[compiler-rt] r337837 - [tsan] Fix crash in objc_sync_enter/objc_sync_exit when using an Obj-C tagged pointer

Kuba Mracek via llvm-commits llvm-commits at lists.llvm.org
Tue Jul 24 09:19:06 PDT 2018 

Author: kuba.brecka
Date: Tue Jul 24 09:19:06 2018
New Revision: 337837

URL: http://llvm.org/viewvc/llvm-project?rev=337837&view=rev
Log:
[tsan] Fix crash in objc_sync_enter/objc_sync_exit when using an Obj-C tagged pointer

Objective-C tagged pointers (either bottom-most or top-most bit is 1) are valid Obj-C objects but are not valid pointers. Make sure we don't crash on them when used in objc_sync_enter/objc_sync_exit. Instead, let's synchronize on a global object.

Differential Revision: https://reviews.llvm.org/D49707


Added:
    compiler-rt/trunk/test/tsan/Darwin/objc-synchronize-tagged.mm
Modified:
    compiler-rt/trunk/lib/tsan/rtl/tsan_interceptors_mac.cc

Modified: compiler-rt/trunk/lib/tsan/rtl/tsan_interceptors_mac.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/tsan/rtl/tsan_interceptors_mac.cc?rev=337837&r1=337836&r2=337837&view=diff
==============================================================================
--- compiler-rt/trunk/lib/tsan/rtl/tsan_interceptors_mac.cc (original)
+++ compiler-rt/trunk/lib/tsan/rtl/tsan_interceptors_mac.cc Tue Jul 24 09:19:06 2018
@@ -294,16 +294,40 @@ TSAN_INTERCEPTOR(void, xpc_connection_ca
 
 #endif  // #if defined(__has_include) && __has_include(<xpc/xpc.h>)
 
+// Is the Obj-C object a tagged pointer (i.e. isn't really a valid pointer and
+// contains data in the pointers bits instead)?
+static bool IsTaggedObjCPointer(void *obj) {
+  const uptr kPossibleTaggedBits = 0x8000000000000001ull;
+  return ((uptr)obj & kPossibleTaggedBits) != 0;
+}
+
+// Return an address on which we can synchronize (Acquire and Release) for a
+// Obj-C tagged pointer (which is not a valid pointer). Ideally should be a
+// derived address from 'obj', but for now just return the same global address.
+// TODO(kubamracek): Return different address for different pointers.
+static uptr SyncAddressForTaggedPointer(void *obj) {
+  (void)obj;
+  static u64 addr;
+  return (uptr)&addr;
+}
+
+// Address on which we can synchronize for an Objective-C object. Supports
+// tagged pointers.
+static uptr SyncAddressForObjCObject(void *obj) {
+  if (IsTaggedObjCPointer(obj)) return SyncAddressForTaggedPointer(obj);
+  return (uptr)obj;
+}
+
 TSAN_INTERCEPTOR(int, objc_sync_enter, void *obj) {
   SCOPED_TSAN_INTERCEPTOR(objc_sync_enter, obj);
   int result = REAL(objc_sync_enter)(obj);
-  if (obj) Acquire(thr, pc, (uptr)obj);
+  if (obj) Acquire(thr, pc, SyncAddressForObjCObject(obj));
   return result;
 }
 
 TSAN_INTERCEPTOR(int, objc_sync_exit, void *obj) {
   SCOPED_TSAN_INTERCEPTOR(objc_sync_enter, obj);
-  if (obj) Release(thr, pc, (uptr)obj);
+  if (obj) Release(thr, pc, SyncAddressForObjCObject(obj));
   return REAL(objc_sync_exit)(obj);
 }
 

Added: compiler-rt/trunk/test/tsan/Darwin/objc-synchronize-tagged.mm
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/tsan/Darwin/objc-synchronize-tagged.mm?rev=337837&view=auto
==============================================================================
--- compiler-rt/trunk/test/tsan/Darwin/objc-synchronize-tagged.mm (added)
+++ compiler-rt/trunk/test/tsan/Darwin/objc-synchronize-tagged.mm Tue Jul 24 09:19:06 2018
@@ -0,0 +1,62 @@
+// RUN: %clangxx_tsan %s -o %t -framework Foundation -fobjc-arc %darwin_min_target_with_full_runtime_arc_support
+// RUN: %run %t 2>&1 | FileCheck %s
+
+#import <Foundation/Foundation.h>
+
+NSString *tagged_string = nil;
+
+ at interface MyClass : NSObject {
+  long field;
+}
+ at property(nonatomic, readonly) long value;
+ at end
+
+dispatch_group_t group;
+
+ at implementation MyClass
+
+- (void)start {
+  dispatch_queue_t q = dispatch_queue_create(NULL, NULL);
+  dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+    for (int i = 0; i < 10; i++) {
+      dispatch_async(q, ^{
+        @synchronized(tagged_string) {
+          self->field = i;
+        }
+      });
+    }
+  });
+}
+
+- (long)value {
+  @synchronized(tagged_string) {
+    return self->field;
+  }
+}
+
+- (void)dealloc {
+  dispatch_group_leave(group);
+}
+
+ at end
+
+int main() {
+  tagged_string = [NSString stringWithFormat:@"%s", "abc"];
+  uintptr_t tagged_string_bits = (uintptr_t)tagged_string;
+  assert((tagged_string_bits & 0x8000000000000001ull) != 0);
+  group = dispatch_group_create();
+  @autoreleasepool {
+    for (int j = 0; j < 100; ++j) {
+      dispatch_group_enter(group);
+      MyClass *obj = [[MyClass alloc] init];
+      [obj start];
+      long x = obj.value;
+      (void)x;
+    }
+  }
+  dispatch_group_wait(group, DISPATCH_TIME_FOREVER);
+  NSLog(@"Hello world");
+}
+
+// CHECK: Hello world
+// CHECK-NOT: WARNING: ThreadSanitizer

More information about the llvm-commits mailing list