CEF crashes on OS_xpc_oject dealloc

[BNagyDa]

I have a crash with OS_xpc_object dealloc in the call stack on MacOS. This crash occurs seems to occur since CEF version 118.7.1.

0   libsystem_trace.dylib         	0x00007fff2023d7b4 _os_log_preferences_cache_find_record_by_name + 80
1   libsystem_trace.dylib         	0x00007fff2023d677 _os_log_preferences_refresh + 514
2   libsystem_trace.dylib         	0x00007fff2023d337 os_log_create + 775
3   com.apple.SystemConfiguration 	0x00007fff2100351d __SCDynamicStoreAddSession + 617
4   com.apple.SystemConfiguration 	0x00007fff21003fbd __SCDynamicStoreCheckRetryAndHandleError + 126
5   com.apple.SystemConfiguration 	0x00007fff21003ce4 SCDynamicStoreCopyValue + 328
6   com.apple.SystemConfiguration 	0x00007fff21011498 SCDynamicStoreCopyComputerName + 115
7   com.graphisoft.GSRoot         	0x0000000116012cd5 GS::BugRepMac::GetComputerName(char*, unsigned int) + 34
8   com.graphisoft.GSRoot         	0x0000000116019d3b BugRepMac::DumpComputerName() + 98
9   com.graphisoft.GSRoot         	0x00000001160188e0 BugRepMac::GenerateSignalReport(int, __siginfo*, void*) + 167
10  com.graphisoft.GSRoot         	0x000000011601867f BugRepMac::GeneralSignalHandler(int, __siginfo*, void*) + 266
11  libsystem_platform.dylib      	0x00007fff2050ed7d _sigtramp + 29
12  ???                           	0xaaaaaaaaaaaaaaaa 0 + 12297829382473034410
13  libsystem_trace.dylib         	0x00007fff20241a27 _os_log_with_args_impl + 460
14  libsystem_asl.dylib           	0x00007fff24d3faea _vsyslog + 285
15  libsystem_asl.dylib           	0x00007fff24d319fe syslog$DARWIN_EXTSN + 131
16  com.graphisoft.GSRoot         	0x0000000115f5ff05 WriteString(char const*) + 441
17  com.graphisoft.GSRoot         	0x0000000116015843 BugRepMac::DBLog(char const*, ...) + 152
18  com.graphisoft.GSRoot         	0x00000001160185d3 BugRepMac::GeneralSignalHandler(int, __siginfo*, void*) + 94
19  libsystem_platform.dylib      	0x00007fff2050ed7d _sigtramp + 29
20  ???                           	0xaaaaaaaaaaaaaaaa 0 + 12297829382473034410
21  libsystem_trace.dylib         	0x00007fff20241a27 _os_log_with_args_impl + 460
22  libsystem_asl.dylib           	0x00007fff24d3faea _vsyslog + 285
23  libsystem_asl.dylib           	0x00007fff24d319fe syslog$DARWIN_EXTSN + 131
24  com.graphisoft.GSRoot         	0x0000000115f5ff05 WriteString(char const*) + 441
25  com.graphisoft.GSRoot         	0x0000000116015843 BugRepMac::DBLog(char const*, ...) + 152
26  com.graphisoft.GSRoot         	0x00000001160185d3 BugRepMac::GeneralSignalHandler(int, __siginfo*, void*) + 94
27  libsystem_platform.dylib      	0x00007fff2050ed7d _sigtramp + 29
28  libobjc.A.dylib               	0x00007fff20368fb5 _objc_fetch_pthread_data + 20
29  libobjc.A.dylib               	0x00007fff203695ba object_dispose + 19
30  org.cef.framework             	0x0000000142676db2 ChromeAppModeStart_v7 + 31083138
31  libxpc.dylib                  	0x00007fff20208180 -[OS_xpc_object dealloc] + 47
32  libxpc.dylib                  	0x00007fff20221a7e xpc_atfork_child + 125
33  libSystem.B.dylib             	0x00007fff2a69ba08 libSystem_atfork_child + 59
34  libsystem_c.dylib             	0x00007fff203aeb7b fork + 40
35  com.graphisoft.GSRoot         	0x000000011600af6d GS::ProcessImpl::Create(GS::UniString, GS::Array<GS::UniString> const&, unsigned int, bool, bool, bool) + 305
36  com.graphisoft.GSRoot         	0x000000011600b42f GS::ProcessImpl::Create(GS::UniString, GS::Array<GS::UniString> const&) + 55
37  com.graphisoft.GSRoot         	0x0000000115fc7fcd GS::Process::Create(GS::UniString const&, GS::Array<GS::UniString> const&) + 49
38  com.graphisoft.archicad28     	0x000000010e637641 FW::ACCustomerInvolvementHandling::StartUsageLogSenderExe(unsigned char, unsigned char) + 625
39  com.graphisoft.archicad28     	0x000000010e1ae467 FW::ACApplication::ProcessACEvent(FW::ACEvent const&) + 1739
40  com.graphisoft.archicad28     	0x000000010e1b359f FW::ACApplication::ProcessApplicationEvent(FW::ApplicationEvent const&) + 123
41  com.graphisoft.archicad28     	0x000000010e3f60ce FW::ACApplication::MainMessageLoop() + 1958
42  com.graphisoft.archicad28     	0x000000010e49daea FW::Application::Run() + 84
43  com.graphisoft.archicad28     	0x000000010e3f4c57 FW::ACApplication::Run() + 355
44  com.graphisoft.GSRoot         	0x0000000115faaab4 GS::Main() + 80
45  com.graphisoft.archicad28     	0x000000010ade3143 -[GSRootAppController run] + 42
46  com.graphisoft.archicad28     	0x000000010ade3953 main + 223
47  libdyld.dylib                 	0x00007fff204e4f5d start + 1

Here is another call stack

0   libsystem_trace.dylib         	    0x7ff80823a0b7 _os_log_preferences_cache_find_record_by_name + 146
1   libsystem_trace.dylib         	    0x7ff808239f74 _os_log_preferences_refresh + 265
2   libsystem_trace.dylib         	    0x7ff808239d2d os_log_create + 801
3   SystemConfiguration           	    0x7ff8090a4084 __SCDynamicStoreAddSession + 625
4   SystemConfiguration           	    0x7ff8090c0b29 ____SCDynamicStoreReconnect_block_invoke + 32
5   libdispatch.dylib             	    0x7ff808310317 _dispatch_client_callout + 8
6   libdispatch.dylib             	    0x7ff80831d7ee _dispatch_lane_barrier_sync_invoke_and_complete + 60
7   SystemConfiguration           	    0x7ff8090a4deb __SCDynamicStoreCheckRetryAndHandleError + 220
8   SystemConfiguration           	    0x7ff8090a4ab0 SCDynamicStoreCopyValue + 309
9   SystemConfiguration           	    0x7ff8090b241e SCDynamicStoreCopyComputerName + 127
10  GSRoot                        	       0x10f3a5d45 GS::BugRepMac::GetComputerName(char*, unsigned int) + 34
11  GSRoot                        	       0x10f3acdab BugRepMac::DumpComputerName() + 98
12  GSRoot                        	       0x10f3ab950 BugRepMac::GenerateSignalReport(int, __siginfo*, void*) + 167
13  GSRoot                        	       0x10f3ab6ef BugRepMac::GeneralSignalHandler(int, __siginfo*, void*) + 266
14  libsystem_platform.dylib      	    0x7ff8084dcdfd _sigtramp + 29
15  dyld                          	       0x116a494f5 invocation function for block in dyld3::MachOFile::preferredLoadAddress() const + 35
16  libsystem_trace.dylib         	    0x7ff80823e55f _os_log_with_args_impl + 448
17  libsystem_asl.dylib           	    0x7ff80d479166 _vsyslog + 294
18  libsystem_asl.dylib           	    0x7ff80d46b0be syslog$DARWIN_EXTSN + 131
19  GSRoot                        	       0x10f2f32c5 WriteString(char const*) + 441
20  GSRoot                        	       0x10f3a88b3 BugRepMac::DBLog(char const*, ...) + 152
21  GSRoot                        	       0x10f3ab643 BugRepMac::GeneralSignalHandler(int, __siginfo*, void*) + 94
22  libsystem_platform.dylib      	    0x7ff8084dcdfd _sigtramp + 29
23  dyld                          	       0x116a494f5 invocation function for block in dyld3::MachOFile::preferredLoadAddress() const + 35
24  libsystem_trace.dylib         	    0x7ff80823e55f _os_log_with_args_impl + 448
25  libsystem_asl.dylib           	    0x7ff80d479166 _vsyslog + 294
26  libsystem_asl.dylib           	    0x7ff80d46b0be syslog$DARWIN_EXTSN + 131
27  GSRoot                        	       0x10f2f32c5 WriteString(char const*) + 441
28  GSRoot                        	       0x10f3a88b3 BugRepMac::DBLog(char const*, ...) + 152
29  GSRoot                        	       0x10f3ab643 BugRepMac::GeneralSignalHandler(int, __siginfo*, void*) + 94
30  libsystem_platform.dylib      	    0x7ff8084dcdfd _sigtramp + 29
31  ???                           	0xf8eed41e600c0012 ???
32  ???                           	    0x7ff849c1ba48 OBJC_METACLASS_$_OS_xpc_serializer + 40
33  libobjc.A.dylib               	    0x7ff80836a38e object_dispose + 19
34  Chromium Embedded Framework   	       0x148c9bdb2 ChromeAppModeStart_v7 + 31083138
35  libxpc.dylib                  	    0x7ff8081fe9d5 -[OS_xpc_object dealloc] + 47
36  libxpc.dylib                  	    0x7ff80821945e xpc_atfork_child + 125
37  libSystem.B.dylib             	    0x7ff8132b9c8e libSystem_atfork_child + 63
38  libsystem_c.dylib             	    0x7ff8083bb82d fork + 84
39  BIMxLogin                     	       0x123d94933 Uploader::ChildProcessImpl::Create(GS::UniString, GS::Array<GS::UniString> const&, bool, bool) + 411
40  BIMxLogin                     	       0x123d6e363 Uploader::ChildProcess::ChildProcess(GS::UniString const&, GS::Array<GS::UniString> const&, bool, bool) + 65
41  BIMxLogin                     	       0x123d6ff02 BIMxLogin::CurlConnection::RunCurl(GS::Array<GS::UniString> const&, bool, GS::UniString const&, GS::UniString*) + 362
42  BIMxLogin                     	       0x123d6f567 BIMxLogin::CurlConnection::Send(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, bool, BIMxLogin::WebApiClient::SendMode, bool, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) + 3109
43  BIMxLogin                     	       0x123d79f5b GS::Result<BIMxLogin::Services::GraphisoftLogins::response_type, BIMxLogin::ServerErrCode> BIMxLogin::WebApiClient::SendRequest<BIMxLogin::Services::GraphisoftLogins>(BIMxLogin::Services::GraphisoftLogins const&, BIMxLogin::Services::GraphisoftLogins::request_type const*) + 181
44  BIMxLogin                     	       0x123d79c89 BIMxLogin::HTTPGSIDServerOperations::InvokeGraphisoftLogins() + 761
45  BIMxLogin                     	       0x123d761e0 BIMxLogin::Environment::InitGSIDServiceStrings() + 68
46  BIMxLogin                     	       0x123d760ff BIMxLogin::Environment::GetGSIDServiceString(BIMxLogin::GSIDServiceKey) + 49
47  BIMxLogin                     	       0x123d6b7d4 BIMxLogin::Services::PostGetLoginSettings::GetUrl() const + 50
48  BIMxLogin                     	       0x123d7ae7f GS::Result<BIMxLogin::Services::PostGetLoginSettings::response_type, BIMxLogin::ServerErrCode> BIMxLogin::WebApiClient::SendRequest<BIMxLogin::Services::PostGetLoginSettings>(BIMxLogin::Services::PostGetLoginSettings const&, BIMxLogin::Services::PostGetLoginSettings::request_type const*) + 61
49  BIMxLogin                     	       0x123d7ac7c BIMxLogin::HTTPGSIDServerOperations::InvokeGetLoginSettings(BIMxLogin::Environment::AppInfo const&, BIMxLogin::Environment::VersionInfo const&, BIMxLogin::Environment::LicenseData const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 1292
50  BIMxLogin                     	       0x123d8fe93 GSID::LiveMandatoryLoginDeterminationStrategy::QueryLoginSettings(BIMxLogin::Environment::LicenseData const&) + 199
51  BIMxLogin                     	       0x123d92217 GSID::MandatoryLoginManager::QueryLoginSettingsFromServer(BIMxLogin::Environment::LicenseData const&) + 51
52  GSRoot                        	       0x10f364db9 GS::ThreadImpl::Run() + 27
53  GSRoot                        	       0x10f365041 GS::ThreadImpl::Launch(GS::ThreadImpl*, GS::ThreadImpl*) + 163
54  GSRoot                        	       0x10f3a115b (anonymous namespace)::ThreadRunner(void*) + 17
55  libsystem_pthread.dylib       	    0x7ff8084c74e1 _pthread_start + 125
56  libsystem_pthread.dylib       	    0x7ff8084c2f6b thread_start + 15

This issue seems to point towards CEF making use of the IPC solution of MacOS: XPC. A callback seems to be inserted, and somehonw it seems to cause a crash. In the symbolicated call stack I have found, that a RemotesBundleMap is somehow related to this crash. This seems to be found in print_backend_service_manager.h in Chromium's source.

AppleCrashLog_BIMxUpload.txt
Archicad_2024-04-09-011551_ac-test-mac-14.txt
BIMxUpload_crash_log.txt

[magreenblatt]

What reproduction steps?

Does it reproduce with currently supported versions (M127+)?

Does it reproduce with the cefclient or cefsimple sample application at the same version?

[BNagyDa]

There is no known manual repro. We've only been able to reproduce it using automated testing methods. It is known, that whenever CEF is active, and we make a fork of the process, the application crashes.
I have no information regarding M127+ versions.
It hasn't been tried with the sample apps, but I would guess, that it is nigh impossible to reproduce it manually.
We are running CEF with the --no-sandbox switch. It is strage as to why CEF still seems to have data in the 'sandboxed_remotes_bundles_' collection.
There was a similar JVM based crash like this, it is probably related: chromiumembedded/java-cef#471

[magreenblatt]

I'll leave this issue open for now, but it's likely something that you will need to debug and fix yourself.