HACK: Redefine free() to fix bug in AXRuntime.framework

Podfile

@@ -9,16 +9,19 @@ xcodeproj 'WebDriverAgent.xcodeproj'
 # UIAutomation Testing
 
 target :WebDriverAgent, :exclusive => true do
+  pod 'fishhook', :git => 'https://github.com/facebook/fishhook.git', :commit => '8dbd09b'
   pod 'KissXML'
   pod 'RoutingHTTPServer'
 end
 
 target :WebDriverAgentLib, :exclusive => true do
+  pod 'fishhook', :git => 'https://github.com/facebook/fishhook.git', :commit => '8dbd09b'
   pod 'KissXML'
   pod 'RoutingHTTPServer'
 end
 
 target :WebDriverAgentLibTests, :exclusive => true do
+  pod 'fishhook', :git => 'https://github.com/facebook/fishhook.git', :commit => '8dbd09b'
   pod 'KissXML'
   pod 'RoutingHTTPServer'
   pod 'OCMock'
@@ -28,11 +31,13 @@ end
 # XCT Testing
 
 target :XCTWebDriverAgentLib, :exclusive => true do
+  pod 'fishhook', :git => 'https://github.com/facebook/fishhook.git', :commit => '8dbd09b'
   pod 'KissXML'
   pod 'RoutingHTTPServer'
 end
 
 target :XCTUITestRunner, :exclusive => true do
+  pod 'fishhook', :git => 'https://github.com/facebook/fishhook.git', :commit => '8dbd09b'
   pod 'KissXML'
   pod 'RoutingHTTPServer'
-end
+end

Podfile.lock

@@ -11,20 +11,33 @@ PODS:
     - CocoaLumberjack/Core
   - CocoaLumberjack/Extensions (2.0.3):
     - CocoaLumberjack/Default
+  - fishhook (0.1)
   - KissXML (5.0)
   - OCMock (3.2)
   - RoutingHTTPServer (1.0.0):
     - CocoaHTTPServer (~> 2.3)
 
 DEPENDENCIES:
+  - fishhook (from `https://github.com/facebook/fishhook.git`, commit `8dbd09b`)
   - KissXML
   - OCMock
   - RoutingHTTPServer
 
+EXTERNAL SOURCES:
+  fishhook:
+    :commit: 8dbd09b
+    :git: https://github.com/facebook/fishhook.git
+
+CHECKOUT OPTIONS:
+  fishhook:
+    :commit: 8dbd09b
+    :git: https://github.com/facebook/fishhook.git
+
 SPEC CHECKSUMS:
   CocoaAsyncSocket: f5783bdedd232d91b89769bc4b5a1580aed518ad
   CocoaHTTPServer: 5624681fc3473d43b18202f635f9b3abb013b530
   CocoaLumberjack: f58d8a19629f4d8379ae14bb3534def24161430e
+  fishhook: 6d204de227d0fa80dca600bb3bc15c0d257756b0
   KissXML: ce643413d618ad69886d0d43c3792b7dedfe476e
   OCMock: 28def049ef47f996b515a8eeea958be7ccab2dbb
   RoutingHTTPServer: fab8b13e725f26720500c146d43c98c11ebc4d47

WebDriverAgent/main.m

@@ -9,8 +9,35 @@
 
 #import <WebDriverAgentLib/FBUIAWebDriverAgent.h>
 
+#import <dlfcn.h>
+#import <fishhook/fishhook.h>
+
+void my_free(void *ptr);
+static void (*orig_free)(void *);
+
+static void *badFreeCaller;
+
+void my_free(void *ptr) {
+  void *caller = __builtin_return_address(0);
+  if (caller == badFreeCaller) {
+    return;
+  }
+  orig_free(ptr);
+}
+
+
 int main(int argc, char *argv[]) {
   @autoreleasepool {
+    // This is all one terrible hack to deal with a bug in AXRuntime cfAttributedStringUnserialize() where they attempt
+    // to free a pointer which was not allocated.
+    // From doing pointer arithmetic, at the end of this `badFreeCaller` is set to the exact address of the caller which attempts
+    // this within cfAttributedStringUnserialize.
+    // This issue shows up in Xcode 7.2.
+    rebind_symbols((struct rebinding[1]){{"free", my_free, (void *)&orig_free}}, 1);
+    void *AXRuntimeImage = dlopen("/System/Library/PrivateFrameworks/AXRuntime.framework/AXRuntime", RTLD_NOW);
+    void *knownAddress = dlsym(AXRuntimeImage, "AXUnserializeCFType");
+    badFreeCaller = knownAddress + 0x1F69;
+
     [[FBUIAWebDriverAgent sharedAgent] start];
   }