[clang] Thread Safety Analysis: Warn when using negative reentrant capability (PR #141599)

Aaron Puchert via cfe-commits cfe-commits at lists.llvm.org
Sun Jul 13 13:47:29 PDT 2025


aaronpuchert wrote:

> > On a related note, do we emit `-Wthread-safety-negative` for reentrant locks? I don't remember that we carved out an exception for that, and we probably should.
> 
> We do - and it's deliberate on my part as I've been trying to indicate that there might be valid use cases for that. While conceptually contradictory, there might be cases where developers want to ensure a reentrant mutex is NOT held before entering a function.

Correct me if I'm wrong, but in my understanding, `-Wthread-safety-negative` is not a prerequisite for using negative capabilities in the manner you describe. The [only warning message under that flag](https://clang.llvm.org/docs/DiagnosticsReference.html#wthread-safety-negative) is "acquiring _A_ ‘_B_’ requires negative capability ‘_C_’", which warns when we're _acquiring_ the mutex without holding the negative capability:
```c++
// Minimal annotation setup (added so the snippet is self-contained; the Foo
// class below is as posted). Check the diagnostics with:
//   clang++ -fsyntax-only -Wthread-safety -Wthread-safety-negative example.cpp
#define REQUIRES(...) __attribute__((requires_capability(__VA_ARGS__)))

class __attribute__((capability("mutex"))) Mutex
{
public:
  void Lock() __attribute__((acquire_capability()));
  void Unlock() __attribute__((release_capability()));
};

class Foo
{
  Mutex mu;

public:
  void direct()
  {
    mu.Lock();   // warning: acquiring mutex 'mu' requires negative capability '!mu' [-Wthread-safety-negative]
    mu.Unlock();
  }

  void indirect()
  {
    requireNegative(); // warning: calling function 'requireNegative' requires holding '!mu' [-Wthread-safety-analysis]
  }

  void requireNegative() REQUIRES(!mu);
};
```
Note that the warnings are under different flags. You seem to want the second one, which is under `-Wthread-safety-analysis`. But do we want the first one? That would seem contradictory.

https://github.com/llvm/llvm-project/pull/141599
