Skip to content

fix(macos): guard WebView async callback against use-after-free (macOS 26.5 crash/hang)#11052

Merged
lanewei120 merged 1 commit into
bambulab:masterfrom
BenJule:fix/macos-webview-uaf
Jun 11, 2026
Merged

fix(macos): guard WebView async callback against use-after-free (macOS 26.5 crash/hang)#11052
lanewei120 merged 1 commit into
bambulab:masterfrom
BenJule:fix/macos-webview-uaf

Conversation

@BenJule

@BenJule BenJule commented Jun 6, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Problem

On macOS 26.5 / 26.5.1, BambuStudio either hangs for a long time on startup (#10968) or crashes within ~20 s of launch (#11004), with steadily growing memory use in both cases. The crash is an Apple-Silicon pointer-authentication failure:

Exception: EXC_BAD_ACCESS (SIGSEGV)
Subtype:   KERN_INVALID_ADDRESS ... possible pointer authentication failure

0  BambuStudio  WebView::CreateWebView(...)::$_0::operator()(wxWebView*) const + 240
1  BambuStudio  wxAsyncMethodCallEventFunctor<...>::Execute() + 156

Likely cause

WebView::CreateWebView registers the "wx" script message handler from a CallAfter() callback. The callback captures the raw webView pointer and calls AddScriptMessageHandler() on it.

The stack (a CreateWebView lambda invoked from wxAsyncMethodCallEventFunctor::Execute, failing with a PAC error on a corrupted pointer) is consistent with the WebKit view being torn down before this async callback runs, so the callback would dereference a freed wxWebView* (use-after-free). I am inferring the use-after-free from the stack and the PAC failure — I have not confirmed it with a heap / ASan trace — but the captured raw pointer makes it possible and it is the most likely explanation. On Apple Silicon a corrupted pointer trips pointer authentication → hard crash; elsewhere the same path surfaces as the long startup hang.

The same hazard applies to g_delay_webviews, which holds raw pointers that are never cleared when a view is destroyed.

Fix

  • In the CallAfter lambda, check g_webviews (the list of live views) and bail out if webView has already been destroyed.
  • In ~WebViewRef, also remove the view from g_delay_webviews, so a later flush of the delayed list can never touch a freed view.

Small, self-contained change: no effect on Windows (the block runs synchronously there) and no functional change on the healthy path. The guards are defensive and correct regardless of whether the use-after-free is the exact mechanism.

Fixes #11004
Fixes #10968

@BenJule
fix(macos): guard WebView async callback against use-after-free
adc6410 
On macOS 26.5+ the wxWebView created in WebView::CreateWebView can be
destroyed before the CallAfter() callback that registers the "wx" script
message handler fires. The callback captured the raw webView pointer and
called AddScriptMessageHandler() on it unconditionally, dereferencing a
dangling pointer. On Apple Silicon this trips pointer authentication and
crashes (EXC_BAD_ACCESS / PAC failure); elsewhere it shows up as a long
startup hang with steadily growing memory use.

Guard the async callback by checking g_webviews (the list of live views)
before touching the webView, and also remove a view from g_delay_webviews
in ~WebViewRef so a pending flush never reaches an already-destroyed view.

Fixes bambulab#11004
Fixes bambulab#10968
@BenJule

BenJule commented Jun 6, 2026

Copy link
Copy Markdown
Contributor Author

Note on the failing Build All (macos-15, arm64) / Build Deps check: this failure is not caused by this PR.

This PR only touches src/slic3r/GUI/Widgets/WebView.cpp — it changes no dependencies — and the build never reaches the source step; it fails earlier while building Assimp's bundled zlib:

FAILED: contrib/zlib/CMakeFiles/zlibstatic.dir/zutil.c.o
.../MacOSX15.5.sdk/usr/include/_stdio.h:318:7: error: expected identifier or '('

Assimp's vendored contrib/zlib defines an fdopen macro that no longer parses against the macOS 15+ SDK headers, so ASSIMP_BUILD_ZLIB=ON breaks the dependency build on macOS. This is a pre-existing failure on master that currently affects every PR's macOS deps build.

It is fixed by #11051 (fix(deps): use system zlib for Assimp on macOS/Linux). Once that lands, this PR's macOS CI should pass on a rebase — the two changes are independent.

This was referenced Jun 6, 2026
Closed
Merged
BenJule added a commit to BenJule/BambuStudio that referenced this pull request Jun 6, 2026
@BenJule
fix: backport 2.7.1 crash fixes (macOS 26 WebView UAF + MakerWorld 3M…
a202841 
…F NULL-deref) (#490)

Backports my two upstream crash fixes into the fork via develop.

- **WebView use-after-free** (macOS 26.5+ PAC crash / hang) — upstream
bambulab#11052, bambulab bambulab#11004/bambulab#10968
- **load_object_volume NULL-deref** (MakerWorld 3MF crash) — upstream
bambulab#11053, bambulab bambulab#11016/bambulab#11037

Both are small defensive guards, verified upstream. WebView.cpp +14,
3DScene.cpp +9.

Closes #489
@lanewei120 lanewei120 requested a review from tonghao-bbl June 11, 2026 02:01
tonghao-bbl
tonghao-bbl reviewed Jun 11, 2026
View reviewed changes

@tonghao-bbl tonghao-bbl left a comment
edited
Loading

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM @lanewei120

@lanewei120 lanewei120 merged commit 2be9db9 into bambulab:master Jun 11, 2026
14 of 17 checks passed
@lanewei120

lanewei120 commented Jun 11, 2026

Copy link
Copy Markdown
Collaborator

thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tonghao-bbl tonghao-bbl tonghao-bbl left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Crash on launch: PAC failure in WebView::CreateWebView (macOS 26.5.1, ARM64) Very long loading time since 2.7.1.57

3 participants

@BenJule @lanewei120 @tonghao-bbl