Concurrency Concepts

In 2003, the Northeast Blackout affected 55 million people across the United States and Canada. Investigation revealed that a software bug—involving unsynchronized access to shared state in the alarm monitoring system—prevented operators from seeing critical alerts as the grid began to fail. The bug had existed for years but manifested only under a specific combination of conditions.

This is the nature of data races: they lurk silently in code, working correctly most of the time, until conditions align to produce catastrophic failure. A data race can:

• Pass all tests yet fail in production
• Work for years then suddenly break with a new CPU or compiler
• Produce different behavior on every run
• Corrupt data in ways that aren't discovered until much later
• Be nearly impossible to reproduce for debugging

Data races are the single most important bug class in concurrent programming, and understanding them deeply is essential for any engineer working with threads.

A data race occurs when all of the following conditions are met:

1. Two or more threads access the same memory location
2. At least one access is a write
3. The accesses are not ordered by synchronization (no happens-before relationship)
4. The accesses can occur concurrently (both could happen 'at the same time')

The formal definition:

A data race is a situation where two memory accesses in different threads target the same location, at least one is a write, and there is no happens-before relationship between them.

Note what is not required for a data race:

• Both threads don't need to write—one reader and one writer is sufficient
• The accesses don't need to actually happen simultaneously—potential concurrency is enough
• The program doesn't need to produce wrong results—the race exists regardless of outcomes

Data races aren't just bugs—in C and C++, they're undefined behavior. This has profound implications that many developers don't fully appreciate.

Undefined behavior means anything can happen:

The language specification places no constraints on program behavior when a data race exists. The compiler is free to assume data races don't exist and optimize accordingly. This can cause:

1. Value corruption — Torn reads/writes where a 64-bit value is partially updated may produce values that were never written by any thread.

2. Optimization breakage — The compiler might cache a value in a register, never re-reading from memory even though another thread changed it.

3. Infinite loops — A loop that checks a flag might be optimized to check once (since 'no race exists,' the flag can't change).

4. Time travel — Due to compiler reordering, effects of a data race may appear to happen before their causes.

5. Speculative execution effects — Side-channel information leakage, as demonstrated by Spectre vulnerabilities.

The non-determinism problem:

Even when data races don't trigger dramatic effects, they introduce non-determinism:

• The same code with the same inputs can produce different outputs
• Behavior may change with different thread schedules, CPU loads, or timing
• Adding debug output (printf, logging) changes timing and may hide bugs
• Bugs may appear only in production, under load, or on certain hardware

This makes data race bugs extremely difficult to diagnose. A 'Heisenbug' that disappears when you try to observe it is often a data race.

The most classic data race pattern is the lost update, where two threads try to update the same value and one update is lost.

Consider incrementing a counter:

counter = counter + 1;

This looks like one operation, but it's actually three:

1. Read: Load current value of counter into register
2. Modify: Add 1 to the register value
3. Write: Store the register value back to counter

With two threads executing concurrently, the interleaving can cause updates to be lost:

Expected result: 2 (both increments applied) Actual result: 1 (Thread 2's increment overwrote Thread 1's)

The update from Thread 1 was lost because Thread 2 read the old value before Thread 1's write was visible.

This generalizes to any read-modify-write pattern:

• Bank account: balance = balance - withdrawal (lost withdrawals → wrong balance)
• Inventory: stock = stock - order (lost orders → overselling)
• Statistics: total += measurement (lost data → wrong statistics)
• Reference counting: refcount-- (lost decrement → memory leak)

In all these cases, the pattern is the same: read, compute, write—without atomicity, the race exists.

Torn reads/writes occur when a multi-byte value is partially updated by one thread while another thread reads it, resulting in a chimeric value that was never written.

When tearing can occur:

The C standard does not guarantee that any type is accessed atomically. Whether tearing occurs depends on:

1. Data size vs. native word size — Writing a 64-bit value on a 32-bit CPU requires two memory operations. Another thread may see half old, half new.

2. Alignment — Misaligned data may cross cache lines, requiring multiple memory accesses.

3. Hardware architecture — Even correctly-sized, aligned data may not be atomic on all hardware.

Example: 64-bit value on 32-bit CPU

The reader sees 0x00000000FFFFFFFF—a value that Thread 1 never intended to write! This is a torn read.

Real-world consequences:

• Pointers: A torn pointer read could produce an invalid address, causing a crash or accessing arbitrary memory
• Floating point: A torn double could be NaN, Inf, or a denormalized number, causing calculation errors
• Timestamps: A torn timestamp could appear to be far in the past or future
• Counters: A torn counter could jump backwards or show impossible values

What guarantees atomicity?

In practice, most modern 64-bit platforms guarantee atomic access for naturally-aligned 64-bit values. But this is a hardware/ABI guarantee, not a language guarantee. Always use atomic types when multiple threads access the same data.

Data races are notoriously difficult to detect through testing alone because they depend on thread scheduling, which varies non-deterministically. Fortunately, powerful tools exist:

1. ThreadSanitizer (TSan)

Instrumentation-based detection built into Clang and GCC. Tracks all memory accesses and synchronization to detect races at runtime.

• Compile with -fsanitize=thread
• Slowdown: ~10-20×
• Memory overhead: ~10×
• Detects races as they occur, with precise stack traces

2. Helgrind (Valgrind tool)

Dynamic race detection using Valgrind's binary instrumentation.

• Run with valgrind --tool=helgrind ./program
• Slower than TSan (~20-30×)
• Detects races, lock order violations, misuse of pthreads API

3. Intel Inspector

Commercial race detection for Intel platforms.

• Precise detection with lower overhead than Helgrind
• GUI for exploring races and fix recommendations

4. Static Analysis

Tools like Coverity, PVS-Studio, and Clang's static analyzer can identify potential races without running code.

• Fast, no runtime overhead
• May produce false positives
• Cannot detect all races (undecidable in general)

Limitations of race detection:

• Dynamic tools only find executed races — Code paths not exercised during testing won't be checked
• Scheduling-dependent — A race may not manifest during the instrumented run
• No guarantee of completeness — Race detection is undecidable in general; tools catch most practical cases but can miss some
• Overhead may hide races — The slowdown from instrumentation changes timing, potentially preventing manifestation

Despite limitations, race detectors catch the vast majority of races in practice and are essential tools for concurrent programming.

The fundamental principle for preventing data races:

If a memory location is accessed by multiple threads and at least one access is a write, all accesses must be synchronized.

There are several strategies to achieve this:

Strategy 1: Mutual Exclusion (Locks)

Protect all accesses to shared data with a mutex. Only one thread can hold the lock at a time, preventing concurrent access.

Strategy 2: Atomic Operations

Use atomic types and operations (C11 _Atomic, C++ std::atomic) for simple shared state. The hardware guarantees atomicity.

Strategy 3: Message Passing

Instead of sharing memory, have threads communicate by sending messages (channels, queues). Shared state is eliminated.

Strategy 4: Immutability

Data that is never modified after creation is inherently safe for concurrent reads. Many functional programming patterns leverage this.

Strategy 5: Thread Confinement

Design so that each piece of data is only accessed by one thread. No sharing = no races.

Different programming languages handle data races differently:

C and C++

Data races are undefined behavior. The program may do anything—crash, produce wrong results, appear to work, or format your hard drive (in theory). The language provides atomics and threading primitives, but race prevention is entirely the programmer's responsibility.

Java

Data races produce weak but defined behavior. The Java Memory Model specifies what happens: you may see stale or partly-updated values, but certain cases (like torn long/double writes) are prevented for volatile variables. Race prevention is still your job, but undefined behavior is avoided.

Go

The Go race detector catches races at runtime, and races are considered bugs, but behavior is not undefined—you get unpredictable-but-safe behavior. Go encourages message passing via channels: "Do not communicate by sharing memory; share memory by communicating."

Rust

Data races are impossible (in safe Rust). The ownership and borrowing system prevents multiple threads from having mutable access to the same data simultaneously. This is checked at compile time—if your code compiles, it's data-race free.

*Python's GIL prevents simultaneous bytecode execution but doesn't prevent race conditions in logic.

**JavaScript's main thread is single-threaded, but Web Workers can share memory via SharedArrayBuffer, requiring explicit atomics.

Data races have caused numerous real-world failures. Understanding these helps appreciate why race prevention matters.

Therac-25 (1985-1987)

A radiation therapy machine that massively overdosed patients due to software race conditions. When operators typed commands quickly, race conditions between the user interface and hardware control software could set lethal radiation doses. Six patients received massive overdoses; three died. The root cause included missing synchronization between concurrent software routines.

2003 Northeast Blackout

As mentioned earlier, a race condition in the alarm system software prevented operators from seeing cascading failures in the power grid. The race had existed for years but triggered only under specific conditions—55 million people lost power.

Knight Capital (2012)

A trading firm lost $440 million in 45 minutes due to software deployment errors that activated old, disabled code. While not purely a data race, the incident involved unsynchronized state between components behaving as if old orders were valid. Improper concurrent access to shared state contributed to catastrophic behavior.

Linux Kernel Privilege Escalation (CVE-2016-5195, 'Dirty COW')

A race condition in the Linux kernel's copy-on-write mechanism allowed unprivileged users to gain root access. The race had existed for nearly a decade. Attackers could race two threads to write to memory they shouldn't have access to, exploiting a narrow window in the kernel's memory handling.

Writing race-free concurrent code requires disciplined practices:

1. Document thread-safety invariants

For every shared variable, document:

• Which threads may access it
• Which lock protects it (if any)
• The memory ordering used (for atomics)

2. Minimize sharing

The safest race is one that can't happen because data isn't shared. Design for thread confinement and message passing where possible.

3. Hold locks for the minimum time

Long critical sections increase contention and the window for mistakes. Enter, do the minimum necessary, exit.

4. Use established patterns

Producer-consumer, readers-writers, and other patterns have well-understood solutions. Use them rather than inventing ad-hoc synchronization.

5. Review concurrent code carefully

Every concurrent code review should ask:

• Is this variable accessed by multiple threads?
• If so, what synchronization protects it?
• Could instruction reordering break this?

We've examined data races—the fundamental hazard that makes concurrent programming challenging:

What's next:

We've seen that data races occur when concurrent accesses aren't properly synchronized. But what exactly needs synchronization? The next page examines critical regions—the sections of code where race conditions can occur, and the formal requirements for safely executing them.