Network framework crashes from nw_browser_cancel call

Hi,

I'm using the Network framework to browse for devices on the local network. Unfortunately, I get many crash reports that crash in nw_browser_cancel, of which two are attached.

This discussion seems to have a similar issue, but it was never resolved: https://forums.developer.apple.com/forums/thread/696037

Contrary to the situation in the linked thread, my implementation uses DispatchQueue.main as the queue for the browser, so I don't think over-releasing the queue is the problem.

I am unable to reproduce this problem myself, but one of my users can reproduce it reliably it seems.

How can I resolve this crash?

Incident Identifier: 606A5C22-6BDA-424E-A2A7-4A551A66E16B
Distributor ID:      com.apple.TestFlight
Hardware Model:      iPhone15,4
Process:             MotionMount [11973]
Path:                /private/var/containers/Bundle/Application/83F4BFFB-914B-4187-BE25-DC1E7CF89745/MotionMount.app/MotionMount
Identifier:          com.vogels.pi.MotionMountUno
Version:             3.0.4 (25)
AppStoreTools:       16B39
AppVariant:          1:iPhone15,4:17.4
Beta:                YES
Code Type:           ARM-64 (Native)
Role:                Foreground
Parent Process:      launchd [1]
Coalition:           com.vogels.pi.MotionMountUno [7819]

Date/Time:           2024-11-10 14:24:35.3886 +0100
Launch Time:         2024-11-10 14:24:34.8655 +0100
OS Version:          iPhone OS 17.5.1 (21F90)
Release Type:        User
Baseband Version:    1.60.02
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000054
Exception Codes: 0x0000000000000001, 0x0000000000000054
VM Region Info: 0x54 is not in any region.  Bytes before following region: 4370857900
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                   104860000-10494c000 [  944K] r-x/r-x SM=COW  /var/containers/Bundle/Application/83F4BFFB-914B-4187-BE25-DC1E7CF89745/MotionMount.app/MotionMount
Termination Reason: SIGNAL 11 Segmentation fault: 11
Terminating Process: exc handler [11973]

Triggered by Thread:  0


Thread 0 name:
Thread 0 Crashed:
0   libdispatch.dylib             	0x000000019a7127d8 dispatch_async + 192 (queue.c:940)
1   Network                       	0x00000001934ace50 nw_browser_set_state_locked + 552 (browser.m:390)
2   Network                       	0x00000001934b5f64 nw_browser_cancel + 484 (browser.m:1768)
3   MotionMount                   	0x000000010487b348 LanDiscoveryService.stopDiscovery() + 100 (LanDiscoveryService.swift:41)
4   MotionMount                   	0x000000010487b348 MotionMountManager.stopDiscovery() + 276 (MotionMountManager.swift:83)
5   MotionMount                   	0x000000010493a6e8 closure #3 in MountListView.body.getter + 324 (MountListView.swift:126)
6   SwiftUI                       	0x0000000196946aac _ValueActionModifier2.sendAction(old:) + 520 (ValueActionModifier.swift:533)
7   SwiftUI                       	0x000000019694688c partial apply for closure #2 in ValueActionDispatcher.updateValue() + 132 (:0)
8   SwiftUI                       	0x000000019689b4e8 thunk for @escaping @callee_guaranteed () -> () + 28 (:0)
9   SwiftUI                       	0x000000019689abc0 closure #2 in closure #1 in ViewRendererHost.render(interval:updateDisplayList:) + 2088 (ViewRendererHost.swift:249)
10  SwiftUI                       	0x000000019689964c closure #1 in ViewRendererHost.render(interval:updateDisplayList:) + 660 (ViewRendererHost.swift:235)
11  SwiftUI                       	0x0000000196897d7c ViewRendererHost.render(interval:updateDisplayList:) + 408 (:0)
12  SwiftUI                       	0x0000000196897b0c _UIHostingView.layoutSubviews() + 332 (UIHostingView.swift:1127)
13  SwiftUI                       	0x00000001967acc6c @objc _UIHostingView.layoutSubviews() + 36 (:0)
14  UIKitCore                     	0x0000000194a76a4c -[UIView(CALayerDelegate) layoutSublayersOfLayer:] + 1528 (UIView.m:20054)
15  QuartzCore                    	0x0000000193ed53b4 CA::Layer::layout_if_needed(CA::Transaction*) + 504 (CALayer.mm:10816)
16  QuartzCore                    	0x0000000193ed4f38 CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 148 (CALayer.mm:2598)
17  QuartzCore                    	0x0000000193f300e0 CA::Context::commit_transaction(CA::Transaction*, double, double*) + 464 (CAContextInternal.mm:2760)
18  QuartzCore                    	0x0000000193ea5028 CA::Transaction::commit() + 648 (CATransactionInternal.mm:432)
19  QuartzCore                    	0x0000000193eeed7c CA::Transaction::flush_as_runloop_observer(bool) + 88 (CATransactionInternal.mm:942)
20  UIKitCore                     	0x0000000194b1fff4 _UIApplicationFlushCATransaction + 52 (UIApplication.m:3181)
21  UIKitCore                     	0x0000000194b1d76c _UIUpdateSequenceRun + 84 (_UIUpdateSequence.mm:119)
22  UIKitCore                     	0x0000000194b1d3b0 schedulerStepScheduledMainSection + 172 (_UIUpdateScheduler.m:1058)
23  UIKitCore                     	0x0000000194b1e254 runloopSourceCallback + 92 (_UIUpdateScheduler.m:1221)
24  CoreFoundation                	0x000000019283b834 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28 (CFRunLoop.c:1957)
25  CoreFoundation                	0x000000019283b7c8 __CFRunLoopDoSource0 + 176 (CFRunLoop.c:2001)
26  CoreFoundation                	0x0000000192839298 __CFRunLoopDoSources0 + 244 (CFRunLoop.c:2038)
27  CoreFoundation                	0x0000000192838484 __CFRunLoopRun + 828 (CFRunLoop.c:2955)
28  CoreFoundation                	0x0000000192837cd8 CFRunLoopRunSpecific + 608 (CFRunLoop.c:3420)
29  GraphicsServices              	0x00000001d76e81a8 GSEventRunModal + 164 (GSEvent.c:2196)
30  UIKitCore                     	0x0000000194e7090c -[UIApplication _run] + 888 (UIApplication.m:3713)
31  UIKitCore                     	0x0000000194f249d0 UIApplicationMain + 340 (UIApplication.m:5303)
32  SwiftUI                       	0x0000000196a28148 closure #1 in KitRendererCommon(_:) + 168 (UIKitApp.swift:51)
33  SwiftUI                       	0x00000001969d4714 runApp<A>(_:) + 152 (UIKitApp.swift:14)
34  SwiftUI                       	0x00000001969e04d0 static App.main() + 132 (App.swift:114)
35  MotionMount                   	0x000000010494e960 static MotionMountApp.$main() + 144 (MotionMountApp.swift:0)
36  MotionMount                   	0x000000010494e960 main + 160
37  dyld                          	0x00000001b5ee9e4c start + 2240 (dyldMain.cpp:1298)

Thread 1:
0   libsystem_pthread.dylib       	0x00000001ef6bc0c4 start_wqthread + 0 (:-1)

Thread 2:
0   libsystem_pthread.dylib       	0x00000001ef6bc0c4 start_wqthread + 0 (:-1)

Thread 3:
0   libsystem_pthread.dylib       	0x00000001ef6bc0c4 start_wqthread + 0 (:-1)

Thread 4:
0   libsystem_pthread.dylib       	0x00000001ef6bc0c4 start_wqthread + 0 (:-1)

Thread 5:
0   libsystem_pthread.dylib       	0x00000001ef6bc0c4 start_wqthread + 0 (:-1)

Thread 6:
0   libsystem_pthread.dylib       	0x00000001ef6bc0c4 start_wqthread + 0 (:-1)

Thread 7 name:
Thread 7:
0   libsystem_kernel.dylib        	0x00000001db918808 mach_msg2_trap + 8 (:-1)
1   libsystem_kernel.dylib        	0x00000001db91c008 mach_msg2_internal + 80 (mach_msg.c:201)
2   libsystem_kernel.dylib        	0x00000001db91bf20 mach_msg_overwrite + 436 (mach_msg.c:0)
3   libsystem_kernel.dylib        	0x00000001db91bd60 mach_msg + 24 (mach_msg.c:323)
4   CoreFoundation                	0x0000000192838f5c __CFRunLoopServiceMachPort + 160 (CFRunLoop.c:2624)
5   CoreFoundation                	0x0000000192838600 __CFRunLoopRun + 1208 (CFRunLoop.c:3007)
6   CoreFoundation                	0x0000000192837cd8 CFRunLoopRunSpecific + 608 (CFRunLoop.c:3420)
7   Foundation                    	0x0000000191758e4c -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212 (NSRunLoop.m:373)
8   Foundation                    	0x0000000191758c9c -[NSRunLoop(NSRunLoop) runUntilDate:] + 64 (NSRunLoop.m:420)
9   UIKitCore                     	0x0000000194e84640 -[UIEventFetcher threadMain] + 420 (UIEventFetcher.m:1207)
10  Foundation                    	0x000000019176f718 __NSThread__start__ + 732 (NSThread.m:991)
11  libsystem_pthread.dylib       	0x00000001ef6c106c _pthread_start + 136 (pthread.c:931)
12  libsystem_pthread.dylib       	0x00000001ef6bc0d8 thread_start + 8 (:-1)

Thread 8:
0   libsystem_pthread.dylib       	0x00000001ef6bc0c4 start_wqthread + 0 (:-1)


Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000303b7f9c0   x1: 0x000000016b59b2c0   x2: 0x000000016b59b2c0   x3: 0x0000000303b7f9fc
    x4: 0x0000000000000004   x5: 0x00000000000039c0   x6: 0x0000000000000000   x7: 0x0000000000000000
    x8: 0x00000000000010ff   x9: 0x0000000000000000  x10: 0x0000000000001200  x11: 0x00000003020fc8a8
   x12: 0x0000000043000006  x13: 0x00000000001ff800  x14: 0x00000000000007fb  x15: 0x000000008b4150e8
   x16: 0x000000019a70c11c  x17: 0x00000001934ad194  x18: 0x0000000000000000  x19: 0x0000000000000000
   x20: 0x0000000303b7fa40  x21: 0x000000016b59b2d0  x22: 0x00000001f355ffa0  x23: 0x0000000000000000
   x24: 0x0000000000000002  x25: 0x00000001f3586128  x26: 0x0000000300df0b60  x27: 0x00000001faaaf8d0
   x28: 0x00000001f61f7618   fp: 0x000000016b59b2a0   lr: 0x611180019a712750
    sp: 0x000000016b59b280   pc: 0x000000019a7127d8 cpsr: 0x20001000
   esr: 0x92000006 (Data Abort) byte read Translation fault


Binary Images:
        0x104860000 -         0x104a27fff MotionMount arm64  <3b329407d7af35cca1fd06081636034a> /private/var/containers/Bundle/Application/83F4BFFB-914B-4187-BE25-DC1E7CF89745/MotionMount.app/MotionMount
        0x104dbc000 -         0x104dc7fff libobjc-trampolines.dylib arm64e  <2e2c05f8377a30899ad91926d284dd03> /private/preboot/Cryptexes/OS/usr/lib/libobjc-trampolines.dylib
        0x191691000 -         0x192206fff Foundation arm64e  <3d3a12e3f5e9361fb00a4a5e8861aa55> /System/Library/Frameworks/Foundation.framework/Foundation
        0x1927e5000 -         0x192d12fff CoreFoundation arm64e  <00e76a98210c3cb5930bf236807ff24c> /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
        0x192d13000 -         0x19391afff Network arm64e  <3b346129ab2a364a8109b53646eb1f80> /System/Library/Frameworks/Network.framework/Network
        0x193e57000 -         0x1941e4fff QuartzCore arm64e   /System/Library/Frameworks/QuartzCore.framework/QuartzCore
        0x194a66000 -         0x196586fff UIKitCore arm64e  <1741fa374e53371e8daed611aab0043d> /System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore
        0x196634000 -         0x1983d2fff SwiftUI arm64e   /System/Library/Frameworks/SwiftUI.framework/SwiftUI
        0x19a70a000 -         0x19a750fff libdispatch.dylib arm64e  <81d355df266a3010bab8113b76a206c1> /usr/lib/system/libdispatch.dylib
        0x1b5ead000 -         0x1b5f39ef7 dyld arm64e  <71846eacee653697bf7d790b6a07dcdb> /usr/lib/dyld
        0x1d76e7000 -         0x1d76effff GraphicsServices arm64e   /System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices
        0x1db917000 -         0x1db950fef libsystem_kernel.dylib arm64e  <13b5134e819c3baab3004856112114cb> /usr/lib/system/libsystem_kernel.dylib
        0x1ef6bb000 -         0x1ef6c7ff3 libsystem_pthread.dylib arm64e  <1196b6c3333d3450818ff3663484b8eb> /usr/lib/system/libsystem_pthread.dylib


Incident Identifier: A36E1A02-9FEF-4488-A62F-942F3AE6E51D
Distributor ID:      com.apple.AppStore
Hardware Model:      iPhone17,1
Process:             MotionMount [380]
Path:                /private/var/containers/Bundle/Application/25D8A8E8-22AB-49DF-BA0A-E84787DBB3A9/MotionMount.app/MotionMount
Identifier:          com.vogels.pi.MotionMountUno
Version:             3.0.3 (16)
AppStoreTools:       15F31e
AppVariant:          1:iPhone16,1:17
Code Type:           ARM-64 (Native)
Role:                Foreground
Parent Process:      launchd [1]
Coalition:           com.vogels.pi.MotionMountUno [587]

Date/Time:           2024-11-08 08:54:31.6366 +0100
Launch Time:         2024-11-08 08:53:56.9902 +0100
OS Version:          iPhone OS 18.1 (22B83)
Release Type:        User
Baseband Version:    1.11.01
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000054
Exception Codes: 0x0000000000000001, 0x0000000000000054
VM Region Info: 0x54 is not in any region.  Bytes before following region: 4339072940
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                   102a10000-102ad4000 [  784K] r-x/r-x SM=COW  /var/containers/Bundle/Application/25D8A8E8-22AB-49DF-BA0A-E84787DBB3A9/MotionMount.app/MotionMount
Termination Reason: SIGNAL 11 Segmentation fault: 11
Terminating Process: exc handler [380]

Triggered by Thread:  0


Thread 0 name:
Thread 0 Crashed:
0   libdispatch.dylib             	0x00000001aa716a7c dispatch_async + 192 (queue.c:944)
1   Network                       	0x00000001a38a8148 nw_browser_set_state_locked(NWConcrete_nw_browser*, nw_browser_state_t, NSObject*) + 560 (browser.cpp:406)
2   Network                       	0x00000001a38b3ec0 nw_browser_cancel + 484 (browser.cpp:1963)
3   MotionMount                   	0x0000000102a28290 LanDiscoveryService.stopDiscovery() + 4 (LanDiscoveryService.swift:41)
4   MotionMount                   	0x0000000102a28290 MotionMountManager.stopDiscovery() + 64 (MotionMountManager.swift:83)
5   MotionMount                   	0x0000000102ac6164 closure #2 in MountListView.body.getter + 244 (MountListView.swift:115)
6   SwiftUICore                   	0x0000000262652d10 _ValueActionModifier2.sendAction(old:) + 724 (ValueActionModifier.swift:327)
7   SwiftUICore                   	0x00000002626549d8 partial apply for closure #2 in ValueActionDispatcher.updateValue() + 208 (:0)
8   SwiftUICore                   	0x000000026235ded4 thunk for @callee_guaranteed () -> () + 28 (:0)
9   SwiftUICore                   	0x000000026235ed3c static Update.dispatchActions() + 1256 (Update.swift:189)
10  SwiftUICore                   	0x00000002628c6b40 closure #2 in closure #1 in ViewRendererHost.render(interval:updateDisplayList:targetTimestamp:) + 156 (ViewRendererHost.swift:215)
11  SwiftUICore                   	0x00000002628c6928 closure #1 in ViewRendererHost.render(interval:updateDisplayList:targetTimestamp:) + 708 (ViewRendererHost.swift:201)
12  SwiftUICore                   	0x00000002628c40d4 ViewRendererHost.render(interval:updateDisplayList:targetTimestamp:) + 556 (ViewRendererHost.swift:186)
13  SwiftUI                       	0x00000001a796657c UIHostingViewBase.layoutSubviews() + 324 (UIHostingViewBase.swift:388)
14  SwiftUI                       	0x00000001a710612c _UIHostingView.layoutSubviews() + 120 (UIHostingView.swift:686)
15  SwiftUI                       	0x00000001a70bb860 @objc _UIHostingView.layoutSubviews() + 36 (:0)
16  UIKitCore                     	0x00000001a51ad688 -[UIView(CALayerDelegate) layoutSublayersOfLayer:] + 2424 (UIView.m:19916)
17  QuartzCore                    	0x00000001a44e3c28 CA::Layer::layout_if_needed(CA::Transaction*) + 496 (CALayer.mm:10944)
18  QuartzCore                    	0x00000001a44e37b4 CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 148 (CALayer.mm:2638)
19  QuartzCore                    	0x00000001a453a914 CA::Context::commit_transaction(CA::Transaction*, double, double*) + 472 (CAContextInternal.mm:2613)
20  QuartzCore                    	0x00000001a44b97c4 CA::Transaction::commit() + 648 (CATransactionInternal.mm:420)
21  UIKitCore                     	0x00000001a53486a0 __34-[UIApplication _firstCommitBlock]_block_invoke_2 + 36 (UIApplication.m:12446)
22  CoreFoundation                	0x00000001a2a1f6e4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 28 (CFRunLoop.c:1818)
23  CoreFoundation                	0x00000001a2a0d910 __CFRunLoopDoBlocks + 356 (CFRunLoop.c:1860)
24  CoreFoundation                	0x00000001a2a0cfd4 __CFRunLoopRun + 864 (CFRunLoop.c:2971)
25  CoreFoundation                	0x00000001a2a0c830 CFRunLoopRunSpecific + 588 (CFRunLoop.c:3434)
26  GraphicsServices              	0x00000001ee9ec1c4 GSEventRunModal + 164 (GSEvent.c:2196)
27  UIKitCore                     	0x00000001a5572eb0 -[UIApplication _run] + 816 (UIApplication.m:3844)
28  UIKitCore                     	0x00000001a56215b4 UIApplicationMain + 340 (UIApplication.m:5496)
29  SwiftUI                       	0x00000001a7175f98 closure #1 in KitRendererCommon(_:) + 168 (UIKitApp.swift:68)
30  SwiftUI                       	0x00000001a7156664 runApp<A>(_:) + 100 (UIKitApp.swift:16)
31  SwiftUI                       	0x00000001a7159490 static App.main() + 180 (App.swift:121)
32  MotionMount                   	0x0000000102ad5f58 static MotionMountApp.$main() + 24 (MotionMountApp.swift:0)
33  MotionMount                   	0x0000000102ad5f58 main + 36
34  dyld                          	0x00000001c83faec8 start + 2724 (dyldMain.cpp:1334)

Thread 1:
0   libswiftCore.dylib            	0x00000001a1205724 _isNSString(_:) + 0 (StringBridge.swift:112)
1   libswiftCore.dylib            	0x00000001a1222c74 __SharedStringStorage.isEqual(to:) + 224 (StringStorageBridge.swift:341)
2   libswiftCore.dylib            	0x00000001a1222e9c @objc __SharedStringStorage.isEqual(to:) + 28 (:0)
3   CoreFoundation                	0x00000001a29c6a5c CFEqual + 744 (CFRuntime.c:0)
4   CoreFoundation                	0x00000001a2a08a74 CFCachedStringEqual + 52 (CFXNotificationRegistrar.c:210)
5   CoreFoundation                	0x00000001a2a08a0c _CFXNotificationRegistrarFindName + 108 (CFXNotificationRegistrar.c:1534)
6   CoreFoundation                	0x00000001a2a09d80 CFXNotificationRegistrarFind + 324 (CFXNotificationRegistrar.c:1612)
7   CoreFoundation                	0x00000001a2a0969c _CFXNotificationPost + 616 (CFNotificationCenter.c:1242)
8   Foundation                    	0x00000001a162cea4 -[NSNotificationCenter postNotificationName:object:userInfo:] + 92 (NSNotification.m:531)
9   Foundation                    	0x00000001a162c0d4 __NSFinalizeThreadData + 164 (NSThread.m:1145)
10  CoreFoundation                	0x00000001a2a9087c __CFTSDFinalize + 124 (CFPlatform.c:840)
11  libsystem_pthread.dylib       	0x000000022af48258 _pthread_tsd_cleanup + 620 (pthread_tsd.c:416)
12  libsystem_pthread.dylib       	0x000000022af47fc8 _pthread_exit + 84 (pthread.c:1770)
13  libsystem_pthread.dylib       	0x000000022af47f74 _pthread_wqthread_exit + 56 (pthread.c:2656)
14  libsystem_pthread.dylib       	0x000000022af47d04 _pthread_wqthread + 424 (pthread.c:2690)
15  libsystem_pthread.dylib       	0x000000022af44488 start_wqthread + 8

Thread 2:
0   libsystem_pthread.dylib       	0x000000022af44480 start_wqthread + 0

Thread 3:
0   libsystem_pthread.dylib       	0x000000022af44480 start_wqthread + 0

Thread 4:
0   libsystem_pthread.dylib       	0x000000022af44480 start_wqthread + 0

Thread 5:
0   libsystem_pthread.dylib       	0x000000022af44480 start_wqthread + 0

Thread 6:
0   libsystem_pthread.dylib       	0x000000022af44480 start_wqthread + 0

Thread 7:
0   libsystem_pthread.dylib       	0x000000022af44480 start_wqthread + 0

Thread 8 name:
Thread 8:
0   libsystem_kernel.dylib        	0x00000001f2dce688 mach_msg2_trap + 8
1   libsystem_kernel.dylib        	0x00000001f2dd1d98 mach_msg2_internal + 80 (mach_msg.c:201)
2   libsystem_kernel.dylib        	0x00000001f2dd1cb0 mach_msg_overwrite + 424 (mach_msg.c:0)
3   libsystem_kernel.dylib        	0x00000001f2dd1afc mach_msg + 24 (mach_msg.c:323)
4   CoreFoundation                	0x00000001a2a0da84 __CFRunLoopServiceMachPort + 160 (CFRunLoop.c:2637)
5   CoreFoundation                	0x00000001a2a0d130 __CFRunLoopRun + 1212 (CFRunLoop.c:3021)
6   CoreFoundation                	0x00000001a2a0c830 CFRunLoopRunSpecific + 588 (CFRunLoop.c:3434)
7   Foundation                    	0x00000001a16b4500 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212 (NSRunLoop.m:373)
8   Foundation                    	0x00000001a16b4350 -[NSRunLoop(NSRunLoop) runUntilDate:] + 64 (NSRunLoop.m:420)
9   UIKitCore                     	0x00000001a5586358 -[UIEventFetcher threadMain] + 420 (UIEventFetcher.m:1241)
10  Foundation                    	0x00000001a16c56c8 __NSThread__start__ + 724 (NSThread.m:991)
11  libsystem_pthread.dylib       	0x000000022af4937c _pthread_start + 136 (pthread.c:931)
12  libsystem_pthread.dylib       	0x000000022af44494 thread_start + 8

Thread 9:
0   libsystem_pthread.dylib       	0x000000022af44480 start_wqthread + 0

Thread 10:
0   libsystem_pthread.dylib       	0x000000022af44480 start_wqthread + 0

Thread 11:
0   libsystem_pthread.dylib       	0x000000022af44480 start_wqthread + 0


Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x00000003036a0440   x1: 0x000000016d3ea9d0   x2: 0x000000016d3ea9d0   x3: 0x00000003036a047c
    x4: 0x0000000000000000   x5: 0x00000000c141a812   x6: 0x0000000000000000   x7: 0x0000000000000000
    x8: 0x00000000000010ff   x9: 0x0000000000000000  x10: 0x0000000000000003  x11: 0x0000000302db2198
   x12: 0x0000000043000006  x13: 0x00000003021a28d8  x14: 0x00000000001ff800  x15: 0x00000000000007fb
   x16: 0x00000001aa710350  x17: 0x00000001a38a85b0  x18: 0x0000000000000000  x19: 0x0000000000000000
   x20: 0x00000003036a1680  x21: 0x000000016d3ea9e0  x22: 0x00000002067e5120  x23: 0x0000000000000000
   x24: 0x000000016d3ea9d0  x25: 0x000000016d3eae70  x26: 0x00000002088a65d8  x27: 0x000000016d3eaea0
   x28: 0x000000010a2906e8   fp: 0x000000016d3ea9a0   lr: 0xe75f8001aa7169f4
    sp: 0x000000016d3ea980   pc: 0x00000001aa716a7c cpsr: 0x20000000
   esr: 0x92000006 (Data Abort) byte read Translation fault


Binary Images:
        0x102a10000 -         0x102ba7fff MotionMount arm64  <134979d4bd5230c49cc8933db86bae8b> /private/var/containers/Bundle/Application/25D8A8E8-22AB-49DF-BA0A-E84787DBB3A9/MotionMount.app/MotionMount
        0x103720000 -         0x10372bfff libobjc-trampolines.dylib arm64e  <35a44678195b39c2bdd7072893564b45> /private/preboot/Cryptexes/OS/usr/lib/libobjc-trampolines.dylib
        0x19fcf8000 -         0x19fd48d5f libobjc.A.dylib arm64e  <1608892e67db3f949fc291492b86c95f> /usr/lib/libobjc.A.dylib
        0x1a0fe5000 -         0x1a1586fff libswiftCore.dylib arm64e  <1ae81ac9024c33c59e78ccfa639c5f06> /usr/lib/swift/libswiftCore.dylib
        0x1a15fd000 -         0x1a230afff Foundation arm64e  <6d0212cc3b9e32c9be2072989ce3acb8> /System/Library/Frameworks/Foundation.framework/Foundation
        0x1a29ba000 -         0x1a2efcfff CoreFoundation arm64e  <1532d3d89b3b3f2fb35f55a20ddf411b> /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
        0x1a2efd000 -         0x1a3e8afff Network arm64e  <440571df71ec386eaeeba272b6d25c8a> /System/Library/Frameworks/Network.framework/Network
        0x1a446b000 -         0x1a4810fff QuartzCore arm64e   /System/Library/Frameworks/QuartzCore.framework/QuartzCore
        0x1a51a0000 -         0x1a7073fff UIKitCore arm64e  <575e5140fa6a37c2b00ba4eacedfda53> /System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore
        0x1a7074000 -         0x1a8368fff SwiftUI arm64e  <9f67c19cfcde3e979fc23bba36998297> /System/Library/Frameworks/SwiftUI.framework/SwiftUI
        0x1aa70e000 -         0x1aa753fff libdispatch.dylib arm64e  <7de7ec03cfb7349d9b9e8782b38f231d> /usr/lib/system/libdispatch.dylib
        0x1c83c7000 -         0x1c844a99f dyld arm64e  <3060d36a16ce3c3a92583881459f5714> /usr/lib/dyld
        0x1ee9eb000 -         0x1ee9f3fff GraphicsServices arm64e  <8425ea11000e3e5e8abcbddf3ff3fa32> /System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices
        0x1f2dcd000 -         0x1f2e06ff3 libsystem_kernel.dylib arm64e   /usr/lib/system/libsystem_kernel.dylib
        0x22af43000 -         0x22af4fff3 libsystem_pthread.dylib arm64e  <3ca98e388eee3c269862c5f66aad93c0> /usr/lib/system/libsystem_pthread.dylib
        0x261eb9000 -         0x262a47fff SwiftUICore arm64e   /System/Library/Frameworks/SwiftUICore.framework/SwiftUICore

Answered by DTS Engineer in 813797022

I’m looking at your second crash, which is easier for me to investigate because it’s on 18.1. In that I see this:

Thread 0 name:
Thread 0 Crashed:
0   libdispatch.dylib … dispatch_async + 192 (queue.c:944)
1   Network           … nw_browser_set_state_locked(NWConcrete_nw_browser*, nw_browser_state_t, NSObject*) + 560 (browser.cpp:406)
2   Network           … nw_browser_cancel + 484 (browser.cpp:1963)
3   MotionMount       … LanDiscoveryService.stopDiscovery() + 4 (LanDiscoveryService.swift:41)

Your code (frame 3) called nw_browser_cancel (frame 2) which is setting the state to nw_browser_state_cancelled (frame 1) which is trying to deliver the state change to your state update handler.

Disassembling dispatch_async I see this:

(lldb) disas -n dispatch_async
libdispatch.dylib`dispatch_async:
    …
    0x19ad2ea7c <+192>: ldr    w9, [x19, #0x54]

Note the instruction at +192 is accessing 0x54 bytes off x19. That matches the crashing memory address:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000054

assuming that x19 is zero, which it is:

Thread 0 crashed with ARM Thread State (64-bit):
    …
   x16: 0x000000019a70c11c  …  x19: 0x0000000000000000

Looking further up the disassembly I see this:

(lldb) disas -n dispatch_async
libdispatch.dylib`dispatch_async:
    0x19ad2e9bc <+0>:   pacibsp 
    0x19ad2e9c0 <+4>:   stp    x22, x21, [sp, #-0x30]!
    0x19ad2e9c4 <+8>:   stp    x20, x19, [sp, #0x10]
    0x19ad2e9c8 <+12>:  stp    x29, x30, [sp, #0x20]
    0x19ad2e9cc <+16>:  add    x29, sp, #0x20
    0x19ad2e9d0 <+20>:  mov    x21, x1
    0x19ad2e9d4 <+24>:  mov    x19, x0
    …
    0x19ad2ea7c <+192>: ldr    w9, [x19, #0x54]

At +24 it sets x19 to x0, where x0 is the first input parameter. So Network framework has called dispatch_async with a NULL queue parameter! That’s not good.

Originally I thought that this must be some sort of race condition or memory corruption issue, but after staring at the code for a while I believe that it’s a logic bug in nw_browser. If you build and run this code, you’ll see the same crash:

#import <Network/Network.h>

// Reproduction: a browser with a state handler but no queue, then cancelled.
nw_browse_descriptor_t descriptor = nw_browse_descriptor_create_bonjour_service("_ssh._tcp", nil);
nw_parameters_t parameters = nw_parameters_create();
nw_browser_t browser = nw_browser_create(descriptor, parameters);
nw_browser_set_state_changed_handler(browser, ^(nw_browser_state_t state, nw_error_t _Nullable error) {
    // do nothing
});
// nw_browser_set_queue(browser, dispatch_get_main_queue());
nw_browser_cancel(browser);

Note the commented out line, meaning that the code sets a state update handler but doesn’t set a queue. So when nw_browser_cancel goes to set the state to nw_browser_state_cancelled, nw_browser_set_state_locked tries to call the state update handler on… well… no queue.

I filed my own bug report about this (r. 139710124).

I’m not sure if that’s the only cause of this bug, but I recommend that you audit your code to make sure it can’t ever trigger this bug.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for your detailed answer.

I have the following code in the LanDiscoveryService:

    init() {
        setupBrowser()
    }

    func startDiscovery() {
        if browser == nil { setupBrowser() }
        if browser!.state == .ready { return } //Already running
        browser!.start(queue: DispatchQueue.main)
    }

    func stopDiscovery() {
        browser?.cancel()
        browser = nil
    }

If I now add a browser?.cancel() call at the end of init() I indeed get the exact same crash, so it seems that stopDiscovery() was called before startDiscovery(), which would set the queue. I'm uncertain how this can happen in my code, or why I initialised the browser in init(), so I've plenty of options to explore now to resolve this crash!

Many thanks!
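The pattern the two posts above converge on is: an NWBrowser that has a state handler attached but has never been started (so no queue is set) must not be cancelled. The following Swift service is an added example written for this thread, not the app's LanDiscoveryService and not Apple's code; the service type "_example._tcp" and the browserStarted flag are assumptions. It tracks whether start(queue:) has been called and only cancels a started browser, so stopDiscovery() before startDiscovery() is a no-op instead of a crash in nw_browser_cancel.

```swift
import Foundation
import Network

// Added example (not the thread's code): a discovery service whose stopDiscovery()
// can never cancel a browser that has not been started. Cancelling an un-started
// browser with a state handler set leads Network framework to dispatch_async onto a
// NULL queue, which is the EXC_BAD_ACCESS at 0x54 shown in the crash reports above.
final class LanDiscoveryService {
    // Hypothetical Bonjour service type; the real app's type is not in the thread.
    private let serviceType = "_example._tcp"
    private var browser: NWBrowser?
    // True once start(queue:) has been called on the current browser instance.
    private var browserStarted = false

    // Callback for the current set of discovered services.
    var onResults: ((Set<NWBrowser.Result>) -> Void)?

    private func makeBrowser() -> NWBrowser {
        let descriptor = NWBrowser.Descriptor.bonjour(type: serviceType, domain: nil)
        let parameters = NWParameters()
        parameters.includePeerToPeer = true
        let browser = NWBrowser(for: descriptor, using: parameters)
        // The handler is set before the queue, exactly as in the crashing case;
        // what protects us is that cancel() is only ever called after start(queue:).
        browser.stateUpdateHandler = { state in
            switch state {
            case .failed(let error):
                NSLog("LAN browser failed: \(error)")
            case .cancelled:
                NSLog("LAN browser cancelled")
            default:
                break
            }
        }
        browser.browseResultsChangedHandler = { [weak self] results, _ in
            self?.onResults?(results)
        }
        return browser
    }

    func startDiscovery() {
        if browserStarted { return }          // already running
        let browser = self.browser ?? makeBrowser()
        self.browser = browser
        browser.start(queue: .main)           // the queue is set here and nowhere else
        browserStarted = true
    }

    func stopDiscovery() {
        // Only a started browser has a queue; anything else is simply dropped.
        guard browserStarted, let browser = browser else {
            self.browser = nil
            return
        }
        browser.cancel()
        browserStarted = false
        self.browser = nil
    }
}
```

The browser is created lazily inside startDiscovery() rather than in init(), so there is no window in which an object exists with a handler and no queue; the flag is a belt-and-braces guard for the case where a caller's view lifecycle still invokes stopDiscovery() first.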
