Like -[NSObject retain], -[NSObject release] is trivial—it simply calls _objc_rootRelease() to release self.

The term root, as discussed in the retain post, indicates the operation is occurring via a -release message received by the root class in the object’s class hierarchy.

Next, the _objc_rootRelease function, which is also trivial, calls objc_object::rootRelease().

Finally, objc_object::rootRelease() calls an overload of rootRelease.

The overload called here is the core implementation, which has two parameters:

When ARC is enabled, the compiler performs reference counting operations through a compiler-private API added for ARC as a performance optimization (also discussed in the retain post).

If the object pointer value references an object on the heap, derived through the same ceremony as retain, the function calls objc_object::release() to perform the release operation.

This function calls the core implementation (though root in rootRelease is a misnomer at this point) with:

The compare-and-swap loop is the heart of the release implementation. It starts, perhaps unexpectedly, with a goto label. The Full Variant subsection below discusses this function’s use of goto.

The loop first sets newisa to the current isa value (i.e., oldisa), which the following steps will update to reflect the decremented retain count.

Then, the loop checks if the object instance has a non-pointer isa. If it does not, the retain count is recorded in a side table^[4]. This check is performed in the loop because if this thread loses a compare-and-swap, it could be due to another thread mutating the object in a way that removed its use of a non-pointer isa.

Next, the loop checks to see if it lost another race.

An object may be deallocating while a thread is attempting to release it in (at least) two scenarios:

If the _objc_rootReleaseWasZero() SPI performed the release, the return value of false indicates the caller should not initiate deallocation, as the object is already deallocating. The return value is otherwise unused by the NSObject and ARC entry points.

Finally, we get to the actual decrement.

Recall the non-pointer isa is a bit field with three variants. The value of RC_ONE is the bit that represents a retain count of one when viewing the bit field as an integer. The retain count is stored in the most significant bits of the isa, so an underflow, or carry, will occur if all of the retain count bits are zero (discussed in the following subsection). Otherwise, newisa contains the decremented retain count if no underflow occurs and is ready to be written back to the object instance.

If the value at &isa() matches the value at &oldisa, the compare-and-swap operation succeeds and writes the value of newisa to &isa(), and the loop ends.

Otherwise, the value of &isa() has changed since this thread loaded it into oldisa. The compare-and-swap operation fails and writes the new value at &isa() to &oldisa. The loop continues until the thread wins a compare-and-swap operation or another thread changes the object state to activate one of the above return paths.

After the loop ends, the runtime checks if the retain count is zero. If it is, it deallocates the object instance.

Otherwise, the object has a positive retain count. If necessary, the runtime will release the side table lock. The function ends by returning false, indicating to the _objc_rootReleaseWasZero() SPI that the object should not deallocate.

If the retain count underflows the bits in the non-pointer isa, the runtime reverts the changes to newisa. Then, it checks whether any retain counts previously overflowed to the side table.

If no retain counts overflowed to the side table, no retain counts remain, so the release deallocates the object instance, though I don’t think this can happen in practice as it would imply an over-release. Either there are retain counts in the side table, or the retain count reached zero and the above code path deallocated the object instance. In my opinion, it would be cleaner if the runtime trapped in this case, as the process will likely crash when -dealloc gets called for a second time.

If retain counts did previously overflow to the side table, the runtime checks whether this function invocation has the Fast or FastOrMsgSend variant. If so, it stops its attempt at the release operation and passes the buck to rootRelease_underflow().

The function immediately calls back into objc_object::rootRelease(bool, RRVariant) with the Full variant.

I speculated in the retain post the purpose of this function is to provide a frame in stack traces to help Apple engineers troubleshoot release crashes in the runtime, as the interplay of side table locking (which uses a non-reentrant spin lock) can be challenging to reason about.

If the release count decrement underflows with the Full variant, the runtime obtains a side table lock.

Acquiring the side table lock may cause the thread to suspend, so the runtime first removes its exclusive monitor on the isa address, which is required to use the exclusive monitor correctly. From the ARM Architecture Reference Manual (emphasis mine):

After obtaining the side table lock, the runtime reloads the isa value and starts the compare-and-swap loop again to perform the decrement. A reload of the isa is necessary because another thread may have changed the isa while this thread was waiting to acquire the side table lock.

Finally, if the decrement again results in an underflow, it’s safe for the runtime to load any additional retain counts from the side table.

sidetable_subExtraRC_nolock() returns a SidetableBorrow struct (borrow in the sense of taking the value of higher digits in a subtraction operation, not as in leasing the values from the side table), which has two fields:

The runtime first checks whether all the retain counts have been removed from the side table to perform additional bookkeeping later. Then, it checks whether the side table returned any retain counts. If the side table is empty, no retain counts remain, so the release will deallocate the object instance.

If the side table returned retain counts for the object instance, the runtime attempts to update the non-pointer isa with the retain counts taken from the side table.

The borrow.borrowed field contains the retain counts taken from the side table. The runtime subtracts one from the count (recall this is the code path for an underflow, so the release accounting has not yet occurred) and stores the value in the non-pointer isa's extra_rc field. It then updates the has_sidetable_rc bit to reflect whether the side table still has overflowed retain counts for the object instance.

It then attempts to store the new isa value. The store may fail, which is handled by the next code block.

If placing the retain counts taken from the side table into the non-pointer isa fails, the runtime immediately tries again. The runtime’s StoreReleaseExclusive() function performs the load exclusive operation if the store exclusive fails, so oldisa is the most recent value. After subtracting one for this release operation, it adds the retain counts taken from the side table, updates the bit tracking if the object instance has retain counts in the side table, and then attempts to store the updated isa again. This retry is likely less than 32 instructions (meeting ARM’s recommendation; see aside below) and is more likely to succeed than the general path.

If the store is successful, the runtime sets didTransitionToDeallocating to true if the retain count has reached zero. But this can never happen in practice, as adding RC_HALF - 1 retain counts to the non-pointer isa just succeeded.

If the retry did not succeed (e.g., adding RC_HALF - 1 retain counts overflowed), the runtime aborts this transaction by clearing the exclusive monitor, putting the retain counts back into the side table, and reloading the non-pointer isa before jumping back to the start of the compare-and-swap loop. It does, however, still hold the side table lock.

If either of the store attempts succeeds, and the side table does not have any additional retain counts for the object instance, the runtime removes the entry for the object instance from the side table.

Finally, if necessary, the runtime releases its side table lock and returns false to indicate the retain count did not reach zero (which is only used by the _objc_rootReleaseWasZero() SPI). The retain count cannot reach zero on this path (see above), so the release operation ends here after a successful side table update.

Otherwise, execution continues to the deallocation logic.

If the retain count reaches zero (or underflows and the object instance is not storing retain counts in a side table), the runtime deallocates^[5] the object.

First, the runtime releases the side table lock, if necessary.

Next, it has an acquire fence. I presume this is a atomic-fence synchronization, but it’s not clear to me what release operation this fence synchronizes with. The only potentially contentious read after the fence is of the isa in the message send a few lines down, but this thread just set the isa.

I would expect writes to the isa from another thread to be undefined behavior because the retain count is zero. Such a write, though, could change the class, which would be visible to this thread because of the fence. So, as far as I can tell, the fence’s only potential effect is on the message send in quite rare and bizarre circumstances.

The fence is probably an artifact from a previous implementation that is no longer relevant, a last minute change to "fix" a memory ordering problem just before a release, an unnecessary addition, or am I misunderstanding the behavior.

Then, finally, if the release didn’t occur through the _objc_rootReleaseWasZero() SPI, a -dealloc message is sent to the object.

The release operation ends by returning true, indicating the retain count has reached zero, which is ignored by every caller except the _objc_rootReleaseWasZero() SPI.