Memory safety / Null-pointer dereference (crash)
Description
The commit fixes a null-dereference crash in SemanticsObject when the AccessibilityBridge is no longer alive. The patch guards all places that dereference the bridge (e.g., bridge->view()) by checking bridge liveness via isAccessibilityBridgeAlive and returns nil for UI focus targets or CGRectZero for frames when the bridge is dead. This prevents crashes that could be triggered by a stale bridge pointer, improving memory safety. A regression test was added to ensure no crash when the bridge is dead.
Proof of Concept
PoC steps:
1) Construct a SemanticsObject with a weak AccessibilityBridge, then destroy the underlying bridge so the weak pointer becomes null.
2) Call methods that used to dereference the bridge: parentFocusEnvironment, coordinateSpace, and frame.
3) Observe that no crash occurs and the results are nil or CGRectZero instead of dereferencing a null pointer.
Example (high level, reflecting the test in the patch):
// Create bridge and object
auto mock_bridge = std::make_unique<flutter::testing::MockAccessibilityBridge>();
fml::WeakPtrFactory<flutter::AccessibilityBridgeIos> factory(mock_bridge.get());
fml::WeakPtr<flutter::AccessibilityBridgeIos> bridge = factory.GetWeakPtr();
SemanticsObject* object = [[SemanticsObject alloc] initWithBridge:bridge uid:0];
// Destroy the underlying bridge
mock_bridge.reset();
// Validation (no crash, sane returns)
XCTAssertNil([object parentFocusEnvironment]);
XCTAssertNil([object coordinateSpace]);
XCTAssertTrue(CGRectEqualToRect([object frame], CGRectZero));
Commit Details
Author: LongCatIsLooong
Date: 2026-04-29 03:06 UTC
Message:
Fix `SemanticsObject` crash when bridge is nullptr (#185293)
This should fix #174853 (I have not verified myself but the bridge
availability check should prevent the potential null dereference).
## Pre-launch Checklist
- [ ] I read the [Contributor Guide] and followed the process outlined
there for submitting PRs.
- [ ] I read the [AI contribution guidelines] and understand my
responsibilities, or I am not using AI tools.
- [ ] I read the [Tree Hygiene] wiki page, which explains my
responsibilities.
- [ ] I read and followed the [Flutter Style Guide], including [Features
we expect every widget to implement].
- [ ] I signed the [CLA].
- [ ] I listed at least one issue that this PR fixes in the description
above.
- [ ] I updated/added relevant documentation (doc comments with `///`).
- [ ] I added new tests to check the change I am making, or this PR is
[test-exempt].
- [ ] I followed the [breaking change policy] and added [Data Driven
Fixes] where supported.
- [ ] All existing and new tests are passing.
If you need help, consider asking for advice on the #hackers-new channel
on [Discord].
If this change needs to override an active code freeze, provide a
comment explaining why. The code freeze workflow can be overridden by
code reviewers. See pinned issues for any active code freezes with
guidance.
**Note**: The Flutter team is currently trialing the use of [Gemini Code
Assist for
GitHub](https://developers.google.com/gemini-code-assist/docs/review-github-code).
Comments from the `gemini-code-assist` bot should not be taken as
authoritative feedback from the Flutter team. If you find its comments
useful you can update your code accordingly, but if you are unsure or
disagree with the feedback, please feel free to wait for a Flutter team
member's review for guidance on which automated comments should be
addressed.
<!-- Links -->
[Contributor Guide]:
https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#overview
[AI contribution guidelines]:
https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#ai-contribution-guidelines
[Tree Hygiene]:
https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md
[test-exempt]:
https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#tests
[Flutter Style Guide]:
https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md
[Features we expect every widget to implement]:
https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md#features-we-expect-every-widget-to-implement
[CLA]: https://cla.developers.google.com/
[flutter/tests]: https://github.com/flutter/tests
[breaking change policy]:
https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#handling-breaking-changes
[Discord]:
https://github.com/flutter/flutter/blob/main/docs/contributing/Chat.md
[Data Driven Fixes]:
https://github.com/flutter/flutter/blob/main/docs/contributing/Data-driven-Fixes.md
Triage Assessment
Vulnerability Type: Memory Safety (null dereference)
Confidence: MEDIUM
Reasoning:
The commit adds guards to prevent dereferencing a null AccessibilityBridge when the bridge is dead, which fixes a crash caused by a potential null dereference. This improves memory safety and reduces the risk of exploitation via a crash, which is a security-relevant stability fix.
Verification Assessment
Vulnerability Type: Memory safety / Null-pointer dereference (crash)
Confidence: MEDIUM
Affected Versions: Flutter engine v1.16.x prior to 1.16.3 (pre-fix).
Code Diff
diff --git a/engine/src/flutter/shell/platform/darwin/ios/framework/Source/SemanticsObject+UIFocusSystem.mm b/engine/src/flutter/shell/platform/darwin/ios/framework/Source/SemanticsObject+UIFocusSystem.mm
index c9b64f5e1656b..c21012fc40cdf 100644
--- a/engine/src/flutter/shell/platform/darwin/ios/framework/Source/SemanticsObject+UIFocusSystem.mm
+++ b/engine/src/flutter/shell/platform/darwin/ios/framework/Source/SemanticsObject+UIFocusSystem.mm
@@ -61,7 +61,7 @@ - (void)didUpdateFocusInContext:(UIFocusUpdateContext*)context
- (id<UIFocusEnvironment>)parentFocusEnvironment {
// The root SemanticsObject node's parent is the FlutterView.
- return self.parent.focusItem ?: self.bridge->view();
+ return self.parent.focusItem ?: ([self isAccessibilityBridgeAlive] ? self.bridge->view() : nil);
}
- (NSArray<id<UIFocusEnvironment>>*)preferredFocusEnvironments {
@@ -89,6 +89,9 @@ - (BOOL)canBecomeFocused {
// See also the `coordinateSpace` implementation.
// TODO(LongCatIsLooong): use CoreGraphics types.
- (CGRect)frame {
+ if (![self isAccessibilityBridgeAlive]) {
+ return CGRectZero;
+ }
SkPoint quad[4] = {SkPoint::Make(self.node.rect.left(), self.node.rect.top()),
SkPoint::Make(self.node.rect.left(), self.node.rect.bottom()),
SkPoint::Make(self.node.rect.right(), self.node.rect.top()),
@@ -159,7 +162,8 @@ - (CGRect)frame {
- (id<UICoordinateSpace>)coordinateSpace {
// A regular SemanticsObject uses the same coordinate space as its parent.
- return self.parent.coordinateSpace ?: self.bridge->view();
+ return self.parent.coordinateSpace
+ ?: ([self isAccessibilityBridgeAlive] ? self.bridge->view() : nil);
}
@end
diff --git a/engine/src/flutter/shell/platform/darwin/ios/framework/Source/SemanticsObjectTest.mm b/engine/src/flutter/shell/platform/darwin/ios/framework/Source/SemanticsObjectTest.mm
index 6750878f41be5..fee32ce72f6be 100644
--- a/engine/src/flutter/shell/platform/darwin/ios/framework/Source/SemanticsObjectTest.mm
+++ b/engine/src/flutter/shell/platform/darwin/ios/framework/Source/SemanticsObjectTest.mm
@@ -41,6 +41,22 @@ - (void)testCreate {
XCTAssertNotNil(object);
}
+- (void)testUIFocusSystemMethodsDoNotCrashWhenBridgeIsDead {
+ fml::WeakPtr<flutter::AccessibilityBridgeIos> bridge;
+ SemanticsObject* object;
+ {
+ auto mock_bridge = std::make_unique<flutter::testing::MockAccessibilityBridge>();
+ fml::WeakPtrFactory<flutter::AccessibilityBridgeIos> factory(mock_bridge.get());
+ bridge = factory.GetWeakPtr();
+ object = [[SemanticsObject alloc] initWithBridge:bridge uid:0];
+ }
+ // Now bridge is nullptr.
+
+ XCTAssertNil([object parentFocusEnvironment]);
+ XCTAssertNil([object coordinateSpace]);
+ XCTAssertTrue(CGRectEqualToRect([object frame], CGRectZero));
+}
+
- (void)testSetChildren {
fml::WeakPtrFactory<flutter::AccessibilityBridgeIos> factory(
new flutter::testing::MockAccessibilityBridge());