[tsan] Fix crash in objc_sync_enter/objc_sync_exit when using an Obj-C tagged pointer

kubamracek · kubamracek · commit dc36389ea8ad · 2018-07-24T16:19:06.000Z
Objective-C tagged pointers (either bottom-most or top-most bit is 1) are valid Obj-C objects but are not valid pointers. Make sure we don't crash on them when used in objc_sync_enter/objc_sync_exit. Instead, let's synchronize on a global object. Differential Revision: https://reviews.llvm.org/D49707 llvm-svn: 337837
diff --git a/compiler-rt/lib/tsan/rtl/tsan_interceptors_mac.cc b/compiler-rt/lib/tsan/rtl/tsan_interceptors_mac.cc
@@ -294,16 +294,40 @@ TSAN_INTERCEPTOR(void, xpc_connection_cancel, xpc_connection_t connection) {
 
 #endif  // #if defined(__has_include) && __has_include(<xpc/xpc.h>)
 
+// Is the Obj-C object a tagged pointer (i.e. isn't really a valid pointer and
+// contains data in the pointers bits instead)?
+static bool IsTaggedObjCPointer(void *obj) {
+  const uptr kPossibleTaggedBits = 0x8000000000000001ull;
+  return ((uptr)obj & kPossibleTaggedBits) != 0;
+}
+
+// Return an address on which we can synchronize (Acquire and Release) for a
+// Obj-C tagged pointer (which is not a valid pointer). Ideally should be a
+// derived address from 'obj', but for now just return the same global address.
+// TODO(kubamracek): Return different address for different pointers.
+static uptr SyncAddressForTaggedPointer(void *obj) {
+  (void)obj;
+  static u64 addr;
+  return (uptr)&addr;
+}
+
+// Address on which we can synchronize for an Objective-C object. Supports
+// tagged pointers.
+static uptr SyncAddressForObjCObject(void *obj) {
+  if (IsTaggedObjCPointer(obj)) return SyncAddressForTaggedPointer(obj);
+  return (uptr)obj;
+}
+
 TSAN_INTERCEPTOR(int, objc_sync_enter, void *obj) {
   SCOPED_TSAN_INTERCEPTOR(objc_sync_enter, obj);
   int result = REAL(objc_sync_enter)(obj);
-  if (obj) Acquire(thr, pc, (uptr)obj);
+  if (obj) Acquire(thr, pc, SyncAddressForObjCObject(obj));
   return result;
 }
 
 TSAN_INTERCEPTOR(int, objc_sync_exit, void *obj) {
   SCOPED_TSAN_INTERCEPTOR(objc_sync_enter, obj);
-  if (obj) Release(thr, pc, (uptr)obj);
+  if (obj) Release(thr, pc, SyncAddressForObjCObject(obj));
   return REAL(objc_sync_exit)(obj);
 }
 
diff --git a/compiler-rt/test/tsan/Darwin/objc-synchronize-tagged.mm b/compiler-rt/test/tsan/Darwin/objc-synchronize-tagged.mm
@@ -0,0 +1,62 @@
+// RUN: %clangxx_tsan %s -o %t -framework Foundation -fobjc-arc %darwin_min_target_with_full_runtime_arc_support
+// RUN: %run %t 2>&1 | FileCheck %s
+
+#import <Foundation/Foundation.h>
+
+NSString *tagged_string = nil;
+
+@interface MyClass : NSObject {
+  long field;
+}
+@property(nonatomic, readonly) long value;
+@end
+
+dispatch_group_t group;
+
+@implementation MyClass
+
+- (void)start {
+  dispatch_queue_t q = dispatch_queue_create(NULL, NULL);
+  dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+    for (int i = 0; i < 10; i++) {
+      dispatch_async(q, ^{
+        @synchronized(tagged_string) {
+          self->field = i;
+        }
+      });
+    }
+  });
+}
+
+- (long)value {
+  @synchronized(tagged_string) {
+    return self->field;
+  }
+}
+
+- (void)dealloc {
+  dispatch_group_leave(group);
+}
+
+@end
+
+int main() {
+  tagged_string = [NSString stringWithFormat:@"%s", "abc"];
+  uintptr_t tagged_string_bits = (uintptr_t)tagged_string;
+  assert((tagged_string_bits & 0x8000000000000001ull) != 0);
+  group = dispatch_group_create();
+  @autoreleasepool {
+    for (int j = 0; j < 100; ++j) {
+      dispatch_group_enter(group);
+      MyClass *obj = [[MyClass alloc] init];
+      [obj start];
+      long x = obj.value;
+      (void)x;
+    }
+  }
+  dispatch_group_wait(group, DISPATCH_TIME_FOREVER);
+  NSLog(@"Hello world");
+}
+
+// CHECK: Hello world
+// CHECK-NOT: WARNING: ThreadSanitizer
