[ASDisplayNode] Fix a crash in insertSubnode

rcancro · rcancro · commit d8c933cf453b · 2025-02-06T12:59:41.000-08:00
If a node is already a subnode to a supernode, Inserting it again can lead to a crash.

Here is a simple repro of the crash:
```
  ASDisplayNode *subnode = [[ASDisplayNode alloc] init];
  ASDisplayNode *supernode = [[ASDisplayNode alloc] init];

  [supernode addSubnode:subnode];
  // Crash on next line
  [supernode insertSubnode:subnode atIndex:1];
```

The issue is that all the checks around subnode array boundaries are done BEFORE `subnode` is removed from its `supernode`. If it happens that the `supernode` is self, then removing the `subnode` causes all our index checks to no longer be valid.

Here is the relevant code:

```
  __instanceLock__.lock();
    NSUInteger subnodesCount = _subnodes.count;
  __instanceLock__.unlock();
   ////// Here we check our indexes
  if (subnodeIndex &gt; subnodesCount || subnodeIndex &lt; 0) {
    ASDisplayNodeFailAssert(@"Cannot insert a subnode at index %ld. Count is %ld", (long)subnodeIndex, (long)subnodesCount);
    return;
  }

…

  ///////// Here our indexes could invalidate if self subnode’s supernode
  [subnode removeFromSupernode];
  [oldSubnode removeFromSupernode];

  __instanceLock__.lock();
    if (_subnodes == nil) {
      _subnodes = [[NSMutableArray alloc] init];
    }
    ////// Here would can crash if our index is too big
    [_subnodes insertObject:subnode atIndex:subnodeIndex];
    _cachedSubnodes = nil;
  __instanceLock__.unlock();
```
diff --git a/Source/ASDisplayNode.mm b/Source/ASDisplayNode.mm
@@ -2104,6 +2104,11 @@ - (void)_insertSubnode:(ASDisplayNode *)subnode atSubnodeIndex:(NSInteger)subnod
     ASDisplayNodeFailAssert(@"Cannot add a view-backed node as a subnode of a layer-backed node. Supernode: %@, subnode: %@", self, subnode);
     return;
   }
+  
+  if (subnode.supernode == self) {
+    ASDisplayNodeFailAssert(@"`subnode` %@ is already a subnode to `supernode` %@. You may be mixing addSubnode and ASM", subnode, self);
+    return;
+  }
 
   BOOL isRasterized = subtreeIsRasterized(self);
   if (isRasterized && subnode.nodeLoaded) {
diff --git a/Tests/ASDisplayNodeTests.mm b/Tests/ASDisplayNodeTests.mm
@@ -2783,4 +2783,15 @@ - (void)testPlaceholder
   XCTAssertTrue(hasPlaceholderLayer);
 }
 
+- (void)testInsertExistingSubnode
+{
+  ASDisplayNode *subnode = [[ASDisplayNode alloc] init];
+  ASDisplayNode *supernode = [[ASDisplayNode alloc] init];
+  
+  [supernode addSubnode:subnode];
+  // Previously this would cause a crash. We now protect inserting an already existing subnode
+  XCTAssertThrows([supernode insertSubnode:subnode atIndex:1]);
+  XCTAssertTrue(supernode.subnodes.count == 1);
+}
+
 @end
