I ran a test code with ThreadSanitizer, it throws a race condition in the block of xpcconnectionseteventhandler even I set a sync queue to the connection. xpc_connection_set_event_handler(conn, ^(xpc_object_t event) { xpc_type_t type = xpc_get_type(event); if (xpc_get_type(event) == XPC_TYPE_DICTIONARY) { 		// race condition here 		// WARNING: ThreadSanitizer: data race // ... } else { if (event == XPCERRORCONNECTIONINVALID) { // Error indicates the peer has closed the connection. // Tear down any associated data structures. } else { // Error indicates that service will terminate soon. // Flush all buffers, finish all work, etc. } xpcrelease(peer); } }); https://developer.apple.com/documentation/xpc/1448786-xpc_connection_set_target_queue?language=objc: "the XPC runtime guarantees that, when the target queue is a serial queue, the event handler block will execute synchronously with respect to other blocks submitted to that same queue. When the target queue is a concurrent queue, the event handler block may run concurrently with other blocks submitted to that queue, but it will never run concurrently with other invocations of itself for the same connection" looks like there should have no race condition according to the above description, but why I encounter the race condition issue reported by ThreadSanitizer? Does the block of xpcconnectionseteventhandler need sync to avoid race condition?

Hi Experts, When experimenting with NEFilterDataProvider, I observed that whole ICMP data flows are visible on the local machine when pinging a remote machine from it. However, no ICMP data flows are observed on the local machine when the remote machine pings it. Below is the rule for filtering any protocol with any direction. NEFilterRule(networkRule: .init( remoteNetwork: nil, remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .any, direction: .any), action: .filterData) There is no issue for TCP/UDP. May I know it's a bug or by design?

NEFilterManager * mgr = [NEFilterManager sharedManager]; ... NSString *description = [mgr localizedDescription] Hi Experts, I can get another NEFilterManager instance if there are multi-network profilers in the Network panel. The above code is in a different background process(bundle id) than the main process without any entitlement. I can only get the correct NEFilterManager instance associated with the main process, is it by design? how to get a specified NEFilterManager instance in the background process?

Hi Expert, I found the value of kDADiskDescriptionVolumeUUIDKey changed after upgrading to BigSur from Catalina, so it should not be used to identify a unique machine? Btw: I found there is another unique hardware UUID in "system_profiler SPHardwareDataType"

Please anyone suggest how to disable App Transport Security completely by enabling NSAllowsArbitraryLoads for the daemon process since it does not have info.plist on macOS? or can I add those config in the corresponding ***.plist in /Library/LaunchDaemon/? Thanks in advance.

Hi guys, I observed the infinite connection callback(inSelector) for some Bluetooth devices (such as an iPhone SE or Mac Mini) even when I powered off them. However, the issue is not reproducible easily. (IOBluetoothUserNotification *)registerForConnectNotifications:(id)observer selector:(SEL)inSelector ble.txt Looks like there are many -[CBManager xpcConnectionDidReceiveMsg:args:] calls when the issue occurs based on the sample, so it might be caused by the XPC connection with bluetoothd? Has anyone else experienced this issue, or any workaround for it? such as should I restart the bluetoothd?

Hi,I downloaded FilteringNetworkTraffic and added a FilterPacketProvider to intercept network packet with following info.plist:<key>NEProviderClasses</key> <dict> <key>com.apple.networkextension.filter-packet</key> <string>$(PRODUCT_MODULE_NAME).FilterPacketProvider</string> </dict>but the callback function and packetHandler closure do not work at all? thanks!

Hi Experts, I knew there is LSEnvironment for defining environment variables to be set before launching. e.g. <key>LSEnvironment</key> <dict> <key>PATH</key> <string>/Users/flori/.rvm/gems/ruby-1.9.3-p362/bin:/Users/flori/.rvm/gems/ruby-1.9.3-p362@global/bin:/Users/flori/.rvm/rubies/ruby-1.9.3-p326/bin:/Users/flori/.rvm/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:</string> </dict> How about system extension? Thanks a lot.

Hi Experts, I created a simple application with the following code to retrieve the signing info from Apps such as Xcode: CFURLRef appURLRef = NULL;   SecStaticCodeRef staticCodeRef = NULL;   CFDictionaryRef signatureInfoRef = NULL;       do {     appURLRef = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, CFSTR("/Applications/Xcode.app"), kCFURLPOSIXPathStyle, YES);     if(!appURLRef) {       break;     }           OSStatus status = SecStaticCodeCreateWithPath(appURLRef, kSecCSDefaultFlags, &amp;staticCodeRef);     if(errSecSuccess != status) {       break;     }           status = SecCodeCopySigningInformation(staticCodeRef, kSecCSSigningInformation, &amp;signatureInfoRef);     if(errSecSuccess != status) {       break;     }   } while(0);       if(staticCodeRef) {     CFRelease(staticCodeRef);     staticCodeRef = NULL;   }   if(signatureInfoRef) {     CFRelease(signatureInfoRef);     signatureInfoRef = NULL;   }   if(appURLRef) {     CFRelease(appURLRef);     appURLRef = NULL;   } then I use leaks to check if any memory issues, the output is: Process: checksig [4733] Path: /Users/USER/Library/Developer/Xcode/DerivedData/Build/Products/Debug/checksig Load Address: 0x10e033000 Identifier: checksig Version: ??? Code Type: X86-64 Platform: macOS Parent Process: leaks [4732] Date/Time: 2022-02-13 23:10:32.606 +0800 Launch Time: 2022-02-13 23:10:32.109 +0800 OS Version: Mac OS X 10.15.6 (19G73) Report Version: 7 Analysis Tool: /Applications/Xcode.app/Contents/Developer/usr/bin/leaks Analysis Tool Version: Xcode 12.4 (12D4e) ---- leaks Report Version: 4.0 Process 4733: 3725 nodes malloced for 456 KB Process 4733: 1 leak for 32 total leaked bytes. 1 (32 bytes) ROOT LEAK: 0x7ffc33d04c00 [32] length: 23 ",CSSMERR_CL_UNKNOWN_TAG" If I remove the SecCodeCopySigningInformation line, then the issue is gone. So there is a memory leak in API SecCodeCopySigningInformation? or in my code or sth incorrect in the report of leaks? Did anybody see the same issue before? thanks a lot!

let query: [String: Any] = [ kSecClass as String: kSecClassCertificate, kSecMatchLimit as String: kSecMatchLimitAll ] var result: CFTypeRef? let status = SecItemCopyMatching(query as CFDictionary, &amp;result) guard status == errSecSuccess else { print("Error retrieving certificates: \(status)") return true } It works on macOS, but always gets -25300(errSecItemNotFound) on iOS, so looks it won't be possible to do an equivalent in iOS given the app ecosystem is sandboxed?

Hi Experts, I found the request for PAC was not triggered each time when using CFNetworkExecuteProxyAutoConfigurationURL. Looks like there is a cache inside, if so how can I disable that cache? like NSURLRequestReloadIgnoringLocalCacheData? Thanks in advance. Btw, so far if I update any proxy setting of the system or wait for some time, then the "cache" will be refreshed and new request will be sent when using CFNetworkExecuteProxyAutoConfigurationURL.

I observed the following crash: Code Type: ARM-64 (Native) Parent Process: launchd [1] User ID: 0 Date/Time: 2025-10-07 13:48:29.082 OS Version: macOS 15.6 (24G84) Report Version: 12 Anonymous UUID: 8B651788-4B2E-7869-516B-1DA0D60F3744 Crashed Thread: 3 Dispatch queue: NEFlow queue Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000054 ... Thread 3 Crashed: Dispatch queue: NEFlow queue 0 libdispatch.dylib 0x000000019af6da34 dispatch_async + 192 1 libnetworkextension.dylib 0x00000001b0cf8580 __flow_startup_block_invoke.216 + 124 2 com.apple.NetworkExtension 0x00000001adf97da8 __88-[NEExtensionAppProxyProviderContext setInitialFlowDivertControlSocket:extraValidation:]_block_invoke.90 + 860 3 libnetworkextension.dylib 0x00000001b0cf8140 __flow_startup_block_invoke.214 + 172 4 libdispatch.dylib 0x000000019af67b2c _dispatch_call_block_and_release + 32 5 libdispatch.dylib 0x000000019af8185c _dispatch_client_callout + 16 6 libdispatch.dylib 0x000000019af70350 _dispatch_lane_serial_drain + 740 7 libdispatch.dylib 0x000000019af70e2c _dispatch_lane_invoke + 388 8 libdispatch.dylib 0x000000019af7b264 _dispatch_root_queue_drain_deferred_wlh + 292 9 libdispatch.dylib 0x000000019af7aae8 _dispatch_workloop_worker_thread + 540 10 libsystem_pthread.dylib 0x000000019b11be64 _pthread_wqthread + 292 11 libsystem_pthread.dylib 0x000000019b11ab74 start_wqthread + 8 ... It appears that the crash is caused by the flow director queue becoming NULL when dispatch_async is called (accessing address 0x0000000000000054). Meanwhile, my transparent proxy was still running. I'm wondering if this is a known issue or if anyone else has encountered the same problem. @eskimo

Hi Experts, Looks like es_mute_path_xxx are deprecated, so does anyone know if there has some new APIs? Thanks! https://developer.apple.com/documentation/endpointsecurity/3366123-es_mute_path_prefix

Hi @eskimo and experts, I created a simple code and found there is a memory leak: #import &lt;Foundation/Foundation.h&gt; #include &lt;functional&gt; void testLeaks(const std::function &lt;void (int)&gt;&amp; inCallback) {   NSTask* task = [[NSTask alloc] init];   [task setTerminationHandler:^(NSTask* inTask) {     inCallback(inTask.terminationStatus);   }];       [task release]; } int main(int argc, const char * argv[]) {   auto callback = [](int result) {     NSLog(@"callback");   };   testLeaks(callback);   NSLog(@"done");   return 0; } The output of leaks: Process: testLeaks2 [13084] Path: /Users/USER/Library/Developer/Xcode/DerivedData/Build/Products/Debug/testLeaks2 Load Address: 0x10a04d000 Identifier: testLeaks2 Version: ??? Code Type: X86-64 Platform: macOS Parent Process: leaks [13083] Date/Time: 2022-02-28 23:34:28.374 +0800 Launch Time: 2022-02-28 23:34:27.939 +0800 OS Version: Mac OS X 10.15.6 (19G73) Report Version: 7 Analysis Tool: /Applications/Xcode.app/Contents/Developer/usr/bin/leaks Analysis Tool Version: Xcode 12.4 (12D4e) ---- leaks Report Version: 4.0 Process 13084: 596 nodes malloced for 59 KB Process 13084: 1 leak for 48 total leaked bytes. 1 (48 bytes) ROOT LEAK: &lt;__NSMallocBlock__ 0x7fbbc2704350&gt; [48] testLeaks2 invocation function for block in testLeaks(std::__1::function&lt;void (int)&gt; const&amp;) 0..." Looks the issue is in the block of setTerminationHandler. How do I address this memory leak issue if I want to keep using std::function as a callback?

According to the document: "the URL Loading System handles various aspects of the HTTP protocol for you (HTTP 1.1 persistent connections, proxies, authentication, and so on). As part of this support, the URL Loading System takes responsibility for certain HTTP headers: Content-Length Authorization Connection Host Proxy-Authenticate Proxy-Authorization WWW-Authenticate If you set a value for one of these reserved headers, the system may ignore the value you set, or overwrite it with its own value, or simply not send it. Moreover, the exact behavior may change over time. To avoid confusing problems like this, do not set these headers directly." Looks like we'd better avoid setting "proxy-authorization" directly: [req setValue:authenticationValue forHTTPHeaderField:@"Proxy-Authorization"]; or [config setHTTPAdditionalHeaders:@{@"Proxy-Authorization": authHeader  } ];, instead, should go to the session delegate. However, we would have 2 "requests" if we follow the authentication challenge if we have credentials already: https://developer.apple.com/documentation/foundation/url_loading_system/handling_an_authentication_challenge?language=objc. So is there any API or other safe way to set "Proxy-Authorization" for nsurlsessionconfig at the "beginning" if we got the credential already? Thanks in advance.