Clarify support for exclusive_trylock_function annotation on constructors #92408
Labels
Comments
aarongable
pushed a commit
to chromium/chromium
that referenced
this issue
May 16, 2024
Prior to this CL, base::AutoTryLock's constructor was annotated with EXCLUSIVE_LOCK_FUNCTION, a Thread Safety Analysis [1] annotation that indicates that the function infallibly acquires the lock. In reality, it just *tries* to acquire the lock, so potentially-unguarded access was flying under the radar. It appears it's structurally impossible to annotate a constructor as a fallible locking operation. The EXCLUSIVE_TRYLOCK_FUNCTION(...) annotation exists, but it requires a boolean parameter corresponding to the function's return type. Constructors have no return type, so it seems this annotation simply cannot be applied to constructors. This problem is described in a newly-filed LLVM issue [2]. As a workaround, this CL annotates `bool AutoLock::is_acquired()` with EXCLUSIVE_TRYLOCK_FUNCTION(true) instead of the constructor. The accessor does not really acquire the lock, but that's an implementation detail from the caller's perspective. The effect is that the analysis now requires callers to check is_acquired() before using guarded data. [1]: https://clang.llvm.org/docs/ThreadSafetyAnalysis.html [2]: llvm/llvm-project#92408 Bug: 340196356 Change-Id: I98a37e9c9260eee417250190b770a2e2d8cee720 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5542379 Commit-Queue: Dan McArdle <dmcardle@chromium.org> Reviewed-by: Hongchan Choi <hongchan@chromium.org> Cr-Commit-Position: refs/heads/main@{#1301979}
|
What we ultimately landed here has its own downsides: it suggests that the "is the lock acquired?" oracle function is Ultimately, IMO, the right solution is something like a new |
github-actions bot
pushed a commit
to kaidokert/chrome_base_mirror
that referenced
this issue
May 17, 2024
Prior to this CL, base::AutoTryLock's constructor was annotated with EXCLUSIVE_LOCK_FUNCTION, a Thread Safety Analysis [1] annotation that indicates that the function infallibly acquires the lock. In reality, it just *tries* to acquire the lock, so potentially-unguarded access was flying under the radar. It appears it's structurally impossible to annotate a constructor as a fallible locking operation. The EXCLUSIVE_TRYLOCK_FUNCTION(...) annotation exists, but it requires a boolean parameter corresponding to the function's return type. Constructors have no return type, so it seems this annotation simply cannot be applied to constructors. This problem is described in a newly-filed LLVM issue [2]. As a workaround, this CL annotates `bool AutoLock::is_acquired()` with EXCLUSIVE_TRYLOCK_FUNCTION(true) instead of the constructor. The accessor does not really acquire the lock, but that's an implementation detail from the caller's perspective. The effect is that the analysis now requires callers to check is_acquired() before using guarded data. [1]: https://clang.llvm.org/docs/ThreadSafetyAnalysis.html [2]: llvm/llvm-project#92408 Bug: 340196356 Change-Id: I98a37e9c9260eee417250190b770a2e2d8cee720 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5542379 Commit-Queue: Dan McArdle <dmcardle@chromium.org> Reviewed-by: Hongchan Choi <hongchan@chromium.org> Cr-Commit-Position: refs/heads/main@{#1301979} NOKEYCHECK=True GitOrigin-RevId: f97ab60f89600edf9068e5a7a87c6413009de5ed
jrguzman-ms
pushed a commit
to msft-mirror-aosp/platform.external.libchrome
that referenced
this issue
May 18, 2024
Prior to this CL, base::AutoTryLock's constructor was annotated with EXCLUSIVE_LOCK_FUNCTION, a Thread Safety Analysis [1] annotation that indicates that the function infallibly acquires the lock. In reality, it just *tries* to acquire the lock, so potentially-unguarded access was flying under the radar. It appears it's structurally impossible to annotate a constructor as a fallible locking operation. The EXCLUSIVE_TRYLOCK_FUNCTION(...) annotation exists, but it requires a boolean parameter corresponding to the function's return type. Constructors have no return type, so it seems this annotation simply cannot be applied to constructors. This problem is described in a newly-filed LLVM issue [2]. As a workaround, this CL annotates `bool AutoLock::is_acquired()` with EXCLUSIVE_TRYLOCK_FUNCTION(true) instead of the constructor. The accessor does not really acquire the lock, but that's an implementation detail from the caller's perspective. The effect is that the analysis now requires callers to check is_acquired() before using guarded data. [1]: https://clang.llvm.org/docs/ThreadSafetyAnalysis.html [2]: llvm/llvm-project#92408 Bug: 340196356 Change-Id: I98a37e9c9260eee417250190b770a2e2d8cee720 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5542379 Commit-Queue: Dan McArdle <dmcardle@chromium.org> Reviewed-by: Hongchan Choi <hongchan@chromium.org> Cr-Commit-Position: refs/heads/main@{#1301979} CrOS-Libchrome-Original-Commit: f97ab60f89600edf9068e5a7a87c6413009de5ed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The mutex demo in the Thread Safety Analysis documentation demonstrates a number of
MutexLockerconstructors that assume various properties about the given mutex, but it notably omits a constructor that performsTryLock, instead providing that as a method onMutexLockeritself.In attempting to address a bug related to a similar scoped lockable that tries to lock a given mutex we considered the possibility of annotating the constructor with
exclusive_trylock_function(true)and adding an implicitoperator bool()that returns whether locking succeeded.I'm not sure whether the analyzer should support something like this, but is it ever appropriate today to mark a constructor with
exclusive_trylock_function, given that constructors don't return anything? If not, could we make it an error to help prevent misuse, similar to the way it is prohibited on anything other than a function?The text was updated successfully, but these errors were encountered: