From a33f7d7a846a3ec8efa17d4ee1ec1fb824f5ade4 Mon Sep 17 00:00:00 2001
From: Adam Comella
Date: Thu, 1 Dec 2016 21:22:25 -0800
Subject: [PATCH] iOS: Fix an image loader crash
Summary: Fixes #10433 The code didn't account for the fact that cancelLoad is set by two different threads. It gets set on the URL request queue when the request completes successfully and it gets set on the UI queue during cancelation. This oversight lead to a couple of different kinds of crashes. 1. Attempt to invoke a nil function -- We check that cancelLoad is non-nil and on the next line we call it. However, cancelLoad could have been set to nil by the other thread between the time it was verified to be non-nil and the time it was called. Consequently, the program will attempt to call nil and crash. 2. Block deallocated while it's executing -- Suppose cancelLoad points to a block, it is verified to be non-nil, and it is successfully invoked. In the middle of executing the block, cancelLoad, the last reference to the block, is set to nil. This causes the block to be deallocated and its captured values to be freed. However, the block continues executing and the next time it attempts to use a captured value Closes https://github.com/facebook/react-native/pull/11145 Differential Revision: D4261499 Pulled By: javache fbshipit-source-id: 46424c6dd8cfa085cef32d945308de07798040bc
---
 Libraries/Image/RCTImageLoader.m | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/Libraries/Image/RCTImageLoader.m b/Libraries/Image/RCTImageLoader.m
index a460f712a0449d..ea600058adccbd 100644
--- a/Libraries/Image/RCTImageLoader.m
+++ b/Libraries/Image/RCTImageLoader.m
@@ -382,9 +382,10 @@ - (RCTImageLoaderCancellationBlock)_loadImageOrDataWithURLRequest:(NSURLRequest
 });
 return ^{
- if (cancelLoad && !cancelled) {
- cancelLoad();
- cancelLoad = nil;
+ dispatch_block_t cancelLoadLocal = cancelLoad;
+ cancelLoad = nil;
+ if (cancelLoadLocal && !cancelled) {
+ cancelLoadLocal();
 }
 OSAtomicOr32Barrier(1, &cancelled);
 };
@@ -514,8 +515,9 @@ - (RCTImageLoaderCancellationBlock)loadImageWithURLRequest:(NSURLRequest *)image
 __block volatile uint32_t cancelled = 0;
 __block dispatch_block_t cancelLoad = nil;
 dispatch_block_t cancellationBlock = ^{
- if (cancelLoad && !cancelled) {
- cancelLoad();
+ dispatch_block_t cancelLoadLocal = cancelLoad;
+ if (cancelLoadLocal && !cancelled) {
+ cancelLoadLocal();
 }
 OSAtomicOr32Barrier(1, &cancelled);
 };
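Review bot: In the block returned from `_loadImageOrDataWithURLRequest:`, the copy into `cancelLoadLocal` and the following `cancelLoad = nil` are still plain, unsynchronised accesses to a `__block` variable that the commit description says is written from both the URL request queue and the UI queue. Under ARC a strong read is a load followed by a retain, so a concurrent store that releases the old block can presumably still land between the two; the change narrows the use-after-free window rather than closing it. Consider guarding every read and write of `cancelLoad` with one lock or confining them to a single serial queue, and until then recording the assumption with `// cancelLoad is also written on the URL request queue; invoke only the local strong copy`. The same applies to the `cancellationBlock` hunk in `loadImageWithURLRequest:`; both method bodies start and end outside the hunks, so the writer side is not visible here.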
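Review bot: `cancellationBlock` in `loadImageWithURLRequest:` takes the local copy but, unlike the first hunk, never sets `cancelLoad = nil`, and its `!cancelled` test is separate from the `OSAtomicOr32Barrier(1, &cancelled)` that follows it. Two concurrent cancellations can therefore both pass the test and invoke the block twice. If setting the flag before the call is acceptable to the code outside the hunk, gate on the atomic's previous value instead: `if (OSAtomicOr32OrigBarrier(1, &cancelled) == 0 && cancelLoadLocal) { cancelLoadLocal(); }`. If leaving `cancelLoad` set here is deliberate, a one-line comment saying why would keep the two cancellation paths from looking accidentally different.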