-
Notifications
You must be signed in to change notification settings - Fork 10.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify support for exclusive_trylock_function annotation on constructors #92408
Comments
Prior to this CL, base::AutoTryLock's constructor was annotated with EXCLUSIVE_LOCK_FUNCTION, a Thread Safety Analysis [1] annotation that indicates that the function infallibly acquires the lock. In reality, it just *tries* to acquire the lock, so potentially-unguarded access was flying under the radar. It appears it's structurally impossible to annotate a constructor as a fallible locking operation. The EXCLUSIVE_TRYLOCK_FUNCTION(...) annotation exists, but it requires a boolean parameter corresponding to the function's return type. Constructors have no return type, so it seems this annotation simply cannot be applied to constructors. This problem is described in a newly-filed LLVM issue [2]. As a workaround, this CL annotates `bool AutoLock::is_acquired()` with EXCLUSIVE_TRYLOCK_FUNCTION(true) instead of the constructor. The accessor does not really acquire the lock, but that's an implementation detail from the caller's perspective. The effect is that the analysis now requires callers to check is_acquired() before using guarded data. [1]: https://clang.llvm.org/docs/ThreadSafetyAnalysis.html [2]: llvm/llvm-project#92408 Bug: 340196356 Change-Id: I98a37e9c9260eee417250190b770a2e2d8cee720 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5542379 Commit-Queue: Dan McArdle <dmcardle@chromium.org> Reviewed-by: Hongchan Choi <hongchan@chromium.org> Cr-Commit-Position: refs/heads/main@{#1301979}
What we ultimately landed here has its own downsides: it suggests that the "is the lock acquired?" oracle function is Ultimately, IMO, the right solution is something like a new |
Prior to this CL, base::AutoTryLock's constructor was annotated with EXCLUSIVE_LOCK_FUNCTION, a Thread Safety Analysis [1] annotation that indicates that the function infallibly acquires the lock. In reality, it just *tries* to acquire the lock, so potentially-unguarded access was flying under the radar. It appears it's structurally impossible to annotate a constructor as a fallible locking operation. The EXCLUSIVE_TRYLOCK_FUNCTION(...) annotation exists, but it requires a boolean parameter corresponding to the function's return type. Constructors have no return type, so it seems this annotation simply cannot be applied to constructors. This problem is described in a newly-filed LLVM issue [2]. As a workaround, this CL annotates `bool AutoLock::is_acquired()` with EXCLUSIVE_TRYLOCK_FUNCTION(true) instead of the constructor. The accessor does not really acquire the lock, but that's an implementation detail from the caller's perspective. The effect is that the analysis now requires callers to check is_acquired() before using guarded data. [1]: https://clang.llvm.org/docs/ThreadSafetyAnalysis.html [2]: llvm/llvm-project#92408 Bug: 340196356 Change-Id: I98a37e9c9260eee417250190b770a2e2d8cee720 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5542379 Commit-Queue: Dan McArdle <dmcardle@chromium.org> Reviewed-by: Hongchan Choi <hongchan@chromium.org> Cr-Commit-Position: refs/heads/main@{#1301979} NOKEYCHECK=True GitOrigin-RevId: f97ab60f89600edf9068e5a7a87c6413009de5ed
Prior to this CL, base::AutoTryLock's constructor was annotated with EXCLUSIVE_LOCK_FUNCTION, a Thread Safety Analysis [1] annotation that indicates that the function infallibly acquires the lock. In reality, it just *tries* to acquire the lock, so potentially-unguarded access was flying under the radar. It appears it's structurally impossible to annotate a constructor as a fallible locking operation. The EXCLUSIVE_TRYLOCK_FUNCTION(...) annotation exists, but it requires a boolean parameter corresponding to the function's return type. Constructors have no return type, so it seems this annotation simply cannot be applied to constructors. This problem is described in a newly-filed LLVM issue [2]. As a workaround, this CL annotates `bool AutoLock::is_acquired()` with EXCLUSIVE_TRYLOCK_FUNCTION(true) instead of the constructor. The accessor does not really acquire the lock, but that's an implementation detail from the caller's perspective. The effect is that the analysis now requires callers to check is_acquired() before using guarded data. [1]: https://clang.llvm.org/docs/ThreadSafetyAnalysis.html [2]: llvm/llvm-project#92408 Bug: 340196356 Change-Id: I98a37e9c9260eee417250190b770a2e2d8cee720 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5542379 Commit-Queue: Dan McArdle <dmcardle@chromium.org> Reviewed-by: Hongchan Choi <hongchan@chromium.org> Cr-Commit-Position: refs/heads/main@{#1301979} CrOS-Libchrome-Original-Commit: f97ab60f89600edf9068e5a7a87c6413009de5ed
The mutex demo in the Thread Safety Analysis documentation demonstrates a number of
MutexLocker
constructors that assume various properties about the given mutex, but it notably omits a constructor that performsTryLock
, instead providing that as a method onMutexLocker
itself.In attempting to address a bug related to a similar scoped lockable that tries to lock a given mutex we considered the possibility of annotating the constructor with
exclusive_trylock_function(true)
and adding an implicitoperator bool()
that returns whether locking succeeded.I'm not sure whether the analyzer should support something like this, but is it ever appropriate today to mark a constructor with
exclusive_trylock_function
, given that constructors don't return anything? If not, could we make it an error to help prevent misuse, similar to the way it is prohibited on anything other than a function?The text was updated successfully, but these errors were encountered: