c;
int result;
while (1) {
if ((result = pthread_mutex_lock(&global_lock)) != 0) {
/* handle error */
}
c = b;
b = a;
a = c;
if ((result = pthread_mutex_unlock(&global_lock)) != 0) {
/* handle error */
}
/* now we're safe to cancel, creating cancel point */
pthread_testcancel();
}
return NULL;
}
|
Because this code limits cancelation cancellation of the worker thread to the end of the while loop, the worker thread can preserve the data invariant that a != b. Consequently, the program might print that a is 5 and b is 10 or that a is 10 and b is 5, but they will always be revealed to have different values when the worker thread is canceled.
...
The CERT Oracle Secure Coding Standard for Java: THI05-J. Do not use Thread.stop() to terminate threads
In Java, similar reasoning resulted in the deprecation of Thread.stop().
...
Bibliography
...
...