[ASDisplayNode] Fix a crash in insertSubnode #2122
Merged
rcancro merged 2 commits into TextureGroup:master on Feb 6, 2025
If a node is already a subnode to a supernode, inserting it again can lead to a crash.
Here is a simple repro of the crash:
```
ASDisplayNode *subnode = [[ASDisplayNode alloc] init];
ASDisplayNode *supernode = [[ASDisplayNode alloc] init];
[supernode addSubnode:subnode];
// Crash on next line
[supernode insertSubnode:subnode atIndex:1];
```
The issue is that all the checks around subnode array boundaries are done BEFORE `subnode` is removed from its `supernode`. If it happens that the `supernode` is self, then removing the `subnode` causes all our index checks to no longer be valid.
Here is the relevant code:
```
__instanceLock__.lock();
  NSUInteger subnodesCount = _subnodes.count;
__instanceLock__.unlock();
////// Here we check our indexes
if (subnodeIndex > subnodesCount || subnodeIndex < 0) {
  ASDisplayNodeFailAssert(@"Cannot insert a subnode at index %ld. Count is %ld", (long)subnodeIndex, (long)subnodesCount);
  return;
}
…
///////// Here our indexes could be invalidated if self is subnode's supernode
[subnode removeFromSupernode];
[oldSubnode removeFromSupernode];
__instanceLock__.lock();
  if (_subnodes == nil) {
    _subnodes = [[NSMutableArray alloc] init];
  }
  ////// Here we can crash if our index is too big
  [_subnodes insertObject:subnode atIndex:subnodeIndex];
  _cachedSubnodes = nil;
__instanceLock__.unlock();
```
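A minimal model of the stale bounds check described above, added here as an illustration and not taken from this PR or from Texture. `ToyNode` and its methods are hypothetical stand-ins for `ASDisplayNode`, locking is omitted, and the insert validates the index against the count the array will have once the subnode has been detached, so a rejected call leaves the tree untouched.

```objc
// Added illustration: ToyNode is a hypothetical stand-in, not Texture's ASDisplayNode.
// Assumes ARC (for example: clang -fobjc-arc -framework Foundation toy.m).
#import <Foundation/Foundation.h>

@interface ToyNode : NSObject
@property (nonatomic, weak) ToyNode *supernode;
@property (nonatomic, readonly) NSMutableArray<ToyNode *> *subnodes;
- (BOOL)insertSubnode:(ToyNode *)subnode atIndex:(NSUInteger)index;
@end

@implementation ToyNode
- (instancetype)init {
  if ((self = [super init])) { _subnodes = [NSMutableArray array]; }
  return self;
}

- (void)removeFromSupernode {
  [self.supernode.subnodes removeObjectIdenticalTo:self];
  self.supernode = nil;
}

// Returns NO instead of letting NSMutableArray raise NSRangeException.
- (BOOL)insertSubnode:(ToyNode *)subnode atIndex:(NSUInteger)index {
  if (subnode == nil || subnode == self) { return NO; }
  // If subnode is already ours, detaching it shrinks the array by one,
  // so the bound to check is the count *after* that removal.
  NSUInteger countAfterDetach = self.subnodes.count - (subnode.supernode == self ? 1 : 0);
  if (index > countAfterDetach) { return NO; }
  [subnode removeFromSupernode];
  [self.subnodes insertObject:subnode atIndex:index];
  subnode.supernode = self;
  return YES;
}
@end

int main(void) {
  @autoreleasepool {
    ToyNode *supernode = [ToyNode new];
    ToyNode *subnode = [ToyNode new];
    [supernode insertSubnode:subnode atIndex:0];
    // Same call shape as the repro: index 1 is within the pre-removal count,
    // but out of bounds once subnode has been detached from supernode.
    BOOL stale = [supernode insertSubnode:subnode atIndex:1];
    // Re-inserting at an index that is still valid after detaching is a plain move.
    BOOL moved = [supernode insertSubnode:subnode atIndex:0];
    NSLog(@"stale index accepted: %d, move accepted: %d", stale, moved);
  }
  return 0;
}
```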
raycsh017 (Contributor) approved these changes on Feb 6, 2025 and left a comment:
Not adding subnode to the node hierarchy if it's already in it makes sense, approving.
The fix is to add another case for exiting early because our `subnodeIndex` is out of bounds of `_subnodes`. After this check:
I've added a new check/early return