| Message ID | 20230117135203.3049709-3-eesposit@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | TSA: make sure QEMU compiles when using clang TSA | expand |
On Tue, Jan 17, 2023 at 6:52 AM Emanuele Giuseppe Esposito < eesposit@redhat.com> wrote: > QEMU does not compile when enabling clang's thread safety analysis > (TSA), > because some functions create wrappers for pthread mutexes but do > not use any TSA macro. Therefore the compiler fails. > > In order to make the compiler happy and avoid adding all the > necessary macros to all callers (lock functions should use > TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers of > pthread_mutex_lock/pthread_mutex_unlock), > simply use TSA_NO_TSA to supppress such warnings. > I'm not sure I understand this quite right. Maybe a clarifying question will help me understand: Why is this needed for bsd-user but not linux-user? How are they different here? Warner > Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com> > --- > bsd-user/qemu.h | 5 +++-- > include/exec/exec-all.h | 5 +++-- > 2 files changed, 6 insertions(+), 4 deletions(-) > > diff --git a/bsd-user/qemu.h b/bsd-user/qemu.h > index be6105385e..711fdd1b64 100644 > --- a/bsd-user/qemu.h > +++ b/bsd-user/qemu.h > @@ -37,6 +37,7 @@ extern char **environ; > #include "target_os_signal.h" > #include "target.h" > #include "exec/gdbstub.h" > +#include "qemu/clang-tsa.h" > > /* > * This struct is used to hold certain information about the image. > Basically, > @@ -235,8 +236,8 @@ int target_msync(abi_ulong start, abi_ulong len, int > flags); > extern unsigned long last_brk; > extern abi_ulong mmap_next_start; > abi_ulong mmap_find_vma(abi_ulong start, abi_ulong size); > -void mmap_fork_start(void); > -void mmap_fork_end(int child); > +void TSA_NO_TSA mmap_fork_start(void); > +void TSA_NO_TSA mmap_fork_end(int child); > > /* main.c */ > extern char qemu_proc_pathname[]; > diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h > index 25e11b0a8d..4f0c0559ac 100644 > --- a/include/exec/exec-all.h > +++ b/include/exec/exec-all.h > @@ -25,6 +25,7 @@ > #include "exec/cpu_ldst.h" > #endif > #include "qemu/interval-tree.h" > +#include "qemu/clang-tsa.h" > > /* allow to see translation results - the slowdown should be negligible, > so we leave it */ > #define DEBUG_DISAS > @@ -758,8 +759,8 @@ static inline tb_page_addr_t > get_page_addr_code(CPUArchState *env, > } > > #if defined(CONFIG_USER_ONLY) > -void mmap_lock(void); > -void mmap_unlock(void); > +void TSA_NO_TSA mmap_lock(void); > +void TSA_NO_TSA mmap_unlock(void); > bool have_mmap_lock(void); > > /** > -- > 2.39.0 > >
Am 17/01/2023 um 17:16 schrieb Warner Losh: > > > On Tue, Jan 17, 2023 at 6:52 AM Emanuele Giuseppe Esposito > <eesposit@redhat.com <mailto:eesposit@redhat.com>> wrote: > > QEMU does not compile when enabling clang's thread safety analysis > (TSA), > because some functions create wrappers for pthread mutexes but do > not use any TSA macro. Therefore the compiler fails. > > In order to make the compiler happy and avoid adding all the > necessary macros to all callers (lock functions should use > TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers > of pthread_mutex_lock/pthread_mutex_unlock), > simply use TSA_NO_TSA to supppress such warnings. > > > I'm not sure I understand this quite right. Maybe a clarifying question > will help me understand: Why is this needed for bsd-user but not > linux-user? How are they different here? > Honestly I just went and fix the warnings that the compiler was throwing at me. On FreeBSD it complains on bsd-user/mmap.c, but apparently the CI or even compiling locally in linux doesn't create any issue with linux-user. Weird. But I guess it won't hurt to add TSA_NO_TSA there too. Emanuele > Warner > > > Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com > <mailto:eesposit@redhat.com>> > --- > bsd-user/qemu.h | 5 +++-- > include/exec/exec-all.h | 5 +++-- > 2 files changed, 6 insertions(+), 4 deletions(-) > > diff --git a/bsd-user/qemu.h b/bsd-user/qemu.h > index be6105385e..711fdd1b64 100644 > --- a/bsd-user/qemu.h > +++ b/bsd-user/qemu.h > @@ -37,6 +37,7 @@ extern char **environ; > #include "target_os_signal.h" > #include "target.h" > #include "exec/gdbstub.h" > +#include "qemu/clang-tsa.h" > > /* > * This struct is used to hold certain information about the > image. Basically, > @@ -235,8 +236,8 @@ int target_msync(abi_ulong start, abi_ulong len, > int flags); > extern unsigned long last_brk; > extern abi_ulong mmap_next_start; > abi_ulong mmap_find_vma(abi_ulong start, abi_ulong size); > -void mmap_fork_start(void); > -void mmap_fork_end(int child); > +void TSA_NO_TSA mmap_fork_start(void); > +void TSA_NO_TSA mmap_fork_end(int child); > > /* main.c */ > extern char qemu_proc_pathname[]; > diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h > index 25e11b0a8d..4f0c0559ac 100644 > --- a/include/exec/exec-all.h > +++ b/include/exec/exec-all.h > @@ -25,6 +25,7 @@ > #include "exec/cpu_ldst.h" > #endif > #include "qemu/interval-tree.h" > +#include "qemu/clang-tsa.h" > > /* allow to see translation results - the slowdown should be > negligible, so we leave it */ > #define DEBUG_DISAS > @@ -758,8 +759,8 @@ static inline tb_page_addr_t > get_page_addr_code(CPUArchState *env, > } > > #if defined(CONFIG_USER_ONLY) > -void mmap_lock(void); > -void mmap_unlock(void); > +void TSA_NO_TSA mmap_lock(void); > +void TSA_NO_TSA mmap_unlock(void); > bool have_mmap_lock(void); > > /** > -- > 2.39.0 >
Am 17.01.2023 um 17:16 hat Warner Losh geschrieben: > On Tue, Jan 17, 2023 at 6:52 AM Emanuele Giuseppe Esposito < > eesposit@redhat.com> wrote: > > > QEMU does not compile when enabling clang's thread safety analysis > > (TSA), > > because some functions create wrappers for pthread mutexes but do > > not use any TSA macro. Therefore the compiler fails. > > > > In order to make the compiler happy and avoid adding all the > > necessary macros to all callers (lock functions should use > > TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers of > > pthread_mutex_lock/pthread_mutex_unlock), > > simply use TSA_NO_TSA to supppress such warnings. > > I'm not sure I understand this quite right. Maybe a clarifying question > will help me understand: Why is this needed for bsd-user but not > linux-user? How are they different here? FreeBSD's pthread headers include TSA annotations for some functions that force us to do something about them (for now: suppress the warnings in their callers) before we can enable -Wthread-safety for the purposes where we really want it. Without this, calling functions like pthread_mutex_lock() would cause compiler errors. glibc's headers don't contain such annotations, so the same is not necessary on Linux. Kevin
On Tue, Jan 17, 2023 at 08:52:02AM -0500, Emanuele Giuseppe Esposito wrote: > QEMU does not compile when enabling clang's thread safety analysis > (TSA), > because some functions create wrappers for pthread mutexes but do > not use any TSA macro. Therefore the compiler fails. > > In order to make the compiler happy and avoid adding all the > necessary macros to all callers (lock functions should use > TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers of pthread_mutex_lock/pthread_mutex_unlock), > simply use TSA_NO_TSA to supppress such warnings. > > Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com> > --- > bsd-user/qemu.h | 5 +++-- > include/exec/exec-all.h | 5 +++-- > 2 files changed, 6 insertions(+), 4 deletions(-) As a TSA newbie I'm wondering how would we go about annotating this properly? Maybe: 1. mmap_lock() ACQUIRE(), mmap_unlock() RELEASE() 2. Find all functions that call mmap_lock() but not mmap_release() and add ACQUIRE(). 3. Find all functions that call mmap_unlock() but not mmap_lock() and add RELEASE(). Can you add an item to https://wiki.qemu.org/BiteSizedTasks so someone who wants to spend a few hours auditing the code can do this? Thanks!
On Tue, Jan 17, 2023 at 9:25 AM Kevin Wolf <kwolf@redhat.com> wrote: > Am 17.01.2023 um 17:16 hat Warner Losh geschrieben: > > On Tue, Jan 17, 2023 at 6:52 AM Emanuele Giuseppe Esposito < > > eesposit@redhat.com> wrote: > > > > > QEMU does not compile when enabling clang's thread safety analysis > > > (TSA), > > > because some functions create wrappers for pthread mutexes but do > > > not use any TSA macro. Therefore the compiler fails. > > > > > > In order to make the compiler happy and avoid adding all the > > > necessary macros to all callers (lock functions should use > > > TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers of > > > pthread_mutex_lock/pthread_mutex_unlock), > > > simply use TSA_NO_TSA to supppress such warnings. > > > > I'm not sure I understand this quite right. Maybe a clarifying question > > will help me understand: Why is this needed for bsd-user but not > > linux-user? How are they different here? > > FreeBSD's pthread headers include TSA annotations for some functions > that force us to do something about them (for now: suppress the warnings > in their callers) before we can enable -Wthread-safety for the purposes > where we really want it. Without this, calling functions like > pthread_mutex_lock() would cause compiler errors. > > glibc's headers don't contain such annotations, so the same is not > necessary on Linux > Thanks Kevin. With that explanation, these patches and their explanation make perfect sense now. Often when there's a patch to bsd-user but not linux-user, it's because bsd-user needs to do more in some way (which I try to keep up on). In this case, it's because FreeBSD's libc is a bit ahead of the curve. So I understand why it's needed, and what I need to do next (though I think that I may have to wait for the rest of qemu to be annotated)... It might be better, though, to put some of this information in the commit message so it isn't just on the mailing list. Just a suggestion: Reviewed-by: Warner Losh <imp@bsdimp.com>
Am 17.01.2023 um 17:43 hat Warner Losh geschrieben: > On Tue, Jan 17, 2023 at 9:25 AM Kevin Wolf <kwolf@redhat.com> wrote: > > > Am 17.01.2023 um 17:16 hat Warner Losh geschrieben: > > > On Tue, Jan 17, 2023 at 6:52 AM Emanuele Giuseppe Esposito < > > > eesposit@redhat.com> wrote: > > > > > > > QEMU does not compile when enabling clang's thread safety analysis > > > > (TSA), > > > > because some functions create wrappers for pthread mutexes but do > > > > not use any TSA macro. Therefore the compiler fails. > > > > > > > > In order to make the compiler happy and avoid adding all the > > > > necessary macros to all callers (lock functions should use > > > > TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers of > > > > pthread_mutex_lock/pthread_mutex_unlock), > > > > simply use TSA_NO_TSA to supppress such warnings. > > > > > > I'm not sure I understand this quite right. Maybe a clarifying question > > > will help me understand: Why is this needed for bsd-user but not > > > linux-user? How are they different here? > > > > FreeBSD's pthread headers include TSA annotations for some functions > > that force us to do something about them (for now: suppress the warnings > > in their callers) before we can enable -Wthread-safety for the purposes > > where we really want it. Without this, calling functions like > > pthread_mutex_lock() would cause compiler errors. > > > > glibc's headers don't contain such annotations, so the same is not > > necessary on Linux > > > > Thanks Kevin. With that explanation, these patches and their explanation > make perfect sense now. Often when there's a patch to bsd-user but not > linux-user, it's because bsd-user needs to do more in some way (which I try > to keep up on). > > In this case, it's because FreeBSD's libc is a bit ahead of the curve. So I > understand why it's needed, and what I need to do next (though I think that > I may have to wait for the rest of qemu to be annotated)... I assume that the bsd-user part is actually sufficiently independent that you could do proper annotations there if you want. However, be aware that TSA has some serious limitations with C, so you can't express certain things, and it isn't as strict as it could be (in particular, function pointers bypass it). As long as you have global locks (as opposed to locks in structs), it kind of works, though. Certainly better than nothing. But it probably means that some of the rest of QEMU may never get the annotations. Also, our primary goal is protecting the block layer, so someone else would have to work on other locks. With checks disabled on individual functions like in this series, it should at least be possible to work on it incrementally. > It might be better, though, to put some of this information in the commit > message so it isn't just on the mailing list. Yes, I agree. We can tweak the commit messages before merging it. > Just a suggestion: > > Reviewed-by: Warner Losh <imp@bsdimp.com> Thanks! Kevin
On Tue, 17 Jan 2023 at 12:17, Kevin Wolf <kwolf@redhat.com> wrote: > > Am 17.01.2023 um 17:43 hat Warner Losh geschrieben: > > On Tue, Jan 17, 2023 at 9:25 AM Kevin Wolf <kwolf@redhat.com> wrote: > > > > > Am 17.01.2023 um 17:16 hat Warner Losh geschrieben: > > > > On Tue, Jan 17, 2023 at 6:52 AM Emanuele Giuseppe Esposito < > > > > eesposit@redhat.com> wrote: > > > > > > > > > QEMU does not compile when enabling clang's thread safety analysis > > > > > (TSA), > > > > > because some functions create wrappers for pthread mutexes but do > > > > > not use any TSA macro. Therefore the compiler fails. > > > > > > > > > > In order to make the compiler happy and avoid adding all the > > > > > necessary macros to all callers (lock functions should use > > > > > TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers of > > > > > pthread_mutex_lock/pthread_mutex_unlock), > > > > > simply use TSA_NO_TSA to supppress such warnings. > > > > > > > > I'm not sure I understand this quite right. Maybe a clarifying question > > > > will help me understand: Why is this needed for bsd-user but not > > > > linux-user? How are they different here? > > > > > > FreeBSD's pthread headers include TSA annotations for some functions > > > that force us to do something about them (for now: suppress the warnings > > > in their callers) before we can enable -Wthread-safety for the purposes > > > where we really want it. Without this, calling functions like > > > pthread_mutex_lock() would cause compiler errors. > > > > > > glibc's headers don't contain such annotations, so the same is not > > > necessary on Linux > > > > > > > Thanks Kevin. With that explanation, these patches and their explanation > > make perfect sense now. Often when there's a patch to bsd-user but not > > linux-user, it's because bsd-user needs to do more in some way (which I try > > to keep up on). > > > > In this case, it's because FreeBSD's libc is a bit ahead of the curve. So I > > understand why it's needed, and what I need to do next (though I think that > > I may have to wait for the rest of qemu to be annotated)... > > I assume that the bsd-user part is actually sufficiently independent > that you could do proper annotations there if you want. > > However, be aware that TSA has some serious limitations with C, so you > can't express certain things, and it isn't as strict as it could be (in > particular, function pointers bypass it). As long as you have global > locks (as opposed to locks in structs), it kind of works, though. > Certainly better than nothing. What are the limitations on locks in structs (a common case)? Stefan
Am 17.01.2023 um 21:43 hat Stefan Hajnoczi geschrieben: > On Tue, 17 Jan 2023 at 12:17, Kevin Wolf <kwolf@redhat.com> wrote: > > > > Am 17.01.2023 um 17:43 hat Warner Losh geschrieben: > > > On Tue, Jan 17, 2023 at 9:25 AM Kevin Wolf <kwolf@redhat.com> wrote: > > > > > > > Am 17.01.2023 um 17:16 hat Warner Losh geschrieben: > > > > > On Tue, Jan 17, 2023 at 6:52 AM Emanuele Giuseppe Esposito < > > > > > eesposit@redhat.com> wrote: > > > > > > > > > > > QEMU does not compile when enabling clang's thread safety analysis > > > > > > (TSA), > > > > > > because some functions create wrappers for pthread mutexes but do > > > > > > not use any TSA macro. Therefore the compiler fails. > > > > > > > > > > > > In order to make the compiler happy and avoid adding all the > > > > > > necessary macros to all callers (lock functions should use > > > > > > TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers of > > > > > > pthread_mutex_lock/pthread_mutex_unlock), > > > > > > simply use TSA_NO_TSA to supppress such warnings. > > > > > > > > > > I'm not sure I understand this quite right. Maybe a clarifying question > > > > > will help me understand: Why is this needed for bsd-user but not > > > > > linux-user? How are they different here? > > > > > > > > FreeBSD's pthread headers include TSA annotations for some functions > > > > that force us to do something about them (for now: suppress the warnings > > > > in their callers) before we can enable -Wthread-safety for the purposes > > > > where we really want it. Without this, calling functions like > > > > pthread_mutex_lock() would cause compiler errors. > > > > > > > > glibc's headers don't contain such annotations, so the same is not > > > > necessary on Linux > > > > > > > > > > Thanks Kevin. With that explanation, these patches and their explanation > > > make perfect sense now. Often when there's a patch to bsd-user but not > > > linux-user, it's because bsd-user needs to do more in some way (which I try > > > to keep up on). > > > > > > In this case, it's because FreeBSD's libc is a bit ahead of the curve. So I > > > understand why it's needed, and what I need to do next (though I think that > > > I may have to wait for the rest of qemu to be annotated)... > > > > I assume that the bsd-user part is actually sufficiently independent > > that you could do proper annotations there if you want. > > > > However, be aware that TSA has some serious limitations with C, so you > > can't express certain things, and it isn't as strict as it could be (in > > particular, function pointers bypass it). As long as you have global > > locks (as opposed to locks in structs), it kind of works, though. > > Certainly better than nothing. > > What are the limitations on locks in structs (a common case)? TSA_GUARDED_BY() can't refer to a mutex in the same struct in C. You would have to have something like 'this', but it just doesn't exist. (I think in C++ you don't actually need 'this' because name resolution automatically starts at the struct or something - I neither know C++ well enough nor TSA with it, so take this with a grain of salt.) You can still annotate functions for such structs in C, because then you have a name for the struct, like this: void lock(Foo *foo) TSA_REQUIRES(foo->mutex); Kevin
On Wed, Jan 18, 2023, 04:15 Kevin Wolf <kwolf@redhat.com> wrote: > Am 17.01.2023 um 21:43 hat Stefan Hajnoczi geschrieben: > > On Tue, 17 Jan 2023 at 12:17, Kevin Wolf <kwolf@redhat.com> wrote: > > > > > > Am 17.01.2023 um 17:43 hat Warner Losh geschrieben: > > > > On Tue, Jan 17, 2023 at 9:25 AM Kevin Wolf <kwolf@redhat.com> wrote: > > > > > > > > > Am 17.01.2023 um 17:16 hat Warner Losh geschrieben: > > > > > > On Tue, Jan 17, 2023 at 6:52 AM Emanuele Giuseppe Esposito < > > > > > > eesposit@redhat.com> wrote: > > > > > > > > > > > > > QEMU does not compile when enabling clang's thread safety > analysis > > > > > > > (TSA), > > > > > > > because some functions create wrappers for pthread mutexes but > do > > > > > > > not use any TSA macro. Therefore the compiler fails. > > > > > > > > > > > > > > In order to make the compiler happy and avoid adding all the > > > > > > > necessary macros to all callers (lock functions should use > > > > > > > TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to > allusers of > > > > > > > pthread_mutex_lock/pthread_mutex_unlock), > > > > > > > simply use TSA_NO_TSA to supppress such warnings. > > > > > > > > > > > > I'm not sure I understand this quite right. Maybe a clarifying > question > > > > > > will help me understand: Why is this needed for bsd-user but not > > > > > > linux-user? How are they different here? > > > > > > > > > > FreeBSD's pthread headers include TSA annotations for some > functions > > > > > that force us to do something about them (for now: suppress the > warnings > > > > > in their callers) before we can enable -Wthread-safety for the > purposes > > > > > where we really want it. Without this, calling functions like > > > > > pthread_mutex_lock() would cause compiler errors. > > > > > > > > > > glibc's headers don't contain such annotations, so the same is not > > > > > necessary on Linux > > > > > > > > > > > > > Thanks Kevin. With that explanation, these patches and their > explanation > > > > make perfect sense now. Often when there's a patch to bsd-user but > not > > > > linux-user, it's because bsd-user needs to do more in some way > (which I try > > > > to keep up on). > > > > > > > > In this case, it's because FreeBSD's libc is a bit ahead of the > curve. So I > > > > understand why it's needed, and what I need to do next (though I > think that > > > > I may have to wait for the rest of qemu to be annotated)... > > > > > > I assume that the bsd-user part is actually sufficiently independent > > > that you could do proper annotations there if you want. > > > > > > However, be aware that TSA has some serious limitations with C, so you > > > can't express certain things, and it isn't as strict as it could be (in > > > particular, function pointers bypass it). As long as you have global > > > locks (as opposed to locks in structs), it kind of works, though. > > > Certainly better than nothing. > > > > What are the limitations on locks in structs (a common case)? > > TSA_GUARDED_BY() can't refer to a mutex in the same struct in C. You > would have to have something like 'this', but it just doesn't exist. (I > think in C++ you don't actually need 'this' because name resolution > automatically starts at the struct or something - I neither know C++ > well enough nor TSA with it, so take this with a grain of salt.) > > You can still annotate functions for such structs in C, because then you > have a name for the struct, like this: > > void lock(Foo *foo) TSA_REQUIRES(foo->mutex); > Thanks for the explanation! Stefan >
Am 17/01/2023 um 18:17 schrieb Kevin Wolf: > Am 17.01.2023 um 17:43 hat Warner Losh geschrieben: >> On Tue, Jan 17, 2023 at 9:25 AM Kevin Wolf <kwolf@redhat.com> wrote: >> >>> Am 17.01.2023 um 17:16 hat Warner Losh geschrieben: >>>> On Tue, Jan 17, 2023 at 6:52 AM Emanuele Giuseppe Esposito < >>>> eesposit@redhat.com> wrote: >>>> >>>>> QEMU does not compile when enabling clang's thread safety analysis >>>>> (TSA), >>>>> because some functions create wrappers for pthread mutexes but do >>>>> not use any TSA macro. Therefore the compiler fails. >>>>> >>>>> In order to make the compiler happy and avoid adding all the >>>>> necessary macros to all callers (lock functions should use >>>>> TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers of >>>>> pthread_mutex_lock/pthread_mutex_unlock), >>>>> simply use TSA_NO_TSA to supppress such warnings. >>>> >>>> I'm not sure I understand this quite right. Maybe a clarifying question >>>> will help me understand: Why is this needed for bsd-user but not >>>> linux-user? How are they different here? >>> >>> FreeBSD's pthread headers include TSA annotations for some functions >>> that force us to do something about them (for now: suppress the warnings >>> in their callers) before we can enable -Wthread-safety for the purposes >>> where we really want it. Without this, calling functions like >>> pthread_mutex_lock() would cause compiler errors. >>> >>> glibc's headers don't contain such annotations, so the same is not >>> necessary on Linux >>> >> >> Thanks Kevin. With that explanation, these patches and their explanation >> make perfect sense now. Often when there's a patch to bsd-user but not >> linux-user, it's because bsd-user needs to do more in some way (which I try >> to keep up on). >> >> In this case, it's because FreeBSD's libc is a bit ahead of the curve. So I >> understand why it's needed, and what I need to do next (though I think that >> I may have to wait for the rest of qemu to be annotated)... > > I assume that the bsd-user part is actually sufficiently independent > that you could do proper annotations there if you want. > > However, be aware that TSA has some serious limitations with C, so you > can't express certain things, and it isn't as strict as it could be (in > particular, function pointers bypass it). As long as you have global > locks (as opposed to locks in structs), it kind of works, though. > Certainly better than nothing. > > But it probably means that some of the rest of QEMU may never get the > annotations. Also, our primary goal is protecting the block layer, so > someone else would have to work on other locks. With checks disabled on > individual functions like in this series, it should at least be possible > to work on it incrementally. > >> It might be better, though, to put some of this information in the commit >> message so it isn't just on the mailing list. > > Yes, I agree. We can tweak the commit messages before merging it. New proposed commit message: bsd-user/mmap: use TSA_NO_TSA to suppress clang TSA warnings in FreeBSD FreeBSD implements pthread headers using TSA (thread safety analysis) annotations, therefore when an application is compiled with -Wthread-safety there are some locking/annotation requirements that the user of the pthread API has to follow. This will also be the case in QEMU, since bsd-user/mmap.c uses the pthread API. Therefore when building it with -Wthread-safety the compiler will throw warnings because the functions are not properly annotated. We need TSA to be enabled because it ensures that the critical sections of an annotated variable are properly locked. In order to make the compiler happy and avoid adding all the necessary macros to all callers (lock functions should use TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to all users of pthread_mutex_lock/pthread_mutex_unlock), simply use TSA_NO_TSA to supppress such warnings. Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com> Same message could be applied to patch 1, substituting bsd-user/mmap with util/qemu-thread-posix. Thank you, Emanuele > >> Just a suggestion: >> >> Reviewed-by: Warner Losh <imp@bsdimp.com> > > Thanks! > > Kevin >
On Wed, Jan 18, 2023 at 04:12:09PM +0100, Emanuele Giuseppe Esposito wrote: > > > Am 17/01/2023 um 18:17 schrieb Kevin Wolf: > > Am 17.01.2023 um 17:43 hat Warner Losh geschrieben: > >> On Tue, Jan 17, 2023 at 9:25 AM Kevin Wolf <kwolf@redhat.com> wrote: > >> > >>> Am 17.01.2023 um 17:16 hat Warner Losh geschrieben: > >>>> On Tue, Jan 17, 2023 at 6:52 AM Emanuele Giuseppe Esposito < > >>>> eesposit@redhat.com> wrote: > >>>> > >>>>> QEMU does not compile when enabling clang's thread safety analysis > >>>>> (TSA), > >>>>> because some functions create wrappers for pthread mutexes but do > >>>>> not use any TSA macro. Therefore the compiler fails. > >>>>> > >>>>> In order to make the compiler happy and avoid adding all the > >>>>> necessary macros to all callers (lock functions should use > >>>>> TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers of > >>>>> pthread_mutex_lock/pthread_mutex_unlock), > >>>>> simply use TSA_NO_TSA to supppress such warnings. > >>>> > >>>> I'm not sure I understand this quite right. Maybe a clarifying question > >>>> will help me understand: Why is this needed for bsd-user but not > >>>> linux-user? How are they different here? > >>> > >>> FreeBSD's pthread headers include TSA annotations for some functions > >>> that force us to do something about them (for now: suppress the warnings > >>> in their callers) before we can enable -Wthread-safety for the purposes > >>> where we really want it. Without this, calling functions like > >>> pthread_mutex_lock() would cause compiler errors. > >>> > >>> glibc's headers don't contain such annotations, so the same is not > >>> necessary on Linux > >>> > >> > >> Thanks Kevin. With that explanation, these patches and their explanation > >> make perfect sense now. Often when there's a patch to bsd-user but not > >> linux-user, it's because bsd-user needs to do more in some way (which I try > >> to keep up on). > >> > >> In this case, it's because FreeBSD's libc is a bit ahead of the curve. So I > >> understand why it's needed, and what I need to do next (though I think that > >> I may have to wait for the rest of qemu to be annotated)... > > > > I assume that the bsd-user part is actually sufficiently independent > > that you could do proper annotations there if you want. > > > > However, be aware that TSA has some serious limitations with C, so you > > can't express certain things, and it isn't as strict as it could be (in > > particular, function pointers bypass it). As long as you have global > > locks (as opposed to locks in structs), it kind of works, though. > > Certainly better than nothing. > > > > But it probably means that some of the rest of QEMU may never get the > > annotations. Also, our primary goal is protecting the block layer, so > > someone else would have to work on other locks. With checks disabled on > > individual functions like in this series, it should at least be possible > > to work on it incrementally. > > > >> It might be better, though, to put some of this information in the commit > >> message so it isn't just on the mailing list. > > > > Yes, I agree. We can tweak the commit messages before merging it. > > New proposed commit message: > > bsd-user/mmap: use TSA_NO_TSA to suppress clang TSA warnings in FreeBSD > > FreeBSD implements pthread headers using TSA (thread safety analysis) > annotations, therefore when an application is compiled with -Wthread-safety > there are some locking/annotation requirements that the user of the > pthread API has to follow. > > This will also be the case in QEMU, since bsd-user/mmap.c uses the > pthread API. Therefore when building it with -Wthread-safety the > compiler will throw warnings because the functions are not properly > annotated. We need TSA to be enabled because it ensures > that the critical sections of an annotated variable are properly > locked. > > In order to make the compiler happy and avoid adding all the > necessary macros to all callers (lock functions should use > TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to all > users of pthread_mutex_lock/pthread_mutex_unlock), > simply use TSA_NO_TSA to supppress such warnings. > > Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com> > > Same message could be applied to patch 1, substituting bsd-user/mmap > with util/qemu-thread-posix. Looks good to me. Stefan
On Wed, Jan 18, 2023 at 8:12 AM Emanuele Giuseppe Esposito < eesposit@redhat.com> wrote: > > > Am 17/01/2023 um 18:17 schrieb Kevin Wolf: > > Am 17.01.2023 um 17:43 hat Warner Losh geschrieben: > >> On Tue, Jan 17, 2023 at 9:25 AM Kevin Wolf <kwolf@redhat.com> wrote: > >> > >>> Am 17.01.2023 um 17:16 hat Warner Losh geschrieben: > >>>> On Tue, Jan 17, 2023 at 6:52 AM Emanuele Giuseppe Esposito < > >>>> eesposit@redhat.com> wrote: > >>>> > >>>>> QEMU does not compile when enabling clang's thread safety analysis > >>>>> (TSA), > >>>>> because some functions create wrappers for pthread mutexes but do > >>>>> not use any TSA macro. Therefore the compiler fails. > >>>>> > >>>>> In order to make the compiler happy and avoid adding all the > >>>>> necessary macros to all callers (lock functions should use > >>>>> TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers > of > >>>>> pthread_mutex_lock/pthread_mutex_unlock), > >>>>> simply use TSA_NO_TSA to supppress such warnings. > >>>> > >>>> I'm not sure I understand this quite right. Maybe a clarifying > question > >>>> will help me understand: Why is this needed for bsd-user but not > >>>> linux-user? How are they different here? > >>> > >>> FreeBSD's pthread headers include TSA annotations for some functions > >>> that force us to do something about them (for now: suppress the > warnings > >>> in their callers) before we can enable -Wthread-safety for the purposes > >>> where we really want it. Without this, calling functions like > >>> pthread_mutex_lock() would cause compiler errors. > >>> > >>> glibc's headers don't contain such annotations, so the same is not > >>> necessary on Linux > >>> > >> > >> Thanks Kevin. With that explanation, these patches and their explanation > >> make perfect sense now. Often when there's a patch to bsd-user but not > >> linux-user, it's because bsd-user needs to do more in some way (which I > try > >> to keep up on). > >> > >> In this case, it's because FreeBSD's libc is a bit ahead of the curve. > So I > >> understand why it's needed, and what I need to do next (though I think > that > >> I may have to wait for the rest of qemu to be annotated)... > > > > I assume that the bsd-user part is actually sufficiently independent > > that you could do proper annotations there if you want. > > > > However, be aware that TSA has some serious limitations with C, so you > > can't express certain things, and it isn't as strict as it could be (in > > particular, function pointers bypass it). As long as you have global > > locks (as opposed to locks in structs), it kind of works, though. > > Certainly better than nothing. > > > > But it probably means that some of the rest of QEMU may never get the > > annotations. Also, our primary goal is protecting the block layer, so > > someone else would have to work on other locks. With checks disabled on > > individual functions like in this series, it should at least be possible > > to work on it incrementally. > > > >> It might be better, though, to put some of this information in the > commit > >> message so it isn't just on the mailing list. > > > > Yes, I agree. We can tweak the commit messages before merging it. > > New proposed commit message: > > bsd-user/mmap: use TSA_NO_TSA to suppress clang TSA warnings in FreeBSD > > FreeBSD implements pthread headers using TSA (thread safety analysis) > annotations, therefore when an application is compiled with -Wthread-safety > there are some locking/annotation requirements that the user of the > pthread API has to follow. > > This will also be the case in QEMU, since bsd-user/mmap.c uses the > pthread API. Therefore when building it with -Wthread-safety the > compiler will throw warnings because the functions are not properly > annotated. We need TSA to be enabled because it ensures > that the critical sections of an annotated variable are properly > locked. > > In order to make the compiler happy and avoid adding all the > necessary macros to all callers (lock functions should use > TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to all > users of pthread_mutex_lock/pthread_mutex_unlock), > simply use TSA_NO_TSA to supppress such warnings. > Looks good to me. Warner > Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com> > > Same message could be applied to patch 1, substituting bsd-user/mmap > with util/qemu-thread-posix. > > > Thank you, > Emanuele > > > > >> Just a suggestion: > >> > >> Reviewed-by: Warner Losh <imp@bsdimp.com> > > > > Thanks! > > > > Kevin > > > >
diff --git a/bsd-user/qemu.h b/bsd-user/qemu.h index be6105385e..711fdd1b64 100644 --- a/bsd-user/qemu.h +++ b/bsd-user/qemu.h @@ -37,6 +37,7 @@ extern char **environ; #include "target_os_signal.h" #include "target.h" #include "exec/gdbstub.h" +#include "qemu/clang-tsa.h" /* * This struct is used to hold certain information about the image. Basically, @@ -235,8 +236,8 @@ int target_msync(abi_ulong start, abi_ulong len, int flags); extern unsigned long last_brk; extern abi_ulong mmap_next_start; abi_ulong mmap_find_vma(abi_ulong start, abi_ulong size); -void mmap_fork_start(void); -void mmap_fork_end(int child); +void TSA_NO_TSA mmap_fork_start(void); +void TSA_NO_TSA mmap_fork_end(int child); /* main.c */ extern char qemu_proc_pathname[]; diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h index 25e11b0a8d..4f0c0559ac 100644 --- a/include/exec/exec-all.h +++ b/include/exec/exec-all.h @@ -25,6 +25,7 @@ #include "exec/cpu_ldst.h" #endif #include "qemu/interval-tree.h" +#include "qemu/clang-tsa.h" /* allow to see translation results - the slowdown should be negligible, so we leave it */ #define DEBUG_DISAS @@ -758,8 +759,8 @@ static inline tb_page_addr_t get_page_addr_code(CPUArchState *env, } #if defined(CONFIG_USER_ONLY) -void mmap_lock(void); -void mmap_unlock(void); +void TSA_NO_TSA mmap_lock(void); +void TSA_NO_TSA mmap_unlock(void); bool have_mmap_lock(void); /**
QEMU does not compile when enabling clang's thread safety analysis (TSA), because some functions create wrappers for pthread mutexes but do not use any TSA macro. Therefore the compiler fails. In order to make the compiler happy and avoid adding all the necessary macros to all callers (lock functions should use TSA_ACQUIRE, while unlock TSA_RELEASE, and this applies to allusers of pthread_mutex_lock/pthread_mutex_unlock), simply use TSA_NO_TSA to supppress such warnings. Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com> --- bsd-user/qemu.h | 5 +++-- include/exec/exec-all.h | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-)