This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
PthreadLockChecker.cpp
-
test/Analysis/
-
Analysis/
-
Inputs/
-
system-header-simulator-for-pthread-lock.h
-
pthreadlock.c

Differential D87146

[analyzer] Implement shared semantics checks for XNU functions in PthreadLockChecker
Needs ReviewPublic

Authored by ASDenysPetrov on Sep 4 2020, 8:25 AM.

Download Raw Diff

Details

Reviewers

baloghadamsoftware
martong
NoQ
xazax.hun
vsavchenko
steakhal

Summary

Implement shared semantics checks for correct use of XNU functions for shared and exclusive mutexes.

Clarification:
Shared semantics says that if a lock has been acquired as shared, so it shall be released as shared as well. And vice versa, unique(usual) acquisition shall be followed by a unique unlock. This produces so-called pairs "shared-shared" and "unique-unique" Any mixed sequences of "shared-unique" or "unique-shared" are ill-formed and can lead to undefined behavior.

In particular affected functions lck_rw_lock_shared and lck_rw_unlock_shared are guided by documentaion here
https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/synchronization/synchronization.html#//apple_ref/doc/uid/TP30000905-CH218-BABCHEIA
Quote: "You should always be careful when using these functions, as unlocking a lock held in shared mode using an exclusive call or vice-versa will lead to undefined results."

Diff Detail

Event Timeline

ASDenysPetrov created this revision.Sep 4 2020, 8:25 AM

Herald added subscribers: cfe-commits, Charusso, dkrupp and 6 others. · View Herald TranscriptSep 4 2020, 8:25 AM

ASDenysPetrov requested review of this revision.Sep 4 2020, 8:25 AM

ASDenysPetrov added a parent revision: D87138: [analyzer][NFC] Introduce refactoring of PthreadLockChecker.

Harbormaster completed remote builds in B70663: Diff 289960.Sep 4 2020, 8:57 AM

Fixed some missed conditions. Added more tests.

Minor fixes.

Test fix.

ASDenysPetrov added a child revision: D85984: [analyzer] Add a new checker alpha.cplusplus.CPlusPlus11Lock.Sep 6 2020, 4:15 AM

It would be nice if someone had time to look at this. Thanks.

In D87146#2294423, @ASDenysPetrov wrote:

It would be nice if someone had time to look at this. Thanks.

I am just looking, but I am not a pthread expert.

In D87146#2294514, @baloghadamsoftware wrote:

In D87146#2294423, @ASDenysPetrov wrote:

It would be nice if someone had time to look at this. Thanks.

I am just looking, but I am not a pthread expert.

Sorry, absolutely no competence.

@baloghadamsoftware

Sorry, absolutely no competence.

That's OK. I've added a clarification section to the summary to make it easier to understand my intentions.

Just a ping. Let me, please, do smth with this revision.

Hey, folk. Please, look at this revision.
This is the 2nd revision from the stack of 3. Its aim is preparing the field for the 3rd revision (also welcome to review). The 1st one has been closed.

Just want to load this revision in scope of the stack. I need you review for this. Thanks.

Could you please give a few links to some documentation about the functions you are trying to model?
Is https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/synchronization/synchronization.html a legitimate resource for this?

It's really important to bake the proper semantic rules into the modeling.

@steakhal

Could you please give a few links to some documentation about the functions you are trying to model?

Yes, you a re right. I've edited the summary with the link.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

PthreadLockChecker.cpp

110 lines

test/

Analysis/

Inputs/

system-header-simulator-for-pthread-lock.h

2 lines

pthreadlock.c

55 lines

Diff 290134

clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp

Show All 27 Lines
using namespace ento;		using namespace ento;

namespace {		namespace {

struct LockState {		struct LockState {
enum Kind {		enum Kind {
Destroyed,		Destroyed,
Locked,		Locked,
		SharedLocked,
Unlocked,		Unlocked,
		SharedUnlocked,
UntouchedAndPossiblyDestroyed,		UntouchedAndPossiblyDestroyed,
UnlockedAndPossiblyDestroyed		UnlockedAndPossiblyDestroyed
} K;		} K;

private:		private:
LockState(Kind K) : K(K) {}		LockState(Kind K) : K(K) {}

public:		public:
static LockState getLocked() { return LockState(Locked); }		static LockState getLocked() { return LockState(Locked); }
		static LockState getSharedLocked() { return LockState(SharedLocked); }
static LockState getUnlocked() { return LockState(Unlocked); }		static LockState getUnlocked() { return LockState(Unlocked); }
		static LockState getSharedUnlocked() { return LockState(SharedUnlocked); }
static LockState getDestroyed() { return LockState(Destroyed); }		static LockState getDestroyed() { return LockState(Destroyed); }
static LockState getUntouchedAndPossiblyDestroyed() {		static LockState getUntouchedAndPossiblyDestroyed() {
return LockState(UntouchedAndPossiblyDestroyed);		return LockState(UntouchedAndPossiblyDestroyed);
}		}
static LockState getUnlockedAndPossiblyDestroyed() {		static LockState getUnlockedAndPossiblyDestroyed() {
return LockState(UnlockedAndPossiblyDestroyed);		return LockState(UnlockedAndPossiblyDestroyed);
}		}

bool operator==(const LockState &X) const { return K == X.K; }		bool operator==(const LockState &X) const { return K == X.K; }

bool isLocked() const { return K == Locked; }		bool isLocked() const { return K == Locked; }
		bool isSharedLocked() const { return K == SharedLocked; }
		bool isAnyLocked() const { return isLocked() \|\| isSharedLocked(); }
bool isUnlocked() const { return K == Unlocked; }		bool isUnlocked() const { return K == Unlocked; }
		bool isSharedUnlocked() const { return K == SharedUnlocked; }
		bool isAnyUnlocked() const { return isUnlocked() \|\| isSharedUnlocked(); }
bool isDestroyed() const { return K == Destroyed; }		bool isDestroyed() const { return K == Destroyed; }
bool isUntouchedAndPossiblyDestroyed() const {		bool isUntouchedAndPossiblyDestroyed() const {
return K == UntouchedAndPossiblyDestroyed;		return K == UntouchedAndPossiblyDestroyed;
}		}
bool isUnlockedAndPossiblyDestroyed() const {		bool isUnlockedAndPossiblyDestroyed() const {
return K == UnlockedAndPossiblyDestroyed;		return K == UnlockedAndPossiblyDestroyed;
}		}

Show All 27 Lines	CallDescriptionMap<FnCheck> PThreadCallbacks = {
// TODO: lck_rw_alloc_init(2 arguments) => returns the mutex.		// TODO: lck_rw_alloc_init(2 arguments) => returns the mutex.

// Acquire.		// Acquire.
{{"pthread_mutex_lock", 1}, &PthreadLockChecker::AcquirePthreadLock},		{{"pthread_mutex_lock", 1}, &PthreadLockChecker::AcquirePthreadLock},
{{"pthread_rwlock_rdlock", 1}, &PthreadLockChecker::AcquirePthreadLock},		{{"pthread_rwlock_rdlock", 1}, &PthreadLockChecker::AcquirePthreadLock},
{{"pthread_rwlock_wrlock", 1}, &PthreadLockChecker::AcquirePthreadLock},		{{"pthread_rwlock_wrlock", 1}, &PthreadLockChecker::AcquirePthreadLock},
{{"lck_mtx_lock", 1}, &PthreadLockChecker::AcquireXNULock},		{{"lck_mtx_lock", 1}, &PthreadLockChecker::AcquireXNULock},
{{"lck_rw_lock_exclusive", 1}, &PthreadLockChecker::AcquireXNULock},		{{"lck_rw_lock_exclusive", 1}, &PthreadLockChecker::AcquireXNULock},
{{"lck_rw_lock_shared", 1}, &PthreadLockChecker::AcquireXNULock},		{{"lck_rw_lock_shared", 1}, &PthreadLockChecker::AcquireXNULockShared},

// Try.		// Try.
{{"pthread_mutex_trylock", 1}, &PthreadLockChecker::TryPthreadLock},		{{"pthread_mutex_trylock", 1}, &PthreadLockChecker::TryPthreadLock},
{{"pthread_rwlock_tryrdlock", 1}, &PthreadLockChecker::TryPthreadLock},		{{"pthread_rwlock_tryrdlock", 1}, &PthreadLockChecker::TryPthreadLock},
{{"pthread_rwlock_trywrlock", 1}, &PthreadLockChecker::TryPthreadLock},		{{"pthread_rwlock_trywrlock", 1}, &PthreadLockChecker::TryPthreadLock},
{{"lck_mtx_try_lock", 1}, &PthreadLockChecker::TryXNULock},		{{"lck_mtx_try_lock", 1}, &PthreadLockChecker::TryXNULock},
{{"lck_rw_try_lock_exclusive", 1}, &PthreadLockChecker::TryXNULock},		{{"lck_rw_try_lock_exclusive", 1}, &PthreadLockChecker::TryXNULock},
{{"lck_rw_try_lock_shared", 1}, &PthreadLockChecker::TryXNULock},		{{"lck_rw_try_lock_shared", 1}, &PthreadLockChecker::TryXNULockShared},

// Release.		// Release.
{{"pthread_mutex_unlock", 1}, &PthreadLockChecker::ReleaseAnyLock},		{{"pthread_mutex_unlock", 1}, &PthreadLockChecker::ReleaseAnyLock},
{{"pthread_rwlock_unlock", 1}, &PthreadLockChecker::ReleaseAnyLock},		{{"pthread_rwlock_unlock", 1}, &PthreadLockChecker::ReleaseAnyLock},
{{"lck_mtx_unlock", 1}, &PthreadLockChecker::ReleaseAnyLock},		{{"lck_mtx_unlock", 1}, &PthreadLockChecker::ReleaseAnyLock},
{{"lck_rw_unlock_exclusive", 1}, &PthreadLockChecker::ReleaseAnyLock},		{{"lck_rw_unlock_exclusive", 1}, &PthreadLockChecker::ReleaseAnyLock},
{{"lck_rw_unlock_shared", 1}, &PthreadLockChecker::ReleaseAnyLock},		{{"lck_rw_unlock_shared", 1}, &PthreadLockChecker::ReleaseAnyLockShared},
{{"lck_rw_done", 1}, &PthreadLockChecker::ReleaseAnyLock},		{{"lck_rw_done", 1}, &PthreadLockChecker::ReleaseAnyLock},

// Destroy.		// Destroy.
{{"pthread_mutex_destroy", 1}, &PthreadLockChecker::DestroyPthreadLock},		{{"pthread_mutex_destroy", 1}, &PthreadLockChecker::DestroyPthreadLock},
{{"lck_mtx_destroy", 2}, &PthreadLockChecker::DestroyXNULock},		{{"lck_mtx_destroy", 2}, &PthreadLockChecker::DestroyXNULock},
// TODO: pthread_rwlock_destroy(1 argument).		// TODO: pthread_rwlock_destroy(1 argument).
// TODO: lck_rw_destroy(2 arguments).		// TODO: lck_rw_destroy(2 arguments).
};		};
▲ Show 20 Lines • Show All 52 Lines • ▼ Show 20 Lines	void InitLockAux(const CallEvent &Call, CheckerContext &C,
const Expr *MtxExpr, SVal MtxVal,		const Expr *MtxExpr, SVal MtxVal,
CheckerKind CheckKind) const;		CheckerKind CheckKind) const;

// Lock, Try-lock.		// Lock, Try-lock.
void AcquirePthreadLock(const CallEvent &Call, CheckerContext &C,		void AcquirePthreadLock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const;		CheckerKind CheckKind) const;
void AcquireXNULock(const CallEvent &Call, CheckerContext &C,		void AcquireXNULock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const;		CheckerKind CheckKind) const;
		void AcquireXNULockShared(const CallEvent &Call, CheckerContext &C,
		CheckerKind CheckKind) const;
void TryPthreadLock(const CallEvent &Call, CheckerContext &C,		void TryPthreadLock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const;		CheckerKind CheckKind) const;
void TryXNULock(const CallEvent &Call, CheckerContext &C,		void TryXNULock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const;		CheckerKind CheckKind) const;
		void TryXNULockShared(const CallEvent &Call, CheckerContext &C,
		CheckerKind CheckKind) const;
void TryFuchsiaLock(const CallEvent &Call, CheckerContext &C,		void TryFuchsiaLock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const;		CheckerKind CheckKind) const;
void TryC11Lock(const CallEvent &Call, CheckerContext &C,		void TryC11Lock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const;		CheckerKind CheckKind) const;
void AcquireLockAux(const CallEvent &Call, CheckerContext &C,		void AcquireLockAux(const CallEvent &Call, CheckerContext &C,
const Expr *MtxExpr, SVal MtxVal, bool IsTryLock,		const Expr *MtxExpr, SVal MtxVal, bool IsTryLock,
LockingSemantics Semantics, CheckerKind CheckKind) const;		bool IsShared, LockingSemantics Semantics,
		CheckerKind CheckKind) const;

// Release.		// Release.
void ReleaseAnyLock(const CallEvent &Call, CheckerContext &C,		void ReleaseAnyLock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const;		CheckerKind CheckKind) const;
		void ReleaseAnyLockShared(const CallEvent &Call, CheckerContext &C,
		CheckerKind CheckKind) const;
void ReleaseLockAux(const CallEvent &Call, CheckerContext &C,		void ReleaseLockAux(const CallEvent &Call, CheckerContext &C,
const Expr *MtxExpr, SVal MtxVal,		const Expr *MtxExpr, SVal MtxVal, bool IsShared,
		enum LockingSemantics Semantics,
CheckerKind CheckKind) const;		CheckerKind CheckKind) const;

// Destroy.		// Destroy.
void DestroyPthreadLock(const CallEvent &Call, CheckerContext &C,		void DestroyPthreadLock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const;		CheckerKind CheckKind) const;
void DestroyXNULock(const CallEvent &Call, CheckerContext &C,		void DestroyXNULock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const;		CheckerKind CheckKind) const;
void DestroyLockAux(const CallEvent &Call, CheckerContext &C,		void DestroyLockAux(const CallEvent &Call, CheckerContext &C,
Show All 12 Lines	void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
const char *Sep) const override;		const char *Sep) const override;

private:		private:
mutable std::unique_ptr<BugType> BT_doublelock[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_doublelock[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_doubleunlock[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_doubleunlock[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_destroylock[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_destroylock[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_initlock[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_initlock[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_lor[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_lor[CK_NumCheckKinds];
		mutable std::unique_ptr<BugType> BT_shared[CK_NumCheckKinds];

void initBugType(CheckerKind CheckKind) const {		void initBugType(CheckerKind CheckKind) const {
if (BT_doublelock[CheckKind])		if (BT_doublelock[CheckKind])
return;		return;
BT_doublelock[CheckKind].reset(		BT_doublelock[CheckKind].reset(
new BugType{CheckNames[CheckKind], "Double locking", "Lock checker"});		new BugType{CheckNames[CheckKind], "Double locking", "Lock checker"});
BT_doubleunlock[CheckKind].reset(		BT_doubleunlock[CheckKind].reset(
new BugType{CheckNames[CheckKind], "Double unlocking", "Lock checker"});		new BugType{CheckNames[CheckKind], "Double unlocking", "Lock checker"});
BT_destroylock[CheckKind].reset(new BugType{		BT_destroylock[CheckKind].reset(new BugType{
CheckNames[CheckKind], "Use destroyed lock", "Lock checker"});		CheckNames[CheckKind], "Use destroyed lock", "Lock checker"});
BT_initlock[CheckKind].reset(new BugType{		BT_initlock[CheckKind].reset(new BugType{
CheckNames[CheckKind], "Init invalid lock", "Lock checker"});		CheckNames[CheckKind], "Init invalid lock", "Lock checker"});
BT_lor[CheckKind].reset(new BugType{CheckNames[CheckKind],		BT_lor[CheckKind].reset(new BugType{CheckNames[CheckKind],
"Lock order reversal", "Lock checker"});		"Lock order reversal", "Lock checker"});
		BT_shared[CheckKind].reset(new BugType{
		CheckNames[CheckKind], "Shared semantics misuse", "Lock checker"});
}		}
};		};
} // end anonymous namespace		} // end anonymous namespace

// A stack of locks for tracking lock-unlock order.		// A stack of locks for tracking lock-unlock order.
REGISTER_LIST_WITH_PROGRAMSTATE(LockSet, const MemRegion *)		REGISTER_LIST_WITH_PROGRAMSTATE(LockSet, const MemRegion *)

// An entry for tracking lock states.		// An entry for tracking lock states.
▲ Show 20 Lines • Show All 60 Lines • ▼ Show 20 Lines	void PthreadLockChecker::printState(raw_ostream &Out, ProgramStateRef State,
const char NL, const char Sep) const {		const char NL, const char Sep) const {
LockMapTy LM = State->get<LockMap>();		LockMapTy LM = State->get<LockMap>();
if (!LM.isEmpty()) {		if (!LM.isEmpty()) {
Out << Sep << "Mutex states:" << NL;		Out << Sep << "Mutex states:" << NL;
for (auto I : LM) {		for (auto I : LM) {
I.first->dumpToStream(Out);		I.first->dumpToStream(Out);
if (I.second.isLocked())		if (I.second.isLocked())
Out << ": locked";		Out << ": locked";
		else if (I.second.isSharedLocked())
		Out << ": locked shared";
else if (I.second.isUnlocked())		else if (I.second.isUnlocked())
Out << ": unlocked";		Out << ": unlocked";
		else if (I.second.isSharedUnlocked())
		Out << ": unlocked shared";
else if (I.second.isDestroyed())		else if (I.second.isDestroyed())
Out << ": destroyed";		Out << ": destroyed";
else if (I.second.isUntouchedAndPossiblyDestroyed())		else if (I.second.isUntouchedAndPossiblyDestroyed())
Out << ": not tracked, possibly destroyed";		Out << ": not tracked, possibly destroyed";
else if (I.second.isUnlockedAndPossiblyDestroyed())		else if (I.second.isUnlockedAndPossiblyDestroyed())
Out << ": unlocked, possibly destroyed";		Out << ": unlocked, possibly destroyed";
Out << NL;		Out << NL;
}		}
Show All 9 Lines	void PthreadLockChecker::printState(raw_ostream &Out, ProgramStateRef State,
}		}

// TODO: Dump destroyed mutex symbols?		// TODO: Dump destroyed mutex symbols?
}		}

void PthreadLockChecker::AcquirePthreadLock(const CallEvent &Call,		void PthreadLockChecker::AcquirePthreadLock(const CallEvent &Call,
CheckerContext &C,		CheckerContext &C,
CheckerKind CheckKind) const {		CheckerKind CheckKind) const {
AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), false,		AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), false, false,
PthreadSemantics, CheckKind);		PthreadSemantics, CheckKind);
}		}

void PthreadLockChecker::AcquireXNULock(const CallEvent &Call,		void PthreadLockChecker::AcquireXNULock(const CallEvent &Call,
CheckerContext &C,		CheckerContext &C,
CheckerKind CheckKind) const {		CheckerKind CheckKind) const {
AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), false,		AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), false, false,
		XNUSemantics, CheckKind);
		}

		void PthreadLockChecker::AcquireXNULockShared(const CallEvent &Call,
		CheckerContext &C,
		CheckerKind CheckKind) const {
		AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), false, true,
XNUSemantics, CheckKind);		XNUSemantics, CheckKind);
}		}

void PthreadLockChecker::TryPthreadLock(const CallEvent &Call,		void PthreadLockChecker::TryPthreadLock(const CallEvent &Call,
CheckerContext &C,		CheckerContext &C,
CheckerKind CheckKind) const {		CheckerKind CheckKind) const {
AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), true,		AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), true, false,
PthreadSemantics, CheckKind);		PthreadSemantics, CheckKind);
}		}

void PthreadLockChecker::TryXNULock(const CallEvent &Call, CheckerContext &C,		void PthreadLockChecker::TryXNULock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const {		CheckerKind CheckKind) const {
AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), true,		AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), true, false,
PthreadSemantics, CheckKind);		XNUSemantics, CheckKind);
		}

		void PthreadLockChecker::TryXNULockShared(const CallEvent &Call,
		CheckerContext &C,
		CheckerKind CheckKind) const {
		AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), true, true,
		XNUSemantics, CheckKind);
}		}

void PthreadLockChecker::TryFuchsiaLock(const CallEvent &Call,		void PthreadLockChecker::TryFuchsiaLock(const CallEvent &Call,
CheckerContext &C,		CheckerContext &C,
CheckerKind CheckKind) const {		CheckerKind CheckKind) const {
AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), true,		AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), true, false,
PthreadSemantics, CheckKind);		PthreadSemantics, CheckKind);
}		}

void PthreadLockChecker::TryC11Lock(const CallEvent &Call, CheckerContext &C,		void PthreadLockChecker::TryC11Lock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const {		CheckerKind CheckKind) const {
AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), true,		AcquireLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), true, false,
PthreadSemantics, CheckKind);		PthreadSemantics, CheckKind);
}		}

void PthreadLockChecker::AcquireLockAux(const CallEvent &Call,		void PthreadLockChecker::AcquireLockAux(const CallEvent &Call,
CheckerContext &C, const Expr *MtxExpr,		CheckerContext &C, const Expr *MtxExpr,
SVal MtxVal, bool IsTryLock,		SVal MtxVal, bool IsTryLock,
		bool IsShared,
enum LockingSemantics Semantics,		enum LockingSemantics Semantics,
CheckerKind CheckKind) const {		CheckerKind CheckKind) const {
if (!ChecksEnabled[CheckKind])		if (!ChecksEnabled[CheckKind])
return;		return;

const MemRegion *lockR = MtxVal.getAsRegion();		const MemRegion *lockR = MtxVal.getAsRegion();
if (!lockR)		if (!lockR)
return;		return;

ProgramStateRef state = C.getState();		ProgramStateRef state = C.getState();
const SymbolRef *sym = state->get<DestroyRetVal>(lockR);		const SymbolRef *sym = state->get<DestroyRetVal>(lockR);
if (sym)		if (sym)
state = resolvePossiblyDestroyedMutex(state, lockR, sym);		state = resolvePossiblyDestroyedMutex(state, lockR, sym);

if (const LockState *LState = state->get<LockMap>(lockR)) {		if (const LockState *LState = state->get<LockMap>(lockR)) {
if (LState->isLocked()) {		if (LState->isAnyLocked()) {
reportBug(C, BT_doublelock, MtxExpr, CheckKind,		reportBug(C, BT_doublelock, MtxExpr, CheckKind,
"This lock has already been acquired");		"This lock has already been acquired");
return;		return;
} else if (LState->isDestroyed()) {		} else if (LState->isDestroyed()) {
reportBug(C, BT_destroylock, MtxExpr, CheckKind,		reportBug(C, BT_destroylock, MtxExpr, CheckKind,
"This lock has already been destroyed");		"This lock has already been destroyed");
return;		return;
}		}
Show All 34 Lines	void PthreadLockChecker::AcquireLockAux(const CallEvent &Call,
} else {		} else {
// XNU locking semantics return void on non-try locks		// XNU locking semantics return void on non-try locks
assert((Semantics == XNUSemantics) && "Unknown locking semantics");		assert((Semantics == XNUSemantics) && "Unknown locking semantics");
lockSucc = state;		lockSucc = state;
}		}

// Record that the lock was acquired.		// Record that the lock was acquired.
lockSucc = lockSucc->add<LockSet>(lockR);		lockSucc = lockSucc->add<LockSet>(lockR);
lockSucc = lockSucc->set<LockMap>(lockR, LockState::getLocked());		auto State = IsShared ? LockState::getSharedLocked() : LockState::getLocked();
		lockSucc = lockSucc->set<LockMap>(lockR, State);
C.addTransition(lockSucc);		C.addTransition(lockSucc);
}		}

void PthreadLockChecker::ReleaseAnyLock(const CallEvent &Call,		void PthreadLockChecker::ReleaseAnyLock(const CallEvent &Call,
CheckerContext &C,		CheckerContext &C,
CheckerKind CheckKind) const {		CheckerKind CheckKind) const {
ReleaseLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), CheckKind);		ReleaseLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), false,
		NotApplicable, CheckKind);
		}

		void PthreadLockChecker::ReleaseAnyLockShared(const CallEvent &Call,
		CheckerContext &C,
		CheckerKind CheckKind) const {
		ReleaseLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0), true,
		NotApplicable, CheckKind);
}		}

void PthreadLockChecker::ReleaseLockAux(const CallEvent &Call,		void PthreadLockChecker::ReleaseLockAux(const CallEvent &Call,
CheckerContext &C, const Expr *MtxExpr,		CheckerContext &C, const Expr *MtxExpr,
SVal MtxVal,		SVal MtxVal, bool IsShared,
		enum LockingSemantics Semantics,
CheckerKind CheckKind) const {		CheckerKind CheckKind) const {
if (!ChecksEnabled[CheckKind])		if (!ChecksEnabled[CheckKind])
return;		return;

const MemRegion *lockR = MtxVal.getAsRegion();		const MemRegion *lockR = MtxVal.getAsRegion();
if (!lockR)		if (!lockR)
return;		return;

ProgramStateRef state = C.getState();		ProgramStateRef state = C.getState();
const SymbolRef *sym = state->get<DestroyRetVal>(lockR);		const SymbolRef *sym = state->get<DestroyRetVal>(lockR);
if (sym)		if (sym)
state = resolvePossiblyDestroyedMutex(state, lockR, sym);		state = resolvePossiblyDestroyedMutex(state, lockR, sym);

if (const LockState *LState = state->get<LockMap>(lockR)) {		if (const LockState *LState = state->get<LockMap>(lockR)) {
if (LState->isUnlocked()) {		if (LState->isAnyUnlocked()) {
reportBug(C, BT_doubleunlock, MtxExpr, CheckKind,		reportBug(C, BT_doubleunlock, MtxExpr, CheckKind,
"This lock has already been unlocked");		"This lock has already been unlocked");
return;		return;
} else if (LState->isDestroyed()) {		} else if (LState->isDestroyed()) {
reportBug(C, BT_destroylock, MtxExpr, CheckKind,		reportBug(C, BT_destroylock, MtxExpr, CheckKind,
"This lock has already been destroyed");		"This lock has already been destroyed");
return;		return;
		} else if (LState->isLocked()) {
		if (IsShared) {
		reportBug(
		C, BT_shared, MtxExpr, CheckKind,
		"This lock has been acquired exclusively, but shared unlock used");
		return;
		}
		} else if (LState->isSharedLocked()) {
		if (!IsShared) {
		reportBug(
		C, BT_shared, MtxExpr, CheckKind,
		"This lock has been acquired as shared, but exclusive unlock used");
		return;
		}
}		}
}		}

LockSetTy LS = state->get<LockSet>();		LockSetTy LS = state->get<LockSet>();

if (!LS.isEmpty()) {		if (!LS.isEmpty()) {
const MemRegion *firstLockR = LS.getHead();		const MemRegion *firstLockR = LS.getHead();
if (firstLockR != lockR) {		if (firstLockR != lockR) {
reportBug(C, BT_lor, MtxExpr, CheckKind,		reportBug(C, BT_lor, MtxExpr, CheckKind,
"This was not the most recently acquired lock. Possible lock "		"This was not the most recently acquired lock. Possible lock "
"order reversal");		"order reversal");
return;		return;
}		}
// Record that the lock was released.		// Record that the lock was released.
state = state->set<LockSet>(LS.getTail());		state = state->set<LockSet>(LS.getTail());
}		}

state = state->set<LockMap>(lockR, LockState::getUnlocked());		auto State =
		IsShared ? LockState::getSharedUnlocked() : LockState::getUnlocked();
		state = state->set<LockMap>(lockR, State);
C.addTransition(state);		C.addTransition(state);
}		}

void PthreadLockChecker::DestroyPthreadLock(const CallEvent &Call,		void PthreadLockChecker::DestroyPthreadLock(const CallEvent &Call,
CheckerContext &C,		CheckerContext &C,
CheckerKind CheckKind) const {		CheckerKind CheckKind) const {
DestroyLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0),		DestroyLockAux(Call, C, Call.getArgExpr(0), Call.getArgSVal(0),
PthreadSemantics, CheckKind);		PthreadSemantics, CheckKind);
Show All 23 Lines	void PthreadLockChecker::DestroyLockAux(const CallEvent &Call,
const SymbolRef *sym = State->get<DestroyRetVal>(LockR);		const SymbolRef *sym = State->get<DestroyRetVal>(LockR);
if (sym)		if (sym)
State = resolvePossiblyDestroyedMutex(State, LockR, sym);		State = resolvePossiblyDestroyedMutex(State, LockR, sym);

const LockState *LState = State->get<LockMap>(LockR);		const LockState *LState = State->get<LockMap>(LockR);
// Checking the return value of the destroy method only in the case of		// Checking the return value of the destroy method only in the case of
// PthreadSemantics		// PthreadSemantics
if (Semantics == PthreadSemantics) {		if (Semantics == PthreadSemantics) {
if (!LState \|\| LState->isUnlocked()) {		if (!LState \|\| LState->isAnyUnlocked()) {
SymbolRef sym = Call.getReturnValue().getAsSymbol();		SymbolRef sym = Call.getReturnValue().getAsSymbol();
if (!sym) {		if (!sym) {
State = State->remove<LockMap>(LockR);		State = State->remove<LockMap>(LockR);
C.addTransition(State);		C.addTransition(State);
return;		return;
}		}
State = State->set<DestroyRetVal>(LockR, sym);		State = State->set<DestroyRetVal>(LockR, sym);
if (LState && LState->isUnlocked())		if (LState && LState->isAnyUnlocked())
State = State->set<LockMap>(		State = State->set<LockMap>(
LockR, LockState::getUnlockedAndPossiblyDestroyed());		LockR, LockState::getUnlockedAndPossiblyDestroyed());
else		else
State = State->set<LockMap>(		State = State->set<LockMap>(
LockR, LockState::getUntouchedAndPossiblyDestroyed());		LockR, LockState::getUntouchedAndPossiblyDestroyed());
C.addTransition(State);		C.addTransition(State);
return;		return;
}		}
} else {		} else {
if (!LState \|\| LState->isUnlocked()) {		if (!LState \|\| LState->isAnyUnlocked()) {
State = State->set<LockMap>(LockR, LockState::getDestroyed());		State = State->set<LockMap>(LockR, LockState::getDestroyed());
C.addTransition(State);		C.addTransition(State);
return;		return;
}		}
}		}

StringRef Message = LState->isLocked()		StringRef Message = LState->isAnyLocked()
? "This lock is still locked"		? "This lock is still locked"
: "This lock has already been destroyed";		: "This lock has already been destroyed";

reportBug(C, BT_destroylock, MtxExpr, CheckKind, Message);		reportBug(C, BT_destroylock, MtxExpr, CheckKind, Message);
}		}

void PthreadLockChecker::InitAnyLock(const CallEvent &Call, CheckerContext &C,		void PthreadLockChecker::InitAnyLock(const CallEvent &Call, CheckerContext &C,
CheckerKind CheckKind) const {		CheckerKind CheckKind) const {
Show All 18 Lines	void PthreadLockChecker::InitLockAux(const CallEvent &Call, CheckerContext &C,

const struct LockState *LState = State->get<LockMap>(LockR);		const struct LockState *LState = State->get<LockMap>(LockR);
if (!LState \|\| LState->isDestroyed()) {		if (!LState \|\| LState->isDestroyed()) {
State = State->set<LockMap>(LockR, LockState::getUnlocked());		State = State->set<LockMap>(LockR, LockState::getUnlocked());
C.addTransition(State);		C.addTransition(State);
return;		return;
}		}

StringRef Message = LState->isLocked()		StringRef Message = LState->isAnyLocked()
? "This lock is still being held"		? "This lock is still being held"
: "This lock has already been initialized";		: "This lock has already been initialized";

reportBug(C, BT_initlock, MtxExpr, CheckKind, Message);		reportBug(C, BT_initlock, MtxExpr, CheckKind, Message);
}		}

void PthreadLockChecker::reportBug(CheckerContext &C,		void PthreadLockChecker::reportBug(CheckerContext &C,
std::unique_ptr<BugType> BT[],		std::unique_ptr<BugType> BT[],
▲ Show 20 Lines • Show All 93 Lines • Show Last 20 Lines

clang/test/Analysis/Inputs/system-header-simulator-for-pthread-lock.h

	Show All 28 Lines
	extern int pthread_mutex_trylock(pthread_mutex_t *);			extern int pthread_mutex_trylock(pthread_mutex_t *);
	extern int pthread_mutex_destroy(pthread_mutex_t *);			extern int pthread_mutex_destroy(pthread_mutex_t *);
	extern int pthread_mutex_init(pthread_mutex_t mutex, const pthread_mutexattr_t mutexattr);			extern int pthread_mutex_init(pthread_mutex_t mutex, const pthread_mutexattr_t mutexattr);

	typedef int boolean_t;			typedef int boolean_t;
	extern void lck_mtx_lock(lck_mtx_t *);			extern void lck_mtx_lock(lck_mtx_t *);
	extern void lck_mtx_unlock(lck_mtx_t *);			extern void lck_mtx_unlock(lck_mtx_t *);
	extern boolean_t lck_mtx_try_lock(lck_mtx_t *);			extern boolean_t lck_mtx_try_lock(lck_mtx_t *);
				extern boolean_t lck_rw_try_lock_shared(lck_rw_t *);
				extern boolean_t lck_rw_try_lock_exclusive(lck_rw_t *);
	extern void lck_mtx_destroy(lck_mtx_t lck, lck_grp_t grp);			extern void lck_mtx_destroy(lck_mtx_t lck, lck_grp_t grp);

	extern void lck_rw_lock_exclusive(lck_rw_t *lck);			extern void lck_rw_lock_exclusive(lck_rw_t *lck);
	extern void lck_rw_unlock_exclusive(lck_rw_t *lck);			extern void lck_rw_unlock_exclusive(lck_rw_t *lck);
	extern void lck_rw_lock_shared(lck_rw_t *lck);			extern void lck_rw_lock_shared(lck_rw_t *lck);
	extern void lck_rw_unlock_shared(lck_rw_t *lck);			extern void lck_rw_unlock_shared(lck_rw_t *lck);

clang/test/Analysis/pthreadlock.c

Show First 20 Lines • Show All 236 Lines • ▼ Show 20 Lines	void ok31(void) {
pthread_mutex_init(&local_mtx, NULL);		pthread_mutex_init(&local_mtx, NULL);
pthread_mutex_lock(&local_mtx);		pthread_mutex_lock(&local_mtx);
fake_system_function_that_takes_a_mutex(&local_mtx);		fake_system_function_that_takes_a_mutex(&local_mtx);
pthread_mutex_lock(&local_mtx); // no-warning		pthread_mutex_lock(&local_mtx); // no-warning
pthread_mutex_unlock(&local_mtx);		pthread_mutex_unlock(&local_mtx);
pthread_mutex_destroy(&local_mtx);		pthread_mutex_destroy(&local_mtx);
}		}

		void ok32(void) {
		if (lck_rw_try_lock_exclusive(&rw) != 0) // no-warning
		lck_rw_unlock_exclusive(&rw); // no-warning
		}

		void ok33(void) {
		if (lck_rw_try_lock_shared(&rw) != 0) // no-warning
		lck_rw_unlock_shared(&rw); // no-warning
		}

void		void
bad1(void)		bad1(void)
{		{
pthread_mutex_lock(&mtx1); // no-warning		pthread_mutex_lock(&mtx1); // no-warning
pthread_mutex_lock(&mtx1); // expected-warning{{This lock has already been acquired}}		pthread_mutex_lock(&mtx1); // expected-warning{{This lock has already been acquired}}
}		}

void		void
▲ Show 20 Lines • Show All 244 Lines • ▼ Show 20 Lines
void bad31(void) {		void bad31(void) {
int ret = pthread_mutex_destroy(&mtx1); // no-warning		int ret = pthread_mutex_destroy(&mtx1); // no-warning
pthread_mutex_lock(&mtx1); // expected-warning{{This lock has already been destroyed}}		pthread_mutex_lock(&mtx1); // expected-warning{{This lock has already been destroyed}}
if (ret != 0)		if (ret != 0)
pthread_mutex_lock(&mtx1);		pthread_mutex_lock(&mtx1);
}		}

void bad32(void) {		void bad32(void) {
		pthread_mutex_lock(pmtx);
		fake_system_function();
		pthread_mutex_lock(pmtx); // expected-warning{{This lock has already been acquired}}
		}

		void bad33(void) {
lck_rw_lock_shared(&rw);		lck_rw_lock_shared(&rw);
lck_rw_unlock_exclusive(&rw); // FIXME: warn - should be shared?		lck_rw_lock_shared(&rw); // expected-warning{{This lock has already been acquired}}
		}

		void bad34(void) {
lck_rw_lock_exclusive(&rw);		lck_rw_lock_exclusive(&rw);
lck_rw_unlock_shared(&rw); // FIXME: warn - should be exclusive?		lck_rw_lock_exclusive(&rw); // expected-warning{{This lock has already been acquired}}
}		}

void bad33(void) {		void bad35(void) {
pthread_mutex_lock(pmtx);		lck_rw_lock_exclusive(&rw);
fake_system_function();		lck_rw_lock_shared(&rw); // expected-warning{{This lock has already been acquired}}
pthread_mutex_lock(pmtx); // expected-warning{{This lock has already been acquired}}		}

		void bad36(void) {
		lck_rw_lock_shared(&rw);
		lck_rw_lock_exclusive(&rw); // expected-warning{{This lock has already been acquired}}
		}

		void bad37(void) {
		lck_rw_lock_exclusive(&rw);
		lck_rw_unlock_shared(&rw); // expected-warning{{This lock has been acquired exclusively, but shared unlock used}}
		}

		void bad38(void) {
		lck_rw_lock_shared(&rw);
		lck_rw_unlock_exclusive(&rw); // expected-warning{{This lock has been acquired as shared, but exclusive unlock used}}
		}

		void bad39(void) {
		if (lck_rw_try_lock_exclusive(&rw) != 0) // no-warning
		lck_rw_unlock_shared(&rw); // expected-warning{{This lock has been acquired exclusively, but shared unlock used}}
		}

		void bad40(void) {
		if (lck_rw_try_lock_shared(&rw) != 0) // no-warning
		lck_rw_unlock_exclusive(&rw); // expected-warning{{This lock has been acquired as shared, but exclusive unlock used}}
}		}