From 3269701cb25662ae8a9771a864201116626adb50 Mon Sep 17 00:00:00 2001 From: Marco Elver Date: Fri, 19 Dec 2025 16:39:51 +0100 Subject: compiler-context-analysis: Add infrastructure for Context Analysis with Clang Context Analysis is a language extension, which enables statically checking that required contexts are active (or inactive), by acquiring and releasing user-definable "context locks". An obvious application is lock-safety checking for the kernel's various synchronization primitives (each of which represents a "context lock"), and checking that locking rules are not violated. Clang originally called the feature "Thread Safety Analysis" [1]. This was later changed and the feature became more flexible, gaining the ability to define custom "capabilities". Its foundations can be found in "Capability Systems" [2], used to specify the permissibility of operations to depend on some "capability" being held (or not held). Because the feature is not just able to express "capabilities" related to synchronization primitives, and "capability" is already overloaded in the kernel, the naming chosen for the kernel departs from Clang's "Thread Safety" and "capability" nomenclature; we refer to the feature as "Context Analysis" to avoid confusion. The internal implementation still makes references to Clang's terminology in a few places, such as `-Wthread-safety` being the warning option that also still appears in diagnostic messages. [1] https://clang.llvm.org/docs/ThreadSafetyAnalysis.html [2] https://www.cs.cornell.edu/talc/papers/capabilities.pdf See more details in the kernel-doc documentation added in this and subsequent changes. Clang version 22+ is required. [peterz: disable the thing for __CHECKER__ builds] Signed-off-by: Marco Elver Signed-off-by: Peter Zijlstra (Intel) Link: https://patch.msgid.link/20251219154418.3592607-3-elver@google.com --- scripts/Makefile.context-analysis | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 scripts/Makefile.context-analysis (limited to 'scripts/Makefile.context-analysis') diff --git a/scripts/Makefile.context-analysis b/scripts/Makefile.context-analysis new file mode 100644 index 000000000000..70549f7fae1a --- /dev/null +++ b/scripts/Makefile.context-analysis @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: GPL-2.0 + +context-analysis-cflags := -DWARN_CONTEXT_ANALYSIS \ + -fexperimental-late-parse-attributes -Wthread-safety \ + -Wthread-safety-pointer -Wthread-safety-beta + +export CFLAGS_CONTEXT_ANALYSIS := $(context-analysis-cflags) -- cgit v1.2.3 From c237f1ceeef56fa101c2b599a00307b3d690801a Mon Sep 17 00:00:00 2001 From: Marco Elver Date: Fri, 19 Dec 2025 16:40:14 +0100 Subject: compiler-context-analysis: Introduce header suppressions While we can opt in individual subsystems which add the required annotations, such subsystems inevitably include headers from other subsystems which may not yet have the right annotations, which then result in false positive warnings. Making compatible by adding annotations across all common headers currently requires an excessive number of __no_context_analysis annotations, or carefully analyzing non-trivial cases to add the correct annotations. While this is desirable long-term, providing an incremental path causes less churn and headaches for maintainers not yet interested in dealing with such warnings. Rather than clutter headers unnecessary and mandate all subsystem maintainers to keep their headers working with context analysis, suppress all -Wthread-safety warnings in headers. Explicitly opt in headers with context-enabled primitives. With this in place, we can start enabling the analysis on more complex subsystems in subsequent changes. Signed-off-by: Marco Elver Signed-off-by: Peter Zijlstra (Intel) Link: https://patch.msgid.link/20251219154418.3592607-26-elver@google.com --- scripts/Makefile.context-analysis | 4 ++++ scripts/context-analysis-suppression.txt | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 scripts/context-analysis-suppression.txt (limited to 'scripts/Makefile.context-analysis') diff --git a/scripts/Makefile.context-analysis b/scripts/Makefile.context-analysis index 70549f7fae1a..cd3bb49d3f09 100644 --- a/scripts/Makefile.context-analysis +++ b/scripts/Makefile.context-analysis @@ -4,4 +4,8 @@ context-analysis-cflags := -DWARN_CONTEXT_ANALYSIS \ -fexperimental-late-parse-attributes -Wthread-safety \ -Wthread-safety-pointer -Wthread-safety-beta +ifndef CONFIG_WARN_CONTEXT_ANALYSIS_ALL +context-analysis-cflags += --warning-suppression-mappings=$(srctree)/scripts/context-analysis-suppression.txt +endif + export CFLAGS_CONTEXT_ANALYSIS := $(context-analysis-cflags) diff --git a/scripts/context-analysis-suppression.txt b/scripts/context-analysis-suppression.txt new file mode 100644 index 000000000000..df25c3d07a5b --- /dev/null +++ b/scripts/context-analysis-suppression.txt @@ -0,0 +1,32 @@ +# SPDX-License-Identifier: GPL-2.0 +# +# The suppressions file should only match common paths such as header files. +# For individual subsytems use Makefile directive CONTEXT_ANALYSIS := [yn]. +# +# The suppressions are ignored when CONFIG_WARN_CONTEXT_ANALYSIS_ALL is +# selected. + +[thread-safety] +src:*arch/*/include/* +src:*include/acpi/* +src:*include/asm-generic/* +src:*include/linux/* +src:*include/net/* + +# Opt-in headers: +src:*include/linux/bit_spinlock.h=emit +src:*include/linux/cleanup.h=emit +src:*include/linux/kref.h=emit +src:*include/linux/list*.h=emit +src:*include/linux/local_lock*.h=emit +src:*include/linux/lockdep.h=emit +src:*include/linux/mutex*.h=emit +src:*include/linux/rcupdate.h=emit +src:*include/linux/refcount.h=emit +src:*include/linux/rhashtable.h=emit +src:*include/linux/rwlock*.h=emit +src:*include/linux/rwsem.h=emit +src:*include/linux/seqlock*.h=emit +src:*include/linux/spinlock*.h=emit +src:*include/linux/srcu*.h=emit +src:*include/linux/ww_mutex.h=emit -- cgit v1.2.3