This is an archive of the discontinued LLVM Phabricator instance.

Differential D87194

Thread safety analysis: Use access specifiers to decide about scope
Changes PlannedPublic

Authored by aaronpuchert on Sep 5 2020, 8:25 AM.

Details

Reviewers
aaron.ballman
Summary

Public members are always in scope, protected members in derived classes
with sufficient access.

Diff Detail

Unit TestsFailed

TimeTest
400 mslinux > HWAddressSanitizer-x86_64.TestCases::sizes.cpp

Event Timeline

aaronpuchert created this revision.Sep 5 2020, 8:25 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 5 2020, 8:25 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
aaronpuchert requested review of this revision.Sep 5 2020, 8:25 AM
Harbormaster completed remote builds in B70739: Diff 290094.Sep 5 2020, 8:26 AM
aaronpuchert mentioned this in D84604: Thread safety analysis: Consider global variables in scope.Oct 29 2020, 4:42 PM
aaronpuchert planned changes to this revision.Oct 30 2020, 8:03 AM

Need to rebase this on top of D84604 plus a subsequent fix.

aaron.ballman added inline comments.Nov 2 2020, 8:47 AM
clang/lib/Analysis/ThreadSafety.cpp
1317

This should probably have a FIXME?

1323–1325

llvm::any_of()?

clang/test/SemaCXX/warn-thread-safety-negative.cpp
168

Given that this is touching on declaration contexts, it would also be good to have some tests checking for differences between declaration contexts (like out-of-line method definitions)

aaronpuchert added inline comments.Nov 2 2020, 1:29 PM
clang/test/SemaCXX/warn-thread-safety-negative.cpp
168

Isn't there a semantic and a lexical declaration context, and aren't we consistently using the semantic context?

aaronpuchert updated this revision to Diff 302388.Nov 2 2020, 1:31 PM
aaronpuchert marked 2 inline comments as done.

Rebased on D84604, included static members, and addressed review comments.

aaronpuchert added a subscriber: rupprecht.Nov 2 2020, 1:34 PM

@rupprecht, maybe you can try it again?

Harbormaster completed remote builds in B77316: Diff 302388.Nov 2 2020, 2:12 PM
rupprecht added a comment.Nov 2 2020, 3:20 PM
In D87194#2369485, @aaronpuchert wrote:

@rupprecht, maybe you can try it again?

Some more interesting errors this time :)

The ones I originally saw look correct now (i.e. it's flagging the things that are valid, but not the things out of visibility). I tried building the rest of this package, and I guess scoping isn't considered in this case though?

class Foo {
 public:
  static void Bar();
 private:
  struct Params {
    Mutex mu_;
  }
  static Params* GetParams();
};

// In the .cc file:
void Foo::Bar() {
  Params& params = *GetParams();
  MutexLock lock(params.mu_);  // error: acquiring mutex 'params.mu_' requires negative capability '!params.mu_'
}

/* static */ Params* Foo::GetParams() {
  static Params params;
  return &params;
}

On one hand, it's totally valid. On the other hand, annotating the method like static void Bar() REQUIRES(!params.mu_); isn't possible because params is a local variable.

(I'm new to threading analysis, so maybe I'm just using the wrong annotations)

aaronpuchert planned changes to this revision.Nov 3 2020, 12:32 PM

That's a good point, while mu_ is public, params is a local variable.

I need to take into account the left-hand side of a til::Project, which we're currently ignoring.

Revision Contents

PathSize
clang/
lib/
Analysis/
42 lines
test/
SemaCXX/
55 lines

Diff 302388

clang/lib/Analysis/ThreadSafety.cpp

Show All 10 Lines
// //
// See http://clang.llvm.org/docs/ThreadSafetyAnalysis.html // See http://clang.llvm.org/docs/ThreadSafetyAnalysis.html
// for more information. // for more information.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/Analysis/Analyses/ThreadSafety.h" #include "clang/Analysis/Analyses/ThreadSafety.h"
#include "clang/AST/Attr.h" #include "clang/AST/Attr.h"
#include "clang/AST/CXXInheritance.h"
#include "clang/AST/Decl.h" #include "clang/AST/Decl.h"
#include "clang/AST/DeclCXX.h" #include "clang/AST/DeclCXX.h"
#include "clang/AST/DeclGroup.h" #include "clang/AST/DeclGroup.h"
#include "clang/AST/Expr.h" #include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h" #include "clang/AST/ExprCXX.h"
#include "clang/AST/OperationKinds.h" #include "clang/AST/OperationKinds.h"
#include "clang/AST/Stmt.h" #include "clang/AST/Stmt.h"
#include "clang/AST/StmtVisitor.h" #include "clang/AST/StmtVisitor.h"
▲ Show 20 LinesShow All 1,233 Lines▼ Show 20 Lines
ClassifyDiagnostic(const AttrTy *A) { ClassifyDiagnostic(const AttrTy *A) {
for (const auto *Arg : A->args()) { for (const auto *Arg : A->args()) {
if (const ValueDecl *VD = getValueDecl(Arg)) if (const ValueDecl *VD = getValueDecl(Arg))
return ClassifyDiagnostic(VD); return ClassifyDiagnostic(VD);
} }
return "mutex"; return "mutex";
} }
static bool accessibleMember(const ValueDecl *VD,
const CXXMethodDecl *CurrentMethod) {
AccessSpecifier Access = VD->getAccess();
if (Access == AS_public)
return true;
// FIXME: We are ignoring friends for now.
if (!CurrentMethod)
return false;
const auto *ValueDeclRecord = cast<CXXRecordDecl>(VD->getDeclContext()),
*MethodRecord =
cast<CXXRecordDecl>(CurrentMethod->getDeclContext());
// If we're in the same class, all members are accessible.
if (ValueDeclRecord == MethodRecord)
return true;
// Otherwise we're out of luck for private members.
if (Access == AS_private)
return false;
// Protected members might be accessible in derived classes.
assert(Access == AS_protected);
CXXBasePaths Paths;
return MethodRecord->isDerivedFrom(ValueDeclRecord, Paths) &&
llvm::any_of(Paths, [](const CXXBasePath &Path) {
return Path.Access != AS_none;
});
}
bool ThreadSafetyAnalyzer::inCurrentScope(const CapabilityExpr &CapE) { bool ThreadSafetyAnalyzer::inCurrentScope(const CapabilityExpr &CapE) {
const threadSafety::til::SExpr *SExp = CapE.sexpr(); const threadSafety::til::SExpr *SExp = CapE.sexpr();
assert(SExp && "Null expressions should be ignored"); assert(SExp && "Null expressions should be ignored");
if (const auto *LP = dyn_cast<til::LiteralPtr>(SExp)) { if (const auto *LP = dyn_cast<til::LiteralPtr>(SExp)) {
const ValueDecl *VD = LP->clangDecl(); const ValueDecl *VD = LP->clangDecl();
// Variables defined in a function are always inaccessible. // Variables defined in a function are always inaccessible.
if (!VD->isDefinedOutsideFunctionOrMethod()) if (!VD->isDefinedOutsideFunctionOrMethod())
return false; return false;
// For now we consider static class members to be inaccessible.
if (isa<CXXRecordDecl>(VD->getDeclContext())) if (isa<CXXRecordDecl>(VD->getDeclContext()))
return false; return accessibleMember(VD, CurrentMethod);
// Global variables are always in scope. // Global variables are always in scope.
return true; return true;
} }
// Members are in scope from methods of the same class. if (const auto *P = dyn_cast<til::Project>(SExp))
if (const auto *P = dyn_cast<til::Project>(SExp)) { return accessibleMember(P->clangDecl(), CurrentMethod);
if (!CurrentMethod)
return false;
const ValueDecl *VD = P->clangDecl();
return VD->getDeclContext() == CurrentMethod->getDeclContext();
}
return false; return false;
} }
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

This should probably have a FIXME?

aaron.ballman: This should probably have a FIXME?
/// Add a new lock to the lockset, warning if the lock is already there. /// Add a new lock to the lockset, warning if the lock is already there.
/// \param ReqAttr -- true if this is part of an initial Requires attribute. /// \param ReqAttr -- true if this is part of an initial Requires attribute.
void ThreadSafetyAnalyzer::addLock(FactSet &FSet, void ThreadSafetyAnalyzer::addLock(FactSet &FSet,
std::unique_ptr<FactEntry> Entry, std::unique_ptr<FactEntry> Entry,
StringRef DiagKind, bool ReqAttr) { StringRef DiagKind, bool ReqAttr) {
if (Entry->shouldIgnore()) if (Entry->shouldIgnore())
return; return;
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

llvm::any_of()?

aaron.ballman: `llvm::any_of()`?
if (!ReqAttr && !Entry->negative()) { if (!ReqAttr && !Entry->negative()) {
// look for the negative capability, and remove it from the fact set. // look for the negative capability, and remove it from the fact set.
CapabilityExpr NegC = !*Entry; CapabilityExpr NegC = !*Entry;
const FactEntry *Nen = FSet.findLock(FactMan, NegC); const FactEntry *Nen = FSet.findLock(FactMan, NegC);
if (Nen) { if (Nen) {
FSet.removeLock(FactMan, NegC); FSet.removeLock(FactMan, NegC);
} }
▲ Show 20 LinesShow All 1,280 LinesShow Last 20 Lines

clang/test/SemaCXX/warn-thread-safety-negative.cpp

Show First 20 LinesShow All 118 Lines▼ Show 20 Lines
} }
class StaticMembers { class StaticMembers {
public: public:
void pub() EXCLUSIVE_LOCKS_REQUIRED(!publicMutex); void pub() EXCLUSIVE_LOCKS_REQUIRED(!publicMutex);
void prot() EXCLUSIVE_LOCKS_REQUIRED(!protectedMutex); void prot() EXCLUSIVE_LOCKS_REQUIRED(!protectedMutex);
void priv() EXCLUSIVE_LOCKS_REQUIRED(!privateMutex); void priv() EXCLUSIVE_LOCKS_REQUIRED(!privateMutex);
void test() { void test() {
pub(); pub(); // expected-warning {{calling function 'pub' requires negative capability '!publicMutex'}}
prot(); prot(); // expected-warning {{calling function 'prot' requires negative capability '!protectedMutex'}}
priv(); priv(); // expected-warning {{calling function 'priv' requires negative capability '!privateMutex'}}
} }
static Mutex publicMutex; static Mutex publicMutex;
protected: protected:
static Mutex protectedMutex; static Mutex protectedMutex;
private: private:
static Mutex privateMutex; static Mutex privateMutex;
}; };
void testStaticMembers() { void testStaticMembers() {
StaticMembers x; StaticMembers x;
x.pub(); x.pub(); // expected-warning {{calling function 'pub' requires negative capability '!publicMutex'}}
x.prot();
x.priv();
}
class Base {
public:
void pub() EXCLUSIVE_LOCKS_REQUIRED(!publicMutex);
void prot() EXCLUSIVE_LOCKS_REQUIRED(!protectedMutex);
void priv() EXCLUSIVE_LOCKS_REQUIRED(!privateMutex);
void test() {
pub(); // expected-warning {{calling function 'pub' requires negative capability '!publicMutex'}}
prot(); // expected-warning {{calling function 'prot' requires negative capability '!protectedMutex'}}
priv(); // expected-warning {{calling function 'priv' requires negative capability '!privateMutex'}}
}
static Mutex publicMutex;
protected:
static Mutex protectedMutex;
private:
static Mutex privateMutex;
};
class Derived : private Base {
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Given that this is touching on declaration contexts, it would also be good to have some tests checking for differences between declaration contexts (like out-of-line method definitions)

aaron.ballman: Given that this is touching on declaration contexts, it would also be good to have some tests…
aaronpuchertAuthorUnsubmitted
Not Done
ReplyInline Actions

Isn't there a semantic and a lexical declaration context, and aren't we consistently using the semantic context?

aaronpuchert: Isn't there a semantic and a lexical declaration context, and aren't we consistently using the…
public:
void pubDerived() EXCLUSIVE_LOCKS_REQUIRED(!publicMutex);
void protDerived() EXCLUSIVE_LOCKS_REQUIRED(!protectedMutex);
void inDerivedClass() {
pub(); // expected-warning {{calling function 'pub' requires negative capability '!publicMutex'}}
prot(); // expected-warning {{calling function 'prot' requires negative capability '!protectedMutex'}}
priv();
}
};
class MoreDerived : public Derived {
public:
void inDerivedClassWithInacessibleBase() {
pubDerived(); // expected-warning {{calling function 'pubDerived' requires negative capability '!publicMutex'}}
protDerived();
}
};
void outside() {
Base x;
x.pub(); // expected-warning {{calling function 'pub' requires negative capability '!publicMutex'}}
x.prot(); x.prot();
x.priv(); x.priv();
} }
} // end namespace ScopeTest } // end namespace ScopeTest
namespace DoubleAttribute { namespace DoubleAttribute {
Show All 14 Lines