This is an archive of the discontinued LLVM Phabricator instance.

Differential D124966

Thread safety analysis: Handle compound assignment and ->* overloads
ClosedPublic

Authored by aaronpuchert on May 4 2022, 2:48 PM.

Details

Reviewers
aaron.ballman
delesley
Commits
rG44ae49e1a725: Thread safety analysis: Handle compound assignment and ->* overloads
Summary

Like regular assignment, compound assignment operators can be assumed to
write to their left-hand side operand. So we strengthen the requirements
there. (Previously only the default read access had been required.)

Just like operator->, operator->* can also be assumed to dereference the
left-hand side argument, so we require read access to the pointee. This
will generate new warnings if the left-hand side has a pt_guarded_by
attribute. This overload is rarely used, but it was trivial to add, so
why not. (Supporting the builtin operator requires changes to the TIL.)

Diff Detail

Event Timeline

aaronpuchert created this revision.May 4 2022, 2:48 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 4 2022, 2:48 PM
aaronpuchert requested review of this revision.May 4 2022, 2:48 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 4 2022, 2:48 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
aaronpuchert added a subscriber: rupprecht.May 4 2022, 2:58 PM

@rupprecht, do you still do integration at Google? This patch might be interesting to try out, since it strengthens some warnings.

clang/test/SemaCXX/warn-thread-safety-analysis.cpp
85–86

In case you're wondering, making this a member function prevents instantiating the class with non-class types:

error: member pointer refers into non-class type 'int'
  U& operator->*(U T::*p) const { return ptr_->*p; }
                      ^
note: in instantiation of template class 'SmartPtr<int>' requested here
SmartPtr<int> p;
              ^
Harbormaster completed remote builds in B162801: Diff 427147.May 4 2022, 4:45 PM
aaron.ballman added inline comments.May 5 2022, 4:19 AM
clang/lib/Analysis/ThreadSafety.cpp
1993

If we're going to be handling these, should we also be handling overloads of ++ and --?

clang/test/SemaCXX/warn-thread-safety-analysis.cpp
4344

We should probably add test coverage for all the newly supported operators.

aaronpuchert marked 2 inline comments as done.May 6 2022, 6:35 AM
aaronpuchert added inline comments.
clang/lib/Analysis/ThreadSafety.cpp
1993

Yes, in some sense these are also compound assignment operators despite their looks. I'll add them as well.

Sadly streams use << and >> instead of <<= and >>=, and we can't really assume the former to write.

aaronpuchert updated this revision to Diff 427617.May 6 2022, 6:37 AM
aaronpuchert marked an inline comment as done.

Also consider ++ and -- as writing, test all operators.

aaronpuchert updated this revision to Diff 427623.May 6 2022, 6:52 AM

Use 1 instead of 0 just to be sure. We don't want to trigger warnings about division by zero.

Harbormaster completed remote builds in B163136: Diff 427623.May 6 2022, 7:25 AM
aaron.ballman accepted this revision.May 6 2022, 11:35 AM

LGTM! You should probably add a release note for this change so users know about it. (Do we need to update any documentation from this?)

This revision is now accepted and ready to land.May 6 2022, 11:35 AM
aaronpuchert added a comment.May 6 2022, 2:26 PM
In D124966#3497305, @aaron.ballman wrote:

LGTM! You should probably add a release note for this change so users know about it.

Good point, I'll add a note about compound assignment and increment/decrement. I'll leave out operator->* though if you don't mind because it's rarely overloaded.

Do we need to update any documentation from this?

I don't think so, we don't really specify what we consider as write and what not. It's more of a heuristic anyway, unless at some point we feel comfortable enough to do D52395.

aaronpuchert updated this revision to Diff 427750.May 6 2022, 2:28 PM

Add a release note.

aaronpuchert added inline comments.May 6 2022, 2:43 PM
clang/docs/ReleaseNotes.rst
194–204

Or maybe I should add it here? Not sure why there is a blank line.

Harbormaster completed remote builds in B163226: Diff 427750.May 6 2022, 3:33 PM
aaron.ballman accepted this revision.May 9 2022, 4:24 AM
In D124966#3497781, @aaronpuchert wrote:
In D124966#3497305, @aaron.ballman wrote:

Do we need to update any documentation from this?

I don't think so, we don't really specify what we consider as write and what not. It's more of a heuristic anyway, unless at some point we feel comfortable enough to do D52395.

SGTM, thanks for verifying! Continues to LGTM.

clang/docs/ReleaseNotes.rst
194–204

Either way is fine -- the blank line is an accident, but it'll go away at some point.

This revision was landed with ongoing or failed builds.May 9 2022, 6:36 AM
Closed by commit rG44ae49e1a725: Thread safety analysis: Handle compound assignment and ->* overloads (authored by aaronpuchert). · Explain Why
This revision was automatically updated to reflect the committed changes.
aaronpuchert added a commit: rG44ae49e1a725: Thread safety analysis: Handle compound assignment and ->* overloads.
aaronpuchert marked an inline comment as done.May 9 2022, 6:36 AM
aaronpuchert mentioned this in D129514: Thread safety analysis: Support builtin pointer-to-member operators.Jul 11 2022, 1:43 PM
aaronpuchert mentioned this in rGbfe63ab63e22: Thread safety analysis: Support builtin pointer-to-member operators.Jul 14 2022, 4:38 AM

Revision Contents

PathSize
clang/
docs/
3 lines
lib/
Analysis/
25 lines
test/
SemaCXX/
37 lines

Diff 428065

clang/docs/ReleaseNotes.rst

Show First 20 LinesShow All 185 Lines▼ Show 20 Lines- Clang now appropriately issues an error in C when a definition of a function
function with a prototype. e.g., ``void f(int); void f() {}`` is now properly function with a prototype. e.g., ``void f(int); void f() {}`` is now properly
diagnosed. diagnosed.
- The ``-Wimplicit-function-declaration`` warning diagnostic now defaults to - The ``-Wimplicit-function-declaration`` warning diagnostic now defaults to
an error in C99 and later. Prior to C2x, it may be downgraded to a warning an error in C99 and later. Prior to C2x, it may be downgraded to a warning
with ``-Wno-error=implicit-function-declaration``, or disabled entirely with with ``-Wno-error=implicit-function-declaration``, or disabled entirely with
``-Wno-implicit-function-declaration``. As of C2x, support for implicit ``-Wno-implicit-function-declaration``. As of C2x, support for implicit
function declarations has been removed, and the warning options will have no function declarations has been removed, and the warning options will have no
effect. effect.
- The ``-Wimplicit-int`` warning diagnostic now defaults to an error in C99 and - The ``-Wimplicit-int`` warning diagnostic now defaults to an error in C99 and
later. Prior to C2x, it may be downgraded to a warning with later. Prior to C2x, it may be downgraded to a warning with
``-Wno-error=implicit-int``, or disabled entirely with ``-Wno-implicit-int``. ``-Wno-error=implicit-int``, or disabled entirely with ``-Wno-implicit-int``.
As of C2x, support for implicit int has been removed, and the warning options As of C2x, support for implicit int has been removed, and the warning options
will have no effect. Specifying ``-Wimplicit-int`` in C89 mode will now issue will have no effect. Specifying ``-Wimplicit-int`` in C89 mode will now issue
warnings instead of being a noop. warnings instead of being a noop.
- No longer issue a "declaration specifiers missing, defaulting to int" - No longer issue a "declaration specifiers missing, defaulting to int"
diagnostic in C89 mode because it is not an extension in C89, it was valid diagnostic in C89 mode because it is not an extension in C89, it was valid
code. The diagnostic has been removed entirely as it did not have a code. The diagnostic has been removed entirely as it did not have a
diagnostic group to disable it, but it can be covered wholly by diagnostic group to disable it, but it can be covered wholly by
``-Wimplicit-int``. ``-Wimplicit-int``.
aaronpuchertAuthorUnsubmitted
Done
ReplyInline Actions

Or maybe I should add it here? Not sure why there is a blank line.

aaronpuchert: Or maybe I should add it here? Not sure why there is a blank line.
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Either way is fine -- the blank line is an accident, but it'll go away at some point.

aaron.ballman: Either way is fine -- the blank line is an accident, but it'll go away at some point.
- ``-Wmisexpect`` warns when the branch weights collected during profiling - ``-Wmisexpect`` warns when the branch weights collected during profiling
conflict with those added by ``llvm.expect``. conflict with those added by ``llvm.expect``.
- ``-Wthread-safety-analysis`` now considers overloaded compound assignment and
increment/decrement operators as writing to their first argument, thus
requiring an exclusive lock if the argument is guarded.
Non-comprehensive list of changes in this release Non-comprehensive list of changes in this release
------------------------------------------------- -------------------------------------------------
- Improve __builtin_dump_struct: - Improve __builtin_dump_struct:
- Support bitfields in struct and union. - Support bitfields in struct and union.
- Improve the dump format, dump both bitwidth(if its a bitfield) and field - Improve the dump format, dump both bitwidth(if its a bitfield) and field
▲ Show 20 LinesShow All 254 LinesShow Last 20 Lines

clang/lib/Analysis/ThreadSafety.cpp

Show First 20 LinesShow All 1,982 Lines▼ Show 20 Lines if (ME && MD) {
} else { } else {
// Should perhaps be AK_Written if !MD->isConst(). // Should perhaps be AK_Written if !MD->isConst().
checkAccess(CE->getImplicitObjectArgument(), AK_Read); checkAccess(CE->getImplicitObjectArgument(), AK_Read);
} }
} }
examineArguments(CE->getDirectCallee(), CE->arg_begin(), CE->arg_end()); examineArguments(CE->getDirectCallee(), CE->arg_begin(), CE->arg_end());
} else if (const auto *OE = dyn_cast<CXXOperatorCallExpr>(Exp)) { } else if (const auto *OE = dyn_cast<CXXOperatorCallExpr>(Exp)) {
auto OEop = OE->getOperator(); OverloadedOperatorKind OEop = OE->getOperator();
switch (OEop) { switch (OEop) {
case OO_Equal: { case OO_Equal:
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

If we're going to be handling these, should we also be handling overloads of ++ and --?

aaron.ballman: If we're going to be handling these, should we also be handling overloads of `++` and `--`?
aaronpuchertAuthorUnsubmitted
Done
ReplyInline Actions

Yes, in some sense these are also compound assignment operators despite their looks. I'll add them as well.

Sadly streams use << and >> instead of <<= and >>=, and we can't really assume the former to write.

aaronpuchert: Yes, in some sense these are also compound assignment operators despite their looks. I'll add…
const Expr *Target = OE->getArg(0); case OO_PlusEqual:
const Expr *Source = OE->getArg(1); case OO_MinusEqual:
checkAccess(Target, AK_Written); case OO_StarEqual:
checkAccess(Source, AK_Read); case OO_SlashEqual:
case OO_PercentEqual:
case OO_CaretEqual:
case OO_AmpEqual:
case OO_PipeEqual:
case OO_LessLessEqual:
case OO_GreaterGreaterEqual:
checkAccess(OE->getArg(1), AK_Read);
LLVM_FALLTHROUGH;
case OO_PlusPlus:
case OO_MinusMinus:
checkAccess(OE->getArg(0), AK_Written);
break; break;
}
case OO_Star: case OO_Star:
case OO_ArrowStar:
case OO_Arrow: case OO_Arrow:
case OO_Subscript: case OO_Subscript:
if (!(OEop == OO_Star && OE->getNumArgs() > 1)) { if (!(OEop == OO_Star && OE->getNumArgs() > 1)) {
// Grrr. operator* can be multiplication... // Grrr. operator* can be multiplication...
checkPtAccess(OE->getArg(0), AK_Read); checkPtAccess(OE->getArg(0), AK_Read);
} }
LLVM_FALLTHROUGH; LLVM_FALLTHROUGH;
default: { default: {
▲ Show 20 LinesShow All 472 LinesShow Last 20 Lines

clang/test/SemaCXX/warn-thread-safety-analysis.cpp

Show First 20 LinesShow All 76 Lines▼ Show 20 Linespublic:
T* operator->() const { return ptr_; } T* operator->() const { return ptr_; }
T& operator*() const { return *ptr_; } T& operator*() const { return *ptr_; }
T& operator[](int i) const { return ptr_[i]; } T& operator[](int i) const { return ptr_[i]; }
private: private:
T* ptr_; T* ptr_;
}; };
template<typename T, typename U>
U& operator->*(const SmartPtr<T>& ptr, U T::*p) { return ptr->*p; }
aaronpuchertAuthorUnsubmitted
Done
ReplyInline Actions

In case you're wondering, making this a member function prevents instantiating the class with non-class types:

error: member pointer refers into non-class type 'int'
  U& operator->*(U T::*p) const { return ptr_->*p; }
                      ^
note: in instantiation of template class 'SmartPtr<int>' requested here
SmartPtr<int> p;
              ^
aaronpuchert: In case you're wondering, making this a member function prevents instantiating the class with…
// For testing destructor calls and cleanup. // For testing destructor calls and cleanup.
class MyString { class MyString {
public: public:
MyString(const char* s); MyString(const char* s);
~MyString(); ~MyString();
}; };
▲ Show 20 LinesShow All 4,240 Lines▼ Show 20 Linespublic:
int getValue() const { return dat; } int getValue() const { return dat; }
void setValue(int i) { dat = i; } void setValue(int i) { dat = i; }
int operator[](int i) const { return dat; } int operator[](int i) const { return dat; }
int& operator[](int i) { return dat; } int& operator[](int i) { return dat; }
void operator()() { } void operator()() { }
Data& operator+=(int);
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

We should probably add test coverage for all the newly supported operators.

aaron.ballman: We should probably add test coverage for all the newly supported operators.
Data& operator-=(int);
Data& operator*=(int);
Data& operator/=(int);
Data& operator%=(int);
Data& operator^=(int);
Data& operator&=(int);
Data& operator|=(int);
Data& operator<<=(int);
Data& operator>>=(int);
Data& operator++();
Data& operator++(int);
Data& operator--();
Data& operator--(int);
private: private:
int dat; int dat;
}; };
class DataCell { class DataCell {
public: public:
DataCell(const Data& d) : dat(d) { } DataCell(const Data& d) : dat(d) { }
▲ Show 20 LinesShow All 50 Lines▼ Show 20 Lines void test2() {
*datap1_ = data_; // expected-warning {{reading variable 'datap1_' requires holding mutex 'mu_'}} \ *datap1_ = data_; // expected-warning {{reading variable 'datap1_' requires holding mutex 'mu_'}} \
// expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}} // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}}
*datap2_ = data_; // expected-warning {{writing the value pointed to by 'datap2_' requires holding mutex 'mu_' exclusively}} \ *datap2_ = data_; // expected-warning {{writing the value pointed to by 'datap2_' requires holding mutex 'mu_' exclusively}} \
// expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}} // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}}
data_ = *datap1_; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}} \ data_ = *datap1_; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}} \
// expected-warning {{reading variable 'datap1_' requires holding mutex 'mu_'}} // expected-warning {{reading variable 'datap1_' requires holding mutex 'mu_'}}
data_ = *datap2_; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}} \ data_ = *datap2_; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}} \
// expected-warning {{reading the value pointed to by 'datap2_' requires holding mutex 'mu_'}} // expected-warning {{reading the value pointed to by 'datap2_' requires holding mutex 'mu_'}}
data_ += 1; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_ -= 1; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_ *= 1; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_ /= 1; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_ %= 1; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_ ^= 1; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_ &= 1; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_ |= 1; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_ <<= 1; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_ >>= 1; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
++data_; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_++; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
--data_; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_--; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_[0] = 0; // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}} data_[0] = 0; // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}}
(*datap2_)[0] = 0; // expected-warning {{reading the value pointed to by 'datap2_' requires holding mutex 'mu_'}} (*datap2_)[0] = 0; // expected-warning {{reading the value pointed to by 'datap2_' requires holding mutex 'mu_'}}
data_(); // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}} data_(); // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}}
} }
// const operator tests // const operator tests
▲ Show 20 LinesShow All 503 Lines▼ Show 20 Lines
class SmartPtr_PtGuardedBy_Test { class SmartPtr_PtGuardedBy_Test {
Mutex mu1; Mutex mu1;
Mutex mu2; Mutex mu2;
SmartPtr<int> sp GUARDED_BY(mu1) PT_GUARDED_BY(mu2); SmartPtr<int> sp GUARDED_BY(mu1) PT_GUARDED_BY(mu2);
SmartPtr<Cell> sq GUARDED_BY(mu1) PT_GUARDED_BY(mu2); SmartPtr<Cell> sq GUARDED_BY(mu1) PT_GUARDED_BY(mu2);
static constexpr int Cell::*pa = &Cell::a;
void test1() { void test1() {
mu1.ReaderLock(); mu1.ReaderLock();
mu2.Lock(); mu2.Lock();
sp.get(); sp.get();
if (*sp == 0) doSomething(); if (*sp == 0) doSomething();
*sp = 0; *sp = 0;
sq->a = 0; sq->a = 0;
sq->*pa = 0;
if (sp[0] == 0) doSomething(); if (sp[0] == 0) doSomething();
sp[0] = 0; sp[0] = 0;
mu2.Unlock(); mu2.Unlock();
mu1.Unlock(); mu1.Unlock();
} }
void test2() { void test2() {
mu2.Lock(); mu2.Lock();
sp.get(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}} sp.get(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}}
if (*sp == 0) doSomething(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}} if (*sp == 0) doSomething(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}}
*sp = 0; // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}} *sp = 0; // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}}
sq->a = 0; // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}} sq->a = 0; // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}}
sq->*pa = 0; // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}}
if (sp[0] == 0) doSomething(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}} if (sp[0] == 0) doSomething(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}}
sp[0] = 0; // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}} sp[0] = 0; // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}}
if (sq[0].a == 0) doSomething(); // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}} if (sq[0].a == 0) doSomething(); // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}}
sq[0].a = 0; // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}} sq[0].a = 0; // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}}
mu2.Unlock(); mu2.Unlock();
} }
void test3() { void test3() {
mu1.Lock(); mu1.Lock();
sp.get(); sp.get();
if (*sp == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}} if (*sp == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}}
*sp = 0; // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}} *sp = 0; // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}}
sq->a = 0; // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}} sq->a = 0; // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}}
sq->*pa = 0; // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}}
if (sp[0] == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}} if (sp[0] == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}}
sp[0] = 0; // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}} sp[0] = 0; // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}}
if (sq[0].a == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}} if (sq[0].a == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}}
sq[0].a = 0; // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}} sq[0].a = 0; // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}}
mu1.Unlock(); mu1.Unlock();
} }
▲ Show 20 LinesShow All 1,016 LinesShow Last 20 Lines