数据竞争和竞争条件
安全的 Rust 代码保证没有数据竞争,数据竞争的定义如下:
- 两个或多个线程同时访问同一内存位置
- 其中至少有一个是写操作
- 其中至少有一个是非同步的
数据竞争会导致未定义行为,因此在安全的 Rust 代码中是不可能发生的。数据竞争主要通过 Rust 的所有权系统来防止:不可能对可变引用创建别名,因此不可能发生数据竞争。内部可变性使得情况更加复杂,这也是我们拥有 Send 和 Sync 特征的主要原因(有关这方面的更多信息,请参见下一节)。
然而,Rust 并不能防止一般的竞争条件。
在不控制调度程序的情况下,这在数学上是不可能的,而这在正常的操作系统环境中是事实。如果确实控制了抢占,则可以防止一般的竞争 - RTIC 等框架就使用了这种技术。但是,实际控制调度程序的情况非常少见。
因此,Rust 在同步不正确的情况下发生死锁或出现异常行为被认为是“安全的”:这被称为一般的竞争条件或资源竞争。显然,这样的程序不是很好,但 Rust 当然不能防止所有逻辑错误。
无论如何,竞争条件本身不会违反 Rust 程序中的内存安全。只有与其他一些不安全的代码结合使用时,竞争条件才会真正违反内存安全。例如,一个正确的程序如下所示
#![allow(unused)] fn main() { use std::thread; use std::sync::atomic::{AtomicUsize, Ordering}; use std::sync::Arc; let data = vec![1, 2, 3, 4]; // Arc so that the memory the AtomicUsize is stored in still exists for // the other thread to increment, even if we completely finish executing // before it. Rust won't compile the program without it, because of the // lifetime requirements of thread::spawn! let idx = Arc::new(AtomicUsize::new(0)); let other_idx = idx.clone(); // `move` captures other_idx by-value, moving it into this thread thread::spawn(move || { // It's ok to mutate idx because this value // is an atomic, so it can't cause a Data Race. other_idx.fetch_add(10, Ordering::SeqCst); }); // Index with the value loaded from the atomic. This is safe because we // read the atomic memory only once, and then pass a copy of that value // to the Vec's indexing implementation. This indexing will be correctly // bounds checked, and there's no chance of the value getting changed // in the middle. However our program may panic if the thread we spawned // managed to increment before this ran. A race condition because correct // program execution (panicking is rarely correct) depends on order of // thread execution. println!("{}", data[idx.load(Ordering::SeqCst)]); }
如果我们事先进行边界检查,然后使用未经检查的值不安全地访问数据,就会导致数据竞争
#![allow(unused)] fn main() { use std::thread; use std::sync::atomic::{AtomicUsize, Ordering}; use std::sync::Arc; let data = vec![1, 2, 3, 4]; let idx = Arc::new(AtomicUsize::new(0)); let other_idx = idx.clone(); // `move` captures other_idx by-value, moving it into this thread thread::spawn(move || { // It's ok to mutate idx because this value // is an atomic, so it can't cause a Data Race. other_idx.fetch_add(10, Ordering::SeqCst); }); if idx.load(Ordering::SeqCst) < data.len() { unsafe { // Incorrectly loading the idx after we did the bounds check. // It could have changed. This is a race condition, *and dangerous* // because we decided to do `get_unchecked`, which is `unsafe`. println!("{}", data.get_unchecked(idx.load(Ordering::SeqCst))); } } }