From b00da64ac856adf5f9bde404c5842f0904392cb5 Mon Sep 17 00:00:00 2001
From: Justin Cohen
Date: Tue, 4 Oct 2022 17:38:56 -0400
Subject: [PATCH] ios: Correct iOS forbidden allocators on iOS 16.1

There's a new try_free_default in malloc zone 13, and tests now need to replace zone functions in all zones, not just the default zone.

Change-Id: I5a9893a73f8c9f7068e52bf25f57632f9e409aa2
Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/3934555
Reviewed-by: Joshua Peraza
Commit-Queue: Justin Cohen
---
 test/ios/host/handler_forbidden_allocators.cc | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/test/ios/host/handler_forbidden_allocators.cc b/test/ios/host/handler_forbidden_allocators.cc
index 8c234388..34e93e3a 100644
--- a/test/ios/host/handler_forbidden_allocators.cc
+++ b/test/ios/host/handler_forbidden_allocators.cc
@@ -154,6 +154,18 @@ boolean_t handler_forbidden_claimed_address(struct _malloc_zone_t* zone,
   return g_old_zone.claimed_address(zone, ptr);
 }
 
+#if defined(__IPHONE_16_1) && __IPHONE_OS_VERSION_MAX_ALLOWED >= __IPHONE_16_1
+void handler_forbidden_try_free_default(struct _malloc_zone_t* zone,
+                                        void* ptr) {
+  if (is_handler_thread()) {
+    CRASHPAD_RAW_LOG(
+        "handler_forbidden_try_free_default allocator used in handler.");
+    exit(EXIT_FAILURE);
+  }
+  g_old_zone.try_free_default(zone, ptr);
+}
+#endif
+
 size_t handler_forbidden_size(struct _malloc_zone_t* zone, const void* ptr) {
   if (is_handler_thread()) {
     CRASHPAD_RAW_LOG("handler_forbidden_size allocator used in handler.");
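Review bot: handler_forbidden_try_free_default calls g_old_zone.try_free_default without checking that the saved pointer is set; that is only safe because ReplaceZoneFunctions installs this wrapper solely into zones whose version is >= 13 and whose incoming table has try_free_default, a coupling that is invisible from this function. A one-line comment above the forwarding call would make it explicit: `// Only installed into zones with version >= 13 (see ReplaceZoneFunctions).` The surrounding `#if` proves only that the SDK declares the field, not that the allocator the process runs on populates it, so the runtime check elsewhere is what actually carries the guarantee. If g_old_zone is a snapshot of the default zone's table, as the other wrappers suggest, the pointer is also only meaningful when the default zone itself is version >= 13; worth confirming against its definition, which is outside this hunk.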
@@ -246,6 +258,11 @@ void ReplaceZoneFunctions(malloc_zone_t* zone, const malloc_zone_t* functions) {
   zone->free_definite_size = functions->free_definite_size;
   zone->pressure_relief = functions->pressure_relief;
   zone->claimed_address = functions->claimed_address;
+#if defined(__IPHONE_16_1) && __IPHONE_OS_VERSION_MAX_ALLOWED >= __IPHONE_16_1
+  if (zone->version >= 13 && functions->try_free_default) {
+    zone->try_free_default = functions->try_free_default;
+  }
+#endif
 
   // Restore protection if it was active.
   if (reprotection_start) {
@@ -285,8 +302,22 @@ void ReplaceAllocatorsWithHandlerForbidden() {
   new_functions.free_definite_size = handler_forbidden_free_definite_size;
   new_functions.pressure_relief = handler_forbidden_pressure_relief;
   new_functions.claimed_address = handler_forbidden_claimed_address;
+#if defined(__IPHONE_16_1) && __IPHONE_OS_VERSION_MAX_ALLOWED >= __IPHONE_16_1
+  new_functions.try_free_default = handler_forbidden_try_free_default;
+#endif
   ReplaceZoneFunctions(default_zone, &new_functions);
 
+  vm_address_t* zones;
+  unsigned int count;
+  kern_return_t kr =
+      malloc_get_all_zones(mach_task_self(), nullptr, &zones, &count);
+  if (kr != KERN_SUCCESS)
+    return;
+  for (unsigned int i = 0; i < count; ++i) {
+    malloc_zone_t* zone = reinterpret_cast(zones[i]);
+    ReplaceZoneFunctions(zone, &new_functions);
+  }
+
   malloc_zone_t* purgeable_zone = malloc_default_purgeable_zone();
   ReplaceZoneFunctions(purgeable_zone, &new_functions);
 }
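Review bot: The `zone->version >= 13` test is a bare magic number; the commit message states that try_free_default appeared in malloc zone version 13, and that fact belongs beside the check, e.g. `// try_free_default exists only in zone version >= 13 (iOS 16.1 SDK).` Note also that this is a runtime check on the target zone's version, not on the SDK, so it is the one thing preventing a write past the end of an older zone's function table when the binary is built against the 16.1 SDK but runs against an older allocator; naming that in the comment would stop a future cleanup from folding it into the `#if`. ReplaceZoneFunctions begins and ends outside this hunk.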
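Review bot: The early `return` on a malloc_get_all_zones failure now skips the purgeable-zone replacement that follows the loop, so a failed enumeration silently leaves malloc_default_purgeable_zone() unguarded where the previous code always guarded it. Moving `malloc_zone_t* purgeable_zone = malloc_default_purgeable_zone();` and `ReplaceZoneFunctions(purgeable_zone, &new_functions);` above the `vm_address_t* zones;` declaration, or logging the failure with CRASHPAD_RAW_LOG and skipping only the loop, preserves that guarantee. Separately, every handler_forbidden_* wrapper forwards to g_old_zone's saved table; if that table is a snapshot of the default zone only (its definition is outside this hunk), installing the wrappers into every zone returned here routes other zones' calls to the default zone's implementation with a foreign zone pointer, which is worth confirming before relying on the broader replacement. The enumeration also includes the default and purgeable zones, so those two are replaced twice; harmless as long as ReplaceZoneFunctions only assigns pointers, as its visible part does. The `reinterpret_cast(zones[i])` line appears to have lost its template argument in rendering rather than in the source.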