android: Synchronize ArtMethod class field post GC

So our replacement ArtMethod instances don't go stale, and cause
undefined behavior.

Co-authored-by: Håvard Sørbø <havard@hsorbo.no>

Author: oleavr

lib/android.js

@@ -1867,19 +1867,23 @@ set_replacement_method (gpointer original_method,
 }
 
 void
-on_fixups_applied (guint quick_code_offset,
-                   void * nterp_entrypoint,
-                   void * quick_to_interpreter_bridge)
+synchronize_replacement_methods (guint quick_code_offset,
+                                 void * nterp_entrypoint,
+                                 void * quick_to_interpreter_bridge)
 {
   GHashTableIter iter;
-  gpointer hooked_method;
+  gpointer hooked_method, replacement_method;
 
   g_mutex_lock (&lock);
 
   g_hash_table_iter_init (&iter, methods);
-  while (g_hash_table_iter_next (&iter, &hooked_method, NULL))
+  while (g_hash_table_iter_next (&iter, &hooked_method, &replacement_method))
   {
-    void ** quick_code = hooked_method + quick_code_offset;
+    void ** quick_code;
+
+    *((uint32_t *) replacement_method) = *((uint32_t *) hooked_method);
+
+    quick_code = hooked_method + quick_code_offset;
     if (*quick_code == nterp_entrypoint)
       *quick_code = quick_to_interpreter_bridge;
   }
@@ -2045,7 +2049,7 @@ on_leave_gc_concurrent_copying_copying_phase (GumInvocationContext * ic)
       isReplacement: new NativeFunction(cm.is_replacement_method, 'bool', ['pointer'], fastOptions),
       get: new NativeFunction(cm.get_replacement_method, 'pointer', ['pointer'], fastOptions),
       set: new NativeFunction(cm.set_replacement_method, 'void', ['pointer', 'pointer'], fastOptions),
-      onFixupsApplied: new NativeFunction(cm.on_fixups_applied, 'void', ['uint', 'pointer', 'pointer'], fastOptions),
+      synchronize: new NativeFunction(cm.synchronize_replacement_methods, 'void', ['uint', 'pointer', 'pointer'], fastOptions),
       delete: new NativeFunction(cm.delete_replacement_method, 'void', ['pointer'], fastOptions),
       translate: new NativeFunction(cm.translate_method, 'pointer', ['pointer'], fastOptions),
       findReplacementFromQuickCode: cm.find_replacement_method_from_quick_code
@@ -2079,6 +2083,7 @@ function ensureArtKnowsHowToHandleMethodInstrumentation (vm) {
 
   instrumentArtQuickEntrypoints(vm);
   instrumentArtMethodInvocationFromInterpreter();
+  instrumentArtGarbageCollection();
   instrumentArtFixupStaticTrampolines();
 }
 
@@ -2131,6 +2136,23 @@ function instrumentArtMethodInvocationFromInterpreter () {
   }
 }
 
+function instrumentArtGarbageCollection () {
+  const api = getApi();
+  const art = api.module;
+
+  const gc = art.findSymbolByName("_ZN3art2gc4Heap22CollectGarbageInternalENS0_9collector6GcTypeENS0_7GcCauseEbj");
+  if (gc === null)
+    return;
+
+  const { artNterpEntryPoint, artQuickToInterpreterBridge } = api;
+  const quickCodeOffset = getArtMethodSpec(api.vm).offset.quickCode;
+  Interceptor.attach(gc, {
+    onLeave() {
+      artController.replacedMethods.synchronize(quickCodeOffset, artNterpEntryPoint, artQuickToInterpreterBridge);
+    }
+  });
+}
+
 function instrumentArtFixupStaticTrampolines () {
   const patterns = [
     ['_ZN3art11ClassLinker26VisiblyInitializedCallback22MarkVisiblyInitializedEPNS_6ThreadE',         'e90340f8 : ff0ff0ff'],
@@ -2152,7 +2174,7 @@ function instrumentArtFixupStaticTrampolines () {
     const { artNterpEntryPoint, artQuickToInterpreterBridge } = api;
     const quickCodeOffset = getArtMethodSpec(api.vm).offset.quickCode;
     Interceptor.attach(matches[0].address, function () {
-      artController.replacedMethods.onFixupsApplied(quickCodeOffset, artNterpEntryPoint, artQuickToInterpreterBridge);
+      artController.replacedMethods.synchronize(quickCodeOffset, artNterpEntryPoint, artQuickToInterpreterBridge);
     });
 
     return;