| blob | bda4e9ae03f91403cbc29871bc2d04244d476736 |
1 /* Thread Safety Annotations and Analysis.
2 Copyright (C) 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
3 Contributed by Le-Chun Wu <lcwu@google.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
12 GCC is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
22 /* This file contains an analysis pass that uses the thread safety attributes
23 to identify and warn about potential issues that could result in data
24 races and deadlocks. The thread safety attributes currently support only
25 lock-based synchronization. They help developers document the locks that
26 need to be used to safely read and write shared variables and also the
27 order in which they intend to acquire locks. Here is the list of the
28 attributes that this analysis pass uses:
30 __attribute__ ((lockable))
31 __attribute__ ((scoped_lockable))
32 __attribute__ ((guarded_by(x)))
33 __attribute__ ((guarded))
34 __attribute__ ((point_to_guarded_by(x)))
35 __attribute__ ((point_to_guarded))
36 __attribute__ ((acquired_after(__VA_ARGS__)))
37 __attribute__ ((acquired_before(__VA_ARGS__)))
38 __attribute__ ((exclusive_lock(__VA_ARGS__)))
39 __attribute__ ((shared_lock(__VA_ARGS__)))
40 __attribute__ ((exclusive_trylock(__VA_ARGS__)))
41 __attribute__ ((shared_trylock(__VA_ARGS__)))
42 __attribute__ ((unlock(__VA_ARGS__)))
43 __attribute__ ((exclusive_locks_required(__VA_ARGS__)))
44 __attribute__ ((shared_locks_required(__VA_ARGS__)))
45 __attribute__ ((locks_excluded(__VA_ARGS__)))
46 __attribute__ ((lock_returned(x)))
47 __attribute__ ((no_thread_safety_analysis))
48 __attribute__ ((ignore_reads_begin))
49 __attribute__ ((ignore_reads_end))
50 __attribute__ ((ignore_writes_begin))
51 __attribute__ ((ignore_writes_end))
52 __attribute__ ((unprotected_read))
54 If multi-threaded code is annotated with these attributes, this analysis
55 pass can detect the following potential thread safety issues:
57 * Accesses to shared variables and function calls are not guarded by
58 proper (read or write) locks
59 * Locks are not acquired in the specified order
60 * A cycle in the lock acquisition order
61 * Try to acquire a lock that is already held by the same thread
62 - Useful when locks are non-reentrant
63 * Locks are not acquired and released in the same routine (or in the
64 control-equivalent blocks)
65 - Having critical sections starting and ending in the same routine
66 is a better practice
68 The analysis pass uses a single-pass (or single iteration) data-flow
69 analysis to maintain live lock sets at each program point, using the
70 attributes to decide when to add locks to the live sets and when to
71 remove them from the sets. With the live lock sets and the attributes
72 attached to shared variables and functions, we are able to check whether
73 the variables and functions are well protected. Note that the reason why
74 we don't need iterative data flow analysis is because critical sections
75 across back edges are considered a bad practice. */
100 /* A per-BB data structure used for topological traversal and data flow
101 analysis. */
102 struct bb_threadsafe_info
103 {
104 /* Indicating whether the BB has been visited in the analysis. */
107 /* Flags indicating whether we should ignore reads or writes in the
108 analysis. The flags are set and unset during the analysis when seeing
109 function calls annotated with ignore_{reads|writes}_{begin|end}
110 attributes. */
114 /* Number of predecessors visited. Used for topological traversal of BBs. */
117 /* Live out exclusive/shared lock sets. */
121 /* Locks released by the Release routine of a scoped lock (e.g.
122 std::unique_lock::Release()). When a lock is released by such routines
123 on certain control-flow paths but not all, we consider it weakly
124 released and keep track of it in this set so that later when we encounter
125 the destructor of the scoped lock (which is also an UNLOCK function),
126 we will not emit a bogus warning. */
129 /* Working live lock sets. These sets are used and updated during the
130 analysis of statements. */
134 /* The outgoing edge that a successful trylock call takes. */
135 edge trylock_live_edge;
137 /* Sets of live-out locks acquired by a successful trylock. */
140 };
143 /* This data structure is created when we see a function call that is a
144 trylock. A map entry that maps the trylock call to its associated
145 trylock_info structure is inserted to trylock_info_map (see below).
146 The map (and the trylock_info structure) will later be used when we
147 analyze a block-ending if-statement whose condition expression is
148 fed by a trylock. */
149 struct trylock_info
150 {
151 /* The set of locks the trylock call tries to acquire. */
154 /* Indicating whether the locks acquired by trylock is exclusive
155 (i.e. writer lock) or not. */
158 /* Specify the trylock return value on a successful lock acquisition. */
160 };
162 /* Access mode used for indicating whether an access to a shared variable
163 is a read or a write. */
164 enum access_mode
165 {
166 TSA_READ,
167 TSA_WRITE
168 };
170 /* True if the parser is currently parsing a lock attribute. */
173 /* A map of which each entry maps a lock, say A, to a set of locks that
174 lock A should be acquired after. This map is first populated when we
175 parse the lock declarations that are annotated with "acquired_after"
176 or "acquired_before" attributes. Later at the beginning of the thread
177 safety analysis (see build_transitive_acquired_after_sets()), we
178 calculate the transitive closures of the acquired_after sets for the
179 locks and modify the map. For example, if we have global variables
180 declarations like the following:
182 Mutex mu1;
183 Mutex mu2 __attribute__ ((acquired_after(mu1)));
184 Mutex mu3 __attribute__ ((acquired_after(mu2)));
186 After parsing, the contents of the map is shown below:
188 lock acquired_after set
189 --------------------------
190 mu2 -> { mu1 }
191 mu3 -> { mu2 }
193 After we call build_transitive_acquired_after_sets(), the map would be
194 modified as shown below:
196 lock acquired_after set
197 --------------------------
198 mu2 -> { mu1 }
199 mu3 -> { mu2, mu1 } */
202 /* This flag is used for indicating whether transitive acquired_after sets
203 for the locks have been built so that we only build them once per
204 compilation unit. */
207 /* These two variables are used during the process of building acquired_after
208 transitive closures. A lock is considered finalized (and then added to the
209 finalized_locks set) when every member of its current acquired_after set
210 (1) is finalized, or
211 (2) doesn't have an acquired_after set (i.e. a root in the partial order
212 of the acquired_after relations)
214 Once a lock is finalized, we never have to calculate its acquired_after set
215 again during the transitive closure building process. This helps make the
216 calculation converge faster.
218 The reason why we needed to use global variables (instead of passing them
219 in as parameters) is because we use pointer_set_traverse routine to visit
220 set members, and the routine only take one additional parameter (besides
221 the set and the applied function). */
225 /* This map contains the locks specified in attributes that couldn't be bound
226 to any decl tree in scope when they were parsed. We would try to bind them
227 during the analysis. */
230 /* A map of which each entry maps a scoped lock to the lock it acquires
231 at construction. An entry is created and added to the map when we see
232 the constructor of a scoped lock. It is later used when we see the
233 destructor of the scoped lock because the destructor doesn't take an
234 argument that specifies the lock. */
237 /* Each entry maps a lock to the source location at which it was last
238 acquired. */
241 /* Each entry maps a lock to its canonicalized expression (see
242 get_canonical_lock_expr()). */
245 /* Each entry is a gimple call statement. Calls to the same function with
246 symbolically identical arguments will hash to the same entry. */
249 /* Each entry maps a trylock call expr to its trylock_info. */
252 /* Source location of the currently processed expression. In our analysis,
253 we actually tried to pass the source location around through function
254 parameters. However, in the cases where we need to use pointer_set_traverse
255 or pointer_map_traverse, this global variable is used. */
258 /* Buffer for pretty print the lock expression in the warning messages. */
261 /* Forward declaration */
267 /* This function hashes an expr tree to a hash value by doing the following:
268 - for a decl, returns the pointer hash of the tree,
269 - for an integer constant, returns the sum of low and high parts,
270 - for other expressions, sums up the hash values of all operands and
271 multiplies it by the opcode,
272 - for all other trees, returns 0. */
274 static hashval_t
276 {
286 {
291 {
295 }
298 }
299 else
301 }
303 /* Given two lock expressions/trees, determine whether they are equal.
304 This is basically a wrapper around operand_equal_p so please see its
305 comments for how two expression trees are considered equal
306 (in fold-const.c). */
308 static int
310 {
315 }
317 /* This function hashes a gimple call statement to a hash value.
318 Calls to the same function would be hashed to the same value. */
320 static hashval_t
322 {
327 else
328 {
331 NULL_TREE));
332 }
333 }
335 /* Given two gimple call statements, determine whether they are equal.
336 Two calls are consider equal if they call the same function with the
337 same arguments (which is determined using operand_equal_p). This is
338 a helper function used by gimple_call_tab hash table. */
340 static int
342 {
356 {
363 }
372 {
379 }
382 }
384 /* This is a helper function passed in (as a parameter) to the
385 pointer_set_traverse routine when we traverse the acquired_after set
386 of a lock, say lock A, to populate the transitive closure. It should
387 not be called by other functions. Parameter LOCK is a member of lock A's
388 acquired_after set and TRANSITIVE_LOCKS is the set of locks that will
389 eventually be added to lock A's acquired_after set. */
391 static bool
393 {
399 /* Add LOCK's acquired_after set to lock A's transitive closure. */
403 /* If LOCK, which is a member of lock A's acquired_after set, is not
404 finalized, lock A is not finalized. */
409 }
411 /* This is a helper function passed in (as a parameter) to the
412 pointer_map_traverse routine when we traverse lock_acquired_after_map
413 to update the acquired_after set for each lock. It should not be
414 called by other functions.
416 This function iterates over members of LOCK's acquired_after set
417 (i.e. ACQ_AFTER_SET) and adds their acquired_after sets to
418 "transitive_lock", which is then union-ed with ACQ_AFTER_SET.
419 If there is any new member added to the ACQ_AFTER_SET, we need to
420 set *UPDATED to true so that the main loop that calculates the transitive
421 closures will iterate again (see build_transitive_acquired_after_sets()).
422 Also if every member of ACQ_AFTER_SET is finalized, LOCK is also finalized
423 and added to the finalized_locks set. */
425 static bool
428 {
433 /* Skip locks whose acquired_after set is already finalized. */
439 /* Before we traverse the acq_after_set, set finalized to true. If any
440 of acq_after_set's members is not finalized, the flag will be set to
441 false. */
447 /* Before we union transitive_locks with acq_after_set, get the original
448 member number of acq_after_set. */
449 old_num_elements =
453 transitive_locks);
455 new_num_elements =
460 /* If new member number is greater than the original, which means some new
461 members (locks) were added to acq_after_set, set *update to true. */
463 {
467 }
468 else
469 /* If no new locks were added to ACQ_AFTER_SET, LOCK is also finalized. */
475 }
477 /* This function builds transitive acquired_after sets (i.e. transitive
478 closures) for locks and updates the lock_acquired_after_map. It iteratively
479 traverses the lock_acquired_after_map, updating the acquired_after sets
480 until the transitive closures converge. This function is called at most
481 once per compilation unit. */
483 static void
485 {
491 {
498 }
501 }
503 /* A helper function used by pointer_map_traverse to destroy ACQ_AFTER_SET
504 when deleting the lock_acquired_after_map. */
506 static bool
509 {
512 }
514 /* Function to delete the lock_expr_tab, lock_acquired_after_map, and
515 unbound_lock_map. This is called at the end of a compilation unit.
516 (See toplev.c) */
518 void
520 {
521 /* lock_expr_tab is garbage collected. */
524 /* Free the lock acquired_after map and the sets */
526 {
531 }
535 /* Free the unbound lock map */
537 {
540 }
541 }
543 /* Given a BASE object of a field access (i.e. base->a or base->foo()),
544 this function tells whether BASE is a this pointer (i.e. this->a or
545 this->foo()). */
547 static bool
549 {
550 tree this_ptr;
563 else
565 }
568 /* Get the function declaration from a gimple call stmt (CALL). This handles
569 both ordinary function calls and virtual methods. */
571 static tree
573 {
575 /* If the callee fndecl is NULL, check if it is a virtual function,
576 and if so, try to get its decl through the reference object. */
578 {
581 {
583 /* Check to make sure objtype is a valid type.
584 OBJ_TYPE_REF_OBJECT does not always return the correct static type
585 of the callee. For example: Given
586 foo(void* ptr) { ((Foo*) ptr)->doSomething(); }
587 objtype will be void, not Foo. Whether or not this happens
588 depends on the details of how a particular call is lowered to
589 GIMPLE, and there is no easy fix that works in all cases. For
590 now, we simply rely on gcc's type information; if that information
591 is not accurate, then the analysis will be less precise.
592 */
595 }
596 }
598 }
601 /* Given a CALL gimple statment, check if its function decl is annotated
602 with "lock_returned" attribute. If so, return the lock specified in
603 the attribute. Otherise, return NULL_TREE. */
605 static tree
607 {
609 tree attr = (fdecl
613 {
616 }
617 else
619 }
621 /* Given a lock expression (LOCKABLE), this function returns the
622 var/field/parm decl part of the lockable. For example, if the lockable
623 is a[2].foo->mu, it returns the decl tree of mu. */
625 static tree
627 {
629 {
633 {
634 /* If the lockable is a compiler-generated temp variable that
635 has a debug expr specifying the original var decl (see
636 lookup_tmp_var() in gimplify.c), return the original var decl. */
640 {
643 }
645 }
647 /* Handle the case of mu.Lock(), i.e. Lock(&mu). */
650 {
651 /* If the lockable is an SSA_NAME of a temp variable (with or
652 without a name), we get to get the original variable decl
653 by back-tracing its SSA def (as shown in the following example).
654 D.2_1 = &this->mu;
655 Lock (D.2_1);
656 Note that the SSA name doesn't always have a def statement
657 (e.g. "this" pointer). */
661 {
669 else
671 }
672 else
674 }
676 /* Handle the case of Foo.mu.Lock() or Foo->mu.Lock() */
682 }
683 }
685 /* Build a fully-qualified name of a lock that is a class member with the
686 given BASE object tree and the LOCK_FIELD tree. This helper function is
687 usually used when handling lock_returned, lock, and unlock attributes.
688 For example, given the following code
690 class Bar {
691 public:
692 bool MyLock() __attributes__ ((exclusive_lock(mu1_)));
693 void MyUnlock() __attributes__ ((unlock(mu1_)));
694 int a_ __attribute__ ((guarded_by(mu1_)));
695 private:
696 Mutex mu1_;
697 };
699 Bar *b1, *b2;
701 void func()
702 {
703 b1->MyLock(); // S1
704 b1->a_ = 5; // S2
705 b2->a_ = 3; // S3
706 b1->MyUnlock(); // S4
707 }
709 When analyzing statement S1, instead of adding "mu1_" to the live lock
710 set, we need to build the fully-qualified name, b1->mu1, first and add
711 the fully-qualified name to the live lock set. The same goes for the unlock
712 statement in S4. Without using the fully-qualified lock names, we won't
713 be able to tell the lock requirement difference between S2 and S3. */
715 static tree
717 {
718 tree lock;
721 NULL_TREE);
723 /* When the base is a pointer, i.e. b1->MyLock() (or MyLock(base)
724 internally), we need to create a new base that is INDIRECT_REF so that
725 we could form a correct fully-qualified lock expression with the
726 lock_field (e.g. b1->lock_field). On the other hand, if the base is an
727 address_taken operation (i.e. base.foo() or foo(&base)), we need to get
728 rid of the ADDR_EXPR operator before we form the new lock expression. */
730 {
731 /* Note that if the base object is neither an ADDR_EXPR, nor a pointer,
732 most likely we have done IPA-SRA optimization and the DECL is a
733 cloned method, where reference parameters are changed to be passed
734 by value. So in this case, we don't need to do anything. */
737 canon_base);
738 }
739 else
746 }
748 /* Given a lock expression, this function returns a canonicalized
749 expression (for matching locks in the analysis). Basically this
750 function does the following to canonicalize the expression:
752 - Fold temp variables. e.g.
754 D.1 = &q->mu; ==> foo (&q->mu);
755 foo (D.1);
757 - Fold SSA names. e.g.
759 q.0_1 = q; ==> q->mu;
760 q.0_1->mu;
762 - Replace function calls that return a lock with the actual lock returned
763 (if it is annotated with "lock_returned" attribute).
765 - Subexpressions of the lock are canonicalized recursively.
767 When matching two expressions, we currently only do it symbolically.
768 That is, if two different pointers, say p and q, point to the same
769 location, they will not map to the same canonical expr.
771 This function can also be called to get a canonical form of an expression
772 which may not be a lock. For example, when trying to canonicalize the base
773 object expression. And in that case, IS_TEMP_EXPR is set to true so that
774 the expression will not be inserted into the LOCK_EXPR_TAB.
776 When this function is called with a non-null NEW_LEFTMOST_BASE_VAR and the
777 lefmost base of LOCK is a PARM_DECL, we are trying to replace a formal
778 parameter with an actual argument (i.e. NEW_LEFTMOST_BASE_VAR). This
779 function will return an expression whose leftmost base/operands is replaced
780 with the given new base var. For example, if LOCK is a->b[3]->c and
781 NEW_LEFTMOST_BASE_VAR is x, the function will return (the canonical form
782 of) x->b[3]->c. */
784 tree
786 tree new_leftmost_base_var)
787 {
788 hashval_t hash;
789 tree canon_lock;
793 {
797 /* Fall through to the following case. */
799 {
800 /* If the lock is a compiler-generated temp variable that
801 has a debug expr specifying the original var decl (see
802 lookup_tmp_var() in gimplify.c), return the original var decl. */
806 {
809 }
811 }
813 {
814 /* If the LOCK is a field decl and BASE_OBJ is not NULL, build a
815 component_ref expression for the canonical lock. */
817 {
822 NULL_TREE);
823 }
825 }
827 {
828 /* If the lock is an SSA_NAME of a temp variable (with or
829 without a name), we can possibly get the original variable decl
830 by back-tracing its SSA def (as shown in the following example).
832 D.2_1 = &this->mu;
833 Lock (D.2_1);
835 Note that the SSA name doesn't always have a def statement
836 (e.g. "this" pointer). */
840 {
843 {
862 }
864 {
868 {
871 {
874 }
875 else
878 }
879 /* We deal with a lockable object wrapped in a smart pointer
880 here. For example, given the following code
882 auto_ptr<Mutex> mu;
883 mu->Lock();
885 We would like to ignore the "operator->" (or "operator.")
886 and simply return mu. We also treat the "get" method of
887 a smart pointer the same as operator->. And we only do it
888 when LOCK is indeed a lock expr, not some temp expr. */
896 && !is_temp_expr
900 {
907 }
909 /* For a gimple call statement not annotated with
910 "lock_returned" attr, try to get the canonical lhs of
911 the statement. */
914 {
918 {
921 INSERT);
924 }
927 }
928 }
929 }
931 NULL_TREE);
932 }
934 {
936 tree canon_base;
937 /* For expressions that denote locks,
938 When the expr is a pointer to a lockable type (i.e. mu.Lock()
939 or Lock(&mu) internally), we don't need the address-taken
940 operator (&). */
946 new_leftmost_base_var);
949 new_leftmost_base_var);
953 }
955 {
956 /* Handle the case of Foo.mu.Lock() or Foo->mu.Lock().
957 If the base is "this" pointer or a base class, get the component
958 only. */
961 tree canon_base;
964 NULL_TREE);
968 new_leftmost_base_var);
970 /* If either the base or the component is a compiler-generated base
971 object field, skip it. For example, if a lock expressions is
972 foo->D.2801.mu, where D.2801 is the base field in foo which is
973 a derived class, we want the canonical form of the lock to be
974 foo->mu. */
977 NULL_TREE);
980 {
983 else
984 /* return canon_base, but recalculate it so that it is stored
985 in the hash table. */
988 new_leftmost_base_var);
989 }
995 }
997 {
1001 new_leftmost_base_var);
1004 ? index
1007 NULL_TREE));
1013 }
1016 {
1020 new_leftmost_base_var);
1022 /* If CANON_BASE is an ADDR_EXPR (e.g. &a), doing an indirect or
1023 memory reference on top of it is equivalent to accessing the
1024 variable itself. That is, *(&a) == a. So if that's the case,
1025 simply return the variable. Otherwise, build an indirect ref
1026 expression. */
1029 else
1033 }
1037 {
1041 NULL_TREE);
1046 NULL_TREE);
1051 }
1054 }
1058 /* Return the original lock expr if the lock expr is not something we can
1059 handle now. */
1063 /* Now that we have built a canonical lock expr, check whether it's already
1064 in the lock_expr_tab. If so, grab and return it. Otherwise, insert the
1065 new lock expr to the map. */
1073 /* If the lock is created temporarily (e.g. to form a full-path
1074 lock name), don't insert it in the lock_expr_tab as the lock
1075 tree will be manually freed later. */
1077 {
1080 }
1083 }
1085 /* Dump the LOCK name/expr in char string to OUT_BUF. If LOCK is a
1086 simple decl, we just use the identifier node of the lock. Otherwise,
1087 we use the tree pretty print mechanism to do that. */
1091 {
1095 else
1096 {
1101 }
1103 }
1105 /* A helper function that checks if the left-most operand of
1106 EXPR is a field decl, and if so, returns true. For example, if EXPR is
1107 'a.b->c[2]', it will check if 'a' is a field decl. */
1109 static bool
1111 {
1114 else
1116 }
1118 /* Check whether the given LOCK is a member of LOCK_SET and return the lock
1119 contained in the set if so. This check is more complicated than just
1120 calling pointer_set_contains with LOCK and LOCKSET because we need to
1121 get the canonical form of the lock. Also the LOCK_SET may contain the
1122 universal lock (i.e. error_mark_node). IGNORE_UNIVERSAL_LOCK indicates
1123 whether to ignore it. In order to be conservative (not to emit false
1124 positives), we don't want to ignore the universal lock when checking for
1125 locks required, but should ignore it when checking for locks excluded. */
1127 static tree
1130 {
1131 /* If the universal lock is in the LOCK_SET and it is not to be ignored,
1132 just assume the LOCK is in the LOCK_SET and returns it. */
1137 /* If the lock is a field and the base is not 'this' pointer nor a base
1138 class, we need to check the lock set with the fully-qualified lock name.
1139 Otherwise, we could be confused by the same lock field of a different
1140 object. */
1145 {
1146 /* canonical lock is a fully-qualified name. */
1149 NULL_TREE);
1153 }
1154 /* Check the lock set with the given lock directly as it could already be
1155 in canonical form. */
1158 /* If the lock is not yet bound to a decl, try to bind it now. */
1160 {
1162 /* If there is any unbound lock in the attribute, the unbound lock map
1163 must not be null. */
1168 {
1175 else
1177 }
1178 else
1180 }
1181 else
1183 }
1185 /* This function checks whether LOCK is in the current live lock sets
1186 (EXCL_LOCKS and SHARED_LOCKS) and emits warning message if it's not.
1187 This function is called when analyzing the expression that either accesses
1188 a shared variable or calls a function whose DECL is annotated with
1189 guarded_by, point_to_guarded_by, or {exclusive|shared}_locks_required
1190 attributes.
1192 IS_INDIRECT_REF indicates whether the (variable) access is indirect or not.
1194 LOCUS specifies the source location of the expression that accesses the
1195 shared variable or calls the guarded function.
1197 MODE indicates whether the access is a read or a write. */
1199 static void
1204 {
1209 {
1212 /* When the base obj tree is not an ADDR_EXPR, which means it is a
1213 pointer (i.e. base->foo(), or foo(base) internally), we will need
1214 to create a new base that is INDIRECT_REF so that we would be able
1215 to form a correct full expression for a lock later. On the other hand,
1216 if the base obj is an ADDR_EXPR (i.e. base.foo(), or foo(&base)
1217 internally), we need to remove the address-taken operation. Note
1218 that this is an issue only for class member functions. If DECL
1219 is a class field, the base_obj is good. */
1221 {
1224 NULL_TREE);
1226 {
1230 canon_base);
1231 /* If the base object is neither an ADDR_EXPR, nor a pointer,
1232 and DECL is a cloned method, most likely we have done IPA-SRA
1233 optimization, where reference parameters are changed to be
1234 passed by value. So in this case, just use the CANON_BASE. */
1237 else
1239 }
1240 else
1242 }
1243 }
1244 else
1245 {
1248 else
1250 }
1252 /* We want to use fully-qualified expressions (i.e. including base_obj
1253 if any) for DECL when emitting warning messages. */
1255 {
1257 {
1262 }
1263 }
1264 else
1265 /* If DECL is a function, call DECL_ORIGIN first in case it is a clone so
1266 that we can avoid using the cloned name in the warning messages. */
1270 {
1271 /* If LOCK is NULL, either the attribute is a "guarded" attribute that
1272 doesn't specify a particular lock, or the lock name/expression
1273 is not supported. Just check whether there is any live lock at this
1274 point. */
1276 {
1278 {
1284 else
1288 }
1289 else
1290 {
1292 {
1298 else
1302 }
1303 }
1304 }
1306 }
1310 NULL_TREE);
1313 {
1315 {
1316 /* We want to use fully-qualified expressions (i.e. including
1317 base_obj if any) for LOCK when emitting warning
1318 messages. */
1320 {
1322 {
1325 /* Get the canonical lock tree */
1328 NULL_TREE);
1329 }
1330 }
1337 else
1342 }
1343 else
1344 {
1346 {
1348 {
1349 /* We want to use fully-qualified expressions (i.e.
1350 including base_obj if any) for LOCK when
1351 emitting warning messages. */
1353 {
1356 /* Get the canonical lock tree */
1359 NULL_TREE);
1360 }
1361 }
1368 else
1373 }
1374 }
1375 }
1376 }
1378 /* This data structure is created to overcome the limitation of the
1379 pointer_set_traverse routine which only takes one data pointer argument.
1380 Unfortunately when we are trying to decide whether a lock (with an optional
1381 base object) is in a set or not, we will need 2 input parameters and 1
1382 output parameter. Therefore we use the following data structure. */
1384 struct lock_match_info
1385 {
1386 /* The lock which we want to check if it is in the acquired_after set. */
1387 tree lock;
1389 /* The base object of the lock if lock is a class member. */
1390 tree base;
1392 /* Whether we find a match or not. */
1394 };
1396 /* This is a helper function passed in (as a parameter) to the
1397 pointer_set_traverse routine we invoke to traverse the acquired_after
1398 set to find a match for the lock recorded in the match info
1399 (parameter INFO). This function should not be called by other functions.
1400 Parameter LOCK is a member of the acquired_after set.
1401 If LOCK is a class field, we would reconstruct the LOCK name by
1402 combining it with the base object (recorded in INFO) and do a match.
1403 If we find a match, record the result in INFO->match and return false
1404 so that pointer_set_traverse would stop iterating through the rest of
1405 the set. Also see the comments for function acquired_after_set_contains()
1406 below. */
1408 static bool
1410 {
1416 {
1417 tree tmp_lock;
1422 {
1425 }
1426 /* Since we know tmp_lock is not going to be used any more, we might
1427 as well free it even though it's not necessary. */
1429 }
1432 }
1434 /* Check if the LOCK is in the ACQ_AFTER_SET. This check is more complicated
1435 than simply calling pointer_set_contains to see whether ACQ_AFTER_SET
1436 contains LOCK because the ACQ_AFTER_SET could only contains the "bare"
1437 name of the LOCK. For example, suppose we have the following code:
1439 class Foo {
1440 public:
1441 Mutex mu1;
1442 Mutex mu2 attribute__ ((acquired_after(mu1)));
1443 ...
1444 };
1446 main()
1447 {
1448 Foo *foo = new Foo();
1449 ...
1450 foo->mu1.Lock();
1451 ...
1452 foo->mu2.Lock();
1453 ...
1454 }
1456 The lock_acquired_after_map would be
1458 lock acquired_after set
1459 --------------------------
1460 mu2 -> { mu1 }
1462 In our analysis, when we look at foo->mu2.Lock() and want to know whether
1463 foo->mu1 (which was acquired earlier) is in mu2's acquired_after set
1464 (in this case, ACQ_AFTER_SET = { mu1 }, LOCK = foo->mu1, BASE = foo),
1465 a call to pointer_set_contains(mu2_acquired_after_set, foo->mu1) would
1466 return false as it is "mu1", not "foo->mu1", in mu2's acquired_after set.
1467 Therefore we will need to iterate through each member of mu2's
1468 acquired_after set, reconstructing the lock name with the BASE (which is
1469 foo in this example), and check again. */
1471 static bool
1474 {
1483 /* Now that a simple call to pointer_set_contains returns false and
1484 the LOCK appears to be a class member (as BASE is not null),
1485 we need to look at each element of ACQ_AFTER_SET, reconstructing
1486 their names, and check again. */
1499 }
1501 /* Returns the base object if EXPR is a component ref tree,
1502 NULL_TREE otherwise.
1504 Note that this routine is different from get_base_address or
1505 get_base_var in that, for example, if we have an expression x[5].a,
1506 this routine will return x[5], while the other two routines will
1507 return x. Also if the expr is b[3], this routine will return NULL_TREE
1508 while the other two will return b. */
1510 static tree
1512 {
1517 else
1519 }
1521 /* Given an expression, EXPR, returns the leftmost operand/base of EXPR.
1522 For example, if EXPR is 'a.b->c[2]', it will return 'a'. Unlike
1523 get_base_var, this routine allows the leftmost var to be a field decl. */
1525 tree
1527 {
1531 }
1533 /* This is helper function passed in (as a parameter) to pointer_set_traverse
1534 when we traverse live lock sets to check for acquired_after requirement.
1535 This function should not be called by other functions. The parameter
1536 LIVE_LOCK is a member of the live lock set we are traversing, and parameter
1537 LOCK is the lock we are about to add to the live lock set.
1538 In this function, we first check if LIVE_LOCK is in the acquired_after
1539 set of LOCK. If so, that's great (but we will also check whether LOCK is
1540 in LIVE_LOCK's acquired_after set to see if there is a cycle in the
1541 after_after relationship). Otherwise, we will emit a warning. */
1543 static bool
1545 {
1547 tree lock_decl;
1548 tree base;
1551 tree live_lock_decl;
1555 /* If lock_acquired_after_map is never created, which means the user code
1556 doesn't contain any acquired_after attributes, then simply return.
1557 This should be changed later if we decide to warn about unspecified
1558 locking order for two locks held simultaneously by a thread. */
1562 /* Since the lock_acquired_after_map is keyed by the decl tree of
1563 the lock variable (see handle_acquired_after_attribute() in c-common.c),
1564 we cannot use the full expression of the lock to look up the
1565 lock_acquired_after_map. Instead, we need to get the lock decl
1566 component of the expression. e.g. If the lock is a[2].foo->mu,
1567 we cannot use the whole expression tree. We have to use the decl tree
1568 of mu. */
1571 entry = (lock_decl
1574 /* Check if LIVE_LOCK is in LOCK's acquired_after set. */
1575 live_lock_in_locks_acq_after_set = (entry
1583 entry = (live_lock_decl
1586 /* Check if LOCK is in LIVE_LOCK's acquired_after set. */
1587 lock_in_live_locks_acq_after_set = (entry
1593 {
1594 /* When LIVE_LOCK is not in LOCK's acquired_after set, we will emit
1595 warning messages only when LIVE_LOCK is annotated as being acquired
1596 after LOCK. Basically what we are saying here is that if the two
1597 locks don't have an acquired_after relationship based on the
1598 annotations (attributes), we will not check for (and warn about)
1599 their locking order. This is an escape hatch for locks that could
1600 be held simultaneously but their acquisition order is not expressible
1601 using the current attribute/annotation scheme. */
1603 {
1612 else
1618 }
1620 }
1630 }
1632 /* Main driver to check the lock acquisition order. LOCK is the lock we are
1633 about to add to the live lock set. LIVE_EXCL_LOCKS and LIVE_SHARED_LOCKS
1634 are the current live lock sets. LOCUS is the source location at which LOCK
1635 is acquired. */
1637 static void
1642 {
1649 }
1651 /* Given a CALL expr and an integer constant tree POS_ARG that specifies the
1652 argument position, returns the corresponding argument by iterating
1653 through the call's actual parameter list. */
1655 static tree
1657 {
1665 /* The ipa-sra optimization can occasionally delete arguments, thus
1666 invalidating the index. */
1668 {
1671 else
1673 }
1675 /* The lock position specified in the attributes is 1-based, so we need to
1676 subtract 1 from it when accessing the call arguments. */
1678 }
1680 /* Given a call (CALL) and its function decl (FDECL), return the actual
1681 argument that corresponds to the given formal parameter (PARAM_DECL). */
1683 static tree
1685 {
1686 tree parm;
1690 parm;
1696 }
1699 /* A helper function that adds the LOCKABLE, acquired by CALL, to the
1700 corresponding lock sets (LIVE_EXCL_LOCKS or LIVE_SHARED_LOCKS) depending
1701 on the boolean parameter IS_EXCLUSIVE_LOCK. If the CALL is a trylock call,
1702 create a trylock_info data structure which will be used later. */
1704 static void
1709 {
1713 {
1714 /* Insert the lock to either exclusive or shared live lock set. */
1717 else
1719 }
1720 else
1721 {
1722 /* If the primitive is a trylock, create a trylock_info structure and
1723 insert it to trylock_info_map, which will be used later when we
1724 analyze the if-statement whose condition is fed by the trylock. */
1728 {
1733 }
1734 else
1735 {
1739 }
1741 }
1742 }
1744 /* This function handles function calls that acquire or try to acquire
1745 locks (i.e. the functions annotated with exclusive_lock, shared_lock,
1746 exclusive_trylock, or shared_trylock attribute). Besides adding to the
1747 live lock sets the lock(s) it acquires (except for trylock calls), this
1748 function also does the following:
1750 - Checks the lock acquisition order between the lock it acquires and
1751 existing live locks.
1753 - Checks if any existing live lock is being acquired again
1754 (i.e. re-entered).
1756 - If the function call is a constructor of a scoped lock, adds an entry
1757 with the acquired lock to scopedlock_to_lock_map.
1759 - If the function call is a trylock, creates a trylock_info structure and
1760 inserts it to trylock_info_map.
1762 - Records the source location of this function call in lock_locus_map
1763 (as this is where the lock is acquired).
1765 This function handles one lock at a time, so if a locking primitive
1766 acquires multiple locks, this function is called multiple times (see
1767 process_function_attrs() below).
1769 Besides the call itself (CALL), we also pass in the function decl (FDECL).
1770 While the function decl of a call can be easily extracted by calling
1771 gimple_call_fndecl in most cases, it becomes a bit tricky when the function
1772 is virtual as gimple_call_fndecl will simply return NULL. We will need to
1773 get the function decl through the reference object in this case.
1774 Since we have already done all the things necessary to get the function
1775 decl earlier (see handle_call_gs()), instead of doing the whole dance again
1776 here, we might as well pass in the function decl that we extracted earlier.
1778 The lock to be acquired is either the base object (i.e. BASE_OBJ)
1779 when the primitive is a member function of a lockable class (e.g. "mu" in
1780 mu->Lock()), or specified by an attribute parameter and passed in as ARG.
1781 If ARG is an integer constant, it specifies the position of the primitive's
1782 argument that corresponds to the lock to be acquired. */
1784 static void
1790 {
1793 tree lockable;
1794 tree lockable_type;
1796 /* If ARG is not NULL, it specifies the lock to acquire. Otherwise,
1797 BASE_OBJ is the lock. */
1801 {
1802 /* If the arg is the universal lock (represented as the error_mark_node),
1803 we don't need to do all the checks mentioned in the comments above.
1804 Just add it to the lock set and return. */
1808 }
1809 /* When ARG is an integer that specifies the position of the
1810 call's argument corresponding to the lock, or if its leftmost base is
1811 a formal parameter, we need to grab the corresponding actual argument
1812 of the call. */
1814 {
1816 /* If ipa-sra has rewritten the call, then recover as gracefully as
1817 possible. */
1819 {
1820 /* Add the universal lock to the lockset to suppress subsequent
1821 errors. */
1824 else
1833 }
1834 }
1836 {
1837 tree new_base
1841 }
1848 NULL_TREE);
1850 /* If there are unbound locks when the thread safety attributes were parsed,
1851 we should try to bind them now if we see any lock declaration that
1852 matches the name of the unbound lock. */
1857 {
1862 }
1869 /* Check if the lock primitive is actually a constructor of a scoped lock.
1870 If so, insert to scopedlock_to_lock_map the scoped lock object along
1871 with the lock it acquires. */
1873 && lockable_type
1875 {
1877 {
1885 }
1886 }
1888 /* Check if the lock is already held. */
1891 {
1893 {
1901 else
1906 }
1907 /* Normally when we have detected a lock re-entrant issue here, we can
1908 simply return. However, if this primitive is a trylock, we still
1909 need to create an entry in the trylock_info_map (which will happen
1910 later) regardless. Otherwise, the assertion that every trylock call
1911 always has an entry in the map will fail later. */
1914 }
1916 /* Check the lock acquisition order. */
1919 /* Record the source location where the lock is acquired. */
1927 }
1929 /* A helper function that removes the LOCKABLE from either LIVE_EXCL_LOCKS or
1930 LIVE_SHARED_LOCKS, and returns the canonical form of LOCKABLE. If LOCKABLE
1931 does not exist in either lock set, return NULL_TREE. */
1933 static tree
1936 {
1937 tree lock_contained;
1939 /* Try to remove the actual lock. */
1950 /* If either of lock sets contains the universal lock, then pretend that
1951 we've removed it, to avoid a warning about unlocking a lock that was
1952 not acquired. */
1960 }
1962 /* This function handles function calls that release locks (i.e. the
1963 functions annotated with the "unlock" attribute). Besides taking the
1964 lock out of the live lock set, it also checks whether the user code
1965 is trying to release a lock that's not currently held. For the
1966 explanations on parameters FDECL, ARG, and BASE_OBJ, please see the
1967 comments for handle_lock_primitive_attrs above. */
1969 static void
1973 {
1978 tree lock_released;
1981 /* Check if the unlock attribute specifies a lock or the position of the
1982 primitive's argument corresponding to the lock. */
1984 {
1985 /* When ARG is an integer that specifies the position of the
1986 call's argument corresponding to the lock, or if its leftmost base is
1987 a formal parameter, we need to grab the corresponding actual argument
1988 of the call. */
1990 {
1992 /* If ipa-sra has rewritten the call, then fail as gracefully as
1993 possible -- just leave the lock in the lockset. */
1995 {
2001 }
2002 }
2004 {
2008 }
2011 else
2016 }
2017 else
2018 {
2019 /* If ipa-sra has killed arguments, then base_obj may be NULL.
2020 Attempt to recover gracefully by leaving the lock in the lockset. */
2022 {
2030 }
2032 /* Check if the primitive is an unlock routine (e.g. the destructor or
2033 a release function) of a scoped_lock. If so, get the lock that is
2034 being released from scopedlock_to_lock_map. */
2036 {
2040 /* A scoped lock should be a local variable. */
2042 {
2044 scoped_lock);
2046 {
2049 /* Since this is a scoped lock, if the unlock routine is
2050 not the destructor, we assume it is a release function
2051 (e.g. std::unique_lock::release()). And therefore the
2052 lock is considered weakly released and should be added
2053 to the weak released lock set. */
2056 }
2057 }
2058 }
2059 /* If the function is not a destructor of a scoped_lock, base_obj
2060 is the lock. */
2064 NULL_TREE);
2065 }
2067 /* Remove the lock from the live lock set and, if it is not currently held,
2068 warn about the issue. */
2070 live_shared_locks))
2072 {
2074 {
2077 }
2078 }
2083 {
2084 /* If the unlock function is not a weak release and the lock is currently
2085 in the weak release set, we need to remove it from the set as it is
2086 no longer considered weakly released after this point. */
2088 }
2093 }
2095 /* A helper function for handling function "locks_excluded" attribute.
2096 Check if LOCK is in the current live lock sets and emit warnings if so.
2098 LOCK: the lock being examined.
2099 FDECL: function decl of the call.
2100 BASE_OBJ: base object if FDECL is a method (member function).
2101 LIVE_EXCL_LOCKS: current live exclusive lock set.
2102 LIVE_SHARED LOCKS: current live shared lock set.
2103 LOCUS: location info of the call. */
2105 static void
2110 {
2111 tree lock_contained;
2113 /* LOCK could be NULL if the front-end/parser cannot recognize it.
2114 Simply ignore it and return. */
2118 /* When the base obj tree is not an ADDR_EXPR, which means it is a
2119 pointer (i.e. base->foo() or foo(base)), we will need to create
2120 a new base that is INDIRECT_REF so that we would be able to form
2121 a correct full expression for a lock later. On the other hand,
2122 if the base obj is an ADDR_EXPR (i.e. base.foo() or foo(&base)),
2123 we need to remove the address-taken operation. */
2125 {
2128 NULL_TREE);
2130 {
2134 canon_base);
2135 /* If the base object is neither an ADDR_EXPR, nor a pointer,
2136 and DECL is a cloned method, most likely we have done IPA-SRA
2137 optimization, where reference parameters are changed to be
2138 passed by value. So in this case, just use the CANON_BASE. */
2141 else
2143 }
2144 else
2146 }
2150 NULL_TREE);
2152 /* Check if the excluded lock is in the live lock sets when the
2153 function is called. If so, issue a warning. */
2158 {
2168 else
2174 }
2175 }
2177 /* Function lock requirement type. */
2180 FLR_EXCL_LOCK_REQUIRED,
2181 FLR_SHARED_LOCK_REQUIRED,
2182 FLR_LOCK_EXCLUDED
2183 };
2185 /* Handle function lock requirement attributes ("exclusive_locks_required",
2186 "shared_locks_required", and "locks_excluded").
2188 CALL: function/method call that's currently being examined.
2189 FDECL: function/method decl of the call.
2190 BASE_OBJ: base object if FDECL is a method (member function).
2191 ATTR: attribute of type FUNC_LOCK_REQ_TYPE.
2192 REQ_TYPE: function lock requirement type.
2193 LIVE_EXCL_LOCKS: current live exclusive lock set.
2194 LIVE_SHARED LOCKS: current live shared lock set.
2195 LOCUS: location info of the call. */
2197 static void
2203 {
2204 tree arg;
2205 tree lock;
2208 {
2212 /* If lock is the error_mark_node, just set it to NULL_TREE so that
2213 we will reduce the level of checking later. (i.e. Only check whether
2214 there is any live lock at this point in check_lock_required and
2215 ignore the lock in check_func_lock_excluded.) */
2219 {
2221 /* Ignore attribute if ipa-sra has killed the argument. */
2224 /* If the lock is a function argument, we don't want to
2225 prepend the base object to the lock name. Set the
2226 TMP_BASE_OBJ to NULL. */
2228 }
2229 /* If LOCK's leftmost base is a formal parameter, we need to grab the
2230 corresponding actual argument of the call and replace the formal
2231 parameter with the actual argument in LOCK. */
2233 {
2238 }
2250 else
2251 {
2255 }
2256 }
2257 }
2259 /* The main routine that handles the thread safety attributes for
2260 functions. CALL is the call expression being analyzed. FDECL is its
2261 corresponding function decl tree. LIVE_EXCL_LOCKS and LIVE_SHARED_LOCKS
2262 are the live lock sets when the control flow reaches this call expression.
2263 LOCUS is the source location of the call expression. */
2265 static void
2269 {
2280 /* First check if the function call is annotated with any escape-hatch
2281 related attributes and set/reset the corresponding flags if so. */
2295 /* If the given function is a clone, and if some of the parameters of the
2296 clone have been optimized away, then the function attribute is no longer
2297 correct, and we should suppress certain warnings. Clones are often created
2298 when -fipa-sra is enabled, which happens by default at -O2 starting from
2299 GCC-4.5. The clones could be created as early as when constructing SSA.
2300 ipa-sra is particularly fond of optimizing away the "this" pointer,
2301 which is a problem because that makes it impossible to determine the
2302 base object, which then causes spurious errors. It's better to just
2303 remain silent in this case. */
2311 /* If the function is a class member, the first argument of the function
2312 (i.e. "this" pointer) would be the base object. Note that here we call
2313 DECL_ORIGIN on fdecl first before we check whether it's a METHOD_TYPE
2314 because if fdecl is a cloned method, the TREE_CODE of its type would be
2315 FUNCTION_DECL instead of METHOD_DECL, which would lead us to not grab
2316 its base object. */
2321 /* Check whether this is a locking primitive of any kind. */
2324 {
2327 }
2330 {
2333 }
2336 {
2339 }
2342 {
2345 }
2347 /* Handle locking primitives */
2349 {
2351 {
2354 /* If the locking primitive is a trylock, the first argument of
2355 the attribute specifies the return value of a successful lock
2356 acquisition. */
2358 {
2362 }
2364 /* If the primitive is a trylock, after we consume the first
2365 argument of the attribute, there might not be any argument
2366 left. So we need to check if arg is NULL again here. */
2368 {
2369 /* If the locking primitive attribute specifies multiple locks
2370 in its arguments, we iterate through the argument list and
2371 handle each of the locks individually. */
2377 }
2378 else
2379 {
2380 /* If the attribute does not have any argument left, the lock to
2381 be acquired is the base obj (e.g. "mu" in mu->TryLock()). */
2385 locus);
2386 }
2387 /* If the primitive is a trylock, fill in the return value on
2388 successful lock acquisition in the trylock_info that was
2389 created in handle_lock_primitive_attrs. */
2391 {
2397 }
2398 }
2399 else
2400 {
2401 /* If the attribute does not have any argument, the lock to be
2402 acquired is the base obj (e.g. "mu" in mu->Lock()). */
2407 locus);
2408 }
2409 }
2410 /* Handle unlocking primitive */
2413 {
2415 {
2416 /* If the unlocking primitive attribute specifies multiple locks
2417 in its arguments, we iterate through the argument list and
2418 handle each of the locks individually. */
2419 tree arg;
2421 {
2422 /* If the unlock arg is an error_mark_node, which means an
2423 unsupported lock name/expression was encountered during
2424 parsing, the conservative approach to take is not to check
2425 the lock acquire/release mismatch issue in the current
2426 function by setting the flag to 0. Note that the flag will
2427 be restored to its original value after finishing analyzing
2428 the current function. */
2430 {
2433 }
2436 }
2437 }
2438 else
2439 /* If the attribute does not have any argument, the lock to be
2440 released is the base obj (e.g. "mu" in mu->Unlock()). */
2443 }
2445 /* suppress warnings if the function arguments are no longer accurate. */
2447 {
2448 /* Handle the attributes specifying the lock requirements of
2449 functions. */
2453 FLR_EXCL_LOCK_REQUIRED,
2455 locus);
2460 FLR_SHARED_LOCK_REQUIRED,
2462 locus);
2467 FLR_LOCK_EXCLUDED,
2469 locus);
2470 }
2471 }
2473 /* The main routine that handles the attributes specifying variables' lock
2474 requirements. */
2476 static void
2481 {
2482 tree attr;
2484 /* A flag indicating whether the attribute is {point_to_}guarded_by with
2485 a lock specified or simply {point_to_}guarded. */
2492 {
2495 {
2499 }
2500 }
2501 else
2502 {
2505 {
2508 }
2509 }
2511 /* If the variable does not have an attribute specifying that it should
2512 be protected by a lock, simply return. */
2516 /* If the variable is a compiler-created temporary pointer, grab the
2517 original variable's decl from the debug expr (as we don't want to
2518 print out the temp name in the warnings. For reasons why we only
2519 need to do this for pointers, see lookup_tmp_var() in gimplify.c. */
2521 {
2525 }
2528 {
2532 }
2536 }
2538 /* This routine is called when we see an indirect reference in our
2539 analysis of expressions. In an indirect reference, the pointer itself
2540 is accessed as a read. The parameter MODE indicates how the memory
2541 location pointed to by the PTR is being accessed (either read or write). */
2543 static void
2547 {
2548 tree vdecl;
2550 /* The pointer itself is accessed as a read */
2555 {
2558 {
2564 }
2565 }
2566 else
2572 else
2577 }
2580 /* The main routine that handles gimple call statements. This will update
2581 the set of held locks.
2582 CALL -- the gimple call statement.
2583 CURRENT_BB_INFO -- a pointer to the lockset structures for the current
2584 basic block.
2585 */
2586 static void
2588 {
2593 tree arg;
2594 tree lhs;
2595 location_t locus;
2599 else
2602 /* The callee fndecl could be NULL, e.g., when the function is passed in
2603 as an argument. */
2605 {
2608 {
2609 /* If an object, x, is guarded by a lock, whether or not
2610 calling x.foo() requires an exclusive lock depends on
2611 if foo() is const. */
2616 /* A method should have at least one argument, i.e."this" pointer */
2620 /* If the base object (i.e. "this" object) is a SSA name of a temp
2621 variable, as shown in the following example (assuming the source
2622 code is 'base.method_call()'):
2624 D.5041_2 = &this_1(D)->base;
2625 result.0_3 = method_call (D.5041_2);
2627 we will need to get the rhs of the SSA def of the temp variable
2628 in order for the analysis to work correctly. */
2630 {
2634 {
2640 }
2641 }
2643 /* Analyze the base object ("this") if we are not instructed to
2644 ignore it. */
2647 {
2649 {
2650 /* Handle smart/scoped pointers. They are not actual
2651 pointers but they can be annotated with
2652 "point_to_guarded_by" attribute and have overloaded "->"
2653 and "*" operators, so we treat them as normal pointers. */
2661 else
2662 /* Handle the case of x.foo() or foo(&x) */
2667 rw_mode);
2668 }
2669 else
2670 {
2671 /* Handle the case of x->foo() or foo(x) */
2676 }
2677 }
2679 /* Advance to the next argument */
2682 }
2683 }
2685 /* Analyze the call's arguments if we are not instructed to ignore the
2686 reads. */
2688 && (!fdecl
2690 {
2692 {
2695 {
2696 /* In analyze_expr routine, an address-taken expr (e.g. &x) will
2697 be skipped because the variable itself is not actually
2698 accessed. However, if an argument which is an address-taken
2699 expr, say &x, is passed into a function for a reference
2700 parameter, we want to treat it as a use of x because this is
2701 what users expect and most likely x will be used in the
2702 callee body anyway. */
2705 {
2707 /* The argument could be an SSA_NAME. Try to get the rhs of
2708 its SSA_DEF. */
2710 {
2714 {
2721 }
2722 }
2723 /* For an argument which is an ADDR_EXPR, say &x, that
2724 corresponds to a reference parameter, remove the
2725 address-taken operator and only pass 'x' to
2726 analyze_expr. */
2729 }
2734 TSA_READ);
2735 }
2739 }
2740 }
2742 /* Analyze the call's lhs if it exists and we are not instructed to ignore
2743 the writes. */
2750 /* Process the attributes associated with the callee func decl.
2751 Note that we want to process the arguments first so that the callee
2752 func decl attributes have no effects on the arguments. */
2757 }
2759 /* The main routine that handles decls and expressions. It in turn calls
2760 other helper routines to analyze different kinds of trees.
2762 EXPR is the expression/decl being analyzed.
2763 BASE_OBJ is the base component of EXPR if EXPR is a component reference
2764 (e.g. b.a).
2765 EXCL_LOCKS and SHARED_LOCKS are the live lock sets when the control flow
2766 reaches EXPR.
2767 LOCUS is the source location of EXPR.
2768 MODE indicates whether the access is a read or a write. */
2770 static void
2775 {
2776 tree vdecl;
2779 {
2782 /* For an address-taken expression (i.e. &x), the memory location of
2783 the operand is not actually accessed. So no thread safe check
2784 necessary here. */
2789 {
2793 }
2795 /* For a component reference, we need to look at both base and
2796 component trees. */
2798 {
2806 }
2808 /* For all other expressions, just iterate through their operands
2809 and call analyze_expr on them recursively */
2812 {
2817 }
2820 }
2822 /* If EXPR is a ssa name, grab its original variable decl. */
2824 {
2826 /* If VDECL is a nameless temp variable and we are analyzing an indirect
2827 reference, we will need to grab and analyze the RHS of its SSA def
2828 because the RHS is the actual pointer that gets dereferenced.
2829 For example, in the following snippet of gimple IR, when we first
2830 analyzed S1, we only saw a direct access to foo.a_. Later, when
2831 analyzing the RHS of S2 (i.e. *D1803_1), which is an indirect
2832 reference, we need to look at foo.a_ again because what's really
2833 being referenced is *foo.a_.
2835 S1: D.1803_1 = foo.a_;
2836 S2: res.1_4 = *D.1803_1; */
2838 {
2844 }
2845 }
2848 else
2854 else
2857 }
2859 /* This is a helper function called by handle_cond_gs() to check if
2860 GS is a trylock call (or a simple expression fed by a trylock
2861 call that involves only logic "not" operations). And if so, grab and
2862 return the corresponding trylock_info structure. Otherwise, return NULL.
2863 In the process, *LOCK_ON_TRUE_PATH is set to indicate whether the true
2864 (control flow) path should be taken when the lock is successfully
2865 acquired. */
2869 {
2871 {
2873 {
2876 {
2879 }
2881 {
2882 /* If the expr is a logic "not" operation, negate the value
2883 pointed to by lock_on_true_apth and continue trace back
2884 the expr's operand. */
2888 }
2889 else
2891 }
2893 {
2896 /* The function decl could be null in some cases, e.g.
2897 a function pointer passed in as a parameter. */
2903 {
2907 }
2908 else
2910 }
2911 else
2913 }
2918 }
2920 /* This routine determines whether the given condition statment (COND_STMT) is
2921 fed by a trylock call through expressions involving only "not", "equal"
2922 "not-equal" operations. Here are several examples where the condition
2923 statements are fed by trylock calls:
2925 (1) if (mu.Trylock()) {
2926 ...
2927 }
2929 (2) bool a = mu.Trylock();
2930 bool b = !a;
2931 if (b) {
2932 ...
2933 }
2935 (3) int a = pthread_mutex_trylock(mu);
2936 bool b = (a == 1);
2937 if (!b) {
2938 ...
2939 }
2941 (4) int a = pthread_mutex_trylock(mu);
2942 bool b = (a != 0);
2943 bool c = b;
2944 if (c == true) {
2945 ...
2946 }
2948 If COND_STMT is determined to be fed by a trylock call, this routine
2949 populates the data structure pointed to by CURRENT_BB_INFO, and
2950 sets *LOCK_ON_TRUE_PATH to indicate whether the true (control flow) path
2951 should be taken when the lock is successfully acquired. */
2953 static void
2955 {
2965 /* We only handle condition expressions with "equal" or "not-equal"
2966 operations. */
2970 /* In the new gimple tuple IR, a single operand if-condition such as
2972 if (a) {
2973 }
2975 would be represented as
2977 GIMPLE_COND <NE_EXPR, a, 0, TRUE_LABEL, FALSE_LABEL>
2979 Here we are trying this case and grab the SSA definition of a. */
2985 {
2988 }
2990 /* Iteratively back-tracing the SSA definitions to determine if the
2991 condition expression is fed by a trylock call. If so, record the
2992 edge that indicates successful lock acquisition. */
2994 {
2996 {
2998 {
3001 }
3004 {
3008 }
3010 {
3015 }
3017 {
3021 {
3024 }
3027 {
3031 }
3034 {
3038 }
3039 else
3043 {
3045 /* Depending on the operation (eq or neq) and whether the
3046 succ_retval of the trylock is the same as the constant
3047 integer operand, we might need to toggle the value
3048 pointed to bylock_on_true_path. For example, if the
3049 succ_retval of TryLock() is 0 and the cond expression is
3050 (mu.TryLock() != 0), we need to negate the
3051 lock_on_true_path value. */
3061 else
3064 }
3065 else
3067 }
3068 else
3070 }
3072 {
3076 {
3078 /* If the succ_retval of the trylock is 0 (or boolean
3079 "false"), we need to negate the value pointed to by
3080 lock_on_true_path. */
3086 else
3089 }
3090 else
3092 }
3093 else
3095 }
3102 else
3104 }
3106 /* This is a helper function to populate the LOCK_SET with the locks
3107 specified in ATTR's arguments. */
3109 static void
3111 {
3112 tree arg;
3115 {
3118 /* If the lock is an integer specifying the argument position, grab
3119 the corresponding formal parameter. */
3121 {
3124 tree parm;
3126 parm;
3132 }
3134 /* Canonicalize the lock before we add it to the lock set. */
3139 /* Add the lock to the lock set. */
3142 /* If there are unbound locks when the thread safety attributes were
3143 parsed, we should try to bind them now if we see any lock declaration
3144 that matches the name of the unbound lock. */
3149 {
3154 }
3155 }
3156 }
3158 /* This is a helper function passed in (as a parameter) to pointer_set_traverse
3159 when we traverse the set containing locks that are not properly released
3160 and emit a warning message for each of them. By improper release, we meant
3161 the places these locks are released are not control equivalent to where
3162 they are acquired. The improperly-released lock set was calculated when we
3163 reach a joint point during the data flow analysis. Any lock that is not
3164 in all of the preceding basic blocks' live-out sets is considered not
3165 released locally. REPORTED set contains the locks for which we have
3166 already printed out a warning message. We use this set to avoid emitting
3167 duplicate warnings for a lock. Here is an example why duplicate warnings
3168 could be emitted if we don't keep a REPORTED set.
3170 B1:
3171 mu.Lock()
3173 / \ \
3174 / \ \
3175 B2: B3: B4:
3176 mu.Unlock()
3177 \ / /
3178 \ / /
3180 B5:
3182 When we reach B5, "mu" would be in the live out sets of B3 and B4, but
3183 not that of B2. If we do a live out set intersection between B2 and B3
3184 first, and then intersect the resulting set with B4's live out set, we
3185 could've emitted the warning message for "mu" twice if we had not kept
3186 a reported set. */
3188 static bool
3190 {
3199 /* If this unreleased lock has been reported or is a universal lock (i.e.
3200 error_mark_node), don't emit a warning message for it again. */
3203 {
3206 {
3214 }
3215 else
3217 OPT_Wthread_safety,
3224 }
3227 }
3229 /* This is a helper function passed in (as a parameter) to traverse_pointer_set
3230 when we iterate through the set of locks that are not released at the end
3231 of a function. A warning message is emitted for each of them unless they
3232 were not acquired in the current function (i.e. acquired before calling
3233 the current function). */
3235 static bool
3237 {
3238 /* If the unreleased lock was actually acquired before calling the current
3239 function, we don't emit a warning for it as the lock is not expected to
3240 be released in the current function anyway. Also if the lock is a
3241 universal lock (i.e. error_mark_node), don't emit a warning either. */
3244 {
3257 }
3260 }
3262 /* This is a helper function passed in (as a parameter) to
3263 pointer_map_traverse when we delete lock_locus_map. */
3265 static bool
3268 {
3271 }
3273 /* This is a helper function passed in (as a parameter) to
3274 pointer_map_traverse when we delete trylock_info_map. */
3276 static bool
3279 {
3285 }
3287 /* Helper function for walk_gimple_stmt() that is called on each gimple
3288 statement. Except for call statements and SSA definitions of namesless
3289 temp variables, the operands of the statements will be analyzed by
3290 analyze_op_r(). */
3292 static tree
3295 {
3301 {
3303 /* The arguments of the call is already analyzed in handle_call_gs.
3304 Set *handled_ops to true to skip calling analyze_op_r later. */
3306 }
3311 }
3313 /* Helper function for walk_gimple_stmt() that is called on each operand of
3314 a visited gimple statement. */
3316 static tree
3318 {
3324 location_t locus;
3326 /* Analyze the statement operand if we are not instructed to ignore the
3327 reads or writes and if it is not a constant. */
3331 {
3334 else
3340 }
3345 }
3347 /* Perform thread safety analysis using the attributes mentioned above
3348 (see comments at the beginning of the file). The analysis pass uses
3349 a single-pass (or single iteration) data-flow analysis to calculate
3350 live lock sets at each program point, using the attributes to decide
3351 when to add locks to the live sets and when to remove them from the
3352 sets. With the live lock sets and the attributes attached to shared
3353 variables and functions, we are able to check whether the variables
3354 and functions are well protected. Note that the reason why we don't
3355 need iterative data flow analysis is because critical sections across
3356 back edges are considered a bad practice.
3358 The single-iteration data flow analysis is performed by visiting
3359 each basic block only once in a topological order. The topological
3360 traversal is achieved by maintaining a work list (or ready list) which
3361 is seeded with the successors of the function's entry block. A basic
3362 block is added to the work list when all of its predecessors have been
3363 visited. During the traversal, back edges are ignored. */
3365 static unsigned int
3367 {
3369 basic_block bb;
3370 edge e;
3371 edge_iterator ei;
3372 tree fdecl_attrs;
3376 tree attr;
3381 /* Skip the compiler-generated functions. */
3385 /* Constructors and destructors should only be accessed by a single
3386 thread and therefore are ignored here. */
3391 /* If the current function is annotated as a locking or unlocking primitive,
3392 or if it is marked to be skipped (with no_thread_safety_analysis
3393 attribute), ignore it. */
3403 /* If this is the first function of the current compilation unit, we need
3404 to build the transitive acquired_after sets for the locks. */
3406 {
3409 }
3411 /* Mark the back edges in the cfg so that we can skip them later
3412 in our (single-iteration) data-flow analysis. */
3415 /* Allocate lock-related global maps. */
3421 /* Initialize the pretty printer buffer for warning emitting. */
3424 /* Allocate the threadsafe info array.
3425 Use XCNEWVEC to clear out the info. */
3428 /* Since the back/complex edges are not traversed in the analysis,
3429 mark them as visited. */
3431 {
3433 {
3436 }
3437 }
3439 /* Populate ENTRY_BLOCK's live out sets with "exclusive_locks_required"
3440 and "shared_locks_required" attributes. */
3455 live_excl_locks_at_entry;
3457 live_shared_locks_at_entry;
3462 /* Allocate the worklist of BBs for topological traversal, which is
3463 basically an array of pointers to basic blocks. */
3466 /* Seed the worklist by adding the successors of the entry block
3467 to the worklist. */
3469 {
3471 }
3473 /* The basic blocks in the current function are traversed in a topological
3474 order. Both "visit_ptr" and "append_ptr" are indices to the worklist
3475 array and initialized to zero. "append_ptr" is incremented whenever a BB
3476 is added to the work list, while "visit_ptr" is incremented when we
3477 visit a BB. When "visit_ptr" catches up with "append_ptr", the traversal
3478 is done. */
3480 {
3483 gimple_stmt_iterator gsi;
3489 /* First create the live-in lock sets for bb by intersecting all of its
3490 predecessors' live-out sets */
3492 {
3498 /* Skip the back/complex edge. */
3502 /* If this is the first predecessor of bb's, simply copy the
3503 predecessor's live-out sets and reads/writes_ignored flags
3504 to bb's live (working) sets and corresponding flags. */
3506 {
3517 /* If the pred bb has a trylock call and its edge to the current
3518 bb is the one for successful lock acquisition, add the
3519 trylock live sets to the bb's live working sets. */
3521 {
3533 }
3535 }
3538 pred_liveout_excl_locks =
3540 pred_liveout_shared_locks =
3543 /* If the pred bb has a trylock call and its edge to the current
3544 bb is the one for successful lock acquisition, add the
3545 trylock live sets to the pred bb's live-out sets. */
3547 {
3550 /* The following code will clobber the original contents of
3551 edge_exclusive_locks set and/or edge_shared_locks set of
3552 the pred bb, but that is fine because they will not be
3553 used in the future (as this edge is visited only once in
3554 our single-iteration data-flow analysis). */
3556 {
3557 pred_liveout_excl_locks =
3561 }
3564 {
3565 pred_liveout_shared_locks =
3569 }
3570 }
3572 /* Logical-and'ing the current BB's reads/writes_ignored flags with
3573 predecessor's flags. These flags will be true at the beginning
3574 of a BB only when they are true at the end of all the
3575 precedecessors. */
3581 /* Intersect the current (working) live set with the predecessor's
3582 live-out set. Locks that are not in the intersection (i.e.
3583 complement set) should be reported as improperly released. */
3586 pred_liveout_excl_locks,
3587 unreleased_locks);
3590 pred_liveout_shared_locks,
3591 unreleased_locks);
3593 /* Take the union of the weak released lock sets of the
3594 predecessors. */
3599 /* If a lock is released by a Release function of a scoped lock on
3600 some control-flow paths (but not all), the lock would still be
3601 live on other paths, which is OK as the destructor of the scoped
3602 lock will eventually release the lock. We don't want to emit
3603 bogus warnings about the release inconsistency at the
3604 control-flow join point. To avoid that, we simply add those
3605 weakly-released locks in the REPORTED_UNRELEASED_LOCKS set. */
3607 reported_unreleased_locks,
3610 /* Emit warnings for the locks that are not properly released.
3611 That is, the places they are released are not control
3612 equivalent to where they are acquired. */
3615 warn_locally_unreleased_locks,
3616 reported_unreleased_locks);
3619 }
3624 /* Now iterate through each statement of the bb and analyze its
3625 operands. */
3627 {
3632 }
3634 /* Now that we have visited the current bb, check if any of its
3635 successors can be added to the work list. */
3637 {
3638 basic_block succ_bb;
3642 /* Since we skip the back edges, we shouldn't see a visited basic
3643 block again here. */
3648 }
3654 }
3656 /* If there are still live locks at the end of the function that are held
3657 at the entry of the function (i.e. not in the function's locks_required
3658 sets), emit warning messages for them.
3659 Note that the exit block may not be reachable from the entry (e.g. when
3660 there are abort() or exit() calls that collectively dominate the exit
3661 block). We need to check whether its liveout_exclusive_locks and
3662 liveout_shared_locks are empty before trying to traverse them.
3663 TODO: Besides the exit block, we also need to check the basic blocks
3664 that don't have any successors as they are practically "exit" blocks
3665 as well. */
3667 {
3676 }
3678 /* Free the allocated data structures. */
3680 {
3682 {
3685 }
3692 }
3706 /* The flag that controls the warning of mismatched lock acquire/release
3707 could be turned off when we see an unlock primitive with an unsupported
3708 lock name/expression (see process_function_attrs). We need to restore
3709 the original value of the flag after we finish analyzing the current
3710 function. */
3715 }
3717 static bool
3719 {
3721 }
3724 {
3725 {
3726 GIMPLE_PASS,
3738 TODO_dump_func /* todo_flags_finish */
3739 }
3740 };