3

The Objective-C runtime ISA pointer is defined as such:

union isa_t { isa_t() { } isa_t(uintptr_t value) : bits(value) { } uintptr_t bits; private: // Accessing the class requires custom ptrauth operations, so // force clients to go through setClass/getClass by making this // private. Class cls; public: #if defined(ISA_BITFIELD) struct { ISA_BITFIELD; // defined in isa.h }; bool isDeallocating() { return extra_rc == 0 && has_sidetable_rc == 0; } void setDeallocating() { extra_rc = 0; has_sidetable_rc = 0; } #endif void setClass(Class cls, objc_object *obj); Class getClass(bool authenticated); Class getDecodedClass(bool authenticated); };

The bits fields can be read by the definitions here.

When I read a macho from disk and go to the _objc_classlist section and follow a objc_class which is defined as such:

 struct objc_class : objc_object { objc_class(const objc_class&) = delete; objc_class(objc_class&&) = delete; void operator=(const objc_class&) = delete; void operator=(objc_class&&) = delete; // Class ISA; Class superclass; cache_t cache; // formerly cache pointer and vtable class_data_bits_t bits; // class_rw_t * plus custom rr/alloc flags ...

and objc_object is defined as such:

struct objc_object { private: isa_t isa; public: ...

meaning that I should be able to interpret the first 8 bytes of objc_class as the bits field of an isa, but when I do this and try to interpret the bits I get random and false information, on the other hand if I interpret the first 8 bytes as a pointer, it leads me to another objc_class instance on disk, which is usually the metaclass of the class. I wonder then why is the definition of the isa union from the Objective-C runtime and its bits field. Is this only right to interpret this as isa union with bits when we instantiate an object of a some kind and when reading from disk it's just a pointer to a meta class definition?

EDIT:
The way I read the objc_class struct from file is with python:

ISA_MASK = 0x0000000ffffffff8 @dataclass class Isa(): bits: ctypes.c_size_t _cls: ctypes.c_size_t def __init__(self, fp, addr): fp.seek(addr) self.bits = struct.unpack("<Q", fp.read(8))[0] self._cls = self.bits def nonpointer(self): return self.bits & 1 def has_assoc(self): return (self.bits >> 1) & 1 def has_cxx_dtor(self): return (self.bits >> 2) & 1 def shiftcls(self): return (self.bits >> 3) & 0x7ffffffff def magic(self): return (self.bits >> 36) & 0x3f def weakly_referenced(self): return (self.bits >> 42) & 1 def unused(self): return (self.bits >> 43) & 1 def has_sidetable_rc(self): return (self.bits >> 44) & 1 def extra_rc(self): return (self.bits >> 45) & 0x7ffff def get_class(self): clsbits = self.bits clsbits &= ISA_MASK return clsbits @dataclass class ObjcObject: isa: Isa _addr: ctypes.c_size_t def __init__(self, fp, addr, isa_class, external_block_addr): self.isa = None self._addr = addr fp.seek(addr) isa_addr = struct.unpack("<Q", fp.read(8))[0] if isa_addr != 0 and isa_addr < external_block_addr: self.isa = Isa(fp, isa_addr, external_block_addr) @dataclass class ObjcClass(ObjcObject): super_class: ObjcClass cache: Cache class_ro: ClassRo def __init__(self, fp, addr, external_block_addr): super().__init__(fp, addr, ObjcClass, external_block_addr) ... ...

I have for example a class lets call it A and after processing the chained fixups on address 0x0025eed0 I have it it's symbol _OBJC_CLASS_$_A and the objc_class defined in that addres.

The first 8 bytes of the structure is the ISA as we've established by looking at the sources of the runtime. Following it as a pointer and not treating it as the isa_t union I get to another objc_class struct for the symbol _OBJC_METACLASS_$_A which is the metaclass of this class.

Now if instead of treating the first 8 bytes of the objc_class struct as a pointer to the metaclass, I try to interpret them as the bits of the isa_t union like I have in the code I provided, and for example using the has_cxx_dtor method I get False which is incorrect because I can clearly find this method on the method_list_t structure of the class_ro so it doesn't match up with what I parse and hence the isa_t union seem unrelated to the actual data of the class on disk.

Note that the method for extracting the data from the bits of isa_t is by looking at the source of isa.h and assuming I read an ARM64 macho without ptr auth and not from simulator.

Improve this question
4
  • 1
    Can you share the code you're using to read and interpret these bits? There might be something specific in the access that's leading to unexpected behavior. Commented Oct 15, 2023 at 1:18
  • @ItaiFerber it's not just something I can share on stackoverflow, it's too big. But its basically walking the load commands of a macho, fixing chained fixups finding the __objc_classlist section and getting to the objc_class structures defined in the file and reading them according to the definition in the runtime. The only quirk I found is that the ISA field is basically just another pointer to objc_class usually a metaclass of the current class, and all this bit field mean nothing atleast when I read the objc_class from disk Commented Oct 15, 2023 at 17:10
  • I don't necessarily mean for you to share the whole code, just a snippet showing off exactly how you're reading and interpreting the isa; without some minimal reproducible code, it'll be hard to help much more... And when you say that the "bit field mean[s] nothing", what are the bits that you expect vs. the bits you're getting? Given that the field is a union, the bits should represent exactly the integer value of the pointer... Commented Oct 15, 2023 at 22:09
  • @ItaiFerber I've provided additional information on how I parse the structs and what I see compared to what I expect to see and what I actually see that contradicts other data I extract like the method_list of a class. Commented Oct 17, 2023 at 22:18

1 Answer 1

Reset to default
2

After digging a bit through the runtime, it appears that non-pointer isas are a runtime-only concept, and that all on-disk isas will always be regular pointers.

The loading process of Obj-C classes in an object file:

  1. dyld calls _objc_map_images (objc-internal.h/objc-runtime-new.mm), passing in the object headers to read and load classes from
  2. _objc_map_images does a bit of setup before calling map_images (objc-private.h/objc-runtime-new.mm)
  3. map_images takes the runtime lock, then calls map_images_nolock (objc-private.h/objc-os.mm)
  4. map_images_nolock iterates over the mach headers, searching for Obj-C info and performing some validation. It passes all of the headers which contain Obj-C classes to _read_images (objc-private.h/objc-runtime-new.mm)
  5. _read_images is where we actually get to the interesting parts. It first sets up support for non-pointer isas as relevant for the runtime target, and sets up some tables for storing class information. After reading and fixing up selectors, it starts reading class info (OBJC_RUNTIME_DISCOVER_CLASSES_START())
    • For each header, it iterates over the raw classlist stored in the header, receiving direct pointers to each of the classes in the image
    • For each class read this way, it calls readClass (objc-runtime-new.mm), which resolves mangled class names, Swift classes, and more — but at the end of the day, the read classref_t (raw pointer to dyld class) is either cast to Class (the class object), or replaced by an allocated Class instance

So, where do non-pointer isas come into play? Only when setting objects' class at runtime:

  1. When you create an object via either objc_constructInstance or class_createInstance (runtime.h), or set an object's class via object_setClass, the object has either objc_object::initInstanceIsa or objc_object::initIsa (objc-object.h) called on it (and initInstanceIsa just calls through to initIsa anyway)
  2. objc_object::initIsa has two implementations (one for SUPPORT_NONPOINTER_ISA and the other for non-supported), but both call down to isa_t::setClass (objc-private.h/objc-object.h)
  3. isa_t::setClass also has two implementations — when SUPPORT_NONPOINTER_ISA is true, the implementation sets the appropriate bits in the isa value itself, setting shiftcls as necessary; when SUPPORT_NONPOINTER_ISA is false, it just sets the class directly

(Or in reverse, if you prefer: isa_t::setClass is only called from objc_object::initIsa/objc_object::changeIsa, which themselves are only called from objc_constructInstance/class_createInstance/object_setClass.)

So, when you read these object files on disk, you will only ever encounter pointer isas for objects and classes; the bits that are actually set inside of isas is done at runtime exclusively. If there are details you're hoping to read from those bits, you'll need to construct that info yourself from the surrounding mach-o data.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

So it was as I thought that it's runtime information only, thanks Itai for the wonderful explanation!
@Jorayen Happy to have helped! I'd meant to comment and say thanks for adding detail to your question, because it prompted me to go digging in the runtime to see what was going on. I feel like I've learned some valuable stuff!

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.