Data races lead to undefined behavior; but how bad can they really be? In my previous post I talked about benign data races and I gave several examples taken from the Windows kernel. Those examples worked because the kernel was compiled with a specific compiler for a specific processor. But in general, if you want your code to be portable, you can’t have data races, period.
You just cannot reason about something that is specifically defined to be “undefined.” So, obviously, you cannot prove the correctness of a program that has data races. However, very few people engage in proofs of correctness. In most cases the argument goes, “I can’t see how this can fail, therefore it must be correct” (maybe not in so many words). I call this “proof by lack of imagination.” If you want to become a concurrency expert, you have to constantly stretch your imagination. So let’s do a few stretches.
One of the readers of my previous post, Duarte Nunes, posted a very interesting example of a benign data race. Here’s the code:
int owner = 0;
int count = 0;
std::mutex mtx;
bool TryEnter() {
if (owner == std::this_thread::get_id()) {
count += 1;
return true;
}
if (mtx.try_lock()) {
owner = std::this_thread::get_id();
return true;
}
return false;
}
void Exit() {
if (count != 0) {
count -= 1;
return;
}
owner = 0;
mtx.unlock();
}
I highlighted in blue the parts that are executed under the lock (in a correct program, Exit will always be called after the lock has been acquired). Notice that the variable count is always accessed under the lock, so no data races there. However, the variable owner may be read outside of the lock– I highlighted that part of code in red. That’s the data race we are talking about.
Try to analyze this code and imagine what could go wrong. Notice that the compiler or the processor can’t be too malicious. The code still has to work correctly if the data race is removed, for instance if the racy read is put under the lock.
Here’s an attempt at the “proof” of correctness. First, Duarte observed that “The valid values for the owner variable are zero and the id of any thread in the process.” That sort of makes sense, doesn’t it? Now, the only way the racy read can have any effect is if the value of owner is equal to the current thread’s ID. But that’s exactly the value that could have been written only by the current thread– and under the lock.
There are two possibilities when reading owner: either we are still under that lock, in which case the read is not at all racy; or we have already released the lock. But the release of the lock happens only after the current thread zeroes owner.
Notice that this is a single-thread analysis and, within a single thread, events must be ordered (no need to discuss memory fences or acquire/release semantics at this point). A read following a write in the same thread cannot see the value that was there before the write. That would break regular single-threaded programs. Of course, other threads may have overwritten this zero with their own thread IDs, but never with the current thread ID. Or so the story goes…
Brace yourself: Here’s an example how a compiler or the processor may “optimize” the program:
void Exit() {
if (count != 0) {
count -= 1;
return;
}
owner = 42;
owner = 0;
mtx.unlock();
}
You might argue that this is insane and no compiler in its right mind would do a thing like this; but the truth is: It’s a legal program transformation. The effect of this modification is definitely not observable in the current thread. Neither is it observable by other threads in the absence of data races. Now, the unfortunate thread whose ID just happens to be 42 might observe this value and take the wrong turn. But it can only observe it through a racy read. For instance, it would never see this value if it read owner under the lock. Moreover, it would never see it if the variable owner were defined as ‘atomic’:
std::atomic<int> owner = 0
Stores and loads of atomic variables are, by default, sequentially consistent. Unfortunately sequential consistency, even on an x86, requires memory fences, which can be quite costly. It would definitely be an overkill in our example. So here’s the trick: Tell the compiler to forgo sequential consistency on a per read/write basis. For instance, here’s how you read an atomic variable without imposing any ordering constraints:
owner.load(memory_order_relaxed)
Such ‘relaxed’ operations will not introduce any memory fences– at least not on any processor I know about.
Here’s the version of the code that is exactly equivalent to the original, except that it’s correct and portable:
std::atomic<int> owner = 0; int count = 0; std::mutex mtx; bool TryEnter() { if (owner.load(memory_order_relaxed) == std::this_thread::get_id()) { count += 1; return true; } if (mtx.try_lock()) { owner.store(std::this_thread::get_id(), memory_order_relaxed); return true; } return false; } void Exit() { if (count != 0) { count -= 1; return; } owner.store(0, memory_order_relaxed); mtx.unlock(); }
So what has changed? Can’t the compiler still do the same dirty trick, and momentarily store 42 in the owner variable? No, it can’t! Since the variable is declared ‘atomic,’ the compiler can no longer assume that the write can’t be observed by other threads.
The new version has no data races: The Standard specifically states that ‘atomic’ variables don’t contribute to data races, even in their most relaxed form.
[…] “Relaxed” atomic operations are not synchronization operations even though, like synchronization operations, they cannot contribute to data races.
With those changes, I believe that our “proof” of correctness may actually be turned into a more rigorous proof using the axioms of the C++ memory model (although I’m not prepared to present one). We can have our cake (correct, portable code) and eat it too (no loss of performance). And, by the way, the same trick may be used in the case of lossy counters from my previous post.
Warning: I do not recommend this style of coding, or the use of weak atomics, to anybody who is not implementing operating system kernels or concurrency libraries.
Acknowledgments
I’d like to thank Luis Ceze, Hans Boehm, and Anthony Williams for useful remarks and for verifying my assumptions about the C++ memory model.
Bartosz Milewski's Programming Cafe 
October 30, 2014 at 12:27 am
The mutex/lock stuff in C/C++ is very low level. There really isn’t much abstraction in that or threading in general – it’s pretty close to what the machine actually does.
If you look at HDLs (Verilog/VHDL) there’s a more abstract concept of “drivers”, and “resolution” for when multiple threads are trying to assign to the same thing, and also the concept of “receivers” for things just watching an object’s value.
Maybe C++ should add resolved types 😉