Skip to content
This repository was archived by the owner on Feb 25, 2025. It is now read-only.

iOS a11y: Implement strong down weak up reference management #4602

Merged
yjbanov merged 2 commits into from
Feb 16, 2018
Merged

iOS a11y: Implement strong down weak up reference management #4602

yjbanov merged 2 commits into from
Feb 16, 2018

Conversation

@yjbanov
Copy link
Contributor

@yjbanov yjbanov commented Jan 29, 2018
edited
Loading

Fixes flutter/flutter#13701

The crash was caused by a use-after-free bug. SemanticsObjectContainer uses a raw pointer to point to _semanticsObject. When it returns the pointer to iOS' a11y framework it does not bump the ref count. Similarly, SemanticsObject has a raw std::vector<SemanticsObject*> _children, and does not bump the ref count when returning pointers to iOS. When the semantics tree is updated and AccessibilityBridge::UpdateSemantics clears the objects_ dictionary, the ref count hits zero and the semantics objects are freed. In the mean time, iOS continues to assume that the objects are live.

/cc @goderbauer @chinmaygarde

@yjbanov
Copy link
Contributor Author

yjbanov commented Jan 29, 2018

Hmm, I do not understand the Travis failure. It seems to tell me that I should format a file that I didn't touch :/

@goderbauer
Copy link
Member

goderbauer commented Jan 29, 2018

Looks like the engine repo is red on travis for master, so that failure was probably not introduced by you: https://travis-ci.org/flutter/engine/builds/334200934

chinmaygarde
chinmaygarde suggested changes Jan 29, 2018
View reviewed changes
Copy link
Member

@chinmaygarde chinmaygarde left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

accessibilityElementAtIndex: does not have transfer-out ownership rules of the child at that particular index. I suspect you are working around some other issue around the ownership rules. Likely by introducing a (another?) leak.

I strongly feel like we should fix the underlying issue by not holding onto these object by raw pointers. We already have smart pointers for NSObject types in FML. We also control that library and we can add more utilities to address out use case.

@cbracken
Copy link
Member

cbracken commented Jan 30, 2018

+1 to @chinmaygarde's comment. First thing to do is clarify who's responsible for object lifetime, then clean up what's there and stop relying on just the shared dict for ref-count. Everyone using an NSObject should manage their own inc/dec of the refcount.

@yjbanov
Copy link
Contributor Author

yjbanov commented Feb 14, 2018
edited
Loading

PTAL. In this new version I made parent a weak pointer, and children a strong ref-counted array of pointers. On top of that, I null out children's parent pointers eagerly inside the parent's destructor because there's no guarantee about when the child's destructor is called (iOS may continue holding references to children after we cleared them out). A similar relationship is established between SemanticsObjectContainer and SemanticsObject. After this change, SemanticsObject only holds strong references to it's children. So strong references always point down the tree, and weak references point up the tree and cleared out eagerly.

@yjbanov yjbanov changed the title retain refs vended from non-managed fields and collections iOS a11y: Implement strong down weak up reference management Feb 15, 2018
@yjbanov
Copy link
Contributor Author

yjbanov commented Feb 15, 2018
edited
Loading

Update: I can no longer vouch for existence of a leak. It seems I have been reading the Instruments UI wrong. Many of the objects listed in it have ref count == 0.

goderbauer
goderbauer approved these changes Feb 15, 2018
View reviewed changes
Copy link
Member

@goderbauer goderbauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@yjbanov yjbanov merged commit 503f86d into flutter:master Feb 16, 2018
cbracken
cbracken reviewed Feb 16, 2018
View reviewed changes
shell/platform/darwin/ios/framework/Source/accessibility_bridge.mm
if (top == 0.0)
return rectA.origin.x - rectB.origin.x < 0.0;
return top < 0.0;
NSComparisonResult intToComparisonResult(int32_t value) {
Copy link
Member

@cbracken cbracken Feb 16, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IntToComparisonResult for static funcs.

@yjbanov yjbanov deleted the ios-fix-a11y-crash branch June 22, 2021 21:18
@jmagman jmagman mentioned this pull request May 14, 2024
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

3 more reviewers

@cbracken cbracken cbracken left review comments

@chinmaygarde chinmaygarde chinmaygarde approved these changes

@goderbauer goderbauer goderbauer approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cla: yes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@yjbanov @goderbauer @cbracken @chinmaygarde @googlebot