 
                            Both thread safety and liveness are concerns when using condition variables. The thread-safety property requires that all objects maintain consistent states in a multithreaded environment [Lea 2000]. The liveness property requires that every operation or function invocation execute to completion without interruption; for example, there is no deadlock.
Condition variables must be used inside a while loop. (See CON36-C. Wrap functions that can spuriously wake up in a loop for more information.) To guarantee liveness, programs must test the while loop condition before invoking the cnd_wait() function. This early test checks whether another thread has already satisfied the condition predicate and has sent a notification. Invoking the cnd_wait() function after the notification has been sent results in indefinite blocking.
To guarantee thread safety, programs must test the while loop condition after returning from the cnd_wait() function. When a given thread invokes the cnd_wait() function, it will attempt to block until its condition variable is signaled by a call to cnd_broadcast() or to cnd_signal().
The cnd_signal() function unblocks one of the threads that are blocked on the specified condition variable at the time of the call. If multiple threads are waiting on the same condition variable, the scheduler can select any of those threads to be awakened (assuming that all threads have the same priority level). The cnd_broadcast() function unblocks all of the threads that are blocked on the specified condition variable at the time of the call. The order in which threads execute following a call to cnd_broadcast() is unspecified. Consequently, an unrelated thread could start executing, discover that its condition predicate is satisfied, and resume execution even though it was supposed to remain dormant. For these reasons, threads must check the condition predicate after the cnd_wait() function returns. A while loop is the best choice for checking the condition predicate both before and after invoking cnd_wait().
The use of cnd_signal() is safe if each thread uses a unique condition variable. If multiple threads share a condition variable, the use of cnd_signal() is safe only if the following conditions are met:
- All threads must perform the same set of operations after waking up, which means that any thread can be selected to wake up and resume for a single invocation of cnd_signal().
- Only one thread is required to wake upon receiving the signal.
The cnd_broadcast() function can be used to unblock all of the threads that are blocked on the specified condition variable if the use of cnd_signal() is unsafe.
Noncompliant Code Example (cnd_signal())
This noncompliant code example uses five threads that are intended to execute sequentially according to the step level assigned to each thread when it is created (serialized processing). The current_step variable holds the current step level and is incremented when the respective thread completes. Finally, another thread is signaled so that the next step can be executed. Each thread waits until its step level is ready, and the cnd_wait() function call is wrapped inside a while loop, in compliance with CON36-C. Wrap functions that can spuriously wake up in a loop.
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| #include <stdio.h>
#include <threads.h>
enum { NTHREADS = 5 };
mtx_t mutex;
cnd_t cond;
int run_step(void *t) {
  static size_t current_step = 0;
  size_t my_step = *(size_t *)t;
  if (thrd_success != mtx_lock(&mutex)) {
    /* Handle error */
  }
  printf("Thread %zu has the lock\n", my_step);
  while (current_step != my_step) {
    printf("Thread %zu is sleeping | 
When a given thread waits (cnd_wait() or cnd_timedwait()) on a condition variable, it can be awakened as a result of a signal operation (cnd_signal()). However, if multiple threads are waiting on the same condition variable, any of those threads can be picked up by the scheduler to be awakened (assuming that all threads have the same priority level). 
The user is forced to create a predicate-testing loop around the wait condition to guarantee that each thread executes only if its predicate test is true (recommendation in IEEE Std 1003.1 since the 2001 release [IEEE Std 1003.1-2004]). As a consequence, if a given thread finds the predicate test to be false, it waits again, eventually resulting in a deadlock situation.
The use of cnd_signal() is safe only if the following conditions are met:
- All threads must perform the same set of operations after waking up, which means that any thread can be selected to wake up and resume for a single invocation of cnd_signal().
- Only one thread is required to wake upon receiving the signal.
The use of cnd_signal() can also be safe if each thread uses a unique condition variable.
The use of cnd_broadcast() avoids these problems because it wakes up all the threads associated with the condition variable, and because all the threads must reevaluate the predicate condition, one thread will find its test to be true, avoiding deadlock.
Noncompliant Code Example (cnd_signal())
The following noncompliant code example consists of a given number of threads (5) that should execute one after another according to the step level assigned to each thread when it is created (serialized processing). The current_step variable holds the current step level and is incremented as soon as the respective thread finishes its processing. Finally, another thread is signaled so that the next step can be executed.
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| #include <stdio.h> #include <stdlib.h> #include <threads.h> #define NTHREADS 5 mtx_t mutex; cnd_t cond; void *run_step(void *t) { static int current_step = 0; int my_step = (int)t; int result; if ((result = mtx_lock(&mutex)) != thrd_success) { /* Handle error condition */ } printf("Thread %d has the lock\n", my_step); while (current_step != my_step) { printf("Thread %d is sleeping...\n", my_step); if ((result = cnd_wait(&cond, &mutex)) != thrd_success) { /* Handle error condition */ } printf("Thread %d woke up\n", my_step); } /* Do processing... */ printf("Thread %d is processing...\n", my_step); current_step++; /* Signal a waiting task */ if ((result = cnd_signal(&cond)) != thrd_success) { /* Handle error condition */ } printf("Thread %d is exiting...\n", my_step); if ((resultthrd_success != mtxcnd_unlockwait(&cond, &mutex)) != thrd_success) { { /* Handle error condition */ } thrd_exit(NULL); } int main(int argc, char** argv) { int i printf("Thread %zu woke up\n", my_step); int} result; /* thrd_t threads[NTHREADS]; int step[NTHREADS]; if ((result = mtx_init(&mutex, mtx_plain)) != thrd_success) { Do processing ... */ printf("Thread %zu is processing...\n", my_step); current_step++; /* HandleSignal errorawaiting conditiontask */ } if ((resultthrd_success != cnd_initsignal(&cond)) != thrd_success) { /* Handle error condition */ } /* Create threads */ for (i = 0; i < NTHREADS; i++printf("Thread %zu is exiting...\n", my_step); if (thrd_success != mtx_unlock(&mutex)) { step[i] = i; if ((result = thrd_create(&threads[i], run_step, (void *)step[i])) != thrd_success) { /* Handle error */ } return 0; } int main(void) { thrd_t threads[NTHREADS]; size_t step[NTHREADS]; if (thrd_success != mtx_init(&mutex, mtx_plain)) { /* Handle error condition */ } } /* Wait for all threads to completeif (thrd_success != cnd_init(&cond)) { /* Handle error */ } /* Create threads */ for (size_t i = NTHREADS-10; i >=< 0NTHREADS; ++i--) { if ((result step[i] = i; if (thrd_success != thrd_joincreate(&threads[i], run_step, NULL)) != thrd_success) { /* Handle error condition */ } } if ((result = mtx_destroy(&mutex &step[i])) != thrd_success) { { /* Handle error condition */ } if ((result = cnd_destroy(&cond)) != thrd_success) { /* Handle error condition */ } thrd_exit(NULL); } } /* Wait for all threads to complete */ for (size_t i = NTHREADS; i != 0; --i) { if (thrd_success != thrd_join(threads[i-1], NULL)) { /* Handle error */ } } mtx_destroy(&mutex); cnd_destroy(&cond); return 0; } | 
In this example, all threads share a condition variable. Each thread has its own distinct condition predicate because each thread In this example, each thread has its own predicate because each requires current_step to have a different value before proceeding. Upon the signal operation (pthread_cond_signal())When the condition variable is signaled, any of the waiting threads can wake up.
The following table illustrates a possible scenario in which the liveness property is violated. If, by chance, it the notified thread is not the thread with the next step value, that thread will wait again (pthread_cond_wait()), resulting in a deadlock situation because no more signal operations will occur.. No additional notifications can occur, and eventually the pool of available threads will be exhausted.
Deadlock: Out-of-Sequence Step ValueConsider the following example:
| Time | Thread # | 
 | Action | 
|---|---|---|---|
| 0 | 3 | 0 | Thread 3 executes first time: predicate is  | 
| 1 | 2 | 0 | Thread 2 executes first time: predicate is  | 
| 2 | 4 | 0 | Thread 4 executes first time: predicate is  | 
| 3 | 0 | 0 | Thread 0 executes first time: predicate is  | 
| 4 | 1 | 1 | Thread 1 executes first time: predicate is  | 
| 5 | 3 | 2 | Thread 3 wakes up (scheduler choice): predicate is  | 
| 6 | — | — | 
| Thread exhaustion! No more threads to run, and a conditional variable signal is needed to wake up the others | 
This noncompliant code example violates the liveness property.
Compliant Solution (
...
cnd_broadcast())
This compliant solution uses the cnd_broadcast() method function to signal all waiting threads instead of a single random onethread. Only the run_step() thread code from the noncompliant code example is modified, as follows:
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| void *run_step(void *t) { static int#include <stdio.h> #include <threads.h> mtx_t mutex; cnd_t cond; int run_step(void *t) { static size_t current_step = 0; intsize_t my_step = *(intsize_t *)t; int result; if ((resultthrd_success != mtx_lock(&mutex)) != thrd_success) {{ /* Handle error condition */ } printf("Thread %d%zu has the lock\n", my_step); while (current_step != my_step) { printf("Thread %d%zu is sleeping...\n", my_step); if ((resultthrd_success != cnd_wait(&cond, &mutex)) != thrd_success) { /* Handle error condition */ } printf("Thread %d%zu woke up\n", my_step); } /* Do processing ... */ printf("Thread %d%zu is processing...\n", my_step); current_step++; /* Signal ALL waiting tasks */ if ((resultthrd_success != cnd_broadcast(&cond)) != thrd_success) { /* Handle error condition */ } printf("Thread %d%zu is exiting...\n", my_step); if ((resultthrd_success != mtx_unlock(&mutex)) != 0) { { /* Handle error condition */ } thrd_exit(NULL)return 0; } | 
The fact that Awakening all threads will be awake solves the problem because each one ends up executing its predicate test; one will find its test to be true and will continue the execution until the endguarantees the liveness property because each thread will execute its condition predicate test, and exactly one will succeed and continue execution.
Compliant Solution (Using cnd_signal()
...
with a Unique Condition Variable per Thread)
Another way to solve the signal issue compliant solution is to use a unique condition variable for each thread (maintaining a single mutex all associated with itthe same mutex). In this case, the signal operation ( cnd_signal()) wakes up only the only thread that is waiting on it. This solution is more efficient than using cnd_broadcast() because only the desired thread is awakened.
The condition NOTE: The predicate of the signaled thread must be true; otherwise, a deadlock can will occur.
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| #include <stdio.h> #include <stdlib.h> #include <threads.h> #defineenum { NTHREADS = 5 }; mtx_t mutex; cnd_t cond[NTHREADS]; voidint *run_step(void *t) { static intsize_t current_step = 0; intsize_t my_step = *(intsize_t *)t; int result; if ((resultthrd_success != mtx_lock(&mutex)) != thrd_success) { /* Handle error condition */ } printf("Thread %d%zu has the lock\n", my_step); while (current_step != my_step) { printf("Thread %d%zu is sleeping...\n", my_step); if ((resultthrd_success != cnd_wait(&cond[my_step], &mutex)) != thrd_success) { /* Handle error condition */ } printf("Thread %d%zu woke up\n", my_step); } /* Do processing ... */ printf("Thread %d%zu is processing...\n", my_step); current_step++; /* Signal next step thread */ if ((my_step + 1) < NTHREADS) { if ((resultthrd_success != cnd_signal(&cond[my_step + 1])) != thrd_success) { /* Handle error condition */ } } printf("Thread %d%zu is exiting...\n", my_step); if ((resultthrd_success != mtx_unlock(&mutex)) != thrd_success) { /* Handle error condition */ } thrd_exit(NULL)return 0; } int main(int argc, char** argvvoid) { int i; int resultthrd_t threads[NTHREADS]; thrdsize_t threads[NTHREADS]; int step[NTHREADS]; if ((resultthrd_success != mtx_init(&mutex, mtx_plain)) != thrd_success) { /* Handle error condition */ } for (size_t i = 0; i< NTHREADS; i++i) { if ((resultthrd_success != cnd_init(&cond[i])) != thrd_success) { /* Handle error condition */ } } /* Create threads */ for (size_t i = 0; i < NTHREADS; i++i) { step[i] = i; if ((resultthrd_success != thrd_create(&threads[i], run_step, (void *) &step[i])) != thrd_success) { /* Handle error condition */ } } /* Wait for all threads to complete */ for (size_t i = NTHREADS-1; i >!= 0; i--i) { if ((resultthrd_success != thrd_join(threads[i-1], NULL)) != thrd_success) { /* Handle error condition */ } } if ((result = mtx_destroy(&mutex)) != thrd_success) { /* Handle error condition */ }; for (size_t i = 0; i < NTHREADS; i++i) { if ((result = cnd_destroy(&cond[i])); != thrd_success) { } /* Handle error condition */ } } thrd_exit(NULL); } | 
In this compliant code, each thread has associated a unique condition variable that is signaled when that particular thread needs to be awakened. This solution turns out to be more efficient because only the desired thread is awakened.
Risk Assessment
Signaling a single thread instead of all waiting threads can pose a threat to the liveness property of the system.
| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| CON38-C | low | unlikely | medium | P2 | L3 | 
| return 0;
} | 
Compliant Solution (Windows, Condition Variables)
This compliant solution uses  a CONDITION_VARIABLE object, available on Microsoft Windows (Vista and later):
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| #include <Windows.h>
#include <stdio.h>
 
CRITICAL_SECTION lock;
CONDITION_VARIABLE cond;
 
DWORD WINAPI run_step(LPVOID t) {
  static size_t current_step = 0;
  size_t my_step = (size_t)t;
  EnterCriticalSection(&lock);  
  printf("Thread %zu has the lock\n", my_step);
  while (current_step != my_step) {
    printf("Thread %zu is sleeping...\n", my_step);
 
    if (!SleepConditionVariableCS(&cond, &lock, INFINITE)) {
      /* Handle error */
    }
    printf("Thread %zu woke up\n", my_step);
  }
  /* Do processing ... */
  printf("Thread %zu is processing...\n", my_step);
  current_step++;
 
  LeaveCriticalSection(&lock);
 
  /* Signal ALL waiting tasks */
  WakeAllConditionVariable(&cond);
 
  printf("Thread %zu is exiting...\n", my_step);
  return 0;
}
 
enum { NTHREADS = 5 };
 
int main(void) {
  HANDLE threads[NTHREADS];
  
  InitializeCriticalSection(&lock);
  InitializeConditionVariable(&cond);
 
  /* Create threads */
  for (size_t i = 0; i < NTHREADS; ++i) {
    threads[i] = CreateThread(NULL, 0, run_step, (LPVOID)i, 0, NULL);
  }
 
  /* Wait for all threads to complete */
  WaitForMultipleObjects(NTHREADS, threads, TRUE, INFINITE);
 
  DeleteCriticalSection(&lock);
 
  return 0;
} | 
Risk Assessment
Failing to preserve the thread safety and liveness of a program when using condition variables can lead to indefinite blocking and denial of service (DoS).
| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level | 
|---|---|---|---|---|---|---|
| CON38-C | Low | Unlikely | No | Yes | P2 | L3 | 
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar | 
 | CONCURRENCY.BADFUNC.CNDSIGNAL | Use of Condition Variable Signal | ||||||
| Cppcheck Premium | 
 | premium-cert-con38-c | |||||||
| Helix QAC | 
 | C1778, C1779 | |||||||
| Klocwork | 
 | CERT.CONC.UNSAFE_COND_VAR_C | |||||||
| Parasoft C/C++test | 
 | CERT_C-CON38-a | Use the 'cnd_signal()' function with a unique condition variable | ||||||
| Polyspace Bug Finder | 
 | CERT C: Rule CON38-C | Checks for multiple threads waiting on same condition variable (rule fully covered) | 
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
| Taxonomy | Taxonomy item | Relationship | 
|---|
...
| CERT Oracle Secure Coding Standard for Java | 
| THI02-J. Notify all waiting threads rather than a single thread | Prior to 2018-01-12: CERT: Unspecified Relationship | 
Bibliography
| [ | 
| IEEE Std 1003.1:2013] | XSH, System Interfaces, pthread_cond_ | 
| broadcastXSH, System Interfaces, pthread_cond_ | 
...
| signal | |
| [Lea 2000] | 
...