Emit .cxx_destruct for destruction of ivars in Objective-C-derived classes.

The Objective-C runtime executes the .cxx_destruct method after the
last -dealloc has executed when destroying an object, allowing the
instance variables to remain live even after the subclass's
destructor/-dealloc has executed, which is important for memory
safety. This fixes the majority of <rdar://problem/15136592>.

Note that IRGenModule::getAddrOfIVarDestroyer() contains  an egregious
hack to find the ivar destructor SIL function via a linear
search. We need a better way to find SIL functions that we know exist,
because LinkEntity does not suffice.

Swift SVN r12206

Author: DougGregor

docs/SIL.rst

@@ -665,6 +665,8 @@ Declaration References
   sil-decl-subref-part ::= 'initializer'
   sil-decl-subref-part ::= 'enumelt'
   sil-decl-subref-part ::= 'destroyer'
+  sil-decl-subref-part ::= 'deallocator'
+  sil-decl-subref-part ::= 'ivardestroyer'
   sil-decl-subref-part ::= 'globalaccessor'
   sil-decl-subref-part ::= 'defaultarg' '.' [0-9]+
   sil-decl-uncurry-level ::= [0-9]+
@@ -684,6 +686,7 @@ entity discriminators:
 - ``enumelt``: a member of a ``enum`` type.
 - ``destroyer``: a class's destroying destructor
 - ``deallocator``: a class's deallocating destructor
+- ``ivardestroyer``: a class's ivar destroyer
 - ``globalaccessor``: the addressor function for a global variable
 - ``defaultarg.``\ *n*: the default argument-generating function for
   the *n*\ -th argument of a Swift ``func``

include/swift/AST/Mangle.h

@@ -114,6 +114,7 @@ class Mangler {
   void mangleConstructorEntity(ConstructorDecl *ctor, bool isAllocating,
                                ExplosionKind kind, unsigned uncurryingLevel);
   void mangleDestructorEntity(DestructorDecl *decl, bool isDeallocating);
+  void mangleIVarDestroyerEntity(ClassDecl *decl);
   void mangleGetterEntity(ValueDecl *decl, ExplosionKind explosionKind);
   void mangleSetterEntity(ValueDecl *decl, ExplosionKind explosionKind);
   void mangleAddressorEntity(ValueDecl *decl);

include/swift/Basic/DemangleNodes.def

@@ -52,6 +52,7 @@ NODE(GenericTypeMetadataPattern)
 NODE(Getter)
 NODE(Global)
 NODE(Identifier)
+NODE(IVarDestroyer)
 NODE(ImplConvention)
 NODE(ImplFunctionAttribute)
 NODE(ImplFunctionType)

include/swift/SIL/SILDeclRef.h

@@ -89,7 +89,14 @@ struct SILDeclRef {
     GlobalAccessor,
 
     /// References the generator for a default argument of a function.
-    DefaultArgGenerator
+    DefaultArgGenerator,
+
+    /// References the ivar destroyer for the ClassDecl in loc.
+    ///
+    /// Only classes that are allocated using Objective-C's allocation
+    /// routines have an ivar destroyer, which is emitted as
+    /// .cxx_destruct.
+    IVarDestroyer,
   };
 
   /// The ValueDecl or AbstractClosureExpr represented by this SILDeclRef.

lib/AST/Mangle.cpp

@@ -1101,6 +1101,12 @@ void Mangler::mangleDestructorEntity(DestructorDecl *dtor,
   Buffer << (isDeallocating ? 'D' : 'd');
 }
 
+void Mangler::mangleIVarDestroyerEntity(ClassDecl *decl) {
+  Buffer << 'F';
+  mangleContext(decl, BindGenerics::Enclosing);
+  Buffer << 'E';
+}
+
 void Mangler::mangleGetterEntity(ValueDecl *decl, ExplosionKind explosion) {
   Buffer << 'F';
   mangleContextOf(decl, BindGenerics::All);

lib/Basic/Demangle.cpp

@@ -891,6 +891,9 @@ class Demangler {
     } else if (Mangled.nextIf('d')) {
       entityKind = Node::Kind::Destructor;
       hasType = false;
+    } else if (Mangled.nextIf('E')) {
+      entityKind = Node::Kind::IVarDestroyer;
+      hasType = false;
     } else if (Mangled.nextIf('C')) {
       if (context->getKind() == Node::Kind::Class)
         entityKind = Node::Kind::Allocator;
@@ -2127,6 +2130,9 @@ void NodePrinter::print(Node *pointer, bool asContext, bool suppressType) {
   case Node::Kind::Deallocator:
     printEntity(false, false, "__deallocating_destructor");
     return;
+  case Node::Kind::IVarDestroyer:
+    printEntity(false, false, "__ivar_destroyer");
+    return;
   case Node::Kind::ProtocolConformance: {
     Node *child0 = pointer->getChild(0);
     Node *child1 = pointer->getChild(1);

lib/IRGen/GenClass.cpp

@@ -715,6 +715,9 @@ namespace {
     {
       visitConformances(theClass->getProtocols());
       visitMembers(theClass);
+
+      if (Lowering::usesObjCAllocator(theClass))
+        addIVarDestroyer(); 
     }
 
     ClassDataBuilder(IRGenModule &IGM, ClassDecl *theClass,
@@ -1059,6 +1062,11 @@ namespace {
       }
     }
 
+    void addIVarDestroyer() {
+      llvm::Constant *entry = emitObjCIVarDestroyerDescriptor(IGM, getClass());
+      InstanceMethods.push_back(entry);
+    }
+
   private:
     StringRef chooseNamePrefix(StringRef forClass,
                                StringRef forCategory,

lib/IRGen/GenDecl.cpp

@@ -1250,7 +1250,7 @@ IRGenModule::getAddrOfBridgeToBlockConverter(SILType blockType,
   return entry;
 }
 
-/// Fetch the declaration of the given known function.
+/// Fetch the declaration of the given known destructor.
 llvm::Function *IRGenModule::getAddrOfDestructor(ClassDecl *cd,
                                                  DestructorKind kind,
                                                  ForDefinition_t forDefinition,
@@ -1281,6 +1281,25 @@ llvm::Function *IRGenModule::getAddrOfDestructor(ClassDecl *cd,
   return entry;
 }
 
+/// Fetch the declaration of the ivar destroyer for the given class.
+llvm::Function *IRGenModule::getAddrOfIVarDestroyer(
+                               ClassDecl *cd,
+                               ForDefinition_t forDefinition) {
+  SILDeclRef silRef(cd, SILDeclRef::Kind::IVarDestroyer, 
+                    SILDeclRef::ConstructAtNaturalUncurryLevel, 
+                    /*isForeign=*/false);
+  llvm::SmallString<64> ivarDestroyerNameBuffer;
+  auto ivarDestroyerName = silRef.mangle(ivarDestroyerNameBuffer);
+  // Find the SILFunction for the ivar destroyer.
+  // FIXME: This linear scan is awful. Fortunately, it only happens
+  // once per definition of an Objective-C-derived class.
+  for (auto &silFn : SILMod->getFunctions()) {
+    if (silFn.getName() == ivarDestroyerName)
+      return getAddrOfSILFunction(&silFn, ExplosionKind::Minimal,
+                                  forDefinition);
+  }
+  llvm_unreachable("Unable to find ivar destroyer SIL function");
+}
 
 /// Returns the address of a value-witness function.
 llvm::Function *IRGenModule::getAddrOfValueWitness(CanType abstractType,

lib/IRGen/GenObjC.cpp

@@ -355,6 +355,10 @@ namespace {
         cast<ConstructorDecl>(ref.getDecl())->getObjCSelector(Text);
         break;
 
+      case SILDeclRef::Kind::IVarDestroyer:
+        Text = ".cxx_destruct";
+        break;
+
       case SILDeclRef::Kind::Setter:
         if (auto var = dyn_cast<VarDecl>(ref.getDecl()))
           var->getObjCSetterSelector(Text);
@@ -1094,6 +1098,29 @@ llvm::Constant *irgen::emitObjCMethodDescriptor(IRGenModule &IGM,
   return llvm::ConstantStruct::getAnon(IGM.getLLVMContext(), fields);
 }
 
+llvm::Constant *irgen::emitObjCIVarDestroyerDescriptor(IRGenModule &IGM,
+                                                       ClassDecl *cd) {
+  /// The first element is the selector.
+  SILDeclRef declRef = SILDeclRef(cd, SILDeclRef::Kind::IVarDestroyer,
+                                  1, /*foreign*/ true);
+  Selector selector(declRef);
+  llvm::Constant *selectorRef = IGM.getAddrOfObjCMethodName(selector.str());
+  
+  /// The second element is the type @encoding.
+  llvm::Constant *atEncoding
+    = GetObjCEncodingForType(IGM, cd->getDestructor()->getType());
+
+  /// The third element is the method implementation pointer.
+  llvm::Function *swiftImpl = IGM.getAddrOfIVarDestroyer(cd, NotForDefinition);
+  llvm::Constant *impl
+    = getObjCMethodPointerForSwiftImpl(IGM, selector, declRef, swiftImpl, 
+                                       ExplosionKind::Minimal);
+
+  // Form the method_t instance.
+  llvm::Constant *fields[] = { selectorRef, atEncoding, impl };
+  return llvm::ConstantStruct::getAnon(IGM.getLLVMContext(), fields);
+}
+
 /// Emit Objective-C method descriptors for the property accessors of the given
 /// property. Returns a pair of Constants consisting of the getter and setter
 /// function pointers, in that order. The setter llvm::Constant* will be null if

lib/IRGen/GenObjC.h

@@ -121,10 +121,15 @@ namespace irgen {
                                      llvm::Constant *&atEncoding,
                                      llvm::Constant *&impl);
 
-  /// Build an Objective-C method descriptor for the given method or constructor
-  /// implementation.
+  /// Build an Objective-C method descriptor for the given method,
+  /// constructor, or destructor implementation.
   llvm::Constant *emitObjCMethodDescriptor(IRGenModule &IGM,
                                            AbstractFunctionDecl *method);
+
+  /// Build an Objective-C method descriptor for the ivar destroyer of
+  /// a class (-.cxx_destruct).
+  llvm::Constant *emitObjCIVarDestroyerDescriptor(IRGenModule &IGM,
+                                                  ClassDecl *cd);
 
   /// Build an Objective-C method descriptor for the given property's
   /// getter and setter methods.

lib/IRGen/IRGenModule.h

@@ -393,6 +393,8 @@ private:                            \
   llvm::Function *getAddrOfDestructor(ClassDecl *D, DestructorKind kind,
                                       ForDefinition_t forDefinition,
                                       bool isForeign);
+  llvm::Function *getAddrOfIVarDestroyer(ClassDecl *cd,
+                                         ForDefinition_t forDefinition);
   llvm::Constant *getAddrOfTypeMetadata(CanType concreteType,
                                         bool isIndirect, bool isPattern,
                                         llvm::Type *definitionType = nullptr);

lib/Parse/ParseSIL.cpp

@@ -800,6 +800,9 @@ bool SILParser::parseSILDeclRef(SILDeclRef &Result) {
       } else if (!ParseState && Id.str() == "globalaccessor") {
         Kind = SILDeclRef::Kind::GlobalAccessor;
         ParseState = 1;
+      } else if (!ParseState && Id.str() == "ivardestroyer") {
+        Kind = SILDeclRef::Kind::IVarDestroyer;
+        ParseState = 1;
       } else if (Id.str() == "foreign") {
         IsObjC = true;
         break;

lib/SIL/SIL.cpp

@@ -95,6 +95,10 @@ SILDeclRef::SILDeclRef(ValueDecl *vd, SILDeclRef::Kind kind,
     assert((kind == Kind::Destroyer || kind == Kind::Deallocator)
            && "can only create destroyer/deallocator SILDeclRef for dtor");
     naturalUncurryLevel = 0;
+  } else if (isa<ClassDecl>(vd)) {
+    assert(kind == Kind::IVarDestroyer
+           && "can only create ivar destroyer SILDeclRef for class decl");
+    naturalUncurryLevel = 1;
   } else if (auto *var = dyn_cast<VarDecl>(vd)) {
     assert((kind == Kind::Getter
             || kind == Kind::Setter
@@ -359,6 +363,12 @@ static void mangleConstant(SILDeclRef c, llvm::raw_ostream &buffer) {
                                     c.uncurryLevel);
     return;
 
+  //   entity ::= declaration 'E'                 // ivar destroyer
+  case SILDeclRef::Kind::IVarDestroyer:
+    buffer << introducer;
+    mangler.mangleIVarDestroyerEntity(cast<ClassDecl>(c.getDecl()));
+    return;
+
   //   entity ::= declaration 'g'                 // getter
   case SILDeclRef::Kind::Getter:
     buffer << introducer;

lib/SIL/SILFunctionType.cpp

@@ -632,6 +632,7 @@ static SelectorFamily getSelectorFamily(SILDeclRef c) {
   case SILDeclRef::Kind::Destroyer:
   case SILDeclRef::Kind::Deallocator:
   case SILDeclRef::Kind::GlobalAccessor:
+  case SILDeclRef::Kind::IVarDestroyer:
   case SILDeclRef::Kind::DefaultArgGenerator:
     return SelectorFamily::None;
   }
@@ -754,7 +755,9 @@ AbstractCC TypeConverter::getAbstractCC(SILDeclRef c) {
 
   // If this is a foreign thunk, it always has the foreign calling convention.
   if (c.isForeign)
-    return c.hasDecl() && isClassOrProtocolMethod(c.getDecl())
+    return c.hasDecl() && 
+      (isClassOrProtocolMethod(c.getDecl()) || 
+       c.kind == SILDeclRef::Kind::IVarDestroyer)
       ? AbstractCC::ObjCMethod
       : AbstractCC::C;
 
@@ -770,7 +773,8 @@ AbstractCC TypeConverter::getAbstractCC(SILDeclRef c) {
     return getProtocolWitnessCC(proto);
 
   if (c.getDecl()->isInstanceMember() ||
-      c.kind == SILDeclRef::Kind::Initializer)
+      c.kind == SILDeclRef::Kind::Initializer ||
+      c.kind == SILDeclRef::Kind::IVarDestroyer)
     return AbstractCC::Method;
   return AbstractCC::Freestanding;
 }

lib/SIL/SILPrinter.cpp

@@ -225,6 +225,9 @@ void SILDeclRef::print(raw_ostream &OS) const {
   case SILDeclRef::Kind::Deallocator:
     OS << "!deallocator";
     break;
+  case SILDeclRef::Kind::IVarDestroyer:
+    OS << "!ivardestroyer";
+    break;
   case SILDeclRef::Kind::GlobalAccessor:
     OS << "!globalaccessor";
     break;

lib/SIL/TypeLowering.cpp

@@ -1340,10 +1340,31 @@ static CanAnyFunctionType getDestructorType(DestructorDecl *dd,
   CanType resultTy = isDeallocating? TupleType::getEmpty(C)->getCanonicalType()
                                    : CanType(C.TheObjectPointerType);
 
+  auto selfType = classType;
   if (auto params = dd->getDeclContext()->getGenericParamsOfContext())
-    return CanPolymorphicFunctionType::get(classType, resultTy, params, extInfo);
+    return CanPolymorphicFunctionType::get(selfType, resultTy, params, extInfo);
 
-  return CanFunctionType::get(classType, resultTy, extInfo);
+  return CanFunctionType::get(selfType, resultTy, extInfo);
+}
+
+/// Retrieve the type of the ivar initializer or destroyer method for
+/// a class.
+static CanAnyFunctionType getIVarInitDestroyerType(ClassDecl *cd, 
+                                                   bool isObjC,
+                                                   ASTContext &ctx) {
+  auto classType = cd->getDeclaredTypeInContext()->getCanonicalType();
+
+  auto emptyTupleTy = TupleType::getEmpty(ctx)->getCanonicalType();
+  auto extInfo = AnyFunctionType::ExtInfo(isObjC? AbstractCC::ObjCMethod
+                                                : AbstractCC::Method,
+                                          /*thin*/ true,
+                                          /*noreturn*/ false);
+  
+  auto resultType = CanFunctionType::get(emptyTupleTy, emptyTupleTy, extInfo);
+  if (auto params = cd->getGenericParams())
+    return CanPolymorphicFunctionType::get(classType, resultType, params, 
+                                           extInfo);
+  return CanFunctionType::get(classType, resultType, extInfo);
 }
 
 GenericParamList *
@@ -1534,6 +1555,9 @@ CanAnyFunctionType TypeConverter::makeConstantType(SILDeclRef c,
     return getDefaultArgGeneratorType(cast<AbstractFunctionDecl>(vd),
                                       c.defaultArgIndex, Context);
   }
+  case SILDeclRef::Kind::IVarDestroyer: {
+    return getIVarInitDestroyerType(cast<ClassDecl>(vd), c.isForeign, Context);
+  }
   }
 }
 

lib/SILGen/SILGen.cpp

@@ -481,6 +481,19 @@ void SILGenModule::emitDestructor(ClassDecl *cd, DestructorDecl *dd) {
 
     // Emit the Objective-C thunk for -dealloc.
     emitObjCDestructorThunk(dd);
+
+    // Emit the ivar destroyer.
+    {
+      SILDeclRef ivarDestroyer(cd, SILDeclRef::Kind::IVarDestroyer);
+      SILFunction *f = preEmitFunction(ivarDestroyer, dd, dd);
+      PrettyStackTraceSILFunction X("silgen emitDestructor ivar destroyer", f);
+      SILGenFunction(*this, *f).emitIVarDestroyer(ivarDestroyer);
+      postEmitFunction(ivarDestroyer, f);
+    }
+
+    // Emit the Objective-C thunk for the ivar destroyer (.cxx_destruct).
+    emitObjCIVarDestroyerThunk(cd);
+    
     return;
   }
 
@@ -679,6 +692,22 @@ void SILGenModule::emitObjCDestructorThunk(DestructorDecl *destructor) {
   postEmitFunction(thunk, f);
 }
 
+void SILGenModule::emitObjCIVarDestroyerThunk(ClassDecl *cd) {
+  SILDeclRef thunk(cd,
+                   SILDeclRef::Kind::IVarDestroyer,
+                   SILDeclRef::ConstructAtNaturalUncurryLevel,
+                   /*isObjC*/ true);
+
+  // Don't emit the thunk if it already exists.
+  if (hasFunction(thunk))
+    return;
+  SILFunction *f = preEmitFunction(thunk, cd, cd);
+  PrettyStackTraceSILFunction X("silgen objc ivar destroyer thunk", f);
+  f->setBare(IsBare);
+  SILGenFunction(*this, *f).emitObjCMethodThunk(thunk);
+  postEmitFunction(thunk, f);
+}
+
 void SILGenModule::visitPatternBindingDecl(PatternBindingDecl *pd) {
   // If we're in a script mode context, emit the pattern binding as top-level
   // code.

lib/SILGen/SILGen.h

@@ -203,6 +203,10 @@ class LLVM_LIBRARY_VISIBILITY SILGenModule : public ASTVisitor<SILGenModule> {
   /// Emit the ObjC-compatible entry point for a destructor (i.e., -dealloc).
   void emitObjCDestructorThunk(DestructorDecl *destructor);
 
+  /// Emit the ObjC-compatible entry point for an ivar destroyer
+  /// (i.e., -.cxx_destruct).
+  void emitObjCIVarDestroyerThunk(ClassDecl *cd);
+
   /// Emit the ObjC-compatible getter and setter for a subscript
   /// declaration.
   void emitObjCSubscriptMethodThunks(SubscriptDecl *subscript);

lib/SILGen/SILGenDecl.cpp

@@ -1772,13 +1772,9 @@ void SILGenFunction::emitObjCDestructor(SILDeclRef dtor) {
     return;
 
   auto cleanupLoc = CleanupLocation::getCleanupLocation(loc);
-
-  // Release our members early.
-  // FIXME: Because Objective-C's -dealloc is a deallocating destructor,
-  // rather than a destroying destructor, we don't get a change to release
-  // the members after our superclass dealloc runs. This will eventually be
-  // handled by .cxx_destruct.
-  emitClassMemberDestruction(selfValue, cd, loc, cleanupLoc);
+  
+  // Note: the ivar destroyer is responsible for destroying the
+  // instance variables before the object is actually deallocated.
 
   // Form a reference to the superclass -dealloc.
   Type superclassTy = cd->getSuperclass();