Crash in ODCConfigFetcher PSM request serialization (std::string destructor) after fetching PSM/ODMv2 config

[jacksonon]

Description

Summary

When ODC PSM/ODMv2 is enabled and the device successfully fetches the config, the app crashes shortly after launch (reproducible). Crash happens in a background thread during PSM request building/serialization.

Environment

• Platform: iOS
• App type: Shipping build (production + demo both affected)
• Engine: UE 5.6 (caller only)
• ODC SDK: [version(s) you tested: e.g., 2.2.0 / 3.1.0 / 3.2.0]
• Device(s): [model(s)]
• iOS version(s): [e.g., 26.0]
• Region / locale: [only occurs when config fetch succeeds in certain regions]
• Network: [Wi-Fi / cellular]

Steps to Reproduce

1. Install and launch the app on a device where ODC can successfully fetch PSM/ODMv2 config.
2. Wait shortly after launch (no specific UI action required).
3. Observe the crash.

Expected Behavior

No crash; PSM/ODMv2 config fetch and request build completes successfully.

Actual Behavior

App aborts with SIGABRT in libsystem_malloc (process terminated by allocator).

Crash Signature / Stack (key frames)

• Signal: SIGABRT
• Error: ___BUG_IN_CLIENT_OF_LIBMALLOC_POINTER_BEING_FREED_WAS_NOT_ALLOCATED
• libc++: std::__1::basic_string<...>::~basic_string()
• ODC call chain:
  • -[ODCConfigFetcher executeTask]
  • -[ODCConfigFetcher handlePSMConfigResponse:data:error:]
  • -[ODCConfigFetcher createPSMRequestWithData:error:]

Thread 5 Crashed:
0   libsystem_kernel.dylib        	       0x2311390cc __pthread_kill + 8
1   libsystem_pthread.dylib       	       0x1e3dc5810 pthread_kill + 267
2   libsystem_c.dylib             	       0x194604fac __abort + 131
3   libsystem_c.dylib             	       0x194604f28 abort + 135
4   libsystem_malloc.dylib        	       0x1941bdba8 malloc_vreport + 891
5   libsystem_malloc.dylib        	       0x1941bd820 malloc_report + 63
6   libsystem_malloc.dylib        	       0x1941b1714 ___BUG_IN_CLIENT_OF_LIBMALLOC_POINTER_BEING_FREED_WAS_NOT_ALLOCATED + 75
7   libc++.1.dylib                	       0x197e6d870 std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::~basic_string() + 43
8   xxx-IOS-Shipping           	       0x101635c1c -[ODCConfigFetcher createPSMRequestWithData:error:] + 1947
9   xxx-IOS-Shipping           	       0x101635364 -[ODCConfigFetcher handlePSMConfigResponse:data:error:] + 383
10  xxx-IOS-Shipping           	       0x101635158 __31-[ODCConfigFetcher executeTask]_block_invoke + 111
11  libdispatch.dylib             	       0x1c0945adc _dispatch_call_block_and_release + 31
12  libdispatch.dylib             	       0x1c095f7ec _dispatch_client_callout + 15
13  libdispatch.dylib             	       0x1c094e468 _dispatch_lane_serial_drain + 739
14  libdispatch.dylib             	       0x1c094ef44 _dispatch_lane_invoke + 387
15  libdispatch.dylib             	       0x1c09593ec _dispatch_root_queue_drain_deferred_wlh + 291
16  libdispatch.dylib             	       0x1c0958ce4 _dispatch_workloop_worker_thread + 691
17  libsystem_pthread.dylib       	       0x1e3dbf3b8 _pthread_wqthread + 291
18  libsystem_pthread.dylib       	       0x1e3dbe8c0 start_wqthread + 7

Notes / Analysis

• The crash appears to be inside ODC’s internal C++ implementation when building the PSM request (likely a lifetime/ownership issue around strings, leading to heap corruption detected by libmalloc).
• The app/engine is only the caller; the crash is inside the third-party SDK path.

Mitigation We Used (Temporary)

We replaced -[ODCConfigFetcher createPSMRequestWithData:error:] with a no-op at runtime (swizzling) to bypass PSM/ODMv2 request building, which prevents the crash.
Request: please provide an official fix or an official supported workaround (SDK-side or config-side).

Impact Question

What is the expected impact of disabling/bypassing PSM/ODMv2 request building on:

• conversion measurement / attribution accuracy
• reporting completeness
• modeling / frequency capping (if applicable)

Reproducing the issue

1. Successfully integrated the SDK into a UE5.6 project, configured it, and built a shipping package.
2. Install and launch the app on a device where ODC can successfully fetch PSM/ODMv2 config.
3. Wait shortly after launch (no specific UI action required).
4. Observe the crash.

Firebase SDK Version

12.6.0

Xcode Version

26.0

Installation Method

Zip

Firebase Product(s)

Analytics

Targeted Platforms

iOS

Relevant Log Output

If using Swift Package Manager, the project's Package.resolved

Expand Package.resolved snippet

Replace this line with the contents of your Package.resolved.

If using CocoaPods, the project's Podfile.lock

Expand Podfile.lock snippet

Replace this line with the contents of your Podfile.lock!

[rizafran]

Thanks for reporting, @jacksonon. I'm not sure if this issue is related, but the stack trace also includes BUG_IN_CLIENT_OF_LIBMALLOC_POINTER_BEING_FREED_WAS_NOT_ALLOCATED and std::__1::basic_string. Maybe you could check the steps provided by the engineer here?