Arene Base
Fundamental Utilities For Safety Critical C++
Loading...
Searching...
No Matches
thread_safety_annotations.hpp
Go to the documentation of this file.
1// Copyright 2026, Toyota Motor Corporation
2//
3// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
4
5///
6/// @file thread_safety_annotations.hpp
7/// @brief Provides a stable interface to clang's Thread Safety Annotations
8///
9
10#ifndef INCLUDE_GUARD_ARENE_BASE_ARENE_BASE_COMPILER_SUPPORT_THREAD_SAFETY_ANNOTATIONS_HPP_
11#define INCLUDE_GUARD_ARENE_BASE_ARENE_BASE_COMPILER_SUPPORT_THREAD_SAFETY_ANNOTATIONS_HPP_
12
13// parasoft-begin-suppress AUTOSAR-A16_2_2-a-2 "Arene Base aggregate headers permitted by A16-2-2 Permit #1"
14#include "arene/base/compiler_support/platform_queries.hpp"
15#include "arene/base/compiler_support/preprocessor.hpp"
16
17// NOLINTBEGIN(cppcoreguidelines-macro-usage) These are wrappers around existing macros that must be macros.
18
19#if ARENE_IS_ON(ARENE_HAS_THREAD_SAFETY_ANALYSIS)
20#include "arene/base/compiler_support/detail/thread_safety_annotations_enabled.hpp"
21#else
22#include "arene/base/compiler_support/detail/thread_safety_annotations_disabled.hpp"
23#endif
24// parasoft-end-suppress AUTOSAR-A16_2_2-a-2
25
26// parasoft-begin-suppress AUTOSAR-A16_0_1-d "Conditional defines permitted by A16-0-1 Permit #2"
27
28///
29/// @brief Annotates a type as a "capability," which is a type that provides synchronization protection.
30/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#capability-string
31/// @param x The name of the type; used in generating error messages.
32///
33#define ARENE_TSA_CAPABILITY(x) ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(capability(x))
34
35///
36/// @brief Annotates a type as a "scoped capability," which is a type that provides RAII synchronization protection.
37/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#scoped-capability
38///
39#define ARENE_TSA_SCOPED_CAPABILITY ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(scoped_lockable)
40
41///
42/// @brief Annotates a member as being guarded by a given capability.
43/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#guarded-by-c-and-pt-guarded-by-c
44/// @param x The name of the member which provides the capability that guards the annotated member
45///
46#define ARENE_TSA_GUARDED_BY(x) ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(guarded_by(x))
47
48///
49/// @brief Annotates a member that is a (smart)pointer's _pointed to content_ as being guarded by a given capability.
50/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#guarded-by-c-and-pt-guarded-by-c
51/// @param x The name of the member which provides the capability that guards the annotated pointer-member
52/// @note This does _not_ mark the pointer value itself as requiring synchronization. Only dereferencing it.
53///
54#define ARENE_TSA_PT_GUARDED_BY(x) ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(pt_guarded_by(x))
55
56///
57/// @brief Annotates a function or method as needing the calling thread to hold **exclusive** access to the named
58/// capabilities _before entering_ and _after exit_.
59/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#requires-requires-shared
60/// @param ... A comma-separated list of the names of members/variables which provide the needed capabilities.
61///
62#define ARENE_TSA_REQUIRES(...) ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(requires_capability(__VA_ARGS__))
63
64///
65/// @brief Annotates a function or method as needing the calling thread to hold **shared** access to the named
66/// capabilities _before entering_ and _after exit_.
67/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#requires-requires-shared
68/// @param ... A comma-separated list of the names of members/variables which provide the needed capabilities.
69///
70#define ARENE_TSA_REQUIRES_SHARED(...)
71 ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(requires_shared_capability(__VA_ARGS__))
72
73///
74/// @brief Annotates a function or method as acquiring **exclusive** access to the named capabilities _before exit_,
75/// **without releasing them** on exit.
76/// @see
77/// https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#acquire-acquire-shared-release-release-shared-release-generic
78/// @param ... A comma-separated list of the names of members/variables which provide the capabilities to be acquired.
79/// If omitted, assumed to be @c this .
80///
81#define ARENE_TSA_ACQUIRE(...) ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(acquire_capability(__VA_ARGS__))
82
83///
84/// @brief Annotates a function or method as acquiring **shared** access to the named capabilities _before exit_,
85/// **without releasing them** on exit.
86/// @see
87/// https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#acquire-acquire-shared-release-release-shared-release-generic
88/// @param ... A comma-separated list of the names of members/variables which provide the capabilities to be acquired.
89/// If omitted, assumed to be @c this .
90///
91#define ARENE_TSA_ACQUIRE_SHARED(...)
92 ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(acquire_shared_capability(__VA_ARGS__))
93
94///
95/// @brief Annotates a function or method as releasing access to the named capabilities _before exit_. The calling
96/// thread must hold **exclusive** access to the named capabilities _before entering_.
97/// @see
98/// https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#acquire-acquire-shared-release-release-shared-release-generic
99/// @param ... A comma-separated list of the names of members/variables which provide the capabilities to be released.
100/// If omitted, assumed to be @c this .
101///
102#define ARENE_TSA_RELEASE(...) ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(release_capability(__VA_ARGS__))
103
104///
105/// @brief Annotates a function or method as releasing access to the named capabilities _before exit_. The calling
106/// thread must hold **shared** access to the named capabilities _before entering_.
107/// @see
108/// https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#acquire-acquire-shared-release-release-shared-release-generic
109/// @param ... A comma-separated list of the names of members/variables which provide the capabilities to be released.
110/// If omitted, assumed to be @c this .
111///
112#define ARENE_TSA_RELEASE_SHARED(...)
113 ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(release_shared_capability(__VA_ARGS__))
114
115///
116/// @brief Annotates a function or method as releasing access to the named capabilities _before exit_. The calling
117/// thread can hold either **exclusive** or **shared** access to the named capabilities _before entering_.
118/// @see
119/// https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#acquire-acquire-shared-release-release-shared-release-generic
120/// @param ... A comma-separated list of the names of members/variables which provide the capabilities to be released.
121/// If omitted, assumed to be @c this .
122///
123#define ARENE_TSA_RELEASE_GENERIC(...)
124 ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(release_generic_capability(__VA_ARGS__))
125
126///
127/// @brief Annotates a function or method as attempting to acquire **exclusive** access to the named capabilities
128/// _before exit_, **without releasing them** on exit, and returning a bool of success/failure.
129/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#try-acquire-bool-try-acquire-shared-bool
130/// @param ... A boolean value, followed by a comma-separated list of the names of members/variables which provide the
131/// capabilities to be acquired. The boolean value represents which boolean value represents "success" for
132/// the assertion. If the name of the capability(s) are omitted, the capability is assumed to be @c this .
133/// @warning Because TSA does not support conditional locking analysis, the capability will assume to have been locked
134/// after the first branch based on the return value from the annotated function. Therefore, callers of the
135/// annotated function must have the "success" path as the first branch.
136///
137#define ARENE_TSA_TRY_ACQUIRE(...) ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(try_acquire_capability(__VA_ARGS__))
138
139///
140/// @brief Annotates a function or method as attempting to acquire **shared** access to the named capabilities
141/// _before exit_, **without releasing them** on exit, and returning a bool of success/failure.
142/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#try-acquire-bool-try-acquire-shared-bool
143/// @param ... A boolean value, followed by a comma-separated list of the names of members/variables which provide the
144/// capabilities to be acquired. The boolean value represents which boolean value represents "success" for
145/// the assertion. If the name of the capability(s) are omitted, the capability is assumed to be @c this .
146/// @warning Because TSA does not support conditional locking analysis, the capability will assume to have been locked
147/// after the first branch based on the return value from the annotated function. Therefore, callers of the
148/// annotated function must have the "success" path as the first branch.
149///
150#define ARENE_TSA_TRY_ACQUIRE_SHARED(...)
151 ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(try_acquire_shared_capability(__VA_ARGS__))
152
153///
154/// @brief Annotates a function or method as requiring the calling thread must **not** hold access to the named
155/// capabilities before entry.
156/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#excludes
157/// @param ... A comma-separated list of the names of members/variables which provide the needed capabilities.
158///
159#define ARENE_TSA_EXCLUDES(...) ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(locks_excluded(__VA_ARGS__))
160
161///
162/// @brief Annotates a function or method as asserting that the calling thread holds *exclusive access* to the named
163/// capability, and would terminate the process if it is not held.
164/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#assert-capability-and-assert-shared-capability
165/// @param x The name of the member or variable that provides the needed capability
166/// @post The analysis will assume the given capability is held after exit from the annotated function or method.
167///
168#define ARENE_TSA_ASSERT_CAPABILITY(x) ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(assert_capability(x))
169
170///
171/// @brief Annotates a function or method as asserting that the calling thread holds **shared access** to the named
172/// capability, and would terminate the process if it is not held.
173/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#assert-capability-and-assert-shared-capability
174/// @param x The name of the member or variable that provides the needed capability
175/// @post The analysis will assume the given capability is held after exit from the annotated function or method.
176///
177#define ARENE_TSA_ASSERT_SHARED_CAPABILITY(x) ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(assert_shared_capability(x))
178
179///
180/// @brief Annotates a function or method as returning a reference to the named capability.
181/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#return-capability-c
182/// @param x The name of the member or variable that provides the needed capability
183///
184#define ARENE_TSA_RETURN_CAPABILITY(x) ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(lock_returned(x))
185
186///
187/// @brief Annotates a function or method as explicitly excluded from thread safety analysis.
188/// @see https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#no-thread-safety-analysis
189/// @note This should only be done in situations where a function is too complex for TSA to work correctly, due to the
190/// [known limitations](https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#limitations) of TSA.
191///
192#define ARENE_TSA_NO_THREAD_SAFETY_ANALYSIS ARENE_THREAD_SAFETY_ANNOTATION_ATTRIBUTE_I_(no_thread_safety_analysis)
193
194// parasoft-end-suppress AUTOSAR-A16_0_1-d
195// NOLINTEND(cppcoreguidelines-macro-usage) These are wrappers around existing macros that must be macros.
196
197#endif // INCLUDE_GUARD_ARENE_BASE_ARENE_BASE_COMPILER_SUPPORT_THREAD_SAFETY_ANNOTATIONS_HPP_