I l @ ve RuBoard |
Thread-Safety Problems with Copy-on-Write (COW)Standard C++ is silent on the subject of threads. Unlike Java, C++ has no built-in support for threads, and does not attempt to address thread-safety issues through the language. So why an Item on thread- and concurrency- related issues? Simply because more and more of us are writing multithreaded (MT) programs, and no discussion of copy-on-write String implementations is complete if it does not cover thread-safety issues. Good C++ threading classes and frameworks have existed nearly as long as C++ itself. Today, they include facilities such as those in ACE, [2] the omnithread library available as part of omniORB, [3] and many commercial libraries. Chances are that today you're already using one of these libraries, or using your own in-house wrapper around your operating system's native services.
In conjunction with this Item, see also Appendix : Optimizations That Aren't (In a Multithreaded World). That appendix overlaps with and builds upon the results we'll see in this Item. It demonstrates not only the effects that mistaken optimizations can have on you and your production code, but also how to detect them and protect yourself against them. This Item presents a summary of results for which more details are shown in Appendix : Test Results for Single-Threaded Versus Multithread-Safe String Implementations.
It is the responsibility of code that uses an object to ensure that access to the object is serialized as needed. For example, if a certain String object could be modified by two different threads, it's not the poor String object's job to defend itself from abuse. It's the job of the code that uses the String to make sure that two threads never try to modify the same String object at the same time. The problem with the code in Item 15 is twofold. First, the copy-on-write (COW) implementation is designed to hide the fact that two different visible String objects could be sharing a common hidden state. Hence, it's the String class's responsibility to ensure that the calling code never modifies a String whose representation is shared. The String code shown already does precisely that, by performing a deep copy (unsharing the representation), if necessary, the moment a caller tries to modify the String . This part is fine in general. Unfortunately, it now brings us to the second problem, which is that the code in String that unshares the representation isn't thread-safe. Imagine two String objects s1 and s2 such that:
The problem is (d). At the same time, both s1 and s2 will attempt to unshare their shared representation, and the code to do that is not thread-safe. Specifically, consider the very first line of code in String::AboutToModify() : void String::AboutToModify( size_t n, bool markUnshareable /* = false */ ) { if( data_->refs > 1 && data_->refs != Unshareable ) { /* ... etc. ... */ This if -condition is not thread-safe. For one thing, evaluating even data_->refs > 1 may not be atomic. If so, it's possible that if thread 1 tries to evaluate data_->refs > 1 while thread 2 is updating the value of refs , the value read from data_->refs might be anything ”1, 2, or even something that's neither the original value nor the new value. The problem is that String isn't following the basic thread-safety requirement that code that uses an object must ensure that access to the object is serialized as needed. Here, String has to ensure that no two threads are going to use the same refs value in a dangerous way at the same time. The traditional way to accomplish this is to serialize access to the shared StringBuf (or just its refs member) using a mutex or semaphore. In this case, at minimum the "comparing an int " operation must be guaranteed to be atomic. This brings us to the second issue: Even if reading and updating refs were atomic, and even if we knew we were running on a single-CPU machine so that the threads were interleaved rather than truly concurrent, there are still two parts to the if condition. The problem is that the thread executing the above code could be interrupted after it evaluates the first part of the condition, but before it evaluates the second part. In our example:
Having covered that, we're ready to see how to solve these safety problems. Protecting COW StringsIn all that follows , remember that the goal is not to protect Optimized::String against every possible abuse. After all, the code using the String object is still responsible for knowing whether any given visible String object could be used by different threads and doing the proper concurrency control if it is ”that's just normal. The problem here is that because of the extra sharing going on under the covers, the calling code can't just perform its normal duty of care because it doesn't know which String objects really are completely distinct and which only look distinct but are actually invisibly joined. The goal, then, is simply for Optimized::String to get back up to the level at which it's safe enough so that other code that uses String can assume that distinct String objects really are distinct, and therefore do the usual proper concurrency control as needed.
I'm going to answer (b) first because it's more general. What's needed here is a lock-management device such as a mutex. [4] The key to what we're about to do is quite simple. It turns out that if we do things right, we need only lock access to the reference count itself.
Before doing anything else, we need to add a Mutex member object into Optimized::StringBuf . Let's call the member m : namespace Optimized { class StringBuf { public: StringBuf(); // start off empty ~StringBuf(); // delete the buffer StringBuf( const StringBuf& other, size_t n = 0 ); // initialize to copy of other, // and ensure len >= n void Reserve( size_t n ); // ensure len >= n char* buf; // allocated buffer size_t len; // length of buffer size_t used; // # chars actually used unsigned refs; // reference count Mutex m; // serialize work on this object private: // No copying... // StringBuf( const StringBuf& ); StringBuf& operator=( const StringBuf& ); }; The only function that necessarily operates on two StringBuf objects at once is the copy constructor. String only calls StringBuf 's copy constructor from two places (from String 's own copy constructor and from AboutToModify() ). Note that String only needs to serialize access to the reference count, because by definition no String will do any work on a StringBuf that's shared. (If it is shared, it will be read in order to take a copy. But we don't need to worry about anyone else trying to change or Reserve() or otherwise alter/move the buffer.) The default constructor needs no locks: String::String() : data_(new StringBuf) { } The destructor need only lock its interrogation and update of the refs count: String::~String() { bool bDelete = false; data_->m . Lock(); //--------------------------- if( data_->refs == Unshareable --data_->refs < 1 ) { bDelete = true; } data_->m . Unlock(); //------------------------- if( bDelete ) { delete data_; } } For the String copy constructor, note that we can assume the other String 's data buffer won't be modified or moved during this operation, because it's the responsibility of the caller to serialize access to visible objects. We must still, however, serialize access to the reference count itself, as we did above: String::String( const String& other ) { bool bSharedIt = false; other . data_->m . Lock(); // --------------------- if( other.data_->refs != Unshareable ) { bSharedIt = true; data_ = other.data_; ++data_->refs; } other . data_->m . Unlock(); // ------------------- if( !bSharedIt ) { data_ = new StringBuf( *other.data_ ); } } So making the String copy constructor safe wasn't very hard at all. This brings us to AboutToModify() , which turns out to be very similar. But notice that this sample code actually acquires the lock during the entire deep copy operation ”really, the lock is strictly needed only when looking at the refs value and again when updating the refs value at the end. But let's go ahead and lock the whole operation instead of getting slightly better concurrency by releasing the lock during the deep copy and then reacquiring it just to update refs : void String::AboutToModify( size_t n, bool markUnshareable /* = false */ ) { data_->m . Lock(); // --------------------------- if( data_->refs > 1 && data_->refs != Unshareable ) { StringBuf* newdata = new StringBuf( *data_, n ); --data_->refs; // now all the real work is data_->m . Unlock(); // ----------------------- data_ = newdata; // done, so take ownership } else { data_->m . Unlock(); // ----------------------- data_->Reserve( n ); } data_->refs = markUnshareable ? Unshareable : 1; } None of the other functions need to be changed. Append() and operator[]() don't need locks because once AboutToModify() completes, we're guaranteed that we're not using a shared representation. Length() doesn't need a lock because by definition, we're okay if our StringBuf is not shared (there's no one else to change the used count on us), and we're okay if it is shared (the other thread would take its own copy before doing any work and hence still wouldn't modify our used count on us): void String::Append( char c ) { AboutToModify( data_->used+1 ); data_->buf[used++">data_->used++] = c; } size_t String::Length() const { return data_->used; } char& String::operator[]( size_t n ) { AboutToModify( data_->len, true ); return data_->buf[n]; } const char String::operator[]( size_t n ) const { return data_->buf[n]; } } Again, note the interesting thing in all of this: The only locking we needed to do involved the refs count itself. With that observation and the above general-purpose solution under our belts, let's look back to the (a) part of the question:
Some operating systems provide these kinds of functions. Note: These functions are usually significantly more efficient than general-purpose synchronization primitives such as mutexes . It is, however, a fallacy to say that we can use atomic integer operations "instead of locks" because locking is still required ”the locking is just generally less expensive than other alternatives, but it's not free by a long shot, as we will see. Here is a thread-safe implementation of String that assumes we have three functions: an IntAtomicGet() , and IntAtomicDecrement() and IntAtomicIncrement() that safely return the new value. We'll do essentially the same thing we did above, but use only atomic integer operations to serialize access to the refs count: namespace Optimized { String::String() : data_(new StringBuf) { } String::~String() { if( IntAtomicGet( data_->refs ) == Unshareable IntAtomicDecrement( data_->refs ) < 1 ) { delete data_; } } String::String( const String& other ) { if( IntAtomicGet( other.data_->refs ) != Unshareable ) { data_ = other.data_; IntAtomicIncrement( data_->refs ); } else { data_ = new StringBuf( *other.data_ ); } } void String::AboutToModify( size_t n, bool markUnshareable /* = false */ ) { int refs = IntAtomicGet( data_->refs ); if( refs > 1 && refs != Unshareable ) { StringBuf* newdata = new StringBuf( *data_, n ); if( IntAtomicDecrement( data_->refs ) < 1 ) { // just in case two threads delete newdata; // are trying this at once } else { // now all the real work is data_ = newdata; // done, so take ownership } } else { data_->Reserve( n ); } data_->refs = markUnshareable ? Unshareable : 1; } void String::Append( char c ) { AboutToModify( data_->used+1 ); data_->buf[used++">data_->used++] = c; } size_t String::Length() const { return data_->used; } char& String::operator[]( size_t n ) { AboutToModify( data_->len, true ); return data_->buf[n]; } const char String::operator[]( size_t n ) const { return data_->buf[n]; } }
Without atomic integer operations, copy-on-write typically incurs a significant performance penalty. Even with atomic integer operations, COW can make common String operations take nearly 50% longer, even in single-threaded programs. In general, copy-on-write is often a bad idea in multithread-ready code. That's because the calling code can no longer know whether two distinct String objects actually share the same representation under the covers, so String must incur overhead to do enough serialization so that calling code can take its normal share of responsibility for thread safety. Depending on the availability of more-efficient options such as atomic integer operations, the impact on performance ranges from moderate to profound. Some Empirical ResultsIn this test environment, I tested the following six main flavors of string implementations. Name Description (refined versions of code shown earlier) --------------- --------------------------------------- Plain Non-use-counted string; all others are modeled on this COW_Unsafe Plain + COW, not thread-safe COW_AtomicInt Plain + COW + thread-safe COW_AtomicInt2 COW_AtomicInt + StringBuf in same buffer as the data COW_CritSec Plain + COW + thread-safe (Win32 critical sections) COW_Mutex Plain + COW + thread-safe (Win32 mutexes) (COW_CritSec with Win32 mutexes instead of Win32 critical sections) I also threw in a seventh flavor to measure the result of optimizing memory allocation instead of optimizing copying: Plain_FastAlloc Plain + an optimized memory allocator I focused on comparing Plain with COW_AtomicInt . COW_AtomicInt was generally the most efficient thread-safe COW implementation. The results were as follows:
This second result may be the more surprising one to many ”particularly the result that COW_AtomicInt is slower in cases in which there are more copy operations than mutating operations in the entire system! Note that in both cases traditional thread-unsafe COW did perform better than Plain . This shows that COW can be an optimization for purely single-threaded environments, but it is less often appropriate for thread-safe code.
Let's briefly raise and answer two natural questions. First, why measure something as inefficient as COW_CritSec ? The answer is simple: Because at least one popular commercial basic_string implementation used this method as recently as 2000 (and perhaps still does, I haven't seen their code lately), despite the fact that COW_CritSec is nearly always a pessimization. Be sure to check whether your library vendor is doing this, because if the library is built for possible multithreaded use, you will bear the performance cost all the time, even if your program is single-threaded. Second, what's COW_AtomicInt2 ? It's the same as COW_AtomicInt except that instead of allocating a StringBuf and then separately allocating the data buffer, the StringBuf and data are in the same allocated block of memory. Note that all other COW_* variants use a fast allocator for the StringBuf object (so that there's no unfair double allocation cost), and the purpose of COW_AtomicInt2 is mainly to demonstrate that I have actually addressed that concern. COW_AtomicInt2 is actually slightly slower than COW_AtomicInt for most operations, because of the extra logic. I also tested the relative performance of various integer operations (incrementing int , incrementing volatile int , and incrementing int using the Win32 atomic integer operations) to ensure that COW_AtomicInt results were not unfairly skewed by poor implementations or function call overhead. SummaryA few important points about this test harness and these results:
|
I l @ ve RuBoard |