App crashes in CGFontStrikeRelease

This crash has been troubling us for a long time. We have this crash report in every release of our app, but can't reproduce it.

Here is part of the crash info:


Incident Identifier: xxxx
Hardware Model:      iPhone13,3
Process:             MyApp [34550]
Path:                /private/var/containers/Bundle/Application/xxxx/MyApp.app/MyApp
Identifier:          xxx.xxx
Version:             xxx (296)
AppStoreTools:       15F31c
AppVariant:          1:iPhone13,3:15
Code Type:           ARM-64 (Native)
Role:                Foreground
Parent Process:      launchd [1]
Coalition:           xxx.xxx [466]

Date/Time:           2024-05-19 13:59:10.9716 +0800
Launch Time:         2024-05-19 12:18:24.8753 +0800
OS Version:          iPhone OS 16.6.1 (20G81)
Release Type:        User
Baseband Version:    3.80.01
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x322e323400000000 -> 0x0000003400000000 (possible pointer authentication failure)
Exception Codes: 0x0000000000000001, 0x322e323400000000
VM Region Info: 0x3400000000 is in 0x1000000000-0x7000000000;  bytes after start: 154618822656  bytes before end: 257698037759
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      commpage (reserved)      fc0000000-1000000000 [  1.0G] ---/--- SM=NUL  ...(unallocated)
--->  GPU Carveout (reserved) 1000000000-7000000000 [384.0G] ---/--- SM=NUL  ...(unallocated)
      UNUSED SPACE AT END
Triggered by Thread:  0


Thread 0 name:
Thread 0 Crashed:
0   CoreGraphics                  	0x00000001bd1d0780 CGFontStrikeRelease + 76 (CGFontStrike.c:126)
1   CoreGraphics                  	0x00000001bd1dd0cc CGGlyphBuilderUnlockBitmaps + 476 (CGGlyphBuilder.cc:113)
2   CoreGraphics                  	0x00000001bd1eb8c8 render_glyphs + 412 (RIPContextDrawGlyphs.c:127)
3   CoreGraphics                  	0x00000001bd202ea4 draw_glyph_bitmaps + 1132 (RIPContextDrawGlyphs.c:210)
4   CoreGraphics                  	0x00000001bd21a0ec ripc_DrawGlyphs + 1320 (RIPContextDrawGlyphs.c:558)
5   CoreGraphics                  	0x00000001bd1d26d8 CG::DisplayList::executeEntries(std::__1::__wrap_iter<std::__1::unique_ptr<CG::DisplayListEntry const, std::__1::default_delete<CG::DisplayListEntry const> >*>, std::__1::__wrap_iter<std::__1::uniq... + 5852 (DisplayList.cpp:1657)
6   CoreGraphics                  	0x00000001bd1c86a8 CGDisplayListDrawInContextDelegate + 268 (DisplayList.cpp:2151)
7   QuartzCore                    	0x00000001bcc797d4 CABackingStoreUpdate_ + 468 (CABackingStore.cpp:1388)
8   QuartzCore                    	0x00000001bccf0c34 invocation function for block in CA::Layer::display_() + 64 (CALayer.mm:9699)
9   QuartzCore                    	0x00000001bcc78d54 -[CALayer _display] + 1720 (CALayer.mm:9732)
10  QuartzCore                    	0x00000001bcc785b4 CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 412 (CALayer.mm:2521)
11  QuartzCore                    	0x00000001bcc898d8 CA::Context::commit_transaction(CA::Transaction*, double, double*) + 444 (CAContextInternal.mm:2714)
12  QuartzCore                    	0x00000001bccb8e80 CA::Transaction::commit() + 648 (CATransactionInternal.mm:432)
13  QuartzCore                    	0x00000001bcca2df0 CA::Transaction::flush_as_runloop_observer(bool) + 88 (CATransactionInternal.mm:940)
14  UIKitCore                     	0x00000001bdca34d0 _UIApplicationFlushCATransaction + 52 (UIApplication.m:3286)
15  UIKitCore                     	0x00000001bddf3d94 _UIUpdateSequenceRun + 84 (_UIUpdateSequence.mm:114)
16  UIKitCore                     	0x00000001be458894 schedulerStepScheduledMainSection + 144 (_UIUpdateScheduler.m:1015)
17  UIKitCore                     	0x00000001be457df0 runloopSourceCallback + 92 (_UIUpdateScheduler.m:1164)
18  CoreFoundation                	0x00000001bb80a128 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28 (CFRunLoop.c:1957)
19  CoreFoundation                	0x00000001bb8167b4 __CFRunLoopDoSource0 + 176 (CFRunLoop.c:2001)
20  CoreFoundation                	0x00000001bb79b5e8 __CFRunLoopDoSources0 + 244 (CFRunLoop.c:2038)
21  CoreFoundation                	0x00000001bb7b10d4 __CFRunLoopRun + 828 (CFRunLoop.c:2953)
22  CoreFoundation                	0x00000001bb7b63ec CFRunLoopRunSpecific + 612 (CFRunLoop.c:3418)
23  GraphicsServices              	0x00000001f6ccc35c GSEventRunModal + 164 (GSEvent.c:2196)
24  UIKitCore                     	0x00000001bdb42f58 -[UIApplication _run] + 888 (UIApplication.m:3782)
25  UIKitCore                     	0x00000001bdb42bbc UIApplicationMain + 340 (UIApplication.m:5372)
26  MyApp                        	0x000000010468f978 main + 80 (main.m:15)
27  dyld                          	0x00000001dace8dec start + 2220 (dyldMain.cpp:1165)

Thread 1 name:
Thread 1:
0   libsystem_kernel.dylib        	0x00000001fa6f6ca4 mach_msg2_trap + 8 (:-1)
1   libsystem_kernel.dylib        	0x00000001fa709b74 mach_msg2_internal + 80 (mach_msg.c:201)
2   libsystem_kernel.dylib        	0x00000001fa709e4c mach_msg_overwrite + 540 (mach_msg.c:0)
3   libsystem_kernel.dylib        	0x00000001fa6f71e8 mach_msg + 24 (mach_msg.c:323)
4   CoreFoundation                	0x00000001bb7b0024 __CFRunLoopServiceMachPort + 160 (CFRunLoop.c:2622)
5   CoreFoundation                	0x00000001bb7b1250 __CFRunLoopRun + 1208 (CFRunLoop.c:3005)
6   CoreFoundation                	0x00000001bb7b63ec CFRunLoopRunSpecific + 612 (CFRunLoop.c:3418)
7   Foundation                    	0x00000001b5a2efb4 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212 (NSRunLoop.m:373)
8   Foundation                    	0x00000001b5a2ee9c -[NSRunLoop(NSRunLoop) runUntilDate:] + 64 (NSRunLoop.m:420)
9   UIKitCore                     	0x00000001bdc75cc8 -[UIEventFetcher threadMain] + 416 (UIEventFetcher.m:1376)
10  Foundation                    	0x00000001b5a48524 __NSThread__start__ + 716 (NSThread.m:963)
11  libsystem_pthread.dylib       	0x000000021b5766b8 _pthread_start + 148 (pthread.c:893)
12  libsystem_pthread.dylib       	0x000000021b575b88 thread_start + 8 (:-1)

Thread 2:
0   libsystem_kernel.dylib        	0x00000001fa6f7164 __semwait_signal + 8 (:-1)
1   libsystem_c.dylib             	0x00000001c2c50888 nanosleep + 220 (nanosleep.c:104)
2   libsystem_c.dylib             	0x00000001c2c61b1c sleep + 52 (sleep.c:62)
3   MyApp                        	0x00000001075ccb14 -[UTDCacheManager synchronizeData] + 104 (UTDCacheManager.m:133)
4   Foundation                    	0x00000001b5a48524 __NSThread__start__ + 716 (NSThread.m:963)
5   libsystem_pthread.dylib       	0x000000021b5766b8 _pthread_start + 148 (pthread.c:893)
6   libsystem_pthread.dylib       	0x000000021b575b88 thread_start + 8 (:-1)
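
The Exception Subtype line above already does one piece of triage for you: the kernel reports the raw faulting value 0x322e323400000000 and the value with its upper bits dropped, 0x0000003400000000, and flags it as a possible pointer-authentication failure. The following Python is an added example (not part of the original post) that reproduces that arithmetic and looks at the raw bytes of the faulting value; the 39-bit user address width is an assumption inferred from the report's own stripping and its printed VM layout, and the ASCII reading of the upper bytes is a hint to follow up on, not a diagnosis.

```python
"""Triage helper for an EXC_BAD_ACCESS report: strip the pointer-authentication
bits the way the crash report does, then inspect the raw bytes of the fault
value. Added example; the subtype line is copied from the report above."""
import re
import string

SUBTYPE_LINE = ("Exception Subtype: KERN_INVALID_ADDRESS at 0x322e323400000000 "
                "-> 0x0000003400000000 (possible pointer authentication failure)")

# Assumption: the report keeps the low 39 bits of the address
# (0x322e323400000000 -> 0x0000003400000000), which also fits the VM region
# layout it prints (regions up to 0x7000000000).
USER_VA_BITS = 39

# Printable ASCII minus whitespace control characters.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def parse_subtype(line):
    """Return (raw_address, stripped_address) from an Exception Subtype line,
    or None if the line does not carry the 'raw -> stripped' pair."""
    m = re.search(r"at 0x([0-9a-fA-F]+) -> 0x([0-9a-fA-F]+)", line)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def strip_pac(addr, va_bits=USER_VA_BITS):
    """Drop the bits above the user VA width; on arm64e that is where a
    pointer-authentication signature (or garbage) lives."""
    return addr & ((1 << va_bits) - 1)


def ascii_in_pointer(addr, width=8):
    """Little-endian bytes of the value, plus the non-zero bytes decoded as
    ASCII when every one of them is printable (otherwise None). A pointer
    slot full of printable text is a classic sign that the slot was
    overwritten by string data, e.g. after the object was freed and reused."""
    raw = addr.to_bytes(width, "little")
    nonzero = bytes(b for b in raw if b)
    if nonzero and all(b in PRINTABLE for b in nonzero):
        return raw, nonzero.decode("ascii")
    return raw, None


def triage(line=SUBTYPE_LINE):
    """Summarise one Exception Subtype line as a dict of findings."""
    parsed = parse_subtype(line)
    if parsed is None:
        return None
    raw_addr, reported = parsed
    stripped = strip_pac(raw_addr)
    raw_bytes, text = ascii_in_pointer(raw_addr)
    return {
        "raw": raw_addr,
        "stripped": stripped,
        "matches_report": stripped == reported,   # our mask agrees with the kernel's
        "pac_bits_set": raw_addr != stripped,     # upper bits were non-zero
        "bytes_le": raw_bytes.hex(" "),
        "ascii": text,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:16} {value}")
```

For this report the upper four bytes of the fault value are 0x34 0x32 0x2e 0x32, which read as the text "42.2" in memory order; the low 39 bits are a plain, unmapped address inside the reserved GPU carveout. That combination (a stale pointer whose signature bits now hold printable characters) is consistent with the object holding the CGFontStrike reference having been released and its memory reused, which is why the weak-versus-strong property discussion later in this thread is worth reading, even though the report alone cannot prove it.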

I have the same crash. Do you have any idea how to fix it?

“I have found a solution where changing the use of weak to strong for UI properties in Objective-C files helps mitigate this issue.”

Adding a data point to this thread.

We're seeing the exact same stack chain — _os_unfair_lock_corruption_abort → _os_unfair_lock_lock_slow → CGFontStrikeGetSize → CGGlyphBuilderUnlockBitmaps → render_glyphs → CA::Transaction::commit → _UIApplicationFlushCATransaction — deterministically reproducing on iPhone 17 Pro Max + iOS 26.4.2 (build 23E261) during a SwiftUI Setup→Session view transition while CoreML models are warming and an AVAudioEngine is starting. Filed as FB22728399 on 2026-05-08, with 6 byte-identical .ips reports and a full sysdiagnose attached.

A few additions to the existing reports here:

  1. Negative MallocStackLogging result. Crash reproduces with MallocStackLogging + MallocScribble + MallocPreScribble + MallocGuardEdges all simultaneously active. Zero malloc diagnostics fire. The corrupting write is not in user-managed heap.

  2. Co-occurring signal. 8× "AVAudioBuffer.mm:281 mBuffers[0].mDataByteSize (0) should be non-zero" warnings during the same model-compile window in which the lock corruption surfaces. Suggests the race involves audio session activation overlapping with text-rendering during view transition.

  3. Consumer-substitution evidence. A sibling variant of this Mandelbug surfaces on the return transition with cache_t::bad_cache aborting on _UILiquidLensView (iOS 26 Liquid Glass) during UISwitch reinstantiation. Replacing the UISwitch site with a pure-SwiftUI custom ToggleStyle (no UIViewRepresentable) suppresses the back-transition variant — but the forward-transition CGFontStrikeGetSize variant in this thread continues to fire. Both surfaces appear to be consumers of an upstream race in Apple-framework cache state, not consumers of each other.

Cross-reference: github.com/mshibanami/iOS26Crash (FB20447562) for a related iOS 26 UISwitch / Liquid Glass family member, and Apple Developer Forums thread/822643 for the iOS 26.3.1+ drawHierarchy regression that DTS attributed to ImageIO security patches.

Happy to share the .ips, sysdiagnose, and full reproducer if it helps triage.

Hello @roboto-09,

Thanks for your thorough investigation into this issue. Just to confirm, which of the bug reports does not yet contain the latest .ips or sysdiagnose files? It appears that you've attached some to both reports.

Richard Yeh  Developer Technical Support
