[fuchsia] SceneHostBindings are no longer thread locals

Prior to this change SceneHostBindinds was a ThreadLocal but the
intention was for it to be IsolateLocal. Given that dart
could collect this map on a non-UI thread this caused
use-after-free issues.

This change fixes it by making it keyed on isolate and koid
this is not the ideal solution, this would exist on
dart isolate group data struct. Given that Fuchsia is moving
to use the embedder API, the decision to use this temporary
work around was made.

fixes flutter/flutter#49738

Author: Kaushik Iska

lib/ui/compositing/scene_host.cc

@@ -10,33 +10,49 @@
 #include <third_party/tonic/dart_binding_macros.h>
 #include <third_party/tonic/logging/dart_invoke.h>
 
+#include "dart/runtime/include/dart_api.h"
 #include "flutter/flow/view_holder.h"
 #include "flutter/fml/thread_local.h"
 #include "flutter/lib/ui/ui_dart_state.h"
 
 namespace {
 
-using SceneHostBindings = std::unordered_map<zx_koid_t, flutter::SceneHost*>;
+struct SceneHostBindingKey {
+  Dart_Isolate associated_isolate;
+  zx_koid_t koid;
 
-FML_THREAD_LOCAL fml::ThreadLocalUniquePtr<SceneHostBindings>
-    tls_scene_host_bindings;
+  SceneHostBindingKey(const zx_koid_t koid) {
+    this->koid = koid;
+    this->associated_isolate = Dart_CurrentIsolate();
+  }
 
-void SceneHost_constructor(Dart_NativeArguments args) {
-  // This UI thread / Isolate contains at least 1 SceneHost.  Initialize the
-  // per-Isolate bindings.
-  if (tls_scene_host_bindings.get() == nullptr) {
-    tls_scene_host_bindings.reset(new SceneHostBindings());
+  bool operator==(const SceneHostBindingKey& other) const {
+    return associated_isolate == other.associated_isolate && koid == other.koid;
   }
+};
+
+struct SceneHostBindingKeyHasher {
+  std::size_t operator()(const SceneHostBindingKey& key) const {
+    std::size_t koid_hash = std::hash<zx_koid_t>()(key.koid);
+    std::size_t isolate_hash =
+        std::hash<Dart_Isolate>()(key.associated_isolate);
+    return koid_hash ^ isolate_hash;
+  }
+};
+
+using SceneHostBindings = std::unordered_map<SceneHostBindingKey,
+                                             flutter::SceneHost*,
+                                             SceneHostBindingKeyHasher>;
 
+static SceneHostBindings scene_host_bindings;
+
+void SceneHost_constructor(Dart_NativeArguments args) {
   tonic::DartCallConstructor(&flutter::SceneHost::Create, args);
 }
 
 flutter::SceneHost* GetSceneHost(scenic::ResourceId id) {
-  auto* bindings = tls_scene_host_bindings.get();
-  FML_DCHECK(bindings);
-
-  auto binding = bindings->find(id);
-  if (binding != bindings->end()) {
+  auto binding = scene_host_bindings.find(id);
+  if (binding != scene_host_bindings.end()) {
     return binding->second;
   }
 
@@ -153,11 +169,9 @@ SceneHost::SceneHost(fml::RefPtr<zircon::dart::Handle> viewHolderToken,
   // This callback will be posted as a task  when the |scenic::ViewHolder|
   // resource is created and given an id by the GPU thread.
   auto bind_callback = [scene_host = this](scenic::ResourceId id) {
-    auto* bindings = tls_scene_host_bindings.get();
-    FML_DCHECK(bindings);
-    FML_DCHECK(bindings->find(id) == bindings->end());
-
-    bindings->emplace(std::make_pair(id, scene_host));
+    FML_DCHECK(scene_host_bindings.find(id) == scene_host_bindings.end());
+    const auto key = SceneHostBindingKey(id);
+    scene_host_bindings.emplace(std::make_pair(key, scene_host));
   };
 
   // Pass the raw handle to the GPU thead; destroying a |zircon::dart::Handle|
@@ -175,9 +189,7 @@ SceneHost::SceneHost(fml::RefPtr<zircon::dart::Handle> viewHolderToken,
 }
 
 SceneHost::~SceneHost() {
-  auto* bindings = tls_scene_host_bindings.get();
-  FML_DCHECK(bindings);
-  bindings->erase(koid_);
+  scene_host_bindings.erase(koid_);
 
   gpu_task_runner_->PostTask(
       [id = koid_]() { flutter::ViewHolder::Destroy(id); });