[Runtime] Use the properly resolved tag when adding offset after resolving relative pointers in layout strings

drexin · drexin · commit 10685367ceff · 2023-07-24T09:36:26.000-07:00
The tag was overwritten after resolve when a prior field caused a non-zero offset. This then caused the runtime to treat is a relative instead of an absolute pointer, causing invalid pointers to be dereferenced.
diff --git a/stdlib/public/runtime/Metadata.cpp b/stdlib/public/runtime/Metadata.cpp
@@ -2827,9 +2827,9 @@ void swift::_swift_addRefCountStringForMetatype(LayoutStringWriter &writer,
       }
 
       if (offset) {
+        LayoutStringReader tagReader {writer.layoutStr, writer.offset};
         auto writerOffsetCopy = writer.offset;
-        reader.offset = layoutStringHeaderSize;
-        auto firstTagAndOffset = reader.readBytes<uint64_t>();
+        auto firstTagAndOffset = tagReader.readBytes<uint64_t>();
         firstTagAndOffset += offset;
         writer.writeBytes(firstTagAndOffset);
         writer.offset = writerOffsetCopy;
diff --git a/test/Interpreter/layout_string_witnesses_dynamic.swift b/test/Interpreter/layout_string_witnesses_dynamic.swift
@@ -753,6 +753,41 @@ func testGenericSinglePayloadEnumManyXI() {
 
 testGenericSinglePayloadEnumManyXI()
 
+struct RefPlusEnumResolve {
+    let x: SimpleClass
+    let y: ResilientSinglePayloadEnumComplex
+}
+
+func testRefPlusEnumResolve() {
+    let ptr = allocateInternalGenericPtr(of: RefPlusEnumResolve.self)
+
+    do {
+        let x = RefPlusEnumResolve(x: SimpleClass(x: 23), y: .nonEmpty(.nonEmpty1(SimpleClass(x: 23))))
+        testGenericInit(ptr, to: x)
+    }
+
+    do {
+        let y = RefPlusEnumResolve(x: SimpleClass(x: 23), y: .nonEmpty(.nonEmpty1(SimpleClass(x: 23))))
+        // CHECK: Before deinit
+        print("Before deinit")
+
+        // CHECK-NEXT: SimpleClass deinitialized!
+        // CHECK-NEXT: SimpleClass deinitialized!
+        testGenericAssign(ptr, from: y)
+    }
+
+    // CHECK-NEXT: Before deinit
+    print("Before deinit")
+
+    // CHECK-NEXT: SimpleClass deinitialized!
+    // CHECK-NEXT: SimpleClass deinitialized!
+    testGenericDestroy(ptr, of: RefPlusEnumResolve.self)
+
+    ptr.deallocate()
+}
+
+testRefPlusEnumResolve()
+
 func testResilientSingletonEnumTag() {
     let x = switch getResilientSingletonEnumNonEmpty(SimpleClass(x: 23)) {
     case .nonEmpty: 0
