Bug 1797354 - Allow specifying capability type in thread-safety macros, r=jesup,media-playback-reviewers,alwu

It is possible to specify full names for capabilities when using the clang
thread-safety analysis which will be used in error messages. We should use that
form of the attribute rather than the legacy lockable attribute.

Differential Revision: https://phabricator.services.mozilla.com/D160531

dom/media/doctor/MultiWriterQueue.h

@@ -20,7 +20,7 @@ namespace mozilla {
 
 // Default reader locking strategy, using a mutex to ensure that concurrent
 // PopAll calls won't overlap.
-class MOZ_CAPABILITY MultiWriterQueueReaderLocking_Mutex {
+class MOZ_CAPABILITY("mutex") MultiWriterQueueReaderLocking_Mutex {
  public:
   MultiWriterQueueReaderLocking_Mutex()
       : mMutex("MultiWriterQueueReaderLocking_Mutex") {}
@@ -33,7 +33,7 @@ class MOZ_CAPABILITY MultiWriterQueueReaderLocking_Mutex {
 
 // Reader non-locking strategy, trusting that PopAll will never be called
 // concurrently (e.g., by only calling it from a specific thread).
-class MOZ_CAPABILITY MultiWriterQueueReaderLocking_None {
+class MOZ_CAPABILITY("dummy lock") MultiWriterQueueReaderLocking_None {
  public:
 #ifndef DEBUG
   void Lock() MOZ_CAPABILITY_ACQUIRE(){};

dom/workers/Queue.h

@@ -51,7 +51,7 @@ struct StorageWithTArray {
   static void Compact(StorageType& aStorage) { aStorage.Compact(); }
 };
 
-class MOZ_CAPABILITY LockingWithMutex {
+class MOZ_CAPABILITY("mutex") LockingWithMutex {
   mozilla::Mutex mMutex;
 
  protected:

dom/workers/WorkerPrivate.h

@@ -85,10 +85,10 @@ class WorkerThread;
 // SharedMutex is a small wrapper around an (internal) reference-counted Mutex
 // object. It exists to avoid changing a lot of code to use Mutex* instead of
 // Mutex&.
-class MOZ_CAPABILITY SharedMutex {
+class MOZ_CAPABILITY("mutex") SharedMutex {
   using Mutex = mozilla::Mutex;
 
-  class MOZ_CAPABILITY RefCountedMutex final : public Mutex {
+  class MOZ_CAPABILITY("mutex") RefCountedMutex final : public Mutex {
    public:
     explicit RefCountedMutex(const char* aName) : Mutex(aName) {}
 

ipc/chromium/src/mojo/core/ports/port.h

@@ -28,7 +28,7 @@ namespace detail {
 
 // Ports cannot use mozilla::Mutex, as the acquires-before relationships handled
 // by PortLocker can overload the debug-only deadlock detector.
-class MOZ_CAPABILITY PortMutex : private ::mozilla::detail::MutexImpl {
+class MOZ_CAPABILITY("mutex") PortMutex : private ::mozilla::detail::MutexImpl {
  public:
   void AssertCurrentThreadOwns() const MOZ_ASSERT_CAPABILITY(this) {
 #ifdef DEBUG

ipc/mscom/Interceptor.cpp

@@ -38,7 +38,7 @@ namespace mozilla {
 namespace mscom {
 namespace detail {
 
-class MOZ_CAPABILITY LiveSet final {
+class MOZ_CAPABILITY("mutex") LiveSet final {
  public:
   LiveSet() : mMutex("mozilla::mscom::LiveSet::mMutex") {}
 

memory/build/Mutex.h

@@ -38,7 +38,7 @@ OS_EXPORT OS_NOTHROW OS_NONNULL_ALL void os_unfair_lock_lock_with_options(
 // places, because they require malloc()ed memory, which causes bootstrapping
 // issues in some cases.  We also can't use constructors, because for statics,
 // they would fire after the first use of malloc, resetting the locks.
-struct MOZ_CAPABILITY Mutex {
+struct MOZ_CAPABILITY("mutex") Mutex {
 #if defined(XP_WIN)
   CRITICAL_SECTION mMutex;
 #elif defined(XP_DARWIN)
@@ -148,7 +148,7 @@ struct MOZ_CAPABILITY Mutex {
 // Ideally, we'd use the same type of locks everywhere, but SRWLocks
 // everywhere incur a performance penalty. See bug 1418389.
 #if defined(XP_WIN)
-struct MOZ_CAPABILITY StaticMutex {
+struct MOZ_CAPABILITY("mutex") StaticMutex {
   SRWLOCK mMutex;
 
   inline void Lock() MOZ_CAPABILITY_ACQUIRE() {

mfbt/ThreadSafety.h

@@ -86,7 +86,7 @@
   MOZ_THREAD_ANNOTATION_ATTRIBUTE__(lock_returned(x))
 
 // Document if a class/type is a lockable type (such as the Mutex class).
-#define MOZ_CAPABILITY MOZ_THREAD_ANNOTATION_ATTRIBUTE__(lockable)
+#define MOZ_CAPABILITY(x) MOZ_THREAD_ANNOTATION_ATTRIBUTE__(capability(x))
 
 // Document if a class is a scoped lockable type (such as the MutexLock class).
 #define MOZ_SCOPED_CAPABILITY MOZ_THREAD_ANNOTATION_ATTRIBUTE__(scoped_lockable)

mozglue/baseprofiler/public/BaseProfilerDetail.h

@@ -22,7 +22,8 @@ namespace baseprofiler {
 namespace detail {
 
 // Thin shell around mozglue PlatformMutex, for Base Profiler internal use.
-class MOZ_CAPABILITY BaseProfilerMutex : private ::mozilla::detail::MutexImpl {
+class MOZ_CAPABILITY("mutex") BaseProfilerMutex
+    : private ::mozilla::detail::MutexImpl {
  public:
   BaseProfilerMutex() : ::mozilla::detail::MutexImpl() {}
   explicit BaseProfilerMutex(const char* aName)

xpcom/base/StaticMonitor.h

@@ -13,7 +13,8 @@
 
 namespace mozilla {
 
-class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS MOZ_CAPABILITY StaticMonitor {
+class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS MOZ_CAPABILITY("monitor")
+    StaticMonitor {
  public:
   // In debug builds, check that mMutex is initialized for us as we expect by
   // the compiler.  In non-debug builds, don't declare a constructor so that

xpcom/base/StaticMutex.h

@@ -26,7 +26,8 @@ namespace mozilla {
  * initialized to 0 in order to initialize mMutex.  It is only safe to use
  * StaticMutex as a global or static variable.
  */
-class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS MOZ_CAPABILITY StaticMutex {
+class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS MOZ_CAPABILITY("mutex")
+    StaticMutex {
  public:
   // In debug builds, check that mMutex is initialized for us as we expect by
   // the compiler.  In non-debug builds, don't declare a constructor so that

xpcom/base/nsTraceRefcnt.cpp

@@ -66,7 +66,8 @@
 
 #include "prthread.h"
 
-class MOZ_CAPABILITY TraceLogMutex : private mozilla::detail::MutexImpl {
+class MOZ_CAPABILITY("mutex") TraceLogMutex
+    : private mozilla::detail::MutexImpl {
  public:
   explicit TraceLogMutex() : ::mozilla::detail::MutexImpl(){};
 

xpcom/build/IOInterposerPrivate.h

@@ -28,7 +28,7 @@ namespace IOInterposer {
  * positives.
  */
 
-class MOZ_CAPABILITY Monitor {
+class MOZ_CAPABILITY("monitor") Monitor {
  public:
   Monitor() : mLock(PR_NewLock()), mCondVar(PR_NewCondVar(mLock)) {}
 
@@ -82,7 +82,7 @@ class MOZ_SCOPED_CAPABILITY MonitorAutoUnlock {
   Monitor& mMonitor;
 };
 
-class MOZ_CAPABILITY Mutex {
+class MOZ_CAPABILITY("mutex") Mutex {
  public:
   Mutex() : mPRLock(PR_NewLock()) {}
 

xpcom/threads/EventTargetCapability.h

@@ -54,7 +54,7 @@ namespace mozilla {
 // can be asserted using `AssertIsOnMainThread()`.
 
 template <typename T>
-class MOZ_CAPABILITY EventTargetCapability final {
+class MOZ_CAPABILITY("event target") EventTargetCapability final {
   static_assert(std::is_base_of_v<nsIEventTarget, T>,
                 "T must derive from nsIEventTarget");
 

xpcom/threads/MainThreadUtils.h

@@ -37,7 +37,7 @@ namespace mozilla {
  * If you want a thread-safety-analysis capability for a non-main thread,
  * consider using the `EventTargetCapability` type.
  */
-class MOZ_CAPABILITY MainThreadCapability final {};
+class MOZ_CAPABILITY("main thread") MainThreadCapability final {};
 constexpr MainThreadCapability sMainThreadCapability;
 
 #  ifdef DEBUG

xpcom/threads/Monitor.h

@@ -21,7 +21,7 @@ namespace mozilla {
  * to instead use the RAII wrappers MonitorAutoLock and
  * MonitorAutoUnlock.
  */
-class MOZ_CAPABILITY Monitor {
+class MOZ_CAPABILITY("monitor") Monitor {
  public:
   explicit Monitor(const char* aName)
       : mMutex(aName), mCondVar(mMutex, "[Monitor.mCondVar]") {}

xpcom/threads/Mutex.h

@@ -34,8 +34,8 @@ namespace mozilla {
  * include leak checking.  Sometimes you want to intentionally "leak" a mutex
  * until shutdown; in these cases, OffTheBooksMutex is for you.
  */
-class MOZ_CAPABILITY OffTheBooksMutex : public detail::MutexImpl,
-                                        BlockingResourceBase {
+class MOZ_CAPABILITY("mutex") OffTheBooksMutex : public detail::MutexImpl,
+                                                 BlockingResourceBase {
  public:
   /**
    * @param aName A name which can reference this lock

xpcom/threads/RWLock.h

@@ -40,8 +40,8 @@ namespace mozilla {
 //
 // It is unspecified whether RWLock gives priority to waiting readers or
 // a waiting writer when unlocking.
-class MOZ_CAPABILITY RWLock : public detail::RWLockImpl,
-                              public BlockingResourceBase {
+class MOZ_CAPABILITY("rwlock") RWLock : public detail::RWLockImpl,
+                                        public BlockingResourceBase {
  public:
   explicit RWLock(const char* aName);
 
@@ -182,7 +182,8 @@ typedef BaseAutoTryWriteLock<RWLock> AutoTryWriteLock;
 // calls to WriteLock() and WriteUnlock().
 typedef BaseAutoWriteLock<RWLock> AutoWriteLock;
 
-class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS MOZ_CAPABILITY StaticRWLock {
+class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS MOZ_CAPABILITY("rwlock")
+    StaticRWLock {
  public:
   // In debug builds, check that mLock is initialized for us as we expect by
   // the compiler.  In non-debug builds, don't declare a constructor so that

xpcom/threads/RecursiveMutex.h

@@ -18,7 +18,8 @@
 
 namespace mozilla {
 
-class MOZ_CAPABILITY RecursiveMutex : public BlockingResourceBase {
+class MOZ_CAPABILITY("recursive mutex") RecursiveMutex
+    : public BlockingResourceBase {
  public:
   explicit RecursiveMutex(const char* aName);
   ~RecursiveMutex();

xpcom/threads/ReentrantMonitor.h

@@ -34,7 +34,8 @@ namespace mozilla {
  * When possible, use ReentrantMonitorAutoEnter to hold this monitor within a
  * scope, instead of calling Enter/Exit directly.
  **/
-class MOZ_CAPABILITY ReentrantMonitor : BlockingResourceBase {
+class MOZ_CAPABILITY("reentrant monitor") ReentrantMonitor
+    : BlockingResourceBase {
  public:
   /**
    * ReentrantMonitor