Eliminate race in swift_bridgeErrorToNSError.

DougGregor · DougGregor · commit ad4e7775d1b9 · 2016-08-03T15:44:18.000-07:00
Huge thanks to John for noting that 'consume' didn't provide the guarantees we wanted, and to Michael G. for getting a TSan build up and running to identify/verify this race. It's possible that this is overlay strict, and that we only need to look at the domain to ensure that the code and userInfo are visible. However, TSan seems to prefix the form in this patch, so we'll be more conservative for now. Fixes rdar://problem/27541751. (cherry picked from commit e07e887)
diff --git a/stdlib/public/runtime/ErrorObject.mm b/stdlib/public/runtime/ErrorObject.mm
@@ -79,15 +79,10 @@ - (NSInteger)code {
 - (NSDictionary*)userInfo {
   auto error = (const SwiftError*)self;
   auto userInfo = error->userInfo.load(SWIFT_MEMORY_ORDER_CONSUME);
-  
-  if (userInfo) {
-    // Don't need to .retain.autorelease since it's immutable.
-    return (NSDictionary*)userInfo;
-  } else {
-    // -[NSError userInfo] never returns nil on OS X 10.8 or later.
-    NSDictionary *emptyDict = SWIFT_LAZY_CONSTANT(@{});
-    return emptyDict;
-  }
+  assert(userInfo
+         && "Error box used as NSError before initialization");
+  // Don't need to .retain.autorelease since it's immutable.
+  return (NSDictionary*)userInfo;
 }
 
 - (id)copyWithZone:(NSZone *)zone {
@@ -319,8 +314,11 @@ typedef SWIFT_CC(swift)
 static id _swift_bridgeErrorToNSError_(SwiftError *errorObject) {
   auto ns = reinterpret_cast<NSError *>(errorObject);
 
-  // If we already have a domain set, then we've already initialized.
-  if (errorObject->domain.load(SWIFT_MEMORY_ORDER_CONSUME))
+  // If we already have a domain and userInfo set, then we've already
+  // initialized.
+  // FIXME: This might be overly strict; can we look only at the domain?
+  if (errorObject->domain.load(std::memory_order_acquire) &&
+      errorObject->userInfo.load(std::memory_order_acquire))
     return ns;
   
   // Otherwise, calculate the domain and code (TODO: and user info), and
@@ -334,6 +332,10 @@ static id _swift_bridgeErrorToNSError_(SwiftError *errorObject) {
   NSDictionary *userInfo =
     swift_stdlib_getErrorUserInfoNSDictionary(value, type, witness);
 
+  // Never produce an empty userInfo dictionary.
+  if (!userInfo)
+    userInfo = SWIFT_LAZY_CONSTANT(@{});
+
   // The error code shouldn't change, so we can store it blindly, even if
   // somebody beat us to it. The store can be relaxed, since we'll do a
   // store(release) of the domain last thing to publish the initialized
diff --git a/validation-test/stdlib/ErrorProtocol.swift b/validation-test/stdlib/ErrorProtocol.swift
@@ -1,6 +1,5 @@
 // RUN: %target-run-simple-swift
 // REQUIRES: executable_test
-// REQUIRES: rdar27541751
 // REQUIRES: objc_interop
 
 import SwiftPrivate
