Thread Safety Analysis: Support passing scoped locks between functions with appropriate annotations

This is helpful when multiple functions operate on the same
capabilities, but we still want to use scoped lockable types for
readability and exception safety.
- Introduce support for thread safety annotations on function parameters
  marked with the 'scoped_lockable' attribute.
- Add semantic checks for annotated function parameters, ensuring
  correct usage.
- Enhance the analysis to recognize and handle parameters annotated for
  thread safety, extending the scope of analysis to track these across
  function boundries.
- Verify that the underlying mutexes of function arguments match the
  expectations set by the annotations.
Limitation: This does not work when the attribute arguments are class
members, because attributes on function parameters are parsed
differently from attributes on functions.

Author: malek203

clang/docs/ThreadSafetyAnalysis.rst

@@ -216,13 +216,14 @@ the scoped capability manages the specified capabilities in the given order.
 
   void require(MutexLocker& scope REQUIRES(mu1)) {
     scope.Unlock();
-    a = 0; // Warning!  Requires mu1.
+    a=0; // Warning!  Requires mu1.
     scope.Lock();
   }
 
   void testParameter() {
-    MutexLocker scope(&mu1), scope2(&mu2);
-    require(scope2); // Warning! Mutex managed by 'scope2' is 'mu2' instead of 'mu1'
+    MutexLocker scope(&mu1);
+    MutexLocker scope2(&mu2);
+    require(scope2); // Warning! Mutex managed by 'scope' is 'mu2' instead of 'mu1'
     require(scope); // OK.
     scope.Unlock();
     require(scope); // Warning!  Requires mu1.
@@ -336,7 +337,7 @@ the scoped capability manages the specified capabilities in the given order.
     mu.Unlock();
   }
 
-  void exclude(MutexLocker& scope LOCKS_EXCLUDED(mu)) {
+  void exclude(MutexLocker& scope LOCKS_EXCLUDED(mu)){
     scope.Unlock(); // Warning! mu is not locked.
     scope.Lock();
   } // Warning! mu still held at the end of function.

clang/include/clang/Analysis/Analyses/ThreadSafety.h

@@ -268,8 +268,7 @@ class ThreadSafetyHandler {
   virtual void handleExpectFewerUnderlyingMutexes(SourceLocation Loc,
                                                   SourceLocation DLoc,
                                                   Name ScopeName,
-                                                  StringRef Kind, Name Actual) {
-  }
+                                                  StringRef Kind, Name Actual) {}
 
   /// Warn that L1 cannot be acquired before L2.
   virtual void handleLockAcquiredBefore(StringRef Kind, Name L1Name,

clang/lib/Analysis/ThreadSafety.cpp

@@ -126,8 +126,8 @@ class FactEntry : public CapabilityExpr {
   SourceLocation AcquireLoc;
 
 public:
-  FactEntry(FactEntryKind FK, const CapabilityExpr &CE, LockKind LK,
-            SourceLocation Loc, SourceKind Src)
+  FactEntry(FactEntryKind FK, const CapabilityExpr &CE, LockKind LK, SourceLocation Loc,
+            SourceKind Src)
       : CapabilityExpr(CE), Kind(FK), LKind(LK), Source(Src), AcquireLoc(Loc) {}
   virtual ~FactEntry() = default;
 
@@ -1969,7 +1969,7 @@ void BuildLockset::handleCall(const Expr *Exp, const NamedDecl *D,
     else
       llvm_unreachable("Unknown call kind");
   }
-  const auto *CalledFunction = dyn_cast<FunctionDecl>(D);
+  const FunctionDecl *CalledFunction = dyn_cast<FunctionDecl>(D);
   if (CalledFunction && Args.has_value()) {
     for (auto [Param, Arg] : zip(CalledFunction->parameters(), *Args)) {
       CapExprSet DeclaredLocks;
@@ -1980,7 +1980,7 @@ void BuildLockset::handleCall(const Expr *Exp, const NamedDecl *D,
           Analyzer->getMutexIDs(A->isShared() ? SharedLocksToAdd
                                               : ExclusiveLocksToAdd,
                                 A, Exp, D, Self);
-          Analyzer->getMutexIDs(DeclaredLocks, A, Exp, D, Self);
+          Analyzer->getMutexIDs(DeclaredLocks, A, nullptr, Param);
           break;
         }
 
@@ -1992,7 +1992,7 @@ void BuildLockset::handleCall(const Expr *Exp, const NamedDecl *D,
             Analyzer->getMutexIDs(SharedLocksToRemove, A, Exp, D, Self);
           else
             Analyzer->getMutexIDs(ExclusiveLocksToRemove, A, Exp, D, Self);
-          Analyzer->getMutexIDs(DeclaredLocks, A, Exp, D, Self);
+          Analyzer->getMutexIDs(DeclaredLocks, A, nullptr, Param);
           break;
         }
 
@@ -2002,31 +2002,30 @@ void BuildLockset::handleCall(const Expr *Exp, const NamedDecl *D,
             Analyzer->warnIfMutexNotHeld(FSet, D, Exp,
                                          A->isShared() ? AK_Read : AK_Written,
                                          Arg, POK_FunctionCall, Self, Loc);
-          Analyzer->getMutexIDs(DeclaredLocks, A, Exp, D, Self);
+          Analyzer->getMutexIDs(DeclaredLocks, A, nullptr, Param);
           break;
         }
 
         case attr::LocksExcluded: {
           const auto *A = cast<LocksExcludedAttr>(At);
           for (auto *Arg : A->args())
             Analyzer->warnIfMutexHeld(FSet, D, Exp, Arg, Self, Loc);
-          Analyzer->getMutexIDs(DeclaredLocks, A, Exp, D, Self);
+          Analyzer->getMutexIDs(DeclaredLocks, A, nullptr, Param);
           break;
         }
 
         default:
           break;
         }
       }
-      if (DeclaredLocks.empty())
+      if (DeclaredLocks.size() == 0)
         continue;
-      CapabilityExpr Cp(Analyzer->SxBuilder.translate(Arg, nullptr),
-                        StringRef("mutex"), false);
+      CapabilityExpr Cp = Analyzer->SxBuilder.translateAttrExpr(Arg, nullptr);
       if (const auto *CBTE = dyn_cast<CXXBindTemporaryExpr>(Arg->IgnoreCasts());
           Cp.isInvalid() && CBTE) {
         if (auto Object = Analyzer->ConstructedObjects.find(CBTE->getSubExpr());
             Object != Analyzer->ConstructedObjects.end())
-          Cp = CapabilityExpr(Object->second, StringRef("mutex"), false);
+          Cp = CapabilityExpr(Object->second, StringRef(), false);
       }
       const FactEntry *Fact = FSet.findLock(Analyzer->FactMan, Cp);
       if (!Fact) {
@@ -2035,7 +2034,8 @@ void BuildLockset::handleCall(const Expr *Exp, const NamedDecl *D,
                                              Exp->getExprLoc());
         continue;
       }
-      const auto *Scope = cast<ScopedLockableFactEntry>(Fact);
+      const auto *Scope =
+          cast<ScopedLockableFactEntry>(Fact);
       for (const auto &[a, b] :
            zip_longest(DeclaredLocks, Scope->getUnderlyingMutexes())) {
         if (!a.has_value()) {
@@ -2046,7 +2046,7 @@ void BuildLockset::handleCall(const Expr *Exp, const NamedDecl *D,
           Analyzer->Handler.handleExpectMoreUnderlyingMutexes(
               Exp->getExprLoc(), D->getLocation(), Scope->toString(),
               a.value().getKind(), a.value().toString());
-        } else if (!a.value().equals(b.value())) {
+        } else if (!a.value().matches(b.value())) {
           Analyzer->Handler.handleUnmatchedUnderlyingMutexes(
               Exp->getExprLoc(), D->getLocation(), Scope->toString(),
               a.value().getKind(), a.value().toString(), b.value().toString());
@@ -2541,7 +2541,7 @@ void ThreadSafetyAnalyzer::runAnalysis(AnalysisDeclContext &AC) {
       }
       if (UnderlyingLocks.empty())
         continue;
-      CapabilityExpr Cp(SxBuilder.createVariable(Param), StringRef(), false);
+      CapabilityExpr Cp (SxBuilder.createVariable(Param), StringRef(), false);
       auto ScopedEntry = std::make_unique<ScopedLockableFactEntry>(
           Cp, Param->getLocation(), FactEntry::Declared);
       for (const CapabilityExpr &M : UnderlyingLocks)

clang/lib/Sema/AnalysisBasedWarnings.cpp

@@ -1802,8 +1802,7 @@ class ThreadSafetyReporter : public clang::threadSafety::ThreadSafetyHandler {
   OptionalNotes makeManagedMismatchNoteForParam(SourceLocation DeclLoc) {
     return DeclLoc.isValid()
                ? getNotes(PartialDiagnosticAt(
-                     DeclLoc,
-                     S.PDiag(diag::note_managed_mismatch_here_for_param)))
+                     DeclLoc, S.PDiag(diag::note_managed_mismatch_here_for_param)))
                : getNotes();
   }
 
@@ -1839,7 +1838,7 @@ class ThreadSafetyReporter : public clang::threadSafety::ThreadSafetyHandler {
 
   void handleExpectMoreUnderlyingMutexes(SourceLocation Loc,
                                          SourceLocation DLoc, Name scopeName,
-                                         StringRef Kind,
+                                         StringRef Kind, 
                                          Name expected) override {
     PartialDiagnosticAt Warning(
         Loc, S.PDiag(diag::warn_expect_more_underlying_mutexes)

clang/lib/Sema/SemaDeclAttr.cpp

@@ -430,14 +430,12 @@ static void checkAttrArgsAreCapabilityObjs(Sema &S, Decl *D,
   }
 }
 
-static bool checkFunParamsAreScopedLockable(Sema &S,
-                                            const ParmVarDecl *ParamDecl,
+static bool checkFunParamsAreScopedLockable(Sema &S, const ParmVarDecl *ParamDecl,
                                             const ParsedAttr &AL) {
   QualType ParamType = ParamDecl->getType();
-  if (const auto *RefType = ParamType->getAs<ReferenceType>();
-      RefType &&
-      checkRecordTypeForScopedCapability(S, RefType->getPointeeType()))
-    return true;
+  if (const auto *RefType = ParamType->getAs<ReferenceType>())
+    if (checkRecordTypeForScopedCapability(S, RefType->getPointeeType()))
+      return true;
   S.Diag(AL.getLoc(), diag::warn_thread_attribute_not_on_scoped_lockable_param)
       << AL;
   return false;
@@ -670,9 +668,10 @@ static void handleLockReturnedAttr(Sema &S, Decl *D, const ParsedAttr &AL) {
 }
 
 static void handleLocksExcludedAttr(Sema &S, Decl *D, const ParsedAttr &AL) {
-  if (const auto *ParmDecl = dyn_cast<ParmVarDecl>(D);
-      ParmDecl && !checkFunParamsAreScopedLockable(S, ParmDecl, AL))
-    return;
+
+  if (const auto *ParmDecl = dyn_cast<ParmVarDecl>(D))
+    if (!checkFunParamsAreScopedLockable(S, ParmDecl, AL))
+      return;
 
   if (!AL.checkAtLeastNumArgs(S, 1))
     return;
@@ -6197,9 +6196,9 @@ static void handleAssertCapabilityAttr(Sema &S, Decl *D, const ParsedAttr &AL) {
 
 static void handleAcquireCapabilityAttr(Sema &S, Decl *D,
                                         const ParsedAttr &AL) {
-  if (const auto *ParmDecl = dyn_cast<ParmVarDecl>(D);
-      ParmDecl && !checkFunParamsAreScopedLockable(S, ParmDecl, AL))
-    return;
+  if (const auto *ParmDecl = dyn_cast<ParmVarDecl>(D))
+    if (!checkFunParamsAreScopedLockable(S, ParmDecl, AL))
+      return;
 
   SmallVector<Expr*, 1> Args;
   if (!checkLockFunAttrCommon(S, D, AL, Args))
@@ -6221,9 +6220,9 @@ static void handleTryAcquireCapabilityAttr(Sema &S, Decl *D,
 
 static void handleReleaseCapabilityAttr(Sema &S, Decl *D,
                                         const ParsedAttr &AL) {
-  if (const auto *ParmDecl = dyn_cast<ParmVarDecl>(D);
-      ParmDecl && !checkFunParamsAreScopedLockable(S, ParmDecl, AL))
-    return;
+  if (const auto *ParmDecl = dyn_cast<ParmVarDecl>(D))
+    if (!checkFunParamsAreScopedLockable(S, ParmDecl, AL))
+      return;
   // Check that all arguments are lockable objects.
   SmallVector<Expr *, 1> Args;
   checkAttrArgsAreCapabilityObjs(S, D, AL, Args, 0, true);
@@ -6234,9 +6233,9 @@ static void handleReleaseCapabilityAttr(Sema &S, Decl *D,
 
 static void handleRequiresCapabilityAttr(Sema &S, Decl *D,
                                          const ParsedAttr &AL) {
-  if (const auto *ParmDecl = dyn_cast<ParmVarDecl>(D);
-      ParmDecl && !checkFunParamsAreScopedLockable(S, ParmDecl, AL))
-    return;
+  if (const auto *ParmDecl = dyn_cast<ParmVarDecl>(D))
+    if (!checkFunParamsAreScopedLockable(S, ParmDecl, AL))
+      return;
 
   if (!AL.checkAtLeastNumArgs(S, 1))
     return;

clang/test/SemaCXX/warn-thread-safety-analysis.cpp

@@ -3496,10 +3496,17 @@ void acquireCallWithAlreadyHeldLock() {
 
 void excludeCallWithAlreadyHeldLock() {
   RelockableScope scope(&mu);
-  exclude(scope); // expected-warning{{cannot call function 'exclude' while mutex 'mu' is held}}
+  exclude(scope);// expected-warning{{cannot call function 'exclude' while mutex 'mu' is held}}
   x = 2; // OK.
 }
 
+// Passing a scope by value
+RelockableScope lock() EXCLUSIVE_LOCK_FUNCTION(mu);
+void destruct(RelockableScope scope) {}
+void passScopeByValue() {
+  destruct(lock());
+}
+
 void requireConst(const ReleasableMutexLock& scope EXCLUSIVE_LOCKS_REQUIRED(mu));
 void requireConstCall() {
   requireConst(ReleasableMutexLock(&mu));
@@ -3534,7 +3541,7 @@ void requireCallWithReleasedLock2() {
 }
 
 void requireDecl(RelockableScope &scope EXCLUSIVE_LOCKS_REQUIRED(mu));
-void requireDecl(RelockableScope &scope) {
+void requireDecl(RelockableScope &scope){
   scope.Release();
   scope.Acquire();
 }
@@ -3553,19 +3560,6 @@ struct foo
   }
 };
 
-struct ObjectWithMutex {
-  Mutex mu;
-  int x GUARDED_BY(mu);
-};
-void releaseMember(ObjectWithMutex& object, ReleasableMutexLock& scope EXCLUSIVE_UNLOCK_FUNCTION(object.mu)) {
-  object.x = 1;
-  scope.Release();
-}
-void releaseMemberCall() {
-  ObjectWithMutex obj;
-  ReleasableMutexLock lock(&obj.mu);
-  releaseMember(obj, lock);
-}
 
 } // end namespace PassingScope