
I know EXC_BAD_ACCESS & Zombies, and how to find them in the normal way. But what I face now is very, very confusing, at least to me.

Background

I have a multi-account app, in which the user can log in to many accounts at the same time.

The app works well with only one account on, but when the user really logs in to more and more accounts, the app becomes more and more vulnerable as well, crashing randomly but mostly on app launch. Not 8badf00d, but EXC_BAD_ACCESS (SIGSEGV) / KERN_INVALID_ADDRESS.

Code Architecture

Objective-C - Application level, including UI.
|
Objective-C & C++ - Account Context, including login logic.
|
C++ - Net/Communication level, including sockets.

Notification & Delegation are both used between levels.

Reproduce

Double-tap the Home button, swipe the app out to kill it, then tap the app icon to relaunch it. After passing Touch ID, the app logs in the accounts and randomly crashes, resulting in many different crash logs, no matter whether the device is an iPhone 6s Plus or an iPhone 5s/5c/5, on iOS 8 or iOS 9.

The memory usage is not high, just several tens of MB.

Crash Log No.1

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000100000048
Triggered by Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib                 0x0000000180b8dbd0 objc_msgSend + 16
1   CoreFoundation                  0x00000001814c7fe0 -[_CFXNotificationObjectRegistration match:matching:] + 152
2   CoreFoundation                  0x0000000181573704 -[_CFXNotificationNameRegistration match:observer:matching:] + 372
3   CoreFoundation                  0x0000000181518778 -[_CFXNotificationRegistrar match:object:observer:enumerator:] + 1968
4   CoreFoundation                  0x0000000181415894 _CFXNotificationRemoveObservers + 164
5   Foundation                      0x0000000181de3510 -[NSNotificationCenter removeObserver:name:object:] + 236
6   Foundation                      0x0000000181df036c -[__NSObserver dealloc] + 48
7   UIKit                           0x000000018639d12c -[_UIBackdropView dealloc] + 280
8   libobjc.A.dylib                 0x0000000180b95ae8 (anonymous namespace)::AutoreleasePoolPage::pop(void*) + 508
9   CoreFoundation                  0x00000001813f142c _CFAutoreleasePoolPop + 28
10  UIKit                           0x00000001864bdf94 _prepareForCAFlush + 352
11  UIKit                           0x00000001861fe8f4 _UIApplicationHandleEventQueue + 5880
12  CoreFoundation                  0x00000001814c4efc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
13  CoreFoundation                  0x00000001814c4910 __CFRunLoopDoSources0 + 412
14  CoreFoundation                  0x00000001814c2690 __CFRunLoopRun + 724
15  CoreFoundation                  0x00000001813f1680 CFRunLoopRunSpecific + 384
16  GraphicsServices                0x0000000182900088 GSEventRunModal + 180
17  UIKit                           0x0000000186268d90 UIApplicationMain + 204
18  MultiAccountApp                 0x0000000100095254 main (main.m:19)
19  libdyld.dylib                   0x0000000180f928b8 start + 4

Thread 1:
0   libsystem_pthread.dylib         0x000000018117501c start_wqthread + 0

Thread 2 name:  Dispatch queue: com.apple.libdispatch-manager
Thread 2:
0   libsystem_kernel.dylib          0x00000001810b14fc kevent_qos + 8
1   libdispatch.dylib               0x0000000180f7494c _dispatch_mgr_invoke + 232
2   libdispatch.dylib               0x0000000180f637bc _dispatch_source_invoke + 0

Crash Log No.2

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000000
Triggered by Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib                 0x0000000180b7e5f4 _class_getNonMetaClass + 212
1   libobjc.A.dylib                 0x0000000180b7e5f0 _class_getNonMetaClass + 208
2   libobjc.A.dylib                 0x0000000180b7accc _class_resolveMethod + 112
3   libobjc.A.dylib                 0x0000000180b839a8 lookUpImpOrForward + 360
4   libobjc.A.dylib                 0x0000000180b837b4 class_getInstanceMethod + 64
5   Foundation                      0x0000000181e1530c +[NSObject(NSKeyValueObservingCustomization) keyPathsForValuesAffectingValueForKey:] + 236
6   Foundation                      0x0000000181e14ff8 -[NSKeyValueUnnestedProperty _givenPropertiesBeingInitialized:getAffectingProperties:] + 184
7   Foundation                      0x0000000181e14d14 -[NSKeyValueUnnestedProperty _initWithContainerClass:key:propertiesBeingInitialized:] + 152
8   Foundation                      0x0000000181e14bec NSKeyValuePropertyForIsaAndKeyPathInner + 284
9   Foundation                      0x0000000181e11508 NSKeyValuePropertyForIsaAndKeyPath + 152
10  Foundation                      0x0000000181e27ddc _NSKeyValueCreateImplicitObservationInfo + 248
11  CoreData                        0x0000000182fa1764 -[NSManagedObjectContext(_NSInternalNotificationHandling) _implicitObservationInfoForEntity:forResultingClass:] + 300
12  CoreData                        0x0000000182fa162c -[NSManagedObject(_NSInternalMethods) _implicitObservationInfo] + 96
13  Foundation                      0x0000000181de2840 -[NSObject(NSKeyValueObserverNotification) willChangeValueForKey:] + 160
14  CoreData                        0x0000000183002c2c -[NSManagedObject(_NSInternalMethods) _updateFromRefreshSnapshot:includingTransients:] + 628
15  CoreData                        0x0000000183015b54 -[NSManagedObjectContext(_NestedContextSupport) _copyChildObject:toParentObject:fromChildContext:] + 924
16  CoreData                        0x0000000183015f70 -[NSManagedObjectContext(_NestedContextSupport) _parentProcessSaveRequest:inContext:error:] + 996
17  CoreData                        0x0000000183016a44 __82-[NSManagedObjectContext(_NestedContextSupport) executeRequest:withContext:error:]_block_invoke + 348
18  CoreData                        0x0000000183018d80 internalBlockToNSManagedObjectContextPerform + 108
19  libdispatch.dylib               0x0000000180f615f0 _dispatch_client_callout + 16
20  libdispatch.dylib               0x0000000180f70c5c _dispatch_barrier_sync_f_slow_invoke + 644
21  libdispatch.dylib               0x0000000180f615f0 _dispatch_client_callout + 16
22  libdispatch.dylib               0x0000000180f66cf8 _dispatch_main_queue_callback_4CF + 1844
23  CoreFoundation                  0x00000001814c4bb0 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 12
24  CoreFoundation                  0x00000001814c2a18 __CFRunLoopRun + 1628
25  CoreFoundation                  0x00000001813f1680 CFRunLoopRunSpecific + 384
26  GraphicsServices                0x0000000182900088 GSEventRunModal + 180
27  UIKit                           0x0000000186268d90 UIApplicationMain + 204
28  MultiAccountApp                 0x0000000100085254 main (main.m:19)
29  libdyld.dylib                   0x0000000180f928b8 start + 4

Thread 1:
0   libsystem_kernel.dylib          0x00000001810b0b6c __workq_kernreturn + 8
1   libsystem_pthread.dylib         0x0000000181175530 _pthread_wqthread + 1284
2   libsystem_pthread.dylib         0x0000000181175020 start_wqthread + 4

Thread 2 name:  Dispatch queue: com.apple.libdispatch-manager
Thread 2:
0   libsystem_kernel.dylib          0x00000001810b14fc kevent_qos + 8
1   libdispatch.dylib               0x0000000180f7494c _dispatch_mgr_invoke + 232
2   libdispatch.dylib               0x0000000180f637bc _dispatch_source_invoke + 0

Crash Log No.3

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000100000038
Triggered by Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib                 0x0000000180b8dbd0 objc_msgSend + 16
1   QuartzCore                      0x0000000183c3bad0 CA::Render::String::new_string(__CFString const*) + 36
2   QuartzCore                      0x0000000183c3c46c -[CABackdropLayer _copyRenderLayer:layerFlags:commitFlags:] + 144
3   QuartzCore                      0x0000000183c0ac54 CA::Context::commit_layer(CA::Layer*, unsigned int, unsigned int, void*) + 108
4   QuartzCore                      0x0000000183c079cc CA::Layer::commit_if_needed(CA::Transaction*, void (*)(CA::Layer*, unsigned int, unsigned int, void*), void*) + 392
5   QuartzCore                      0x0000000183c0795c CA::Layer::commit_if_needed(CA::Transaction*, void (*)(CA::Layer*, unsigned int, unsigned int, void*), void*) + 280
6   QuartzCore                      0x0000000183c0795c CA::Layer::commit_if_needed(CA::Transaction*, void (*)(CA::Layer*, unsigned int, unsigned int, void*), void*) + 280
7   QuartzCore                      0x0000000183c0795c CA::Layer::commit_if_needed(CA::Transaction*, void (*)(CA::Layer*, unsigned int, unsigned int, void*), void*) + 280
8   QuartzCore                      0x0000000183c0795c CA::Layer::commit_if_needed(CA::Transaction*, void (*)(CA::Layer*, unsigned int, unsigned int, void*), void*) + 280
9   QuartzCore                      0x0000000183c07750 x_hash_table_foreach + 72
10  QuartzCore                      0x0000000183c06cc8 CA::Transaction::foreach_root(void (*)(CA::Layer*, void*), void*) + 40
11  QuartzCore                      0x0000000183c050f0 CA::Context::commit_transaction(CA::Transaction*) + 1368
12  QuartzCore                      0x0000000183c049dc CA::Transaction::commit() + 512
13  UIKit                           0x00000001864bde20 __84-[UIApplication _handleApplicationActivationWithScene:transitionContext:completion:]_block_invoke_2 + 104
14  CoreFoundation                  0x00000001814c4de4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 20
15  CoreFoundation                  0x00000001814c471c __CFRunLoopDoBlocks + 308
16  CoreFoundation                  0x00000001814c26a4 __CFRunLoopRun + 744
17  CoreFoundation                  0x00000001813f1680 CFRunLoopRunSpecific + 384
18  GraphicsServices                0x0000000182900088 GSEventRunModal + 180
19  UIKit                           0x0000000186268d90 UIApplicationMain + 204
20  MultiAccountApp                 0x000000010009d254 main (main.m:19)
21  libdyld.dylib                   0x0000000180f928b8 start + 4

Crash Log No.4

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000100000048
Triggered by Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib                 0x0000000180b8dbd0 objc_msgSend + 16
1   CoreFoundation                  0x00000001813f93e0 -[__NSArrayM dealloc] + 152
2   libobjc.A.dylib                 0x0000000180b95ae8 (anonymous namespace)::AutoreleasePoolPage::pop(void*) + 508
3   CoreFoundation                  0x00000001813f142c _CFAutoreleasePoolPop + 28
4   CoreFoundation                  0x00000001814c2a20 __CFRunLoopRun + 1636
5   CoreFoundation                  0x00000001813f1680 CFRunLoopRunSpecific + 384
6   GraphicsServices                0x0000000182900088 GSEventRunModal + 180
7   UIKit                           0x0000000186268d90 UIApplicationMain + 204
8   MultiAccountApp                 0x00000001000f5254 main (main.m:19)
9   libdyld.dylib                   0x0000000180f928b8 start + 4

Thread 1:
0   libsystem_kernel.dylib          0x00000001810b0b6c __workq_kernreturn + 8
1   libsystem_pthread.dylib         0x0000000181175530 _pthread_wqthread + 1284
2   libsystem_pthread.dylib         0x0000000181175020 start_wqthread + 4

Crash Log No.5

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000100000050
Triggered by Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib                 0x0000000180b8dbd0 objc_msgSend + 16
1   CoreFoundation                  0x00000001814c7fe0 -[_CFXNotificationObjectRegistration match:matching:] + 152
2   CoreFoundation                  0x0000000181573704 -[_CFXNotificationNameRegistration match:observer:matching:] + 372
3   CoreFoundation                  0x0000000181518778 -[_CFXNotificationRegistrar match:object:observer:enumerator:] + 1968
4   CoreFoundation                  0x0000000181415894 _CFXNotificationRemoveObservers + 164
5   Foundation                      0x0000000181de3510 -[NSNotificationCenter removeObserver:name:object:] + 236
6   UIKit                           0x00000001863a0948 -[UINavigationController dealloc] + 140
7   CoreFoundation                  0x00000001813f5380 -[__NSArrayI dealloc] + 80
8   UIKit                           0x00000001864b0cb4 _runAfterCACommitDeferredBlocks + 616
9   UIKit                           0x00000001864be030 _cleanUpAfterCAFlushAndRunDeferredBlocks + 92
10  CoreFoundation                  0x00000001814c4de4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 20
11  CoreFoundation                  0x00000001814c471c __CFRunLoopDoBlocks + 308
12  CoreFoundation                  0x00000001814c26a4 __CFRunLoopRun + 744
13  CoreFoundation                  0x00000001813f1680 CFRunLoopRunSpecific + 384
14  GraphicsServices                0x0000000182900088 GSEventRunModal + 180
15  UIKit                           0x0000000186268d90 UIApplicationMain + 204
16  MultiAccountApp                 0x0000000100099254 main (main.m:19)
17  libdyld.dylib                   0x0000000180f928b8 start + 4

Though I have the logs in hand, I still have no idea how to solve it. Maybe the address space has been dirtied? Forcibly / unintentionally modified by the C++ level?

Thanks in advance.

Jason Lee
  • Those all look like different bugs in your code. – trojanfoe Feb 05 '16 at 07:22
  • Impossible to guess. A possible scenario is that you're storing stale or uninitialised pointers somewhere, as the targets for `objc_msgSend` are clearly invalid. The lack of NSZombies also hints at the issue being in the C++ "universe". – molbdnilo Feb 05 '16 at 07:48
  • The words `randomly crash` make me think of a `race condition`. Are there many threads? Does one thread release resources which are used by another thread? Add more `NSLog()` calls to trace the behavior of the application, to help you find out the reason why. – AechoLiu Feb 05 '16 at 08:11
  • @molbdnilo Yeah, C++ is suspect. – Jason Lee Feb 07 '16 at 01:03
  • @trojanfoe I don't think so :) please look here http://stackoverflow.com/questions/35197217/ios-class-classmethod-results-in-unrecognized-selector-sent – Jason Lee Feb 07 '16 at 01:04
  • I don't think they are different errors? Why is that? – trojanfoe Feb 07 '16 at 10:31
  • @trojanfoe we've found that in the C-level code, an out-of-range array write exists. – Jason Lee Feb 16 '16 at 02:41

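The last comment names the root cause: an out-of-range array write in the C-level code. The C below is an added illustration, not code from the question or from the app, of why such a write surfaces far away as an objc_msgSend crash: a net-layer receive buffer that sits next to a reference to an Objective-C object gets overrun, nothing fails at the time, and the garbage pointer is only dereferenced later when Foundation tears the object down. The record layout, the field names and the 40-byte frame are constructed assumptions; the hardened copy routine shows the bounds check that prevents the corruption.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical account-context record (assumed layout, not the app's): a
 * fixed-size receive buffer directly followed by an 8-byte reference to an
 * Objective-C object, kept as one flat byte array so the overrun below
 * stays inside the record and within defined C behaviour. */
#define RECV_BUF_SIZE 32
#define RECORD_SIZE   (RECV_BUF_SIZE + sizeof(uint64_t))
typedef struct { unsigned char mem[RECORD_SIZE]; } account_record;

static void record_init(account_record *r, uint64_t obj_ref) {
    memset(r->mem, 0, sizeof r->mem);
    memcpy(r->mem + RECV_BUF_SIZE, &obj_ref, sizeof obj_ref);
}

/* Object reference stored right after the receive buffer. */
uint64_t record_obj_ref(const account_record *r) {
    uint64_t v;
    memcpy(&v, r->mem + RECV_BUF_SIZE, sizeof v);
    return v;
}

/* Bug pattern from the comments: a frame is copied without a length check.
 * Anything longer than RECV_BUF_SIZE silently overwrites obj_ref; the crash
 * only comes later, when Foundation messages the garbage pointer. */
void unchecked_copy(account_record *r, const unsigned char *frame, size_t len) {
    memcpy(r->mem, frame, len);          /* demo keeps len <= RECORD_SIZE */
}

/* Hardened form: refuse what does not fit, so the caller can log and drop
 * the frame instead of corrupting the neighbouring fields. */
int checked_copy(account_record *r, const unsigned char *frame, size_t len) {
    if (len > RECV_BUF_SIZE) return -1;
    memcpy(r->mem, frame, len);
    return 0;
}

/* Feeds a constructed 40-byte frame of 'A's through either routine and
 * returns the object reference as it looks afterwards. */
uint64_t obj_ref_after_copy(int use_checked) {
    account_record r;
    unsigned char frame[40];
    memset(frame, 0x41, sizeof frame);
    record_init(&r, 0x100004000ULL);     /* constructed, plausible address */
    if (use_checked) checked_copy(&r, frame, sizeof frame);
    else unchecked_copy(&r, frame, sizeof frame);
    return record_obj_ref(&r);
}
```

With the unchecked routine the stored reference comes back as 0x4141414141414141, the kind of value objc_msgSend was handed in the logs above; with the checked routine it stays at the original address and the oversized frame is rejected.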