Crash in networking stack

[rolfbjarne]

Use this test project: #11799 (comment)

Run the project for a while (typically hours, sometimes overnight - at one point it crashed after 16 hours / just over 1.5M network requests), and it eventually crashes.

lldb shows this stack trace:

(lldb) bt
* thread #1, name = 'tid_103', queue = 'com.apple.main-thread', stop reason = signal SIGSEGV
  * frame #0: 0x000000019d9e5c34 libobjc.A.dylib`objc_msgSend + 52
    frame #1: 0x000000019da18a5c libobjc.A.dylib`objc_object::sidetable_release(bool, bool) + 292
    frame #2: 0x00000001a30f169c CFNetwork`___lldb_unnamed_symbol2909 + 32
    frame #3: 0x00000001a30f1400 CFNetwork`___lldb_unnamed_symbol2903 + 260
    frame #4: 0x000000019dab717c libsystem_blocks.dylib`_call_dispose_helpers_excp + 48
    frame #5: 0x000000019dab6f48 libsystem_blocks.dylib`_Block_release + 252
    frame #6: 0x00000001a3194e7c CFNetwork`___lldb_unnamed_symbol5273 + 28
    frame #7: 0x000000019dab717c libsystem_blocks.dylib`_call_dispose_helpers_excp + 48
    frame #8: 0x000000019dab6f48 libsystem_blocks.dylib`_Block_release + 252
    frame #9: 0x000000019dc0a3e8 libdispatch.dylib`_dispatch_client_callout + 20
    frame #10: 0x000000019dc18bb8 libdispatch.dylib`_dispatch_main_queue_drain + 988
    frame #11: 0x000000019dc187cc libdispatch.dylib`_dispatch_main_queue_callback_4CF + 44
    frame #12: 0x000000019dedb4ac CoreFoundation`__CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 16
    frame #13: 0x000000019de98c30 CoreFoundation`__CFRunLoopRun + 1996
    frame #14: 0x000000019de97e0c CoreFoundation`CFRunLoopRunSpecific + 608
    frame #15: 0x00000001a8633000 HIToolbox`RunCurrentEventLoopInMode + 292
    frame #16: 0x00000001a8632e3c HIToolbox`ReceiveNextEventCommon + 648
    frame #17: 0x00000001a8632b94 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 76
    frame #18: 0x00000001a16f0970 AppKit`_DPSNextEvent + 660
    frame #19: 0x00000001a1ee2dec AppKit`-[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 700
    frame #20: 0x00000001a16e3cb8 AppKit`-[NSApplication run] + 476
    frame #21: 0x00000001a16baf54 AppKit`NSApplicationMain + 880
    frame #22: 0x00000001a190d610 AppKit`_NSApplicationMainWithInfoDictionary + 24
    frame #23: 0x00000001b71290dc UIKitMacHelper`UINSApplicationMain + 972
    frame #24: 0x00000001cd2159b4 UIKitCore`UIApplicationMain + 148
    frame #25: 0x0000000106879854 nsurlsessionhandler`xamarin_UIApplicationMain(argc=0, argv=0x00006000028144c0, principalClassName=0x0000000000000000, delegateClassName="AppDelegate", exception_gchandle=0x000000016fdfe8e0) at bindings.m:126:10
    frame #26: 0x00000001065c6280 nsurlsessionhandler`wrapper_managed_to_native_UIKit_UIApplication_xamarin_UIApplicationMain_int_intptr_intptr_intptr_intptr_ + 176
    frame #27: 0x0000000105db9614 nsurlsessionhandler`UIKit_UIApplication_UIApplicationMain_int_string___intptr_intptr + 100
    frame #28: 0x0000000105db9948 nsurlsessionhandler`UIKit_UIApplication_Main_string___System_Type_System_Type + 280
    frame #29: 0x0000000102492d68 nsurlsessionhandler`Program__Main__string__ + 136
    frame #30: 0x000000010508ea08 nsurlsessionhandler`wrapper_runtime_invoke_object_runtime_invoke_dynamic_intptr_intptr_intptr_intptr + 296
    frame #31: 0x0000000106b8ea90 nsurlsessionhandler`mono_jit_runtime_invoke(method=<unavailable>, obj=<unavailable>, params=<unavailable>, exc=<unavailable>, error=0x000000016fdfec90) at mini-runtime.c:3636:3 [opt]
    frame #32: 0x0000000106b2f158 nsurlsessionhandler`mono_runtime_invoke_checked [inlined] do_runtime_invoke(method=0x000000011a914598, obj=0x0000000000000000, params=0x000000016fdfec30, exc=0x0000000000000000, error=0x000000016fdfec90) at object.c:2576:11 [opt]
    frame #33: 0x0000000106b2f11c nsurlsessionhandler`mono_runtime_invoke_checked(method=0x000000011a914598, obj=0x0000000000000000, params=0x000000016fdfec30, error=0x000000016fdfec90) at object.c:2792:9 [opt]
    frame #34: 0x0000000106b35494 nsurlsessionhandler`mono_runtime_exec_main_checked [inlined] do_exec_main_checked(method=0x000000011a914598, args=<unavailable>, error=0x000000016fdfec90) at object.c:0 [opt]
    frame #35: 0x0000000106b35458 nsurlsessionhandler`mono_runtime_exec_main_checked(method=0x000000011a914598, args=<unavailable>, error=0x000000016fdfec90) at object.c:4775:9 [opt]
    frame #36: 0x0000000106b35540 nsurlsessionhandler`mono_runtime_run_main_checked(method=<unavailable>, argc=<unavailable>, argv=<unavailable>, error=<unavailable>) at object.c:4339:9 [opt] [artificial]
    frame #37: 0x0000000106be1434 nsurlsessionhandler`mono_jit_exec at driver.c:1369:13 [opt]
    frame #38: 0x0000000106be1424 nsurlsessionhandler`mono_jit_exec(domain=<unavailable>, assembly=<unavailable>, argc=1, argv=0x000000016fdfed10) at driver.c:1314:7 [opt]
    frame #39: 0x00000001068a2e58 nsurlsessionhandler`xamarin_main(argc=1, argv=0x000000016fdff070, launch_mode=XamarinLaunchModeApp) at monotouch-main.m:495:8
    frame #40: 0x0000000106d47b18 nsurlsessionhandler`main(argc=1, argv=0x000000016fdff070) at main.arm64.mm:416:11
    frame #41: 0x000000019da320e0 dyld`start + 2360

manually symbolicating the stack using backtrace in lldb shows:

(lldb) parray 20 (char **) 0x000000011aa14800
(char **) $1 = 0x000000011aa14800 {
  [0] = 0x000000011aa148a0 "0   ???                                 0x000000010f58c64c 0x0 + 4552443468"
  [1] = 0x000000011aa148ec "1   nsurlsessionhandler                 0x0000000106d47ad8 main + 0"
  [2] = 0x000000011aa14930 "2   CFNetwork                           0x00000001a30f169c CFURLRequestGetMainDocumentURL + 20720"
  [3] = 0x000000011aa14992 "3   CFNetwork                           0x00000001a30f1400 CFURLRequestGetMainDocumentURL + 20052"
  [4] = 0x000000011aa149f4 "4   libsystem_blocks.dylib              0x000000019dab717c _call_dispose_helpers_excp + 48"
  [5] = 0x000000011aa14a4f "5   libsystem_blocks.dylib              0x000000019dab6f48 _Block_release + 252"
  [6] = 0x000000011aa14a9f "6   CFNetwork                           0x00000001a3194e7c CFURLCredentialStorageCopyAllCredentials + 40380"
  [7] = 0x000000011aa14b0b "7   libsystem_blocks.dylib              0x000000019dab717c _call_dispose_helpers_excp + 48"
  [8] = 0x000000011aa14b66 "8   libsystem_blocks.dylib              0x000000019dab6f48 _Block_release + 252"
  [9] = 0x000000011aa14bb6 "9   libdispatch.dylib                   0x000000019dc0a3e8 _dispatch_client_callout + 20"
  [10] = 0x000000011aa14c0f "10  libdispatch.dylib                   0x000000019dc18bb8 _dispatch_main_queue_drain + 988"
  [11] = 0x000000011aa14c6b "11  libdispatch.dylib                   0x000000019dc187cc _dispatch_main_queue_callback_4CF + 44"
  [12] = 0x000000011aa14ccd "12  CoreFoundation                      0x000000019dedb4ac __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 16"
  [13] = 0x000000011aa14d40 "13  CoreFoundation                      0x000000019de98c30 __CFRunLoopRun + 1996"
  [14] = 0x000000011aa14d91 "14  CoreFoundation                      0x000000019de97e0c CFRunLoopRunSpecific + 608"
  [15] = 0x000000011aa14de7 "15  HIToolbox                           0x00000001a8633000 RunCurrentEventLoopInMode + 292"
  [16] = 0x000000011aa14e42 "16  HIToolbox                           0x00000001a8632e3c ReceiveNextEventCommon + 648"
  [17] = 0x000000011aa14e9a "17  HIToolbox                           0x00000001a8632b94 _BlockUntilNextEventMatchingListInModeWithFilter + 76"
  [18] = 0x000000011aa14f0b "18  AppKit                              0x00000001a16f0970 _DPSNextEvent + 660"
  [19] = 0x000000011aa14f5a "19  AppKit                              0x00000001a1ee2dec -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 700"
}

Some investigation in lldb revelead:

• ___lldb_unnamed_symbol2909: [__NSCFURLSessionConnection dealloc]
• ___lldb_unnamed_symbol2903: [__NSCFURLLocalSessionConnection dealloc]
• ___lldb_unnamed_symbol5273: a block dispose method

Some more lldb info:

(lldb) disass
CFNetwork`___lldb_unnamed_symbol2909: # [__NSCFURLSessionConnection dealloc]
    0x1a30f167c <+0>:   pacibsp
    0x1a30f1680 <+4>:   sub    sp, sp, #0x30
    0x1a30f1684 <+8>:   stp    x20, x19, [sp, #0x10]
    0x1a30f1688 <+12>:  stp    x29, x30, [sp, #0x20]
    0x1a30f168c <+16>:  add    x29, sp, #0x20
    0x1a30f1690 <+20>:  mov    x19, x0
    0x1a30f1694 <+24>:  ldr    x0, [x0, #0x8]
    0x1a30f1698 <+28>:  bl     0x1a3359158               ; symbol stub for: objc_release
->  0x1a30f169c <+32>:  ldr    x0, [x19, #0x10]
    0x1a30f16a0 <+36>:  cbz    x0, 0x1a30f16ac           ; <+48>
    0x1a30f16a4 <+40>:  bl     0x1a3357578               ; symbol stub for: dispatch_release
    0x1a30f16a8 <+44>:  str    xzr, [x19, #0x10]
    0x1a30f16ac <+48>:  mov    x0, x19
    0x1a30f16b0 <+52>:  mov    x2, #0x0
    0x1a30f16b4 <+56>:  mov    w3, #0x18
    0x1a30f16b8 <+60>:  bl     0x1a33591c8               ; symbol stub for: objc_setProperty_atomic
    0x1a30f16bc <+64>:  ldr    x0, [x19, #0x28]
    0x1a30f16c0 <+68>:  cbz    x0, 0x1a30f16cc           ; <+80>
    0x1a30f16c4 <+72>:  bl     0x1a3359158               ; symbol stub for: objc_release
    0x1a30f16c8 <+76>:  str    xzr, [x19, #0x28]
    0x1a30f16cc <+80>:  ldr    x0, [x19, #0x30]
    0x1a30f16d0 <+84>:  cbz    x0, 0x1a30f16dc           ; <+96>
    0x1a30f16d4 <+88>:  bl     0x1a3357578               ; symbol stub for: dispatch_release
    0x1a30f16d8 <+92>:  str    xzr, [x19, #0x30]
    0x1a30f16dc <+96>:  adrp   x8, 424846
    0x1a30f16e0 <+100>: ldr    x8, [x8, #0x890]
    0x1a30f16e4 <+104>: stp    x19, x8, [sp]
    0x1a30f16e8 <+108>: adrp   x8, 373089
    0x1a30f16ec <+112>: add    x1, x8, #0x71f
    0x1a30f16f0 <+116>: mov    x0, sp
    0x1a30f16f4 <+120>: bl     0x1a33590f8               ; symbol stub for: objc_msgSendSuper2
    0x1a30f16f8 <+124>: ldp    x29, x30, [sp, #0x20]
    0x1a30f16fc <+128>: ldp    x20, x19, [sp, #0x10]
    0x1a30f1700 <+132>: add    sp, sp, #0x30
    0x1a30f1704 <+136>: retab


(lldb) disass
CFNetwork`___lldb_unnamed_symbol2903: # [__NSCFURLLocalSessionConnection dealloc]
    0x1a30f12fc <+0>:   pacibsp
    0x1a30f1300 <+4>:   sub    sp, sp, #0x30
    0x1a30f1304 <+8>:   stp    x20, x19, [sp, #0x10]
    0x1a30f1308 <+12>:  stp    x29, x30, [sp, #0x20]
    0x1a30f130c <+16>:  add    x29, sp, #0x20
    0x1a30f1310 <+20>:  mov    x19, x0
    0x1a30f1314 <+24>:  adrp   x8, 399283
    0x1a30f1318 <+28>:  ldrsw  x20, [x8, #0x414]
    0x1a30f131c <+32>:  ldr    x0, [x0, x20]
    0x1a30f1320 <+36>:  cbz    x0, 0x1a30f134c           ; <+80>
    0x1a30f1324 <+40>:  ldr    x16, [x0]
    0x1a30f1328 <+44>:  mov    x17, x0
    0x1a30f132c <+48>:  movk   x17, #0x81be, lsl #48
    0x1a30f1330 <+52>:  autda  x16, x17
    0x1a30f1334 <+56>:  ldr    x8, [x16, #0x8]!
    0x1a30f1338 <+60>:  mov    x9, x16
    0x1a30f133c <+64>:  mov    x17, x9
    0x1a30f1340 <+68>:  movk   x17, #0x990e, lsl #48
    0x1a30f1344 <+72>:  blraa  x8, x17
    0x1a30f1348 <+76>:  str    xzr, [x19, x20]
    0x1a30f134c <+80>:  adrp   x8, 399283
    0x1a30f1350 <+84>:  ldrsw  x20, [x8, #0x410]
    0x1a30f1354 <+88>:  ldr    x0, [x19, x20]
    0x1a30f1358 <+92>:  cbz    x0, 0x1a30f1384           ; <+136>
    0x1a30f135c <+96>:  ldr    x16, [x0]
    0x1a30f1360 <+100>: mov    x17, x0
    0x1a30f1364 <+104>: movk   x17, #0x4399, lsl #48
    0x1a30f1368 <+108>: autda  x16, x17
    0x1a30f136c <+112>: ldr    x8, [x16, #0x8]!
    0x1a30f1370 <+116>: mov    x9, x16
    0x1a30f1374 <+120>: mov    x17, x9
    0x1a30f1378 <+124>: movk   x17, #0x3f8b, lsl #48
    0x1a30f137c <+128>: blraa  x8, x17
    0x1a30f1380 <+132>: str    xzr, [x19, x20]
    0x1a30f1384 <+136>: adrp   x8, 399283
    0x1a30f1388 <+140>: ldrsw  x20, [x8, #0x41c]
    0x1a30f138c <+144>: ldr    x0, [x19, x20]
    0x1a30f1390 <+148>: cbz    x0, 0x1a30f139c           ; <+160>
    0x1a30f1394 <+152>: bl     0x1a3359158               ; symbol stub for: objc_release
    0x1a30f1398 <+156>: str    xzr, [x19, x20]
    0x1a30f139c <+160>: adrp   x8, 399283
    0x1a30f13a0 <+164>: ldrsw  x20, [x8, #0x420]
    0x1a30f13a4 <+168>: ldr    x0, [x19, x20]
    0x1a30f13a8 <+172>: cbz    x0, 0x1a30f13b4           ; <+184>
    0x1a30f13ac <+176>: bl     0x1a3357578               ; symbol stub for: dispatch_release
    0x1a30f13b0 <+180>: str    xzr, [x19, x20]
    0x1a30f13b4 <+184>: adrp   x8, 399283
    0x1a30f13b8 <+188>: ldrsw  x20, [x8, #0x424]
    0x1a30f13bc <+192>: ldr    x0, [x19, x20]
    0x1a30f13c0 <+196>: cbz    x0, 0x1a30f13cc           ; <+208>
    0x1a30f13c4 <+200>: bl     0x1a3357578               ; symbol stub for: dispatch_release
    0x1a30f13c8 <+204>: str    xzr, [x19, x20]
    0x1a30f13cc <+208>: adrp   x8, 399283
    0x1a30f13d0 <+212>: ldrsw  x20, [x8, #0x428]
    0x1a30f13d4 <+216>: ldr    x0, [x19, x20]
    0x1a30f13d8 <+220>: cbz    x0, 0x1a30f13e4           ; <+232>
    0x1a30f13dc <+224>: bl     0x1a3359158               ; symbol stub for: objc_release
    0x1a30f13e0 <+228>: str    xzr, [x19, x20]
    0x1a30f13e4 <+232>: adrp   x8, 424846
    0x1a30f13e8 <+236>: ldr    x8, [x8, #0x898]
    0x1a30f13ec <+240>: stp    x19, x8, [sp]
    0x1a30f13f0 <+244>: adrp   x8, 373089
    0x1a30f13f4 <+248>: add    x1, x8, #0x71f
    0x1a30f13f8 <+252>: mov    x0, sp
    0x1a30f13fc <+256>: bl     0x1a33590f8               ; symbol stub for: objc_msgSendSuper2
->  0x1a30f1400 <+260>: ldp    x29, x30, [sp, #0x20]
    0x1a30f1404 <+264>: ldp    x20, x19, [sp, #0x10]
    0x1a30f1408 <+268>: add    sp, sp, #0x30
    0x1a30f140c <+272>: retab

(lldb) disass
CFNetwork`___lldb_unnamed_symbol5273: # block dispose method
    0x1a3194e60 <+0>:  pacibsp
    0x1a3194e64 <+4>:  stp    x20, x19, [sp, #-0x20]!
    0x1a3194e68 <+8>:  stp    x29, x30, [sp, #0x10]
    0x1a3194e6c <+12>: add    x29, sp, #0x10
    0x1a3194e70 <+16>: mov    x19, x0
    0x1a3194e74 <+20>: ldr    x0, [x0, #0x30]
    0x1a3194e78 <+24>: bl     0x1a3359158               ; symbol stub for: objc_release
->  0x1a3194e7c <+28>: ldr    x0, [x19, #0x28]
    0x1a3194e80 <+32>: bl     0x1a3359158               ; symbol stub for: objc_release
    0x1a3194e84 <+36>: ldr    x0, [x19, #0x20]
    0x1a3194e88 <+40>: ldp    x29, x30, [sp, #0x10]
    0x1a3194e8c <+44>: ldp    x20, x19, [sp], #0x20
    0x1a3194e90 <+48>: autibsp
    0x1a3194e94 <+52>: eor    x16, x30, x30, lsl #1
    0x1a3194e98 <+56>: tbz    x16, #0x3e, 0x1a3194ea0   ; <+64>
    0x1a3194e9c <+60>: brk    #0xc471
    0x1a3194ea0 <+64>: b      0x1a3359158               ; symbol stub for: objc_release

(lldb) re re
General Purpose Registers:
        x0 = 0x000000011b8b5180
        x1 = 0x00000001fe25271f
        x2 = 0x0000600003fbe3c0
        x3 = 0x0000600003fbe3c0
        x4 = 0x0000600003fbe440
        x5 = 0x00000000000023c0
        x6 = 0x0000000000000000
        x7 = 0x0000000000000403
        x8 = 0x000000020a5f4e78  "dealloc"
        x9 = 0x000000020a5f4e78  "dealloc"
       x10 = 0x0000000400000041
       x11 = 0x0000000000000000
       x12 = 0x0000000000000000
       x13 = 0x0000000400000041
       x14 = 0x000000011b893ce0
       x15 = 0x000000011b893ce0
       x16 = 0x000000011b893ce0
       x17 = 0x0000000000000001
       x18 = 0x0000000000000000
       x19 = 0x000000011b8b5180
       x20 = 0x0000000000000001
       x21 = 0x0000000205ac7400  libobjc.A.dylib`(anonymous namespace)::SideTablesMap + 3072
       x22 = 0x0000000000000001
       x23 = 0x0000000000000104
       x24 = 0x0000000000000000
       x25 = 0x0000000205ac7ba0  dyld`_main_thread + 224
       x26 = 0x0000600003fbd100
       x27 = 0x000000000000000f
       x28 = 0x0000000000000000
        fp = 0x000000016fdfcea0
        lr = 0x000000019da18a5c  libobjc.A.dylib`objc_object::sidetable_release(bool, bool) + 292
        sp = 0x000000016fdfce50
        pc = 0x000000019d9e5c34  libobjc.A.dylib`objc_msgSend + 52
      cpsr = 0x20001000

[tipa]

I'm also seeing this crash in my app:

EXC_BAD_ACCESS
cancel > class > isEqual: >
KERN_INVALID_ADDRESS at 0x15326c8b184f08.

0   libobjc.A.dylib                 0x31e64bc20         objc_msgSend
1   MyApp12                         0x2048c8bf4         xamarin_get_frame_length (trampolines.m:570)
2   MyApp12                         0x2048cfe50         xamarin_dyn_objc_msgSend
3   MyApp12                         0x204ca0560         _Microsoft_iOS_ObjCRuntime_Messaging__CallVariadicFunction (Messaging.cs:164)
4   MyApp12                         0x204c3cd24         _Microsoft_iOS_Foundation_NSUrlSessionTask__Cancel (NSUrlSessionTask.g.cs:156)
5   MyApp12                         0x204c4b15c         _Microsoft_iOS_System_Net_Http_NSUrlSessionHandler__RemoveInflightData (NSUrlSessionHandler.cs:234)
6   MyApp12                         0x204c4f598         _Microsoft_iOS_System_Net_Http_NSUrlSessionHandler___c__DisplayClass58_0___SendAsync_b__0 (NSUrlSessionHandler.cs:543)
7   MyApp12                         0x204e1f380         _Microsoft_iOS_ObjCRuntime_Trampolines_NIDUIDeferredMenuElementCompletionHandler__Invoke (Trampolines.g.cs:51484)
8   MyApp12                         0x204e1fa08         _Microsoft_iOS_ObjCRuntime_Trampolines_NIDUIDeferredMenuElementCompletionHandler__Invoke (Trampolines.g.cs:51484)
9   MyApp12                         0x204e1eff8         _Microsoft_iOS_ObjCRuntime_Trampolines_NIDUIDeferredMenuElementCompletionHandler__Invoke (Trampolines.g.cs:51484)
10  MyApp12                         0x204e27c08         _Microsoft_iOS_ObjCRuntime_Trampolines_NIDUIDeferredMenuElementCompletionHandler__Invoke (Trampolines.g.cs:51484)
11  MyApp12                         0x204e26c68         _Microsoft_iOS_ObjCRuntime_Trampolines_NIDUIDeferredMenuElementCompletionHandler__Invoke (Trampolines.g.cs:51484)
12  MyApp12                         0x204e262b4         _Microsoft_iOS_ObjCRuntime_Trampolines_NIDUIDeferredMenuElementCompletionHandler__Invoke (Trampolines.g.cs:51484)
13  MyApp12                         0x204e25f84         _Microsoft_iOS_ObjCRuntime_Trampolines_NIDUIDeferredMenuElementCompletionHandler__Invoke (Trampolines.g.cs:51484)
14  MyApp12                         0x204ea97ec         _Microsoft_iOS_ObjCRuntime_Trampolines_NIDUIDeferredMenuElementCompletionHandler__Invoke (Trampolines.g.cs:51484)
15  MyApp12                         0x204e1d1ac         _Microsoft_iOS_ObjCRuntime_Trampolines_NIDUIDeferredMenuElementCompletionHandler__Invoke (Trampolines.g.cs:51484)
16  MyApp12                         0x204e1d71c         _Microsoft_iOS_ObjCRuntime_Trampolines_NIDUIDeferredMenuElementCompletionHandler__Invoke (Trampolines.g.cs:51484)
17  libsystem_pthread.dylib         0x432744378         _pthread_start

If this should be tracked as a separate issue, I can open one

[rolfbjarne]

@tipa yes, please file a new issue, that looks like something different.

[sleushunou]

I see a lot of crashes related to CFNetwork in my app:

Crash 1:

Thread 18 name:
Thread 18 name:
Thread 18 Crashed:
0 Gambino.IOS 0x00000001030bcd84 MSplcrash_async_thread_state_mcontext_init (in Gambino.IOS) (PLCrashAsyncThread.c:108) + 8179076
1 Gambino.IOS 0x00000001030ad440 signal_handler_callback (in Gambino.IOS) (PLCrashReporter.m:224) + 8115264
2 Gambino.IOS 0x00000001030a9820 internal_callback_iterator(int, __siginfo*, __darwin_ucontext*, void*) (in Gambino.IOS) (PLCrashSignalHandler.mm:0) + 8099872
3 Gambino.IOS 0x00000001030a9784 MSplcrash_signal_handler (in Gambino.IOS) (PLCrashSignalHandler.mm:201) + 8099716
4 libsystem_platform.dylib 0x000000022bb1dca8 _sigtramp + 56 (sigtramp.c:116)
5 libsystem_pthread.dylib 0x000000022bbcd59c pthread_kill + 268 (pthread.c:1721)
6 libsystem_c.dylib 0x00000001a8de0b08 abort + 128 (abort.c:122)
7 libsystem_malloc.dylib 0x00000001b1594b74 malloc_vreport + 896 (malloc_printf.c:251)
8 libsystem_malloc.dylib 0x00000001b15bdc00 malloc_zone_error + 100 (malloc_printf.c:319)
9 libsystem_malloc.dylib 0x00000001b15b2c30 nanov2_guard_corruption_detected + 44 (nanov2_malloc.c:2496)
10 libsystem_malloc.dylib 0x00000001b1593c6c nanov2_allocate_outlined + 460 (nanov2_malloc.c:2989)
11 libsystem_malloc.dylib 0x00000001b1593a18 nanov2_calloc_type + 568 (nanov2_malloc.c:1247)
12 libobjc.A.dylib 0x000000019e4e8e8c _objc_rootAllocWithZone + 48 (objc-runtime-new.mm:9191)
13 CFNetwork 0x00000001a24621e4 -[NSURLRequest mutableCopyWithZone:] + 84 (NSURLRequest.mm:575)
14 CFNetwork 0x00000001a2461128 -[NSURLSessionTask updateCurrentRequest:] + 44 (SessionTask.mm:1073)
15 CFNetwork 0x00000001a24c0d04 -[__NSCFLocalSessionTask _onqueue_strippedMutableRequest] + 84 (LocalSessionTask.mm:452)
16 CFNetwork 0x00000001a24c0c3c __40-[__NSURLSessionLocal taskForClassInfo:]_block_invoke_3 + 40 (LocalSession.mm:803)
17 CFNetwork 0x00000001a24c0be4 -[__NSCFLocalSessionTask _onqueue_completeInitialization] + 96 (LocalSessionTask.mm:1039)
18 CFNetwork 0x00000001a24c0b50 __26-[NSURLSessionTask resume]_block_invoke + 64 (SessionTask.mm:862)
19 libdispatch.dylib 0x00000001a8d25248 _dispatch_call_block_and_release + 32 (init.c:1549)
20 libdispatch.dylib 0x00000001a8d26fa8 _dispatch_client_callout + 20 (object.m:576)
21 libdispatch.dylib 0x00000001a8d2e5cc _dispatch_lane_serial_drain + 768 (queue.c:3934)
22 libdispatch.dylib 0x00000001a8d2f158 _dispatch_lane_invoke + 432 (queue.c:4025)
23 libdispatch.dylib 0x00000001a8d3a38c _dispatch_root_queue_drain_deferred_wlh + 288 (queue.c:7193)
24 libdispatch.dylib 0x00000001a8d39bd8 _dispatch_workloop_worker_thread + 540 (queue.c:6787)
25 libsystem_pthread.dylib 0x000000022bbc8680 _pthread_wqthread + 288 (pthread.c:2696)
26 libsystem_pthread.dylib 0x000000022bbc6474 start_wqthread + 8 (:-1)

Crash 2:

Thread 22 name:
Thread 22 Crashed:
0 libsystem_kernel.dylib 0x00000001f0dca22c __open + 8 (:-1)
1 libsystem_kernel.dylib 0x00000001f0dca218 open + 40 (open-base.c:101)
2 Gambino.IOS 0x0000000100e95018 plcrash_write_report (in Gambino.IOS) (PLCrashReporter.m:156) + 8146968
3 Gambino.IOS 0x0000000100e93e14 signal_handler_callback (in Gambino.IOS) (PLCrashReporter.m:232) + 8142356
4 Gambino.IOS 0x0000000100e901c0 internal_callback_iterator(int, __siginfo*, __darwin_ucontext*, void*) (in Gambino.IOS) (PLCrashSignalHandler.mm:0) + 8126912
5 Gambino.IOS 0x0000000100e90124 MSplcrash_signal_handler (in Gambino.IOS) (PLCrashSignalHandler.mm:201) + 8126756
6 libsystem_platform.dylib 0x000000022a255ca8 _sigtramp + 56 (sigtramp.c:116)
7 libsystem_pthread.dylib 0x000000022a30559c pthread_kill + 268 (pthread.c:1721)
8 libsystem_c.dylib 0x00000001a7518b08 abort + 128 (abort.c:122)
9 libsystem_malloc.dylib 0x00000001afcccb74 malloc_vreport + 896 (malloc_printf.c:251)
10 libsystem_malloc.dylib 0x00000001afcf5c00 malloc_zone_error + 100 (malloc_printf.c:319)
11 libsystem_malloc.dylib 0x00000001afceac30 nanov2_guard_corruption_detected + 44 (nanov2_malloc.c:2496)
12 libsystem_malloc.dylib 0x00000001afccbc6c nanov2_allocate_outlined + 460 (nanov2_malloc.c:2989)
13 libsystem_malloc.dylib 0x00000001afcc58e0 nanov2_malloc_type + 472 (nanov2_malloc.c:1144)
14 libc++abi.dylib 0x000000022a22d804 __typed_operator_new_impl[abi:ne180100](unsigned long, std::__type_descriptor_t) + 36 (stdlib_typed_new.cpp:52)
15 libc++abi.dylib 0x000000022a22d7ac $_0::operator()() const::'lambda0'(unsigned long, std::__type_descriptor_t)::__invoke(unsigned long, std::__type_descriptor_t) + 16 (stdlib_typed_new.cpp:204)
16 CFNetwork 0x00000001a0bde200 StrictSecurityPolicy::getATSExceptionForHost(__CFString const*) + 460 (StrictSecurityPolicy.cpp:1342)
17 CFNetwork 0x00000001a0befffc HTTPProtocol::copySSLPropertiesForStream(bool) + 292 (HTTPProtocol.cpp:2654)
18 CFNetwork 0x00000001a0bf47c0 HTTPProtocol::asynchronouslyCreateAndOpenStream_WithMessage_AfterCookiesAndAuthenticatorHeaders(__CFHTTPMessage*) + 1144 (HTTPProtocol.cpp:3161)
19 CFNetwork 0x00000001a0bcd728 HTTPProtocol::asynchronouslyAddAuthenticatorHeadersAndContinue(__CFHTTPMessage*) + 132 (HTTPProtocol.cpp:0)
20 CFNetwork 0x00000001a0bcd678 invocation function for block in HTTPProtocol::asynchronouslyAddCookiesAndContinue(__CFHTTPMessage*) + 32 (HTTPProtocol.cpp:3676)
21 CFNetwork 0x00000001a0bcbd20 invocation function for block in QCoreSchedulingSet::performAsync(void () block_pointer) const + 60 (CoreSchedulingSet.mm:156)
22 libdispatch.dylib 0x00000001a745d248 _dispatch_call_block_and_release + 32 (init.c:1549)
23 libdispatch.dylib 0x00000001a745efa8 _dispatch_client_callout + 20 (object.m:576)
24 libdispatch.dylib 0x00000001a74665cc _dispatch_lane_serial_drain + 768 (queue.c:3934)
25 libdispatch.dylib 0x00000001a7467158 _dispatch_lane_invoke + 432 (queue.c:4025)
26 libdispatch.dylib 0x00000001a74685c0 _dispatch_workloop_invoke + 1744 (queue.c:4704)
27 libdispatch.dylib 0x00000001a747238c _dispatch_root_queue_drain_deferred_wlh + 288 (queue.c:7193)
28 libdispatch.dylib 0x00000001a7471bd8 _dispatch_workloop_worker_thread + 540 (queue.c:6787)
29 libsystem_pthread.dylib 0x000000022a300680 _pthread_wqthread + 288 (pthread.c:2696)
30 libsystem_pthread.dylib 0x000000022a2fe474 start_wqthread + 8 (:-1)

Crash 3:

Thread 17 name:
Thread 17 name:
Thread 17 Crashed:
0 ??? 0x0000000000000000 0x0 + 0
1 CoreFoundation 0x000000019f6cc5c8 -[NSDictionary isEqualToDictionary:] + 276 (NSDictionary.m:333)
2 CoreFoundation 0x000000019f6cb8b4 -[__NSDictionaryM objectForKeyedSubscript:] + 168 (NSDictionaryM.m:288)
3 CFNetwork 0x00000001a0c4e4bc TubeManager::invalidateKey(HTTPConnectionCacheKey const*, bool, MetaConnectionCacheType) + 228 (TubeManager.cpp:303)
4 CFNetwork 0x00000001a0c8bac4 invocation function for block in HTTP2ConnectionCache::_onqueue_base_remove_connections(bool, bool) + 256 (HTTP2ConnectionCache.cpp:342)
5 CoreFoundation 0x000000019f6f3988 __CFDictionaryApplyFunction_block_invoke + 28 (CFDictionary.c:323)
6 CoreFoundation 0x000000019f6f3524 CFBasicHashApply + 148 (CFBasicHash.c:1040)
7 CoreFoundation 0x000000019f6c2040 CFDictionaryApplyFunction + 224 (CFDictionary.c:322)
8 CFNetwork 0x00000001a0c7c090 HTTP2ConnectionCache::_onqueue_base_remove_connections(bool, bool) + 336 (HTTP2ConnectionCache.cpp:339)
9 CFNetwork 0x00000001a0c7bde8 HTTP2ConnectionCache::_onqueue_removeIdleConnections() + 120 (HTTP2ConnectionCache.cpp:285)
10 libdispatch.dylib 0x00000001a745efa8 _dispatch_client_callout + 20 (object.m:576)
11 libdispatch.dylib 0x00000001a746245c _dispatch_continuation_pop + 596 (queue.c:325)
12 libdispatch.dylib 0x00000001a7476620 _dispatch_source_latch_and_call + 420 (source.c:596)
13 libdispatch.dylib 0x00000001a74751e8 _dispatch_source_invoke + 836 (source.c:961)
14 libdispatch.dylib 0x00000001a746642c _dispatch_lane_serial_drain + 352 (queue.c:3934)
15 libdispatch.dylib 0x00000001a7467158 _dispatch_lane_invoke + 432 (queue.c:4025)
16 libdispatch.dylib 0x00000001a74685c0 _dispatch_workloop_invoke + 1744 (queue.c:4704)
17 libdispatch.dylib 0x00000001a747238c _dispatch_root_queue_drain_deferred_wlh + 288 (queue.c:7193)
18 libdispatch.dylib 0x00000001a7471bd8 _dispatch_workloop_worker_thread + 540 (queue.c:6787)
19 libsystem_pthread.dylib 0x000000022a300680 _pthread_wqthread + 288 (pthread.c:2696)
20 libsystem_pthread.dylib 0x000000022a2fe474 start_wqthread + 8 (:-1)

[rolfbjarne]

@sleushunou those look like different problems, so please file a new issue.

[mlancione]

Any update on this issue? We are experiencing the same issue even when running the latest .NET 9 release (9.0.203 iOS 18.4.9288).

Thread 0 Crashed:
0 libobjc.A.dylib 0x0000000194950790 0x194948000 + 34704
1 CFNetwork 0x000000019897ff3c -[__NSCFURLSessionConnection dealloc] + 32 (SessionConnection.mm:357)
2 CFNetwork 0x000000019897fc94 -[__NSCFURLLocalSessionConnection dealloc] + 260 (SessionConnection.mm:591)
3 libsystem_blocks.dylib 0x0000000222264a20 <deduplicated_symbol> + 68
4 libsystem_blocks.dylib 0x00000002222643e4 HelperBase::destroyBlock(Block_layout*, bool, unsigned char*) + 116 (runtime.cpp:471)
5 libsystem_blocks.dylib 0x0000000222264868 _call_dispose_helpers_excp + 72 (generic_helpers.c:34)
6 libsystem_blocks.dylib 0x0000000222264354 _Block_release + 236 (runtime.cpp:1017)
7 libsystem_blocks.dylib 0x00000002222648e0 <deduplicated_symbol> + 68
8 libsystem_blocks.dylib 0x0000000222264434 HelperBase::destroyBlock(Block_layout*, bool, unsigned char*) + 196 (runtime.cpp:479)
9 libsystem_blocks.dylib 0x0000000222264868 _call_dispose_helpers_excp + 72 (generic_helpers.c:34)
10 libsystem_blocks.dylib 0x0000000222264354 _Block_release + 236 (runtime.cpp:1017)
11 libdispatch.dylib 0x000000019f357584 _dispatch_client_callout + 16 (client_callout.mm:85)
12 libdispatch.dylib 0x000000019f3745a0 _dispatch_main_queue_drain.cold.5 + 812 (queue.c:8104)
13 libdispatch.dylib 0x000000019f34cd30 _dispatch_main_queue_drain + 180 (queue.c:8085)
14 libdispatch.dylib 0x000000019f34cc6c _dispatch_main_queue_callback_4CF + 44 (queue.c:8264)
15 CoreFoundation 0x000000019742ded0 0x1973c1000 + 446160
16 CoreFoundation 0x00000001973d1634 0x1973c1000 + 67124
17 CoreFoundation 0x00000001973d2d7c 0x1973c1000 + 73084
18 GraphicsServices 0x00000001e5025454 0x1e5024000 + 5204
19 UIKitCore 0x0000000199ded890 0x199cb8000 + 1267856
20 UIKitCore 0x0000000199db8cec 0x199cb8000 + 1051884

[rolfbjarne]

No updates for the moment, there hasn't been any progress here.

[jonathanantoine]

I am seeing this a lot too. Any workaround maybe ?

[sleushunou]

I see more than 1000 crashes on my app last 90 days with this stacktrace:

Thread 0 name: tid_103 Crashed:
0 libobjc.A.dylib 0x305b34790 objc_release_x8
1 CFNetwork 0x30db70f38 -[__NSCFURLSessionConnection dealloc]
2 CFNetwork 0x30db70c90 -[__NSCFURLLocalSessionConnection dealloc]
3 libsystem_blocks.dylib 0x41fe3da1c HelperBase::disposeCapture
4 libsystem_blocks.dylib 0x41fe3d3e0 HelperBase::destroyBlock
5 libsystem_blocks.dylib 0x41fe3d864 _call_dispose_helpers_excp
6 libsystem_blocks.dylib 0x41fe3d350 _Block_release
7 libsystem_blocks.dylib 0x41fe3d8dc HelperBase::disposeCapture
8 libsystem_blocks.dylib 0x41fe3d430 HelperBase::destroyBlock
9 libsystem_blocks.dylib 0x41fe3d864 _call_dispose_helpers_excp
10 libsystem_blocks.dylib 0x41fe3d350 _Block_release
11 libdispatch.dylib 0x31af55580 _dispatch_client_callout
12 libdispatch.dylib 0x31af7259c _dispatch_main_queue_drain.cold.5
13 libdispatch.dylib 0x31af4ad2c _dispatch_main_queue_drain
14 libdispatch.dylib 0x31af4ac68 _dispatch_main_queue_callback_4CF
15 CoreFoundation 0x30b092d8c CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE
16 CoreFoundation 0x30b0364f0 __CFRunLoopRun
17 CoreFoundation 0x30b037c38 CFRunLoopRunSpecific
18 GraphicsServices 0x3a5405450 GSEventRunModal
19 UIKitCore 0x310339270 -[UIApplication _run]
20 UIKitCore 0x310304a24 UIApplicationMain
21 Gambino.IOS 0x2014344ac xamarin_UIApplicationMain (bindings.m:126)
22 Gambino.IOS 0x20178fd04 do_icall (interp.c:2310)
23 Gambino.IOS 0x20178e37c do_icall_wrapper (interp.c:2350)
24 Gambino.IOS 0x201782240 mono_interp_exec_method
25 Gambino.IOS 0x20177fdac interp_runtime_invoke (interp.c:2109)
26 Gambino.IOS 0x201745538 mono_jit_runtime_invoke (mini-runtime.c:3683)
27 Gambino.IOS 0x2016e14e4 [inlined] do_runtime_invoke (object.c:2576)
28 Gambino.IOS 0x2016e14e4 mono_runtime_invoke_checked (object.c:2792)
29 Gambino.IOS 0x2016e8608 [inlined] do_exec_main_checked
30 Gambino.IOS 0x2016e8608 mono_runtime_exec_main_checked (object.c:4775)
31 Gambino.IOS 0x20174ce84 [inlined] mono_jit_exec_internal (driver.c:1369)
32 Gambino.IOS 0x20174ce84 mono_jit_exec (driver.c:1314)
33 Gambino.IOS 0x2014486f0 xamarin_main (monotouch-main.m:495)
34 Gambino.IOS 0x2017b54d8 main (main.arm64.mm:84)
35 0x1af387f08

[Zalkovalsky]

I have seen this issue on the latest .NET 9 sdk (9.0.302) too, although it's quite random in timing