This is an archive of the discontinued LLVM Phabricator instance.

Differential D87066

Thread safety analysis: Improve documentation for scoped capabilities
ClosedPublic

Authored by aaronpuchert on Sep 2 2020, 6:02 PM.

Details

Reviewers
aaron.ballman
Commits
rGbbb3baf6205c: Thread safety analysis: Improve documentation for scoped capabilities
Summary

They are for more powerful than the current documentation implies, this
adds

  • adopting a lock,
  • deferring a lock,
  • manually unlocking the scoped capability,
  • relocking the scoped capability, possibly in a different mode,
  • try-relocking the scoped capability.

Also there is now a generic explanation how attributes on scoped
capabilities work. There has been confusion in the past about how to
annotate them (see e.g. PR33504), hopefully this clears things up.

Diff Detail

Event Timeline

aaronpuchert created this revision.Sep 2 2020, 6:02 PM
Herald added a project: Restricted Project. · View Herald TranscriptSep 2 2020, 6:02 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
aaronpuchert requested review of this revision.Sep 2 2020, 6:02 PM
aaronpuchert added a comment.Sep 2 2020, 6:03 PM

Not sure about the added comments, I can also remove them if they're not helpful.

@aaron.ballman, this addresses your earlier comment D81332#2079489.

Harbormaster completed remote builds in B70495: Diff 289612.Sep 2 2020, 6:56 PM
aaron.ballman added inline comments.Sep 3 2020, 6:52 AM
clang/docs/ThreadSafetyAnalysis.rst
928

This makes it sound like we're missing a diagnostic, but IIRC, this is intended behavior. Maybe we want to say there is purposefully no warning on double unlock and why? Or add a FIXME if I'm remembering wrong and this isn't intended behavior.

aaronpuchert added inline comments.Sep 3 2020, 9:25 AM
clang/docs/ThreadSafetyAnalysis.rst
914

s/t_mutex/Mutex/g

928

It is intentional (we have special handling for the destructor), and I also think it makes sense. I just wanted to clarify the difference between this and Unlock: calling Unlock twice is not allowed, but calling Unlock and then (implicitly) the destructor is allowed.

I could rephrase this as "There is no warning if the scope was already unlocked before." Could also add an "intentional" or "deliberate", but since it's documented I think the reader can infer that.

aaronpuchert updated this revision to Diff 289826.Sep 3 2020, 3:43 PM
aaronpuchert marked an inline comment as done.
  • More detailed description how scoped capabilities work.
  • Make the comment wording more consistent with existing comments and the previous explanation.
  • Properly implement the destructor in the presence of an Unlock() function: we need to keep track of the status then.
  • Add try-acquire functions on scoped lock.
  • Fix compiler errors.
aaronpuchert edited the summary of this revision. (Show Details)Sep 3 2020, 3:44 PM
Harbormaster completed remote builds in B70594: Diff 289826.Sep 3 2020, 4:25 PM
aaron.ballman accepted this revision.Sep 4 2020, 6:28 AM

Ah, this reads more clearly to me, thank you for the additional changes. LGTM!

This revision is now accepted and ready to land.Sep 4 2020, 6:28 AM
Closed by commit rGbbb3baf6205c: Thread safety analysis: Improve documentation for scoped capabilities (authored by aaronpuchert). · Explain WhySep 6 2020, 11:38 AM
This revision was automatically updated to reflect the committed changes.
aaronpuchert added a commit: rGbbb3baf6205c: Thread safety analysis: Improve documentation for scoped capabilities.

Revision Contents

PathSize
clang/
docs/
68 lines

Diff 290145

clang/docs/ThreadSafetyAnalysis.rst

Show First 20 LinesShow All 396 Lines▼ Show 20 Lines
*Previously*: ``SCOPED_LOCKABLE`` *Previously*: ``SCOPED_LOCKABLE``
``SCOPED_CAPABILITY`` is an attribute on classes that implement RAII-style ``SCOPED_CAPABILITY`` is an attribute on classes that implement RAII-style
locking, in which a capability is acquired in the constructor, and released in locking, in which a capability is acquired in the constructor, and released in
the destructor. Such classes require special handling because the constructor the destructor. Such classes require special handling because the constructor
and destructor refer to the capability via different names; see the and destructor refer to the capability via different names; see the
``MutexLocker`` class in :ref:`mutexheader`, below. ``MutexLocker`` class in :ref:`mutexheader`, below.
Scoped capabilities are treated as capabilities that are implicitly acquired
on construction and released on destruction. They are associated with
the set of (regular) capabilities named in thread safety attributes on the
constructor. Acquire-type attributes on other member functions are treated as
applying to that set of associated capabilities, while ``RELEASE`` implies that
a function releases all associated capabilities in whatever mode they're held.
TRY_ACQUIRE(<bool>, ...), TRY_ACQUIRE_SHARED(<bool>, ...) TRY_ACQUIRE(<bool>, ...), TRY_ACQUIRE_SHARED(<bool>, ...)
--------------------------------------------------------- ---------------------------------------------------------
*Previously:* ``EXCLUSIVE_TRYLOCK_FUNCTION``, ``SHARED_TRYLOCK_FUNCTION`` *Previously:* ``EXCLUSIVE_TRYLOCK_FUNCTION``, ``SHARED_TRYLOCK_FUNCTION``
These are attributes on a function or method that tries to acquire the given These are attributes on a function or method that tries to acquire the given
capability, and returns a boolean value indicating success or failure. capability, and returns a boolean value indicating success or failure.
▲ Show 20 LinesShow All 468 Lines▼ Show 20 Lines public:
// Assert that is mutex is currently held for read operations. // Assert that is mutex is currently held for read operations.
void AssertReaderHeld() ASSERT_SHARED_CAPABILITY(this); void AssertReaderHeld() ASSERT_SHARED_CAPABILITY(this);
// For negative capabilities. // For negative capabilities.
const Mutex& operator!() const { return *this; } const Mutex& operator!() const { return *this; }
}; };
// Tag types for selecting a constructor.
struct adopt_lock_t {} inline constexpr adopt_lock = {};
struct defer_lock_t {} inline constexpr defer_lock = {};
struct shared_lock_t {} inline constexpr shared_lock = {};
// MutexLocker is an RAII class that acquires a mutex in its constructor, and // MutexLocker is an RAII class that acquires a mutex in its constructor, and
// releases it in its destructor. // releases it in its destructor.
class SCOPED_CAPABILITY MutexLocker { class SCOPED_CAPABILITY MutexLocker {
private: private:
Mutex* mut; Mutex* mut;
bool locked;
public: public:
MutexLocker(Mutex *mu) ACQUIRE(mu) : mut(mu) { // Acquire mu, implicitly acquire *this and associate it with mu.
MutexLocker(Mutex *mu) ACQUIRE(mu) : mut(mu), locked(true) {
mu->Lock(); mu->Lock();
} }
// Assume mu is held, implicitly acquire *this and associate it with mu.
aaronpuchertAuthorUnsubmitted
Done
ReplyInline Actions

s/t_mutex/Mutex/g

aaronpuchert: `s/t_mutex/Mutex/g`
MutexLocker(Mutex *mu, adopt_lock_t) REQUIRES(mu) : mut(mu), locked(true) {}
// Acquire mu in shared mode, implicitly acquire *this and associate it with mu.
MutexLocker(Mutex *mu, shared_lock_t) ACQUIRE_SHARED(mu) : mut(mu), locked(true) {
mu->ReaderLock();
}
// Assume mu is held in shared mode, implicitly acquire *this and associate it with mu.
MutexLocker(Mutex *mu, adopt_lock_t, shared_lock_t) REQUIRES_SHARED(mu)
: mut(mu), locked(true) {}
// Assume mu is not held, implicitly acquire *this and associate it with mu.
MutexLocker(Mutex *mu, defer_lock_t) EXCLUDES(mu) : mut(mu), locked(false) {}
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

This makes it sound like we're missing a diagnostic, but IIRC, this is intended behavior. Maybe we want to say there is purposefully no warning on double unlock and why? Or add a FIXME if I'm remembering wrong and this isn't intended behavior.

aaron.ballman: This makes it sound like we're missing a diagnostic, but IIRC, this is intended behavior. Maybe…
aaronpuchertAuthorUnsubmitted
Done
ReplyInline Actions

It is intentional (we have special handling for the destructor), and I also think it makes sense. I just wanted to clarify the difference between this and Unlock: calling Unlock twice is not allowed, but calling Unlock and then (implicitly) the destructor is allowed.

I could rephrase this as "There is no warning if the scope was already unlocked before." Could also add an "intentional" or "deliberate", but since it's documented I think the reader can infer that.

aaronpuchert: It is intentional (we have special handling for the destructor), and I also think it makes…
// Release *this and all associated mutexes, if they are still held.
// There is no warning if the scope was already unlocked before.
~MutexLocker() RELEASE() { ~MutexLocker() RELEASE() {
if (locked)
mut->GenericUnlock();
}
// Acquire all associated mutexes exclusively.
void Lock() ACQUIRE() {
mut->Lock();
locked = true;
}
// Try to acquire all associated mutexes exclusively.
bool TryLock() TRY_ACQUIRE(true) {
return locked = mut->TryLock();
}
// Acquire all associated mutexes in shared mode.
void ReaderLock() ACQUIRE_SHARED() {
mut->ReaderLock();
locked = true;
}
// Try to acquire all associated mutexes in shared mode.
bool ReaderTryLock() TRY_ACQUIRE_SHARED(true) {
return locked = mut->ReaderTryLock();
}
// Release all associated mutexes. Warn on double unlock.
void Unlock() RELEASE() {
mut->Unlock(); mut->Unlock();
locked = false;
}
// Release all associated mutexes. Warn on double unlock.
void ReaderUnlock() RELEASE() {
mut->ReaderUnlock();
locked = false;
} }
}; };
#ifdef USE_LOCK_STYLE_THREAD_SAFETY_ATTRIBUTES #ifdef USE_LOCK_STYLE_THREAD_SAFETY_ATTRIBUTES
// The original version of thread safety analysis the following attribute // The original version of thread safety analysis the following attribute
// definitions. These use a lock-based terminology. They are still in use // definitions. These use a lock-based terminology. They are still in use
// by existing thread safety code, and will continue to be supported. // by existing thread safety code, and will continue to be supported.
▲ Show 20 LinesShow All 65 LinesShow Last 20 Lines