Accessing the automatic or thread-local variables of one thread from another thread is implementation-defined behavior and can cause invalid memory accesses because the execution of threads can be interwoven within the constraints of the synchronization model. As a result, the referenced stack frame or thread-local variable may no longer be valid when another thread tries to access it. Shared static variables can be protected by thread synchronization mechanisms.
However, automatic (local) variables cannot be shared in the same manner because the referenced stack frame's thread would need to stop executing, or some other mechanism must be employed to ensure that the referenced stack frame is still valid. Do not access automatic or thread-local objects from a thread other than the one with which the object is associated. See DCL30-C. Declare objects with appropriate storage durations for information on how to declare objects with appropriate storage durations when data is not being shared between threads.
Noncompliant Code Example (Automatic Storage Duration)
This noncompliant code example passes the address of a variable to a child thread, which prints it out. The variable has automatic storage duration. Depending on the execution order, the child thread might reference the variable after the variable's lifetime in the parent thread. This would cause the child thread to access an invalid memory location.
Noncompliant Code Example (Automatic Storage Duration)
One practice is to ensure that all objects with automatic storage duration shared between threads are declared such that their lifetime extends past the lifetime of the threads. This can be accomplished using a thread synchronization mechanism, such as
thrd_join(). In this code example,
val is declared in
thrd_join() is called. Because the parent thread waits until the child thread completes before continuing its execution, the shared objects have a lifetime at least as great as the thread.
However, the C Standard, 6.2.4 paragraphs 4 and 5 [ISO/IEC 9899:2011], states:
The result of attempting to indirectly access an object with thread storage duration from a thread other than the one with which the object is associated is implementation-defined. . . .
The result of attempting to indirectly access an object with automatic storage duration from a thread other than the one with which the object is associated is implementation-defined.
Therefore this example relies on implementation-defined behavior and is nonportable.
Compliant Solution (Static Storage Duration)
This compliant solution stores the value in an object having static storage duration. The lifetime of this object is the entire execution of the program; consequently, it can be safely accessed by any thread.
Compliant Solution (Allocated Storage Duration)
This compliant solution stores the value passed to the child thread in a dynamically allocated object. Because this object will persist until explicitly freed, the child thread can safely access its value.
Noncompliant Code Example (Thread-Specific Storage)
In this noncompliant code example, the value is stored in thread-specific storage of the parent thread. However, because thread-specific data is available only to the thread that stores it, the
child_thread() function will set
result to a null value.
Compliant Solution (Thread-Specific Storage)
This compliant solution illustrates how thread-specific storage can be combined with a call to a thread synchronization mechanism, such as
thrd_join(). Because the parent thread waits until the child thread completes before continuing its execution, the child thread is guaranteed to access a valid live object.
This compliant solution uses pointer-to-integer and integer-to-pointer conversions, which have implementation-defined behavior. (See INT36-C. Converting a pointer to integer or integer to pointer.)
Compliant Solution (Thread-Local Storage, Windows, Visual Studio)
Similar to the preceding compliant solution, this compliant solution uses thread-local storage combined with thread synchronization to ensure the child thread is accessing a valid live object. It uses the Visual Studio–specific
__declspec(thread) language extension to provide the thread-local storage and the
WaitForSingleObject() API to provide the synchronization.
Noncompliant Code Example (OpenMP,
It is important to note that local data can be used securely with threads when using other thread interfaces, so the programmer need not always copy data into nonlocal memory when sharing data with threads. For example, the
shared keyword in The OpenMP® API Specification for Parallel Programming [OpenMP] can be used in combination with OpenMP's threading interface to share local memory without having to worry about whether local automatic variables remain valid.
In this noncompliant code example, a variable
j is declared outside a
#pragma and not listed as a private variable. In OpenMP, variables outside a
parallel #pragma are shared unless designated as
Compliant Solution (OpenMP,
In this compliant solution, the variable
j is declared outside of the
#pragma but is explicitly labeled as
Threads that reference the stack of other threads can potentially overwrite important information on the stack, such as function pointers and return addresses. The compiler may not generate warnings if the programmer allows one thread to access another thread's local variables, so a programmer may not catch a potential error at compile time. The remediation cost for this error is high because analysis tools have difficulty diagnosing problems with concurrency and race conditions.
|Declare objects shared between POSIX threads with appropriate storage durations|
|4926, 4927, 4928||Enforced by QAC|
Key here (explains table format and definitions)
|CERT C Secure Coding Standard||DCL30-C. Declare objects with appropriate storage durations||Prior to 2018-01-12: CERT: Unspecified Relationship|
|[ISO/IEC 9899:2011]||6.2.4, "Storage Durations of Objects"|
|[OpenMP]||The OpenMP® API Specification for Parallel Programming|