fix(replay): add explicit ComposeRect type reference to prevent DexGuard stripping #5505
sentry-junior[bot] wants to merge 1 commit into
…ard stripping

Under aggressive obfuscation (e.g. DexGuard), androidx.compose.ui.geometry.Rect was only present as an implicit return type of localBoundingBoxOf() and had no direct import. DexGuard could strip or rename the class, leaving ComposeViewHierarchyNode with an unresolvable type reference at runtime, causing a fatal VerifyError. Adding an explicit import alias and annotating the bounds variable with the concrete type creates a hard bytecode reference that obfuscation tools will preserve.

Fixes #5497

Co-authored-by: no <nelson.osacky@sentry.io>
Instructions and example for changelog

Please add an entry to Example:

```
## Unreleased
### Fixes
- add explicit ComposeRect type reference to prevent DexGuard stripping ([#5505](https://github.com/getsentry/sentry-java/pull/5505))
```

If none of the above apply, you can opt out of this check by adding

| @@ -169,7 +170,9 @@ internal fun LayoutCoordinates.boundsInWindow(rootCoordinates: LayoutCoordinates | |||
|
|
|||
| // pass clipBounds explicitly to avoid the `localBoundingBoxOf$default` bridge that AGP 8.13's D8 | |||
| // desugars inconsistently on minSdk < 24 | |||
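
Review bot: at the `bounds` assignment that follows these two comments, make sure the explicit `ComposeRect` annotation carries its own comment saying it exists to survive DexGuard, in the same style as the `clipBounds` note above; otherwise a later cleanup will remove it as a redundant type. Since the description says no automated test covers this, also consider a keep rule for `androidx.compose.ui.geometry.Rect` in the module's consumer shrinker rules, so the fix does not depend on how an obfuscator treats a local variable's declared type.
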
io.sentry.android.replay.util.Nodes — The boundsInWindow function is documented as "A faster copy of" the androidx LayoutCoordinates.kt implementation and includes a source URL, but is missing a copyright holder (e.g. Copyright (C) The Android Open Source Project) and a license name (e.g. Apache License, Version 2.0). Both are required attribution fields for vendored code.
Evidence
- The function docstring at lines ~155–165 (context before hunk) reads `A faster copy of https://github.com/androidx/androidx/blob/fc7df0dd68466ac3bb16b1c79b7a73dd0bfdd4c1/compose/ui/ui/src/commonMain/kotlin/androidx/compose/ui/layout/LayoutCoordinates.kt#L187` — vendoring origin phrase and source URL are present.
- Neither the docstring nor the file header (first 50 lines: imports and `ComposeTextLayout`) contains a copyright holder or license name for this copied code.
- The androidx codebase is Apache 2.0 licensed; the copyright holder is The Android Open Source Project.
- All four required fields must be physically present in the file/docstring header; two are absent.
Identified by Warden check-code-attribution · PW4-M9D
Performance metrics 🚀
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 62b579c | 349.26 ms | 426.26 ms | 77.00 ms |
| d501a7e | 348.06 ms | 431.42 ms | 83.36 ms |
| cf708bd | 434.73 ms | 502.96 ms | 68.22 ms |
| 2195398 | 351.77 ms | 433.22 ms | 81.45 ms |
| cf708bd | 408.35 ms | 458.98 ms | 50.63 ms |
| e2dce0b | 308.96 ms | 360.10 ms | 51.14 ms |
| 5dee26b | 336.02 ms | 402.62 ms | 66.60 ms |
| 4c04bb8 | 333.16 ms | 408.16 ms | 75.00 ms |
| a1eadfa | 345.67 ms | 411.26 ms | 65.59 ms |
| 5b1a06b | 352.27 ms | 413.70 ms | 61.43 ms |
App size
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 62b579c | 0 B | 0 B | 0 B |
| d501a7e | 0 B | 0 B | 0 B |
| cf708bd | 1.58 MiB | 2.11 MiB | 539.71 KiB |
| 2195398 | 0 B | 0 B | 0 B |
| cf708bd | 1.58 MiB | 2.11 MiB | 539.71 KiB |
| e2dce0b | 0 B | 0 B | 0 B |
| 5dee26b | 0 B | 0 B | 0 B |
| 4c04bb8 | 0 B | 0 B | 0 B |
| a1eadfa | 0 B | 0 B | 0 B |
| 5b1a06b | 0 B | 0 B | 0 B |
Problem
Under aggressive obfuscation (e.g. DexGuard), `androidx.compose.ui.geometry.Rect` had no explicit import in `Nodes.kt` — it only appeared as the implicit return type of `localBoundingBoxOf()`. DexGuard can strip or rename a class that it doesn't see referenced by name, leaving `ComposeViewHierarchyNode` with an unresolvable type at runtime and causing a fatal `VerifyError` on load.

This was hitting at least one enterprise account (~20K users) who had to disable Session Replay on affected versions as a mitigation.
Fix
Add an explicit import alias (`androidx.compose.ui.geometry.Rect as ComposeRect`) and annotate the `bounds` local variable with the concrete type. This creates a direct bytecode reference that obfuscation tools will preserve.

Verification
No automated test can cover DexGuard-specific bytecode behavior, but the change is compile-verified (the explicit type annotation will fail to compile if the import is wrong or the return type changes) and is the minimal correct fix for the root cause identified in the issue.
Fixes #5497
Action taken on behalf of Nelson Osacky.