This is an archive of the discontinued LLVM Phabricator instance.

Differential D49707

[tsan] Fix crash in objc_sync_enter/objc_sync_exit when using an Obj-C tagged pointer
ClosedPublic

Authored by kubamracek on Jul 23 2018, 4:48 PM.

Details

Reviewers
dvyukov
george.karpenkov
delcypher
dcoughlin
Commits
rGdc36389ea8ad: [tsan] Fix crash in objc_sync_enter/objc_sync_exit when using an Obj-C tagged…
rCRT337837: [tsan] Fix crash in objc_sync_enter/objc_sync_exit when using an Obj-C tagged…
rL337837: [tsan] Fix crash in objc_sync_enter/objc_sync_exit when using an Obj-C tagged…
Summary

Objective-C tagged pointers (either bottom-most or top-most bit is 1) are valid Obj-C objects but are not valid pointers. Make sure we don't crash on them when used in objc_sync_enter/objc_sync_exit. Instead, let's synchronize on a global object.

Diff Detail

Event Timeline

kubamracek created this revision.Jul 23 2018, 4:48 PM
Herald added subscribers: Restricted Project, jfb. · View Herald TranscriptJul 23 2018, 4:48 PM
george.karpenkov added inline comments.Jul 23 2018, 5:05 PM
lib/tsan/rtl/tsan_interceptors_mac.cc
297

can we have a short docstring for both functions? Also, isTaggedObjCPointer?

299

return ((uptr)obj & kPossibleTaggedBits) != 0 ?

303

what's the point of taking in the argument then?

324

can we extract this line into a function with a name explaining it's semantics?

kubamracek added inline comments.Jul 23 2018, 5:08 PM
lib/tsan/rtl/tsan_interceptors_mac.cc
303

The point is that, ideally, the function would return a different sync address for different pointers. But for now, the implementation trivially returns the same address for all, which can cause false negatives.

kubamracek updated this revision to Diff 156932.Jul 23 2018, 5:14 PM
kubamracek added inline comments.
lib/tsan/rtl/tsan_interceptors_mac.cc
297

Also, isTaggedObjCPointer?

In (almost) all of TSan, private functions starts with an uppercase letter. Let's not try to change style with this patch.

george.karpenkov added inline comments.Jul 23 2018, 5:16 PM
lib/tsan/rtl/tsan_interceptors_mac.cc
299

also all the helper functions should be static

kubamracek updated this revision to Diff 156935.Jul 23 2018, 5:17 PM

add static

george.karpenkov accepted this revision.Jul 23 2018, 5:20 PM
This revision is now accepted and ready to land.Jul 23 2018, 5:20 PM
kubamracek updated this revision to Diff 156937.Jul 23 2018, 5:21 PM
dvyukov accepted this revision.Jul 24 2018, 12:49 AM
delcypher accepted this revision.Jul 24 2018, 8:26 AM

Other than minor suggestions the basic idea seems okay for now.

lib/tsan/rtl/tsan_interceptors_mac.cc
299

Perhaps the name should be IsTaggedObjCPointer?

308

There probably should be a TODO(kubamracek) or FIXME in here.

Do we even want to do Acquire() and Release() for tagged pointers? Even if we had a perfect implementation of SyncAddressForTaggedPointer() that still seems wrong because we could have two independent instances of a tagged pointer
(e.g. create two separate NSString with same value) and those shouldn't really be considered as the same object, but they would
be considered the same because their tagged pointer value is the same.

kubamracek added inline comments.Jul 24 2018, 9:00 AM
lib/tsan/rtl/tsan_interceptors_mac.cc
308

Yes, the entire idea of using value types (strings, integeres, timestamps) as synchronization objects is weird and most likely not what you intended anyway. Therefore this patch is really just to avoid crashing and to mirror what libobjc is actually doing when using @synchronize on a tagged pointer (it does actually establish synchronization if the pointer bits are exactly the same).

Closed by commit rL337837: [tsan] Fix crash in objc_sync_enter/objc_sync_exit when using an Obj-C tagged… (authored by kuba.brecka). · Explain WhyJul 24 2018, 9:19 AM
Closed by commit rCRT337837: [tsan] Fix crash in objc_sync_enter/objc_sync_exit when using an Obj-C tagged… (authored by kuba.brecka). · Explain Why
This revision was automatically updated to reflect the committed changes.
This revision was automatically updated to reflect the committed changes.
kubamracek added a comment.Jul 24 2018, 9:19 AM

Thanks for the fast review!

Revision Contents

PathSize
lib/
tsan/
rtl/
28 lines
test/
tsan/
Darwin/
62 lines

Diff 157059

lib/tsan/rtl/tsan_interceptors_mac.cc

Show First 20 LinesShow All 288 Lines▼ Show 20 Lines
TSAN_INTERCEPTOR(void, xpc_connection_cancel, xpc_connection_t connection) { TSAN_INTERCEPTOR(void, xpc_connection_cancel, xpc_connection_t connection) {
SCOPED_TSAN_INTERCEPTOR(xpc_connection_cancel, connection); SCOPED_TSAN_INTERCEPTOR(xpc_connection_cancel, connection);
Release(thr, pc, (uptr)connection); Release(thr, pc, (uptr)connection);
REAL(xpc_connection_cancel)(connection); REAL(xpc_connection_cancel)(connection);
} }
#endif // #if defined(__has_include) && __has_include(<xpc/xpc.h>) #endif // #if defined(__has_include) && __has_include(<xpc/xpc.h>)
// Is the Obj-C object a tagged pointer (i.e. isn't really a valid pointer and
george.karpenkovUnsubmitted
Not Done
ReplyInline Actions

can we have a short docstring for both functions? Also, isTaggedObjCPointer?

george.karpenkov: can we have a short docstring for both functions? Also, `isTaggedObjCPointer`?
kubamracekAuthorUnsubmitted
Not Done
ReplyInline Actions

Also, isTaggedObjCPointer?

In (almost) all of TSan, private functions starts with an uppercase letter. Let's not try to change style with this patch.

kubamracek: > Also, `isTaggedObjCPointer`? In (almost) all of TSan, private functions starts with an…
// contains data in the pointers bits instead)?
static bool IsTaggedObjCPointer(void *obj) {
george.karpenkovUnsubmitted
Not Done
ReplyInline Actions

return ((uptr)obj & kPossibleTaggedBits) != 0 ?

george.karpenkov: ` return ((uptr)obj & kPossibleTaggedBits) != 0` ?
george.karpenkovUnsubmitted
Not Done
ReplyInline Actions

also all the helper functions should be static

george.karpenkov: also all the helper functions should be static
delcypherUnsubmitted
Not Done
ReplyInline Actions

Perhaps the name should be IsTaggedObjCPointer?

delcypher: Perhaps the name should be `IsTaggedObjCPointer`?
const uptr kPossibleTaggedBits = 0x8000000000000001ull;
return ((uptr)obj & kPossibleTaggedBits) != 0;
}
george.karpenkovUnsubmitted
Not Done
ReplyInline Actions

what's the point of taking in the argument then?

george.karpenkov: what's the point of taking in the argument then?
kubamracekAuthorUnsubmitted
Not Done
ReplyInline Actions

The point is that, ideally, the function would return a different sync address for different pointers. But for now, the implementation trivially returns the same address for all, which can cause false negatives.

kubamracek: The point is that, ideally, the function would return a different sync address for different…
// Return an address on which we can synchronize (Acquire and Release) for a
// Obj-C tagged pointer (which is not a valid pointer). Ideally should be a
// derived address from 'obj', but for now just return the same global address.
// TODO(kubamracek): Return different address for different pointers.
static uptr SyncAddressForTaggedPointer(void *obj) {
delcypherUnsubmitted
Not Done
ReplyInline Actions

There probably should be a TODO(kubamracek) or FIXME in here.

Do we even want to do Acquire() and Release() for tagged pointers? Even if we had a perfect implementation of SyncAddressForTaggedPointer() that still seems wrong because we could have two independent instances of a tagged pointer
(e.g. create two separate NSString with same value) and those shouldn't really be considered as the same object, but they would
be considered the same because their tagged pointer value is the same.

delcypher: There probably should be a `TODO(kubamracek)` or `FIXME` in here. Do we even want to do…
kubamracekAuthorUnsubmitted
Not Done
ReplyInline Actions

Yes, the entire idea of using value types (strings, integeres, timestamps) as synchronization objects is weird and most likely not what you intended anyway. Therefore this patch is really just to avoid crashing and to mirror what libobjc is actually doing when using @synchronize on a tagged pointer (it does actually establish synchronization if the pointer bits are exactly the same).

kubamracek: Yes, the entire idea of using value types (strings, integeres, timestamps) as synchronization…
(void)obj;
static u64 addr;
return (uptr)&addr;
}
// Address on which we can synchronize for an Objective-C object. Supports
// tagged pointers.
static uptr SyncAddressForObjCObject(void *obj) {
if (IsTaggedObjCPointer(obj)) return SyncAddressForTaggedPointer(obj);
return (uptr)obj;
}
TSAN_INTERCEPTOR(int, objc_sync_enter, void *obj) { TSAN_INTERCEPTOR(int, objc_sync_enter, void *obj) {
SCOPED_TSAN_INTERCEPTOR(objc_sync_enter, obj); SCOPED_TSAN_INTERCEPTOR(objc_sync_enter, obj);
int result = REAL(objc_sync_enter)(obj); int result = REAL(objc_sync_enter)(obj);
if (obj) Acquire(thr, pc, (uptr)obj); if (obj) Acquire(thr, pc, SyncAddressForObjCObject(obj));
george.karpenkovUnsubmitted
Not Done
ReplyInline Actions

can we extract this line into a function with a name explaining it's semantics?

george.karpenkov: can we extract this line into a function with a name explaining it's semantics?
return result; return result;
} }
TSAN_INTERCEPTOR(int, objc_sync_exit, void *obj) { TSAN_INTERCEPTOR(int, objc_sync_exit, void *obj) {
SCOPED_TSAN_INTERCEPTOR(objc_sync_enter, obj); SCOPED_TSAN_INTERCEPTOR(objc_sync_enter, obj);
if (obj) Release(thr, pc, (uptr)obj); if (obj) Release(thr, pc, SyncAddressForObjCObject(obj));
return REAL(objc_sync_exit)(obj); return REAL(objc_sync_exit)(obj);
} }
// On macOS, libc++ is always linked dynamically, so intercepting works the // On macOS, libc++ is always linked dynamically, so intercepting works the
// usual way. // usual way.
#define STDCXX_INTERCEPTOR TSAN_INTERCEPTOR #define STDCXX_INTERCEPTOR TSAN_INTERCEPTOR
namespace { namespace {
▲ Show 20 LinesShow All 87 LinesShow Last 20 Lines

test/tsan/Darwin/objc-synchronize-tagged.mm

// RUN: %clangxx_tsan %s -o %t -framework Foundation -fobjc-arc %darwin_min_target_with_full_runtime_arc_support
// RUN: %run %t 2>&1 | FileCheck %s
#import <Foundation/Foundation.h>
NSString *tagged_string = nil;
@interface MyClass : NSObject {
long field;
}
@property(nonatomic, readonly) long value;
@end
dispatch_group_t group;
@implementation MyClass
- (void)start {
dispatch_queue_t q = dispatch_queue_create(NULL, NULL);
dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
for (int i = 0; i < 10; i++) {
dispatch_async(q, ^{
@synchronized(tagged_string) {
self->field = i;
}
});
}
});
}
- (long)value {
@synchronized(tagged_string) {
return self->field;
}
}
- (void)dealloc {
dispatch_group_leave(group);
}
@end
int main() {
tagged_string = [NSString stringWithFormat:@"%s", "abc"];
uintptr_t tagged_string_bits = (uintptr_t)tagged_string;
assert((tagged_string_bits & 0x8000000000000001ull) != 0);
group = dispatch_group_create();
@autoreleasepool {
for (int j = 0; j < 100; ++j) {
dispatch_group_enter(group);
MyClass *obj = [[MyClass alloc] init];
[obj start];
long x = obj.value;
(void)x;
}
}
dispatch_group_wait(group, DISPATCH_TIME_FOREVER);
NSLog(@"Hello world");
}
// CHECK: Hello world
// CHECK-NOT: WARNING: ThreadSanitizer