tags:

views:

335

answers:

5
+8  Q: 

May volatile be in user defined types to help writing thread-safe code

I know, it has been made quite clear in a couple of questions/answers before, that volatile is related to the visible state of the c++ memory model and not to multithreading.

On the other hand, this article by Alexandrescu uses the volatile keyword not as a runtime feature but rather as a compile time check to force the compiler into failing to accept code that could be not thread safe. In the article the keyword is used more like a required_thread_safety tag than the actual intended use of volatile.

Is this (ab)use of volatile appropriate? What possible gotchas may be hidden in the approach?

The first thing that comes to mind is added confusion: volatile is not related to thread safety, but by lack of a better tool I could accept it.

Basic simplification of the article:

If you declare a variable volatile, only volatile member methods can be called on it, so the compiler will block calling code to other methods. Declaring an std::vector instance as volatile will block all uses of the class. Adding a wrapper in the shape of a locking pointer that performs a const_cast to release the volatile requirement, any access through the locking pointer will be allowed.

Stealing from the article:

template <typename T>
class LockingPtr {
public:
   // Constructors/destructors
   LockingPtr(volatile T& obj, Mutex& mtx)
      : pObj_(const_cast<T*>(&obj)), pMtx_(&mtx)
   { mtx.Lock(); }
   ~LockingPtr()   { pMtx_->Unlock(); }
   // Pointer behavior
   T& operator*()  { return *pObj_; }
   T* operator->() { return pObj_; }
private:
   T* pObj_;
   Mutex* pMtx_;
   LockingPtr(const LockingPtr&);
   LockingPtr& operator=(const LockingPtr&);
};

class SyncBuf {
public:
   void Thread1() {
      LockingPtr<BufT> lpBuf(buffer_, mtx_);
      BufT::iterator i = lpBuf->begin();
      for (; i != lpBuf->end(); ++i) {
         // ... use *i ...
      }
   }
   void Thread2();
private:
   typedef vector<char> BufT;
   volatile BufT buffer_;
   Mutex mtx_; // controls access to buffer_
};

NOTE

After the first couple of answers have appeared I think I must clarify, as I might not have used the most appropriate words.

The use of volatile is not because of what it provides at runtime but because of what it means at compile time. That is, the same trick could be pulled with the const keyword if it was as rarely used in user defined types is as volatile is. That is, there is a keyword (that happens to be spelled volatile) that allows me to block member function calls, and Alexandrescu is using it to trick the compiler into failing to compile thread-unsafe code.

I see it as many metaprogramming tricks that are there not because of what they do at compile time, but rather for what it forces the compiler to do for you.

A: 

You must better not do that. volatile was not even invented to provide thread-safety. It was invented to access memory-mapped hardware registers properly. volatile keyword has no effect over CPU's out-of-order execution feature. You should use proper OS calls or CPU defined CAS instructions, memory fences, etc.

CAS

Memory Fence

Malkocoglu  2010-03-22 11:18:58
By just looking at the code provided, i see no gain making the BufT as volatile. The whole thread-safety thingie is Mutex's problem now. As BufT is private member, it should better be NOT volatile for performance reasons. But also I see that there is a problem with your code. Once the Thread1 locks Mutex, Thread2 will never gain access to BufT, so it will stuck at the first line of its body...
Malkocoglu  2010-03-22 11:30:53
If you read the article and code carefully you will see that the variable, when in use, is not `volatile` (the qualifier is removed through a `const_cast`). It is just a compile time trick. The whole thread safety, as @Malkocoglu points out, is correctly handled through the mutex. I guess confusion is the big drawback of the approach
David Rodríguez - dribeas  2010-03-22 12:21:42
-1: I hesitated downvoting this, but ultimately I did because volatile is not used in the article or this post in order to ensure out-of-order executions happen in a certian way. Its used in order to leverage the compiler's type system, so your post is not relevant to the question.
John Dibling  2010-03-22 14:40:55
I hate long questions that have a misleading title ;-)
Malkocoglu  2010-03-26 14:23:51
A: 

I don't know specifically whether Alexandrescu's advice is sound, but, for all that I respect him as a super-smart dude, his treatment of volatile's semantics suggests that he's stepped way outside his area of expertise. Volatile has absolutely no value in multithreading (see here for a good treatment of the subject) and so Alexandrescu's claim that volatile is useful for multithreaded access leads me to seriously wonder how much faith I can place in the rest of his article.

Marcelo Cantos  2010-03-22 11:19:22
I think you have misunderstood the article, the only reason that the `volatile` keyword is used is because of what it implies at compile time, not at runtime. During runtime, all uses (that compile) remove the `volatile` qualifier before operating on the instance: there is no `volatile` in the compiled code as all uses go through the `const_cast`-ed pointer inside the LockPtr which is non-volatile
David Rodríguez - dribeas  2010-03-22 12:19:15
From the article you link to, "Hans Boehm points out that there are only three portable uses for volatile". Hans Boehm is mistaken (although not in a way he should be ashamed of) - Alexandrescu has presented a fourth use of volatile, which is to rely on its const-style contagious behaviour rather than on its semantics relating to memory access.
Steve Jessop  2010-03-22 13:13:04
@David: The article leaves little room for interpretation: "It's intended to be used in conjunction with variables that are accessed and modified in different threads. Basically, without volatile, either writing multithreaded programs becomes impossible, or the compiler wastes vast optimization opportunities."I understand that the article's main thrust is the use of `volatile` as a kind of orthogonal const-qualifier. I never repudiated this. I merely expressed reservations about an article on `volatile` by someone who clearly didn't understand its original intent.
Marcelo Cantos  2010-03-22 13:21:04
@Marcelo: Alexandrescu is conflating two things: what `volatile` is defined to do, and how `volatile` was actually used by compiler-writers (he mentions MS in particular) adding threading to C and C++. Multithreading cannot be implemented merely as a library, it requires language support, and at least on Windows part of that language support came in the shape of additional semantics for `volatile`. With a coherent cache, volatile access is roughly the same as a memory barrier. Whether Alexandrescu blurred this distinction in ignorance or for simplicity, I do not know.
Steve Jessop  2010-03-22 13:53:36
+3  A: 

I think the issue is not about thread-safety provided by volatile. It dosen't and Andrei's article dosen't say it does. Here, a mutex is used to achieve that. The issue is, whether the use of volatilekeyword to provide static type-checking along with use of mutex for thread-safe code, is abuse of the volatile keyword? IMHO it's pretty smart, but i have come across developers who are not fans of strict-type-checking just for the sake of it.

IMO when you are writing code for multi-threaded environment, there is already enough caution to emphasize wherein you would expect people not to be ignorant of race-conditions and deadlocks.

A downside of this wrapped approach is that every operation on the type that is wrapped using LockingPtr must be through a member function. That will increase one level of indirection which might considerably affect developers comfort in a team.

But if you are a purist who believes in the spirit of C++ a.k.a strict-type-checking; this is a good alternative.

Abhay  2010-03-22 11:40:13
+1. I do not agree with the extra level of indirection discomfort. Anyone doing multithreading must surely know that locking a mutex is the costly operation there. An extra level of indirection will amount to almost nothing compared to the lock itself.
David Rodríguez - dribeas  2010-03-22 12:15:25
@dribeas: I meant syntactical discomfort. Believe me, some developers do not like to write wrapped-code instead of a *natural-to-the-eyes* simple direct code.
Abhay  2010-03-22 12:19:01
+3  A: 

This catches some kinds of thread-unsafe code (concurrent access), but misses others (deadlocks due to locking inversion). Neither is especially easy to test for, so it's a modest partial win. In practice, remembering to enforce a constraint that a particular private member is accessed only under some specified lock, hasn't been a big problem for me.

Two answers to this question have demonstrated that you're correct to say that confusion is a significant disadvantage - maintainers may have been so strongly conditioned to understand that volatile's memory-access semantics have nothing to do with thread-safety, that they will not even read the rest of the code/article before declaring it incorrect.

I think the other big disadvantage, outlined by Alexandrescu in the article, is that it doesn't work with non-class types. This might be a difficult restriction to remember. If you think that marking your data members volatile stops you using them without locking, and then expect the compiler to tell you when to lock, then you might accidentally apply that to an int, or to a member of template-parameter-dependent type. The resulting incorrect code will compile fine, but you may have stopped examining your code for errors of this kind. Imagine the errors which would occur, especially in template code, if it was possible to assign to a const int, but programmers nevertheless expected the compiler would check const-correctness for them...

I think the risk that the data member's type actually has any volatile member functions should be noted and then discounted, although it might bite somebody someday.

I wonder if there's anything to be said for compilers providing additional const-style type modifiers via attributes. Stroustrup says, "The recommendation is to use attributes to only control things that do not affect the meaning of a program but might help detect errors". If you could replace all mentions of volatile in the code with [[__typemodifier(needslocking)]] then I think it would be better. It would then be impossible to use the object without a const_cast, and hopefully you wouldn't write a const_cast without thinking about what it is you're discarding.

Steve Jessop  2010-03-22 13:35:38
There are a couple of interesting pearls in this answer: depending on a partial solution will probably make you forget about the cases where that will not help. Another good one is the potential use of attributes (even if I fail to see how to actually play the trick out of just attributes, it would require some type of `attribute_cast`). I had thought about classes that have `volatile` member functions but not having seen any in actual code I wondered how far reaching the problem would be. Thanks
David Rodríguez - dribeas  2010-03-22 14:17:45
stephan  2010-03-22 14:25:22
@dribeas: well, in the definition of `[[__typemodifier(X)]]` which I just invented in my head, `const_cast` can remove any type modifier, including user-invented ones, just as it currently removes `const` and `volatile`. Since user-defined type modifiers would have no meaning in the language other than preventing incompatible assignments, this is "safe" provided you don't use the result in a way which violates the invariants implied by the modifier in this program. I have not subjected this idea to thorough peer review, or indeed thought about it for longer than it took to type ;-)
Steve Jessop  2010-03-22 14:43:47
@stephan: probably, but Alexandrescu was writing in 2001. It's now 2010, and it's still undefined behaviour to use threads *at all* (not long now, we hope!). You're at the mercy of your implementation for this stuff. Perhaps his article should have addressed that properly, but I can forgive that he let it go without saying.
Steve Jessop  2010-03-22 14:45:27
@Steve: It is not undefined behavior to use threads. The standard says nothing about threads, not that they are undefined. Big difference.
John Dibling  2010-03-22 18:42:11
@John: no difference at all from the standard's POV. Compiler extensions are undefined *by the standard*. An implementation does define the behaviour of threads, although sometimes not with the detail and the precision with which the standard defines behaviour. Then again, an implementation can (and often does) define the behaviour of dereferencing a null pointer, and yet we still say that the behaviour of such code is "undefined".
Steve Jessop  2010-03-22 21:52:47
@Steve: Threads aren't compiler extensions any more than dialog boxes are. They are services provided by the operating system.
John Dibling  2010-03-22 22:08:36
That's not true. Threads are not just a library. They require compiler support throughout the code which runs multithreaded, for example to ensure that memory accesses are not re-ordered across a memory barrier by some compiler transformation. This is the historical role of `volatile`: it prevents access being reordered across calls to unknown code. Dialog boxes don't require all code in the app to be compiled with special limits on behaviour (at least, not modal ones or fully asynchronous ones - dialog boxes with make callbacks from other threads are of course another matter).
Steve Jessop  2010-03-22 22:27:09
Ah, found the article I wanted to link to in the first place: http://www.hpl.hp.com/techreports/2004/HPL-2004-209.html
Steve Jessop  2010-03-22 22:33:21
I will read that article...
John Dibling  2010-03-22 22:36:24
"it prevents access being reordered across calls to unknown code". Sorry, that's not quite right, `volatile` prevents accesses being reordered across *each other*, and prevents the object from having values written to it that don't appear in the code (e.g. using the memory as temporary storage for something else if the compiler knows it will be unconditionally overwritten before the next read), so is part of one possible road to a thread-safe memory model in C. Playing such tricks across calls to unknown code is generally prevented anyway, because of the possibility of aliasing.
Steve Jessop  2010-03-22 22:40:48
+1  A: 

Look at this from a different perspective. When you declare a variable as const, you are telling the compiler that the value cannot be changed by your code. But that doesn't mean that the value won't change. For example, if you do this:

const int cv = 123;
int* that = const_cast<int*>(&cv);
*that = 42;

...this evokes undefined behavior according to the standard, but in practice something will happen. Maybe the value will be changed. Maybe there will be a sigfault. Maybe flight simulator will launch -- who knows. The point is you don't know on a platform-independant basis what's going to happen. So the apparent promise of const is not fulfilled. The value may or may not actually be const.

Now, given that this is true, is using const an abuse of the language? Of course not. It is still a tool that the language provides to help you write better code. It will never be the end-all, be-all tool to ensure that values remain unchanged -- the programmer's brain is ultimately that tool -- but does that make const unuseful?

I say no, using const as a tool to help you write better code is not an abuse of the language. In fact I'd go one step further, and say it is the intent of that feature.

Now, the same is true of volatile. Declaring something as volatile will not make your program thread safe. It probably won't even make that variable or object thread safe. But the compiler will enforce CV-qualification semantics, and careful programmer can leverage this fact to help him write better code by helping the compiler to identify places where he might be writing a bug. Just like the compiler helps him when he tries to do this:

const int cv = 123;
cv = 42;  // ERROR - compiler complains that the programmer is potentially making a mistake

Forget about memory fences and atomicity of volatile objects and variables, just like you have long forgotten about cv's true constness. But use the tools that the language gives you to write better code. One of those tools is volatile.

John Dibling  2010-03-22 14:27:03

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS