11. Concurrency (CON)

Guidelines

CON00-J. Declare shared variables as volatile to ensure visibility and limit reordering of statements

CON01-J. Design APIs that ensure atomicity of composite operations and visibility of results

CON02-J. Always synchronize on the appropriate object

CON03-J. Do not use background threads during class initialization

CON04-J. Use the private lock object idiom instead of intrinsic synchronization

CON05-J. Ensure that threads do not fail during activation

CON06-J. Do not defer a thread that is holding a lock

CON07-J. Ensure atomicity of calls to thread-safe APIs

CON08-J. Do not call alien methods or constructors that synchronize on the same object as the calling class

CON09-J. Do not invoke alien methods that rely on invariants protected by the same lock object

CON10-J. Methods that override synchronized methods must also possess synchronization capabilities

CON11-J. Do not assume that declaring an object volatile guarantees visibility of its members

CON12-J. Avoid deadlock by requesting and releasing locks in the same order

CON13-J. Do not try to force thread shutdown

CON14-J. Do not let the "this" reference escape during object construction

CON15-J. Ensure actively held locks are released on exceptional conditions

CON16-J. Do not expect sleep() and yield() methods to have any synchronization semantics

CON17-J. Avoid using ThreadGroup APIs

CON18-J. Always invoke wait() and await() methods inside a loop

CON19-J. Use notifyAll() instead of notify() to resume waiting threads

CON20-J. Never apply a lock to methods making network calls

CON21-J. Facilitate thread reuse by using Thread Pools

CON22-J. Do not use incorrect forms of the double-checked locking idiom

CON23-J. Address the shortcomings of the Singleton design pattern

CON24-J. Use a unique channel to acquire locks on any file

CON25-J. Ensure atomicity when reading and writing 64-bit values

CON26-J. Do not publish partially-constructed objects

CON27-J. Do not execute classes that use ThreadLocal objects in a thread pool

Introduction

Memory that can be shared between threads is called shared memory or heap memory. The term variable is as used in this section refers to both fields and array elements [[JLS 05]]. Variables that are shared between threads are referred to as shared variables. All instance fields, static fields, and array elements are shared variables and are stored in heap memory. Local variables, formal method parameters, or exception handler parameters are never shared between threads and are not affected by the [memory model].

Two major concerns in concurrent Java programming are visibility and reordering.

Visibility refers to when a write to a variable becomes
Visibility refers to the requirement that every thread sees the value of the most recent update to a shared variable. This is essential in multi-threaded programs because the value of a shared variable may be cached and not written to main memory immediately. Consequently, another thread may retrieve a stale value of the variable when attempting to read it from the main memory. Using the volatile keyword mitigates this risk and so does correct synchronization.

The restricted or no reordering requirement refers to ensuring that the execution sequence of a set of statements does not vary when observed by multiple threads. Concurrent executions of code are typically interleaved and statements may be reordered by the compiler or runtime system to facilitate various optimizations. This results in execution orders that are not immediately obvious from an examination of the source-code. Failure to account for this hazard is a common source of data races. Restricting the set of possible reorderings makes it easier to reason about the safety of the code. This risk is mitigated by correctly synchronizing the code and in some cases, by using the volatile keyword.

Even if statements execute in the expected order (program order), caching can prevent the latest values from being reflected in the main memory (visibility hazard). Program order is the execution order that is expected when a single thread is running the statements sequentially, as written in a method.

The Java Language Specification defines the Java Memory Model (JMM) which provides certain guarantees to the Java programmer.

There are two requirements for writing provably correct multi-threaded code:

1. Happens-before consistency: If two accesses of a shared variable follow the happens-before relationship, data races arising from statement reorderings cannot occur. However, this is necessary but not sufficient for acceptable program behavior.

Consider the following example in which a and b are (shared) global variables or instance fields but r1 and r2 are local variables not accessible by other threads.

Initially, let a = 0 and b = 0.

Because, in Thread 1, the two assignments a = 10; and r1 = b; are not related, the compiler or runtime system is free to reorder them. Similarly in Thread 2, the statements may be freely reordered. Although it may seem counter-intuitive, the Java memory model allows a read to see a write that occurs later in the execution order.

A possible execution order showing actual assignments is:

In this ordering, r1 and r2 read the original values of the variables a and b even though they are expected to see the updated values, 10 and 20. Another possible execution order showing actual assignments is:

In this ordering, r1 and r2 read the values of a and b written from step 3 and 4, even before the statements corresponding to these steps have executed.

"The fact that we allow a read to see a write that comes later in the execution order can sometimes thus result in unacceptable behaviors." [[JLS 05]]. Both, the use of synchronization and the volatile keyword prevent a thread from observing inconsistent values of shared variables.

2. Sequential consistency: This property provides a very strong guarantee that the compiler will not optimize away or reorder any statements. It guarantees that the program is free from data races. It also ensures that each access of a variable is atomic and immediately visible to other threads.

For example, consider a set of statements that are being executed by multiple threads:

If statements 1, 2 and 3 are always executed sequentially by all threads as given in this program order, they are sequentially consistent with respect to each other. The sequential consistency property also requires that a read operation in some thread does not see the value of a future write operation taking place in the same or another thread. Similarly, a read operation is guaranteed to see the value of the last write to the variable from any thread.

The use of sequential consistency as the sole memory model mechanism makes it easy for a programmer to reason with the program's logic in a multithreading scenario, however, introduces a performance penalty because the compiler is prohibited from reordering code for performing complex optimizations. Using volatile variables reduces this performance penalty at the cost of strong sequential consistency guarantees.

Risk Assessment Summary

IDS17-J. Understand how escape characters are interpreted when String literals are compiled      The CERT Sun Microsystems Secure Coding Standard for Java      VOID CON00-J. Synchronize access to shared mutable variables