[Mac] Use object_destructInstance() if available.

chrome/browser/ui/cocoa/objc_zombie.mm

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "chrome/browser/ui/cocoa/objc_zombie.h"
 
 #include <dlfcn.h>
 #include <mach-o/dyld.h>
 #include <mach-o/nlist.h>
 
 #import <objc/objc-class.h>
 
 #include "base/logging.h"
+#include "base/metrics/histogram.h"
 #include "base/synchronization/lock.h"
+#include "base/sys_info.h"
 #import "chrome/app/breakpad_mac.h"
 #import "chrome/browser/ui/cocoa/objc_method_swizzle.h"
 
 // Deallocated objects are re-classed as |CrZombie|.  No superclass
 // because then the class would have to override many/most of the
 // inherited methods (|NSObject| is like a category magnet!).
 @interface CrZombie {
   Class isa;
 }
 @end
 
 // Objects with enough space are made into "fat" zombies, which
 // directly remember which class they were until reallocated.
 @interface CrFatZombie : CrZombie {
  @public
   Class wasa;
 }
 @end
 
 namespace {
 
-// |object_cxxDestruct()| is an Objective-C runtime function which
-// traverses the object's class tree for ".cxxdestruct" methods which
-// are run to call C++ destructors as part of |-dealloc|.  The
-// function is not public, so must be looked up using nlist.
+// Function which destroys the contents of an object without freeing
+// the object.  On 10.5 this is |object_cxxDestruct()|, which
+// traverses the class hierarchy to run the C++ destructors.  On 10.6
+// this is |objc_destructInstance()| which calls
+// |object_cxxDestruct()| and removes associative references.
+// |objc_destructInstance()| returns |void*|, pretending it has no

[Avi (use Gerrit), 2011/06/08 03:08:53]

"... returns |void*| but pretending..." 

+// return value makes the code simpler.
 typedef void DestructFn(id obj);
-DestructFn* g_object_cxxDestruct = NULL;
+DestructFn* g_objectDestruct = NULL;
 
 // The original implementation for |-[NSObject dealloc]|.
 IMP g_originalDeallocIMP = NULL;
 
 // Classes which freed objects become.  |g_fatZombieSize| is the
 // minimum object size which can be made into a fat zombie (which can
 // remember which class it was before free, even after falling off the
 // treadmill).
 Class g_zombieClass = Nil;  // cached [CrZombie class]
 Class g_fatZombieClass = Nil;  // cached [CrFatZombie class]
@@ skipping 11 matching lines @@
 size_t g_zombieCount = 0;
 size_t g_zombieIndex = 0;
 
 typedef struct {
   id object;   // The zombied object.
   Class wasa;  // Value of |object->isa| before we replaced it.
 } ZombieRecord;
 
 ZombieRecord* g_zombies = NULL;
 
-// Lookup the private |object_cxxDestruct| function and return a
-// pointer to it.  Returns |NULL| on failure.
-DestructFn* LookupObjectCxxDestruct() {
-#if ARCH_CPU_64_BITS
-  // TODO(shess): Port to 64-bit.  I believe using struct nlist_64
-  // will suffice.  http://crbug.com/44021 .
-  NOTIMPLEMENTED();
+const char* LookupObjcRuntimePath() {
+  const void* addr = reinterpret_cast<void*>(&object_getClass);
+  Dl_info info;
+
+  // |dladdr()| doesn't document how long |info| will stay valid...
+  if (dladdr(addr, &info))
+    return info.dli_fname;
+
   return NULL;
-#endif
+}
+
+// Lookup |objc_destructInstance()| dynamically because it isn't
+// available on 10.5, but we link with the 10.5 SDK.
+DestructFn* LookupObjectDestruct_10_6() {
+  const char* objc_runtime_path = LookupObjcRuntimePath();
+  if (!objc_runtime_path)
+    return NULL;
+
+  void* handle = dlopen(objc_runtime_path, RTLD_LAZY | RTLD_LOCAL);
+  if (!handle)
+    return NULL;
+
+  void* fn = dlsym(handle, "objc_destructInstance");
+
+  // |fn| would normally be expected to become invalid after this
+  // |dlclose()|, but since the |dlopen()| was on a library
+  // containing an already-mapped symbol, it will remain valid.
+  dlclose(handle);
+  return reinterpret_cast<DestructFn*>(fn);
+}
+
+// Under 10.5 |object_cxxDestruct()| is used, unfortunately it is

[Avi (use Gerrit), 2011/06/08 03:08:53]

"used but unfortunately"

+// |__private_extern__| in the runtime, meaning |dlsym()| cannot reach it.
+DestructFn* LookupObjectDestruct_10_5() {
+  // |nlist()| is only present for 32-bit.
+#if ARCH_CPU_32_BITS
+  const char* objc_runtime_path = LookupObjcRuntimePath();
+  if (!objc_runtime_path)
+    return NULL;
 
   struct nlist nl[3];
   bzero(&nl, sizeof(nl));
 
-  nl[0].n_un.n_name = (char*)"_object_cxxDestruct";
+  nl[0].n_un.n_name = const_cast<char*>("_object_cxxDestruct");
 
   // My ability to calculate the base for offsets is apparently poor.
   // Use |class_addIvar| as a known reference point.
-  nl[1].n_un.n_name = (char*)"_class_addIvar";
+  nl[1].n_un.n_name = const_cast<char*>("_class_addIvar");
 
-  if (nlist("/usr/lib/libobjc.dylib", nl) < 0 ||
+  if (nlist(objc_runtime_path, nl) < 0 ||
       nl[0].n_type == N_UNDF || nl[1].n_type == N_UNDF)
     return NULL;
 
-  return (DestructFn*)((char*)&class_addIvar - nl[1].n_value + nl[0].n_value);
+  // Back out offset to |class_addIvar()| to get the baseline, then
+  // add back offset to |object_cxxDestruct()|.
+  uintptr_t reference_addr = reinterpret_cast<uintptr_t>(&class_addIvar);
+  reference_addr -= nl[1].n_value;
+  reference_addr += nl[0].n_value;
+
+  return reinterpret_cast<DestructFn*>(reference_addr);
+#endif
+
+  return NULL;
 }
 
 // Replacement |-dealloc| which turns objects into zombies and places
 // them into |g_zombies| to be freed later.
 void ZombieDealloc(id self, SEL _cmd) {
   // This code should only be called when it is implementing |-dealloc|.
   DCHECK_EQ(_cmd, @selector(dealloc));
 
   // Use the original |-dealloc| if the object doesn't wish to be
   // zombied.
   if (!g_zombieAllObjects && ![self shouldBecomeCrZombie]) {
     g_originalDeallocIMP(self, _cmd);
     return;
   }
 
-  // Use the original |-dealloc| if |object_cxxDestruct| was never
+  // Use the original |-dealloc| if |g_objectDestruct| was never
   // initialized, because otherwise C++ destructors won't be called.
   // This case should be impossible, but doing it wrong would cause
   // terrible problems.
-  DCHECK(g_object_cxxDestruct);
-  if (!g_object_cxxDestruct) {
+  DCHECK(g_objectDestruct);
+  if (!g_objectDestruct) {
     g_originalDeallocIMP(self, _cmd);
     return;
   }
 
   Class wasa = object_getClass(self);
   const size_t size = class_getInstanceSize(wasa);
 
   // Destroy the instance by calling C++ destructors and clearing it
   // to something unlikely to work well if someone references it.
-  // NOTE(shess): |object_dispose()| will call |object_cxxDestruct()|
-  // again when the zombie falls off the treadmill!  But by then |isa|
-  // will be something without destructors, so it won't hurt anything.
-  (*g_object_cxxDestruct)(self);
+  // NOTE(shess): |object_dispose()| will call this again when the
+  // zombie falls off the treadmill!  But by then |isa| will be a
+  // class without C++ destructors or associative references, so it
+  // won't hurt anything.
+  (*g_objectDestruct)(self);
   memset(self, '!', size);
 
   // If the instance is big enough, make it into a fat zombie and have
   // it remember the old |isa|.  Otherwise make it a regular zombie.
   // Setting |isa| rather than using |object_setClass()| because that
   // function is implemented with a memory barrier.  The runtime's
   // |_internal_object_dispose()| (in objc-class.m) does this, so it
   // should be safe (messaging free'd objects shouldn't be expected to
   // be thread-safe in the first place).
   if (size >= g_fatZombieSize) {
@@ skipping 66 matching lines @@
   SetCrashKeyValue(@"zombie", aString);
   LOG(ERROR) << [aString UTF8String];
 
   // This is how about:crash is implemented.  Using instead of
   // |baes::debug::BreakDebugger()| or |LOG(FATAL)| to make the top of
   // stack more immediately obvious in crash dumps.
   int* zero = NULL;
   *zero = 0;
 }
 
+// For monitoring failures in |ZombieInit()|.
+enum ZombieFailure {
+  FAILED_10_5,
+  FAILED_10_6,
+
+  // Add new versions before here.
+  FAILED_MAX,
+};
+
+void RecordZombieFailure(ZombieFailure failure) {
+  UMA_HISTOGRAM_ENUMERATION("OSX.ZombieInitFailure", failure, FAILED_MAX);
+}
+
 // Initialize our globals, returning YES on success.
 BOOL ZombieInit() {
   static BOOL initialized = NO;
   if (initialized)
     return YES;
 
+  // Whitelist releases that are compatible with objc zombies.
+  int32 major_version = 0, minor_version = 0, bugfix_version = 0;
+  base::SysInfo::OperatingSystemVersionNumbers(
+      &major_version, &minor_version, &bugfix_version);
+
+  if (major_version < 10 || (major_version == 10 && minor_version < 5)) {
+    return NO;
+  } else if (major_version == 10 && minor_version == 5) {
+    g_objectDestruct = LookupObjectDestruct_10_5();
+    if (!g_objectDestruct) {
+      RecordZombieFailure(FAILED_10_5);
+      return NO;
+    }
+  } else if (major_version == 10 && minor_version == 6) {
+    g_objectDestruct = LookupObjectDestruct_10_6();
+    if (!g_objectDestruct) {
+      RecordZombieFailure(FAILED_10_6);
+      return NO;
+    }
+  } else {
+    // Assume the future looks like the present.
+    g_objectDestruct = LookupObjectDestruct_10_6();

[Scott Hess - ex-Googler, 2011/06/07 23:51:25]

Note that what's currently on trunk disables CrZombie for this case.  In theory
this works with 10.7, but I'm not sure we have anything that will provide a
direct signal that it isn't working.

[Mark Mentovai, 2011/06/08 02:27:48]

shess wrote:
Right. Once you check this in, we should do a follow-up to turn this back on for
>10.6.

I understand if you’re wary of doing this without testing on a Lion DP. If you
don’t have a Lion installation and don’t have someone nearby who does, talk to
me on Thursday and I’ll test it.

(I’m out tomorrow.)

+
+    // Put all future failures into the MAX bin.  New OS releases come
+    // out infrequently enough that this should always correspond to
+    // "Next release", and once the next release happens that bin will
+    // get an official name.
+    if (!g_objectDestruct) {
+      RecordZombieFailure(FAILED_MAX);
+      return NO;
+    }
+  }
+
   Class rootClass = [NSObject class];
-
-  g_object_cxxDestruct = LookupObjectCxxDestruct();
   g_originalDeallocIMP =
       class_getMethodImplementation(rootClass, @selector(dealloc));
   // objc_getClass() so CrZombie doesn't need +class.
   g_zombieClass = objc_getClass("CrZombie");
   g_fatZombieClass = objc_getClass("CrFatZombie");
   g_fatZombieSize = class_getInstanceSize(g_fatZombieClass);
 
-  if (!g_object_cxxDestruct || !g_originalDeallocIMP ||
+  if (!g_objectDestruct || !g_originalDeallocIMP ||
       !g_zombieClass || !g_fatZombieClass)
     return NO;
 
   initialized = YES;
   return YES;
 }
 
 }  // namespace
 
 @implementation CrZombie
@@ skipping 164 matching lines @@
   if (oldZombies) {
     for (size_t i = 0; i < oldCount; ++i) {
       if (oldZombies[i].object)
         object_dispose(oldZombies[i].object);
     }
     free(oldZombies);
   }
 }
 
 }  // namespace ObjcEvilDoers