Double lock check in C ++: new for temp pointer, then assign it to an instance

No, you cannot even assume that foo = p; is atomic. Perhaps it can load 16 bits of a 32-bit pointer, and then swap it before loading the rest.

If at this moment another thread is Instance() and calls Instance() , you are frying, because the pointer foo invalid.

For true security, you will have to protect the entire testing and tuning mechanism, although this means using mutexes even after creating the pointer. In other words (and I assume that scoped_lock() will release the lock when it goes out of scope here (I have little experience with Boost)), something like:

 Foo& Instance() { scoped_lock lock(mutex); if (foo != 0) foo = new Foo(); return *foo; } 

If you do not want to use mutexes (for performance reasons, presumably), then the option that I used in the past is to create all singletones before the threads begin.

In other words, if you have this control (you cannot), just instantiate each singleton in main before starting other threads. Then do not use the mutex at all. At this point, you will not have problems with threads, and you can simply use the canonical don't-care-about-threads-at-all version:

 Foo& Instance() { if (foo != 0) foo = new Foo(); return *foo; } 

And yes, it makes your code more dangerous for people who couldn’t bother to read your API documents, but (IMNSHO) they deserve everything they get :-)

Why don't you just use a real mutex, ensuring that only one thread tries to create foo ?

 Foo& Instance() { if (!foo) { pthread_mutex_lock(&lock); if (!foo) { Foo *p = new Foo; foo = p; } pthread_mutex_unlock(&lock); } return *foo; } 

This is a lock with verification and testing with free readers. Replace the reader-writer lock above if you want readings to be guaranteed safe in an atom-free environment.

to change . If you really want free readers, first write foo and then write the flag variable fooCreated = 1 . Checking fooCreated != 0 safe; if fooCreated != 0 , then foo initialized.

 Foo& Instance() { if (!fooCreated) { pthread_mutex_lock(&lock); if (!fooCreated) { foo = new Foo; fooCreated = 1; } pthread_mutex_unlock(&lock); } return *foo; } 

The new operator in C ++ always invokes a two-step process:
1.) memory allocation identical to plain malloc
2.) call the constructor for the given data type

 Foo* p = new Foo; foo = p; 

the above code will make creating a singleton in 3 steps, which is even vulnerable to the problem you are trying to solve.

Thanks for all your input. After consulting with Joe Duffy, an excellent book, “Parallel Programming in Windows,” I now think I should use the code below. This is pretty much the code from his book, with the exception of some renaming and the InterlockedXXX line. The following implementation uses:

• mutable keyword for both the temporary and the "actual" pointer to protect against reordering using the compiler .
• InterlockedCompareExchangePointer to protect against CPU reordering.

So this should be pretty safe (... right?):

 template <typename T> class LazyInit { public: typedef T* (*Factory)(); LazyInit(Factory f = 0) : factory_(f) , singleton_(0) { ::InitializeCriticalSection(&cs_); } T& get() { if (!singleton_) { ::EnterCriticalSection(&cs_); if (!singleton_) { T* volatile p = factory_(); // Joe uses _WriterBarrier(); then singleton_ = p; // But I thought better to make singleton_ = p atomic (as I understand, // on Windows, pointer assignments are atomic ONLY if they are aligned) // In addition, the MSDN docs say that InterlockedCompareExchangePointer // sets up a full memory barrier. ::InterlockedCompareExchangePointer((PVOID volatile*)&singleton_, p, 0); } ::LeaveCriticalSection(&cs_); } #if SUPPORT_IA64 _ReadBarrier(); #endif return *singleton_; } virtual ~LazyInit() { ::DeleteCriticalSection(&cs_); } private: CRITICAL_SECTION cs_; Factory factory_; T* volatile singleton_; };