android-4.0.1_r1/s

<?xml version="1.0"?> <!-- -*- sgml -*- -->
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
          "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[ <!ENTITY % vg-entities SYSTEM "../../docs/xml/vg-entities.xml"> %vg-entities; ]>


<chapter id="hg-manual" xreflabel="Helgrind: thread error detector">
  <title>Helgrind: a thread error detector</title>

<para>To use this tool, you must specify
<option>--tool=helgrind</option> on the Valgrind
command line.</para>


<sect1 id="hg-manual.overview" xreflabel="Overview">
<title>Overview</title>

<para>Helgrind is a Valgrind tool for detecting synchronisation errors
in C, C++ and Fortran programs that use the POSIX pthreads
threading primitives.</para>

<para>The main abstractions in POSIX pthreads are: a set of threads
sharing a common address space, thread creation, thread joining,
thread exit, mutexes (locks), condition variables (inter-thread event
notifications), reader-writer locks, spinlocks, semaphores and
barriers.</para>

<para>Helgrind can detect three classes of errors, which are discussed
in detail in the next three sections:</para>

<orderedlist>
 <listitem>
  <para><link linkend="hg-manual.api-checks">
        Misuses of the POSIX pthreads API.</link></para>
 </listitem>
 <listitem>
  <para><link linkend="hg-manual.lock-orders">
        Potential deadlocks arising from lock
        ordering problems.</link></para>
 </listitem>
 <listitem>
  <para><link linkend="hg-manual.data-races">
        Data races -- accessing memory without adequate locking
                      or synchronisation</link>.
  </para>
 </listitem>
</orderedlist>

<para>Problems like these often result in unreproducible,
timing-dependent crashes, deadlocks and other misbehaviour, and
can be difficult to find by other means.</para>

<para>Helgrind is aware of all the pthread abstractions and tracks
their effects as accurately as it can.  On x86 and amd64 platforms, it
understands and partially handles implicit locking arising from the
use of the LOCK instruction prefix.
</para>

<para>Helgrind works best when your application uses only the POSIX
pthreads API.  However, if you want to use custom threading
primitives, you can describe their behaviour to Helgrind using the
<varname>ANNOTATE_*</varname> macros defined
in <varname>helgrind.h</varname>.  This functionality was added in
release 3.5.0 of Valgrind, and is considered experimental.</para>


<para>Following those is a section containing
<link linkend="hg-manual.effective-use">
hints and tips on how to get the best out of Helgrind.</link>
</para>

<para>Then there is a
<link linkend="hg-manual.options">summary of command-line
options.</link>
</para>

<para>Finally, there is
<link linkend="hg-manual.todolist">a brief summary of areas in which Helgrind
could be improved.</link>
</para>

</sect1>


<sect1 id="hg-manual.api-checks" xreflabel="API Checks">
<title>Detected errors: Misuses of the POSIX pthreads API</title>

<para>Helgrind intercepts calls to many POSIX pthreads functions, and
is therefore able to report on various common problems.  Although
these are unglamourous errors, their presence can lead to undefined
program behaviour and hard-to-find bugs later on.  The detected errors
are:</para>

<itemizedlist>
 <listitem><para>unlocking an invalid mutex</para></listitem>
 <listitem><para>unlocking a not-locked mutex</para></listitem>
 <listitem><para>unlocking a mutex held by a different
                 thread</para></listitem>
 <listitem><para>destroying an invalid or a locked mutex</para></listitem>
 <listitem><para>recursively locking a non-recursive mutex</para></listitem>
 <listitem><para>deallocation of memory that contains a
                 locked mutex</para></listitem>
 <listitem><para>passing mutex arguments to functions expecting
                 reader-writer lock arguments, and vice
                 versa</para></listitem>
 <listitem><para>when a POSIX pthread function fails with an
                 error code that must be handled</para></listitem>
 <listitem><para>when a thread exits whilst still holding locked
                 locks</para></listitem>
 <listitem><para>calling <function>pthread_cond_wait</function>
                 with a not-locked mutex, an invalid mutex,
                 or one locked by a different
                 thread</para></listitem>
 <listitem><para>inconsistent bindings between condition
                 variables and their associated mutexes</para></listitem>
 <listitem><para>invalid or duplicate initialisation of a pthread
                 barrier</para></listitem>
 <listitem><para>initialisation of a pthread barrier on which threads
                 are still waiting</para></listitem>
 <listitem><para>destruction of a pthread barrier object which was
                 never initialised, or on which threads are still
                 waiting</para></listitem>
 <listitem><para>waiting on an uninitialised pthread
                 barrier</para></listitem>
 <listitem><para>for all of the pthreads functions that Helgrind
                 intercepts, an error is reported, along with a stack
                 trace, if the system threading library routine returns
                 an error code, even if Helgrind itself detected no
                 error</para></listitem>
</itemizedlist>

<para>Checks pertaining to the validity of mutexes are generally also
performed for reader-writer locks.</para>

<para>Various kinds of this-can't-possibly-happen events are also
reported.  These usually indicate bugs in the system threading
library.</para>

<para>Reported errors always contain a primary stack trace indicating
where the error was detected.  They may also contain auxiliary stack
traces giving additional information.  In particular, most errors
relating to mutexes will also tell you where that mutex first came to
Helgrind's attention (the "<computeroutput>was first observed
at</computeroutput>" part), so you have a chance of figuring out which
mutex it is referring to.  For example:</para>

<programlisting><![CDATA[
Thread #1 unlocked a not-locked lock at 0x7FEFFFA90
   at 0x4C2408D: pthread_mutex_unlock (hg_intercepts.c:492)
   by 0x40073A: nearly_main (tc09_bad_unlock.c:27)
   by 0x40079B: main (tc09_bad_unlock.c:50)
  Lock at 0x7FEFFFA90 was first observed
   at 0x4C25D01: pthread_mutex_init (hg_intercepts.c:326)
   by 0x40071F: nearly_main (tc09_bad_unlock.c:23)
   by 0x40079B: main (tc09_bad_unlock.c:50)
]]></programlisting>

<para>Helgrind has a way of summarising thread identities, as
you see here with the text "<computeroutput>Thread
#1</computeroutput>".  This is so that it can speak about threads and
sets of threads without overwhelming you with details.  See
<link linkend="hg-manual.data-races.errmsgs">below</link>
for more information on interpreting error messages.</para>

</sect1>


<sect1 id="hg-manual.lock-orders" xreflabel="Lock Orders">
<title>Detected errors: Inconsistent Lock Orderings</title>

<para>In this section, and in general, to "acquire" a lock simply
means to lock that lock, and to "release" a lock means to unlock
it.</para>

<para>Helgrind monitors the order in which threads acquire locks.
This allows it to detect potential deadlocks which could arise from
the formation of cycles of locks.  Detecting such inconsistencies is
useful because, whilst actual deadlocks are fairly obvious, potential
deadlocks may never be discovered during testing and could later lead
to hard-to-diagnose in-service failures.</para>

<para>The simplest example of such a problem is as
follows.</para>

<itemizedlist>
 <listitem><para>Imagine some shared resource R, which, for whatever
  reason, is guarded by two locks, L1 and L2, which must both be held
  when R is accessed.</para>
 </listitem>
 <listitem><para>Suppose a thread acquires L1, then L2, and proceeds
  to access R.  The implication of this is that all threads in the
  program must acquire the two locks in the order first L1 then L2.
  Not doing so risks deadlock.</para>
 </listitem>
 <listitem><para>The deadlock could happen if two threads -- call them
  T1 and T2 -- both want to access R.  Suppose T1 acquires L1 first,
  and T2 acquires L2 first.  Then T1 tries to acquire L2, and T2 tries
  to acquire L1, but those locks are both already held.  So T1 and T2
  become deadlocked.</para>
 </listitem>
</itemizedlist>

<para>Helgrind builds a directed graph indicating the order in which
locks have been acquired in the past.  When a thread acquires a new
lock, the graph is updated, and then checked to see if it now contains
a cycle.  The presence of a cycle indicates a potential deadlock involving
the locks in the cycle.</para>

<para>In simple situations, where the cycle only contains two locks,
Helgrind will show where the required order was established:</para>

<programlisting><![CDATA[
Thread #1: lock order "0x7FEFFFAB0 before 0x7FEFFFA80" violated
   at 0x4C23C91: pthread_mutex_lock (hg_intercepts.c:388)
   by 0x40081F: main (tc13_laog1.c:24)
  Required order was established by acquisition of lock at 0x7FEFFFAB0
   at 0x4C23C91: pthread_mutex_lock (hg_intercepts.c:388)
   by 0x400748: main (tc13_laog1.c:17)
  followed by a later acquisition of lock at 0x7FEFFFA80
   at 0x4C23C91: pthread_mutex_lock (hg_intercepts.c:388)
   by 0x400773: main (tc13_laog1.c:18)
]]></programlisting>

<para>When there are more than two locks in the cycle, the error is
equally serious.  However, at present Helgrind does not show the locks
involved, so as to avoid flooding you with information.  That could be
fixed in future.  For example, here is a an example involving a cycle
of five locks from a naive implementation the famous Dining
Philosophers problem
(see <computeroutput>helgrind/tests/tc14_laog_dinphils.c</computeroutput>).
In this case Helgrind has detected that all 5 philosophers could
simultaneously pick up their left fork and then deadlock whilst
waiting to pick up their right forks.</para>

<programlisting><![CDATA[
Thread #6: lock order "0x6010C0 before 0x601160" violated
   at 0x4C23C91: pthread_mutex_lock (hg_intercepts.c:388)
   by 0x4007C0: dine (tc14_laog_dinphils.c:19)
   by 0x4C25DF7: mythread_wrapper (hg_intercepts.c:178)
   by 0x4E2F09D: start_thread (in /lib64/libpthread-2.5.so)
   by 0x51054CC: clone (in /lib64/libc-2.5.so)
]]></programlisting>

</sect1>


<sect1 id="hg-manual.data-races" xreflabel="Data Races">
<title>Detected errors: Data Races</title>

<para>A data race happens, or could happen, when two threads access a
shared memory location without using suitable locks or other
synchronisation to ensure single-threaded access.  Such missing
locking can cause obscure timing dependent bugs.  Ensuring programs
are race-free is one of the central difficulties of threaded
programming.</para>

<para>Reliably detecting races is a difficult problem, and most
of Helgrind's internals are devoted to do dealing with it.
We begin with a simple example.</para>


<sect2 id="hg-manual.data-races.example" xreflabel="Simple Race">
<title>A Simple Data Race</title>

<para>About the simplest possible example of a race is as follows.  In
this program, it is impossible to know what the value
of <computeroutput>var</computeroutput> is at the end of the program.
Is it 2 ?  Or 1 ?</para>

<programlisting><![CDATA[
#include <pthread.h>

int var = 0;

void* child_fn ( void* arg ) {
   var++; /* Unprotected relative to parent */ /* this is line 6 */
   return NULL;
}

int main ( void ) {
   pthread_t child;
   pthread_create(&child, NULL, child_fn, NULL);
   var++; /* Unprotected relative to child */ /* this is line 13 */
   pthread_join(child, NULL);
   return 0;
}
]]></programlisting>

<para>The problem is there is nothing to
stop <varname>var</varname> being updated simultaneously
by both threads.  A correct program would
protect <varname>var</varname> with a lock of type
<function>pthread_mutex_t</function>, which is acquired
before each access and released afterwards.  Helgrind's output for
this program is:</para>

<programlisting><![CDATA[
Thread #1 is the program's root thread

Thread #2 was created
   at 0x511C08E: clone (in /lib64/libc-2.8.so)
   by 0x4E333A4: do_clone (in /lib64/libpthread-2.8.so)
   by 0x4E33A30: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.8.so)
   by 0x4C299D4: pthread_create@* (hg_intercepts.c:214)
   by 0x400605: main (simple_race.c:12)

Possible data race during read of size 4 at 0x601038 by thread #1
   at 0x400606: main (simple_race.c:13)
 This conflicts with a previous write of size 4 by thread #2
   at 0x4005DC: child_fn (simple_race.c:6)
   by 0x4C29AFF: mythread_wrapper (hg_intercepts.c:194)
   by 0x4E3403F: start_thread (in /lib64/libpthread-2.8.so)
   by 0x511C0CC: clone (in /lib64/libc-2.8.so)
 Location 0x601038 is 0 bytes inside global var "var"
 declared at simple_race.c:3
]]></programlisting>

<para>This is quite a lot of detail for an apparently simple error.
The last clause is the main error message.  It says there is a race as
a result of a read of size 4 (bytes), at 0x601038, which is the
address of <computeroutput>var</computeroutput>, happening in
function <computeroutput>main</computeroutput> at line 13 in the
program.</para>

<para>Two important parts of the message are:</para>

<itemizedlist>
 <listitem>
  <para>Helgrind shows two stack traces for the error, not one.  By
   definition, a race involves two different threads accessing the
   same location in such a way that the result depends on the relative
   speeds of the two threads.</para>
  <para>
   The first stack trace follows the text "<computeroutput>Possible
   data race during read of size 4 ...</computeroutput>" and the
   second trace follows the text "<computeroutput>This conflicts with
   a previous write of size 4 ...</computeroutput>".  Helgrind is
   usually able to show both accesses involved in a race.  At least
   one of these will be a write (since two concurrent, unsynchronised
   reads are harmless), and they will of course be from different
   threads.</para>
  <para>By examining your program at the two locations, you should be
   able to get at least some idea of what the root cause of the
   problem is.</para>
 </listitem>
 <listitem>
  <para>For races which occur on global or stack variables, Helgrind
   tries to identify the name and defining point of the variable.
   Hence the text "<computeroutput>Location 0x601038 is 0 bytes inside
   global var "var" declared at simple_race.c:3</computeroutput>".</para>
  <para>Showing names of stack and global variables carries no
   run-time overhead once Helgrind has your program up and running.
   However, it does require Helgrind to spend considerable extra time
   and memory at program startup to read the relevant debug info.
   Hence this facility is disabled by default.  To enable it, you need
   to give the <varname>--read-var-info=yes</varname> option to
   Helgrind.</para>
 </listitem>
</itemizedlist>

<para>The following section explains Helgrind's race detection
algorithm in more detail.</para>

</sect2>


<sect2 id="hg-manual.data-races.algorithm" xreflabel="DR Algorithm">
<title>Helgrind's Race Detection Algorithm</title>

<para>Most programmers think about threaded programming in terms of
the basic functionality provided by the threading library (POSIX
Pthreads): thread creation, thread joining, locks, condition
variables, semaphores and barriers.</para>

<para>The effect of using these functions is to impose
constraints upon the order in which memory accesses can
happen.  This implied ordering is generally known as the
"happens-before relation".  Once you understand the happens-before
relation, it is easy to see how Helgrind finds races in your code.
Fortunately, the happens-before relation is itself easy to understand,
and is by itself a useful tool for reasoning about the behaviour of
parallel programs.  We now introduce it using a simple example.</para>

<para>Consider first the following buggy program:</para>

<programlisting><![CDATA[
Parent thread:                         Child thread:

int var;

// create child thread
pthread_create(...)
var = 20;                              var = 10;
                                       exit

// wait for child
pthread_join(...)
printf("%d\n", var);
]]></programlisting>

<para>The parent thread creates a child.  Both then write different
values to some variable <computeroutput>var</computeroutput>, and the
parent then waits for the child to exit.</para>

<para>What is the value of <computeroutput>var</computeroutput> at the
end of the program, 10 or 20?  We don't know.  The program is
considered buggy (it has a race) because the final value
of <computeroutput>var</computeroutput> depends on the relative rates
of progress of the parent and child threads.  If the parent is fast
and the child is slow, then the child's assignment may happen later,
so the final value will be 10; and vice versa if the child is faster
than the parent.</para>

<para>The relative rates of progress of parent vs child is not something
the programmer can control, and will often change from run to run.
It depends on factors such as the load on the machine, what else is
running, the kernel's scheduling strategy, and many other factors.</para>

<para>The obvious fix is to use a lock to
protect <computeroutput>var</computeroutput>.  It is however
instructive to consider a somewhat more abstract solution, which is to
send a message from one thread to the other:</para>

<programlisting><![CDATA[
Parent thread:                         Child thread:

int var;

// create child thread
pthread_create(...)
var = 20;
// send message to child
                                       // wait for message to arrive
                                       var = 10;
                                       exit

// wait for child
pthread_join(...)
printf("%d\n", var);
]]></programlisting>

<para>Now the program reliably prints "10", regardless of the speed of
the threads.  Why?  Because the child's assignment cannot happen until
after it receives the message.  And the message is not sent until
after the parent's assignment is done.</para>

<para>The message transmission creates a "happens-before" dependency
between the two assignments: <computeroutput>var = 20;</computeroutput>
must now happen-before <computeroutput>var = 10;</computeroutput>.
And so there is no longer a race
on <computeroutput>var</computeroutput>.
</para>

<para>Note that it's not significant that the parent sends a message
to the child.  Sending a message from the child (after its assignment)
to the parent (before its assignment) would also fix the problem, causing
the program to reliably print "20".</para>

<para>Helgrind's algorithm is (conceptually) very simple.  It monitors all
accesses to memory locations.  If a location -- in this example,
<computeroutput>var</computeroutput>,
is accessed by two different threads, Helgrind checks to see if the
two accesses are ordered by the happens-before relation.  If so,
that's fine; if not, it reports a race.</para>

<para>It is important to understand that the happens-before relation
creates only a partial ordering, not a total ordering.  An example of
a total ordering is comparison of numbers: for any two numbers
<computeroutput>x</computeroutput> and
<computeroutput>y</computeroutput>, either
<computeroutput>x</computeroutput> is less than, equal to, or greater
than
<computeroutput>y</computeroutput>.  A partial ordering is like a
total ordering, but it can also express the concept that two elements
are neither equal, less or greater, but merely unordered with respect
to each other.</para>

<para>In the fixed example above, we say that
<computeroutput>var = 20;</computeroutput> "happens-before"
<computeroutput>var = 10;</computeroutput>.  But in the original
version, they are unordered: we cannot say that either happens-before
the other.</para>

<para>What does it mean to say that two accesses from different
threads are ordered by the happens-before relation?  It means that
there is some chain of inter-thread synchronisation operations which
cause those accesses to happen in a particular order, irrespective of
the actual rates of progress of the individual threads.  This is a
required property for a reliable threaded program, which is why
Helgrind checks for it.</para>

<para>The happens-before relations created by standard threading
primitives are as follows:</para>

<itemizedlist>
 <listitem><para>When a mutex is unlocked by thread T1 and later (or
  immediately) locked by thread T2, then the memory accesses in T1
  prior to the unlock must happen-before those in T2 after it acquires
  the lock.</para>
 </listitem>
 <listitem><para>The same idea applies to reader-writer locks,
  although with some complication so as to allow correct handling of
  reads vs writes.</para>
 </listitem>
 <listitem><para>When a condition variable (CV) is signalled on by
  thread T1 and some other thread T2 is thereby released from a wait
  on the same CV, then the memory accesses in T1 prior to the
  signalling must happen-before those in T2 after it returns from the
  wait.  If no thread was waiting on the CV then there is no
  effect.</para>
 </listitem>
 <listitem><para>If instead T1 broadcasts on a CV, then all of the
  waiting threads, rather than just one of them, acquire a
  happens-before dependency on the broadcasting thread at the point it
  did the broadcast.</para>
 </listitem>
 <listitem><para>A thread T2 that continues after completing sem_wait
  on a semaphore that thread T1 posts on, acquires a happens-before
  dependence on the posting thread, a bit like dependencies caused
  mutex unlock-lock pairs.  However, since a semaphore can be posted
  on many times, it is unspecified from which of the post calls the
  wait call gets its happens-before dependency.</para>
 </listitem>
 <listitem><para>For a group of threads T1 .. Tn which arrive at a
  barrier and then move on, each thread after the call has a
  happens-after dependency from all threads before the
  barrier.</para>
 </listitem>
 <listitem><para>A newly-created child thread acquires an initial
  happens-after dependency on the point where its parent created it.
  That is, all memory accesses performed by the parent prior to
  creating the child are regarded as happening-before all the accesses
  of the child.</para>
 </listitem>
 <listitem><para>Similarly, when an exiting thread is reaped via a
  call to <function>pthread_join</function>, once the call returns, the
  reaping thread acquires a happens-after dependency relative to all memory
  accesses made by the exiting thread.</para>
 </listitem>
</itemizedlist>

<para>In summary: Helgrind intercepts the above listed events, and builds a
directed acyclic graph represented the collective happens-before
dependencies.  It also monitors all memory accesses.</para>

<para>If a location is accessed by two different threads, but Helgrind
cannot find any path through the happens-before graph from one access
to the other, then it reports a race.</para>

<para>There are a couple of caveats:</para>

<itemizedlist>
 <listitem><para>Helgrind doesn't check for a race in the case where
  both accesses are reads.  That would be silly, since concurrent
  reads are harmless.</para>
 </listitem>
 <listitem><para>Two accesses are considered to be ordered by the
  happens-before dependency even through arbitrarily long chains of
  synchronisation events.  For example, if T1 accesses some location
  L, and then <function>pthread_cond_signals</function> T2, which later
  <function>pthread_cond_signals</function> T3, which then accesses L, then
  a suitable happens-before dependency exists between the first and second
  accesses, even though it involves two different inter-thread
  synchronisation events.</para>
 </listitem>
</itemizedlist>

</sect2>


<sect2 id="hg-manual.data-races.errmsgs" xreflabel="Race Error Messages">
<title>Interpreting Race Error Messages</title>

<para>Helgrind's race detection algorithm collects a lot of
information, and tries to present it in a helpful way when a race is
detected.  Here's an example:</para>

<programlisting><![CDATA[
Thread #2 was created
   at 0x511C08E: clone (in /lib64/libc-2.8.so)
   by 0x4E333A4: do_clone (in /lib64/libpthread-2.8.so)
   by 0x4E33A30: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.8.so)
   by 0x4C299D4: pthread_create@* (hg_intercepts.c:214)
   by 0x4008F2: main (tc21_pthonce.c:86)

Thread #3 was created
   at 0x511C08E: clone (in /lib64/libc-2.8.so)
   by 0x4E333A4: do_clone (in /lib64/libpthread-2.8.so)
   by 0x4E33A30: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.8.so)
   by 0x4C299D4: pthread_create@* (hg_intercepts.c:214)
   by 0x4008F2: main (tc21_pthonce.c:86)

Possible data race during read of size 4 at 0x601070 by thread #3
   at 0x40087A: child (tc21_pthonce.c:74)
   by 0x4C29AFF: mythread_wrapper (hg_intercepts.c:194)
   by 0x4E3403F: start_thread (in /lib64/libpthread-2.8.so)
   by 0x511C0CC: clone (in /lib64/libc-2.8.so)
 This conflicts with a previous write of size 4 by thread #2
   at 0x400883: child (tc21_pthonce.c:74)
   by 0x4C29AFF: mythread_wrapper (hg_intercepts.c:194)
   by 0x4E3403F: start_thread (in /lib64/libpthread-2.8.so)
   by 0x511C0CC: clone (in /lib64/libc-2.8.so)
 Location 0x601070 is 0 bytes inside local var "unprotected2"
 declared at tc21_pthonce.c:51, in frame #0 of thread 3
]]></programlisting>

<para>Helgrind first announces the creation points of any threads
referenced in the error message.  This is so it can speak concisely
about threads without repeatedly printing their creation point call
stacks.  Each thread is only ever announced once, the first time it
appears in any Helgrind error message.</para>

<para>The main error message begins at the text
"<computeroutput>Possible data race during read</computeroutput>".  At
the start is information you would expect to see -- address and size
of the racing access, whether a read or a write, and the call stack at
the point it was detected.</para>

<para>A second call stack is presented starting at the text
"<computeroutput>This conflicts with a previous
write</computeroutput>".  This shows a previous access which also
accessed the stated address, and which is believed to be racing
against the access in the first call stack.</para>

<para>Finally, Helgrind may attempt to give a description of the
raced-on address in source level terms.  In this example, it
identifies it as a local variable, shows its name, declaration point,
and in which frame (of the first call stack) it lives.  Note that this
information is only shown when <varname>--read-var-info=yes</varname>
is specified on the command line.  That's because reading the DWARF3
debug information in enough detail to capture variable type and
location information makes Helgrind much slower at startup, and also
requires considerable amounts of memory, for large programs.
</para>

<para>Once you have your two call stacks, how do you find the root
cause of the race?</para>

<para>The first thing to do is examine the source locations referred
to by each call stack.  They should both show an access to the same
location, or variable.</para>

<para>Now figure out how how that location should have been made
thread-safe:</para>

<itemizedlist>
 <listitem><para>Perhaps the location was intended to be protected by
  a mutex?  If so, you need to lock and unlock the mutex at both
  access points, even if one of the accesses is reported to be a read.
  Did you perhaps forget the locking at one or other of the
  accesses?</para>
 </listitem>
 <listitem><para>Alternatively, perhaps you intended to use a some
  other scheme to make it safe, such as signalling on a condition
  variable.  In all such cases, try to find a synchronisation event
  (or a chain thereof) which separates the earlier-observed access (as
  shown in the second call stack) from the later-observed access (as
  shown in the first call stack).  In other words, try to find
  evidence that the earlier access "happens-before" the later access.
  See the previous subsection for an explanation of the happens-before
  relation.</para>
  <para>
  The fact that Helgrind is reporting a race means it did not observe
  any happens-before relation between the two accesses.  If
  Helgrind is working correctly, it should also be the case that you
  also cannot find any such relation, even on detailed inspection
  of the source code.  Hopefully, though, your inspection of the code
  will show where the missing synchronisation operation(s) should have
  been.</para>
 </listitem>
</itemizedlist>

</sect2>


</sect1>

<sect1 id="hg-manual.effective-use" xreflabel="Helgrind Effective Use">
<title>Hints and Tips for Effective Use of Helgrind</title>

<para>Helgrind can be very helpful in finding and resolving
threading-related problems.  Like all sophisticated tools, it is most
effective when you understand how to play to its strengths.</para>

<para>Helgrind will be less effective when you merely throw an
existing threaded program at it and try to make sense of any reported
errors.  It will be more effective if you design threaded programs
from the start in a way that helps Helgrind verify correctness.  The
same is true for finding memory errors with Memcheck, but applies more
here, because thread checking is a harder problem.  Consequently it is
much easier to write a correct program for which Helgrind falsely
reports (threading) errors than it is to write a correct program for
which Memcheck falsely reports (memory) errors.</para>

<para>With that in mind, here are some tips, listed most important first,
for getting reliable results and avoiding false errors.  The first two
are critical.  Any violations of them will swamp you with huge numbers
of false data-race errors.</para>


<orderedlist>

  <listitem>
    <para>Make sure your application, and all the libraries it uses,
    use the POSIX threading primitives.  Helgrind needs to be able to
    see all events pertaining to thread creation, exit, locking and
    other synchronisation events.  To do so it intercepts many POSIX
    pthreads functions.</para>

    <para>Do not roll your own threading primitives (mutexes, etc)
    from combinations of the Linux futex syscall, atomic counters, etc.
    These throw Helgrind's internal what's-going-on models
    way off course and will give bogus results.</para>

    <para>Also, do not reimplement existing POSIX abstractions using
    other POSIX abstractions.  For example, don't build your own
    semaphore routines or reader-writer locks from POSIX mutexes and
    condition variables.  Instead use POSIX reader-writer locks and
    semaphores directly, since Helgrind supports them directly.</para>

    <para>Helgrind directly supports the following POSIX threading
    abstractions: mutexes, reader-writer locks, condition variables
    (but see below), semaphores and barriers.  Currently spinlocks
    are not supported, although they could be in future.</para>

    <para>At the time of writing, the following popular Linux packages
    are known to implement their own threading primitives:</para>

    <itemizedlist>
     <listitem><para>Qt version 4.X.  Qt 3.X is harmless in that it
      only uses POSIX pthreads primitives.  Unfortunately Qt 4.X
      has its own implementation of mutexes (QMutex) and thread reaping.
      Helgrind 3.4.x contains direct support
      for Qt 4.X threading, which is experimental but is believed to
      work fairly well.  A side effect of supporting Qt 4 directly is
      that Helgrind can be used to debug KDE4 applications.  As this
      is an experimental feature, we would particularly appreciate
      feedback from folks who have used Helgrind to successfully debug
      Qt 4 and/or KDE4 applications.</para>
     </listitem>
     <listitem><para>Runtime support library for GNU OpenMP (part of
      GCC), at least for GCC versions 4.2 and 4.3.  The GNU OpenMP runtime
      library (<filename>libgomp.so</filename>) constructs its own
      synchronisation primitives using combinations of atomic memory
      instructions and the futex syscall, which causes total chaos since in
      Helgrind since it cannot "see" those.</para>
     <para>Fortunately, this can be solved using a configuration-time
      option (for GCC).  Rebuild GCC from source, and configure using
      <varname>--disable-linux-futex</varname>.
      This makes libgomp.so use the standard
      POSIX threading primitives instead.  Note that this was tested
      using GCC 4.2.3 and has not been re-tested using more recent GCC
      versions.  We would appreciate hearing about any successes or
      failures with more recent versions.</para>
     </listitem>
    </itemizedlist>
  </listitem>

  <listitem>
    <para>Avoid memory recycling.  If you can't avoid it, you must use
    tell Helgrind what is going on via the
    <function>VALGRIND_HG_CLEAN_MEMORY</function> client request (in
    <computeroutput>helgrind.h</computeroutput>).</para>

    <para>Helgrind is aware of standard heap memory allocation and
    deallocation that occurs via
    <function>malloc</function>/<function>free</function>/<function>new</function>/<function>delete</function>
    and from entry and exit of stack frames.  In particular, when memory is
    deallocated via <function>free</function>, <function>delete</function>,
    or function exit, Helgrind considers that memory clean, so when it is
    eventually reallocated, its history is irrelevant.</para>

    <para>However, it is common practice to implement memory recycling
    schemes.  In these, memory to be freed is not handed to
    <function>free</function>/<function>delete</function>, but instead put
    into a pool of free buffers to be handed out again as required.  The
    problem is that Helgrind has no
    way to know that such memory is logically no longer in use, and
    its history is irrelevant.  Hence you must make that explicit,
    using the <function>VALGRIND_HG_CLEAN_MEMORY</function> client request
    to specify the relevant address ranges.  It's easiest to put these
    requests into the pool manager code, and use them either when memory is
    returned to the pool, or is allocated from it.</para>
  </listitem>

  <listitem>
    <para>Avoid POSIX condition variables.  If you can, use POSIX
    semaphores (<function>sem_t</function>, <function>sem_post</function>,
    <function>sem_wait</function>) to do inter-thread event signalling.
    Semaphores with an initial value of zero are particularly useful for
    this.</para>

    <para>Helgrind only partially correctly handles POSIX condition
    variables.  This is because Helgrind can see inter-thread
    dependencies between a <function>pthread_cond_wait</function> call and a
    <function>pthread_cond_signal</function>/<function>pthread_cond_broadcast</function>
    call only if the waiting thread actually gets to the rendezvous first
    (so that it actually calls
    <function>pthread_cond_wait</function>).  It can't see dependencies
    between the threads if the signaller arrives first.  In the latter case,
    POSIX guidelines imply that the associated boolean condition still
    provides an inter-thread synchronisation event, but one which is
    invisible to Helgrind.</para>

    <para>The result of Helgrind missing some inter-thread
    synchronisation events is to cause it to report false positives.
    </para>

    <para>The root cause of this synchronisation lossage is
    particularly hard to understand, so an example is helpful.  It was
    discussed at length by Arndt Muehlenfeld ("Runtime Race Detection
    in Multi-Threaded Programs", Dissertation, TU Graz, Austria).  The
    canonical POSIX-recommended usage scheme for condition variables
    is as follows:</para>

<programlisting><![CDATA[
b   is a Boolean condition, which is False most of the time
cv  is a condition variable
mx  is its associated mutex

Signaller:                             Waiter:

lock(mx)                               lock(mx)
b = True                               while (b == False)
signal(cv)                                wait(cv,mx)
unlock(mx)                             unlock(mx)
]]></programlisting>

    <para>Assume <computeroutput>b</computeroutput> is False most of
    the time.  If the waiter arrives at the rendezvous first, it
    enters its while-loop, waits for the signaller to signal, and
    eventually proceeds.  Helgrind sees the signal, notes the
    dependency, and all is well.</para>

    <para>If the signaller arrives
    first, <computeroutput>b</computeroutput> is set to true, and the
    signal disappears into nowhere.  When the waiter later arrives, it
    does not enter its while-loop and simply carries on.  But even in
    this case, the waiter code following the while-loop cannot execute
    until the signaller sets <computeroutput>b</computeroutput> to
    True.  Hence there is still the same inter-thread dependency, but
    this time it is through an arbitrary in-memory condition, and
    Helgrind cannot see it.</para>

    <para>By comparison, Helgrind's detection of inter-thread
    dependencies caused by semaphore operations is believed to be
    exactly correct.</para>

    <para>As far as I know, a solution to this problem that does not
    require source-level annotation of condition-variable wait loops
    is beyond the current state of the art.</para>
  </listitem>

  <listitem>
    <para>Make sure you are using a supported Linux distribution.  At
    present, Helgrind only properly supports glibc-2.3 or later.  This
    in turn means we only support glibc's NPTL threading
    implementation.  The old LinuxThreads implementation is not
    supported.</para>
  </listitem>

  <listitem>
    <para>Round up all finished threads using
    <function>pthread_join</function>.  Avoid
    detaching threads: don't create threads in the detached state, and
    don't call <function>pthread_detach</function> on existing threads.</para>

    <para>Using <function>pthread_join</function> to round up finished
    threads provides a clear synchronisation point that both Helgrind and
    programmers can see.  If you don't call
    <function>pthread_join</function> on a thread, Helgrind has no way to
    know when it finishes, relative to any
    significant synchronisation points for other threads in the program.  So
    it assumes that the thread lingers indefinitely and can potentially
    interfere indefinitely with the memory state of the program.  It
    has every right to assume that -- after all, it might really be
    the case that, for scheduling reasons, the exiting thread did run
    very slowly in the last stages of its life.</para>
  </listitem>

  <listitem>
    <para>Perform thread debugging (with Helgrind) and memory
    debugging (with Memcheck) together.</para>

    <para>Helgrind tracks the state of memory in detail, and memory
    management bugs in the application are liable to cause confusion.
    In extreme cases, applications which do many invalid reads and
    writes (particularly to freed memory) have been known to crash
    Helgrind.  So, ideally, you should make your application
    Memcheck-clean before using Helgrind.</para>

    <para>It may be impossible to make your application Memcheck-clean
    unless you first remove threading bugs.  In particular, it may be
    difficult to remove all reads and writes to freed memory in
    multithreaded C++ destructor sequences at program termination.
    So, ideally, you should make your application Helgrind-clean
    before using Memcheck.</para>

    <para>Since this circularity is obviously unresolvable, at least
    bear in mind that Memcheck and Helgrind are to some extent
    complementary, and you may need to use them together.</para>
  </listitem>

  <listitem>
    <para>POSIX requires that implementations of standard I/O
    (<function>printf</function>, <function>fprintf</function>,
    <function>fwrite</function>, <function>fread</function>, etc) are thread
    safe.  Unfortunately GNU libc implements this by using internal locking
    primitives that Helgrind is unable to intercept.  Consequently Helgrind
    generates many false race reports when you use these functions.</para>

    <para>Helgrind attempts to hide these errors using the standard
    Valgrind error-suppression mechanism.  So, at least for simple
    test cases, you don't see any.  Nevertheless, some may slip
    through.  Just something to be aware of.</para>
  </listitem>

  <listitem>
    <para>Helgrind's error checks do not work properly inside the
    system threading library itself
    (<computeroutput>libpthread.so</computeroutput>), and it usually
    observes large numbers of (false) errors in there.  Valgrind's
    suppression system then filters these out, so you should not see
    them.</para>

    <para>If you see any race errors reported
    where <computeroutput>libpthread.so</computeroutput> or
    <computeroutput>ld.so</computeroutput> is the object associated
    with the innermost stack frame, please file a bug report at
    <ulink url="&vg-url;">&vg-url;</ulink>.
    </para>
  </listitem>

</orderedlist>

</sect1>


<sect1 id="hg-manual.options" xreflabel="Helgrind Command-line Options">
<title>Helgrind Command-line Options</title>

<para>The following end-user options are available:</para>

<!-- start of xi:include in the manpage -->
<variablelist id="hg.opts.list">

  <varlistentry id="opt.track-lockorders"
                xreflabel="--track-lockorders">
    <term>
      <option><![CDATA[--track-lockorders=no|yes
      [default: yes] ]]></option>
    </term>
    <listitem>
      <para>When enabled (the default), Helgrind performs lock order
      consistency checking.  For some buggy programs, the large number
      of lock order errors reported can become annoying, particularly
      if you're only interested in race errors.  You may therefore find
      it helpful to disable lock order checking.</para>
    </listitem>
  </varlistentry>

  <varlistentry id="opt.history-level"
                xreflabel="--history-level">
    <term>
      <option><![CDATA[--history-level=none|approx|full
      [default: full] ]]></option>
    </term>
    <listitem>
      <para><option>--history-level=full</option> (the default) causes
        Helgrind collects enough information about "old" accesses that
        it can produce two stack traces in a race report -- both the
        stack trace for the current access, and the trace for the
        older, conflicting access.</para>
      <para>Collecting such information is expensive in both speed and
        memory, particularly for programs that do many inter-thread
        synchronisation events (locks, unlocks, etc).  Without such
        information, it is more difficult to track down the root
        causes of races.  Nonetheless, you may not need it in
        situations where you just want to check for the presence or
        absence of races, for example, when doing regression testing
        of a previously race-free program.</para>
      <para><option>--history-level=none</option> is the opposite
        extreme.  It causes Helgrind not to collect any information
        about previous accesses.  This can be dramatically faster
        than <option>--history-level=full</option>.</para>
      <para><option>--history-level=approx</option> provides a
        compromise between these two extremes.  It causes Helgrind to
        show a full trace for the later access, and approximate
        information regarding the earlier access.  This approximate
        information consists of two stacks, and the earlier access is
        guaranteed to have occurred somewhere between program points
        denoted by the two stacks. This is not as useful as showing
        the exact stack for the previous access
        (as <option>--history-level=full</option> does), but it is
        better than nothing, and it is almost as fast as
        <option>--history-level=none</option>.</para>
    </listitem>
  </varlistentry>

  <varlistentry id="opt.conflict-cache-size"
                xreflabel="--conflict-cache-size">
    <term>
      <option><![CDATA[--conflict-cache-size=N
      [default: 1000000] ]]></option>
    </term>
    <listitem>
      <para>This flag only has any effect
        at <option>--history-level=full</option>.</para>
      <para>Information about "old" conflicting accesses is stored in
        a cache of limited size, with LRU-style management.  This is
        necessary because it isn't practical to store a stack trace
        for every single memory access made by the program.
        Historical information on not recently accessed locations is
        periodically discarded, to free up space in the cache.</para>
      <para>This option controls the size of the cache, in terms of the
        number of different memory addresses for which
        conflicting access information is stored.  If you find that
        Helgrind is showing race errors with only one stack instead of
        the expected two stacks, try increasing this value.</para>
      <para>The minimum value is 10,000 and the maximum is 30,000,000
        (thirty times the default value).  Increasing the value by 1
        increases Helgrind's memory requirement by very roughly 100
        bytes, so the maximum value will easily eat up three extra
        gigabytes or so of memory.</para>
    </listitem>
  </varlistentry>

</variablelist>
<!-- end of xi:include in the manpage -->

<!-- start of xi:include in the manpage -->
<!--  commented out, because we don't document debugging options in the
      manual.  Nb: all the double-dashes below had a space inserted in them
      to avoid problems with premature closing of this comment.
<para>In addition, the following debugging options are available for
Helgrind:</para>

<variablelist id="hg.debugopts.list">

  <varlistentry id="opt.trace-malloc" xreflabel="- -trace-malloc">
    <term>
      <option><![CDATA[- -trace-malloc=no|yes [no]
      ]]></option>
    </term>
    <listitem>
      <para>Show all client <function>malloc</function> (etc) and
      <function>free</function> (etc) requests.</para>
    </listitem>
  </varlistentry>

  <varlistentry id="opt.cmp-race-err-addrs"
                xreflabel="- -cmp-race-err-addrs">
    <term>
      <option><![CDATA[- -cmp-race-err-addrs=no|yes [no]
      ]]></option>
    </term>
    <listitem>
      <para>Controls whether or not race (data) addresses should be
        taken into account when removing duplicates of race errors.
        With <varname>- -cmp-race-err-addrs=no</varname>, two otherwise
        identical race errors will be considered to be the same if
        their race addresses differ.  With
        With <varname>- -cmp-race-err-addrs=yes</varname> they will be
        considered different.  This is provided to help make certain
        regression tests work reliably.</para>
    </listitem>
  </varlistentry>

  <varlistentry id="opt.hg-sanity-flags" xreflabel="- -hg-sanity-flags">
    <term>
      <option><![CDATA[- -hg-sanity-flags=<XXXXXX> (X = 0|1) [000000]
      ]]></option>
    </term>
    <listitem>
      <para>Run extensive sanity checks on Helgrind's internal
        data structures at events defined by the bitstring, as
        follows:</para>
      <para><computeroutput>010000 </computeroutput>after changes to
        the lock order acquisition graph</para>
      <para><computeroutput>001000 </computeroutput>after every client
        memory access (NB: not currently used)</para>
      <para><computeroutput>000100 </computeroutput>after every client
        memory range permission setting of 256 bytes or greater</para>
      <para><computeroutput>000010 </computeroutput>after every client
        lock or unlock event</para>
      <para><computeroutput>000001 </computeroutput>after every client
        thread creation or joinage event</para>
      <para>Note these will make Helgrind run very slowly, often to
        the point of being completely unusable.</para>
    </listitem>
  </varlistentry>

</variablelist>
-->
<!-- end of xi:include in the manpage -->


</sect1>


<sect1 id="hg-manual.client-requests" xreflabel="Helgrind Client Requests">
<title>Helgrind Client Requests</title>

<para>The following client requests are defined in
<filename>helgrind.h</filename>.  See that file for exact details of their
arguments.</para>

<itemizedlist>

  <listitem>
    <para><function>VALGRIND_HG_CLEAN_MEMORY</function></para>
    <para>This makes Helgrind forget everything it knows about a
    specified memory range.  This is particularly useful for memory
    allocators that wish to recycle memory.</para>
  </listitem>
  <listitem>
    <para><function>ANNOTATE_HAPPENS_BEFORE</function></para>
  </listitem>
  <listitem>
    <para><function>ANNOTATE_HAPPENS_AFTER</function></para>
  </listitem>
  <listitem>
    <para><function>ANNOTATE_NEW_MEMORY</function></para>
  </listitem>
  <listitem>
    <para><function>ANNOTATE_RWLOCK_CREATE</function></para>
  </listitem>
  <listitem>
    <para><function>ANNOTATE_RWLOCK_DESTROY</function></para>
  </listitem>
  <listitem>
    <para><function>ANNOTATE_RWLOCK_ACQUIRED</function></para>
  </listitem>
  <listitem>
    <para><function>ANNOTATE_RWLOCK_RELEASED</function></para>
    <para>These are used to describe to Helgrind, the behaviour of
    custom (non-POSIX) synchronisation primitives, which it otherwise
    has no way to understand.  See comments
    in <filename>helgrind.h</filename> for further
    documentation.</para>
  </listitem>

</itemizedlist>

</sect1>


<sect1 id="hg-manual.todolist" xreflabel="To Do List">
<title>A To-Do List for Helgrind</title>

<para>The following is a list of loose ends which should be tidied up
some time.</para>

<itemizedlist>
  <listitem><para>For lock order errors, print the complete lock
    cycle, rather than only doing for size-2 cycles as at
    present.</para>
  </listitem>
  <listitem><para>The conflicting access mechanism sometimes
    mysteriously fails to show the conflicting access' stack, even
    when provided with unbounded storage for conflicting access info.
    This should be investigated.</para>
  </listitem>
  <listitem><para>Document races caused by GCC's thread-unsafe code
    generation for speculative stores.  In the interim see
    <computeroutput>http://gcc.gnu.org/ml/gcc/2007-10/msg00266.html
    </computeroutput>
    and <computeroutput>http://lkml.org/lkml/2007/10/24/673</computeroutput>.
    </para>
  </listitem>
  <listitem><para>Don't update the lock-order graph, and don't check
    for errors, when a "try"-style lock operation happens (e.g.
    <function>pthread_mutex_trylock</function>).  Such calls do not add any real
    restrictions to the locking order, since they can always fail to
    acquire the lock, resulting in the caller going off and doing Plan
    B (presumably it will have a Plan B).  Doing such checks could
    generate false lock-order errors and confuse users.</para>
  </listitem>
  <listitem><para> Performance can be very poor.  Slowdowns on the
    order of 100:1 are not unusual.  There is limited scope for
    performance improvements.
    </para>
  </listitem>

</itemizedlist>

</sect1>

</chapter>