This is an archive of the discontinued LLVM Phabricator instance.

Differential D84603

Thread safety analysis: More consistent warning message
ClosedPublic

Authored by aaronpuchert on Jul 26 2020, 11:51 AM.

Details

Reviewers
aaron.ballman
Commits
rG8ca00c5cdc0b: Thread safety analysis: More consistent warning message
Summary

Other warning messages for negative capabilities also mention their
kind, and the double space was ugly.

Diff Detail

Event Timeline

aaronpuchert created this revision.Jul 26 2020, 11:51 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 26 2020, 11:51 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
aaronpuchert mentioned this in D84604: Thread safety analysis: Consider global variables in scope.Jul 26 2020, 12:08 PM
Harbormaster failed remote builds in B65730: Diff 280741!Jul 26 2020, 1:16 PM
aaron.ballman added inline comments.Jul 27 2020, 10:56 AM
clang/lib/Analysis/ThreadSafety.cpp
1644

It's a bit odd that we aren't using DiagKind as below, I assume that's because this is a negative test and the others are positive tests, but doesn't this introduce a terminology difference where a positive failure may call it a mutex and a negative failure may call it a negative capability? Should this be hooked in to ClassifyDiagnostic() (perhaps we need a ClassifyNegativeDiagnostic()?

aaronpuchert added inline comments.Jul 27 2020, 11:47 AM
clang/lib/Analysis/ThreadSafety.cpp
1644

My thinking was that whatever the positive capability is called, we should only talk about a "negative capability" instead of a "negative mutex" or a "negative role". Also because not holding a capability is in some way its own kind of capability.

clang/test/SemaCXX/warn-thread-safety-negative.cpp
46

Here we're always referring to a "negative capability", I believe it's hardcoded into the message.

aaronpuchert added a comment.Aug 19 2020, 5:02 AM

Ping.

aaronpuchert added a comment.Aug 24 2020, 10:19 AM

@aaron.ballman, can you have a look again? I think this change is consistent with what we're already doing.

aaron.ballman added inline comments.Aug 26 2020, 8:43 AM
clang/lib/Analysis/ThreadSafety.cpp
1644

I may still be confused or thinking of this differently, but I would assume that a negative mutex would be a mutex that's explicitly not held, which you may want to ensure on a function boundary to avoid deadlock. From that, I'd have guessed we would want the diagnostic to read cannot call function 'bar' while mutex 'mu' is held or calling function 'bar' requires mutex 'mu' to not be held because that's more clear than talking about negative capabilities (when the user is thinking in terms of mutexes which are or aren't held).

aaronpuchert added inline comments.Aug 26 2020, 3:02 PM
clang/lib/Analysis/ThreadSafety.cpp
1644

Now I get it. I don't see an issue with that, but we need to distinguish between EXCLUDES(mu) and REQUIRES(!mu). The former will produce "cannot call function 'bar' while mutex 'mu' is held" and we probably want the latter to produce a different warning message.

Now one argument for the existing scheme remains that with -Wthread-safety-negative, if you see a warning like "acquiring mutex 'mu' requires negative capability '!mu'" on a lock operation, you know you can fix that by adding REQUIRES(!mu) to your function.

If we say "warning: acquiring mutex 'mu' requires mutex 'mu' not to be held" it might not be as clear what we want.

aaron.ballman added inline comments.Aug 27 2020, 8:03 AM
clang/lib/Analysis/ThreadSafety.cpp
1644

Now I get it. I don't see an issue with that, but we need to distinguish between EXCLUDES(mu) and REQUIRES(!mu). The former will produce "cannot call function 'bar' while mutex 'mu' is held" and we probably want the latter to produce a different warning message.

Ahhh, that's a good point.

Now one argument for the existing scheme remains that with -Wthread-safety-negative, if you see a warning like "acquiring mutex 'mu' requires negative capability '!mu'" on a lock operation, you know you can fix that by adding REQUIRES(!mu) to your function.

If we say "warning: acquiring mutex 'mu' requires mutex 'mu' not to be held" it might not be as clear what we want.

Hm, that's a good point as well.

Now that I understand the situation a bit better, I will be happy with either route, so I leave the decision in your capable hands. (If we get it wrong, we can always change the diagnostics later.) Do you have a preferred approach?

aaronpuchert added inline comments.Aug 27 2020, 4:32 PM
clang/lib/Analysis/ThreadSafety.cpp
1644

There are basically two warnings related to negative capabilities: one is about acquiring a capability without holding a negative capability, the other about calling a function without holding a negative capability. Negative capabilities can't be acquired or released, nor do they protect anything.

The other warning message also says "negative capability '!mu'", but mentions the original capability kind earlier:

def warn_acquire_requires_negative_cap : Warning<
  "acquiring %0 '%1' requires negative capability '%2'">,

I think that makes sense because there is a relation between the "positive" capability of whatever kind that we want to acquire and the negative capability that we need. The situation here is different: I just have some CallExpr to a function with REQUIRES(!...).

For that we have two different warnings, depending on whether we know the capability to be held or not:

void foo() REQUIRES(!mu);
void bar() REQUIRES(!mu) {
  mu.Lock();
  foo();        // warning: cannot call function 'foo' while mutex 'mu' is held
  mu.Unlock();
}
void baz() {
  foo();        // warning: calling function 'foo' requires holding [negative capability] '!mu'
}

The warning here is about the baz case where the analysis doesn't know whether I hold the capability (e.g. it could be acquired higher in the stack without the function being annotated), but I also don't explicitly hold the negative capability. Since negative capabilities can't be acquired, the only possible fix is to propagate the REQUIRES(!mu) until mu goes out of scope. And for that the capability kind is not really relevant.

What I could change in addition is to drop the "holding" for negative capabilities, because you can't really hold them, they are the absence of holding something. The other warning also says "requires negative capability" instead of "requires holding negative capability".

aaron.ballman added inline comments.Aug 28 2020, 7:28 AM
clang/lib/Analysis/ThreadSafety.cpp
1644

Thank you for the detailed explanation! I think dropping the "holding" so that it says it requires a negative capability makes sense.

Since negative capabilities can't be acquired, the only possible fix is to propagate the REQUIRES(!mu) until mu goes out of scope. And for that the capability kind is not really relevant.

I think that makes sense for the simple case where there's only one REQUIRES clause, but I was thinking about a more complex case where you have something like:

void foo() REQUIRES(!mu) REQUIRES(logging_role);
void baz() {
  foo();
}

and you're mixing capability kinds on the same declaration. However, because we mention the name of the thing we require in the diagnostic, I think that will still be plenty clear even without the capability kind and so we're likely fine.

aaronpuchert updated this revision to Diff 288820.Aug 29 2020, 5:14 PM

Remove "holding" and moved to a separate message because the overlap was getting smaller.

Also introduced a separate function because it's more consistent with the other functions and because we can't easily distinguish between negative and positive capabilities otherwise.

Herald added a subscriber: danielkiss. · View Herald TranscriptAug 29 2020, 5:14 PM
aaronpuchert marked 4 inline comments as done.Aug 29 2020, 5:18 PM
aaronpuchert added inline comments.
clang/include/clang/Analysis/Analyses/ThreadSafety.h
205

Should probably be "a negative capability", silly copy-and-paste error.

Harbormaster completed remote builds in B70028: Diff 288820.Aug 29 2020, 5:56 PM
aaron.ballman accepted this revision.Aug 31 2020, 6:27 AM

LGTM aside from a suggestion for a comment, thank you!

clang/include/clang/Analysis/Analyses/ThreadSafety.h
205

Warn when calling a function and a negative capability is not held.?

This revision is now accepted and ready to land.Aug 31 2020, 6:27 AM
Closed by commit rG8ca00c5cdc0b: Thread safety analysis: More consistent warning message (authored by aaronpuchert). · Explain WhySep 1 2020, 2:16 PM
This revision was automatically updated to reflect the committed changes.
aaronpuchert marked an inline comment as done.
aaronpuchert added a commit: rG8ca00c5cdc0b: Thread safety analysis: More consistent warning message.

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
Analyses/
8 lines
Basic/
3 lines
lib/
Analysis/
3 lines
Sema/
7 lines
test/
SemaCXX/
2 lines
2 lines

Diff 289283

clang/include/clang/Analysis/Analyses/ThreadSafety.h

Show First 20 LinesShow All 196 Lines▼ Show 20 Linespublic:
/// \param LockName -- The name for the lock expression, to be printed in the /// \param LockName -- The name for the lock expression, to be printed in the
/// diagnostic. /// diagnostic.
/// \param Neg -- The name of the negative capability to be printed in the /// \param Neg -- The name of the negative capability to be printed in the
/// diagnostic. /// diagnostic.
/// \param Loc -- The location of the protected operation. /// \param Loc -- The location of the protected operation.
virtual void handleNegativeNotHeld(StringRef Kind, Name LockName, Name Neg, virtual void handleNegativeNotHeld(StringRef Kind, Name LockName, Name Neg,
SourceLocation Loc) {} SourceLocation Loc) {}
/// Warn when calling a function that a negative capability is not held.
aaronpuchertAuthorUnsubmitted
Done
ReplyInline Actions

Should probably be "a negative capability", silly copy-and-paste error.

aaronpuchert: Should probably be "**a** negative capability", silly copy-and-paste error.
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Warn when calling a function and a negative capability is not held.?

aaron.ballman: `Warn when calling a function and a negative capability is not held.`?
/// \param D -- The decl for the function requiring the negative capability.
/// \param LockName -- The name for the lock expression, to be printed in the
/// diagnostic.
/// \param Loc -- The location of the protected operation.
virtual void handleNegativeNotHeld(const NamedDecl *D, Name LockName,
SourceLocation Loc) {}
/// Warn when a function is called while an excluded mutex is locked. For /// Warn when a function is called while an excluded mutex is locked. For
/// example, the mutex may be locked inside the function. /// example, the mutex may be locked inside the function.
/// \param Kind -- the capability's name parameter (role, mutex, etc). /// \param Kind -- the capability's name parameter (role, mutex, etc).
/// \param FunName -- The name of the function /// \param FunName -- The name of the function
/// \param LockName -- A StringRef name for the lock expression, to be printed /// \param LockName -- A StringRef name for the lock expression, to be printed
/// in the error message. /// in the error message.
/// \param Loc -- The location of the function call. /// \param Loc -- The location of the function call.
virtual void handleFunExcludesLock(StringRef Kind, Name FunName, virtual void handleFunExcludesLock(StringRef Kind, Name FunName,
▲ Show 20 LinesShow All 42 LinesShow Last 20 Lines

clang/include/clang/Basic/DiagnosticSemaKinds.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 3,471 Lines▼ Show 20 Linesdef warn_acquired_before_after_cycle : Warning<
"Cycle in acquired_before/after dependencies, starting with '%0'">, "Cycle in acquired_before/after dependencies, starting with '%0'">,
InGroup<ThreadSafetyAnalysis>, DefaultIgnore; InGroup<ThreadSafetyAnalysis>, DefaultIgnore;
// Thread safety warnings negative capabilities // Thread safety warnings negative capabilities
def warn_acquire_requires_negative_cap : Warning< def warn_acquire_requires_negative_cap : Warning<
"acquiring %0 '%1' requires negative capability '%2'">, "acquiring %0 '%1' requires negative capability '%2'">,
InGroup<ThreadSafetyNegative>, DefaultIgnore; InGroup<ThreadSafetyNegative>, DefaultIgnore;
def warn_fun_requires_negative_cap : Warning<
"calling function %0 requires negative capability '%1'">,
InGroup<ThreadSafetyAnalysis>, DefaultIgnore;
// Thread safety warnings on pass by reference // Thread safety warnings on pass by reference
def warn_guarded_pass_by_reference : Warning< def warn_guarded_pass_by_reference : Warning<
"passing variable %1 by reference requires holding %0 " "passing variable %1 by reference requires holding %0 "
"%select{'%2'|'%2' exclusively}3">, "%select{'%2'|'%2' exclusively}3">,
InGroup<ThreadSafetyReference>, DefaultIgnore; InGroup<ThreadSafetyReference>, DefaultIgnore;
def warn_pt_guarded_pass_by_reference : Warning< def warn_pt_guarded_pass_by_reference : Warning<
"passing the value that %1 points to by reference requires holding %0 " "passing the value that %1 points to by reference requires holding %0 "
▲ Show 20 LinesShow All 7,451 LinesShow Last 20 Lines

clang/lib/Analysis/ThreadSafety.cpp

Show First 20 LinesShow All 1,635 Lines▼ Show 20 Lines if (Cp.negative()) {
// If this does not refer to a negative capability in the same class, // If this does not refer to a negative capability in the same class,
// then stop here. // then stop here.
if (!Analyzer->inCurrentScope(Cp)) if (!Analyzer->inCurrentScope(Cp))
return; return;
// Otherwise the negative requirement must be propagated to the caller. // Otherwise the negative requirement must be propagated to the caller.
LDat = FSet.findLock(Analyzer->FactMan, Cp); LDat = FSet.findLock(Analyzer->FactMan, Cp);
if (!LDat) { if (!LDat) {
Analyzer->Handler.handleMutexNotHeld("", D, POK, Cp.toString(), Analyzer->Handler.handleNegativeNotHeld(D, Cp.toString(), Loc);
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

It's a bit odd that we aren't using DiagKind as below, I assume that's because this is a negative test and the others are positive tests, but doesn't this introduce a terminology difference where a positive failure may call it a mutex and a negative failure may call it a negative capability? Should this be hooked in to ClassifyDiagnostic() (perhaps we need a ClassifyNegativeDiagnostic()?

aaron.ballman: It's a bit odd that we aren't using `DiagKind` as below, I assume that's because this is a…
aaronpuchertAuthorUnsubmitted
Done
ReplyInline Actions

My thinking was that whatever the positive capability is called, we should only talk about a "negative capability" instead of a "negative mutex" or a "negative role". Also because not holding a capability is in some way its own kind of capability.

aaronpuchert: My thinking was that whatever the positive capability is called, we should only talk about a…
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

I may still be confused or thinking of this differently, but I would assume that a negative mutex would be a mutex that's explicitly not held, which you may want to ensure on a function boundary to avoid deadlock. From that, I'd have guessed we would want the diagnostic to read cannot call function 'bar' while mutex 'mu' is held or calling function 'bar' requires mutex 'mu' to not be held because that's more clear than talking about negative capabilities (when the user is thinking in terms of mutexes which are or aren't held).

aaron.ballman: I may still be confused or thinking of this differently, but I would assume that a negative…
aaronpuchertAuthorUnsubmitted
Done
ReplyInline Actions

Now I get it. I don't see an issue with that, but we need to distinguish between EXCLUDES(mu) and REQUIRES(!mu). The former will produce "cannot call function 'bar' while mutex 'mu' is held" and we probably want the latter to produce a different warning message.

Now one argument for the existing scheme remains that with -Wthread-safety-negative, if you see a warning like "acquiring mutex 'mu' requires negative capability '!mu'" on a lock operation, you know you can fix that by adding REQUIRES(!mu) to your function.

If we say "warning: acquiring mutex 'mu' requires mutex 'mu' not to be held" it might not be as clear what we want.

aaronpuchert: Now I get it. I don't see an issue with that, but we need to distinguish between `EXCLUDES(mu)`…
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Now I get it. I don't see an issue with that, but we need to distinguish between EXCLUDES(mu) and REQUIRES(!mu). The former will produce "cannot call function 'bar' while mutex 'mu' is held" and we probably want the latter to produce a different warning message.

Ahhh, that's a good point.

Now one argument for the existing scheme remains that with -Wthread-safety-negative, if you see a warning like "acquiring mutex 'mu' requires negative capability '!mu'" on a lock operation, you know you can fix that by adding REQUIRES(!mu) to your function.

If we say "warning: acquiring mutex 'mu' requires mutex 'mu' not to be held" it might not be as clear what we want.

Hm, that's a good point as well.

Now that I understand the situation a bit better, I will be happy with either route, so I leave the decision in your capable hands. (If we get it wrong, we can always change the diagnostics later.) Do you have a preferred approach?

aaron.ballman: > Now I get it. I don't see an issue with that, but we need to distinguish between EXCLUDES(mu)…
aaronpuchertAuthorUnsubmitted
Done
ReplyInline Actions

There are basically two warnings related to negative capabilities: one is about acquiring a capability without holding a negative capability, the other about calling a function without holding a negative capability. Negative capabilities can't be acquired or released, nor do they protect anything.

The other warning message also says "negative capability '!mu'", but mentions the original capability kind earlier:

def warn_acquire_requires_negative_cap : Warning<
  "acquiring %0 '%1' requires negative capability '%2'">,

I think that makes sense because there is a relation between the "positive" capability of whatever kind that we want to acquire and the negative capability that we need. The situation here is different: I just have some CallExpr to a function with REQUIRES(!...).

For that we have two different warnings, depending on whether we know the capability to be held or not:

void foo() REQUIRES(!mu);
void bar() REQUIRES(!mu) {
  mu.Lock();
  foo();        // warning: cannot call function 'foo' while mutex 'mu' is held
  mu.Unlock();
}
void baz() {
  foo();        // warning: calling function 'foo' requires holding [negative capability] '!mu'
}

The warning here is about the baz case where the analysis doesn't know whether I hold the capability (e.g. it could be acquired higher in the stack without the function being annotated), but I also don't explicitly hold the negative capability. Since negative capabilities can't be acquired, the only possible fix is to propagate the REQUIRES(!mu) until mu goes out of scope. And for that the capability kind is not really relevant.

What I could change in addition is to drop the "holding" for negative capabilities, because you can't really hold them, they are the absence of holding something. The other warning also says "requires negative capability" instead of "requires holding negative capability".

aaronpuchert: There are basically two warnings related to negative capabilities: one is about acquiring a…
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Thank you for the detailed explanation! I think dropping the "holding" so that it says it requires a negative capability makes sense.

Since negative capabilities can't be acquired, the only possible fix is to propagate the REQUIRES(!mu) until mu goes out of scope. And for that the capability kind is not really relevant.

I think that makes sense for the simple case where there's only one REQUIRES clause, but I was thinking about a more complex case where you have something like:

void foo() REQUIRES(!mu) REQUIRES(logging_role);
void baz() {
  foo();
}

and you're mixing capability kinds on the same declaration. However, because we mention the name of the thing we require in the diagnostic, I think that will still be plenty clear even without the capability kind and so we're likely fine.

aaron.ballman: Thank you for the detailed explanation! I think dropping the "holding" so that it says it…
LK_Shared, Loc);
} }
return; return;
} }
const FactEntry *LDat = FSet.findLockUniv(Analyzer->FactMan, Cp); const FactEntry *LDat = FSet.findLockUniv(Analyzer->FactMan, Cp);
bool NoError = true; bool NoError = true;
if (!LDat) { if (!LDat) {
// No exact match found. Look for a partial match. // No exact match found. Look for a partial match.
▲ Show 20 LinesShow All 921 LinesShow Last 20 Lines

clang/lib/Sema/AnalysisBasedWarnings.cpp

Show First 20 LinesShow All 1,886 Lines▼ Show 20 Lines public:
void handleNegativeNotHeld(StringRef Kind, Name LockName, Name Neg, void handleNegativeNotHeld(StringRef Kind, Name LockName, Name Neg,
SourceLocation Loc) override { SourceLocation Loc) override {
PartialDiagnosticAt Warning(Loc, PartialDiagnosticAt Warning(Loc,
S.PDiag(diag::warn_acquire_requires_negative_cap) S.PDiag(diag::warn_acquire_requires_negative_cap)
<< Kind << LockName << Neg); << Kind << LockName << Neg);
Warnings.emplace_back(std::move(Warning), getNotes()); Warnings.emplace_back(std::move(Warning), getNotes());
} }
void handleNegativeNotHeld(const NamedDecl *D, Name LockName,
SourceLocation Loc) override {
PartialDiagnosticAt Warning(
Loc, S.PDiag(diag::warn_fun_requires_negative_cap) << D << LockName);
Warnings.emplace_back(std::move(Warning), getNotes());
}
void handleFunExcludesLock(StringRef Kind, Name FunName, Name LockName, void handleFunExcludesLock(StringRef Kind, Name FunName, Name LockName,
SourceLocation Loc) override { SourceLocation Loc) override {
PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_fun_excludes_mutex) PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_fun_excludes_mutex)
<< Kind << FunName << LockName); << Kind << FunName << LockName);
Warnings.emplace_back(std::move(Warning), getNotes()); Warnings.emplace_back(std::move(Warning), getNotes());
} }
void handleLockAcquiredBefore(StringRef Kind, Name L1Name, Name L2Name, void handleLockAcquiredBefore(StringRef Kind, Name L1Name, Name L2Name,
▲ Show 20 LinesShow All 437 LinesShow Last 20 Lines

clang/test/SemaCXX/warn-thread-safety-analysis.cpp

Show First 20 LinesShow All 4,979 Lines▼ Show 20 Linespublic:
void foo() { void foo() {
mu.Lock(); // warning? needs !mu? mu.Lock(); // warning? needs !mu?
baz(); // expected-warning {{cannot call function 'baz' while mutex 'mu' is held}} baz(); // expected-warning {{cannot call function 'baz' while mutex 'mu' is held}}
bar(); bar();
mu.Unlock(); mu.Unlock();
} }
void bar() { void bar() {
bar2(); // expected-warning {{calling function 'bar2' requires holding '!mu'}} bar2(); // expected-warning {{calling function 'bar2' requires negative capability '!mu'}}
} }
void bar2() EXCLUSIVE_LOCKS_REQUIRED(!mu) { void bar2() EXCLUSIVE_LOCKS_REQUIRED(!mu) {
baz(); baz();
} }
void baz() EXCLUSIVE_LOCKS_REQUIRED(!mu) { void baz() EXCLUSIVE_LOCKS_REQUIRED(!mu) {
mu.Lock(); mu.Lock();
▲ Show 20 LinesShow All 793 LinesShow Last 20 Lines

clang/test/SemaCXX/warn-thread-safety-negative.cpp

Show All 37 Lines
class Foo { class Foo {
Mutex mu; Mutex mu;
int a GUARDED_BY(mu); int a GUARDED_BY(mu);
public: public:
void foo() { void foo() {
mu.Lock(); // expected-warning {{acquiring mutex 'mu' requires negative capability '!mu'}} mu.Lock(); // expected-warning {{acquiring mutex 'mu' requires negative capability '!mu'}}
aaronpuchertAuthorUnsubmitted
Not Done
ReplyInline Actions

Here we're always referring to a "negative capability", I believe it's hardcoded into the message.

aaronpuchert: Here we're always referring to a "negative capability", I believe it's hardcoded into the…
baz(); // expected-warning {{cannot call function 'baz' while mutex 'mu' is held}} baz(); // expected-warning {{cannot call function 'baz' while mutex 'mu' is held}}
bar(); bar();
mu.Unlock(); mu.Unlock();
} }
void bar() { void bar() {
baz(); // expected-warning {{calling function 'baz' requires holding '!mu'}} baz(); // expected-warning {{calling function 'baz' requires negative capability '!mu'}}
} }
void baz() EXCLUSIVE_LOCKS_REQUIRED(!mu) { void baz() EXCLUSIVE_LOCKS_REQUIRED(!mu) {
mu.Lock(); mu.Lock();
a = 0; a = 0;
mu.Unlock(); mu.Unlock();
} }
Show All 38 Lines