00001 // Copyright 2017 The Abseil Authors. 00002 // 00003 // Licensed under the Apache License, Version 2.0 (the "License"); 00004 // you may not use this file except in compliance with the License. 00005 // You may obtain a copy of the License at 00006 // 00007 // https://www.apache.org/licenses/LICENSE-2.0 00008 // 00009 // Unless required by applicable law or agreed to in writing, software 00010 // distributed under the License is distributed on an "AS IS" BASIS, 00011 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00012 // See the License for the specific language governing permissions and 00013 // limitations under the License. 00014 // 00015 // ----------------------------------------------------------------------------- 00016 // File: thread_annotations.h 00017 // ----------------------------------------------------------------------------- 00018 // 00019 // This header file contains macro definitions for thread safety annotations 00020 // that allow developers to document the locking policies of multi-threaded 00021 // code. The annotations can also help program analysis tools to identify 00022 // potential thread safety issues. 00023 // 00024 // These annotations are implemented using compiler attributes. Using the macros 00025 // defined here instead of raw attributes allow for portability and future 00026 // compatibility. 00027 // 00028 // When referring to mutexes in the arguments of the attributes, you should 00029 // use variable names or more complex expressions (e.g. my_object->mutex_) 00030 // that evaluate to a concrete mutex object whenever possible. If the mutex 00031 // you want to refer to is not in scope, you may use a member pointer 00032 // (e.g. &MyClass::mutex_) to refer to a mutex in some (unknown) object. 00033 00034 #ifndef ABSL_BASE_THREAD_ANNOTATIONS_H_ 00035 #define ABSL_BASE_THREAD_ANNOTATIONS_H_ 00036 00037 #if defined(__clang__) 00038 #define THREAD_ANNOTATION_ATTRIBUTE__(x) __attribute__((x)) 00039 #else 00040 #define THREAD_ANNOTATION_ATTRIBUTE__(x) // no-op 00041 #endif 00042 00043 // GUARDED_BY() 00044 // 00045 // Documents if a shared field or global variable needs to be protected by a 00046 // mutex. GUARDED_BY() allows the user to specify a particular mutex that 00047 // should be held when accessing the annotated variable. 00048 // 00049 // Although this annotation (and PT_GUARDED_BY, below) cannot be applied to 00050 // local variables, a local variable and its associated mutex can often be 00051 // combined into a small class or struct, thereby allowing the annotation. 00052 // 00053 // Example: 00054 // 00055 // class Foo { 00056 // Mutex mu_; 00057 // int p1_ GUARDED_BY(mu_); 00058 // ... 00059 // }; 00060 #define GUARDED_BY(x) THREAD_ANNOTATION_ATTRIBUTE__(guarded_by(x)) 00061 00062 // PT_GUARDED_BY() 00063 // 00064 // Documents if the memory location pointed to by a pointer should be guarded 00065 // by a mutex when dereferencing the pointer. 00066 // 00067 // Example: 00068 // class Foo { 00069 // Mutex mu_; 00070 // int *p1_ PT_GUARDED_BY(mu_); 00071 // ... 00072 // }; 00073 // 00074 // Note that a pointer variable to a shared memory location could itself be a 00075 // shared variable. 00076 // 00077 // Example: 00078 // 00079 // // `q_`, guarded by `mu1_`, points to a shared memory location that is 00080 // // guarded by `mu2_`: 00081 // int *q_ GUARDED_BY(mu1_) PT_GUARDED_BY(mu2_); 00082 #define PT_GUARDED_BY(x) THREAD_ANNOTATION_ATTRIBUTE__(pt_guarded_by(x)) 00083 00084 // ACQUIRED_AFTER() / ACQUIRED_BEFORE() 00085 // 00086 // Documents the acquisition order between locks that can be held 00087 // simultaneously by a thread. For any two locks that need to be annotated 00088 // to establish an acquisition order, only one of them needs the annotation. 00089 // (i.e. You don't have to annotate both locks with both ACQUIRED_AFTER 00090 // and ACQUIRED_BEFORE.) 00091 // 00092 // As with GUARDED_BY, this is only applicable to mutexes that are shared 00093 // fields or global variables. 00094 // 00095 // Example: 00096 // 00097 // Mutex m1_; 00098 // Mutex m2_ ACQUIRED_AFTER(m1_); 00099 #define ACQUIRED_AFTER(...) \ 00100 THREAD_ANNOTATION_ATTRIBUTE__(acquired_after(__VA_ARGS__)) 00101 00102 #define ACQUIRED_BEFORE(...) \ 00103 THREAD_ANNOTATION_ATTRIBUTE__(acquired_before(__VA_ARGS__)) 00104 00105 // EXCLUSIVE_LOCKS_REQUIRED() / SHARED_LOCKS_REQUIRED() 00106 // 00107 // Documents a function that expects a mutex to be held prior to entry. 00108 // The mutex is expected to be held both on entry to, and exit from, the 00109 // function. 00110 // 00111 // An exclusive lock allows read-write access to the guarded data member(s), and 00112 // only one thread can acquire a lock exclusively at any one time. A shared lock 00113 // allows read-only access, and any number of threads can acquire a shared lock 00114 // concurrently. 00115 // 00116 // Generally, non-const methods should be annotated with 00117 // EXCLUSIVE_LOCKS_REQUIRED, while const methods should be annotated with 00118 // SHARED_LOCKS_REQUIRED. 00119 // 00120 // Example: 00121 // 00122 // Mutex mu1, mu2; 00123 // int a GUARDED_BY(mu1); 00124 // int b GUARDED_BY(mu2); 00125 // 00126 // void foo() EXCLUSIVE_LOCKS_REQUIRED(mu1, mu2) { ... } 00127 // void bar() const SHARED_LOCKS_REQUIRED(mu1, mu2) { ... } 00128 #define EXCLUSIVE_LOCKS_REQUIRED(...) \ 00129 THREAD_ANNOTATION_ATTRIBUTE__(exclusive_locks_required(__VA_ARGS__)) 00130 00131 #define SHARED_LOCKS_REQUIRED(...) \ 00132 THREAD_ANNOTATION_ATTRIBUTE__(shared_locks_required(__VA_ARGS__)) 00133 00134 // LOCKS_EXCLUDED() 00135 // 00136 // Documents the locks acquired in the body of the function. These locks 00137 // cannot be held when calling this function (as Abseil's `Mutex` locks are 00138 // non-reentrant). 00139 #define LOCKS_EXCLUDED(...) \ 00140 THREAD_ANNOTATION_ATTRIBUTE__(locks_excluded(__VA_ARGS__)) 00141 00142 // LOCK_RETURNED() 00143 // 00144 // Documents a function that returns a mutex without acquiring it. For example, 00145 // a public getter method that returns a pointer to a private mutex should 00146 // be annotated with LOCK_RETURNED. 00147 #define LOCK_RETURNED(x) \ 00148 THREAD_ANNOTATION_ATTRIBUTE__(lock_returned(x)) 00149 00150 // LOCKABLE 00151 // 00152 // Documents if a class/type is a lockable type (such as the `Mutex` class). 00153 #define LOCKABLE \ 00154 THREAD_ANNOTATION_ATTRIBUTE__(lockable) 00155 00156 // SCOPED_LOCKABLE 00157 // 00158 // Documents if a class does RAII locking (such as the `MutexLock` class). 00159 // The constructor should use `LOCK_FUNCTION()` to specify the mutex that is 00160 // acquired, and the destructor should use `UNLOCK_FUNCTION()` with no 00161 // arguments; the analysis will assume that the destructor unlocks whatever the 00162 // constructor locked. 00163 #define SCOPED_LOCKABLE \ 00164 THREAD_ANNOTATION_ATTRIBUTE__(scoped_lockable) 00165 00166 // EXCLUSIVE_LOCK_FUNCTION() 00167 // 00168 // Documents functions that acquire a lock in the body of a function, and do 00169 // not release it. 00170 #define EXCLUSIVE_LOCK_FUNCTION(...) \ 00171 THREAD_ANNOTATION_ATTRIBUTE__(exclusive_lock_function(__VA_ARGS__)) 00172 00173 // SHARED_LOCK_FUNCTION() 00174 // 00175 // Documents functions that acquire a shared (reader) lock in the body of a 00176 // function, and do not release it. 00177 #define SHARED_LOCK_FUNCTION(...) \ 00178 THREAD_ANNOTATION_ATTRIBUTE__(shared_lock_function(__VA_ARGS__)) 00179 00180 // UNLOCK_FUNCTION() 00181 // 00182 // Documents functions that expect a lock to be held on entry to the function, 00183 // and release it in the body of the function. 00184 #define UNLOCK_FUNCTION(...) \ 00185 THREAD_ANNOTATION_ATTRIBUTE__(unlock_function(__VA_ARGS__)) 00186 00187 // EXCLUSIVE_TRYLOCK_FUNCTION() / SHARED_TRYLOCK_FUNCTION() 00188 // 00189 // Documents functions that try to acquire a lock, and return success or failure 00190 // (or a non-boolean value that can be interpreted as a boolean). 00191 // The first argument should be `true` for functions that return `true` on 00192 // success, or `false` for functions that return `false` on success. The second 00193 // argument specifies the mutex that is locked on success. If unspecified, this 00194 // mutex is assumed to be `this`. 00195 #define EXCLUSIVE_TRYLOCK_FUNCTION(...) \ 00196 THREAD_ANNOTATION_ATTRIBUTE__(exclusive_trylock_function(__VA_ARGS__)) 00197 00198 #define SHARED_TRYLOCK_FUNCTION(...) \ 00199 THREAD_ANNOTATION_ATTRIBUTE__(shared_trylock_function(__VA_ARGS__)) 00200 00201 // ASSERT_EXCLUSIVE_LOCK() / ASSERT_SHARED_LOCK() 00202 // 00203 // Documents functions that dynamically check to see if a lock is held, and fail 00204 // if it is not held. 00205 #define ASSERT_EXCLUSIVE_LOCK(...) \ 00206 THREAD_ANNOTATION_ATTRIBUTE__(assert_exclusive_lock(__VA_ARGS__)) 00207 00208 #define ASSERT_SHARED_LOCK(...) \ 00209 THREAD_ANNOTATION_ATTRIBUTE__(assert_shared_lock(__VA_ARGS__)) 00210 00211 // NO_THREAD_SAFETY_ANALYSIS 00212 // 00213 // Turns off thread safety checking within the body of a particular function. 00214 // This annotation is used to mark functions that are known to be correct, but 00215 // the locking behavior is more complicated than the analyzer can handle. 00216 #define NO_THREAD_SAFETY_ANALYSIS \ 00217 THREAD_ANNOTATION_ATTRIBUTE__(no_thread_safety_analysis) 00218 00219 //------------------------------------------------------------------------------ 00220 // Tool-Supplied Annotations 00221 //------------------------------------------------------------------------------ 00222 00223 // TS_UNCHECKED should be placed around lock expressions that are not valid 00224 // C++ syntax, but which are present for documentation purposes. These 00225 // annotations will be ignored by the analysis. 00226 #define TS_UNCHECKED(x) "" 00227 00228 // TS_FIXME is used to mark lock expressions that are not valid C++ syntax. 00229 // It is used by automated tools to mark and disable invalid expressions. 00230 // The annotation should either be fixed, or changed to TS_UNCHECKED. 00231 #define TS_FIXME(x) "" 00232 00233 // Like NO_THREAD_SAFETY_ANALYSIS, this turns off checking within the body of 00234 // a particular function. However, this attribute is used to mark functions 00235 // that are incorrect and need to be fixed. It is used by automated tools to 00236 // avoid breaking the build when the analysis is updated. 00237 // Code owners are expected to eventually fix the routine. 00238 #define NO_THREAD_SAFETY_ANALYSIS_FIXME NO_THREAD_SAFETY_ANALYSIS 00239 00240 // Similar to NO_THREAD_SAFETY_ANALYSIS_FIXME, this macro marks a GUARDED_BY 00241 // annotation that needs to be fixed, because it is producing thread safety 00242 // warning. It disables the GUARDED_BY. 00243 #define GUARDED_BY_FIXME(x) 00244 00245 // Disables warnings for a single read operation. This can be used to avoid 00246 // warnings when it is known that the read is not actually involved in a race, 00247 // but the compiler cannot confirm that. 00248 #define TS_UNCHECKED_READ(x) thread_safety_analysis::ts_unchecked_read(x) 00249 00250 00251 namespace thread_safety_analysis { 00252 00253 // Takes a reference to a guarded data member, and returns an unguarded 00254 // reference. 00255 template <typename T> 00256 inline const T& ts_unchecked_read(const T& v) NO_THREAD_SAFETY_ANALYSIS { 00257 return v; 00258 } 00259 00260 template <typename T> 00261 inline T& ts_unchecked_read(T& v) NO_THREAD_SAFETY_ANALYSIS { 00262 return v; 00263 } 00264 00265 } // namespace thread_safety_analysis 00266 00267 #endif // ABSL_BASE_THREAD_ANNOTATIONS_H_