From: Marco Elver <elver@google.com>
To: elver@google.com, Peter Zijlstra <peterz@infradead.org>,
Boqun Feng <boqun.feng@gmail.com>,
Ingo Molnar <mingo@kernel.org>, Will Deacon <will@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>,
Luc Van Oostenryck <luc.vanoostenryck@gmail.com>,
Chris Li <sparse@chrisli.org>,
"Paul E. McKenney" <paulmck@kernel.org>,
Alexander Potapenko <glider@google.com>,
Arnd Bergmann <arnd@arndb.de>,
Bart Van Assche <bvanassche@acm.org>,
Christoph Hellwig <hch@lst.de>,
Dmitry Vyukov <dvyukov@google.com>,
Eric Dumazet <edumazet@google.com>,
Frederic Weisbecker <frederic@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
Ian Rogers <irogers@google.com>, Jann Horn <jannh@google.com>,
Joel Fernandes <joelagnelf@nvidia.com>,
Johannes Berg <johannes.berg@intel.com>,
Jonathan Corbet <corbet@lwn.net>,
Josh Triplett <josh@joshtriplett.org>,
Justin Stitt <justinstitt@google.com>,
Kees Cook <kees@kernel.org>,
Kentaro Takeda <takedakn@nttdata.co.jp>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Mark Rutland <mark.rutland@arm.com>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Miguel Ojeda <ojeda@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Neeraj Upadhyay <neeraj.upadhyay@kernel.org>,
Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
Steven Rostedt <rostedt@goodmis.org>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Thomas Gleixner <tglx@linutronix.de>,
Thomas Graf <tgraf@suug.ch>, Uladzislau Rezki <urezki@gmail.com>,
Waiman Long <longman@redhat.com>,
kasan-dev@googlegroups.com, linux-crypto@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kbuild@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-security-module@vger.kernel.org,
linux-sparse@vger.kernel.org, linux-wireless@vger.kernel.org,
llvm@lists.linux.dev, rcu@vger.kernel.org
Subject: [PATCH v5 06/36] cleanup: Basic compatibility with context analysis
Date: Fri, 19 Dec 2025 16:39:55 +0100 [thread overview]
Message-ID: <20251219154418.3592607-7-elver@google.com> (raw)
In-Reply-To: <20251219154418.3592607-1-elver@google.com>
Introduce basic compatibility with cleanup.h infrastructure.
We need to allow the compiler to see the acquisition and release of the
context lock at the start and end of a scope. However, the current
"cleanup" helpers wrap the lock in a struct passed through separate
helper functions, which hides the lock alias from the compiler (no
inter-procedural analysis).
While Clang supports scoped guards in C++, it's not possible to apply in
C code: https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#scoped-context
However, together with recent improvements to Clang's alias analysis
abilities, idioms such as this work correctly now:
void spin_unlock_cleanup(spinlock_t **l) __releases(*l) { .. }
...
{
spinlock_t *lock_scope __cleanup(spin_unlock_cleanup) = &lock;
spin_lock(&lock); // lock through &lock
... critical section ...
} // unlock through lock_scope -[alias]-> &lock (no warnings)
To generalize this pattern and make it work with existing lock guards,
introduce DECLARE_LOCK_GUARD_1_ATTRS() and WITH_LOCK_GUARD_1_ATTRS().
These allow creating an explicit alias to the context lock instance that
is "cleaned" up with a separate cleanup helper. This helper is a dummy
function that does nothing at runtime, but has the release attributes to
tell the compiler what happens at the end of the scope.
Example usage:
DECLARE_LOCK_GUARD_1_ATTRS(mutex, __acquires(_T), __releases(*(struct mutex **)_T))
#define class_mutex_constructor(_T) WITH_LOCK_GUARD_1_ATTRS(mutex, _T)
Note: To support the for-loop based scoped helpers, the auxiliary
variable must be a pointer to the "class" type because it is defined in
the same statement as the guard variable. However, we initialize it with
the lock pointer (despite the type mismatch, the compiler's alias
analysis still works as expected). The "_unlock" attribute receives a
pointer to the auxiliary variable (a double pointer to the class type),
and must be cast and dereferenced appropriately.
Signed-off-by: Marco Elver <elver@google.com>
---
v5:
* Rework infrastructure to properly release at scope end with reworked
WITH_LOCK_GUARD_1_ATTRS() and WITH_LOCK_GUARD_1_ATTRS().
v4:
* Rename capability -> context analysis.
v3:
* Add *_ATTRS helpers instead of implicit __assumes_cap (suggested by Peter)
* __assert -> __assume rename
---
include/linux/cleanup.h | 50 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/include/linux/cleanup.h b/include/linux/cleanup.h
index 8d41b917c77d..ee6df68c2177 100644
--- a/include/linux/cleanup.h
+++ b/include/linux/cleanup.h
@@ -278,16 +278,21 @@ const volatile void * __must_check_fn(const volatile void *val)
#define DEFINE_CLASS(_name, _type, _exit, _init, _init_args...) \
typedef _type class_##_name##_t; \
+typedef _type lock_##_name##_t; \
static __always_inline void class_##_name##_destructor(_type *p) \
+ __no_context_analysis \
{ _type _T = *p; _exit; } \
static __always_inline _type class_##_name##_constructor(_init_args) \
+ __no_context_analysis \
{ _type t = _init; return t; }
#define EXTEND_CLASS(_name, ext, _init, _init_args...) \
+typedef lock_##_name##_t lock_##_name##ext##_t; \
typedef class_##_name##_t class_##_name##ext##_t; \
static __always_inline void class_##_name##ext##_destructor(class_##_name##_t *p) \
{ class_##_name##_destructor(p); } \
static __always_inline class_##_name##_t class_##_name##ext##_constructor(_init_args) \
+ __no_context_analysis \
{ class_##_name##_t t = _init; return t; }
#define CLASS(_name, var) \
@@ -474,12 +479,14 @@ _label: \
*/
#define __DEFINE_UNLOCK_GUARD(_name, _type, _unlock, ...) \
+typedef _type lock_##_name##_t; \
typedef struct { \
_type *lock; \
__VA_ARGS__; \
} class_##_name##_t; \
\
static __always_inline void class_##_name##_destructor(class_##_name##_t *_T) \
+ __no_context_analysis \
{ \
if (!__GUARD_IS_ERR(_T->lock)) { _unlock; } \
} \
@@ -488,6 +495,7 @@ __DEFINE_GUARD_LOCK_PTR(_name, &_T->lock)
#define __DEFINE_LOCK_GUARD_1(_name, _type, _lock) \
static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
+ __no_context_analysis \
{ \
class_##_name##_t _t = { .lock = l }, *_T = &_t; \
_lock; \
@@ -496,6 +504,7 @@ static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
#define __DEFINE_LOCK_GUARD_0(_name, _lock) \
static __always_inline class_##_name##_t class_##_name##_constructor(void) \
+ __no_context_analysis \
{ \
class_##_name##_t _t = { .lock = (void*)1 }, \
*_T __maybe_unused = &_t; \
@@ -503,6 +512,47 @@ static __always_inline class_##_name##_t class_##_name##_constructor(void) \
return _t; \
}
+#define DECLARE_LOCK_GUARD_0_ATTRS(_name, _lock, _unlock) \
+static inline class_##_name##_t class_##_name##_constructor(void) _lock;\
+static inline void class_##_name##_destructor(class_##_name##_t *_T) _unlock;
+
+/*
+ * To support Context Analysis, we need to allow the compiler to see the
+ * acquisition and release of the context lock. However, the "cleanup" helpers
+ * wrap the lock in a struct passed through separate helper functions, which
+ * hides the lock alias from the compiler (no inter-procedural analysis).
+ *
+ * To make it work, we introduce an explicit alias to the context lock instance
+ * that is "cleaned" up with a separate cleanup helper. This helper is a dummy
+ * function that does nothing at runtime, but has the "_unlock" attribute to
+ * tell the compiler what happens at the end of the scope.
+ *
+ * To generalize the pattern, the WITH_LOCK_GUARD_1_ATTRS() macro should be used
+ * to redefine the constructor, which then also creates the alias variable with
+ * the right "cleanup" attribute, *after* DECLARE_LOCK_GUARD_1_ATTRS() has been
+ * used.
+ *
+ * Example usage:
+ *
+ * DECLARE_LOCK_GUARD_1_ATTRS(mutex, __acquires(_T), __releases(*(struct mutex **)_T))
+ * #define class_mutex_constructor(_T) WITH_LOCK_GUARD_1_ATTRS(mutex, _T)
+ *
+ * Note: To support the for-loop based scoped helpers, the auxiliary variable
+ * must be a pointer to the "class" type because it is defined in the same
+ * statement as the guard variable. However, we initialize it with the lock
+ * pointer (despite the type mismatch, the compiler's alias analysis still works
+ * as expected). The "_unlock" attribute receives a pointer to the auxiliary
+ * variable (a double pointer to the class type), and must be cast and
+ * dereferenced appropriately.
+ */
+#define DECLARE_LOCK_GUARD_1_ATTRS(_name, _lock, _unlock) \
+static inline class_##_name##_t class_##_name##_constructor(lock_##_name##_t *_T) _lock;\
+static __always_inline void __class_##_name##_cleanup_ctx(class_##_name##_t **_T) \
+ __no_context_analysis _unlock { }
+#define WITH_LOCK_GUARD_1_ATTRS(_name, _T) \
+ class_##_name##_constructor(_T), \
+ *__UNIQUE_ID(unlock) __cleanup(__class_##_name##_cleanup_ctx) = (void *)(unsigned long)(_T)
+
#define DEFINE_LOCK_GUARD_1(_name, _type, _lock, _unlock, ...) \
__DEFINE_CLASS_IS_CONDITIONAL(_name, false); \
__DEFINE_UNLOCK_GUARD(_name, _type, _unlock, __VA_ARGS__) \
--
2.52.0.322.g1dd061c0dc-goog
next prev parent reply other threads:[~2025-12-19 15:45 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-19 15:39 [PATCH v5 00/36] Compiler-Based Context- and Locking-Analysis Marco Elver
2025-12-19 15:39 ` [PATCH v5 01/36] compiler_types: Move lock checking attributes to compiler-context-analysis.h Marco Elver
2025-12-19 15:39 ` [PATCH v5 02/36] compiler-context-analysis: Add infrastructure for Context Analysis with Clang Marco Elver
2025-12-19 18:38 ` Bart Van Assche
2025-12-19 18:59 ` Marco Elver
2025-12-19 19:04 ` Bart Van Assche
2025-12-19 19:11 ` Marco Elver
2025-12-20 13:33 ` Peter Zijlstra
2025-12-19 15:39 ` [PATCH v5 03/36] compiler-context-analysis: Add test stub Marco Elver
2025-12-19 15:39 ` [PATCH v5 04/36] Documentation: Add documentation for Compiler-Based Context Analysis Marco Elver
2025-12-19 18:51 ` Bart Van Assche
2025-12-19 15:39 ` [PATCH v5 05/36] checkpatch: Warn about context_unsafe() without comment Marco Elver
2025-12-19 15:39 ` Marco Elver [this message]
2025-12-19 19:16 ` [PATCH v5 06/36] cleanup: Basic compatibility with context analysis Bart Van Assche
2025-12-19 15:39 ` [PATCH v5 07/36] lockdep: Annotate lockdep assertions for " Marco Elver
2025-12-19 20:53 ` Bart Van Assche
2025-12-19 21:16 ` Marco Elver
2025-12-19 21:28 ` Bart Van Assche
2025-12-19 21:47 ` Marco Elver
2025-12-19 15:39 ` [PATCH v5 08/36] locking/rwlock, spinlock: Support Clang's " Marco Elver
2025-12-19 20:26 ` Bart Van Assche
2025-12-19 21:02 ` Marco Elver
2025-12-19 21:34 ` Bart Van Assche
2025-12-19 21:48 ` Marco Elver
2025-12-19 21:45 ` Bart Van Assche
2025-12-19 15:39 ` [PATCH v5 09/36] compiler-context-analysis: Change __cond_acquires to take return value Marco Elver
2025-12-19 15:39 ` [PATCH v5 10/36] locking/mutex: Support Clang's context analysis Marco Elver
2025-12-19 15:40 ` [PATCH v5 11/36] locking/seqlock: " Marco Elver
2025-12-19 15:40 ` [PATCH v5 12/36] bit_spinlock: Include missing <asm/processor.h> Marco Elver
2025-12-19 20:38 ` Bart Van Assche
2025-12-19 15:40 ` [PATCH v5 13/36] bit_spinlock: Support Clang's context analysis Marco Elver
2025-12-19 20:47 ` Bart Van Assche
2025-12-19 21:09 ` Marco Elver
2025-12-19 15:40 ` [PATCH v5 14/36] rcu: " Marco Elver
2025-12-19 15:40 ` [PATCH v5 15/36] srcu: " Marco Elver
2025-12-19 15:40 ` [PATCH v5 16/36] kref: Add context-analysis annotations Marco Elver
2025-12-19 20:49 ` Bart Van Assche
2025-12-19 15:40 ` [PATCH v5 17/36] locking/rwsem: Support Clang's context analysis Marco Elver
2025-12-19 20:55 ` Bart Van Assche
2025-12-20 12:52 ` Marco Elver
2025-12-19 15:40 ` [PATCH v5 18/36] locking/local_lock: Include missing headers Marco Elver
2025-12-19 20:56 ` Bart Van Assche
2025-12-19 15:40 ` [PATCH v5 19/36] locking/local_lock: Support Clang's context analysis Marco Elver
2025-12-19 15:40 ` [PATCH v5 20/36] locking/ww_mutex: " Marco Elver
2025-12-19 15:40 ` [PATCH v5 21/36] debugfs: Make debugfs_cancellation a context lock struct Marco Elver
2025-12-19 21:01 ` Bart Van Assche
2025-12-19 15:40 ` [PATCH v5 22/36] um: Fix incorrect __acquires/__releases annotations Marco Elver
2025-12-19 21:05 ` Bart Van Assche
2025-12-19 15:40 ` [PATCH v5 23/36] compiler-context-analysis: Remove Sparse support Marco Elver
2025-12-19 21:38 ` Bart Van Assche
2025-12-19 15:40 ` [PATCH v5 24/36] compiler-context-analysis: Remove __cond_lock() function-like helper Marco Elver
2025-12-19 21:42 ` Bart Van Assche
2025-12-20 12:51 ` Marco Elver
2025-12-19 15:40 ` [PATCH v5 25/36] compiler-context-analysis: Introduce header suppressions Marco Elver
2025-12-19 15:40 ` [PATCH v5 26/36] compiler: Let data_race() imply disabled context analysis Marco Elver
2025-12-19 15:40 ` [PATCH v5 27/36] MAINTAINERS: Add entry for Context Analysis Marco Elver
2025-12-19 15:40 ` [PATCH v5 28/36] kfence: Enable context analysis Marco Elver
2025-12-19 15:40 ` [PATCH v5 29/36] kcov: " Marco Elver
2025-12-19 15:40 ` [PATCH v5 30/36] kcsan: " Marco Elver
2025-12-19 15:40 ` [PATCH v5 31/36] stackdepot: " Marco Elver
2025-12-19 15:40 ` [PATCH v5 32/36] rhashtable: " Marco Elver
2025-12-19 15:40 ` [PATCH v5 33/36] printk: Move locking annotation to printk.c Marco Elver
2025-12-19 15:40 ` [PATCH v5 34/36] security/tomoyo: Enable context analysis Marco Elver
2025-12-19 15:40 ` [PATCH v5 35/36] crypto: " Marco Elver
2025-12-19 15:40 ` [PATCH v5 36/36] sched: Enable context analysis for core.c and fair.c Marco Elver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251219154418.3592607-7-elver@google.com \
--to=elver@google.com \
--cc=arnd@arndb.de \
--cc=boqun.feng@gmail.com \
--cc=bvanassche@acm.org \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=frederic@kernel.org \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@lst.de \
--cc=herbert@gondor.apana.org.au \
--cc=irogers@google.com \
--cc=jannh@google.com \
--cc=joelagnelf@nvidia.com \
--cc=johannes.berg@intel.com \
--cc=josh@joshtriplett.org \
--cc=justinstitt@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=kees@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-sparse@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=longman@redhat.com \
--cc=luc.vanoostenryck@gmail.com \
--cc=lukas.bulwahn@gmail.com \
--cc=mark.rutland@arm.com \
--cc=mathieu.desnoyers@efficios.com \
--cc=mingo@kernel.org \
--cc=nathan@kernel.org \
--cc=neeraj.upadhyay@kernel.org \
--cc=nick.desaulniers+lkml@gmail.com \
--cc=ojeda@kernel.org \
--cc=paulmck@kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=peterz@infradead.org \
--cc=rcu@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=sparse@chrisli.org \
--cc=takedakn@nttdata.co.jp \
--cc=tglx@linutronix.de \
--cc=tgraf@suug.ch \
--cc=urezki@gmail.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox