Add guards around nativeProps usage to prevent race conditions

[OrfeasZ]

Summary:

Some third-party libraries, like react-native-reanimated, can clone nodes in a different thread while react-native is calling setNativeProps_DEPRECATED. This results in a race condition, where a stale pointer to nativeProps_DEPRECATED can be accessed, resulting in a crash. This usually manifests as a EXC_BAD_ACCESS crash on iOS. On Android it seems more rare. We've added a lock around accesses to nativeProps_DEPRECATED, but alternative options of fixing this can be considered too.

For more information see software-mansion/react-native-reanimated#7666

Changelog:

[INTERNAL] [FIXED] - Fixed crashes caused by race conditions when third-party libraries clone the shadow dom from a different thread

Test Plan:

Due to this being a race condition that only manifests in rare circumstances, it's very difficult to create a reliable reproduction case. The issue mentioned above contains ThreadSanitizer logs that demonstrate this issue. TSan no longer complains with this patch applied, and we've not seen any additional issues from it after deploying it in production over the past week.

[meta-cla]

Hi @OrfeasZ!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

[meta-cla]

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

[renyufei8023]

rn0.81.1 still has this issue, when will we merge it?

[bartlomiejbloniarz]

@cipolleschi Hi! Could we have someone look at this? I think it could also be a problem for c++ animated.

[ismaelsousa]

Hello, have any of you had any problems with the patch so far?

[Edited - 22 Sep]
I will release it today for my users

[ismaelsousa]

I patched locally and released it to my users so far, so great, no more crashes 🎉
Someone from meta really needs to look at this. I was having a 23% crash rate in the users' sections

[javache]

Any reason this needs to be a recursive mutex instead of a plain one?

Does this need to be ShadowNodeFamily scoped, or would a single global mutex on UIManager be sufficient?

[OrfeasZ]

I don't know enough about the internals of react native, so took the safe approach of using a recursive one to prevent deadlocks in the case the critical path ends up trying to acquire the lock again recursively. That said, if that can't happen, it could be replaced with a regular mutex.

As for scoping, I'm not sure (again due to lack of internals knowledge). The main issue this tries to address is concurrent writes / reads to the nativeProps_DEPRECATED field, which is why I added it there, trying to keep the locking exactly to where it's needed.

[javache]

Let's stick with a normal mutex here - I don't see any way this could be re-entrant.

[OrfeasZ]

@javache Could we get an update on this? Is there anything I should change so we can get this merged?

[michael-tugby]

@javache Could we get an update on this? We need this fix for our project.