[cfe-dev] Strange "release_shared_capability" behavior in Clang thread safety analysis

Jason Henline via cfe-dev cfe-dev at lists.llvm.org
Fri Jul 29 10:29:30 PDT 2016 

While experimenting with Clang's thread safety analysis (
http://clang.llvm.org/docs/ThreadSafetyAnalysis.html) I ran into a compiler
warning I didn't understand. It seems that the release_shared_capability
attribute is not doing what I expect. The code to reproduce is below:

// Begin file: getvalue.cc
// Fake mutex class.
class __attribute__((capability("mutex"))) mutex {
public:
  void SharedLock() __attribute__((acquire_shared_capability())) {
    // Do nothing for this fake mutex.
  }
  void SharedUnlock() __attribute__((release_shared_capability())) {
    // Do nothing for this fake mutex.
  }
};

// Scoped lock class to do RAII locking for the fake mutex class above.
class __attribute__((scoped_lockable)) mutex_lock {
public:
  mutex_lock(mutex *Mutex) __attribute__((acquire_shared_capability(Mutex)))
  : Mutex(Mutex) {
    Mutex->SharedLock();
  }
  ~mutex_lock() __attribute__((release_shared_capability())) {
    Mutex->SharedUnlock();
  }

private:
  mutex *Mutex;
};

// Global mutex and a corresponding value for it to protect.
mutex Mutex;
int Value __attribute__((guarded_by(Mutex))) = 42;

// Explicitly lock and unlock the mutex to read the value.
int getValueExplicitUnlock() {
  Mutex.SharedLock();
  int LocalValue = Value;
  Mutex.SharedUnlock();
  return LocalValue;
}

// Use the scoped lock class to lock and unlock the mutex.
// This is where the problem happens.
int getValueScopedLock() {
  mutex_lock Lock(&Mutex);
  return Value;
}
// End file: getvalue.cc

Compiling with tip-of-tree clang with the -Wthread-safety flag, I get the
following warning:

# Begin shell session
$ clang++ -Wthread-safety -c getvalue.cc
getvalue.cc:37:10: warning: releasing mutex 'Lock' using shared access,
expected exclusive access
      [-Wthread-safety-analysis]
  return Value;
         ^
1 warning generated.
# End shell session

So there is a problem with my scoped lock in the getValueScopedLock
function, but there is no problem with the explicit locking and unlocking
in my getValueExplicitUnlock function.

The warning goes away if I switch the annotation on the ~mutex_lock
destructor to "release_capability" instead of "release_shared_capability".
Is this the expected behavior? It seems like an "acquire_shared_capability"
should be paired with a "release_shared_capability".

I also found a stack overflow question where someone else ran into this
problem:
http://stackoverflow.com/questions/33608378/clang-thread-safety-annotation-and-shared-capabilities
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20160729/107969c9/attachment.html>

More information about the cfe-dev mailing list