1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
|
// Copyright 2020 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package checklocks
import (
"fmt"
"go/ast"
"go/token"
"go/types"
"regexp"
"strings"
"golang.org/x/tools/go/ssa"
)
// atomicAlignment is saved per type.
//
// This represents the alignment required for the type, which may
// be implied and imposed by other types within the aggregate type.
type atomicAlignment int
// AFact implements analysis.Fact.AFact.
func (*atomicAlignment) AFact() {}
// atomicDisposition is saved per field.
//
// This represents how the field must be accessed. It must either
// be non-atomic (default), atomic or ignored.
type atomicDisposition int
const (
atomicDisallow atomicDisposition = iota
atomicIgnore
atomicRequired
)
// fieldList is a simple list of fields, used in two types below.
//
// Note that the integers in this list refer to one of two things:
// - A positive integer refers to a field index in a struct.
// - A negative integer refers to a field index in a struct, where
// that field is a pointer and must be subsequently resolved.
type fieldList []int
// resolvedValue is an ssa.Value with additional fields.
//
// This can be resolved to a string as part of a lock state.
type resolvedValue struct {
value ssa.Value
valid bool
fieldList []int
}
// findExtract finds a relevant extract. This must exist within the referrers
// to the call object. If this doesn't then the object which is locked is never
// consumed, and we should consider this a bug.
func findExtract(v ssa.Value, index int) (ssa.Value, bool) {
if refs := v.Referrers(); refs != nil {
for _, inst := range *refs {
if x, ok := inst.(*ssa.Extract); ok && x.Tuple == v && x.Index == index {
return inst.(ssa.Value), true
}
}
}
return nil, false
}
// resolve resolves the given field list.
func (fl fieldList) resolve(v ssa.Value) (rv resolvedValue) {
return resolvedValue{
value: v,
fieldList: fl,
valid: true,
}
}
// valueAsString returns a string representing this value.
//
// This must align with how the string is generated in valueAsString.
func (rv resolvedValue) valueAsString(ls *lockState) string {
typ := rv.value.Type()
s := ls.valueAsString(rv.value)
for i, fieldNumber := range rv.fieldList {
switch {
case fieldNumber > 0:
field, ok := findField(typ, fieldNumber-1)
if !ok {
// This can't be resolved, return for debugging.
return fmt.Sprintf("{%s+%v}", s, rv.fieldList[i:])
}
s = fmt.Sprintf("&(%s.%s)", s, field.Name())
typ = field.Type()
case fieldNumber < 1:
field, ok := findField(typ, (-fieldNumber)-1)
if !ok {
// See above.
return fmt.Sprintf("{%s+%v}", s, rv.fieldList[i:])
}
s = fmt.Sprintf("*(&(%s.%s))", s, field.Name())
typ = field.Type()
}
}
return s
}
// lockFieldFacts apply on every struct field.
type lockFieldFacts struct {
// IsMutex is true if the field is of type sync.Mutex.
IsMutex bool
// IsRWMutex is true if the field is of type sync.RWMutex.
IsRWMutex bool
// IsPointer indicates if the field is a pointer.
IsPointer bool
// FieldNumber is the number of this field in the struct.
FieldNumber int
}
// AFact implements analysis.Fact.AFact.
func (*lockFieldFacts) AFact() {}
// lockGuardFacts contains guard information.
type lockGuardFacts struct {
// GuardedBy is the set of locks that are guarding this field. The key
// is the original annotation value, and the field list is the object
// traversal path.
GuardedBy map[string]fieldList
// AtomicDisposition is the disposition for this field. Note that this
// can affect the interpretation of the GuardedBy field above, see the
// relevant comment.
AtomicDisposition atomicDisposition
}
// AFact implements analysis.Fact.AFact.
func (*lockGuardFacts) AFact() {}
// functionGuard is used by lockFunctionFacts, below.
type functionGuard struct {
// ParameterNumber is the index of the object that contains the
// guarding mutex. From this parameter, a walk is performed
// subsequently using the resolve method.
//
// Note that is ParameterNumber is beyond the size of parameters, then
// it may return to a return value. This applies only for the Acquires
// relation below.
ParameterNumber int
// NeedsExtract is used in the case of a return value, and indicates
// that the field must be extracted from a tuple.
NeedsExtract bool
// FieldList is the traversal path to the object.
FieldList fieldList
}
// resolveReturn resolves a return value.
//
// Precondition: rv is either an ssa.Value, or an *ssa.Return.
func (fg *functionGuard) resolveReturn(rv interface{}, args int) resolvedValue {
if rv == nil {
// For defers and other objects, this may be nil. This is
// handled in state.go in the actual lock checking logic.
return resolvedValue{
value: nil,
valid: false,
}
}
index := fg.ParameterNumber - args
// If this is a *ssa.Return object, i.e. we are analyzing the function
// and not the call site, then we can just pull the result directly.
if r, ok := rv.(*ssa.Return); ok {
return fg.FieldList.resolve(r.Results[index])
}
if fg.NeedsExtract {
// Resolve on the extracted field, this is necessary if the
// type here is not an explicit return. Note that rv must be an
// ssa.Value, since it is not an *ssa.Return.
v, ok := findExtract(rv.(ssa.Value), index)
if !ok {
return resolvedValue{
value: v,
valid: false,
}
}
return fg.FieldList.resolve(v)
}
if index != 0 {
// This should not happen, NeedsExtract should always be set.
panic("NeedsExtract is false, but return value index is non-zero")
}
// Resolve on the single return.
return fg.FieldList.resolve(rv.(ssa.Value))
}
// resolveStatic returns an ssa.Value representing the given field.
//
// Precondition: per resolveReturn.
func (fg *functionGuard) resolveStatic(fn *ssa.Function, rv interface{}) resolvedValue {
if fg.ParameterNumber >= len(fn.Params) {
return fg.resolveReturn(rv, len(fn.Params))
}
return fg.FieldList.resolve(fn.Params[fg.ParameterNumber])
}
// resolveCall returns an ssa.Value representing the given field.
func (fg *functionGuard) resolveCall(args []ssa.Value, rv ssa.Value) resolvedValue {
if fg.ParameterNumber >= len(args) {
return fg.resolveReturn(rv, len(args))
}
return fg.FieldList.resolve(args[fg.ParameterNumber])
}
// lockFunctionFacts apply on every method.
type lockFunctionFacts struct {
// HeldOnEntry tracks the names and number of parameter (including receiver)
// lockFuncfields that guard calls to this function.
//
// The key is the name specified in the checklocks annotation. e.g given
// the following code:
//
// ```
// type A struct {
// mu sync.Mutex
// a int
// }
//
// // +checklocks:a.mu
// func xyz(a *A) {..}
// ```
//
// '`+checklocks:a.mu' will result in an entry in this map as shown below.
// HeldOnEntry: {"a.mu" => {ParameterNumber: 0, FieldNumbers: {0}}
//
// Unlikely lockFieldFacts, there is no atomic interpretation.
HeldOnEntry map[string]functionGuard
// HeldOnExit tracks the locks that are expected to be held on exit.
HeldOnExit map[string]functionGuard
// Ignore means this function has local analysis ignores.
//
// This is not used outside the local package.
Ignore bool
}
// AFact implements analysis.Fact.AFact.
func (*lockFunctionFacts) AFact() {}
// checkGuard validates the guardName.
func (lff *lockFunctionFacts) checkGuard(pc *passContext, d *ast.FuncDecl, guardName string, allowReturn bool) (functionGuard, bool) {
if _, ok := lff.HeldOnEntry[guardName]; ok {
pc.maybeFail(d.Pos(), "annotation %s specified more than once, already required", guardName)
return functionGuard{}, false
}
if _, ok := lff.HeldOnExit[guardName]; ok {
pc.maybeFail(d.Pos(), "annotation %s specified more than once, already acquired", guardName)
return functionGuard{}, false
}
fg, ok := pc.findFunctionGuard(d, guardName, allowReturn)
return fg, ok
}
// addGuardedBy adds a field to both HeldOnEntry and HeldOnExit.
func (lff *lockFunctionFacts) addGuardedBy(pc *passContext, d *ast.FuncDecl, guardName string) {
if fg, ok := lff.checkGuard(pc, d, guardName, false /* allowReturn */); ok {
if lff.HeldOnEntry == nil {
lff.HeldOnEntry = make(map[string]functionGuard)
}
if lff.HeldOnExit == nil {
lff.HeldOnExit = make(map[string]functionGuard)
}
lff.HeldOnEntry[guardName] = fg
lff.HeldOnExit[guardName] = fg
}
}
// addAcquires adds a field to HeldOnExit.
func (lff *lockFunctionFacts) addAcquires(pc *passContext, d *ast.FuncDecl, guardName string) {
if fg, ok := lff.checkGuard(pc, d, guardName, true /* allowReturn */); ok {
if lff.HeldOnExit == nil {
lff.HeldOnExit = make(map[string]functionGuard)
}
lff.HeldOnExit[guardName] = fg
}
}
// addReleases adds a field to HeldOnEntry.
func (lff *lockFunctionFacts) addReleases(pc *passContext, d *ast.FuncDecl, guardName string) {
if fg, ok := lff.checkGuard(pc, d, guardName, false /* allowReturn */); ok {
if lff.HeldOnEntry == nil {
lff.HeldOnEntry = make(map[string]functionGuard)
}
lff.HeldOnEntry[guardName] = fg
}
}
// fieldListFor returns the fieldList for the given object.
func (pc *passContext) fieldListFor(pos token.Pos, fieldObj types.Object, index int, fieldName string, checkMutex bool) (int, bool) {
var lff lockFieldFacts
if !pc.pass.ImportObjectFact(fieldObj, &lff) {
// This should not happen: we export facts for all fields.
panic(fmt.Sprintf("no lockFieldFacts available for field %s", fieldName))
}
// Check that it is indeed a mutex.
if checkMutex && !lff.IsMutex && !lff.IsRWMutex {
pc.maybeFail(pos, "field %s is not a mutex or an rwmutex", fieldName)
return 0, false
}
// Return the resolution path.
if lff.IsPointer {
return -(index + 1), true
}
return (index + 1), true
}
// resolveOneField resolves a field in a single struct.
func (pc *passContext) resolveOneField(pos token.Pos, structType *types.Struct, fieldName string, checkMutex bool) (fl fieldList, fieldObj types.Object, ok bool) {
// Scan to match the next field.
for i := 0; i < structType.NumFields(); i++ {
fieldObj := structType.Field(i)
if fieldObj.Name() != fieldName {
continue
}
flOne, ok := pc.fieldListFor(pos, fieldObj, i, fieldName, checkMutex)
if !ok {
return nil, nil, false
}
fl = append(fl, flOne)
return fl, fieldObj, true
}
// Is this an embed?
for i := 0; i < structType.NumFields(); i++ {
fieldObj := structType.Field(i)
if !fieldObj.Embedded() {
continue
}
// Is this an embedded struct?
structType, ok := resolveStruct(fieldObj.Type())
if !ok {
continue
}
// Need to check that there is a resolution path. If there is
// no resolution path that's not a failure: we just continue
// scanning the next embed to find a match.
flEmbed, okEmbed := pc.fieldListFor(pos, fieldObj, i, fieldName, false)
flCont, fieldObjCont, okCont := pc.resolveOneField(pos, structType, fieldName, checkMutex)
if okEmbed && okCont {
fl = append(fl, flEmbed)
fl = append(fl, flCont...)
return fl, fieldObjCont, true
}
}
pc.maybeFail(pos, "field %s does not exist", fieldName)
return nil, nil, false
}
// resolveField resolves a set of fields given a string, such a 'a.b.c'.
//
// Note that this checks that the final element is a mutex of some kind, and
// will fail appropriately.
func (pc *passContext) resolveField(pos token.Pos, structType *types.Struct, parts []string) (fl fieldList, ok bool) {
for partNumber, fieldName := range parts {
flOne, fieldObj, ok := pc.resolveOneField(pos, structType, fieldName, partNumber >= len(parts)-1 /* checkMutex */)
if !ok {
// Error already reported.
return nil, false
}
fl = append(fl, flOne...)
if partNumber < len(parts)-1 {
// Traverse to the next type.
structType, ok = resolveStruct(fieldObj.Type())
if !ok {
pc.maybeFail(pos, "invalid intermediate field %s", fieldName)
return fl, false
}
}
}
return fl, true
}
var (
mutexRE = regexp.MustCompile("((.*/)|^)sync.(CrossGoroutineMutex|Mutex)")
rwMutexRE = regexp.MustCompile("((.*/)|^)sync.(CrossGoroutineRWMutex|RWMutex)")
)
// exportLockFieldFacts finds all struct fields that are mutexes, and ensures
// that they are annotated properly.
//
// This information is consumed subsequently by exportLockGuardFacts, and this
// function must be called first on all structures.
func (pc *passContext) exportLockFieldFacts(structType *types.Struct, ss *ast.StructType) {
for i, field := range ss.Fields.List {
lff := &lockFieldFacts{
FieldNumber: i,
}
// We use HasSuffix below because fieldType can be fully
// qualified with the package name eg for the gvisor sync
// package mutex fields have the type:
// "<package path>/sync/sync.Mutex"
fieldObj := structType.Field(i)
s := fieldObj.Type().String()
switch {
case mutexRE.MatchString(s):
lff.IsMutex = true
case rwMutexRE.MatchString(s):
lff.IsRWMutex = true
}
// Save whether this is a pointer.
_, lff.IsPointer = fieldObj.Type().Underlying().(*types.Pointer)
// We must always export the lockFieldFacts, since traversal
// can take place along any object in the struct.
pc.pass.ExportObjectFact(fieldObj, lff)
// If this is an anonymous type, then we won't discover it via
// the AST global declarations. We can recurse from here.
if ss, ok := field.Type.(*ast.StructType); ok {
if st, ok := fieldObj.Type().(*types.Struct); ok {
pc.exportLockFieldFacts(st, ss)
}
}
}
}
// exportLockGuardFacts finds all relevant guard information for structures.
//
// This function requires exportLockFieldFacts be called first on all
// structures.
func (pc *passContext) exportLockGuardFacts(structType *types.Struct, ss *ast.StructType) {
for i, field := range ss.Fields.List {
fieldObj := structType.Field(i)
if field.Doc != nil {
var (
lff lockFieldFacts
lgf lockGuardFacts
)
pc.pass.ImportObjectFact(structType.Field(i), &lff)
for _, l := range field.Doc.List {
pc.extractAnnotations(l.Text, map[string]func(string){
checkAtomicAnnotation: func(string) {
switch lgf.AtomicDisposition {
case atomicRequired:
pc.maybeFail(fieldObj.Pos(), "annotation is redundant, already atomic required")
case atomicIgnore:
pc.maybeFail(fieldObj.Pos(), "annotation is contradictory, already atomic ignored")
}
lgf.AtomicDisposition = atomicRequired
},
checkLocksIgnore: func(string) {
switch lgf.AtomicDisposition {
case atomicIgnore:
pc.maybeFail(fieldObj.Pos(), "annotation is redundant, already atomic ignored")
case atomicRequired:
pc.maybeFail(fieldObj.Pos(), "annotation is contradictory, already atomic required")
}
lgf.AtomicDisposition = atomicIgnore
},
checkLocksAnnotation: func(guardName string) {
// Check for a duplicate annotation.
if _, ok := lgf.GuardedBy[guardName]; ok {
pc.maybeFail(fieldObj.Pos(), "annotation %s specified more than once", guardName)
return
}
fl, ok := pc.resolveField(fieldObj.Pos(), structType, strings.Split(guardName, "."))
if ok {
// If we successfully resolved
// the field, then save it.
if lgf.GuardedBy == nil {
lgf.GuardedBy = make(map[string]fieldList)
}
lgf.GuardedBy[guardName] = fl
}
},
})
}
// Save only if there is something meaningful.
if len(lgf.GuardedBy) > 0 || lgf.AtomicDisposition != atomicDisallow {
pc.pass.ExportObjectFact(structType.Field(i), &lgf)
}
}
// See above, for anonymous structure fields.
if ss, ok := field.Type.(*ast.StructType); ok {
if st, ok := fieldObj.Type().(*types.Struct); ok {
pc.exportLockGuardFacts(st, ss)
}
}
}
}
// countFields gives an accurate field count, according for unnamed arguments
// and return values and the compact identifier format.
func countFields(fl []*ast.Field) (count int) {
for _, field := range fl {
if len(field.Names) == 0 {
count++
continue
}
count += len(field.Names)
}
return
}
// matchFieldList attempts to match the given field.
func (pc *passContext) matchFieldList(pos token.Pos, fl []*ast.Field, guardName string) (functionGuard, bool) {
parts := strings.Split(guardName, ".")
parameterName := parts[0]
parameterNumber := 0
for _, field := range fl {
// See countFields, above.
if len(field.Names) == 0 {
parameterNumber++
continue
}
for _, name := range field.Names {
if name.Name != parameterName {
parameterNumber++
continue
}
ptrType, ok := pc.pass.TypesInfo.TypeOf(field.Type).Underlying().(*types.Pointer)
if !ok {
// Since mutexes cannot be copied we only care
// about parameters that are pointer types when
// checking for guards.
pc.maybeFail(pos, "parameter name %s does not refer to a pointer type", parameterName)
return functionGuard{}, false
}
structType, ok := ptrType.Elem().Underlying().(*types.Struct)
if !ok {
// Fields can only be in named structures.
pc.maybeFail(pos, "parameter name %s does not refer to a pointer to a struct", parameterName)
return functionGuard{}, false
}
fg := functionGuard{
ParameterNumber: parameterNumber,
}
fl, ok := pc.resolveField(pos, structType, parts[1:])
fg.FieldList = fl
return fg, ok // If ok is false, already failed.
}
}
return functionGuard{}, false
}
// findFunctionGuard identifies the parameter number and field number for a
// particular string of the 'a.b'.
//
// This function will report any errors directly.
func (pc *passContext) findFunctionGuard(d *ast.FuncDecl, guardName string, allowReturn bool) (functionGuard, bool) {
var (
parameterList []*ast.Field
returnList []*ast.Field
)
if d.Recv != nil {
parameterList = append(parameterList, d.Recv.List...)
}
if d.Type.Params != nil {
parameterList = append(parameterList, d.Type.Params.List...)
}
if fg, ok := pc.matchFieldList(d.Pos(), parameterList, guardName); ok {
return fg, ok
}
if allowReturn {
if d.Type.Results != nil {
returnList = append(returnList, d.Type.Results.List...)
}
if fg, ok := pc.matchFieldList(d.Pos(), returnList, guardName); ok {
// Fix this up to apply to the return value, as noted
// in fg.ParameterNumber. For the ssa analysis, we must
// record whether this has multiple results, since
// *ssa.Call indicates: "The Call instruction yields
// the function result if there is exactly one.
// Otherwise it returns a tuple, the components of
// which are accessed via Extract."
fg.ParameterNumber += countFields(parameterList)
fg.NeedsExtract = countFields(returnList) > 1
return fg, ok
}
}
// We never saw a matching parameter.
pc.maybeFail(d.Pos(), "annotation %s does not have a matching parameter", guardName)
return functionGuard{}, false
}
// exportFunctionFacts exports relevant function findings.
func (pc *passContext) exportFunctionFacts(d *ast.FuncDecl) {
if d.Doc == nil || d.Doc.List == nil {
return
}
var lff lockFunctionFacts
for _, l := range d.Doc.List {
pc.extractAnnotations(l.Text, map[string]func(string){
checkLocksIgnore: func(string) {
// Note that this applies to all atomic
// analysis as well. There is no provided way
// to selectively ignore only lock analysis or
// atomic analysis, as we expect this use to be
// extremely rare.
lff.Ignore = true
},
checkLocksAnnotation: func(guardName string) { lff.addGuardedBy(pc, d, guardName) },
checkLocksAcquires: func(guardName string) { lff.addAcquires(pc, d, guardName) },
checkLocksReleases: func(guardName string) { lff.addReleases(pc, d, guardName) },
})
}
// Export the function facts if there is anything to save.
if lff.Ignore || len(lff.HeldOnEntry) > 0 || len(lff.HeldOnExit) > 0 {
funcObj := pc.pass.TypesInfo.Defs[d.Name].(*types.Func)
pc.pass.ExportObjectFact(funcObj, &lff)
}
}
|