|  | # Zircon thread safety annotations | 
|  |  | 
|  | Zircon code takes advantage of clang's thread safety analysis feature to | 
|  | document and machine-verify some of our synchronization invariants. These | 
|  | annotations are checked when building for clang (see | 
|  | [getting started](/docs/development/kernel/getting_started.md) for instructions on building with | 
|  | clang). | 
|  |  | 
|  | ## How to use | 
|  |  | 
|  | [Clang's documentation](https://clang.llvm.org/docs/ThreadSafetyAnalysis.html) | 
|  |  | 
|  | In Zircon, we provide our own set of macros wrapping the annotations and have | 
|  | annotated our synchronization primitives. When writing new code involving | 
|  | synchronization or annotating existing code, in most cases you should use the | 
|  | thread annotation macros provided by | 
|  | [<lib/zircon-internal/thread\_annotations.h](/zircon/system/ulib/zircon-internal/include/lib/zircon-internal/thread_annotations.h). | 
|  | These macros all begin with the prefix `"TA_"` for thread analysis. The most | 
|  | commonly used ones are: | 
|  |  | 
|  | * `TA_GUARDED(x)` the annotated variable is guarded by the capability (e.g. lock) `x` | 
|  | * `TA_ACQ(x...)` function acquires all of the mutexes in the set `x` and hold them after returning | 
|  | * `TA_REL(x...)` function releases all of the mutexes in the set `x` | 
|  | * `TA_REQ(x...)` function requires that the caller hold all of the mutexes in the set `x` | 
|  | * `TA_EXCL(x...)` function requires that the caller not be holding any of the mutexes in the set `x` | 
|  |  | 
|  | For example, a class containing a member variable `'int foo_'` protected by a | 
|  | mutex would be annotated like so: | 
|  |  | 
|  | ``` | 
|  | // example.h | 
|  |  | 
|  | class Example { | 
|  | public: | 
|  | // Public function has no locking requirements and thus needs no annotation. | 
|  | int IncreaseFoo(int by); | 
|  |  | 
|  | private: | 
|  | // This is an internal helper routine that can only be called with |lock_| | 
|  | // held. Calling this without holding |lock_| is a compile-time error. | 
|  | // Annotations like TA_REQ, TA_ACQ, TA_REL, etc are part of the function's | 
|  | // interface and must be on the function declaration, usually in the header, | 
|  | // not the definition. | 
|  | int IncreaseFooLocked(int by) TA_REQ(lock_); | 
|  |  | 
|  | // This internal routine requires that both |lock_| and |foo_lock_| be held by the | 
|  | // caller. | 
|  | int IncreaseFooAndBarLocked(int foo_by, int bar_by) TA_REQ(lock_) TA_REQ(bar_lock_); | 
|  |  | 
|  | // The TA_GUARDED(lock_) annotation on |foo_| means that |lock_| must be | 
|  | // held to read or write from |foo_|. | 
|  | int foo_ TA_GUARDED(lock_); | 
|  |  | 
|  | // |lock_| can be declared after annotations referencing it, | 
|  | // if desired. | 
|  | Mutex lock_; | 
|  |  | 
|  | Mutex bar_lock_; | 
|  | }; | 
|  |  | 
|  | // example.cpp | 
|  |  | 
|  | int Example::IncreaseFoo(int by) { | 
|  | int new_value; | 
|  | { | 
|  | AutoLock lock(&lock_);  // fbl::AutoLock is annotated | 
|  | new_value = IncreaseFooLocked(by); | 
|  | } | 
|  | return new_value; | 
|  | } | 
|  | ``` | 
|  |  | 
|  | Note that for annotations which allow sets of mutex objects, one may either | 
|  | apply the annotation multiple times, or provided a comma separated list to the | 
|  | annotation.  In other words, the following two declarations are equivalent. | 
|  |  | 
|  | ``` | 
|  | int IncreaseFooAndBarLocked(int foo_by, int bar_by) TA_REQ(lock_) TA_REQ(bar_lock_); | 
|  | int IncreaseFooAndBarLocked(int foo_by, int bar_by) TA_REQ(lock_, bar_lock_); | 
|  | ``` | 
|  |  | 
|  | Library code exposed through the sysroot must use the more awkwardly named | 
|  | macros provided by | 
|  | [system/public/zircon/compiler.h](/zircon/system/public/zircon/compiler.h) to | 
|  | avoid collisions with consumers of the sysroot. | 
|  |  | 
|  | ## Best practices | 
|  |  | 
|  | Annotations should complement the comments and identifiers to make the code | 
|  | understandable. Annotations do not replace comments or clear names. Try to | 
|  | follow these best practices when writing code involving locking: | 
|  |  | 
|  | * Group member variables protected by a lock with the lock. Where it makes | 
|  | sense, document what is protected by what with a comment in addition to the | 
|  | annotations. For example when several member variables are protected by one lock | 
|  | and several are protected by a different lock, a comment is easier to read than | 
|  | going through each annotation. | 
|  |  | 
|  | * Name functions that require a lock be held with a 'Locked()' suffix. If there | 
|  | are multiple locks that could be plausibly held to call the function, consider | 
|  | making the choice clear in the function name. Keep in mind readers of calling | 
|  | code will not be able to see the annotations. | 
|  |  | 
|  | ## Limitations | 
|  |  | 
|  | The thread safety analysis is a purely static check done at compile time and | 
|  | cannot understand conditionally held locks or locking patterns that span | 
|  | compilation units in ways not expressible via static annotations. In many | 
|  | situations, this analysis is still useful but there are situations that the | 
|  | analysis simply cannot understand. The main escape hatch for disabling analysis | 
|  | is to add the annotation `TA_NO_THREAD_SAFETY_ANALYSIS` to the function definition | 
|  | containing the code the analysis is confused by. Other escape mechanisms are | 
|  | available as well - see the Clang documentation for details. Situations that | 
|  | require disabling the analysis are likely to be complex for humans to understand | 
|  | as well as machines and should be accompanied by a comment indicating the | 
|  | invariants in use. | 
|  |  | 
|  | The thread safety analysis can be defeated in a number of ways, for instance | 
|  | when using pointers.  For example, when taking the address of a guarded data | 
|  | member Clang loses track of the guard, e.g. for a foo_ protected by a lock_ | 
|  | a call to `memset(&foo_, 0, sizeof(foo_))` without holding lock_ won't be caught | 
|  | as a violation. |