This is an archive of the discontinued LLVM Phabricator instance.

Differential D124966

Thread safety analysis: Handle compound assignment and ->* overloads
ClosedPublic

Authored by aaronpuchert on May 4 2022, 2:48 PM.

Details

Reviewers
aaron.ballman
delesley
Commits
rG44ae49e1a725: Thread safety analysis: Handle compound assignment and ->* overloads
Summary

Like regular assignment, compound assignment operators can be assumed to
write to their left-hand side operand. So we strengthen the requirements
there. (Previously only the default read access had been required.)

Just like operator->, operator->* can also be assumed to dereference the
left-hand side argument, so we require read access to the pointee. This
will generate new warnings if the left-hand side has a pt_guarded_by
attribute. This overload is rarely used, but it was trivial to add, so
why not. (Supporting the builtin operator requires changes to the TIL.)

Diff Detail

Unit TestsFailed

TimeTest
290 msx64 debian > Clangd Unit Tests._/ClangdTests/DiagnosticTest::ClangTidyEnablesClangWarning

Event Timeline

aaronpuchert created this revision.May 4 2022, 2:48 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 4 2022, 2:48 PM
aaronpuchert requested review of this revision.May 4 2022, 2:48 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 4 2022, 2:48 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
aaronpuchert added a subscriber: rupprecht.May 4 2022, 2:58 PM

@rupprecht, do you still do integration at Google? This patch might be interesting to try out, since it strengthens some warnings.

clang/test/SemaCXX/warn-thread-safety-analysis.cpp
85–86

In case you're wondering, making this a member function prevents instantiating the class with non-class types:

error: member pointer refers into non-class type 'int'
  U& operator->*(U T::*p) const { return ptr_->*p; }
                      ^
note: in instantiation of template class 'SmartPtr<int>' requested here
SmartPtr<int> p;
              ^
Harbormaster completed remote builds in B162801: Diff 427147.May 4 2022, 4:45 PM
aaron.ballman added inline comments.May 5 2022, 4:19 AM
clang/lib/Analysis/ThreadSafety.cpp
1994

If we're going to be handling these, should we also be handling overloads of ++ and --?

clang/test/SemaCXX/warn-thread-safety-analysis.cpp
4344

We should probably add test coverage for all the newly supported operators.

aaronpuchert marked 2 inline comments as done.May 6 2022, 6:35 AM
aaronpuchert added inline comments.
clang/lib/Analysis/ThreadSafety.cpp
1994

Yes, in some sense these are also compound assignment operators despite their looks. I'll add them as well.

Sadly streams use << and >> instead of <<= and >>=, and we can't really assume the former to write.

aaronpuchert updated this revision to Diff 427617.May 6 2022, 6:37 AM
aaronpuchert marked an inline comment as done.

Also consider ++ and -- as writing, test all operators.

aaronpuchert updated this revision to Diff 427623.May 6 2022, 6:52 AM

Use 1 instead of 0 just to be sure. We don't want to trigger warnings about division by zero.

Harbormaster completed remote builds in B163136: Diff 427623.May 6 2022, 7:25 AM
aaron.ballman accepted this revision.May 6 2022, 11:35 AM

LGTM! You should probably add a release note for this change so users know about it. (Do we need to update any documentation from this?)

This revision is now accepted and ready to land.May 6 2022, 11:35 AM
aaronpuchert added a comment.May 6 2022, 2:26 PM
In D124966#3497305, @aaron.ballman wrote:

LGTM! You should probably add a release note for this change so users know about it.

Good point, I'll add a note about compound assignment and increment/decrement. I'll leave out operator->* though if you don't mind because it's rarely overloaded.

Do we need to update any documentation from this?

I don't think so, we don't really specify what we consider as write and what not. It's more of a heuristic anyway, unless at some point we feel comfortable enough to do D52395.

aaronpuchert updated this revision to Diff 427750.May 6 2022, 2:28 PM

Add a release note.

aaronpuchert added inline comments.May 6 2022, 2:43 PM
clang/docs/ReleaseNotes.rst
173 ↗(On Diff #427750)

Or maybe I should add it here? Not sure why there is a blank line.

Harbormaster completed remote builds in B163226: Diff 427750.May 6 2022, 3:33 PM
aaron.ballman accepted this revision.May 9 2022, 4:24 AM
In D124966#3497781, @aaronpuchert wrote:
In D124966#3497305, @aaron.ballman wrote:

Do we need to update any documentation from this?

I don't think so, we don't really specify what we consider as write and what not. It's more of a heuristic anyway, unless at some point we feel comfortable enough to do D52395.

SGTM, thanks for verifying! Continues to LGTM.

clang/docs/ReleaseNotes.rst
173 ↗(On Diff #427750)

Either way is fine -- the blank line is an accident, but it'll go away at some point.

This revision was landed with ongoing or failed builds.May 9 2022, 6:36 AM
Closed by commit rG44ae49e1a725: Thread safety analysis: Handle compound assignment and ->* overloads (authored by aaronpuchert). · Explain Why
This revision was automatically updated to reflect the committed changes.
aaronpuchert added a commit: rG44ae49e1a725: Thread safety analysis: Handle compound assignment and ->* overloads.
aaronpuchert marked an inline comment as done.May 9 2022, 6:36 AM
aaronpuchert mentioned this in D129514: Thread safety analysis: Support builtin pointer-to-member operators.Jul 11 2022, 1:43 PM
aaronpuchert mentioned this in rGbfe63ab63e22: Thread safety analysis: Support builtin pointer-to-member operators.Jul 14 2022, 4:38 AM

Revision Contents

PathSize
clang/
lib/
Analysis/
13 lines
test/
SemaCXX/
11 lines

Diff 427147

clang/lib/Analysis/ThreadSafety.cpp

Show First 20 LinesShow All 1,984 Lines▼ Show 20 Lines if (ME && MD) {
checkAccess(CE->getImplicitObjectArgument(), AK_Read); checkAccess(CE->getImplicitObjectArgument(), AK_Read);
} }
} }
examineArguments(CE->getDirectCallee(), CE->arg_begin(), CE->arg_end()); examineArguments(CE->getDirectCallee(), CE->arg_begin(), CE->arg_end());
} else if (const auto *OE = dyn_cast<CXXOperatorCallExpr>(Exp)) { } else if (const auto *OE = dyn_cast<CXXOperatorCallExpr>(Exp)) {
auto OEop = OE->getOperator(); auto OEop = OE->getOperator();
switch (OEop) { switch (OEop) {
case OO_Equal: { case OO_Equal:
case OO_PlusEqual:
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

If we're going to be handling these, should we also be handling overloads of ++ and --?

aaron.ballman: If we're going to be handling these, should we also be handling overloads of `++` and `--`?
aaronpuchertAuthorUnsubmitted
Done
ReplyInline Actions

Yes, in some sense these are also compound assignment operators despite their looks. I'll add them as well.

Sadly streams use << and >> instead of <<= and >>=, and we can't really assume the former to write.

aaronpuchert: Yes, in some sense these are also compound assignment operators despite their looks. I'll add…
case OO_MinusEqual:
case OO_StarEqual:
case OO_SlashEqual:
case OO_PercentEqual:
case OO_CaretEqual:
case OO_AmpEqual:
case OO_PipeEqual:
case OO_LessLessEqual:
case OO_GreaterGreaterEqual: {
const Expr *Target = OE->getArg(0); const Expr *Target = OE->getArg(0);
const Expr *Source = OE->getArg(1); const Expr *Source = OE->getArg(1);
checkAccess(Target, AK_Written); checkAccess(Target, AK_Written);
checkAccess(Source, AK_Read); checkAccess(Source, AK_Read);
break; break;
} }
case OO_Star: case OO_Star:
case OO_ArrowStar:
case OO_Arrow: case OO_Arrow:
case OO_Subscript: case OO_Subscript:
if (!(OEop == OO_Star && OE->getNumArgs() > 1)) { if (!(OEop == OO_Star && OE->getNumArgs() > 1)) {
// Grrr. operator* can be multiplication... // Grrr. operator* can be multiplication...
checkPtAccess(OE->getArg(0), AK_Read); checkPtAccess(OE->getArg(0), AK_Read);
} }
LLVM_FALLTHROUGH; LLVM_FALLTHROUGH;
default: { default: {
▲ Show 20 LinesShow All 472 LinesShow Last 20 Lines

clang/test/SemaCXX/warn-thread-safety-analysis.cpp

Show First 20 LinesShow All 76 Lines▼ Show 20 Linespublic:
T* operator->() const { return ptr_; } T* operator->() const { return ptr_; }
T& operator*() const { return *ptr_; } T& operator*() const { return *ptr_; }
T& operator[](int i) const { return ptr_[i]; } T& operator[](int i) const { return ptr_[i]; }
private: private:
T* ptr_; T* ptr_;
}; };
template<typename T, typename U>
U& operator->*(const SmartPtr<T>& ptr, U T::*p) { return ptr->*p; }
aaronpuchertAuthorUnsubmitted
Done
ReplyInline Actions

In case you're wondering, making this a member function prevents instantiating the class with non-class types:

error: member pointer refers into non-class type 'int'
  U& operator->*(U T::*p) const { return ptr_->*p; }
                      ^
note: in instantiation of template class 'SmartPtr<int>' requested here
SmartPtr<int> p;
              ^
aaronpuchert: In case you're wondering, making this a member function prevents instantiating the class with…
// For testing destructor calls and cleanup. // For testing destructor calls and cleanup.
class MyString { class MyString {
public: public:
MyString(const char* s); MyString(const char* s);
~MyString(); ~MyString();
}; };
▲ Show 20 LinesShow All 4,240 Lines▼ Show 20 Linespublic:
int getValue() const { return dat; } int getValue() const { return dat; }
void setValue(int i) { dat = i; } void setValue(int i) { dat = i; }
int operator[](int i) const { return dat; } int operator[](int i) const { return dat; }
int& operator[](int i) { return dat; } int& operator[](int i) { return dat; }
void operator()() { } void operator()() { }
Data& operator+=(int);
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

We should probably add test coverage for all the newly supported operators.

aaron.ballman: We should probably add test coverage for all the newly supported operators.
private: private:
int dat; int dat;
}; };
class DataCell { class DataCell {
public: public:
DataCell(const Data& d) : dat(d) { } DataCell(const Data& d) : dat(d) { }
▲ Show 20 LinesShow All 50 Lines▼ Show 20 Lines void test2() {
*datap1_ = data_; // expected-warning {{reading variable 'datap1_' requires holding mutex 'mu_'}} \ *datap1_ = data_; // expected-warning {{reading variable 'datap1_' requires holding mutex 'mu_'}} \
// expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}} // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}}
*datap2_ = data_; // expected-warning {{writing the value pointed to by 'datap2_' requires holding mutex 'mu_' exclusively}} \ *datap2_ = data_; // expected-warning {{writing the value pointed to by 'datap2_' requires holding mutex 'mu_' exclusively}} \
// expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}} // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}}
data_ = *datap1_; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}} \ data_ = *datap1_; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}} \
// expected-warning {{reading variable 'datap1_' requires holding mutex 'mu_'}} // expected-warning {{reading variable 'datap1_' requires holding mutex 'mu_'}}
data_ = *datap2_; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}} \ data_ = *datap2_; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}} \
// expected-warning {{reading the value pointed to by 'datap2_' requires holding mutex 'mu_'}} // expected-warning {{reading the value pointed to by 'datap2_' requires holding mutex 'mu_'}}
data_ += 0; // expected-warning {{writing variable 'data_' requires holding mutex 'mu_' exclusively}}
data_[0] = 0; // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}} data_[0] = 0; // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}}
(*datap2_)[0] = 0; // expected-warning {{reading the value pointed to by 'datap2_' requires holding mutex 'mu_'}} (*datap2_)[0] = 0; // expected-warning {{reading the value pointed to by 'datap2_' requires holding mutex 'mu_'}}
data_(); // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}} data_(); // expected-warning {{reading variable 'data_' requires holding mutex 'mu_'}}
} }
// const operator tests // const operator tests
▲ Show 20 LinesShow All 503 Lines▼ Show 20 Lines
class SmartPtr_PtGuardedBy_Test { class SmartPtr_PtGuardedBy_Test {
Mutex mu1; Mutex mu1;
Mutex mu2; Mutex mu2;
SmartPtr<int> sp GUARDED_BY(mu1) PT_GUARDED_BY(mu2); SmartPtr<int> sp GUARDED_BY(mu1) PT_GUARDED_BY(mu2);
SmartPtr<Cell> sq GUARDED_BY(mu1) PT_GUARDED_BY(mu2); SmartPtr<Cell> sq GUARDED_BY(mu1) PT_GUARDED_BY(mu2);
static constexpr int Cell::*pa = &Cell::a;
void test1() { void test1() {
mu1.ReaderLock(); mu1.ReaderLock();
mu2.Lock(); mu2.Lock();
sp.get(); sp.get();
if (*sp == 0) doSomething(); if (*sp == 0) doSomething();
*sp = 0; *sp = 0;
sq->a = 0; sq->a = 0;
sq->*pa = 0;
if (sp[0] == 0) doSomething(); if (sp[0] == 0) doSomething();
sp[0] = 0; sp[0] = 0;
mu2.Unlock(); mu2.Unlock();
mu1.Unlock(); mu1.Unlock();
} }
void test2() { void test2() {
mu2.Lock(); mu2.Lock();
sp.get(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}} sp.get(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}}
if (*sp == 0) doSomething(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}} if (*sp == 0) doSomething(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}}
*sp = 0; // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}} *sp = 0; // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}}
sq->a = 0; // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}} sq->a = 0; // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}}
sq->*pa = 0; // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}}
if (sp[0] == 0) doSomething(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}} if (sp[0] == 0) doSomething(); // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}}
sp[0] = 0; // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}} sp[0] = 0; // expected-warning {{reading variable 'sp' requires holding mutex 'mu1'}}
if (sq[0].a == 0) doSomething(); // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}} if (sq[0].a == 0) doSomething(); // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}}
sq[0].a = 0; // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}} sq[0].a = 0; // expected-warning {{reading variable 'sq' requires holding mutex 'mu1'}}
mu2.Unlock(); mu2.Unlock();
} }
void test3() { void test3() {
mu1.Lock(); mu1.Lock();
sp.get(); sp.get();
if (*sp == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}} if (*sp == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}}
*sp = 0; // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}} *sp = 0; // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}}
sq->a = 0; // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}} sq->a = 0; // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}}
sq->*pa = 0; // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}}
if (sp[0] == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}} if (sp[0] == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}}
sp[0] = 0; // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}} sp[0] = 0; // expected-warning {{reading the value pointed to by 'sp' requires holding mutex 'mu2'}}
if (sq[0].a == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}} if (sq[0].a == 0) doSomething(); // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}}
sq[0].a = 0; // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}} sq[0].a = 0; // expected-warning {{reading the value pointed to by 'sq' requires holding mutex 'mu2'}}
mu1.Unlock(); mu1.Unlock();
} }
▲ Show 20 LinesShow All 1,016 LinesShow Last 20 Lines