Right now, if a function is called in the middle of the hook, this series of events could be possible:

1. `substitute_hook_functions` is called
2. Function is written to, old pointer is saved
3. taiHEN sets the old pointer into the `tai_hook_t` object stored in user address space.
4. Call returns to user with a reference to the `tai_hook_t`

It is possible, between 2 and 4, that the function is called. In that case, it jumps to the user function, which tries to call `TAI_CONTINUE` with an uninitialized reference.
There are a couple of possible solutions:

1. We initialize the user reference to `NULL` before 1, then we modify `TAI_CONTINUE` to not dereference the hook if `NULL` and return an error. The problem with this is that we cannot call the original function and this may break whatever code depends on it.
2. We set the hook reference early (before returning from the hook call). This doesn't work for user hooks though.
3. We can halt all threads while the hook process is happening. This is what substitute does on iOS. Not sure if we want this for performance reasons.
For now, a workaround for the user is to set the hook reference to 0 before calling taiHEN and, in the hook function, only call `TAI_CONTINUE` if the reference is non-zero. Not a perfect solution, but it should prevent crashes.
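The interleaving from the issue, and the zero-then-check workaround from the comment above, modelled in plain C as an added example (this is not taiHEN's code; `hook_entry_t`, the `g_slot` dispatch slot and the `HOOK_ERR_NOT_READY` value are simplifications assumed for this example and do not reflect the real `tai_hook_t` layout or patch sequence). The target is called once after the function has been patched but before the reference is published, and once after; with the reference zeroed first and checked in the hook, the early call returns an error instead of dereferencing an unset pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of the install sequence from the issue. Assumptions: the
 * hook_entry_t / dispatch-slot layout is a simplification for this example
 * and is not taiHEN's real tai_hook_t or patching code. */

typedef int (*target_fn)(int);

typedef struct {
    target_fn orig;          /* saved pointer to the original code */
} hook_entry_t;

typedef hook_entry_t *hook_ref_t;

/* Models the instruction slot that gets overwritten when the function is patched. */
static target_fn g_slot;
/* Kernel-side hook record. */
static hook_entry_t g_entry;
/* User-side reference, the value the hook API writes back after patching. */
static hook_ref_t g_ref;

/* Constructed error value for "hook called before the reference was published". */
#define HOOK_ERR_NOT_READY (-1)

static int original(int x) { return x * 2; }

/* User hook with the workaround: only continue when the reference is non-zero. */
static int user_hook(int x) {
    if (g_ref == NULL) {
        /* An unchecked TAI_CONTINUE would dereference the unset reference here. */
        return HOOK_ERR_NOT_READY;
    }
    return g_ref->orig(x) + 1;   /* stands in for TAI_CONTINUE plus the hook's own work */
}

/* Steps 1-2: the function is written to and the old pointer is saved. */
static void install_patch(target_fn hook) {
    g_entry.orig = g_slot;
    g_slot = hook;
}

/* Step 3: the reference is stored into user address space. */
static void install_publish(hook_ref_t *ref) { *ref = &g_entry; }

/* A caller of the (possibly patched) function. */
static int call_target(int x) { return g_slot(x); }

typedef struct { int before_publish; int after_publish; } race_result_t;

/* Drives the interleaving the issue describes: the target is called between
 * step 2 and step 3, then again once the reference has been published. */
race_result_t run_race(int x) {
    race_result_t r;
    g_slot = original;
    g_ref = NULL;                        /* workaround: zero the reference first */
    install_patch(user_hook);
    r.before_publish = call_target(x);   /* hook sees g_ref == NULL -> HOOK_ERR_NOT_READY */
    install_publish(&g_ref);
    r.after_publish = call_target(x);    /* hook continues -> original(x) + 1 */
    return r;
}

int main(void) {
    race_result_t r = run_race(5);
    printf("before publish: %d, after publish: %d\n", r.before_publish, r.after_publish);
    return 0;
}
```

The early call still cannot reach the original function, which is exactly the limitation the issue notes for solution 1: the check turns a crash into an error return, not into correct behaviour.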