implement support for multiple TLS destructors on macOS

Author: joboet

src/shims/tls.rs

@@ -36,9 +36,9 @@ pub struct TlsData<'tcx> {
     /// pthreads-style thread-local storage.
     keys: BTreeMap<TlsKey, TlsEntry<'tcx>>,
 
-    /// A single per thread destructor of the thread local storage (that's how
-    /// things work on macOS) with a data argument.
-    macos_thread_dtors: BTreeMap<ThreadId, (ty::Instance<'tcx>, Scalar)>,
+    /// On macOS, each thread holds a list of destructor functions with their
+    /// respective data arguments.
+    macos_thread_dtors: BTreeMap<ThreadId, Vec<(ty::Instance<'tcx>, Scalar)>>,
 }
 
 impl<'tcx> Default for TlsData<'tcx> {
@@ -119,26 +119,18 @@ impl<'tcx> TlsData<'tcx> {
         }
     }
 
-    /// Set the thread wide destructor of the thread local storage for the given
-    /// thread. This function is used to implement `_tlv_atexit` shim on MacOS.
-    ///
-    /// Thread wide dtors are available only on MacOS. There is one destructor
-    /// per thread as can be guessed from the following comment in the
-    /// [`_tlv_atexit`
-    /// implementation](https://github.com/opensource-apple/dyld/blob/195030646877261f0c8c7ad8b001f52d6a26f514/src/threadLocalVariables.c#L389):
-    ///
-    /// NOTE: this does not need locks because it only operates on current thread data
-    pub fn set_macos_thread_dtor(
+    /// Add a thread local storage for the given thread. This function is used to
+    /// implement `_tlv_atexit` shim on MacOS.
+    /// FIXME: also implement `__cxa_thread_atexit_impl` for Linux using this, see
+    /// https://sourceware.org/glibc/wiki/Destructor%20support%20for%20thread_local%20variables
+    pub fn add_macos_thread_dtor(
         &mut self,
         thread: ThreadId,
         dtor: ty::Instance<'tcx>,
         data: Scalar,
     ) -> InterpResult<'tcx> {
-        if self.macos_thread_dtors.insert(thread, (dtor, data)).is_some() {
-            throw_unsup_format!(
-                "setting more than one thread local storage destructor for the same thread is not supported"
-            );
-        }
+        let dtors = self.macos_thread_dtors.entry(thread).or_default();
+        dtors.push((dtor, data));
         Ok(())
     }
 
@@ -212,7 +204,7 @@ impl VisitProvenance for TlsData<'_> {
         for scalar in keys.values().flat_map(|v| v.data.values()) {
             scalar.visit_provenance(visit);
         }
-        for (_, scalar) in macos_thread_dtors.values() {
+        for (_, scalar) in macos_thread_dtors.values().flatten() {
             scalar.visit_provenance(visit);
         }
     }
@@ -245,7 +237,7 @@ impl<'tcx> TlsDtorsState<'tcx> {
                         "macos" => {
                             // The macOS thread wide destructor runs "before any TLS slots get
                             // freed", so do that first.
-                            this.schedule_macos_tls_dtor()?;
+                            this.schedule_macos_tls_dtors()?;
                             // When that destructor is done, go on with the pthread dtors.
                             break 'new_state PthreadDtors(Default::default());
                         }
@@ -328,21 +320,26 @@ trait EvalContextPrivExt<'tcx>: crate::MiriInterpCxExt<'tcx> {
         Ok(())
     }
 
-    /// Schedule the MacOS thread destructor of the thread local storage to be
-    /// executed.
-    fn schedule_macos_tls_dtor(&mut self) -> InterpResult<'tcx> {
+    /// Schedule the macOS thread local storage destructors to be executed.
+    fn schedule_macos_tls_dtors(&mut self) -> InterpResult<'tcx> {
         let this = self.eval_context_mut();
         let thread_id = this.active_thread();
-        if let Some((instance, data)) = this.machine.tls.macos_thread_dtors.remove(&thread_id) {
-            trace!("Running macos dtor {:?} on {:?} at {:?}", instance, data, thread_id);
-
-            this.call_function(
-                instance,
-                Abi::C { unwind: false },
-                &[data.into()],
-                None,
-                StackPopCleanup::Root { cleanup: true },
-            )?;
+        if let Some(dtors) = this.machine.tls.macos_thread_dtors.remove(&thread_id) {
+            // macOS runs TLS destructors in the reverse order of their registration.
+            // See https://github.com/apple-oss-distributions/dyld/blob/d552c40cd1de105f0ec95008e0e0c0972de43456/dyld/DyldRuntimeState.cpp#L2277
+            // FIXME: Old macOS versions had a use-after-free bug that triggered when
+            // _tlv_atexit was run inside a destructor. Maybe miri should catch that?
+            for (instance, data) in dtors.into_iter().rev() {
+                trace!("Running macos dtor {:?} on {:?} at {:?}", instance, data, thread_id);
+
+                this.call_function(
+                    instance,
+                    Abi::C { unwind: false },
+                    &[data.into()],
+                    None,
+                    StackPopCleanup::Root { cleanup: true },
+                )?;
+            }
         }
         Ok(())
     }

src/shims/unix/macos/foreign_items.rs

@@ -132,7 +132,7 @@ pub trait EvalContextExt<'tcx>: crate::MiriInterpCxExt<'tcx> {
                 let dtor = this.get_ptr_fn(dtor)?.as_instance()?;
                 let data = this.read_scalar(data)?;
                 let active_thread = this.active_thread();
-                this.machine.tls.set_macos_thread_dtor(active_thread, dtor, data)?;
+                this.machine.tls.add_macos_thread_dtor(active_thread, dtor, data)?;
             }
 
             // Querying system information