Maps: EXC_BAD_ACCESS: Attempted to dereference garbage pointer 0x43e14141ff01ff08

Created on 6 May 2020 · 19Comments · Source: react-native-mapbox-gl/maps

Describe the bug

Fatal crash received from Sentry.

To Reproduce

EXC_BAD_ACCESS
ampground-marker > campground-marker > za-metropolitan-2 >
Attempted to dereference garbage pointer 0x43e14141ff01ff08.

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: BUS_NOOP at 0x43e14141ff01ff08
Crashed Thread: 0

Application Specific Information:
ampground-marker > campground-marker > za-metropolitan-2 >
Attempted to dereference garbage pointer 0x43e14141ff01ff08.

Thread 0 Crashed:
0   Mapbox                          0x2873000f4         mbgl::resourceURLWithAccountType
1   Mapbox                          0x287140cd4         mbgl::resourceURLWithAccountType
2   Mapbox                          0x28718a1d8         mbgl::resourceURLWithAccountType
3   Mapbox                          0x2871d90cc         mbgl::resourceURLWithAccountType
4   Mapbox                          0x2871e2ccc         mbgl::resourceURLWithAccountType
5   Mapbox                          0x2873e602c         MGLStringFromMetricType
6   Mapbox                          0x2873e5da0         MGLStringFromMetricType
7   CoreFoundation                  0x335fca284         __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__
8   CoreFoundation                  0x335fca2cc         ___CFXRegistrationPost1_block_invoke
9   CoreFoundation                  0x335fc962c         _CFXRegistrationPost1
10  CoreFoundation                  0x335fc92e4         ___CFXNotificationPost_block_invoke
11  CoreFoundation                  0x335f45598         -[_CFXNotificationRegistrar find:object:observer:enumerator:]
12  CoreFoundation                  0x335fc8c34         _CFXNotificationPost
13  Foundation                      0x339d04134         -[NSNotificationCenter postNotificationName:object:userInfo:]
14  UIKitCore                       0x3425c3364         __47-[UIApplication _applicationDidEnterBackground]_block_invoke
15  UIKitCore                       0x341fb0628         +[UIViewController _performWithoutDeferringTransitionsAllowingAnimation:actions:]
16  UIKitCore                       0x3425c3120         -[UIApplication _applicationDidEnterBackground]
17  UIKitCore                       0x341d896a0         __101-[_UISceneLifecycleMultiplexer _evalTransitionToSettings:fromSettings:forceExit:withTransitionStore:]_block_invoke_2
18  UIKitCore                       0x34221eb6c         _UIScenePerformActionsWithLifecycleActionMask
19  UIKitCore                       0x341d892ac         __101-[_UISceneLifecycleMultiplexer _evalTransitionToSettings:fromSettings:forceExit:withTransitionStore:]_block_invoke
20  UIKitCore                       0x341d88db8         -[_UISceneLifecycleMultiplexer _performBlock:withApplicationOfDeactivationReasons:fromReasons:]
21  UIKitCore                       0x341d890d8         -[_UISceneLifecycleMultiplexer _evalTransitionToSettings:fromSettings:forceExit:withTransitionStore:]
22  UIKitCore                       0x341d88994         -[_UISceneLifecycleMultiplexer uiScene:transitionedFromState:withTransitionContext:]
23  UIKitCore                       0x341d8ce80         __186-[_UIWindowSceneFBSSceneTransitionContextDrivenLifecycleSettingsDiffAction _performActionsForUIScene:withUpdatedFBSScene:settingsDiff:fromSettings:transitionContext:lifecycleActionType:]_block_invoke_2
24  UIKitCore                       0x3421503dc         +[BSAnimationSettings(UIKit) tryAnimatingWithSettings:actions:completion:]
25  UIKitCore                       0x342238158         _UISceneSettingsDiffActionPerformChangesWithTransitionContext
26  UIKitCore                       0x341d8cbb8         __186-[_UIWindowSceneFBSSceneTransitionContextDrivenLifecycleSettingsDiffAction _performActionsForUIScene:withUpdatedFBSScene:settingsDiff:fromSettings:transitionContext:lifecycleActionType:]_block_invoke
27  UIKitCore                       0x342238054         _UISceneSettingsDiffActionPerformActionsWithDelayForTransitionContext
28  UIKitCore                       0x341d8ca24         -[_UIWindowSceneFBSSceneTransitionContextDrivenLifecycleSettingsDiffAction _performActionsForUIScene:withUpdatedFBSScene:settingsDiff:fromSettings:transitionContext:lifecycleActionType:]
29  UIKitCore                       0x341bfe87c         __64-[UIScene scene:didUpdateWithDiff:transitionContext:completion:]_block_invoke
30  UIKitCore                       0x341bfd3e4         -[UIScene _emitSceneSettingsUpdateResponseForCompletion:afterSceneUpdateWork:]
31  UIKitCore                       0x341bfe5b4         -[UIScene scene:didUpdateWithDiff:transitionContext:completion:]
32  UIKitCore                       0x342171244         -[UIApplicationSceneClientAgent scene:handleEvent:withCompletion:]
33  FrontBoardServices              0x342759244         -[FBSSceneImpl updater:didUpdateSettings:withDiff:transitionContext:completion:]
34  FrontBoardServices              0x34277dd24         __88-[FBSWorkspaceScenesClient sceneID:updateWithSettingsDiff:transitionContext:completion:]_block_invoke_2
35  FrontBoardServices              0x342762f00         -[FBSWorkspace _calloutQueue_executeCalloutFromSource:withBlock:]
36  FrontBoardServices              0x34277dc58         __88-[FBSWorkspaceScenesClient sceneID:updateWithSettingsDiff:transitionContext:completion:]_block_invoke
37  libdispatch.dylib               0x332f06180         _dispatch_client_callout
38  libdispatch.dylib               0x332ee041c         _dispatch_block_invoke_direct$VARIANT$armv81
39  FrontBoardServices              0x3427a2414         __FBSSERIALQUEUE_IS_CALLING_OUT_TO_A_BLOCK__
40  FrontBoardServices              0x3427a20e0         -[FBSSerialQueue _queue_performNextIfPossible]
41  FrontBoardServices              0x3427a2608         -[FBSSerialQueue _performNextFromRunLoopSource]
42  CoreFoundation                  0x335fec9fc         __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
43  CoreFoundation                  0x335fec954         __CFRunLoopDoSource0
44  CoreFoundation                  0x335fec0ec         __CFRunLoopDoSources0
45  CoreFoundation                  0x335fe7238         __CFRunLoopRun
46  CoreFoundation                  0x335fe6ad8         CFRunLoopRunSpecific
47  GraphicsServices                0x3484eb324         GSEventRunModal
48  UIKitCore                       0x3425bdadc         UIApplicationMain
49  The Dyrt                        0x2041298a0         <redacted>
50  libdyld.dylib                   0x32f70135c         start

Expected behavior
No crash.

Versions (please complete the following information):

Platform: iOS
Device: Apple iPhone X
Emulator/ Simulator: No
OS: iOS 13.3
react-native-mapbox-gl Version: 8.0.0
React Native Version 0.61.4

Source

bscheideldyrt

Most helpful comment

Awesome @mfazekas! Thanks for handling this. Is this going to be released in a new rc-version short term, or do you need help testing it out first?

cbrevik on 21 Oct 2020

👍2

All 19 comments

Pls provide sample to reproduce the issue, we cannot fix from this sentry log.

mfazekas on 6 May 2020

Unfortunately i'm getting these as well but can't reproduce ;(

dorthwein on 6 May 2020

@bscheideldyrt are you loading remote images for your markers or using local ones?

dorthwein on 6 May 2020

@dorthwein We're using custom markers that have been uploaded via Mapbox Studio

bscheideldyrt on 6 May 2020

Sorry this stacktrace does not give any info to me. I'm pretty sure the mabox names MGLStringFromMetricType, etc are not correct. You probably need to upload symbol files to sentry, so it can figure out better stacktrace, but even then none of that is from react-native-mapbox-gl. Which doesn't mean the root issue is not if rnmbgl.

mfazekas on 7 May 2020

@bscheideldyrt, did you ever come up with a solution to these crashes? These are our #1 crash in our shipping application and 99% of them occur when the application is in the background.

mattrobmattrob on 22 Jun 2020

@bscheideldyrt @mattrobmattrob We are having the same issue in our application and no idea how to fix it. Did one of you ever find a fix for this?

reinvanimschoot on 1 Jul 2020

@bscheideldyrt @mattrobmattrob We are having the same issue in our application and no idea how to fix it. Did one of you ever find a fix for this?

These _seems_ to have been solved by an upgrade from 5.8.0 to 5.9.0 in our Carthage configuration of our Mapbox dependency, @reinvanimschoot.

- binary "https://www.mapbox.com/ios-sdk/Mapbox-iOS-SDK-stripped.json" == 5.8
+ binary "https://www.mapbox.com/ios-sdk/Mapbox-iOS-SDK-stripped.json" == 5.9

mattrobmattrob on 1 Jul 2020

@mattrobmattrob Is that something to be changed in node_modules?

reinvanimschoot on 1 Jul 2020

@mattrobmattrob Is that something to be changed in node_modules?

In my case, I'm not using react-native-mapbox-gl but rather just had a similar crash in the Mapbox SDK. I'm not sure how to pin a specific dependency in the other (npm, React, etc.) context, sorry, @reinvanimschoot.

mattrobmattrob on 1 Jul 2020

Getting this infrequently on iOS as well, seems to be related to using images in a style (set via styleURL). (Uploaded dSYMs so we've been able to get better stack traces):

EXC_BAD_ACCESS Attempted to dereference garbage pointer 0xb0a81a36f460. 
    src/mbgl/style/style.cpp:70:19 addImage
    Frameworks/Mapbox.framework/Mapbox -[MGLStyle setImage:forName:]
    /Users/runner/work/1/s/node_modules/@react-native-mapbox-gl/maps/ios/RCTMGL/RCTMGLStyle.m:210:15 __42-[RCTMGLStyle symbolLayer:withReactStyle:]_block_invoke_2
    /usr/lib/system/libdispatch.dylib __dispatch_call_block_and_release
    /usr/lib/system/libdispatch.dylib __dispatch_client_callout
    /usr/lib/system/libdispatch.dylib __dispatch_main_queue_callback_4CF
    Frameworks/CoreFoundation.framework/CoreFoundation ___CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__
    Frameworks/CoreFoundation.framework/CoreFoundation ___CFRunLoopRun
    Frameworks/CoreFoundation.framework/CoreFoundation _CFRunLoopRunSpecific
    PrivateFrameworks/GraphicsServices.framework/GraphicsServices _GSEventRunModal
    PrivateFrameworks/UIKitCore.framework/UIKitCore -[UIApplication _run]
    PrivateFrameworks/UIKitCore.framework/UIKitCore _UIApplicationMain
-- snip --

Seems to happen when we navigate away from the map, and it is unmounted in the React-tree. Been able to reproduce very infrequently on device - but see from logging that our users experience it when navigating away from the map view as well.

Will stack trace above help reproduce @mfazekas ?

cbrevik on 6 Oct 2020

we're running into this still as well in high frequency. Similar situation with coming out of the background with the map.

dorthwein on 20 Oct 2020

@cbrevik what could happen is that it starts to download an image then map closes, and when the download finishes we try to call setImage on a destructed style?!

mfazekas on 20 Oct 2020

@cbrevik what could happen is that it starts to download an image then map closes, and when the download finishes we try to call setImage on a destructed style?!

This seems very likely to me. Maybe there should be a check for if style is destructured before here in the dispatch: https://github.com/react-native-mapbox-gl/maps/blob/4a15881251465c126474ddfb5d593346a0101a31/ios/RCTMGL/RCTMGLStyle.m#L210

We're seeing this error pop up about every other day. Bit difficult to reproduce, so there's some sort of race condition here.

cbrevik on 20 Oct 2020

@cbrevik what could happen is that it starts to download an image then map closes, and when the download finishes we try to call setImage on a destructed style?!

This seems very likely to me. Maybe there should be a check for if style is destructured before here in the dispatch:

We're seeing this error pop up about every other day. Bit difficult to reproduce, so there's some sort of race condition here.

@cbrevik you should be able to reproduce it by changing the dispatch to a dispatch_after

https://github.com/react-native-mapbox-gl/maps/blob/4a15881251465c126474ddfb5d593346a0101a31/ios/RCTMGL/RCTMGLStyle.m#L209-L212

this will add 10 seconds, so if you close the map within 30 seconds it should trigger the issue.

dispatch_after(dispatch_time(DISPATCH_TIME_NOW, 30 * NSEC_PER_SEC), dispatch_get_main_queue(), ^{
              [self->_style setImage:image forName:imageURI];
              [self setIconImage:layer withReactStyleValue:styleValue];
});

mfazekas on 20 Oct 2020

Yep that definitely helped reproduce it in simulator! Weird thing is, my guess seems to be wrong that it's to do with the styleURL I set.

It seems to be related to showsUserHeadingIndicator being set to true on UserLocation:

Notice identifier = mapboxUserLocationHeadingIndicator: https://github.com/react-native-mapbox-gl/maps/blob/1bf50171f4af7ccd13b6e3f3273448ed7fc222b6/javascript/components/HeadingIndicator.js#L16

Attempted imageURI being set is @"http://localhost:8081/assets/node_modules/@react-native-mapbox-gl/maps/assets/[email protected]?platform=ios&hash=968890dcb073a3019631586b5d3e2f8a"

If I use:

<MapboxGL.UserLocation showsUserHeadingIndicator />

It crashes consistently. If I remove it:

<MapboxGL.UserLocation />

It stops crashing.

Might be because it takes some time to find direction? Even in simulator?

cbrevik on 20 Oct 2020

Not that this necessarily needs to be the sole reason for the crash. Could theoretically happen with other images/race conditions as well?

In this case the _style itself doesn't seem deallocated at first glance - probably something the MGLStyle implementation depends on internally in the MapboxGL iOS SDK which is deallocated? Bit unsure how to handle this for all cases.

cbrevik on 20 Oct 2020

@cbrevik the use of showsUserHeadingIndicator just means that we're going to hit this code path. I've added a PR #1089 that should fix the issue.

mfazekas on 21 Oct 2020

🚀2

Awesome @mfazekas! Thanks for handling this. Is this going to be released in a new rc-version short term, or do you need help testing it out first?

cbrevik on 21 Oct 2020

👍2

Was this page helpful?

0 / 5 - 0 ratings