Bug 1838286 - Fix a race condition with in-process DLL interception. r=win-reviewers,gstoll

If a thread starts running a detoured function right after we
successfully committed our 13-bytes patch, there is a short delay where
it can reach the patched_XXX function and try to call stub_XXX while
stub_XXX.mOrigFunc is still a null pointer.

We fix this specific race condition, which, in the current code base,
materializes mostly as crashes in patched_BaseThreadInitThunk when
trying to call stub_BaseThreadInitThunk.

Differential Revision: https://phabricator.services.mozilla.com/D192668

toolkit/xre/dllservices/mozglue/interceptor/PatcherDetour.h

@@ -1737,12 +1737,14 @@ class WindowsDllDetourPatcher final
       PrimitiveT::ApplyDefaultPatch(target, aDest);
     } while (false);
 
-    if (!target.Commit()) {
-      return;
-    }
-
-    // Output the trampoline, thus signalling that this call was a success
+    // Output the trampoline, thus signalling that this call was a success. This
+    // must happen before our patched function can be reached from another
+    // thread, so before we commit the target code (bug 1838286).
     *aOutTramp = trampPtr;
+
+    if (!target.Commit()) {
+      *aOutTramp = nullptr;
+    }
   }
 };