JDK-6803402 : Race condition in AbstractQueuedSynchronizer
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.util.concurrent
  • Affected Version: 7
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2009-02-10
  • Updated: 2010-05-09
  • Resolved: 2009-03-13
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7 Other
7 b51Fixed OpenJDK6Fixed
Related Reports
Relates :  
JDK-6801020 - Concurrent Semaphore release may cause some require thread not signaled
Description
Martin Buchholz reports:

While writing a test for this, I unearthed yet another race condition in AQS.
Fortunately, it's in new jdk7 code.

In the expression
(h = head) != tail &&
head may be read as null,
then head and tail are both initialized before tail on RHS is read,
yielding NPE

Caused by: java.lang.NullPointerException
	at java.util.concurrent.locks.AbstractQueuedSynchronizer.hasQueuedPredecessors(AbstractQueuedSynchronizer.java:1510)
	at java.util.concurrent.Semaphore$FairSync.tryAcquireShared(Semaphore.java:245)
	at java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireSharedInterruptibly(AbstractQueuedSynchronizer.java:1263)
	at java.util.concurrent.Semaphore.acquire(Semaphore.java:312)

We need to read fields in the reverse order.

@@ -1445,8 +1502,10 @@
         // The correctness of this depends on head being initialized
         // before tail and on head.next being accurate if the current
         // thread is first in queue.
-        Node h, s;
-        return (h = head) != tail &&
+        Node t = tail; // Read fields in reverse initialization order
+        Node h = head;
+        Node s;
+        return h != t &&
             ((s = h.next) == null || s.thread != Thread.currentThread());
     }
Comments
EVALUATION Refer to this message for the changeset push notification: http://mail.openjdk.java.net/pipermail/net-dev/2009-February/000639.html
12-03-2009
SUGGESTED FIX See description
10-02-2009
EVALUATION See description.
10-02-2009