mirror-linux/include/linux/compiler-context-analysis.h

/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Macros and attributes for compiler-based static context analysis.
 */

#ifndef _LINUX_COMPILER_CONTEXT_ANALYSIS_H
#define _LINUX_COMPILER_CONTEXT_ANALYSIS_H

#if defined(WARN_CONTEXT_ANALYSIS) && !defined(__CHECKER__) && !defined(__GENKSYMS__)

/*
 * These attributes define new context lock (Clang: capability) types.
 * Internal only.
 */
# define __ctx_lock_type(name)			__attribute__((capability(#name)))
# define __reentrant_ctx_lock			__attribute__((reentrant_capability))
# define __acquires_ctx_lock(...)		__attribute__((acquire_capability(__VA_ARGS__)))
# define __acquires_shared_ctx_lock(...)	__attribute__((acquire_shared_capability(__VA_ARGS__)))
# define __try_acquires_ctx_lock(ret, var)	__attribute__((try_acquire_capability(ret, var)))
# define __try_acquires_shared_ctx_lock(ret, var) __attribute__((try_acquire_shared_capability(ret, var)))
# define __releases_ctx_lock(...)		__attribute__((release_capability(__VA_ARGS__)))
# define __releases_shared_ctx_lock(...)	__attribute__((release_shared_capability(__VA_ARGS__)))
# define __returns_ctx_lock(var)		__attribute__((lock_returned(var)))

/*
 * The below are used to annotate code being checked. Internal only.
 */
# define __excludes_ctx_lock(...)		__attribute__((locks_excluded(__VA_ARGS__)))
# define __requires_ctx_lock(...)		__attribute__((requires_capability(__VA_ARGS__)))
# define __requires_shared_ctx_lock(...)	__attribute__((requires_shared_capability(__VA_ARGS__)))

/*
 * The "assert_capability" attribute is a bit confusingly named. It does not
 * generate a check. Instead, it tells the analysis to *assume* the capability
 * is held. This is used for augmenting runtime assertions, that can then help
 * with patterns beyond the compiler's static reasoning abilities.
 */
# define __assumes_ctx_lock(...)		__attribute__((assert_capability(__VA_ARGS__)))
# define __assumes_shared_ctx_lock(...)	__attribute__((assert_shared_capability(__VA_ARGS__)))

/**
 * __guarded_by - struct member and globals attribute, declares variable
 *                only accessible within active context
 *
 * Declares that the struct member or global variable is only accessible within
 * the context entered by the given context lock. Read operations on the data
 * require shared access, while write operations require exclusive access.
 *
 * .. code-block:: c
 *
 *	struct some_state {
 *		spinlock_t lock;
 *		long counter __guarded_by(&lock);
 *	};
 */
# define __guarded_by(...)		__attribute__((guarded_by(__VA_ARGS__)))

/**
 * __pt_guarded_by - struct member and globals attribute, declares pointed-to
 *                   data only accessible within active context
 *
 * Declares that the data pointed to by the struct member pointer or global
 * pointer is only accessible within the context entered by the given context
 * lock. Read operations on the data require shared access, while write
 * operations require exclusive access.
 *
 * .. code-block:: c
 *
 *	struct some_state {
 *		spinlock_t lock;
 *		long *counter __pt_guarded_by(&lock);
 *	};
 */
# define __pt_guarded_by(...)		__attribute__((pt_guarded_by(__VA_ARGS__)))

/**
 * context_lock_struct() - declare or define a context lock struct
 * @name: struct name
 *
 * Helper to declare or define a struct type that is also a context lock.
 *
 * .. code-block:: c
 *
 *	context_lock_struct(my_handle) {
 *		int foo;
 *		long bar;
 *	};
 *
 *	struct some_state {
 *		...
 *	};
 *	// ... declared elsewhere ...
 *	context_lock_struct(some_state);
 *
 * Note: The implementation defines several helper functions that can acquire
 * and release the context lock.
 */
# define context_lock_struct(name, ...)									\
	struct __ctx_lock_type(name) __VA_ARGS__ name;							\
	static __always_inline void __acquire_ctx_lock(const struct name *var)				\
		__attribute__((overloadable)) __no_context_analysis __acquires_ctx_lock(var) { }	\
	static __always_inline void __acquire_shared_ctx_lock(const struct name *var)			\
		__attribute__((overloadable)) __no_context_analysis __acquires_shared_ctx_lock(var) { } \
	static __always_inline bool __try_acquire_ctx_lock(const struct name *var, bool ret)		\
		__attribute__((overloadable)) __no_context_analysis __try_acquires_ctx_lock(1, var)	\
	{ return ret; }											\
	static __always_inline bool __try_acquire_shared_ctx_lock(const struct name *var, bool ret)	\
		__attribute__((overloadable)) __no_context_analysis __try_acquires_shared_ctx_lock(1, var) \
	{ return ret; }											\
	static __always_inline void __release_ctx_lock(const struct name *var)				\
		__attribute__((overloadable)) __no_context_analysis __releases_ctx_lock(var) { }	\
	static __always_inline void __release_shared_ctx_lock(const struct name *var)			\
		__attribute__((overloadable)) __no_context_analysis __releases_shared_ctx_lock(var) { } \
	static __always_inline void __assume_ctx_lock(const struct name *var)				\
		__attribute__((overloadable)) __assumes_ctx_lock(var) { }				\
	static __always_inline void __assume_shared_ctx_lock(const struct name *var)			\
		__attribute__((overloadable)) __assumes_shared_ctx_lock(var) { }			\
	struct name

/**
 * disable_context_analysis() - disables context analysis
 *
 * Disables context analysis. Must be paired with a later
 * enable_context_analysis().
 */
# define disable_context_analysis()				\
	__diag_push();						\
	__diag_ignore_all("-Wunknown-warning-option", "")	\
	__diag_ignore_all("-Wthread-safety", "")		\
	__diag_ignore_all("-Wthread-safety-pointer", "")

/**
 * enable_context_analysis() - re-enables context analysis
 *
 * Re-enables context analysis. Must be paired with a prior
 * disable_context_analysis().
 */
# define enable_context_analysis() __diag_pop()

/**
 * __no_context_analysis - function attribute, disables context analysis
 *
 * Function attribute denoting that context analysis is disabled for the
 * whole function. Prefer use of `context_unsafe()` where possible.
 */
# define __no_context_analysis	__attribute__((no_thread_safety_analysis))

#else /* !WARN_CONTEXT_ANALYSIS */

# define __ctx_lock_type(name)
# define __reentrant_ctx_lock
# define __acquires_ctx_lock(...)
# define __acquires_shared_ctx_lock(...)
# define __try_acquires_ctx_lock(ret, var)
# define __try_acquires_shared_ctx_lock(ret, var)
# define __releases_ctx_lock(...)
# define __releases_shared_ctx_lock(...)
# define __assumes_ctx_lock(...)
# define __assumes_shared_ctx_lock(...)
# define __returns_ctx_lock(var)
# define __guarded_by(...)
# define __pt_guarded_by(...)
# define __excludes_ctx_lock(...)
# define __requires_ctx_lock(...)
# define __requires_shared_ctx_lock(...)
# define __acquire_ctx_lock(var)			do { } while (0)
# define __acquire_shared_ctx_lock(var)		do { } while (0)
# define __try_acquire_ctx_lock(var, ret)		(ret)
# define __try_acquire_shared_ctx_lock(var, ret)	(ret)
# define __release_ctx_lock(var)			do { } while (0)
# define __release_shared_ctx_lock(var)		do { } while (0)
# define __assume_ctx_lock(var)			do { (void)(var); } while (0)
# define __assume_shared_ctx_lock(var)			do { (void)(var); } while (0)
# define context_lock_struct(name, ...)		struct __VA_ARGS__ name
# define disable_context_analysis()
# define enable_context_analysis()
# define __no_context_analysis

#endif /* WARN_CONTEXT_ANALYSIS */

/**
 * context_unsafe() - disable context checking for contained code
 *
 * Disables context checking for contained statements or expression.
 *
 * .. code-block:: c
 *
 *	struct some_data {
 *		spinlock_t lock;
 *		int counter __guarded_by(&lock);
 *	};
 *
 *	int foo(struct some_data *d)
 *	{
 *		// ...
 *		// other code that is still checked ...
 *		// ...
 *		return context_unsafe(d->counter);
 *	}
 */
#define context_unsafe(...)		\
({					\
	disable_context_analysis();	\
	__VA_ARGS__;			\
	enable_context_analysis()	\
})

/**
 * __context_unsafe() - function attribute, disable context checking
 * @comment: comment explaining why opt-out is safe
 *
 * Function attribute denoting that context analysis is disabled for the
 * whole function. Forces adding an inline comment as argument.
 */
#define __context_unsafe(comment) __no_context_analysis

/**
 * context_unsafe_alias() - helper to insert a context lock "alias barrier"
 * @p: pointer aliasing a context lock or object containing context locks
 *
 * No-op function that acts as a "context lock alias barrier", where the
 * analysis rightfully detects that we're switching aliases, but the switch is
 * considered safe but beyond the analysis reasoning abilities.
 *
 * This should be inserted before the first use of such an alias.
 *
 * Implementation Note: The compiler ignores aliases that may be reassigned but
 * their value cannot be determined (e.g. when passing a non-const pointer to an
 * alias as a function argument).
 */
#define context_unsafe_alias(p) _context_unsafe_alias((void **)&(p))
static inline void _context_unsafe_alias(void **p) { }

/**
 * token_context_lock() - declare an abstract global context lock instance
 * @name: token context lock name
 *
 * Helper that declares an abstract global context lock instance @name, but not
 * backed by a real data structure (linker error if accidentally referenced).
 * The type name is `__ctx_lock_@name`.
 */
#define token_context_lock(name, ...)					\
	context_lock_struct(__ctx_lock_##name, ##__VA_ARGS__) {};	\
	extern const struct __ctx_lock_##name *name

/**
 * token_context_lock_instance() - declare another instance of a global context lock
 * @ctx: token context lock previously declared with token_context_lock()
 * @name: name of additional global context lock instance
 *
 * Helper that declares an additional instance @name of the same token context
 * lock class @ctx. This is helpful where multiple related token contexts are
 * declared, to allow using the same underlying type (`__ctx_lock_@ctx`) as
 * function arguments.
 */
#define token_context_lock_instance(ctx, name)		\
	extern const struct __ctx_lock_##ctx *name

/*
 * Common keywords for static context analysis.
 */

/**
 * __must_hold() - function attribute, caller must hold exclusive context lock
 *
 * Function attribute declaring that the caller must hold the given context
 * lock instance(s) exclusively.
 */
#define __must_hold(...)	__requires_ctx_lock(__VA_ARGS__)

/**
 * __must_not_hold() - function attribute, caller must not hold context lock
 *
 * Function attribute declaring that the caller must not hold the given context
 * lock instance(s).
 */
#define __must_not_hold(...)	__excludes_ctx_lock(__VA_ARGS__)

/**
 * __acquires() - function attribute, function acquires context lock exclusively
 *
 * Function attribute declaring that the function acquires the given context
 * lock instance(s) exclusively, but does not release them.
 */
#define __acquires(...)		__acquires_ctx_lock(__VA_ARGS__)

/*
 * Clang's analysis does not care precisely about the value, only that it is
 * either zero or non-zero. So the __cond_acquires() interface might be
 * misleading if we say that @ret is the value returned if acquired. Instead,
 * provide symbolic variants which we translate.
 */
#define __cond_acquires_impl_true(x, ...)     __try_acquires##__VA_ARGS__##_ctx_lock(1, x)
#define __cond_acquires_impl_false(x, ...)    __try_acquires##__VA_ARGS__##_ctx_lock(0, x)
#define __cond_acquires_impl_nonzero(x, ...)  __try_acquires##__VA_ARGS__##_ctx_lock(1, x)
#define __cond_acquires_impl_0(x, ...)        __try_acquires##__VA_ARGS__##_ctx_lock(0, x)
#define __cond_acquires_impl_nonnull(x, ...)  __try_acquires##__VA_ARGS__##_ctx_lock(1, x)
#define __cond_acquires_impl_NULL(x, ...)     __try_acquires##__VA_ARGS__##_ctx_lock(0, x)

/**
 * __cond_acquires() - function attribute, function conditionally
 *                     acquires a context lock exclusively
 * @ret: abstract value returned by function if context lock acquired
 * @x: context lock instance pointer
 *
 * Function attribute declaring that the function conditionally acquires the
 * given context lock instance @x exclusively, but does not release it. The
 * function return value @ret denotes when the context lock is acquired.
 *
 * @ret may be one of: true, false, nonzero, 0, nonnull, NULL.
 */
#define __cond_acquires(ret, x) __cond_acquires_impl_##ret(x)

/**
 * __releases() - function attribute, function releases a context lock exclusively
 *
 * Function attribute declaring that the function releases the given context
 * lock instance(s) exclusively. The associated context(s) must be active on
 * entry.
 */
#define __releases(...)		__releases_ctx_lock(__VA_ARGS__)

/**
 * __acquire() - function to acquire context lock exclusively
 * @x: context lock instance pointer
 *
 * No-op function that acquires the given context lock instance @x exclusively.
 */
#define __acquire(x)		__acquire_ctx_lock(x)

/**
 * __release() - function to release context lock exclusively
 * @x: context lock instance pointer
 *
 * No-op function that releases the given context lock instance @x.
 */
#define __release(x)		__release_ctx_lock(x)

/**
 * __must_hold_shared() - function attribute, caller must hold shared context lock
 *
 * Function attribute declaring that the caller must hold the given context
 * lock instance(s) with shared access.
 */
#define __must_hold_shared(...)	__requires_shared_ctx_lock(__VA_ARGS__)

/**
 * __acquires_shared() - function attribute, function acquires context lock shared
 *
 * Function attribute declaring that the function acquires the given
 * context lock instance(s) with shared access, but does not release them.
 */
#define __acquires_shared(...)	__acquires_shared_ctx_lock(__VA_ARGS__)

/**
 * __cond_acquires_shared() - function attribute, function conditionally
 *                            acquires a context lock shared
 * @ret: abstract value returned by function if context lock acquired
 * @x: context lock instance pointer
 *
 * Function attribute declaring that the function conditionally acquires the
 * given context lock instance @x with shared access, but does not release it.
 * The function return value @ret denotes when the context lock is acquired.
 *
 * @ret may be one of: true, false, nonzero, 0, nonnull, NULL.
 */
#define __cond_acquires_shared(ret, x) __cond_acquires_impl_##ret(x, _shared)

/**
 * __releases_shared() - function attribute, function releases a
 *                       context lock shared
 *
 * Function attribute declaring that the function releases the given context
 * lock instance(s) with shared access. The associated context(s) must be
 * active on entry.
 */
#define __releases_shared(...)	__releases_shared_ctx_lock(__VA_ARGS__)

/**
 * __acquire_shared() - function to acquire context lock shared
 * @x: context lock instance pointer
 *
 * No-op function that acquires the given context lock instance @x with shared
 * access.
 */
#define __acquire_shared(x)	__acquire_shared_ctx_lock(x)

/**
 * __release_shared() - function to release context lock shared
 * @x: context lock instance pointer
 *
 * No-op function that releases the given context lock instance @x with shared
 * access.
 */
#define __release_shared(x)	__release_shared_ctx_lock(x)

/**
 * __acquire_ret() - helper to acquire context lock of return value
 * @call: call expression
 * @ret_expr: acquire expression that uses __ret
 */
#define __acquire_ret(call, ret_expr)		\
	({					\
		__auto_type __ret = call;	\
		__acquire(ret_expr);		\
		__ret;				\
	})

/**
 * __acquire_shared_ret() - helper to acquire context lock shared of return value
 * @call: call expression
 * @ret_expr: acquire shared expression that uses __ret
 */
#define __acquire_shared_ret(call, ret_expr)	\
	({					\
		__auto_type __ret = call;	\
		__acquire_shared(ret_expr);	\
		__ret;				\
	})

/*
 * Attributes to mark functions returning acquired context locks.
 *
 * This is purely cosmetic to help readability, and should be used with the
 * above macros as follows:
 *
 *   struct foo { spinlock_t lock; ... };
 *   ...
 *   #define myfunc(...) __acquire_ret(_myfunc(__VA_ARGS__), &__ret->lock)
 *   struct foo *_myfunc(int bar) __acquires_ret;
 *   ...
 */
#define __acquires_ret		__no_context_analysis
#define __acquires_shared_ret	__no_context_analysis

#endif /* _LINUX_COMPILER_CONTEXT_ANALYSIS_H */