Instagram / IGListKit

99%

master: 100%

LAST BUILD ON BRANCH main

branch: SELECT

CHANGE BRANCH

x

• No branch selected
• 2.0.0
• 2.1.0
• 3.0.0
• 3.1.0
• 3.1.1
• API-to-get-visible-indexes
• add-checklist
• animated-update
• auto-diff
• auto-diff1
• automation-travis
• aviral/1220
• background-diff
• bad-update
• base-test
• bdotdub-file-header-template-whitespace
• binding-guide
• build-on-device
• category-linking
• center
• changelog
• changelog-fixes
• changelog-fixup
• changelog-tbd
• chore/dangerfile_noise
• cleanup-layout
• collection-view-layout-precision
• collectionview-reuse
• compiler
• config
• coverall
• danger
• danger-init
• debug-dump
• defer-invalidate
• dep-demo
• deprecate-IGListStackedSectionController
• deprecate-pods
• deselect
• disable-9_3-tests
• display-delegate
• display-suppl
• docs
• docs-patch
• docs-update
• documentation-updates
• double-inserts
• double-reload
• embed-crash
• equal-guide
• equality-guide-update
• export-D15590354
• export-D18064465
• export-D18114249
• export-D18249291
• export-D18449843
• export-D18594370
• export-D18638528
• faq
• feature/support-for-context-menu
• feb26-release
• fix-BindSectionController-updates-not-invalidating-layouts
• fix-build
• fix-cocoapods
• fix-danger
• fix-diff
• fix-docs-broken-image-links
• fix-duplicate-public-headers
• fix-examples
• fix-github-ci
• fix-headers
• fix-ig-assertion
• fix-iglistbindingsectioncontroller-generics
• fix-links
• fix-logic-error-of-layout-invalidation
• fix-readme-links
• fix-scrollToObject
• fix-swift-package
• fix-tv
• fix-user-github
• fix_layout_invalidation_659
• gen-docs
• guide-cleanup
• guides-setup
• iOS11Patch
• improve-coverage
• index-for-cell-nil
• initial-faq-guide
• instagram-clone-demo-app
• ios11-examples
• ios11-pod-warnings
• ipad-ci-update
• issue-1219
• issue-1223
• jessesquires-patch-1
• jessesquires-patch-2
• layout
• layout-2
• layout-fit
• less-layout
• lolwut-dafuck
• main
• master
• migration-3
• migration-format
• miss-delegate
• move-items
• move-section-index-to-property
• move-uicv-out-of-list-adapter
• moves-deleted
• multiple-delete
• negative-sizes
• new-generate-code
• new-world
• newline
• nit-tests
• objc-fixup
• optional-crash
• organize
• patch-1
• patch-2
• path-description
• pr-1284-cleanup
• project-fixups
• protocol-gone-readme
• protocolize-list-view
• rawlinxx-master
• readme-refine
• readme-tweaks
• readme_starter_tasks
• refine-changelog
• refine-demo-apps
• regen-docs
• relax_swiftlint
• release-2.1.0
• release-2.x
• release-4.0-tableview-support
• reload-bug
• reload-tests
• remove-lint
• remove___IPHONE_11_0
• remove_intercepted_duplicate_seletor
• remove_ios8_system_version
• remove_unused_headers
• remove_useless_system_version
• retain-cycle
• scroll-bottom-inset
• section-index-reset-on-adapter-dealloc
• simpler-travis
• slather-exclude
• small-refactoring
• stable
• stack-demo
• stack-offset
• stacked-working
• supplementary-example
• support_catalyst
• suppress-travis-warning
• swift-refinements
• swift4
• test-coverage
• test-cycle
• tests
• tracking
• travis
• travis-omfg
• travis-patch
• travis-update
• tvOS-support
• tvOS-tests
• tvos-tests
• ui-tests
• uicv-dump
• unbreak
• unused
• update-background-diffing-queue-priority
• update-changelog
• update-crash
• update-docs
• update-issue-template
• update-travis
• update-versions
• updater-tests
• upgrade-cocoapods
• use-cocoapods-cdn
• vision
• weak-uicv

Build # 25202427585

Build Type

push

github

Committed by meta-codesync[bot]

Commit Message

Fix heap corruption crash from concurrent array mutation during diff (#1578)

Summary:
Fixes https://github.com/Instagram/IGListKit/issues/1578

Callers of `IGListDiff`/`IGListDiffPaths` may pass `NSMutableArray` instances backed by collections that are mutated on other threads. Because the diffing algorithm uses `__unsafe_unretained` pointers internally for performance, concurrent mutation can cause use-after-free heap corruption — typically manifesting as:

```
malloc: Incorrect checksum for freed object: probably modified after being freed.
```

inside `std::deque::push_back` during the entry `oldIndexes` stack growth.

This change adds `[oldArray copy]` and `[newArray copy]` at the top of `IGListDiffing()`. For immutable `NSArray` inputs this is a no-op retain with zero overhead. For `NSMutableArray` inputs it creates an immutable snapshot, narrowing the race window from the entire O(n+m) diff to just the `-copy` call.

This is a best-effort mitigation — callers are still responsible for not mutating the source array concurrently since `-[NSMutableArray copy]` itself is not atomic.

Differential Revision: D101205956

fbshipit-source-id: 514ebbef1

Coverage Stats

2 of 2 new or added lines in 1 file covered. (100.0%)

4508 of 4562 relevant lines covered (98.82%)

703.73 hits per line