Guard against seg fault if replaceChild index is out of bounds #1744
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
|
This pull request was exported from Phabricator. Differential Revision: D66038645 |
joevilches
force-pushed
the
export-D66038645
branch
from
5f6cc74 to
89e55b3
Compare
joevilches
added a commit
to joevilches/yoga
that referenced
this pull request
Nov 16, 2024
…ook#1744) Summary: X-link: facebook/react-native#47644 We are seeing some seg faults after the new display: contents logic was added. This is either because we are passing in an out of bounds index - in which case we try to read `display_` from protected memory. Or, the `Node *` was deleted at some point without removing it from this array. I think its the out of bounds issue mainly because I am not sure where this deletion would occur I added an if to revert to the legacy, undefined behavior in this case. This is not ideal and we should find the root cause that is calling into this function improperly but for now it stops apps from crashing on the `replaceChild` call Changelog: [Internal] Reviewed By: rozele Differential Revision: D66038645
joevilches
added a commit
to joevilches/react-native
that referenced
this pull request
Nov 16, 2024
…ook#47644) Summary: X-link: facebook/yoga#1744 We are seeing some seg faults after the new display: contents logic was added. This is either because we are passing in an out of bounds index - in which case we try to read `display_` from protected memory. Or, the `Node *` was deleted at some point without removing it from this array. I think its the out of bounds issue mainly because I am not sure where this deletion would occur I added an if to revert to the legacy, undefined behavior in this case. This is not ideal and we should find the root cause that is calling into this function improperly but for now it stops apps from crashing on the `replaceChild` call Changelog: [Internal] Reviewed By: rozele Differential Revision: D66038645
|
This pull request was exported from Phabricator. Differential Revision: D66038645 |
…ook#1744) Summary: X-link: facebook/react-native#47644 We are seeing some seg faults after the new display: contents logic was added. This is either because we are passing in an out of bounds index - in which case we try to read `display_` from protected memory. Or, the `Node *` was deleted at some point without removing it from this array. I think its the out of bounds issue mainly because I am not sure where this deletion would occur I added an if to revert to the legacy, undefined behavior in this case. This is not ideal and we should find the root cause that is calling into this function improperly but for now it stops apps from crashing on the `replaceChild` call Changelog: [Internal] Reviewed By: rozele Differential Revision: D66038645
joevilches
force-pushed
the
export-D66038645
branch
from
89e55b3 to
0d2abf5
Compare
joevilches
added a commit
to joevilches/react-native
that referenced
this pull request
Nov 18, 2024
…ook#47644) Summary: X-link: facebook/yoga#1744 We are seeing some seg faults after the new display: contents logic was added. This is either because we are passing in an out of bounds index - in which case we try to read `display_` from protected memory. Or, the `Node *` was deleted at some point without removing it from this array. I think its the out of bounds issue mainly because I am not sure where this deletion would occur I added an if to revert to the legacy, undefined behavior in this case. This is not ideal and we should find the root cause that is calling into this function improperly but for now it stops apps from crashing on the `replaceChild` call Changelog: [Internal] Reviewed By: rozele Differential Revision: D66038645
|
This pull request was exported from Phabricator. Differential Revision: D66038645 |
|
@joevilches how much of an emergency is this? Silently allowing shadowtree or other Yoga node corruption to happen later just moves the blame of the problem, instead of fixing anything. We should be hard asserting here, like we do in some other places by using “at()” instead of subscript operator. |
|
@NickGerleman oh yeah totally with you. This was a stop gap for a UBN, although I think the urgency is lower than I initially thought on Friday. I was putting this out here to at least revert to previous behavior in bad cases with a follow up to actually fix this. We can chat more tomorrow though, I plan on sitting on this change at this point. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary:
We are seeing some seg faults after the new display: contents logic was added. This is either because we are passing in an out of bounds index - in which case we try to read
display_from protected memory. Or, theNode *was deleted at some point without removing it from this array. I think its the out of bounds issue mainly because I am not sure where this deletion would occurI added an if to revert to the legacy, undefined behavior in this case. This is not ideal and we should find the root cause that is calling into this function improperly but for now it stops apps from crashing on the
replaceChildcallChangelog: [Internal]
Reviewed By: rozele
Differential Revision: D66038645