Summary
A crash occurs in the ViewBridge framework when a TUINSRemoteViewController object receives a -release message after being deallocated. This appears to be a reference counting issue within the ViewBridge framework's internal autorelease pool management.
Environment
- macOS Version: [15.0.0]
- Application: Custom Qt-based application using Chromium Embedded Framework (Xcode version: Xcode 15; Qt version: 6.5.4; CEF version: 138.0.47+g2728d53+chromium-138.0.7204.221)
Steps to Reproduce
Users are typically using the app normally, but a crash occasionally occurs when they activate and click on the application. This happens infrequently, but it occurs roughly every day. Currently, only a few specific users experience this crash, and it may appear for several consecutive days before disappearing for several days. We cannot reliably reproduce this issue but have collected crash logs from affected users.
Crash Analysis
Zombie Detection Log:
Zombie <TUINSRemoteViewController: 0x338708020> received -release
Deallocation Stack Trace (when object was first released):
0 Chromium Embedded Framework 0x000000014283a7f4 rust_png$cxxbridge1$ResultOfWriter$operator$sizeof + 933592
1 AppKit 0x000000019eac0d80 -[NSResponder dealloc] + 340
2 AppKit 0x000000019ebb5e34 -[NSViewController dealloc] + 276
3 ViewBridge 0x00000001a3f6ab9c -[NSRemoteViewController dealloc] + 92
4 AppKit 0x000000019eada4b4 -[NSViewController release] + 236
5 ViewBridge 0x00000001a3eda130 -[NSRemoteViewController release] + 380
6 libobjc.A.dylib 0x000000019aa8806c objc_autoreleasePoolPop + 56
7 CoreFoundation 0x000000019aefc7c0 _CFAutoreleasePoolPop + 32
8 Foundation 0x000000019c0d14f4 -[NSAutoreleasePool drain] + 136
9 ViewBridge 0x00000001a3ed609c __CONSIDER_WHO_REQUESTED_THIS_WAIT_BEFORE_SENDING_BUG_TO_VIEWBRIDGE__ + 24
10 ViewBridge 0x00000001a3f82a10 deferredBlockOpportunity_block_invoke_2 + 436
11 CoreFoundation 0x000000019af3dfa0 __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 28
12 CoreFoundation 0x000000019af3deb0 __CFRunLoopDoBlocks + 356
13 CoreFoundation 0x000000019af3d330 __CFRunLoopRun + 2432
14 CoreFoundation 0x000000019af3c334 CFRunLoopRunSpecific + 572
15 HIToolbox 0x00000001a63740cc RunCurrentEventLoopInMode + 292
16 HIToolbox 0x00000001a6379ebc ReceiveNextEventCommon + 636
17 HIToolbox 0x00000001a637a020 _BlockUntilNextEventMatchingListInModeWithFilter + 76
18 AppKit 0x000000019ea7fa70 _DPSNextEvent + 660
19 AppKit 0x000000019f3a57b8 -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 688
Crash Stack Trace (second release attempt):
0 Chromium Embedded Framework 0x14a03a37c rust_png$cxxbridge1$ResultOfWriter$operator$sizeof + 932448
1 Chromium Embedded Framework 0x14a03a04c rust_png$cxxbridge1$ResultOfWriter$operator$sizeof + 931632
2 CoreFoundation 0x19af1cbe8 ___forwarding___ + 200
3 CoreFoundation 0x19af1ca60 _CF_forwarding_prep_0 + 96
4 libobjc.A.dylib 0x19aa8bd94 AutoreleasePoolPage::releaseUntil(objc_object**) + 204
5 libobjc.A.dylib 0x19aa88138 objc_autoreleasePoolPop + 260
6 CoreFoundation 0x19aefc7c0 _CFAutoreleasePoolPop + 32
7 Foundation 0x19c0d14f4 -[NSAutoreleasePool drain] + 136
8 ViewBridge 0x1a3ed609c __CONSIDER_WHO_REQUESTED_THIS_WAIT_BEFORE_SENDING_BUG_TO_VIEWBRIDGE__ + 24
9 ViewBridge 0x1a3f82a10 deferredBlockOpportunity_block_invoke_2 + 436
10 CoreFoundation 0x19af3dfa0 __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 28
11 CoreFoundation 0x19af3deb0 __CFRunLoopDoBlocks + 356
12 CoreFoundation 0x19af3d330 __CFRunLoopRun + 2432
13 CoreFoundation 0x19af3c334 CFRunLoopRunSpecific + 572
14 HIToolbox 0x1a63740cc RunCurrentEventLoopInMode + 292
15 HIToolbox 0x1a6379ebc ReceiveNextEventCommon + 636
16 HIToolbox 0x1a637a020 _BlockUntilNextEventMatchingListInModeWithFilter + 76
17 AppKit 0x19ea7fa70 _DPSNextEvent + 660
18 AppKit 0x19f3a57b8 -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 688
19 AppKit 0x19ea72b7c -[NSApplication run] + 480
20 libqcocoa.dylib 0x1057b7514 QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 2156
21 QtCore 0x109bb55c4 QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 532
22 QtCore 0x109babff8 QCoreApplication::exec() + 112
23 HoYowave 0x1009fc740 QWidgetFrameAdapter::RunMessageLoop() + 132
24 HoYowave 0x1008ae908 0x10088c000 + 141576
25 HoYowave 0x1008b7038 0x10088c000 + 176184
26 HoYowave 0x1008a3544 0x10088c000 + 95556
27 HoYowave 0x1008a294c 0x10088c000 + 92492
28 dyld 0x19aad4274 start + 2840
Technical Analysis
The crash pattern indicates:
- A TUINSRemoteViewController was autoreleased multiple times
- During autorelease pool drain, the first release triggered dealloc
- Subsequent release attempts accessed the deallocated object (zombie)
- This is entirely within ViewBridge framework's internal code path
The function name __CONSIDER_VIEW_SERVICE_BEFORE_SENDING_BUG_TO_VIEWBRIDGE__ in the stack trace suggests this is a known problematic area.
Questions
- Is this a known issue in ViewBridge framework?
- Is there any workaround or mitigation we can apply from the application side?
- Could you provide guidance on what might trigger this condition?
I have reported this in Feedback Assistant as FB21809243.
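A triage aid for the two traces in the post above, added here as an example and not part of the original post: it parses the frame lines, normalizes the zero-padded addresses, and finds the run of caller frames the deallocation trace and the crash trace have in common, plus the frame just above that run in each. The frame lines are excerpted from the post; the names `parse` and `shared_callers` are this example's own.

```python
import re
from difflib import SequenceMatcher

# Frame lines excerpted from the post: index, image, return address, symbol + offset.
DEALLOC = """\
5 ViewBridge 0x00000001a3eda130 -[NSRemoteViewController release] + 380
6 libobjc.A.dylib 0x000000019aa8806c objc_autoreleasePoolPop + 56
7 CoreFoundation 0x000000019aefc7c0 _CFAutoreleasePoolPop + 32
8 Foundation 0x000000019c0d14f4 -[NSAutoreleasePool drain] + 136
9 ViewBridge 0x00000001a3ed609c __CONSIDER_WHO_REQUESTED_THIS_WAIT_BEFORE_SENDING_BUG_TO_VIEWBRIDGE__ + 24
10 ViewBridge 0x00000001a3f82a10 deferredBlockOpportunity_block_invoke_2 + 436
"""
CRASH = """\
3 CoreFoundation 0x19af1ca60 _CF_forwarding_prep_0 + 96
4 libobjc.A.dylib 0x19aa8bd94 AutoreleasePoolPage::releaseUntil(objc_object**) + 204
5 libobjc.A.dylib 0x19aa88138 objc_autoreleasePoolPop + 260
6 CoreFoundation 0x19aefc7c0 _CFAutoreleasePoolPop + 32
7 Foundation 0x19c0d14f4 -[NSAutoreleasePool drain] + 136
8 ViewBridge 0x1a3ed609c __CONSIDER_WHO_REQUESTED_THIS_WAIT_BEFORE_SENDING_BUG_TO_VIEWBRIDGE__ + 24
9 ViewBridge 0x1a3f82a10 deferredBlockOpportunity_block_invoke_2 + 436
10 CoreFoundation 0x19af3dfa0 __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 28
"""

# Lazy image match so multi-word images ("Chromium Embedded Framework") parse correctly.
FRAME = re.compile(r"^\s*(\d+)\s+(.+?)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s+\+\s+(\d+)\s*$")

def parse(trace):
    """Return one dict per frame line; lines that are not frames are skipped."""
    frames = []
    for line in trace.splitlines():
        m = FRAME.match(line)
        if m:
            frames.append({"idx": int(m[1]), "image": m[2], "addr": int(m[3], 16),
                           "symbol": m[4], "offset": int(m[5])})
    return frames

def shared_callers(a, b):
    """Longest run of identical (image, return address) frames, and the frame above it in each trace."""
    ka = [(f["image"], f["addr"]) for f in a]
    kb = [(f["image"], f["addr"]) for f in b]
    m = SequenceMatcher(None, ka, kb, autojunk=False).find_longest_match(0, len(ka), 0, len(kb))
    shared = a[m.a:m.a + m.size]
    return shared, (a[m.a - 1] if m.a else None), (b[m.b - 1] if m.b else None)

if __name__ == "__main__":
    shared, top_a, top_b = shared_callers(parse(DEALLOC), parse(CRASH))
    print("shared call sites:", [f["symbol"] for f in shared])
    print("dealloc trace diverges at:", top_a["symbol"], "+", top_a["offset"])
    print("crash trace diverges at:  ", top_b["symbol"], "+", top_b["offset"])
```

On these excerpts the shared run starts at `_CFAutoreleasePoolPop + 32` and the traces diverge only inside `objc_autoreleasePoolPop` (`+ 56` versus `+ 260`), so both releases were issued from the same ViewBridge pool-drain call site.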