
I'm currently dealing with a really weird bug in my iOS app. It doesn't happen in the simulator, and it doesn't happen when I recompile the core of the app for x86 and run it on Mac or Linux.

It takes the form of an EXC_BAD_ACCESS when you do some particular thing. The code is 1, which apparently means KERN_INVALID_ADDRESS. In other words, the kernel says nothing is mapped at that address. But when I use the memory region command in lldb, it says there's a page mapped at that address with read and write permissions turned on. I've confirmed with debug logging that the region is mapped with mmap earlier in the program and never unmapped. (I haven't tried calling mach_vm_region_info, but I suspect it would return the same thing.)

So the question is, why would the kernel throw EXC_BAD_ACCESS with code 1 for an address that's apparently valid?

One clue: If you run the app in lldb over USB, run `memory region ptr`, and then run `memory region` with no arguments, LLDB will crash, and the app just continues and works fine. Maybe `memory region ptr` caused some sort of probe that made the kernel realize the pointer was actually valid?

You can reproduce with this commit: https://github.com/tbodt/ish/tree/d935be75ef83784a8d4050b6ad7f96b8b792b481. Install the app, log in as root, and run these commands:

```sh
echo "nameserver 8.8.8.8" > /etc/resolv.conf
apk update
apk add lua
# that should crash the app
```

To repro again, run `apk del lua`, then `apk add lua` again the next time.

tbodt
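The question's diagnostic is done by hand in lldb: take the faulting address and ask whether it lies inside a region the program believes it mapped. The same check can be done from inside the process on a POSIX system (the question mentions the core also builds for Linux and macOS). The program below is an added example, not code from the question or from the iSH project: it records every region handed out by its own `tracked_mmap` helper, installs a `SA_SIGINFO` handler for `SIGSEGV`/`SIGBUS`, and on a fault compares `si_addr` with that record, distinguishing "faulted inside a region we still track" (the situation described in the question, reproduced here with a `PROT_NONE` page) from "faulted on an address we already unmapped". All function and variable names are my own; `si_code` values are the Linux ones.

```c
// Added example (not from the question or the iSH project): classify a memory
// fault by comparing si_addr with the mappings this process believes it owns.
// Built and run on Linux/macOS; all names below are hypothetical helpers.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct mapping { void *base; size_t len; int prot; };
static struct mapping g_maps[16];
static int g_nmaps;

/* mmap wrapper that records every anonymous region it hands out. */
static void *tracked_mmap(size_t len, int prot) {
    void *p = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED || g_nmaps >= 16) return NULL;
    g_maps[g_nmaps++] = (struct mapping){ p, len, prot };
    return p;
}

/* munmap wrapper that also forgets the region, so the record stays honest. */
static void tracked_munmap(void *p) {
    for (int i = 0; i < g_nmaps; i++) {
        if (g_maps[i].base != p) continue;
        munmap(g_maps[i].base, g_maps[i].len);
        g_maps[i] = g_maps[--g_nmaps];
        return;
    }
}

/* Index of the tracked mapping containing addr, or -1 if we never mapped it. */
static int find_mapping(const void *addr) {
    uintptr_t a = (uintptr_t)addr;
    for (int i = 0; i < g_nmaps; i++) {
        uintptr_t b = (uintptr_t)g_maps[i].base;
        if (a >= b && a < b + g_maps[i].len) return i;
    }
    return -1;
}

static sigjmp_buf g_jmp;
static void * volatile g_fault_addr;
static volatile int g_fault_code;

/* Record the faulting address and kernel-supplied code, then unwind to probe(). */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    g_fault_addr = si->si_addr;
    g_fault_code = si->si_code;      /* SEGV_MAPERR vs SEGV_ACCERR on Linux */
    siglongjmp(g_jmp, 1);            /* sigsetjmp(..., 1) restores the signal mask */
}

struct probe_result { int faulted; int tracked_index; int si_code; };

/* Read one byte at addr; report whether it faulted and whether the faulting
 * address lies inside a mapping this process still believes it owns. */
static struct probe_result probe(void *addr) {
    struct probe_result r = { 0, -2, 0 };
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);     /* macOS delivers some faults as SIGBUS */
    if (sigsetjmp(g_jmp, 1) == 0) {
        volatile unsigned char *p = addr;
        volatile unsigned char sink = *p;  /* the actual probe */
        (void)sink;
    } else {
        r.faulted = 1;
        r.si_code = g_fault_code;
        r.tracked_index = find_mapping(g_fault_addr);
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return r;
}

/* Three constructed cases: 0 = readable page, 1 = page we track but mapped
 * PROT_NONE (faults inside a region we believe is ours, as in the question),
 * 2 = page we mapped and then unmapped (faults outside any tracked region). */
static struct probe_result demo(int which) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    if (which == 0) return probe(tracked_mmap(pg, PROT_READ | PROT_WRITE));
    if (which == 1) return probe(tracked_mmap(pg, PROT_NONE));
    void *p = tracked_mmap(pg, PROT_READ);
    tracked_munmap(p);
    return probe(p);
}

int main(void) {
    for (int i = 0; i < 3; i++) {
        struct probe_result r = demo(i);
        printf("case %d: faulted=%d tracked_index=%d si_code=%d\n",
               i, r.faulted, r.tracked_index, r.si_code);
    }
    return 0;
}
```

Case 1 is the interesting one: the fault address resolves to a region the program tracks, so the discrepancy is between what the program (or lldb's `memory region`) believes and what the kernel enforced, and the `si_code` (or on Darwin the Mach exception code) is the only extra hint the kernel gives about why. Case 2 shows what a genuinely stale pointer looks like against the same record.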
  • Cursorily, it looks like an unaligned address may also cause this fault? It would explain why it may not happen on other platforms you cite. See [ARM-Linux trapping unaligned](https://stackoverflow.com/questions/16548059/how-to-trap-unaligned-memory-access) to see if your app has this behaviour. – artless noise Dec 07 '17 at 18:06
  • @artlessnoise It's definitely not an unaligned access, since then the exception code would be EXC_ARM_DA_ALIGN or 257. https://github.com/apple/darwin-xnu/blob/master/osfmk/arm64/sleh.c#L1003 Also the crash happens in memcpy, and the C standard guarantees that memcpy works with unaligned pointers. – tbodt Dec 07 '17 at 21:37
  • True if `is_vm_fault` isn't hit. I just see that someone posted identical codes and the address was un-aligned. It is easy to check; memcpy may have an 'un-aligned pointer' if it gets a bad stack for instance. Anyways, platform dependent memory behavior is usually undefined user code unless you are using bleeding edge kernel software. – artless noise Dec 08 '17 at 19:19
  • @artlessnoise The fault status code is the DFSC of the ISS of the ESR, described on page D7-2280 of the ARMv8 manual. `is_vm_fault` returns true for a number of faults, but an alignment fault is not one of them, that would be `FSC_ALIGNMENT_FAULT`. – tbodt Dec 08 '17 at 19:31

0 Answers