CA::Render::~Image crash with malloc-scribble

I'm seeing a fairly repeatable crash in CoreAnimation, generally when scrolling around a collection view or pushing / popping in and out of its view controller.


The location of the crash varies, but the cause is always the same as far as I can tell: it fetches a pointer (which always seems to be 16k-aligned) from 24 bytes into some struct and derefs it, which triggers EXC_BAD_ACCESS, code=1. The pointer doesn't look obviously bad, or different to non-crashing calls, so presumably it's something that got unmapped.


The tricky thing is, I can only reproduce it on-device (iPhone 6) with malloc-scribble enabled, but I see no evidence of actually scribbling anywhere. Which leads me to believe maybe the scribbling is just exposing a race condition - a couple of times I've caught the CA Layer destructor memsetting the scribble pattern on the main thread while the crash happens on a background thread, which is suggestive.


Anyone else seen this? Do I need to worry about it?


Sample callstack (main thread):


#0  0x00000001865395f8 in CA::Render::release_shmem_bitmap(void const*, void*) ()
#1  0x0000000186528b08 in CA::Render::Image::~Image() ()
#2  0x0000000186526f74 in CA::Render::Image::release_data() const ()
#3  0x000000018651b43c in CABackingStoreReleaseImages(CABackingStore*) ()
#4  0x0000000186544c40 in backingStoreFinalize(void const*) ()
#5  0x00000001838f0c34 in CFRelease ()
#6  0x0000000186500ea4 in CA::Layer::~Layer() ()
#7  0x0000000186500ad4 in -[CALayer dealloc] ()
#8  0x00000001865008e8 in CA::Layer::free_transaction(CA::Transaction*) ()
#9  0x00000001864fc89c in CA::Transaction::commit() ()
#10 0x00000001864f5de4 in CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) ()
#11 0x00000001839cc728 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ ()
#12 0x00000001839ca4cc in __CFRunLoopDoObservers ()
#13 0x00000001838f4c70 in CFRunLoopRunSpecific ()
#14 0x00000001851dc088 in GSEventRunModal ()
#15 0x0000000188bde088 in UIApplicationMain ()
#16