random crash when set zombieCacheSize #155

Closed
Zuikyo opened this issue May 21, 2016 · 7 comments

Comments

@Zuikyo
Contributor

Zuikyo commented May 21, 2016

Hi. I got some random crashes when setting zombieCacheSize, 1.5.6 version. It doesn't happen every time; most of the time it works perfectly. Here is my code:

- (BOOL) application:(__unused UIApplication *) application
didFinishLaunchingWithOptions:(__unused NSDictionary *) launchOptions {
    // some other code: add observers for notifications
    // setStatusBarStyle
    // setStatusBarOrientation
    // registerUserNotificationSettings
    [DYCrashReportManager setDefaultKSCrashHander];
    ......
}

// Class method: the call site above and the +[DYCrashReportManager setDefaultKSCrashHander]
// frame in the crash report both show a class method, not the instance method originally posted.
+ (void) setDefaultKSCrashHander {
    [[KSCrash sharedInstance] install];
    // configureAdvancedSettings is an instance method in the report; how the instance
    // is obtained is not shown in the post, so a fresh one is assumed here
    [[self new] configureAdvancedSettings];
}

- (void) configureAdvancedSettings {
    KSCrash *hander = [KSCrash sharedInstance];
    hander.zombieCacheSize = 16384;   // installs the dealloc hook (kszombie_install)
    hander.searchThreadNames = YES;
    hander.searchQueueNames = YES;
    hander.introspectMemory = YES;
}

And here is the crash report. It seems like KSCrash caused a crash in [[KSCrash sharedInstance] install] or hander.zombieCacheSize = 16384. I checked kszombie_install in KSZombie.m, but I can't figure it out.
I got SIGBUS every time, and the crashed thread always showed "libxpc.dylib". One of my crash reports got the crashed thread name: "Dispatch queue: com.apple.NSXPCConnection.m-user.com.apple.usernotification.notificationregistrar"

Hardware Model:      iPhone8,1
Version:         2.4.3 (2.4.3)
Code Type:       ARM-64
Parent Process:  ? [1]

Date/Time:       2016-05-16 09:39:31.000 +0800
OS Version:      iPhone OS 9.2.1 (13D15)
Report Version:  104

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: 0x00000000 at 0x0000000000000000
Crashed Thread:  4

Thread 0:
0   libsystem_kernel.dylib          0x00000001818ac020 0x181890000 + 114720 (__psynch_rw_unlock + 8)
1   libsystem_pthread.dylib         0x0000000181971b1c 0x181970000 + 6940 (pthread_rwlock_unlock + 380)
2   libobjc.A.dylib                 0x0000000181383754 0x181370000 + 79700 (<redacted> + 20)
3   libobjc.A.dylib                 0x000000018137d4e0 0x181370000 + 54496 (method_setImplementation + 64)
4   MyApp                         0x0000000100908824 0x1000b8000 + 8718372 (kszombie_install + 204)
5   MyApp                         0x000000010044c248 0x1000b8000 + 3752520 (-[DYCrashReportManager configureAdvancedSettings] + 60)
6   MyApp                         0x000000010044b56c 0x1000b8000 + 3749228 (+[DYCrashReportManager setDefaultKSCrashHander] + 100)
7   MyApp                         0x00000001000e55b4 0x1000b8000 + 185780 (-[AppDelegate application:didFinishLaunchingWithOptions:] + 700)
8   UIKit                           0x0000000186a71704 0x1869e8000 + 562948 (<redacted> + 400)
9   UIKit                           0x0000000186ca0130 0x1869e8000 + 2851120 (<redacted> + 2904)
10  UIKit                           0x0000000186ca44b8 0x1869e8000 + 2868408 (<redacted> + 1672)
11  UIKit                           0x0000000186ca15c0 0x1869e8000 + 2856384 (<redacted> + 168)
12  FrontBoardServices              0x00000001832bf790 0x183298000 + 161680 (<redacted> + 184)
13  FrontBoardServices              0x00000001832bfb10 0x183298000 + 162576 (<redacted> + 56)
14  CoreFoundation                  0x0000000181cc0efc 0x181be4000 + 904956 (<redacted> + 24)
15  CoreFoundation                  0x0000000181cc0990 0x181be4000 + 903568 (<redacted> + 540)
16  CoreFoundation                  0x0000000181cbe690 0x181be4000 + 894608 (<redacted> + 724)
17  CoreFoundation                  0x0000000181bed680 0x181be4000 + 38528 (CFRunLoopRunSpecific + 384)
18  UIKit                           0x0000000186a6a580 0x1869e8000 + 533888 (<redacted> + 460)
19  UIKit                           0x0000000186a64d90 0x1869e8000 + 511376 (UIApplicationMain + 204)
20  DuoYiIM                         0x00000001000c8300 0x1000b8000 + 66304 (main + 132)
21  libdyld.dylib                   0x000000018178e8b8 0x18178c000 + 10424 (<redacted> + 4)

Thread 1:
0   libsystem_kernel.dylib          0x00000001818ad4fc 0x181890000 + 120060 (kevent_qos + 8)
1   libdispatch.dylib               0x000000018177094c 0x18175c000 + 84300 (<redacted> + 232)
2   libdispatch.dylib               0x000000018175f7bc 0x18175c000 + 14268 (<redacted> + 52)

Thread 2:
0   libsystem_kernel.dylib          0x00000001818914f8 0x181890000 + 5368 (semaphore_wait_trap + 8)
1   libsystem_platform.dylib        0x000000018196a97c 0x181968000 + 10620 (_os_semaphore_wait + 24)
2   libdispatch.dylib               0x00000001817684ec 0x18175c000 + 50412 (<redacted> + 560)
3   AccessibilityUtilities          0x000000018ae3e1b0 0x18ae18000 + 156080 (<redacted> + 128)
4   libdispatch.dylib               0x000000018175d630 0x18175c000 + 5680 (<redacted> + 24)
5   libdispatch.dylib               0x000000018175d5f0 0x18175c000 + 5616 (<redacted> + 16)
6   libdispatch.dylib               0x0000000181769634 0x18175c000 + 54836 (<redacted> + 864)
7   libdispatch.dylib               0x00000001817610f4 0x18175c000 + 20724 (<redacted> + 464)
8   libdispatch.dylib               0x000000018175d5f0 0x18175c000 + 5616 (<redacted> + 16)
9   libdispatch.dylib               0x000000018176ba88 0x18175c000 + 64136 (<redacted> + 2140)
10  libdispatch.dylib               0x000000018176b224 0x18175c000 + 61988 (<redacted> + 112)
11  libsystem_pthread.dylib         0x0000000181971470 0x181970000 + 5232 (_pthread_wqthread + 1092)

Thread 3:
0   libsystem_kernel.dylib          0x00000001818acb6c 0x181890000 + 117612 (__workq_kernreturn + 8)
1   libsystem_pthread.dylib         0x0000000181971530 0x181970000 + 5424 (_pthread_wqthread + 1284)

Thread 4 Crashed:
0   (null) 0x0000000000000000 0x0 + 0
1   CoreFoundation                  0x0000000181bf5450 0x181be4000 + 70736 (<redacted> + 264)
2   CoreFoundation                  0x0000000181c123c0 0x181be4000 + 189376 (<redacted> + 88)
3   libobjc.A.dylib                 0x0000000181391ae8 0x181370000 + 137960 (<redacted> + 508)
4   libxpc.dylib                    0x00000001819a5358 0x1819a0000 + 21336 (<redacted> + 68)
5   libxpc.dylib                    0x00000001819a3100 0x1819a0000 + 12544 (<redacted> + 2132)
6   libdispatch.dylib               0x000000018175d6ec 0x18175c000 + 5868 (<redacted> + 16)
7   libdispatch.dylib               0x00000001817619d8 0x18175c000 + 23000 (<redacted> + 656)
8   libdispatch.dylib               0x0000000181769808 0x18175c000 + 55304 (<redacted> + 1332)
9   libdispatch.dylib               0x0000000181760aec 0x18175c000 + 19180 (<redacted> + 600)
10  libdispatch.dylib               0x0000000181769808 0x18175c000 + 55304 (<redacted> + 1332)
11  libdispatch.dylib               0x00000001817610f4 0x18175c000 + 20724 (<redacted> + 464)
12  libdispatch.dylib               0x000000018175d5f0 0x18175c000 + 5616 (<redacted> + 16)
13  libdispatch.dylib               0x000000018176ba88 0x18175c000 + 64136 (<redacted> + 2140)
14  libdispatch.dylib               0x000000018176b224 0x18175c000 + 61988 (<redacted> + 112)
15  libsystem_pthread.dylib         0x0000000181971470 0x181970000 + 5232 (_pthread_wqthread + 1092)

Thread 5:
0   libsystem_kernel.dylib          0x00000001818acb6c 0x181890000 + 117612 (__workq_kernreturn + 8)
1   libsystem_pthread.dylib         0x0000000181971530 0x181970000 + 5424 (_pthread_wqthread + 1284)

Thread 6:
0   libsystem_kernel.dylib          0x00000001818914bc 0x181890000 + 5308 (mach_msg_trap + 8)
1   libsystem_kernel.dylib          0x0000000181891338 0x181890000 + 4920 (mach_msg + 72)
2   libsystem_kernel.dylib          0x000000018189566c 0x181890000 + 22124 (thread_suspend + 80)
3   DuoYiIM                         0x0000000100908184 0x1000b8000 + 8716676 (ksmachexc_i_handleExceptions + 112)
4   libsystem_pthread.dylib         0x0000000181973b28 0x181970000 + 15144 (<redacted> + 156)
5   libsystem_pthread.dylib         0x0000000181973a8c 0x181970000 + 14988 (_pthread_start + 156)

Thread 7:

Thread 4 crashed with ARM-64 Thread State:
  cpsr: 0x0000000080000000     fp: 0x000000016e1ba670     lr: 0x0000000181bf5450     pc: 0x0000000000000000 
    sp: 0x000000016e1ba630     x0: 0x0000000145d5e990     x1: 0x00000001873d8d00    x10: 0x0000000000000d77 
   x11: 0x00000001a228b659    x12: 0x00000001a228b659    x13: 0x0000000000000001    x14: 0x000000008000001f 
   x15: 0x0000000080000023    x16: 0x0000000181377108    x17: 0x0000000100ad0c38    x18: 0x0000000000000000 
   x19: 0x0000000145d5e990     x2: 0x0000000000000000    x20: 0x0000000145d5e9c0    x21: 0x0000000000000000 
   x22: 0x000000019ee29000    x23: 0x000000019ee29000    x24: 0x0000000000000000    x25: 0x00000000a1a1a1a1 
   x26: 0x3b0094f615f71df1    x27: 0x000000016e1bb0e0    x28: 0xa3a3a3a3a3a3a3a3    x29: 0x000000016e1ba670 
    x3: 0x000000000000000b     x4: 0x000000000000005f     x5: 0x0000000000000054     x6: 0x0000000145d1dd20 
    x7: 0x0000000000000000     x8: 0x0000000100d7b000     x9: 0x0000000100c5a000 

Notable Addresses:
{
    "stack@0x16e1ba618": {
        "address": 5466614160,
        "class": "__NSArrayM",
        "last_deallocated_obj": "__NSArrayM",
        "type": "objc_object"
    },
    "stack@0x16e1ba630": {
        "address": 5466614160,
        "class": "__NSArrayM",
        "last_deallocated_obj": "__NSArrayM",
        "type": "objc_object"
    },
    "stack@0x16e1ba638": {
        "address": 6977154968,
        "class": "__NSArrayM",
        "type": "objc_class"
    },
    "stack@0x16e1ba660": {
        "address": 6563930377,
        "type": "string",
        "value": "release"
    },
    "stack@0x16e1ba668": {
        "address": 5466639200,
        "class": "NSInvocation",
        "ivars": {
            "_container": {
                "address": 5466614160,
                "class": "__NSArrayM",
                "last_deallocated_obj": "__NSArrayM",
                "type": "objc_object"
            },
            "_retainedArgs": 0,
            "_signature": {
                "address": 5466482432,
                "class": "NSMethodSignature",
                "ivars": {},
                "type": "objc_object"
            }
        },
        "type": "objc_object"
    },
    "x0": {
        "address": 5466614160,
        "class": "__NSArrayM",
        "last_deallocated_obj": "__NSArrayM",
        "type": "objc_object"
    },
    "x1": {
        "address": 6563925248,
        "type": "string",
        "value": "dealloc"
    },
    "x19": {
        "address": 5466614160,
        "class": "__NSArrayM",
        "last_deallocated_obj": "__NSArrayM",
        "type": "objc_object"
    },
    "x28": {
        "address": -6655295901103053917,
        "class": "NSString",
        "type": "objc_object",
        "value": ":::"
    }
}

Application Stats:
{
    "active_time_since_last_crash": 2073.84,
    "active_time_since_launch": 0,
    "application_active": false,
    "application_in_foreground": true,
    "background_time_since_last_crash": 1304.63,
    "background_time_since_launch": 0,
    "launches_since_last_crash": 36,
    "sessions_since_last_crash": 49,
    "sessions_since_launch": 1
}

CrashDoctor Diagnosis: Attempted to dereference null pointer.
@Zuikyo
Contributor Author

Zuikyo commented May 25, 2016

I found something new. In the "Notable Addresses" section, every crash report contains this:

"x1": {
    "address": 6563925248,
    "type": "string",
    "value": "dealloc"
}

So I think maybe the crash was caused by method_setImplementation(class_getInstanceMethod([CLASS class], @selector(dealloc)), (IMP)handleDealloc_ ## CLASS) in KSZombie.m. I'm not sure if method_setImplementation is atomic or not. And I can't reproduce the crash when testing the dealloc method.
Now I've moved [DYCrashReportManager setDefaultKSCrashHander] to the first line in application:didFinishLaunchingWithOptions:. I hope this will solve my problem.

@kstenerud
Owner

This should be fixed in the latest commit. Please let me know if it solves your crash issue.

@Zuikyo
Contributor Author

Zuikyo commented May 30, 2016

Good news! I reproduced the crash by using the code below, on my iOS 9.2.1 iPhone 6s, 1.5.6 version. It's the code from my crashed app:

#import <UIKit/UIKit.h>
#import <KSCrash/KSCrash.h>

- (BOOL) application:(__unused UIApplication *) application
didFinishLaunchingWithOptions:(__unused NSDictionary *) launchOptions
{
    [application setStatusBarStyle:UIStatusBarStyleDefault];
    [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(handleMyNotification:) name:@"myNotification" object:nil];
    [[UIApplication sharedApplication] setStatusBarOrientation:UIInterfaceOrientationPortrait animated:YES];

    // registerUserNotificationSettings: here is where the crashed thread came from
    UIMutableUserNotificationAction *sendMessageAction = [[UIMutableUserNotificationAction alloc] init];
    sendMessageAction.identifier = @"sendMessageAction";
    sendMessageAction.title = @"reply";
    sendMessageAction.activationMode = UIUserNotificationActivationModeBackground;
    sendMessageAction.destructive = NO;
    sendMessageAction.authenticationRequired = NO;
    sendMessageAction.behavior = UIUserNotificationActionBehaviorTextInput;
    sendMessageAction.parameters = @{UIUserNotificationTextInputActionButtonTitleKey:@"send"};

    NSArray *actionArray = @[sendMessageAction];

    UIMutableUserNotificationCategory *notificationCategory = [[UIMutableUserNotificationCategory alloc] init];
    notificationCategory.identifier = @"replyMessageCategory";
    [notificationCategory setActions:actionArray forContext:UIUserNotificationActionContextDefault];

    NSSet *categorySet = [[NSSet alloc] initWithObjects:notificationCategory, nil];
    UIUserNotificationSettings *notificationSettings = [UIUserNotificationSettings settingsForTypes:UIUserNotificationTypeAlert | UIUserNotificationTypeBadge | UIUserNotificationTypeSound categories:categorySet];
    // The registration runs asynchronously on an XPC queue; objects it creates are
    // released on that queue while the crash handler below is still being installed.
    [[UIApplication sharedApplication] registerUserNotificationSettings:notificationSettings];

    [application registerForRemoteNotifications];

    [self installCrashHandler];

    return YES;
}

- (void) installCrashHandler
{
    KSCrash *handler = [KSCrash sharedInstance];
    [handler install];
    [self configureAdvancedSettings];
}

- (void) configureAdvancedSettings
{
    KSCrash* handler = [KSCrash sharedInstance];
    handler.zombieCacheSize = 16384;   // triggers kszombie_install and the dealloc swizzle
    handler.userInfo = @{@"someKey": @"someValue"};
    handler.searchThreadNames = YES;
    handler.searchQueueNames = YES;
    handler.introspectMemory = YES;
}

- (void)application:(UIApplication *)application didRegisterUserNotificationSettings:(UIUserNotificationSettings *)notificationSettings {
    NSLog(@"didRegisterUserNotificationSettings");
}

- (void)application:(UIApplication *)application didRegisterForRemoteNotificationsWithDeviceToken:(NSData *)deviceToken {
    NSLog(@"didRegisterForRemoteNotificationsWithDeviceToken");
}

And I unfolded CREATE_ZOMBIE_HANDLER_INSTALLER(NSObject) in KSZombie.m for debugging:

#import <objc/runtime.h>

// Original -[NSObject dealloc] IMP, filled in by installDealloc_NSObject()
static IMP g_originalDealloc_NSObject;

// Replacement dealloc: record the zombie, then chain to the original IMP.
// If g_originalDealloc_NSObject has not been stored yet, f is NULL and this crashes.
static void handleDealloc_NSObject(id self, SEL _cmd)
{
    handleDealloc(self);   // KSZombie.m's own bookkeeping for the zombie cache
    typedef void (*fn)(id,SEL);
    fn f = (fn)g_originalDealloc_NSObject;
    f(self, _cmd);
}

// Swaps in the hook; the old IMP is only saved after method_setImplementation returns
static void installDealloc_NSObject(void)
{
    g_originalDealloc_NSObject = method_setImplementation(class_getInstanceMethod([NSObject class], @selector(dealloc)),
                                                           (IMP)handleDealloc_NSObject);
}

static void uninstallDealloc_NSObject(void)
{
    method_setImplementation(class_getInstanceMethod([NSObject class], @selector(dealloc)), g_originalDealloc_NSObject);
}

It's very hard to reproduce. I ran my app over 100 times and only got 2 crashes.
It crashed at f(self, _cmd) in handleDealloc_NSObject(id self, SEL _cmd), because g_originalDealloc_NSObject is NULL.

I think that's because in installDealloc_NSObject(), method_setImplementation() had already changed the implementation but hadn't returned the old implementation to g_originalDealloc_NSObject yet. At the same moment, in another thread, an object invoked dealloc, so handleDealloc_NSObject() hit a null pointer.
This problem still exists after the latest commit.
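
The race described in the comment above, as a constructed C model added here (not KSCrash code): g_method_slot stands in for the class's dealloc Method entry, sim_method_setImplementation for the runtime call, and the other thread's dealloc is forced into the window between publishing the hook and storing the old IMP. The second installer shows the order that closes that window, and the hook refuses a NULL IMP rather than calling through it.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Constructed model of the dealloc-hook race (added example, not KSCrash code).
   g_method_slot stands in for the class's dealloc Method entry,
   g_original_dealloc for g_originalDealloc_NSObject. */
typedef void (*imp_t)(void *obj);

static _Atomic(imp_t) g_method_slot;      /* what objc_msgSend dispatches to */
static imp_t g_original_dealloc;          /* saved IMP the hook chains to */
static int g_original_calls;              /* times the real dealloc ran */
static int g_null_imp_seen;               /* times the hook found no saved IMP */
static void original_dealloc(void *obj) { (void)obj; g_original_calls++; }

/* Mirrors handleDealloc_NSObject, except a NULL saved IMP is counted and
   skipped instead of being called (that call through NULL is the SIGBUS). */
static void hook_dealloc(void *obj) {
    imp_t next = g_original_dealloc;
    if (next == NULL) { g_null_imp_seen++; return; }
    next(obj);
}

/* Like method_setImplementation: publish the new IMP, then hand back the old. */
static imp_t sim_method_setImplementation(imp_t new_imp) {
    return atomic_exchange(&g_method_slot, new_imp);
}

/* Like objc_msgSend(obj, @selector(dealloc)) on another thread. */
static void dispatch_dealloc(void *obj) {
    imp_t imp = atomic_load(&g_method_slot);
    imp(obj);
}
static void reset(void) {
    atomic_store(&g_method_slot, original_dealloc);
    g_original_dealloc = NULL; g_original_calls = 0; g_null_imp_seen = 0;
}

/* Order used in KSZombie.m: the hook is live before the static is written. The
   dealloc is forced into that window so the interleaving is deterministic. */
static int racy_install_with_concurrent_dealloc(void) {
    reset();
    imp_t old = sim_method_setImplementation(hook_dealloc); /* hook now live */
    dispatch_dealloc(NULL);   /* other thread deallocs: saved IMP still NULL */
    g_original_dealloc = old; /* too late for the call above */
    return g_null_imp_seen;   /* 1 */
}

/* Hardened order: read and save the current IMP first, then publish the hook. */
static int safe_install_with_concurrent_dealloc(void) {
    reset();
    g_original_dealloc = atomic_load(&g_method_slot); /* method_getImplementation */
    sim_method_setImplementation(hook_dealloc);
    dispatch_dealloc(NULL);   /* hook chains to the real dealloc */
    return g_null_imp_seen;   /* 0 */
}
```

In the real runtime the saved IMP must also become visible to the other core before the hook does; thread 0 of the report shows method_setImplementation holding an rwlock, so with the hardened order the store to the static precedes that lock's release, whereas the original order has nothing to order before the hook goes live.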

@kstenerud
Owner

I don't think you're using the latest commit. If you were, handler.zombieCacheSize = 16384; would not compile, since I've removed that API.

@Zuikyo
Contributor Author

Zuikyo commented May 31, 2016

Sorry, I reproduced the crash using the 1.5.6 version framework. I read the installDealloc_NSObject() function of the latest commit and it's the same as the 1.5.6 version, that's why I guessed the problem still exists.
Now I've run the latest commit version. It looks like the zombie catch feature has been disabled, because the install() function in KSZombie.m is never invoked.

@kstenerud
Owner

Bleh. Can you try the latest commit, please? I've fixed the enable/disable code.

@Zuikyo
Contributor Author

Zuikyo commented Jun 2, 2016

Congratulations! I've run the latest commit version with my test code over 200 times, and it never crashed. I think the problem has been fixed.
