This is an archive of the discontinued LLVM Phabricator instance.

Differential D153132

[clang analysis][NFCI] Preparatory work for D153131.
ClosedPublic

Authored by courbet on Jun 16 2023, 6:06 AM.

Details

Reviewers
delesley
NoQ
aaronpuchert
Summary

Refactoring in preparation for D153131

Diff Detail

Event Timeline

courbet created this revision.Jun 16 2023, 6:06 AM
Herald added a reviewer: NoQ. · View Herald TranscriptJun 16 2023, 6:06 AM
Herald added a project: Restricted Project. · View Herald Transcript
courbet requested review of this revision.Jun 16 2023, 6:06 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 16 2023, 6:06 AM
courbet added a child revision: D153131: [clang analysis][thread-safety] Handle return-by-reference....Jun 16 2023, 6:07 AM
Harbormaster completed remote builds in B239396: Diff 532118.Jun 16 2023, 6:44 AM
aaronpuchert added a subscriber: aaronpuchert.Jun 16 2023, 5:14 PM

Is this actually required for the subsequent change? I don't see the connection.

That being said, I haven't spent a lot of thought on what belongs in ThreadSafetyAnalyzer and what in BuildLockset.

clang/lib/Analysis/ThreadSafety.cpp
1541

Why the alias? I find this just obfuscates.

1588

Hmm, functions of the same class naturally want to be together, but if you move them, it "destroys" the Git history.

courbet added a comment.Jun 18 2023, 11:02 PM

Is this actually required for the subsequent change? I don't see the connection.

In the followup change, we have to check the returns after the enter and exit CFG block are computed. We can't analyze the returns as they are seen because , because what matters for the returns is the locks that are live at the end of the function, not those that are live at the point where the return happens.

The BuildLockset class only lives for the duration of the analysis of a single block, while the ThreadSafetyAnalyzer lives for the whole function. So return checking is done in the ThreadSafetyAnalyzer, so we need the check/warn functions to be available here.

From a design perspective I think it might actually make more sens for them to be in the analyzer as warnIfMutexNotHeld and friends actually inspects quite a lot of the Analyzer state.

clang/lib/Analysis/ThreadSafety.cpp
1541

I'm using it one more time in the followup patch, but no strong opinion, removed.

1588

Yes, I decided to make review/history tracking esaier by not moving them, but I can move them if you want.

courbet updated this revision to Diff 532534.Jun 18 2023, 11:03 PM

remove type alias

Harbormaster completed remote builds in B239722: Diff 532534.Jun 18 2023, 11:35 PM
aaronpuchert added a comment.Sep 18 2023, 1:15 PM
In D153132#4431627, @courbet wrote:

Is this actually required for the subsequent change? I don't see the connection.

In the followup change, we have to check the returns after the enter and exit CFG block are computed. We can't analyze the returns as they are seen because , because what matters for the returns is the locks that are live at the end of the function, not those that are live at the point where the return happens.

Is this still the case? Or do we not need this anymore.

From a design perspective I think it might actually make more sens for them to be in the analyzer as warnIfMutexNotHeld and friends actually inspects quite a lot of the Analyzer state.

On that I agree.

aaronpuchert mentioned this in D153131: [clang analysis][thread-safety] Handle return-by-reference....Sep 26 2023, 3:23 PM
courbet added a comment.Sep 27 2023, 1:17 AM
In D153132#4647557, @aaronpuchert wrote:
In D153132#4431627, @courbet wrote:

Is this actually required for the subsequent change? I don't see the connection.

In the followup change, we have to check the returns after the enter and exit CFG block are computed. We can't analyze the returns as they are seen because , because what matters for the returns is the locks that are live at the end of the function, not those that are live at the point where the return happens.

Is this still the case? Or do we not need this anymore.

So the change we still actually need is for checkAccess() to take the fact set as a parameter (because we're checking two different fact sets depending on whether we're processing a return statement or not). I think that design-wise it's better if checkAccess is in the Analyzer rather than the BuildLockset, because checkAccess() no longer needs access to any state within BuildLockset.

From a design perspective I think it might actually make more sens for them to be in the analyzer as warnIfMutexNotHeld and friends actually inspects quite a lot of the Analyzer state.

On that I agree.

courbet added a comment.Sep 27 2023, 1:33 AM
In D153132#4651204, @courbet wrote:
In D153132#4647557, @aaronpuchert wrote:
In D153132#4431627, @courbet wrote:

Is this actually required for the subsequent change? I don't see the connection.

In the followup change, we have to check the returns after the enter and exit CFG block are computed. We can't analyze the returns as they are seen because , because what matters for the returns is the locks that are live at the end of the function, not those that are live at the point where the return happens.

Is this still the case? Or do we not need this anymore.

So the change we still actually need is for checkAccess() to take the fact set as a parameter (because we're checking two different fact sets depending on whether we're processing a return statement or not). I think that design-wise it's better if checkAccess is in the Analyzer rather than the BuildLockset, because checkAccess() no longer needs access to any state within BuildLockset.

The patch without those base changes for reference: https://github.com/llvm/llvm-project/commit/11d3339daf6f3543d73292b307057769711bce2e.

From a design perspective I think it might actually make more sens for them to be in the analyzer as warnIfMutexNotHeld and friends actually inspects quite a lot of the Analyzer state.

On that I agree.

aaronpuchert accepted this revision.Sep 28 2023, 8:16 PM

Got it, so it's because we want to work on a different fact set than what BuildLockset holds.

Yeah, I think this makes sense. And after all the methods aren't too far away from the other ThreadSafetyAnalyzer methods.

clang/lib/Analysis/ThreadSafety.cpp
1019–1030

You could also put them in the public section. In fact your change would seem to get us pretty close to being able to unfriend BuildLockset.

1604–1606

Something went wrong with the indentation here, also in the following ifs. Should be two spaces only.

This revision is now accepted and ready to land.Sep 28 2023, 8:16 PM
courbet updated this revision to Diff 557475.Sep 29 2023, 1:26 AM
courbet marked 2 inline comments as done.

Address comments

courbet added inline comments.Sep 29 2023, 1:28 AM
clang/lib/Analysis/ThreadSafety.cpp
1604–1606

This is weird. clang-format insists on putting 4 spaces there. I've reverted the changes manually.

GitHub <noreply@github.com> mentioned this in rGa0ea5a4af96e: Reland "[clang analysis][NFCI] Preparatory work for D153131. (#67420)… (#67775).Sep 29 2023, 1:30 AM
courbet closed this revision.Sep 29 2023, 1:39 AM
Harbormaster completed remote builds in B257678: Diff 557475.Sep 29 2023, 1:58 AM

Revision Contents

PathSize
clang/
lib/
Analysis/
129 lines

Diff 557475

clang/lib/Analysis/ThreadSafety.cpp

Context not available.
} }
void runAnalysis(AnalysisDeclContext &AC); void runAnalysis(AnalysisDeclContext &AC);
void warnIfMutexNotHeld(const FactSet &FSet, const NamedDecl *D,
const Expr *Exp, AccessKind AK, Expr *MutexExp,
ProtectedOperationKind POK, til::LiteralPtr *Self,
SourceLocation Loc);
void warnIfMutexHeld(const FactSet &FSet, const NamedDecl *D, const Expr *Exp,
Expr *MutexExp, til::LiteralPtr *Self,
SourceLocation Loc);
void checkAccess(const FactSet &FSet, const Expr *Exp, AccessKind AK,
ProtectedOperationKind POK);
void checkPtAccess(const FactSet &FSet, const Expr *Exp, AccessKind AK,
ProtectedOperationKind POK);
}; };
} // namespace } // namespace
aaronpuchertUnsubmitted
Not Done
ReplyInline Actions

Why the alias? I find this just obfuscates.

aaronpuchert: Why the alias? I find this just obfuscates.
courbetAuthorUnsubmitted
Done
ReplyInline Actions

I'm using it one more time in the followup patch, but no strong opinion, removed.

courbet: I'm using it one more time in the followup patch, but no strong opinion, removed.
Context not available.
unsigned CtxIndex; unsigned CtxIndex;
// helper functions // helper functions
void warnIfMutexNotHeld(const NamedDecl *D, const Expr *Exp, AccessKind AK,
Expr *MutexExp, ProtectedOperationKind POK,
til::LiteralPtr *Self, SourceLocation Loc);
void warnIfMutexHeld(const NamedDecl *D, const Expr *Exp, Expr *MutexExp,
til::LiteralPtr *Self, SourceLocation Loc);
void checkAccess(const Expr *Exp, AccessKind AK, void checkAccess(const Expr *Exp, AccessKind AK,
ProtectedOperationKind POK = POK_VarAccess); ProtectedOperationKind POK = POK_VarAccess) {
Analyzer->checkAccess(FSet, Exp, AK, POK);
}
void checkPtAccess(const Expr *Exp, AccessKind AK, void checkPtAccess(const Expr *Exp, AccessKind AK,
ProtectedOperationKind POK = POK_VarAccess); ProtectedOperationKind POK = POK_VarAccess) {
Analyzer->checkPtAccess(FSet, Exp, AK, POK);
}
void handleCall(const Expr *Exp, const NamedDecl *D, void handleCall(const Expr *Exp, const NamedDecl *D,
til::LiteralPtr *Self = nullptr, til::LiteralPtr *Self = nullptr,
Context not available.
/// Warn if the LSet does not contain a lock sufficient to protect access /// Warn if the LSet does not contain a lock sufficient to protect access
/// of at least the passed in AccessKind. /// of at least the passed in AccessKind.
void BuildLockset::warnIfMutexNotHeld(const NamedDecl *D, const Expr *Exp, void ThreadSafetyAnalyzer::warnIfMutexNotHeld(
AccessKind AK, Expr *MutexExp, const FactSet &FSet, const NamedDecl *D, const Expr *Exp, AccessKind AK,
ProtectedOperationKind POK, Expr *MutexExp, ProtectedOperationKind POK, til::LiteralPtr *Self,
aaronpuchertUnsubmitted
Not Done
ReplyInline Actions

Hmm, functions of the same class naturally want to be together, but if you move them, it "destroys" the Git history.

aaronpuchert: Hmm, functions of the same class naturally want to be together, but if you move them, it…
courbetAuthorUnsubmitted
Done
ReplyInline Actions

Yes, I decided to make review/history tracking esaier by not moving them, but I can move them if you want.

courbet: Yes, I decided to make review/history tracking esaier by not moving them, but I can move them…
til::LiteralPtr *Self, SourceLocation Loc) {
SourceLocation Loc) {
LockKind LK = getLockKindFromAccessKind(AK); LockKind LK = getLockKindFromAccessKind(AK);
CapabilityExpr Cp = SxBuilder.translateAttrExpr(MutexExp, D, Exp, Self);
CapabilityExpr Cp =
Analyzer->SxBuilder.translateAttrExpr(MutexExp, D, Exp, Self);
if (Cp.isInvalid()) { if (Cp.isInvalid()) {
warnInvalidLock(Analyzer->Handler, MutexExp, D, Exp, Cp.getKind()); warnInvalidLock(Handler, MutexExp, D, Exp, Cp.getKind());
return; return;
} else if (Cp.shouldIgnore()) { } else if (Cp.shouldIgnore()) {
return; return;
Context not available.
if (Cp.negative()) { if (Cp.negative()) {
// Negative capabilities act like locks excluded // Negative capabilities act like locks excluded
const FactEntry *LDat = FSet.findLock(Analyzer->FactMan, !Cp); const FactEntry *LDat = FSet.findLock(FactMan, !Cp);
if (LDat) { if (LDat) {
Analyzer->Handler.handleFunExcludesLock( Handler.handleFunExcludesLock(Cp.getKind(), D->getNameAsString(),
Cp.getKind(), D->getNameAsString(), (!Cp).toString(), Loc); (!Cp).toString(), Loc);
return; return;
} }
aaronpuchertUnsubmitted
Done
ReplyInline Actions

Something went wrong with the indentation here, also in the following ifs. Should be two spaces only.

aaronpuchert: Something went wrong with the indentation here, also in the following `if`s. Should be two…
courbetAuthorUnsubmitted
Done
ReplyInline Actions

This is weird. clang-format insists on putting 4 spaces there. I've reverted the changes manually.

courbet: This is weird. `clang-format` insists on putting 4 spaces there. I've reverted the changes…
// If this does not refer to a negative capability in the same class, // If this does not refer to a negative capability in the same class,
// then stop here. // then stop here.
if (!Analyzer->inCurrentScope(Cp)) if (!inCurrentScope(Cp))
return; return;
// Otherwise the negative requirement must be propagated to the caller. // Otherwise the negative requirement must be propagated to the caller.
LDat = FSet.findLock(Analyzer->FactMan, Cp); LDat = FSet.findLock(FactMan, Cp);
if (!LDat) { if (!LDat) {
Analyzer->Handler.handleNegativeNotHeld(D, Cp.toString(), Loc); Handler.handleNegativeNotHeld(D, Cp.toString(), Loc);
} }
return; return;
} }
const FactEntry *LDat = FSet.findLockUniv(Analyzer->FactMan, Cp); const FactEntry *LDat = FSet.findLockUniv(FactMan, Cp);
bool NoError = true; bool NoError = true;
if (!LDat) { if (!LDat) {
// No exact match found. Look for a partial match. // No exact match found. Look for a partial match.
LDat = FSet.findPartialMatch(Analyzer->FactMan, Cp); LDat = FSet.findPartialMatch(FactMan, Cp);
if (LDat) { if (LDat) {
// Warn that there's no precise match. // Warn that there's no precise match.
std::string PartMatchStr = LDat->toString(); std::string PartMatchStr = LDat->toString();
StringRef PartMatchName(PartMatchStr); StringRef PartMatchName(PartMatchStr);
Analyzer->Handler.handleMutexNotHeld(Cp.getKind(), D, POK, Cp.toString(), Handler.handleMutexNotHeld(Cp.getKind(), D, POK, Cp.toString(), LK, Loc,
LK, Loc, &PartMatchName); &PartMatchName);
} else { } else {
// Warn that there's no match at all. // Warn that there's no match at all.
Analyzer->Handler.handleMutexNotHeld(Cp.getKind(), D, POK, Cp.toString(), Handler.handleMutexNotHeld(Cp.getKind(), D, POK, Cp.toString(), LK, Loc);
LK, Loc);
} }
NoError = false; NoError = false;
} }
// Make sure the mutex we found is the right kind. // Make sure the mutex we found is the right kind.
if (NoError && LDat && !LDat->isAtLeast(LK)) { if (NoError && LDat && !LDat->isAtLeast(LK)) {
Analyzer->Handler.handleMutexNotHeld(Cp.getKind(), D, POK, Cp.toString(), Handler.handleMutexNotHeld(Cp.getKind(), D, POK, Cp.toString(), LK, Loc);
LK, Loc);
} }
} }
/// Warn if the LSet contains the given lock. /// Warn if the LSet contains the given lock.
void BuildLockset::warnIfMutexHeld(const NamedDecl *D, const Expr *Exp, void ThreadSafetyAnalyzer::warnIfMutexHeld(const FactSet &FSet,
Expr *MutexExp, til::LiteralPtr *Self, const NamedDecl *D, const Expr *Exp,
SourceLocation Loc) { Expr *MutexExp,
CapabilityExpr Cp = til::LiteralPtr *Self,
Analyzer->SxBuilder.translateAttrExpr(MutexExp, D, Exp, Self); SourceLocation Loc) {
CapabilityExpr Cp = SxBuilder.translateAttrExpr(MutexExp, D, Exp, Self);
if (Cp.isInvalid()) { if (Cp.isInvalid()) {
warnInvalidLock(Analyzer->Handler, MutexExp, D, Exp, Cp.getKind()); warnInvalidLock(Handler, MutexExp, D, Exp, Cp.getKind());
return; return;
} else if (Cp.shouldIgnore()) { } else if (Cp.shouldIgnore()) {
return; return;
} }
const FactEntry *LDat = FSet.findLock(Analyzer->FactMan, Cp); const FactEntry *LDat = FSet.findLock(FactMan, Cp);
if (LDat) { if (LDat) {
Analyzer->Handler.handleFunExcludesLock(Cp.getKind(), D->getNameAsString(), Handler.handleFunExcludesLock(Cp.getKind(), D->getNameAsString(),
Cp.toString(), Loc); Cp.toString(), Loc);
} }
} }
Context not available.
/// marked with guarded_by, we must ensure the appropriate mutexes are held. /// marked with guarded_by, we must ensure the appropriate mutexes are held.
/// Similarly, we check if the access is to an expression that dereferences /// Similarly, we check if the access is to an expression that dereferences
/// a pointer marked with pt_guarded_by. /// a pointer marked with pt_guarded_by.
void BuildLockset::checkAccess(const Expr *Exp, AccessKind AK, void ThreadSafetyAnalyzer::checkAccess(const FactSet &FSet, const Expr *Exp,
ProtectedOperationKind POK) { AccessKind AK,
ProtectedOperationKind POK) {
Exp = Exp->IgnoreImplicit()->IgnoreParenCasts(); Exp = Exp->IgnoreImplicit()->IgnoreParenCasts();
SourceLocation Loc = Exp->getExprLoc(); SourceLocation Loc = Exp->getExprLoc();
Context not available.
if (const auto *UO = dyn_cast<UnaryOperator>(Exp)) { if (const auto *UO = dyn_cast<UnaryOperator>(Exp)) {
// For dereferences // For dereferences
if (UO->getOpcode() == UO_Deref) if (UO->getOpcode() == UO_Deref)
checkPtAccess(UO->getSubExpr(), AK, POK); checkPtAccess(FSet, UO->getSubExpr(), AK, POK);
return; return;
} }
if (const auto *BO = dyn_cast<BinaryOperator>(Exp)) { if (const auto *BO = dyn_cast<BinaryOperator>(Exp)) {
switch (BO->getOpcode()) { switch (BO->getOpcode()) {
case BO_PtrMemD: // .* case BO_PtrMemD: // .*
return checkAccess(BO->getLHS(), AK, POK); return checkAccess(FSet, BO->getLHS(), AK, POK);
case BO_PtrMemI: // ->* case BO_PtrMemI: // ->*
return checkPtAccess(BO->getLHS(), AK, POK); return checkPtAccess(FSet, BO->getLHS(), AK, POK);
default: default:
return; return;
} }
} }
if (const auto *AE = dyn_cast<ArraySubscriptExpr>(Exp)) { if (const auto *AE = dyn_cast<ArraySubscriptExpr>(Exp)) {
checkPtAccess(AE->getLHS(), AK, POK); checkPtAccess(FSet, AE->getLHS(), AK, POK);
return; return;
} }
if (const auto *ME = dyn_cast<MemberExpr>(Exp)) { if (const auto *ME = dyn_cast<MemberExpr>(Exp)) {
if (ME->isArrow()) if (ME->isArrow())
checkPtAccess(ME->getBase(), AK, POK); checkPtAccess(FSet, ME->getBase(), AK, POK);
else else
checkAccess(ME->getBase(), AK, POK); checkAccess(FSet, ME->getBase(), AK, POK);
} }
const ValueDecl *D = getValueDecl(Exp); const ValueDecl *D = getValueDecl(Exp);
if (!D || !D->hasAttrs()) if (!D || !D->hasAttrs())
return; return;
if (D->hasAttr<GuardedVarAttr>() && FSet.isEmpty(Analyzer->FactMan)) { if (D->hasAttr<GuardedVarAttr>() && FSet.isEmpty(FactMan)) {
Analyzer->Handler.handleNoMutexHeld(D, POK, AK, Loc); Handler.handleNoMutexHeld(D, POK, AK, Loc);
} }
for (const auto *I : D->specific_attrs<GuardedByAttr>()) for (const auto *I : D->specific_attrs<GuardedByAttr>())
warnIfMutexNotHeld(D, Exp, AK, I->getArg(), POK, nullptr, Loc); warnIfMutexNotHeld(FSet, D, Exp, AK, I->getArg(), POK, nullptr, Loc);
} }
/// Checks pt_guarded_by and pt_guarded_var attributes. /// Checks pt_guarded_by and pt_guarded_var attributes.
/// POK is the same operationKind that was passed to checkAccess. /// POK is the same operationKind that was passed to checkAccess.
void BuildLockset::checkPtAccess(const Expr *Exp, AccessKind AK, void ThreadSafetyAnalyzer::checkPtAccess(const FactSet &FSet, const Expr *Exp,
ProtectedOperationKind POK) { AccessKind AK,
ProtectedOperationKind POK) {
while (true) { while (true) {
if (const auto *PE = dyn_cast<ParenExpr>(Exp)) { if (const auto *PE = dyn_cast<ParenExpr>(Exp)) {
Exp = PE->getSubExpr(); Exp = PE->getSubExpr();
Context not available.
if (CE->getCastKind() == CK_ArrayToPointerDecay) { if (CE->getCastKind() == CK_ArrayToPointerDecay) {
// If it's an actual array, and not a pointer, then it's elements // If it's an actual array, and not a pointer, then it's elements
// are protected by GUARDED_BY, not PT_GUARDED_BY; // are protected by GUARDED_BY, not PT_GUARDED_BY;
checkAccess(CE->getSubExpr(), AK, POK); checkAccess(FSet, CE->getSubExpr(), AK, POK);
return; return;
} }
Exp = CE->getSubExpr(); Exp = CE->getSubExpr();
Context not available.
if (!D || !D->hasAttrs()) if (!D || !D->hasAttrs())
return; return;
if (D->hasAttr<PtGuardedVarAttr>() && FSet.isEmpty(Analyzer->FactMan)) if (D->hasAttr<PtGuardedVarAttr>() && FSet.isEmpty(FactMan))
Analyzer->Handler.handleNoMutexHeld(D, PtPOK, AK, Exp->getExprLoc()); Handler.handleNoMutexHeld(D, PtPOK, AK, Exp->getExprLoc());
for (auto const *I : D->specific_attrs<PtGuardedByAttr>()) for (auto const *I : D->specific_attrs<PtGuardedByAttr>())
warnIfMutexNotHeld(D, Exp, AK, I->getArg(), PtPOK, nullptr, warnIfMutexNotHeld(FSet, D, Exp, AK, I->getArg(), PtPOK, nullptr,
Exp->getExprLoc()); Exp->getExprLoc());
} }
Context not available.
case attr::RequiresCapability: { case attr::RequiresCapability: {
const auto *A = cast<RequiresCapabilityAttr>(At); const auto *A = cast<RequiresCapabilityAttr>(At);
for (auto *Arg : A->args()) { for (auto *Arg : A->args()) {
warnIfMutexNotHeld(D, Exp, A->isShared() ? AK_Read : AK_Written, Arg, Analyzer->warnIfMutexNotHeld(FSet, D, Exp,
POK_FunctionCall, Self, Loc); A->isShared() ? AK_Read : AK_Written,
Arg, POK_FunctionCall, Self, Loc);
// use for adopting a lock // use for adopting a lock
if (!Scp.shouldIgnore()) if (!Scp.shouldIgnore())
Analyzer->getMutexIDs(ScopedReqsAndExcludes, A, Exp, D, Self); Analyzer->getMutexIDs(ScopedReqsAndExcludes, A, Exp, D, Self);
Context not available.
case attr::LocksExcluded: { case attr::LocksExcluded: {
const auto *A = cast<LocksExcludedAttr>(At); const auto *A = cast<LocksExcludedAttr>(At);
for (auto *Arg : A->args()) { for (auto *Arg : A->args()) {
warnIfMutexHeld(D, Exp, Arg, Self, Loc); Analyzer->warnIfMutexHeld(FSet, D, Exp, Arg, Self, Loc);
// use for deferring a lock // use for deferring a lock
if (!Scp.shouldIgnore()) if (!Scp.shouldIgnore())
Analyzer->getMutexIDs(ScopedReqsAndExcludes, A, Exp, D, Self); Analyzer->getMutexIDs(ScopedReqsAndExcludes, A, Exp, D, Self);
Context not available.