Re: [PATCH RFC 00/33] Compile-time thread-safety checking

[Marco Elver]

On Fri, 7 Feb 2025 at 18:46, Bart Van Assche <bvanassche@xxxxxxx> wrote:
>
> On 2/7/25 1:08 AM, Peter Zijlstra wrote:
> > On Fri, Feb 07, 2025 at 10:05:47AM +0100, Marco Elver wrote:
> >> Yes, you can add multiple guarded_by. But it's just going to enforce
> >> that you need to hold both locks before you access the member. If you
> >> want the rules to be more complex, the best way to express that is with
> >> some helpers. E.g. something like this (tested on top my series)
> >
> > Oh gawd, this is going to be a pain, isn't it :/
>
> The Clang thread-safety annotations are used widely so behavior of
> existing attributes must be preserved. I propose to introduce new
> thread-safety attributes when useful to annotate kernel code.

Agreed - we can't change the existing semantics, but if absolutely
necessary we could think about extensions (which I already started for
something else: https://github.com/llvm/llvm-project/pull/123063)

> As an
> example, the Clang try_acquire_capability function attribute does not
> support functions that return pointers although this is a common pattern
> in the Linux kernel. I think that introducing a new function attribute
> to support functions that return pointers is a better solution than
> trying to annotate such functions with any of the existing Clang
> thread-safety attributes.

try_acquire_capability / __cond_acquires(cond, capability) is happy
with pointer-returning functions when using int-literals for "cond"
i.e. 0 or 1 (Clang's documentation says it only wants bool, but that's
wrong). I just tested this on a pointer-returning function, and it
works.