iOS App crashes with EXC_BAD_ACCESS error

[vivekm-remitly]

Describe the bug

Our app uses bugsnag-cocoa 6.30.1 and after a recent release, we are seeing a large spike in EXC_BAD_ACCESS related crash on iOS.

EXC_BAD_ACCESS RCTModuleMethod.mm:584
Attempted to dereference garbage pointer 0x8.

For additional context, we haven't updated the BugSnag client recently. Although, we recently upgraded RN from 0.72.x to 0.76.9 and introduced expo in our app. Since the stack trace seems to be referring to [BugsnagClient addRuntimeVersionInfo:withKey:] (BugsnagClient.m:998:9) it could be related to BugSnag initialization behavior. Attaching the stack trace for reference, but let us know if you need any additional details to investigate this.

cc @mjbuchholz from our team who can share more context about this crash.

Steps to reproduce

Unfortunately we don't have a repro for this, but it seems to be impacting 10k+ of our users.

• For these users, the app seems to crash at startup (durationInForeground < 300ms)
• Number of crashes ~= Number of users, indicating that the user is not experiencing repetitive crashes.

Environment

• BugSnag version: (BugSnag @bugsnag/react-native version 7.25.1 which internally uses bugsnag-cocoa 6.30.1)
• CocoaPods version: 1.16.2
• iOS version(s): All versions (starting with 15.6, but high volume of errors on 18.5 likely as a high % of our users are on recent OS versions)
• Simulator or physical device: Physical device
• Xcode version: 16.2
• Swift version (if applicable):

Stacktrace as seen on BugSnag dashboard:

CrashReporter Key:  e90290aa11e481b633d37a41f34985eb9b8de79f
Hardware Model:     iPhone17,2
Process:            Remitly
Identifier:         com.remitly.remitly
Version:            6.44.1-2d80219
Role:               Foreground
OS Version:         iOS 18.5
Exception Type:     EXC_BAD_ACCESS 
Exception Subtype:  KERN_INVALID_ADDRESS


EXC_BAD_ACCESS: Attempted to dereference garbage pointer 0x8.

0  CoreFoundation +0x1e4cc         -[__NSDictionaryM setObject:forKeyedSubscript:]
1  Remitly +0x39e0ac               -[BugsnagClient addRuntimeVersionInfo:withKey:] (BugsnagClient.m:998:9)
2  Remitly +0x3ace24               -[BugsnagReactNative addRuntimeVersionInfo:] (BugsnagReactNative.mm:222:5)
3  Remitly +0x3abf2c               -[BugsnagReactNative configure:] (BugsnagReactNative.mm:49:5)
4  CoreFoundation +0x2fa90         ___invoking___
5  CoreFoundation +0x2f108         -[NSInvocation invoke]
6  CoreFoundation +0xa1b28         -[NSInvocation invokeWithTarget:]
7  Remitly +0xb1f1e4               -[RCTModuleMethod invokeWithBridge:module:arguments:] (RCTModuleMethod.mm:584:3)
8  Remitly +0xb21354               facebook::react::invokeInner(RCTBridge*, RCTModuleData*, unsigned int, folly::dynamic const&, int, (anonymous namespace)::SchedulingContext) (RCTNativeModule.mm:196:17)
9  Remitly +0xb21164               facebook::react::RCTNativeModule::callSerializableNativeHook(unsigned int, folly::dynamic&&) (RCTNativeModule.mm:143:10)
10 Remitly +0xd4b0f4               facebook::react::JSIExecutor::nativeCallSyncHook(facebook::jsi::Value const*, unsigned long) (JSIExecutor.cpp:474:40)
11 Remitly +0x42619c               std::__1::function<facebook::jsi::Value (facebook::jsi::Runtime&, facebook::jsi::Value const&, facebook::jsi::Value const*, unsigned long)>::operator()(facebook::jsi::Runtime&, facebook::jsi::Value const&, facebook::jsi::Value const*, unsigned long) const (function.h:428:12)
12 hermes +0x14f78                 std::__1::function<facebook::jsi::Value (facebook::jsi::Runtime&, facebook::jsi::Value const&, facebook::jsi::Value const*, unsigned long)>::operator()(facebook::jsi::Runtime&, facebook::jsi::Value const&, facebook::jsi::Value const*, unsigned long) const
13 hermes +0x14c2c                 facebook::hermes::HermesRuntimeImpl::HFContext::func(void*, hermes::vm::Runtime&, hermes::vm::NativeArgs)
14 hermes +0x236e0                 hermes::vm::NativeFunction::_nativeCall(hermes::vm::NativeFunction*, hermes::vm::Runtime&)
15 hermes +0x2f88c                 hermes::vm::Interpreter::handleCallSlowPath(hermes::vm::Runtime&, hermes::vm::PinnedHermesValue*)
16 hermes +0x31298                 hermes::vm::CallResult<hermes::vm::HermesValue, (hermes::vm::detail::CallResultSpecialize)2> hermes::vm::Interpreter::interpretFunction<false, false>(hermes::vm::Runtime&, hermes::vm::InterpreterState&)
17 hermes +0x30884                 hermes::vm::Runtime::interpretFunctionImpl(hermes::vm::CodeBlock*)
18 hermes +0x604ac                 hermes::vm::Runtime::runBytecode(std::__1::shared_ptr<hermes::hbc::BCProviderBase>&&, hermes::vm::RuntimeModuleFlags, llvh::StringRef, hermes::vm::Handle<hermes::vm::Environment>, hermes::vm::Handle<hermes::vm::HermesValue>)
19 hermes +0x8af8                  facebook::hermes::HermesRuntimeImpl::evaluatePreparedJavaScript(std::__1::shared_ptr<facebook::jsi::PreparedJavaScript const> const&)
20 hermes +0x8990                  facebook::hermes::HermesRuntime::evaluateJavaScriptWithSourceMap(std::__1::shared_ptr<facebook::jsi::Buffer const> const&, std::__1::shared_ptr<facebook::jsi::Buffer const> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)
21 hermes +0x97e8                  facebook::hermes::HermesRuntimeImpl::evaluateJavaScript(std::__1::shared_ptr<facebook::jsi::Buffer const> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)
22 Remitly +0xd49520               facebook::react::JSIExecutor::loadBundle(std::__1::unique_ptr<facebook::react::JSBigString const, std::__1::default_delete<facebook::react::JSBigString const> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >) (JSIExecutor.cpp:166:13)
23 Remitly +0xd11674               facebook::react::NativeToJsBridge::loadBundle(std::__1::unique_ptr<facebook::react::RAMBundleRegistry, std::__1::default_delete<facebook::react::RAMBundleRegistry> >, std::__1::unique_ptr<facebook::react::JSBigString const, std::__1::default_delete<facebook::react::JSBigString const> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >)::$_0::operator()(facebook::react::JSExecutor*) (NativeToJsBridge.cpp:144:21)
24 Remitly +0xd125e8               std::__1::__function::__func<facebook::react::NativeToJsBridge::runOnExecutorQueue(std::__1::function<void (facebook::react::JSExecutor*)>&&)::$_0, std::__1::allocator<facebook::react::NativeToJsBridge::runOnExecutorQueue(std::__1::function<void (facebook::react::JSExecutor*)>&&)::$_0>, void ()>::operator()() (function.h:428:12)
25 Remitly +0xb0a70c               facebook::react::tryAndReturnError(std::__1::function<void ()> const&) (function.h:428:12)
26 Remitly +0xb1817c               facebook::react::RCTMessageThread::tryFunc(std::__1::function<void ()> const&) (RCTMessageThread.mm:68:20)
27 Remitly +0xb17f80               ___ZN8facebook5react16RCTMessageThread8runAsyncENSt3__18functionIFvvEEE_block_invoke (function.h:428:12)
28 CoreFoundation +0x6c9ac         ___CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__
29 CoreFoundation +0xf184          ___CFRunLoopDoBlocks
30 CoreFoundation +0x10684         ___CFRunLoopRun
31 CoreFoundation +0x11c38         _CFRunLoopRunSpecific
32 Remitly +0xb00450               +[RCTCxxBridge runRunLoop] (RCTCxxBridge.mm:350:12)
33 Foundation +0x75800             ___NSThread__start__
34 libsystem_pthread.dylib +0x3340 __pthread_start

[clr182]

Hi @vivekm-remitly

It seems likely that this issue is due to your initialization of the bugsnag sdk. As you say that you have introduced expo into your application, you may find it more helpful to use our dedicated expo-sdk rather than the react-native SDK: https://github.com/bugsnag/bugsnag-expo/releases

[mjbuchholz]

Hi @vivekm-remitly

It seems likely that this issue is due to your initialization of the bugsnag sdk. As you say that you have introduced expo into your application, you may find it more helpful to use our dedicated expo-sdk rather than the react-native SDK: https://github.com/bugsnag/bugsnag-expo/releases

Yes we are investigating migrating to the expo release, though we weren't sure we'd be able to given the amount of native code the app contains.

We've opted to attempt a patch similar to the bug fix that went in with #1632 in the hopes it would resolve the issue, we'd like to get your thoughts on. We've added atomic property to the property that was creating the EXC_BAD_ACCESS and we've added @synchronized for additional thread safety

diff --git a/node_modules/@bugsnag/react-native/ios/vendor/bugsnag-cocoa/Bugsnag/Client/BugsnagClient+Private.h b/node_modules/@bugsnag/react-native/ios/vendor/bugsnag-cocoa/Bugsnag/Client/BugsnagClient+Private.h
--- a/node_modules/@bugsnag/react-native/ios/vendor/bugsnag-cocoa/Bugsnag/Client/BugsnagClient+Private.h
+++ b/node_modules/@bugsnag/react-native/ios/vendor/bugsnag-cocoa/Bugsnag/Client/BugsnagClient+Private.h
@@ -38,7 +38,7 @@ BSG_OBJC_DIRECT_MEMBERS
 
 @property (strong, nonatomic) BSGEventUploader *eventUploader;
 
-@property (nonatomic) NSMutableDictionary *extraRuntimeInfo;
+@property (strong, atomic) NSMutableDictionary *extraRuntimeInfo;
 
 @property (atomic) BOOL isStarted;
 
diff --git a/node_modules/@bugsnag/react-native/ios/vendor/bugsnag-cocoa/Bugsnag/Client/BugsnagClient.m b/node_modules/@bugsnag/react-native/ios/vendor/bugsnag-cocoa/Bugsnag/Client/BugsnagClient.m
--- a/node_modules/@bugsnag/react-native/ios/vendor/bugsnag-cocoa/Bugsnag/Client/BugsnagClient.m
+++ b/node_modules/@bugsnag/react-native/ios/vendor/bugsnag-cocoa/Bugsnag/Client/BugsnagClient.m
@@ -994,12 +994,24 @@ - (void)addRuntimeVersionInfo:(NSString *)info
                       withKey:(NSString *)key {
     [self.sessionTracker addRuntimeVersionInfo:info
                                        withKey:key];
-    if (info != nil && key != nil) {
-        self.extraRuntimeInfo[key] = info;
+    @synchronized (self) {
+        // Take a weak reference to avoid holding a potentially dead object
+        __weak NSMutableDictionary *weakDict = self.extraRuntimeInfo;
+        NSMutableDictionary *dict = weakDict;
+
+        if (!dict) {
+            dict = [NSMutableDictionary dictionary];
+            self.extraRuntimeInfo = dict;
+        }
+
+        if (info != nil && key != nil) {
+            dict[key] = info;
+        }
+        [self.state addMetadata:dict withKey:BSGKeyExtraRuntimeInfo toSection:BSGKeyDevice];
     }
-    [self.state addMetadata:self.extraRuntimeInfo withKey:BSGKeyExtraRuntimeInfo toSection:BSGKeyDevice];
 }

[clr182]

Hi @mjbuchholz

Your patch to add the atomic property makes sense for thread safety, Wrapping the mutation login in @synchronized(self) also makes sense here for your use case. Please let us know whether you experience any issues with the runtime information passed.