[Windows] CFThreadSpecific implementation allows access to deallocated value

lxbndr · lxbndr · commit 62fd9560efbc · 2020-04-12T14:56:09.000+03:00
Unlike pthread-based implementation, TLS/FLS on Windows doesn't
return NULL when reading value after destructor call.

To avoid that we have to nullify value in destructor callback.
The implementation needs to store key along with user
data to perform proper cleanup.
diff --git a/CoreFoundation/Base.subproj/CFPlatform.c b/CoreFoundation/Base.subproj/CFPlatform.c
@@ -1390,8 +1390,22 @@ CF_PRIVATE int asprintf(char **ret, const char *format, ...) {
 extern void swift_retain(void *);
 extern void swift_release(void *);
 
+#if TARGET_OS_WIN32
+typedef struct _CFThreadSpecificData {
+    CFTypeRef value;
+    _CFThreadSpecificKey key;
+} _CFThreadSpecificData;
+#endif
+
 static void _CFThreadSpecificDestructor(void *ctx) {
+#if TARGET_OS_WIN32
+    _CFThreadSpecificData *data = (_CFThreadSpecificData *)ctx;
+    FlsSetValue(data->key, NULL);
+    swift_release(data->value);
+    free(data);
+#else
     swift_release(ctx);
+#endif
 }
 
 _CFThreadSpecificKey _CFThreadSpecificKeyCreate() {
@@ -1406,7 +1420,11 @@ _CFThreadSpecificKey _CFThreadSpecificKeyCreate() {
 
 CFTypeRef _Nullable _CFThreadSpecificGet(_CFThreadSpecificKey key) {
 #if TARGET_OS_WIN32
-  return (CFTypeRef)FlsGetValue(key);
+    _CFThreadSpecificData *data = (_CFThreadSpecificData *)FlsGetValue(key);
+    if (data == NULL) {
+        return NULL;
+    }
+    return data->value;
 #else
     return (CFTypeRef)pthread_getspecific(key);
 #endif
@@ -1415,9 +1433,23 @@ CFTypeRef _Nullable _CFThreadSpecificGet(_CFThreadSpecificKey key) {
 void _CFThreadSpecificSet(_CFThreadSpecificKey key, CFTypeRef _Nullable value) {
 #if TARGET_OS_WIN32
     if (value != NULL) {
+        _CFThreadSpecificData *oldData = (_CFThreadSpecificData *)FlsGetValue(key);
+        if (oldData) {
+            free(oldData);
+        }
+
+        _CFThreadSpecificData *data = malloc(sizeof(_CFThreadSpecificData));
+        if (!data) {
+            HALT_MSG("Out of memory");
+        }
+        data->value = value;
+        data->key = key;
+
         swift_retain((void *)value);
+        FlsSetValue(key, data);
+    } else {
+        FlsSetValue(key, NULL);
     }
-    FlsSetValue(key, value);
 #else
     if (value != NULL) {
         swift_retain((void *)value);
diff --git a/Tests/Foundation/Tests/TestNotificationQueue.swift b/Tests/Foundation/Tests/TestNotificationQueue.swift
@@ -229,5 +229,12 @@ class TestNotificationQueue : XCTestCase {
         bgThread.start()
 
         waitForExpectations(timeout: 0.2)
+
+        // There is a small time gap between "e.fulfill()"
+        // and actuall thread termination.
+        // We need a little delay to allow bgThread actually die.
+        // Callers of this function are assuming thread is
+        // deallocated after call.
+        Thread.sleep(forTimeInterval: 0.05)
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -229,5 +229,12 @@ class TestNotificationQueue : XCTestCase {`
`229`	`229`	`bgThread.start()`
`230`	`230`
`231`	`231`	`waitForExpectations(timeout: 0.2)`
	`232`	`+`
	`233`	`+ // There is a small time gap between "e.fulfill()"`
	`234`	`+ // and actuall thread termination.`
	`235`	`+ // We need a little delay to allow bgThread actually die.`
	`236`	`+ // Callers of this function are assuming thread is`
	`237`	`+ // deallocated after call.`
	`238`	`+ Thread.sleep(forTimeInterval: 0.05)`
`232`	`239`	`}`
`233`	`240`	`}`