This is an archive of the discontinued LLVM Phabricator instance.

Differential D49885

Thread safety analysis: Allow relockable scopes
ClosedPublic

Authored by aaronpuchert on Jul 26 2018, 4:05 PM.

Details

Reviewers
delesley
aaron.ballman
Commits
rGc3e37b7538e7: Thread safety analysis: Allow relockable scopes
rC340459: Thread safety analysis: Allow relockable scopes
rL340459: Thread safety analysis: Allow relockable scopes
Summary

It's already allowed to prematurely release a scoped lock, now we also
allow relocking it again, possibly even in another mode.

Arguably the solution is not very elegant, but maybe that can only be
solved by comprehensive refactoring.

Diff Detail

Repository
rL LLVM

Event Timeline

aaronpuchert created this revision.Jul 26 2018, 4:05 PM
Herald added a subscriber: cfe-commits. · View Herald TranscriptJul 26 2018, 4:05 PM
Harbormaster completed remote builds in B20755: Diff 157599.Jul 26 2018, 4:06 PM
aaronpuchert added a comment.Jul 26 2018, 4:47 PM

Imagine having a producer loop, where we check a loop condition while holding a mutex, but release it in the loop body to let other producers/consumers do their work. In that scenario it makes sense to allow "relocking" a scope.

RelockableScope Scope(mu);
while (WorkToDo()) {
    Scope.Unlock();
    // Produce something...
    Scope.Lock();
    PublishWork();
}
lib/Analysis/ThreadSafety.cpp
960–961 ↗(On Diff #157599)

Looks a bit weird, but clang-format told me to do that.

1318–1321 ↗(On Diff #157599)

Not sure about this part, but it's probably not worth worrying about. A user would have to call a member function on a scoped object after manually ending its lifetime by calling the destructor, see test RelockableScopedLock::destructLock.

1324–1325 ↗(On Diff #157599)

I hope this reasoning is sufficient to justify the following static_cast, otherwise I need to introduce LLVM-style RTTI into FactEntry.

aaron.ballman accepted this revision.Jul 28 2018, 10:51 AM

The changes look reasonable to me (after fixing a few nits), but please give @delesley a chance to weigh in before committing.

lib/Analysis/ThreadSafety.cpp
955 ↗(On Diff #157599)

Can elide the braces.

960–961 ↗(On Diff #157599)

This line looks correct to me, but the else statement above doesn't match our usual formatting rules, so I'm worried you're running clang-format in a way that's not picking up the LLVM coding style options.

1326 ↗(On Diff #157599)

auto * to remind folks that it's a pointer.

This revision is now accepted and ready to land.Jul 28 2018, 10:51 AM
aaronpuchert updated this revision to Diff 157872.Jul 28 2018, 12:37 PM

Formatting changes suggested by Aaron Ballman.

aaronpuchert marked 3 inline comments as done.Jul 28 2018, 12:43 PM
aaronpuchert added inline comments.
lib/Analysis/ThreadSafety.cpp
960–961 ↗(On Diff #157599)

You're right about the else, not sure what happened there.

aaronpuchert marked an inline comment as done.Aug 7 2018, 3:13 PM

@delesley Did you have a chance to look at this yet?

aaron.ballman closed this revision.Aug 10 2018, 10:34 AM

Committed in r339456; if @delesley has concerns with the commit, they can be addressed post-commit. Thank you for the patch!

hokein added a subscriber: hokein.Aug 13 2018, 5:53 AM

Hello, this patch seems introduce a new crash, and I have reverted it in r339558.

Here is the minimal test case:

class SCOPED_LOCKABLE FileLock {
 public:
  explicit FileLock()
      EXCLUSIVE_LOCK_FUNCTION(file_);
  ~FileLock() UNLOCK_FUNCTION(file_);
  //void Release() UNLOCK_FUNCTION(file_);
  void Lock() EXCLUSIVE_LOCK_FUNCTION(file_);
  Mutex file_;
};

void relockShared2() {
  FileLock file_lock;
  file_lock.Lock();
}
aaronpuchert reopened this revision.Aug 13 2018, 6:42 PM

This didn't cross my mind, because an ACQUIRES attribute with arguments on a function other than the constructor does not add the argument locks to the set of managed mutexes. So while I'm not sure why someone would do that, it's completely possible without warning. Indeed it would be possible to have ACQUIRES both with and without arguments on the same function.

This revision is now accepted and ready to land.Aug 13 2018, 6:42 PM
aaronpuchert updated this revision to Diff 160505.EditedAug 13 2018, 6:59 PM

Fix crash. The problem was that ACQUIRES with arguments did no longer have (only) this as argument, hence our assumption that we would have only ScopedLockableFactEntry's was false. So now we look a bit closer which kind of ACQUIRES we actually have.

Harbormaster completed remote builds in B21434: Diff 160505.Aug 13 2018, 6:59 PM
aaronpuchert added a comment.Aug 13 2018, 7:11 PM

The case distinction in case attr::AcquireCapability is not very beautiful, but it's due to the fact that scoped capabilities are not "real" capabilities and so we need to distinguish them.

What this still doesn't allow for is attributes on other classes than the scoped capability that reacquire it from the outside. So maybe this isn't the right solution, and we need to approach it in a different way. Maybe instead of modifying the BuildLockset::handleCall, we should change ThreadSafetyAnalyzer::addLock. I'll think about that, but not today.

test/SemaCXX/warn-thread-safety-analysis.cpp
2769–2781 ↗(On Diff #160505)

@hokein This is your test case, I just renamed some things.

aaronpuchert updated this revision to Diff 160719.Aug 14 2018, 4:37 PM

Found a much simpler solution. After introducing a new virtual function HandleLock() in FactEntry, I just needed to change two lines in ThreadSafetyAnalyzer::addLock. Changes in BuildLockset::handleCall are no longer necessary.

Harbormaster completed remote builds in B21492: Diff 160719.Aug 14 2018, 4:37 PM
aaronpuchert marked 4 inline comments as done.Aug 14 2018, 4:56 PM

@aaron.ballman Maybe you can have a look again — this is much more elegant. I'm not sure why I didn't see this in the first place.

test/SemaCXX/warn-thread-safety-analysis.cpp
2765–2768 ↗(On Diff #160719)

I have a local patch that addresses this, but I think it should be discussed separately as it introduces additional changes.

aaronpuchert updated this revision to Diff 161595.Aug 20 2018, 3:42 PM

Proper capitalization of member function, reduction of test code.

Harbormaster completed remote builds in B21689: Diff 161595.Aug 20 2018, 3:42 PM
aaronpuchert updated this revision to Diff 161596.Aug 20 2018, 3:45 PM

Formatting changes.

Harbormaster completed remote builds in B21690: Diff 161596.Aug 20 2018, 3:45 PM
aaronpuchert updated this revision to Diff 161598.Aug 20 2018, 4:01 PM

Reformat tests. I promise, this is the last one.

Harbormaster completed remote builds in B21691: Diff 161598.Aug 20 2018, 4:01 PM
delesley accepted this revision.Aug 20 2018, 4:13 PM

This looks good to me. Thanks for the patch.

lib/Analysis/ThreadSafety.cpp
932 ↗(On Diff #161596)

Minor nit. Use curly braces on the if, to match the else.

Closed by commit rL340459: Thread safety analysis: Allow relockable scopes (authored by aaronpuchert). · Explain WhyAug 22 2018, 3:15 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptAug 22 2018, 3:15 PM
aaronpuchert added inline comments.Aug 22 2018, 3:35 PM
lib/Analysis/ThreadSafety.cpp
932 ↗(On Diff #161596)

Removing the braces was suggested by @aaron.ballman in an earlier patch set, but I can just add them in again. I slightly favor having them, but I don't feel strongly either way.

aaronpuchert mentioned this in rC340575: Remove unnecessary const_cast [NFC].Aug 23 2018, 2:14 PM
aaronpuchert mentioned this in rL340575: Remove unnecessary const_cast [NFC].
aaronpuchert mentioned this in D98747: Thread safety analysis: Don't warn about managed locks on join points.Mar 24 2021, 2:16 PM
aaronpuchert mentioned this in D104261: Thread safety analysis: Always warn when dropping locks on back edges.Jun 28 2021, 9:41 AM
aaronpuchert mentioned this in D129755: Thread safety analysis: Support copy-elided production of scoped capabilities through arbitrary calls.Oct 7 2022, 2:54 PM

Revision Contents

PathSize
cfe/
trunk/
lib/
Analysis/
30 lines
test/
SemaCXX/
164 lines

Diff 162070

cfe/trunk/lib/Analysis/ThreadSafety.cpp

Show First 20 LinesShow All 136 Lines▼ Show 20 Linespublic:
bool declared() const { return Declared; } bool declared() const { return Declared; }
void setDeclared(bool D) { Declared = D; } void setDeclared(bool D) { Declared = D; }
virtual void virtual void
handleRemovalFromIntersection(const FactSet &FSet, FactManager &FactMan, handleRemovalFromIntersection(const FactSet &FSet, FactManager &FactMan,
SourceLocation JoinLoc, LockErrorKind LEK, SourceLocation JoinLoc, LockErrorKind LEK,
ThreadSafetyHandler &Handler) const = 0; ThreadSafetyHandler &Handler) const = 0;
virtual void handleLock(FactSet &FSet, FactManager &FactMan,
const FactEntry &entry, ThreadSafetyHandler &Handler,
StringRef DiagKind) const = 0;
virtual void handleUnlock(FactSet &FSet, FactManager &FactMan, virtual void handleUnlock(FactSet &FSet, FactManager &FactMan,
const CapabilityExpr &Cp, SourceLocation UnlockLoc, const CapabilityExpr &Cp, SourceLocation UnlockLoc,
bool FullyRemove, ThreadSafetyHandler &Handler, bool FullyRemove, ThreadSafetyHandler &Handler,
StringRef DiagKind) const = 0; StringRef DiagKind) const = 0;
// Return true if LKind >= LK, where exclusive > shared // Return true if LKind >= LK, where exclusive > shared
bool isAtLeast(LockKind LK) { bool isAtLeast(LockKind LK) {
return (LKind == LK_Exclusive) || (LK == LK_Shared); return (LKind == LK_Exclusive) || (LK == LK_Shared);
▲ Show 20 LinesShow All 715 Lines▼ Show 20 Lines handleRemovalFromIntersection(const FactSet &FSet, FactManager &FactMan,
SourceLocation JoinLoc, LockErrorKind LEK, SourceLocation JoinLoc, LockErrorKind LEK,
ThreadSafetyHandler &Handler) const override { ThreadSafetyHandler &Handler) const override {
if (!Managed && !asserted() && !negative() && !isUniversal()) { if (!Managed && !asserted() && !negative() && !isUniversal()) {
Handler.handleMutexHeldEndOfScope("mutex", toString(), loc(), JoinLoc, Handler.handleMutexHeldEndOfScope("mutex", toString(), loc(), JoinLoc,
LEK); LEK);
} }
} }
void handleLock(FactSet &FSet, FactManager &FactMan, const FactEntry &entry,
ThreadSafetyHandler &Handler,
StringRef DiagKind) const override {
Handler.handleDoubleLock(DiagKind, entry.toString(), entry.loc());
}
void handleUnlock(FactSet &FSet, FactManager &FactMan, void handleUnlock(FactSet &FSet, FactManager &FactMan,
const CapabilityExpr &Cp, SourceLocation UnlockLoc, const CapabilityExpr &Cp, SourceLocation UnlockLoc,
bool FullyRemove, ThreadSafetyHandler &Handler, bool FullyRemove, ThreadSafetyHandler &Handler,
StringRef DiagKind) const override { StringRef DiagKind) const override {
FSet.removeLock(FactMan, Cp); FSet.removeLock(FactMan, Cp);
if (!Cp.negative()) { if (!Cp.negative()) {
FSet.addLock(FactMan, llvm::make_unique<LockableFactEntry>( FSet.addLock(FactMan, llvm::make_unique<LockableFactEntry>(
!Cp, LK_Exclusive, UnlockLoc)); !Cp, LK_Exclusive, UnlockLoc));
Show All 24 Lines for (const auto *UnderlyingMutex : UnderlyingMutexes) {
// If this scoped lock manages another mutex, and if the underlying // If this scoped lock manages another mutex, and if the underlying
// mutex is still held, then warn about the underlying mutex. // mutex is still held, then warn about the underlying mutex.
Handler.handleMutexHeldEndOfScope( Handler.handleMutexHeldEndOfScope(
"mutex", sx::toString(UnderlyingMutex), loc(), JoinLoc, LEK); "mutex", sx::toString(UnderlyingMutex), loc(), JoinLoc, LEK);
} }
} }
} }
void handleLock(FactSet &FSet, FactManager &FactMan, const FactEntry &entry,
ThreadSafetyHandler &Handler,
StringRef DiagKind) const override {
for (const auto *UnderlyingMutex : UnderlyingMutexes) {
CapabilityExpr UnderCp(UnderlyingMutex, false);
// We're relocking the underlying mutexes. Warn on double locking.
if (FSet.findLock(FactMan, UnderCp))
Handler.handleDoubleLock(DiagKind, UnderCp.toString(), entry.loc());
else {
FSet.removeLock(FactMan, !UnderCp);
FSet.addLock(FactMan, llvm::make_unique<LockableFactEntry>(
UnderCp, entry.kind(), entry.loc()));
}
}
}
void handleUnlock(FactSet &FSet, FactManager &FactMan, void handleUnlock(FactSet &FSet, FactManager &FactMan,
const CapabilityExpr &Cp, SourceLocation UnlockLoc, const CapabilityExpr &Cp, SourceLocation UnlockLoc,
bool FullyRemove, ThreadSafetyHandler &Handler, bool FullyRemove, ThreadSafetyHandler &Handler,
StringRef DiagKind) const override { StringRef DiagKind) const override {
assert(!Cp.negative() && "Managing object cannot be negative."); assert(!Cp.negative() && "Managing object cannot be negative.");
for (const auto *UnderlyingMutex : UnderlyingMutexes) { for (const auto *UnderlyingMutex : UnderlyingMutexes) {
CapabilityExpr UnderCp(UnderlyingMutex, false); CapabilityExpr UnderCp(UnderlyingMutex, false);
auto UnderEntry = llvm::make_unique<LockableFactEntry>( auto UnderEntry = llvm::make_unique<LockableFactEntry>(
▲ Show 20 LinesShow All 322 Lines▼ Show 20 Linesvoid ThreadSafetyAnalyzer::addLock(FactSet &FSet,
// Check before/after constraints // Check before/after constraints
if (Handler.issueBetaWarnings() && if (Handler.issueBetaWarnings() &&
!Entry->asserted() && !Entry->declared()) { !Entry->asserted() && !Entry->declared()) {
GlobalBeforeSet->checkBeforeAfter(Entry->valueDecl(), FSet, *this, GlobalBeforeSet->checkBeforeAfter(Entry->valueDecl(), FSet, *this,
Entry->loc(), DiagKind); Entry->loc(), DiagKind);
} }
// FIXME: Don't always warn when we have support for reentrant locks. // FIXME: Don't always warn when we have support for reentrant locks.
if (FSet.findLock(FactMan, *Entry)) { if (FactEntry *Cp = FSet.findLock(FactMan, *Entry)) {
if (!Entry->asserted()) if (!Entry->asserted())
Handler.handleDoubleLock(DiagKind, Entry->toString(), Entry->loc()); Cp->handleLock(FSet, FactMan, *Entry, Handler, DiagKind);
} else { } else {
FSet.addLock(FactMan, std::move(Entry)); FSet.addLock(FactMan, std::move(Entry));
} }
} }
/// Remove a lock from the lockset, warning if the lock is not there. /// Remove a lock from the lockset, warning if the lock is not there.
/// \param UnlockLoc The source location of the unlock (only used in error msg) /// \param UnlockLoc The source location of the unlock (only used in error msg)
void ThreadSafetyAnalyzer::removeLock(FactSet &FSet, const CapabilityExpr &Cp, void ThreadSafetyAnalyzer::removeLock(FactSet &FSet, const CapabilityExpr &Cp,
▲ Show 20 LinesShow All 1,224 LinesShow Last 20 Lines

cfe/trunk/test/SemaCXX/warn-thread-safety-analysis.cpp

Show First 20 LinesShow All 2,615 Lines▼ Show 20 Linesvoid Foo::test5() {
// no warning on join point for managed lock. // no warning on join point for managed lock.
rlock.Release(); // expected-warning {{releasing mutex 'mu_' that was not held}} rlock.Release(); // expected-warning {{releasing mutex 'mu_' that was not held}}
} }
} // end namespace ReleasableScopedLock } // end namespace ReleasableScopedLock
namespace RelockableScopedLock {
class SCOPED_LOCKABLE RelockableExclusiveMutexLock {
public:
RelockableExclusiveMutexLock(Mutex *mu) EXCLUSIVE_LOCK_FUNCTION(mu);
~RelockableExclusiveMutexLock() EXCLUSIVE_UNLOCK_FUNCTION();
void Lock() EXCLUSIVE_LOCK_FUNCTION();
void Unlock() UNLOCK_FUNCTION();
};
struct SharedTraits {};
struct ExclusiveTraits {};
class SCOPED_LOCKABLE RelockableMutexLock {
public:
RelockableMutexLock(Mutex *mu, SharedTraits) SHARED_LOCK_FUNCTION(mu);
RelockableMutexLock(Mutex *mu, ExclusiveTraits) EXCLUSIVE_LOCK_FUNCTION(mu);
~RelockableMutexLock() UNLOCK_FUNCTION();
void Lock() EXCLUSIVE_LOCK_FUNCTION();
void Unlock() UNLOCK_FUNCTION();
void ReaderLock() SHARED_LOCK_FUNCTION();
void ReaderUnlock() UNLOCK_FUNCTION();
void PromoteShared() UNLOCK_FUNCTION() EXCLUSIVE_LOCK_FUNCTION();
void DemoteExclusive() UNLOCK_FUNCTION() SHARED_LOCK_FUNCTION();
};
Mutex mu;
int x GUARDED_BY(mu);
void print(int);
void relock() {
RelockableExclusiveMutexLock scope(&mu);
x = 2;
scope.Unlock();
x = 3; // expected-warning {{writing variable 'x' requires holding mutex 'mu' exclusively}}
scope.Lock();
x = 4;
}
void relockExclusive() {
RelockableMutexLock scope(&mu, SharedTraits{});
print(x);
x = 2; // expected-warning {{writing variable 'x' requires holding mutex 'mu' exclusively}}
scope.ReaderUnlock();
print(x); // expected-warning {{reading variable 'x' requires holding mutex 'mu'}}
scope.Lock();
print(x);
x = 4;
scope.DemoteExclusive();
print(x);
x = 5; // expected-warning {{writing variable 'x' requires holding mutex 'mu' exclusively}}
}
void relockShared() {
RelockableMutexLock scope(&mu, ExclusiveTraits{});
print(x);
x = 2;
scope.Unlock();
print(x); // expected-warning {{reading variable 'x' requires holding mutex 'mu'}}
scope.ReaderLock();
print(x);
x = 4; // expected-warning {{writing variable 'x' requires holding mutex 'mu' exclusively}}
scope.PromoteShared();
print(x);
x = 5;
}
void doubleUnlock() {
RelockableExclusiveMutexLock scope(&mu);
scope.Unlock();
scope.Unlock(); // expected-warning {{releasing mutex 'mu' that was not held}}
}
void doubleLock1() {
RelockableExclusiveMutexLock scope(&mu);
scope.Lock(); // expected-warning {{acquiring mutex 'mu' that is already held}}
}
void doubleLock2() {
RelockableExclusiveMutexLock scope(&mu);
scope.Unlock();
scope.Lock();
scope.Lock(); // expected-warning {{acquiring mutex 'mu' that is already held}}
}
void directUnlock() {
RelockableExclusiveMutexLock scope(&mu);
mu.Unlock();
// Debatable that there is no warning. Currently we don't track in the scoped
// object whether it is active, but just check if the contained locks can be
// reacquired. Here they can, because mu has been unlocked manually.
scope.Lock();
}
void directRelock() {
RelockableExclusiveMutexLock scope(&mu);
scope.Unlock();
mu.Lock();
// Similarly debatable that there is no warning.
scope.Unlock();
}
// Doesn't make a lot of sense, just making sure there is no crash.
void destructLock() {
RelockableExclusiveMutexLock scope(&mu);
scope.~RelockableExclusiveMutexLock();
scope.Lock(); // Should be UB, so we don't really care.
}
class SCOPED_LOCKABLE MemberLock {
public:
MemberLock() EXCLUSIVE_LOCK_FUNCTION(mutex);
~MemberLock() UNLOCK_FUNCTION(mutex);
void Lock() EXCLUSIVE_LOCK_FUNCTION(mutex);
Mutex mutex;
};
void relockShared2() {
MemberLock lock;
lock.Lock(); // expected-warning {{acquiring mutex 'lock.mutex' that is already held}}
}
class SCOPED_LOCKABLE WeirdScope {
private:
Mutex *other;
public:
WeirdScope(Mutex *mutex) EXCLUSIVE_LOCK_FUNCTION(mutex);
void unlock() EXCLUSIVE_UNLOCK_FUNCTION() EXCLUSIVE_UNLOCK_FUNCTION(other);
void lock() EXCLUSIVE_LOCK_FUNCTION() EXCLUSIVE_LOCK_FUNCTION(other);
~WeirdScope() EXCLUSIVE_UNLOCK_FUNCTION();
void requireOther() EXCLUSIVE_LOCKS_REQUIRED(other);
};
void relockWeird() {
WeirdScope scope(&mu);
x = 1;
scope.unlock(); // expected-warning {{releasing mutex 'scope.other' that was not held}}
x = 2; // \
// expected-warning {{writing variable 'x' requires holding mutex 'mu' exclusively}}
scope.requireOther(); // \
// expected-warning {{calling function 'requireOther' requires holding mutex 'scope.other' exclusively}}
scope.lock(); // expected-note {{mutex acquired here}}
x = 3;
scope.requireOther();
} // expected-warning {{mutex 'scope.other' is still held at the end of function}}
} // end namespace RelockableScopedLock
namespace TrylockFunctionTest { namespace TrylockFunctionTest {
class Foo { class Foo {
public: public:
Mutex mu1_; Mutex mu1_;
Mutex mu2_; Mutex mu2_;
bool c; bool c;
▲ Show 20 LinesShow All 2,710 LinesShow Last 20 Lines