1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #import "chrome/common/mac/objc_zombie.h" 6 7 #include <AvailabilityMacros.h> 8 9 #include <execinfo.h> 10 #import <objc/runtime.h> 11 12 #include <algorithm> 13 14 #include "base/debug/crash_logging.h" 15 #include "base/debug/stack_trace.h" 16 #include "base/lazy_instance.h" 17 #include "base/logging.h" 18 #include "base/strings/stringprintf.h" 19 #include "base/synchronization/lock.h" 20 #include "chrome/common/crash_keys.h" 21 #import "chrome/common/mac/objc_method_swizzle.h" 22 23 #if !defined(OS_IOS) && (MAC_OS_X_VERSION_MAX_ALLOWED <= MAC_OS_X_VERSION_10_6) 24 // Apparently objc/runtime.h doesn't define this with the 10.6 SDK yet. 25 // The docs say it exists since 10.6 however. 26 OBJC_EXPORT void *objc_destructInstance(id obj); 27 #endif 28 29 // Deallocated objects are re-classed as |CrZombie|. No superclass 30 // because then the class would have to override many/most of the 31 // inherited methods (|NSObject| is like a category magnet!). 32 // Without the __attribute__, clang's -Wobjc-root-class warns on the missing 33 // superclass. 34 __attribute__((objc_root_class)) 35 @interface CrZombie { 36 Class isa; 37 } 38 @end 39 40 // Objects with enough space are made into "fat" zombies, which 41 // directly remember which class they were until reallocated. 42 @interface CrFatZombie : CrZombie { 43 @public 44 Class wasa; 45 } 46 @end 47 48 namespace { 49 50 // The depth of backtrace to store with zombies. This directly influences 51 // the amount of memory required to track zombies, so should be kept as 52 // small as is useful. Unfortunately, too small and it won't poke through 53 // deep autorelease and event loop stacks. 54 // NOTE(shess): Breakpad currently restricts values to 255 bytes. The 55 // trace is hex-encoded with "0x" prefix and " " separators, meaning 56 // the maximum number of 32-bit items which can be encoded is 23. 57 const size_t kBacktraceDepth = 20; 58 59 // The original implementation for |-[NSObject dealloc]|. 60 IMP g_originalDeallocIMP = NULL; 61 62 // Classes which freed objects become. |g_fatZombieSize| is the 63 // minimum object size which can be made into a fat zombie (which can 64 // remember which class it was before free, even after falling off the 65 // treadmill). 66 Class g_zombieClass = Nil; // cached [CrZombie class] 67 Class g_fatZombieClass = Nil; // cached [CrFatZombie class] 68 size_t g_fatZombieSize = 0; 69 70 // Whether to zombie all freed objects, or only those which return YES 71 // from |-shouldBecomeCrZombie|. 72 BOOL g_zombieAllObjects = NO; 73 74 // Protects |g_zombieCount|, |g_zombieIndex|, and |g_zombies|. 75 base::LazyInstance<base::Lock>::Leaky g_lock = LAZY_INSTANCE_INITIALIZER; 76 77 // How many zombies to keep before freeing, and the current head of 78 // the circular buffer. 79 size_t g_zombieCount = 0; 80 size_t g_zombieIndex = 0; 81 82 typedef struct { 83 id object; // The zombied object. 84 Class wasa; // Value of |object->isa| before we replaced it. 85 void* trace[kBacktraceDepth]; // Backtrace at point of deallocation. 86 size_t traceDepth; // Actual depth of trace[]. 87 } ZombieRecord; 88 89 ZombieRecord* g_zombies = NULL; 90 91 // Replacement |-dealloc| which turns objects into zombies and places 92 // them into |g_zombies| to be freed later. 93 void ZombieDealloc(id self, SEL _cmd) { 94 // This code should only be called when it is implementing |-dealloc|. 95 DCHECK_EQ(_cmd, @selector(dealloc)); 96 97 // Use the original |-dealloc| if the object doesn't wish to be 98 // zombied. 99 if (!g_zombieAllObjects && ![self shouldBecomeCrZombie]) { 100 g_originalDeallocIMP(self, _cmd); 101 return; 102 } 103 104 Class wasa = object_getClass(self); 105 const size_t size = class_getInstanceSize(wasa); 106 107 // Destroy the instance by calling C++ destructors and clearing it 108 // to something unlikely to work well if someone references it. 109 // NOTE(shess): |object_dispose()| will call this again when the 110 // zombie falls off the treadmill! But by then |isa| will be a 111 // class without C++ destructors or associative references, so it 112 // won't hurt anything. 113 objc_destructInstance(self); 114 memset(self, '!', size); 115 116 // If the instance is big enough, make it into a fat zombie and have 117 // it remember the old |isa|. Otherwise make it a regular zombie. 118 // Setting |isa| rather than using |object_setClass()| because that 119 // function is implemented with a memory barrier. The runtime's 120 // |_internal_object_dispose()| (in objc-class.m) does this, so it 121 // should be safe (messaging free'd objects shouldn't be expected to 122 // be thread-safe in the first place). 123 #pragma clang diagnostic push // clang warns about direct access to isa. 124 #pragma clang diagnostic ignored "-Wdeprecated-objc-isa-usage" 125 if (size >= g_fatZombieSize) { 126 self->isa = g_fatZombieClass; 127 static_cast<CrFatZombie*>(self)->wasa = wasa; 128 } else { 129 self->isa = g_zombieClass; 130 } 131 #pragma clang diagnostic pop 132 133 // The new record to swap into |g_zombies|. If |g_zombieCount| is 134 // zero, then |self| will be freed immediately. 135 ZombieRecord zombieToFree = {self, wasa}; 136 zombieToFree.traceDepth = 137 std::max(backtrace(zombieToFree.trace, kBacktraceDepth), 0); 138 139 // Don't involve the lock when creating zombies without a treadmill. 140 if (g_zombieCount > 0) { 141 base::AutoLock pin(g_lock.Get()); 142 143 // Check the count again in a thread-safe manner. 144 if (g_zombieCount > 0) { 145 // Put the current object on the treadmill and keep the previous 146 // occupant. 147 std::swap(zombieToFree, g_zombies[g_zombieIndex]); 148 149 // Bump the index forward. 150 g_zombieIndex = (g_zombieIndex + 1) % g_zombieCount; 151 } 152 } 153 154 // Do the free out here to prevent any chance of deadlock. 155 if (zombieToFree.object) 156 object_dispose(zombieToFree.object); 157 } 158 159 // Search the treadmill for |object| and fill in |*record| if found. 160 // Returns YES if found. 161 BOOL GetZombieRecord(id object, ZombieRecord* record) { 162 // Holding the lock is reasonable because this should be fast, and 163 // the process is going to crash presently anyhow. 164 base::AutoLock pin(g_lock.Get()); 165 for (size_t i = 0; i < g_zombieCount; ++i) { 166 if (g_zombies[i].object == object) { 167 *record = g_zombies[i]; 168 return YES; 169 } 170 } 171 return NO; 172 } 173 174 // Dump the symbols. This is pulled out into a function to make it 175 // easy to use DCHECK to dump only in debug builds. 176 BOOL DumpDeallocTrace(const void* const* array, int size) { 177 fprintf(stderr, "Backtrace from -dealloc:\n"); 178 base::debug::StackTrace(array, size).Print(); 179 180 return YES; 181 } 182 183 // Log a message to a freed object. |wasa| is the object's original 184 // class. |aSelector| is the selector which the calling code was 185 // attempting to send. |viaSelector| is the selector of the 186 // dispatch-related method which is being invoked to send |aSelector| 187 // (for instance, -respondsToSelector:). 188 void ZombieObjectCrash(id object, SEL aSelector, SEL viaSelector) { 189 ZombieRecord record; 190 BOOL found = GetZombieRecord(object, &record); 191 192 // The object's class can be in the zombie record, but if that is 193 // not available it can also be in the object itself (in most cases). 194 Class wasa = Nil; 195 if (found) { 196 wasa = record.wasa; 197 } else if (object_getClass(object) == g_fatZombieClass) { 198 wasa = static_cast<CrFatZombie*>(object)->wasa; 199 } 200 const char* wasaName = (wasa ? class_getName(wasa) : "<unknown>"); 201 202 std::string aString = base::StringPrintf("Zombie <%s: %p> received -%s", 203 wasaName, object, sel_getName(aSelector)); 204 if (viaSelector != NULL) { 205 const char* viaName = sel_getName(viaSelector); 206 base::StringAppendF(&aString, " (via -%s)", viaName); 207 } 208 209 // Set a value for breakpad to report. 210 base::debug::SetCrashKeyValue(crash_keys::mac::kZombie, aString); 211 212 // Encode trace into a breakpad key. 213 if (found) { 214 base::debug::SetCrashKeyFromAddresses( 215 crash_keys::mac::kZombieTrace, record.trace, record.traceDepth); 216 } 217 218 // Log -dealloc backtrace in debug builds then crash with a useful 219 // stack trace. 220 if (found && record.traceDepth) { 221 DCHECK(DumpDeallocTrace(record.trace, record.traceDepth)); 222 } else { 223 DLOG(INFO) << "Unable to generate backtrace from -dealloc."; 224 } 225 DLOG(FATAL) << aString; 226 227 // This is how about:crash is implemented. Using instead of 228 // |base::debug::BreakDebugger()| or |LOG(FATAL)| to make the top of 229 // stack more immediately obvious in crash dumps. 230 int* zero = NULL; 231 *zero = 0; 232 } 233 234 // Initialize our globals, returning YES on success. 235 BOOL ZombieInit() { 236 static BOOL initialized = NO; 237 if (initialized) 238 return YES; 239 240 Class rootClass = [NSObject class]; 241 g_originalDeallocIMP = 242 class_getMethodImplementation(rootClass, @selector(dealloc)); 243 // objc_getClass() so CrZombie doesn't need +class. 244 g_zombieClass = objc_getClass("CrZombie"); 245 g_fatZombieClass = objc_getClass("CrFatZombie"); 246 g_fatZombieSize = class_getInstanceSize(g_fatZombieClass); 247 248 if (!g_originalDeallocIMP || !g_zombieClass || !g_fatZombieClass) 249 return NO; 250 251 initialized = YES; 252 return YES; 253 } 254 255 } // namespace 256 257 @implementation CrZombie 258 259 // The Objective-C runtime needs to be able to call this successfully. 260 + (void)initialize { 261 } 262 263 // Any method not explicitly defined will end up here, forcing a 264 // crash. 265 - (id)forwardingTargetForSelector:(SEL)aSelector { 266 ZombieObjectCrash(self, aSelector, NULL); 267 return nil; 268 } 269 270 // Override a few methods often used for dynamic dispatch to log the 271 // message the caller is attempting to send, rather than the utility 272 // method being used to send it. 273 - (BOOL)respondsToSelector:(SEL)aSelector { 274 ZombieObjectCrash(self, aSelector, _cmd); 275 return NO; 276 } 277 278 - (id)performSelector:(SEL)aSelector { 279 ZombieObjectCrash(self, aSelector, _cmd); 280 return nil; 281 } 282 283 - (id)performSelector:(SEL)aSelector withObject:(id)anObject { 284 ZombieObjectCrash(self, aSelector, _cmd); 285 return nil; 286 } 287 288 - (id)performSelector:(SEL)aSelector 289 withObject:(id)anObject 290 withObject:(id)anotherObject { 291 ZombieObjectCrash(self, aSelector, _cmd); 292 return nil; 293 } 294 295 - (void)performSelector:(SEL)aSelector 296 withObject:(id)anArgument 297 afterDelay:(NSTimeInterval)delay { 298 ZombieObjectCrash(self, aSelector, _cmd); 299 } 300 301 @end 302 303 @implementation CrFatZombie 304 305 // This implementation intentionally left empty. 306 307 @end 308 309 @implementation NSObject (CrZombie) 310 311 - (BOOL)shouldBecomeCrZombie { 312 return NO; 313 } 314 315 @end 316 317 namespace ObjcEvilDoers { 318 319 bool ZombieEnable(bool zombieAllObjects, 320 size_t zombieCount) { 321 // Only allow enable/disable on the main thread, just to keep things 322 // simple. 323 DCHECK([NSThread isMainThread]); 324 325 if (!ZombieInit()) 326 return false; 327 328 g_zombieAllObjects = zombieAllObjects; 329 330 // Replace the implementation of -[NSObject dealloc]. 331 Method m = class_getInstanceMethod([NSObject class], @selector(dealloc)); 332 if (!m) 333 return false; 334 335 const IMP prevDeallocIMP = method_setImplementation(m, (IMP)ZombieDealloc); 336 DCHECK(prevDeallocIMP == g_originalDeallocIMP || 337 prevDeallocIMP == (IMP)ZombieDealloc); 338 339 // Grab the current set of zombies. This is thread-safe because 340 // only the main thread can change these. 341 const size_t oldCount = g_zombieCount; 342 ZombieRecord* oldZombies = g_zombies; 343 344 { 345 base::AutoLock pin(g_lock.Get()); 346 347 // Save the old index in case zombies need to be transferred. 348 size_t oldIndex = g_zombieIndex; 349 350 // Create the new zombie treadmill, disabling zombies in case of 351 // failure. 352 g_zombieIndex = 0; 353 g_zombieCount = zombieCount; 354 g_zombies = NULL; 355 if (g_zombieCount) { 356 g_zombies = 357 static_cast<ZombieRecord*>(calloc(g_zombieCount, sizeof(*g_zombies))); 358 if (!g_zombies) { 359 NOTREACHED(); 360 g_zombies = oldZombies; 361 g_zombieCount = oldCount; 362 g_zombieIndex = oldIndex; 363 ZombieDisable(); 364 return false; 365 } 366 } 367 368 // If the count is changing, allow some of the zombies to continue 369 // shambling forward. 370 const size_t sharedCount = std::min(oldCount, zombieCount); 371 if (sharedCount) { 372 // Get index of the first shared zombie. 373 oldIndex = (oldIndex + oldCount - sharedCount) % oldCount; 374 375 for (; g_zombieIndex < sharedCount; ++ g_zombieIndex) { 376 DCHECK_LT(g_zombieIndex, g_zombieCount); 377 DCHECK_LT(oldIndex, oldCount); 378 std::swap(g_zombies[g_zombieIndex], oldZombies[oldIndex]); 379 oldIndex = (oldIndex + 1) % oldCount; 380 } 381 g_zombieIndex %= g_zombieCount; 382 } 383 } 384 385 // Free the old treadmill and any remaining zombies. 386 if (oldZombies) { 387 for (size_t i = 0; i < oldCount; ++i) { 388 if (oldZombies[i].object) 389 object_dispose(oldZombies[i].object); 390 } 391 free(oldZombies); 392 } 393 394 return true; 395 } 396 397 void ZombieDisable() { 398 // Only allow enable/disable on the main thread, just to keep things 399 // simple. 400 DCHECK([NSThread isMainThread]); 401 402 // |ZombieInit()| was never called. 403 if (!g_originalDeallocIMP) 404 return; 405 406 // Put back the original implementation of -[NSObject dealloc]. 407 Method m = class_getInstanceMethod([NSObject class], @selector(dealloc)); 408 DCHECK(m); 409 method_setImplementation(m, g_originalDeallocIMP); 410 411 // Can safely grab this because it only happens on the main thread. 412 const size_t oldCount = g_zombieCount; 413 ZombieRecord* oldZombies = g_zombies; 414 415 { 416 base::AutoLock pin(g_lock.Get()); // In case any -dealloc are in progress. 417 g_zombieCount = 0; 418 g_zombies = NULL; 419 } 420 421 // Free any remaining zombies. 422 if (oldZombies) { 423 for (size_t i = 0; i < oldCount; ++i) { 424 if (oldZombies[i].object) 425 object_dispose(oldZombies[i].object); 426 } 427 free(oldZombies); 428 } 429 } 430 431 } // namespace ObjcEvilDoers 432
