averello/linux-stable-mirror
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2026-03-03 18:28:01 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
linux-stable-mirror/Documentation/dev-tools/context-analysis.rst
Marco Elver d084a73714 compiler-context-analysis: Introduce scoped init guards 
Add scoped init guard definitions for common synchronization primitives
supported by context analysis.

The scoped init guards treat the context as active within initialization
scope of the underlying context lock, given initialization implies
exclusive access to the underlying object. This allows initialization of
guarded members without disabling context analysis, while documenting
initialization from subsequent usage.

The documentation is updated with the new recommendation. Where scoped
init guards are not provided or cannot be implemented (ww_mutex omitted
for lack of multi-arg guard initializers), the alternative is to just
disable context analysis where guarded members are initialized.

Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/all/20251212095943.GM3911114@noisy.programming.kicks-ass.net/
Link: https://patch.msgid.link/20260119094029.1344361-3-elver@google.com
2026-01-28 20:45:24 +01:00

170 lines
7.0 KiB
ReStructuredText
Raw Permalink Blame History

.. SPDX-License-Identifier: GPL-2.0
.. Copyright (C) 2025, Google LLC.
.. _context-analysis:
Compiler-Based Context Analysis
===============================
Context Analysis is a language extension, which enables statically checking
that required contexts are active (or inactive) by acquiring and releasing
user-definable "context locks". An obvious application is lock-safety checking
for the kernel's various synchronization primitives (each of which represents a
"context lock"), and checking that locking rules are not violated.
The Clang compiler currently supports the full set of context analysis
features. To enable for Clang, configure the kernel with::
CONFIG_WARN_CONTEXT_ANALYSIS=y
The feature requires Clang 22 or later.
The analysis is *opt-in by default*, and requires declaring which modules and
subsystems should be analyzed in the respective `Makefile`::
CONTEXT_ANALYSIS_mymodule.o := y
Or for all translation units in the directory::
CONTEXT_ANALYSIS := y
It is possible to enable the analysis tree-wide, however, which will result in
numerous false positive warnings currently and is *not* generally recommended::
CONFIG_WARN_CONTEXT_ANALYSIS_ALL=y
Programming Model
-----------------
The below describes the programming model around using context lock types.
.. note::
Enabling context analysis can be seen as enabling a dialect of Linux C with
a Context System. Some valid patterns involving complex control-flow are
constrained (such as conditional acquisition and later conditional release
in the same function).
Context analysis is a way to specify permissibility of operations to depend on
context locks being held (or not held). Typically we are interested in
protecting data and code in a critical section by requiring a specific context
to be active, for example by holding a specific lock. The analysis ensures that
callers cannot perform an operation without the required context being active.
Context locks are associated with named structs, along with functions that
operate on struct instances to acquire and release the associated context lock.
Context locks can be held either exclusively or shared. This mechanism allows
assigning more precise privileges when a context is active, typically to
distinguish where a thread may only read (shared) or also write (exclusive) to
data guarded within a context.
The set of contexts that are actually active in a given thread at a given point
in program execution is a run-time concept. The static analysis works by
calculating an approximation of that set, called the context environment. The
context environment is calculated for every program point, and describes the
set of contexts that are statically known to be active, or inactive, at that
particular point. This environment is a conservative approximation of the full
set of contexts that will actually be active in a thread at run-time.
More details are also documented `here
<https://clang.llvm.org/docs/ThreadSafetyAnalysis.html>`_.
.. note::
Clang's analysis explicitly does not infer context locks acquired or
released by inline functions. It requires explicit annotations to (a) assert
that it's not a bug if a context lock is released or acquired, and (b) to
retain consistency between inline and non-inline function declarations.
Supported Kernel Primitives
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Currently the following synchronization primitives are supported:
`raw_spinlock_t`, `spinlock_t`, `rwlock_t`, `mutex`, `seqlock_t`,
`bit_spinlock`, RCU, SRCU (`srcu_struct`), `rw_semaphore`, `local_lock_t`,
`ww_mutex`.
To initialize variables guarded by a context lock with an initialization
function (``type_init(&lock)``), prefer using ``guard(type_init)(&lock)`` or
``scoped_guard(type_init, &lock) { ... }`` to initialize such guarded members
or globals in the enclosing scope. This initializes the context lock and treats
the context as active within the initialization scope (initialization implies
exclusive access to the underlying object).
For example::
struct my_data {
spinlock_t lock;
int counter __guarded_by(&lock);
};
void init_my_data(struct my_data *d)
{
...
guard(spinlock_init)(&d->lock);
d->counter = 0;
...
}
Alternatively, initializing guarded variables can be done with context analysis
disabled, preferably in the smallest possible scope (due to lack of any other
checking): either with a ``context_unsafe(var = init)`` expression, or by
marking small initialization functions with the ``__context_unsafe(init)``
attribute.
Lockdep assertions, such as `lockdep_assert_held()`, inform the compiler's
context analysis that the associated synchronization primitive is held after
the assertion. This avoids false positives in complex control-flow scenarios
and encourages the use of Lockdep where static analysis is limited. For
example, this is useful when a function doesn't *always* require a lock, making
`__must_hold()` inappropriate.
Keywords
~~~~~~~~
.. kernel-doc:: include/linux/compiler-context-analysis.h
:identifiers: context_lock_struct
token_context_lock token_context_lock_instance
__guarded_by __pt_guarded_by
__must_hold
__must_not_hold
__acquires
__cond_acquires
__releases
__must_hold_shared
__acquires_shared
__cond_acquires_shared
__releases_shared
__acquire
__release
__acquire_shared
__release_shared
__acquire_ret
__acquire_shared_ret
context_unsafe
__context_unsafe
disable_context_analysis enable_context_analysis
.. note::
The function attribute `__no_context_analysis` is reserved for internal
implementation of context lock types, and should be avoided in normal code.
Background
----------
Clang originally called the feature `Thread Safety Analysis
<https://clang.llvm.org/docs/ThreadSafetyAnalysis.html>`_, with some keywords
and documentation still using the thread-safety-analysis-only terminology. This
was later changed and the feature became more flexible, gaining the ability to
define custom "capabilities". Its foundations can be found in `Capability
Systems <https://www.cs.cornell.edu/talc/papers/capabilities.pdf>`_, used to
specify the permissibility of operations to depend on some "capability" being
held (or not held).
Because the feature is not just able to express capabilities related to
synchronization primitives, and "capability" is already overloaded in the
kernel, the naming chosen for the kernel departs from Clang's initial "Thread
Safety" and "capability" nomenclature; we refer to the feature as "Context
Analysis" to avoid confusion. The internal implementation still makes
references to Clang's terminology in a few places, such as `-Wthread-safety`
being the warning option that also still appears in diagnostic messages.
Reference in New Issue View Git Blame Copy Permalink