This is an archive of the discontinued LLVM Phabricator instance.

Differential D26340

[analyzer] Add SpinLockChecker for the Magenta kernel
Needs ReviewPublic

Authored by khazem on Nov 6 2016, 6:32 PM.

Details

Reviewers
dcoughlin
dergachev.a
zaks.anna
Summary

This patch adds a new Static Analyzer checker for the correct use of spin locks in the Magenta kernel. The checker checks that a lock is not locked twice in a row, nor unlocked twice in a row.

The checker was authored by Farid Molazem Tabrizi.

Diff Detail

Event Timeline

khazem updated this revision to Diff 77000.Nov 6 2016, 6:32 PM
khazem retitled this revision from to [analyzer] Add SpinLockChecker for the Magenta kernel.
khazem updated this object.
khazem added reviewers: zaks.anna, dergachev.a, dcoughlin.
khazem added subscribers: phosek, seanklein.
Herald added a subscriber: mgorny. · View Herald TranscriptNov 6 2016, 6:32 PM
khazem added a subscriber: cfe-commits.Nov 6 2016, 8:07 PM
khazem updated this revision to Diff 77005.Nov 6 2016, 8:11 PM

Minor edit, the list of libraries in CMakeLists.txt is now in alphabetical order.

NoQ added a subscriber: NoQ.Nov 7 2016, 9:17 AM
dcoughlin edited edge metadata.Nov 7 2016, 10:03 AM

Thanks for upstreaming this! (And it was great to meet you at the developer conference.)

lib/StaticAnalyzer/Checkers/SpinLockChecker.cpp
61

In the LLVM/clang codebase we try very hard to avoid running constructors for globals, as this can have adverse effects on startup time. Typically we try to lazily initialize things like these or have them refer to constant data that the linker will handle automatically (such as a c string constant).

Can these be a C string constant instead? Or can they be instance members of the SpinLockChecker class? (See the note about CallDescription below, which may be helpful.)

118

In the analyzer codebase we try to use IdentifierInfo pointers to compare identifiers. Since these are interned it lets us perform pointer comparisons rather than expensive string comparisons.

There is a CallDescription class in CallEvent.h that encapsulates this logic. You can see an example of how it is used in SimpleStreamChecker.cpp.

182

For these kinds of diagnostics it is often very helpful to emit a path note indicating where the first unlock was.

To do this, you can add a custom bug report visitor that will get called on each node in the path to a diagnostic and emit a note, if appropriate. In this case you would look for nodes with calls to unlock taking the same region as the one you are now reporting for.

There is an example of how to implement a bug report visitor in 'SuperDeallocBRVisitor'.

192

It would be good to emit a path note for the first lock, too.

khazem added a comment.Nov 8 2016, 3:19 PM

Good to meet you too, thanks for the useful comments and pointers to helpful examples! I'm going to update the diff twice: the first one to address your first two comments, and the second one to address your last two.

khazem updated this revision to Diff 77275.Nov 8 2016, 3:21 PM
khazem edited edge metadata.

The strings for Spin{Unl,L}ockFuncName and LockErrorCategory are now initialized when constructing a SpinLockChecker object rather than being static globals, in order to avoid adverse effects on startup time.

Also, the Spin*FuncName variables are now of type CallDescription. This is to enable pointer rather than string comparisons of the function name.

khazem updated this revision to Diff 77277.Nov 8 2016, 3:23 PM

If a double-lock or double-release is detected, path notes are now emitted on the _first_ lock or release event. Also updated the tests to check for these notes.

khazem marked 4 inline comments as done.Nov 9 2016, 12:30 PM

Devin, based on Artem's review of the other checker that I have posted [1] I am wondering about merging both this SpinLockChecker and the MutexChecker into PthreadLockChecker. Do you think it is still worth landing this SpinLockChecker, or do you suppose that abandoning this patch and working on merging all the checkers would be a good idea? I've noted how the checkers might be merged in my reply to Artem: [2].

[1] https://reviews.llvm.org/D26342
[2] https://reviews.llvm.org/D26342#590881

dcoughlin added a comment.Nov 9 2016, 4:02 PM

Thanks for adding the path notes and adopting CallDescription. I've added some additional comments inline, which are mostly minor nits.

Two additional important changes -- and I should have noted these in the initial review -- is that it would be good to remove a MemRegion mapping from the program state when a MemRegion escapes and also when it becomes dead. These should both be small changes.

Escaping
Removing the mapping when the lock escapes will avoid false positives when the lock is passed to a function that the analyzer doesn't inline (for example, if it is in another translation unit) that unlocks it:

void foo(lock_t *l) {
  spin_lock(l);
  ...
  do_stuff_and_unlock(l);
  ..
  spin_lock();
}

If do_stuff_and_unlock() is in another translation unit the analyzer won't see the unlock and so will report a false positive if you don't remove the mapping when the lock escapes.

If you remove the mapping when the lock escapes, the analyzer will optimistically assume the best-case scenario the next time it sees a lock or unlock operation. There is an example of how to do this in ObjCContainersChecker::checkPointerEscape()

Removing Dead Symbols
It is also important for performance to remove mappings that are no longer relevant. There is a cost to keep around mappings in the program state: both memory (because the analyzer keeps some states around for use in the bug reporter visitor) and time (because the analyzer has to iterate over the map when determining whether two states are the same). There is an example of how to do this in ObjCLoopChecker::checkDeadSymbols.

include/clang/StaticAnalyzer/Checkers/Checkers.td
728

Nit: I think it would good to add a little bit more context to disambiguate so that future maintainers will be able to do a web search to learn about what these checkers are for. For example, maybe something like "Checkers for the Magenta kernel"?

lib/StaticAnalyzer/Checkers/SpinLockChecker.cpp
209

Nit: it is enough to have the message be "Spinlock is unlocked twice in a row". I don't think it is necessary to explicitly mention the execution path (especially now that you have a path note for the first unlock).

225

Nit: Same here.

test/Analysis/spinlock_correct.c
2

Nit: Typically in the analyzer codebase we try to keep the number of test files to a minimum. Can these three test files all be combined into one?

2

Another nit: The analyzer relies on always having core checkers enabled because they model important aspects of the language. You should change this to ... -analyzer-checker=core,magenta.SpinLock ...

dcoughlin added a comment.Nov 9 2016, 4:26 PM
In D26340#590882, @khazem wrote:

Devin, based on Artem's review of the other checker that I have posted [1] I am wondering about merging both this SpinLockChecker and the MutexChecker into PthreadLockChecker. Do you think it is still worth landing this SpinLockChecker, or do you suppose that abandoning this patch and working on merging all the checkers would be a good idea? I've noted how the checkers might be merged in my reply to Artem: [2].

Merging seems reasonable to me. It is also a good way to make it less likely that the Magenta checkers accidentally regress since the main logic of the checker will be exercised when checking a much more common API.

karkhaz added a subscriber: karkhaz.Dec 28 2016, 7:09 PM

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Checkers/
13 lines
lib/
StaticAnalyzer/
Checkers/
1 line
198 lines
test/
Analysis/
30 lines
20 lines
35 lines

Diff 77005

include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 76 Lines▼ Show 20 Lines
def MPI : Package<"mpi">, InPackage<OptIn>; def MPI : Package<"mpi">, InPackage<OptIn>;
def LLVM : Package<"llvm">; def LLVM : Package<"llvm">;
def Debug : Package<"debug">; def Debug : Package<"debug">;
def CloneDetectionAlpha : Package<"clone">, InPackage<Alpha>, Hidden; def CloneDetectionAlpha : Package<"clone">, InPackage<Alpha>, Hidden;
def Magenta : Package<"magenta">;
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Core Checkers. // Core Checkers.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
let ParentPackage = Core in { let ParentPackage = Core in {
def DereferenceChecker : Checker<"NullDereference">, def DereferenceChecker : Checker<"NullDereference">,
HelpText<"Check for dereferences of null pointers">, HelpText<"Check for dereferences of null pointers">,
▲ Show 20 LinesShow All 624 Lines▼ Show 20 Lines
let ParentPackage = CloneDetectionAlpha in { let ParentPackage = CloneDetectionAlpha in {
def CloneChecker : Checker<"CloneChecker">, def CloneChecker : Checker<"CloneChecker">,
HelpText<"Reports similar pieces of code.">, HelpText<"Reports similar pieces of code.">,
DescFile<"CloneChecker.cpp">; DescFile<"CloneChecker.cpp">;
} // end "clone" } // end "clone"
//===----------------------------------------------------------------------===//
// Magenta checkers.
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

Nit: I think it would good to add a little bit more context to disambiguate so that future maintainers will be able to do a web search to learn about what these checkers are for. For example, maybe something like "Checkers for the Magenta kernel"?

dcoughlin: Nit: I think it would good to add a little bit more context to disambiguate so that future…
//===----------------------------------------------------------------------===//
let ParentPackage = Magenta in {
def SpinLockChecker : Checker<"SpinLock">,
HelpText<"Check for correct handling of spinlocks">,
DescFile<"SpinLockChecker.cpp">;
} // end "magenta"

lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show First 20 LinesShow All 64 Lines▼ Show 20 Linesadd_clang_library(clangStaticAnalyzerCheckers
PaddingChecker.cpp PaddingChecker.cpp
PointerArithChecker.cpp PointerArithChecker.cpp
PointerSubChecker.cpp PointerSubChecker.cpp
PthreadLockChecker.cpp PthreadLockChecker.cpp
RetainCountChecker.cpp RetainCountChecker.cpp
ReturnPointerRangeChecker.cpp ReturnPointerRangeChecker.cpp
ReturnUndefChecker.cpp ReturnUndefChecker.cpp
SimpleStreamChecker.cpp SimpleStreamChecker.cpp
SpinLockChecker.cpp
StackAddrEscapeChecker.cpp StackAddrEscapeChecker.cpp
StdLibraryFunctionsChecker.cpp StdLibraryFunctionsChecker.cpp
StreamChecker.cpp StreamChecker.cpp
TaintTesterChecker.cpp TaintTesterChecker.cpp
TestAfterDivZeroChecker.cpp TestAfterDivZeroChecker.cpp
TraversalChecker.cpp TraversalChecker.cpp
UndefBranchChecker.cpp UndefBranchChecker.cpp
UndefCapturedBlockVarChecker.cpp UndefCapturedBlockVarChecker.cpp
Show All 21 Lines

lib/StaticAnalyzer/Checkers/SpinLockChecker.cpp

  • This file was added.
//== SpinLockChecker.cpp - SpinLock checker ---------------------*- C++ -*--==//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This defines SpinLockChecker, a check for the Magenta kernel. It
// checks that there are no execution paths where spinlocks are locked
// twice in a row, or unlocked twice in a row.
//
//===----------------------------------------------------------------------===//
#include "ClangSACheckers.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "llvm/ADT/SmallString.h"
using namespace clang;
using namespace ento;
namespace {
typedef llvm::SmallString<16> ErrorCategoryStr;
typedef llvm::SmallString<32> FunctionNameStr;
struct LockInfo {
enum Kind { Locked, Released } K;
LockInfo(Kind kind) : K(kind) {}
bool operator==(const LockInfo &LI) const { return K == LI.K; }
void Profile(llvm::FoldingSetNodeID &ID) const { ID.AddInteger(K); }
bool isLocked() const { return K == Locked; }
bool isReleased() const { return K == Released; }
static LockInfo getLocked() { return LockInfo(Locked); }
static LockInfo getReleased() { return LockInfo(Released); }
static ErrorCategoryStr getLockErrorCategory() { return LockErrCategory; }
static FunctionNameStr getSpinLockFuncName() { return SpinLockFuncName; }
static FunctionNameStr getSpinUnlockFuncName() { return SpinUnlockFuncName; }
private:
static const ErrorCategoryStr LockErrCategory;
static const FunctionNameStr SpinLockFuncName;
static const FunctionNameStr SpinUnlockFuncName;
};
const ErrorCategoryStr LockInfo::LockErrCategory("Lock Error");
dcoughlinUnsubmitted
Done
ReplyInline Actions

In the LLVM/clang codebase we try very hard to avoid running constructors for globals, as this can have adverse effects on startup time. Typically we try to lazily initialize things like these or have them refer to constant data that the linker will handle automatically (such as a c string constant).

Can these be a C string constant instead? Or can they be instance members of the SpinLockChecker class? (See the note about CallDescription below, which may be helpful.)

dcoughlin: In the LLVM/clang codebase we try very hard to avoid running constructors for globals, as this…
const FunctionNameStr LockInfo::SpinLockFuncName("spin_lock");
const FunctionNameStr LockInfo::SpinUnlockFuncName("spin_unlock");
}
/// We keep track of the locks in a map. SpinLockMap maps the
/// memory region of a spinlock to its status (locked, released).
/// The reason that we keep track of spinlocks as memory region is
/// that the lock/unlock functions take lock arguments as pointers.
REGISTER_MAP_WITH_PROGRAMSTATE(SpinLockMap, const MemRegion *, LockInfo)
namespace {
class SpinLockChecker : public Checker<check::PreCall> {
/// When facing a spin_unlock function call, check the record of the
/// corresponding lock in SpinLockMap and make sure that there are no
/// problems such as double unlocks.
void processSpinUnlockCall(const CallEvent &Call, CheckerContext &C,
const MemRegion *SpinLockLocation) const;
/// When facing a spin_lock function call, check the record of the
/// corresponding lock in SpinLockMap and make sure that there are no
/// problems such as double locks.
void processSpinLockCall(const CallEvent &Call, CheckerContext &C,
const MemRegion *SpinLockLocation) const;
void reportDoubleLock(const CallEvent &Call, CheckerContext &C,
const MemRegion *Mem) const;
void reportDoubleUnlock(ExplodedNode *Node, CheckerContext &C,
const MemRegion *Mem) const;
std::unique_ptr<BugType> DoubleLockBugType;
std::unique_ptr<BugType> DoubleUnlockBugType;
public:
SpinLockChecker();
void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
};
}
void ento::registerSpinLockChecker(CheckerManager &Mgr) {
Mgr.registerChecker<SpinLockChecker>();
}
SpinLockChecker::SpinLockChecker() {
DoubleLockBugType.reset(
new BugType(this, "Double SpinLock", LockInfo::getLockErrorCategory()));
DoubleUnlockBugType.reset(
new BugType(this, "Double SpinUnlock", LockInfo::getLockErrorCategory()));
}
/// Run the necessary processing before a spin_lock/spin_unlock function call
void SpinLockChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const {
if (!Call.getCalleeIdentifier())
return;
FunctionNameStr CalleeName = Call.getCalleeIdentifier()->getName();
dcoughlinUnsubmitted
Done
ReplyInline Actions

In the analyzer codebase we try to use IdentifierInfo pointers to compare identifiers. Since these are interned it lets us perform pointer comparisons rather than expensive string comparisons.

There is a CallDescription class in CallEvent.h that encapsulates this logic. You can see an example of how it is used in SimpleStreamChecker.cpp.

dcoughlin: In the analyzer codebase we try to use IdentifierInfo pointers to compare identifiers. Since…
if (CalleeName != LockInfo::getSpinLockFuncName() &&
CalleeName != LockInfo::getSpinUnlockFuncName())
return;
if (Call.getNumArgs() == 0)
return;
// Memory region of the spinlock
const MemRegion *SpinLockLocation = Call.getArgSVal(0).getAsRegion();
// If SpinLockLocation is NULL, this is likely due to changes in the
// signature of spin_lock/spin_unlock functions, and we have to update
// the checker accordingly. For now, we terminate with an error
// message.
if (!SpinLockLocation)
llvm_unreachable("No spinlock pointer passed to spin_lock/spin_unlock!");
if (CalleeName == LockInfo::getSpinLockFuncName())
processSpinLockCall(Call, C, SpinLockLocation);
else
processSpinUnlockCall(Call, C, SpinLockLocation);
}
void SpinLockChecker::processSpinLockCall(
const CallEvent &Call, CheckerContext &C,
const MemRegion *SpinLockLocation) const {
ProgramStateRef St = C.getState();
const LockInfo *LI = St->get<SpinLockMap>(SpinLockLocation);
if (LI && LI->isLocked()) {
// This spinlock has been locked before!
reportDoubleLock(Call, C, SpinLockLocation);
return;
}
St = St->set<SpinLockMap>(SpinLockLocation, LockInfo::getLocked());
C.addTransition(St);
}
void SpinLockChecker::processSpinUnlockCall(
const CallEvent &Call, CheckerContext &C,
const MemRegion *SpinLockLocation) const {
ProgramStateRef St = C.getState();
const LockInfo *LI = St->get<SpinLockMap>(SpinLockLocation);
if (LI && LI->isReleased()) {
// Unlocking a key twice! Does not cause an error, but may be an
// indication of an incorrect logic (maybe the spinlock was supposed to
// be locked again before the second unlocking attempt).
ExplodedNode *Node = C.generateNonFatalErrorNode(St);
if (!Node)
return;
reportDoubleUnlock(Node, C, SpinLockLocation);
}
St = St->set<SpinLockMap>(SpinLockLocation, LockInfo::getReleased());
C.addTransition(St);
}
void SpinLockChecker::reportDoubleUnlock(
ExplodedNode *Node, CheckerContext &C,
const MemRegion *SpinLockLocation) const {
auto Report = llvm::make_unique<BugReport>(
*DoubleUnlockBugType,
"Execution path found where spinlock is unlocked twice in a row", Node);
Report->markInteresting(SpinLockLocation);
C.emitReport(std::move(Report));
dcoughlinUnsubmitted
Done
ReplyInline Actions

For these kinds of diagnostics it is often very helpful to emit a path note indicating where the first unlock was.

To do this, you can add a custom bug report visitor that will get called on each node in the path to a diagnostic and emit a note, if appropriate. In this case you would look for nodes with calls to unlock taking the same region as the one you are now reporting for.

There is an example of how to implement a bug report visitor in 'SuperDeallocBRVisitor'.

dcoughlin: For these kinds of diagnostics it is often very helpful to emit a path note indicating where…
}
void SpinLockChecker::reportDoubleLock(
const CallEvent &Call, CheckerContext &C,
const MemRegion *SpinLockLocation) const {
ExplodedNode *Node = C.generateErrorNode();
if (!Node)
return;
auto Report = llvm::make_unique<BugReport>(
dcoughlinUnsubmitted
Done
ReplyInline Actions

It would be good to emit a path note for the first lock, too.

dcoughlin: It would be good to emit a path note for the first lock, too.
*DoubleLockBugType,
"Execution path found where spinlock is locked twice in a row", Node);
Report->addRange(Call.getSourceRange());
Report->markInteresting(SpinLockLocation);
C.emitReport(std::move(Report));
}
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

Nit: it is enough to have the message be "Spinlock is unlocked twice in a row". I don't think it is necessary to explicitly mention the execution path (especially now that you have a path note for the first unlock).

dcoughlin: Nit: it is enough to have the message be "Spinlock is unlocked twice in a row". I don't think…
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

Nit: Same here.

dcoughlin: Nit: Same here.

test/Analysis/spinlock_correct.c

  • This file was added.
// RUN: %clang_cc1 -analyze -analyzer-checker=magenta.SpinLock -verify %s
// expected-no-diagnostics
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

Nit: Typically in the analyzer codebase we try to keep the number of test files to a minimum. Can these three test files all be combined into one?

dcoughlin: Nit: Typically in the analyzer codebase we try to keep the number of test files to a minimum.
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

Another nit: The analyzer relies on always having core checkers enabled because they model important aspects of the language. You should change this to ... -analyzer-checker=core,magenta.SpinLock ...

dcoughlin: Another nit: The analyzer relies on always having core checkers enabled because they model…
typedef unsigned int lock_t;
static lock_t l;
void spin_lock(lock_t *lock);
void spin_unlock(lock_t *lock);
int bar();
int foo() {
int a = bar();
if (a > 0) {
spin_lock(&l);
}
if (a < -10) {
spin_lock(&l);
}
if (a > 0)
spin_unlock(&l);
if (a < -10)
spin_unlock(&l);
return 0;
}

test/Analysis/spinlock_double_lock.c

  • This file was added.
// RUN: %clang_cc1 -analyze -analyzer-checker=magenta.SpinLock -verify %s
typedef unsigned int lock_t;
static lock_t l;
void spin_lock(lock_t *lock);
void spin_unlock(lock_t *lock);
int bar();
int foo() {
int a = bar();
if (a > 0)
spin_lock(&l);
if (a > 10)
spin_lock(&l); // expected-warning{{Execution path found where spinlock is locked twice in a row}}
return 0;
}

test/Analysis/spinlock_double_release.c

  • This file was added.
// RUN: %clang_cc1 -analyze -analyzer-checker=magenta.SpinLock -verify %s
typedef unsigned int lock_t;
typedef struct S {
int a;
lock_t l;
} S_t;
static S_t st;
void spin_lock(lock_t *lock);
void spin_unlock(lock_t *lock);
int bar();
void bar1(lock_t *y) {
spin_unlock(y);
}
void bar2(lock_t *x) {
spin_unlock(x); // expected-warning{{Execution path found where spinlock is unlocked twice in a row}}
}
int foo() {
int a = bar();
if (a > 0) {
spin_lock(&st.l);
bar1(&st.l);
}
lock_t *c = &st.l;
bar2(c);
return 0;
}