From 3ac94fe6137e5d5123b064b03084ea7a0bd0f5ff Mon Sep 17 00:00:00 2001
From: Kuba Mracek <mracek@apple.com>
Date: Tue, 24 Jul 2018 16:19:06 +0000
Subject: [tsan] Fix crash in objc_sync_enter/objc_sync_exit when using an
 Obj-C tagged pointer

Objective-C tagged pointers (either bottom-most or top-most bit is 1) are valid Obj-C objects but are not valid pointers. Make sure we don't crash on them when used in objc_sync_enter/objc_sync_exit. Instead, let's synchronize on a global object.

Differential Revision: https://reviews.llvm.org/D49707



git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@337837 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/tsan/rtl/tsan_interceptors_mac.cc       | 28 ++++++++++++-
 test/tsan/Darwin/objc-synchronize-tagged.mm | 62 +++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+), 2 deletions(-)
 create mode 100644 test/tsan/Darwin/objc-synchronize-tagged.mm

diff --git a/lib/tsan/rtl/tsan_interceptors_mac.cc b/lib/tsan/rtl/tsan_interceptors_mac.cc
index 1c4aa02a0..b58e6b707 100644
--- a/lib/tsan/rtl/tsan_interceptors_mac.cc
+++ b/lib/tsan/rtl/tsan_interceptors_mac.cc
@@ -294,16 +294,40 @@ TSAN_INTERCEPTOR(void, xpc_connection_cancel, xpc_connection_t connection) {
 
 #endif  // #if defined(__has_include) && __has_include(<xpc/xpc.h>)
 
+// Is the Obj-C object a tagged pointer (i.e. isn't really a valid pointer and
+// contains data in the pointers bits instead)?
+static bool IsTaggedObjCPointer(void *obj) {
+  const uptr kPossibleTaggedBits = 0x8000000000000001ull;
+  return ((uptr)obj & kPossibleTaggedBits) != 0;
+}
+
+// Return an address on which we can synchronize (Acquire and Release) for a
+// Obj-C tagged pointer (which is not a valid pointer). Ideally should be a
+// derived address from 'obj', but for now just return the same global address.
+// TODO(kubamracek): Return different address for different pointers.
+static uptr SyncAddressForTaggedPointer(void *obj) {
+  (void)obj;
+  static u64 addr;
+  return (uptr)&addr;
+}
+
+// Address on which we can synchronize for an Objective-C object. Supports
+// tagged pointers.
+static uptr SyncAddressForObjCObject(void *obj) {
+  if (IsTaggedObjCPointer(obj)) return SyncAddressForTaggedPointer(obj);
+  return (uptr)obj;
+}
+
 TSAN_INTERCEPTOR(int, objc_sync_enter, void *obj) {
   SCOPED_TSAN_INTERCEPTOR(objc_sync_enter, obj);
   int result = REAL(objc_sync_enter)(obj);
-  if (obj) Acquire(thr, pc, (uptr)obj);
+  if (obj) Acquire(thr, pc, SyncAddressForObjCObject(obj));
   return result;
 }
 
 TSAN_INTERCEPTOR(int, objc_sync_exit, void *obj) {
   SCOPED_TSAN_INTERCEPTOR(objc_sync_enter, obj);
-  if (obj) Release(thr, pc, (uptr)obj);
+  if (obj) Release(thr, pc, SyncAddressForObjCObject(obj));
   return REAL(objc_sync_exit)(obj);
 }
 
diff --git a/test/tsan/Darwin/objc-synchronize-tagged.mm b/test/tsan/Darwin/objc-synchronize-tagged.mm
new file mode 100644
index 000000000..ab0af46ec
--- /dev/null
+++ b/test/tsan/Darwin/objc-synchronize-tagged.mm
@@ -0,0 +1,62 @@
+// RUN: %clangxx_tsan %s -o %t -framework Foundation -fobjc-arc %darwin_min_target_with_full_runtime_arc_support
+// RUN: %run %t 2>&1 | FileCheck %s
+
+#import <Foundation/Foundation.h>
+
+NSString *tagged_string = nil;
+
+@interface MyClass : NSObject {
+  long field;
+}
+@property(nonatomic, readonly) long value;
+@end
+
+dispatch_group_t group;
+
+@implementation MyClass
+
+- (void)start {
+  dispatch_queue_t q = dispatch_queue_create(NULL, NULL);
+  dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+    for (int i = 0; i < 10; i++) {
+      dispatch_async(q, ^{
+        @synchronized(tagged_string) {
+          self->field = i;
+        }
+      });
+    }
+  });
+}
+
+- (long)value {
+  @synchronized(tagged_string) {
+    return self->field;
+  }
+}
+
+- (void)dealloc {
+  dispatch_group_leave(group);
+}
+
+@end
+
+int main() {
+  tagged_string = [NSString stringWithFormat:@"%s", "abc"];
+  uintptr_t tagged_string_bits = (uintptr_t)tagged_string;
+  assert((tagged_string_bits & 0x8000000000000001ull) != 0);
+  group = dispatch_group_create();
+  @autoreleasepool {
+    for (int j = 0; j < 100; ++j) {
+      dispatch_group_enter(group);
+      MyClass *obj = [[MyClass alloc] init];
+      [obj start];
+      long x = obj.value;
+      (void)x;
+    }
+  }
+  dispatch_group_wait(group, DISPATCH_TIME_FOREVER);
+  NSLog(@"Hello world");
+}
+
+// CHECK: Hello world
+// CHECK-NOT: WARNING: ThreadSanitizer
-- 
cgit v1.2.3