App receives SIGTRAP and crashes at os_unfair_lock_unowned_unlock

I am getting a SIGTRAP crash.


The app receives SIGTRAP and crashes at os_unfair_lock_unowned_unlock; it looks like `@synchronized` causes the SIGTRAP.

This crash only happens on iOS 12; iOS 11 and 10 are free of it.


The app is downloaded from the App Store, so why can a release app receive a debug signal, SIGTRAP? And how do I fix this crash?



Crash Detail:



Hardware Model: iPhone7,2

Process: LizhiFM [1673]

Path: /private/var/containers/Bundle/Application/6170A78F-5047-4B3F-8AD0-7E4E6133F6F0/LizhiFM.app/LizhiFM

Identifier: com.lizhi.lizhifm

Version: 134664 (5.0.1)

AppStoreTools: 10E121a

AppVariant: 1:iPhone7,2:12.2

Code Type: ARM-64 (Native)

Role: Non UI

Parent Process: launchd [1]

Coalition: com.lizhi.lizhifm [606]



Date/Time: 2019-06-04 18:27:01.8431 +0800

Launch Time: 2019-06-04 18:26:55.7277 +0800

OS Version: iPhone OS 12.2 (16E227)

Baseband Version: 7.55.01

Report Version: 104



Exception Type: EXC_BREAKPOINT (SIGTRAP)

Exception Codes: 0x0000000000000001, 0x00000001a8dfa04c

Termination Signal: Trace/BPT trap: 5

Termination Reason: Namespace SIGNAL, Code 0x5

Terminating Process: exc handler [1673]

Triggered by Thread: 28



Thread 0 name:

Thread 0:

0 libsystem_kernel.dylib 0x00000001a8d8a9d4 __ulock_wait + 8

1 libsystem_platform.dylib 0x00000001a8dfb348 _os_unfair_lock_lock_slow + 220

2 libobjc.A.dylib 0x00000001a83daf6c objc_sync_enter + 32 (lock_private.h:437)

3 LizhiFM 0x0000000101a86ef0 -[LZDBAccessor select:param:processor:] + 92 (LZDBAccessor.m:135)

4 LizhiFM 0x0000000101a86e4c -[LZDBAccessor locate:param:processor:] + 24 (LZDBAccessor.m:116)

5 LizhiFM 0x0000000101a87940 -[LZDBAccessor getIntValue:param:] + 28 (LZDBAccessor.m:350)

6 LizhiFM 0x0000000101dceb08 -[LZConversationDao totalUnreadCountWithSessionId:types:] + 596 (LZConversationDao.m:460)

7 LizhiFM 0x0000000101dd0964 -[LZConversationMgr totalUnreadCountWithTypes:] + 140 (LZConversationMgr.m:197)

8 LizhiFM 0x00000001011a8c34 -[LZConversationService totalUnreadCountWithTypes:] + 84 (LZConversationService.m:93)

9 LizhiFM 0x0000000101de5be4 -[LZMessageNotifyMgrService getChatMessageCount] + 292 (LZMessageNotifyMgrService.m:114)

10 LizhiFM 0x0000000101de5c4c -[LZMessageNotifyMgrService getMessageAllCount] + 32 (LZMessageNotifyMgrService.m:120)

11 LizhiFM 0x0000000101f600b4 -[LZMainTabBarManager updateMyItemBarBadge] + 140 (LZMainTabBarManager.m:228)

12 LizhiFM 0x0000000101f5d22c -[LZMainTabBarController viewDidAppear:] + 88 (LZMainTabBarController.m:87)

13 LizhiFM 0x00000001037f9a90 -[_priv_NBSUIHookMatrix nbs_jump_viewDidAppear:origIMP:superClass:] + 1696

14 UIKitCore 0x00000001d50480f4 -[UIViewController _setViewAppearState:isAnimating:] + 808 (UIViewController.m:4520)

15 UIKitCore 0x00000001d504aa28 __64-[UIViewController viewDidMoveToWindow:shouldAppearOrDisappear:]_block_invoke + 44 (UIViewController.m:5104)

16 UIKitCore 0x00000001d5049094 -[UIViewController _executeAfterAppearanceBlock] + 88 (UIViewController.m:4842)

17 UIKitCore 0x00000001d55f70e8 _runAfterCACommitDeferredBlocks + 564 (UIApplication.m:2759)

18 UIKitCore 0x00000001d55e5b2c _cleanUpAfterCAFlushAndRunDeferredBlocks + 352 (UIApplication.m:2728)

19 UIKitCore 0x00000001d5612744 _afterCACommitHandler + 116 (UIApplication.m:2780)

20 CoreFoundation 0x00000001a917d89c __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 32 (CFRunLoop.c:1822)

21 CoreFoundation 0x00000001a91785c4 __CFRunLoopDoObservers + 412 (CFRunLoop.c:1932)

22 CoreFoundation 0x00000001a9178b40 __CFRunLoopRun + 1228 (CFRunLoop.c:2950)

23 CoreFoundation 0x00000001a9178354 CFRunLoopRunSpecific + 436 (CFRunLoop.c:3247)

24 GraphicsServices 0x00000001ab37879c GSEventRunModal + 104 (GSEvent.c:2245)

25 UIKitCore 0x00000001d55ebb68 UIApplicationMain + 212 (UIApplication.m:4353)

26 LizhiFM 0x0000000101173d64 main + 88 (main.m:25)

27 libdyld.dylib 0x00000001a8c3e8e0 start + 4



Thread 10 name:

Thread 10:

0 libsystem_kernel.dylib 0x00000001a8d8a9d4 __ulock_wait + 8

1 libsystem_platform.dylib 0x00000001a8dfb348 _os_unfair_lock_lock_slow + 220

2 libobjc.A.dylib 0x00000001a83daf6c objc_sync_enter + 32 (lock_private.h:437)

3 LizhiFM 0x0000000101a86ef0 -[LZDBAccessor select:param:processor:] + 92 (LZDBAccessor.m:135)

4 LizhiFM 0x0000000101a80244 -[LZBaseDao loadCondition:condition:] + 760 (LZBaseDao.m:197)

5 LizhiFM 0x0000000101a7ebfc -[KeyValueStoreMgr getValueWithKey:defaultValue:xid:] + 216 (KeyValueStoreMgr.m:260)

6 LizhiFM 0x00000001020379a8 -[KeyValueStoreMgr(Config) getCheckSubapp] + 68 (KeyValueStoreMgr+Config.m:170)

7 LizhiFM 0x0000000101265dbc -[LZLaunchTaskMgr reportSubappTransform] + 76 (LZLaunchTaskMgr.m:1158)

8 LizhiFM 0x00000001012643ec -[LZLaunchTaskMgr initComponentsOnGloabalThread] + 40 (LZLaunchTaskMgr.m:867)

9 Foundation 0x00000001a9c728d4 __NSThreadPerformPerform + 336 (NSThread.m:1259)

10 CoreFoundation 0x00000001a917e2bc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24 (CFRunLoop.c:1980)

11 CoreFoundation 0x00000001a917e23c __CFRunLoopDoSource0 + 88 (CFRunLoop.c:2015)

12 CoreFoundation 0x00000001a917db24 __CFRunLoopDoSources0 + 176 (CFRunLoop.c:2051)

13 CoreFoundation 0x00000001a9178a60 __CFRunLoopRun + 1004 (CFRunLoop.c:2922)

14 CoreFoundation 0x00000001a9178354 CFRunLoopRunSpecific + 436 (CFRunLoop.c:3247)

15 CoreFoundation 0x00000001a91790b0 CFRunLoopRun + 80 (CFRunLoop.c:3271)

16 LizhiFM 0x0000000101f64bf4 +[LZThreadMgr runGlobalFunc] + 148 (LZThreadMgr.m:47)

17 Foundation 0x00000001a9c726e4 __NSThread__start__ + 984 (NSThread.m:1175)

18 libsystem_pthread.dylib 0x00000001a8e0c2c0 _pthread_body + 128 (pthread.c:857)

19 libsystem_pthread.dylib 0x00000001a8e0c220 _pthread_start + 44 (pthread.c:884)

20 libsystem_pthread.dylib 0x00000001a8e0fcdc thread_start + 4



Thread 28 name:

Thread 28 Crashed:

0 libsystem_platform.dylib 0x00000001a8dfa04c _os_unfair_lock_unowned_abort + 36 (lock.c:525)

1 libsystem_platform.dylib 0x00000001a8dfb4ec _os_unfair_lock_unlock_slow + 144

2 libsqlite3.dylib 0x00000001a95e8124 fillInUnixFile + 460 (sqlite3.c:24953)

3 libsqlite3.dylib 0x00000001a95e7d24 unixOpen + 1996 (sqlite3.c:42486)

4 libsqlite3.dylib 0x00000001a964adf4 pager_write + 916 (sqlite3.c:22120)

5 libsqlite3.dylib 0x00000001a964a5f0 sqlite3BtreeDelete + 780 (sqlite3.c:62327)

6 libsqlite3.dylib 0x00000001a9627798 sqlite3VdbeExec + 17628 (sqlite3.c:93758)

7 libsqlite3.dylib 0x00000001a9621d24 sqlite3_step + 444 (sqlite3.c:86839)

8 LizhiFM 0x0000000101a87458 -[LZDBAccessor update:param:isInsert:] + 440 (LZDBAccessor.m:216)

9 LizhiFM 0x0000000101a811d0 -[LZBaseDao updateRecord:condition:] + 692 (LZBaseDao.m:374)

10 LizhiFM 0x0000000101a88918 -[LZKeyValueStoreDao commit:] + 180 (LZKeyValueStoreDao.m:55)

11 LizhiFM 0x0000000101a7e5b4 __34-[KeyValueStoreMgr p_synchronize:]_block_invoke + 204 (KeyValueStoreMgr.m:155)

12 CoreFoundation 0x00000001a90d67c0 -[__NSDictionaryM enumerateKeysAndObjectsWithOptions:usingBlock:] + 232 (NSDictionaryM_Common.h:310)

13 LizhiFM 0x0000000101a7e718 __36-[KeyValueStoreMgr asyncSynchronize]_block_invoke + 168 (KeyValueStoreMgr.m:181)

14 libdispatch.dylib 0x00000001a8c2ca38 _dispatch_call_block_and_release + 24 (init.c:1372)

15 libdispatch.dylib 0x00000001a8c2d7d4 _dispatch_client_callout + 16 (object.m:511)

16 libdispatch.dylib 0x00000001a8bd6320 _dispatch_lane_serial_drain$VARIANT$mp + 592 (inline_internal.h:2441)

17 libdispatch.dylib 0x00000001a8bd6e3c _dispatch_lane_invoke$VARIANT$mp + 428 (queue.c:3805)

18 libdispatch.dylib 0x00000001a8bdf4a8 _dispatch_workloop_worker_thread + 596 (queue.c:5889)

19 libsystem_pthread.dylib 0x00000001a8e0d114 _pthread_wqthread + 304 (pthread.c:2371)

20 libsystem_pthread.dylib 0x00000001a8e0fcd4 start_wqthread + 4



Thread 32 name:

Thread 32:

0 libsystem_kernel.dylib 0x00000001a8d8a9d4 __ulock_wait + 8

1 libsystem_platform.dylib 0x00000001a8dfb348 _os_unfair_lock_lock_slow + 220

2 libobjc.A.dylib 0x00000001a83daf6c objc_sync_enter + 32 (lock_private.h:437)

3 LizhiFM 0x0000000101a86ef0 -[LZDBAccessor select:param:processor:] + 92 (LZDBAccessor.m:135)

4 LizhiFM 0x0000000101a86e4c -[LZDBAccessor locate:param:processor:] + 24 (LZDBAccessor.m:116)

5 LizhiFM 0x0000000101a87940 -[LZDBAccessor getIntValue:param:] + 28 (LZDBAccessor.m:350)

6 LizhiFM 0x0000000101a80948 -[LZBaseDao recordExistWithCondition:] + 108 (LZBaseDao.m:276)

7 LizhiFM 0x0000000102026d0c -[LZSessionDao commit:] + 172 (LZSessionDao.m:74)

8 LizhiFM 0x0000000102027a88 -[LZSessionMgr(DataItem) setValue:key:] + 288 (LZSessionMgr+DataItem.m:27)

9 LizhiFM 0x0000000101e7cd30 -[ITWhereToGoWhenRichScene onResponseWithNetId:errType:errCode:errMsg:packet:] + 544 (ITWhereToGoWhenRichScene.m:128)

10 LizhiFM 0x00000001018f4494 -[ReqResp onResponseImplInThread:] + 444

11 Foundation 0x00000001a9c728d4 __NSThreadPerformPerform + 336 (NSThread.m:1259)

12 CoreFoundation 0x00000001a917e2bc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24 (CFRunLoop.c:1980)

13 CoreFoundation 0x00000001a917e23c __CFRunLoopDoSource0 + 88 (CFRunLoop.c:2015)

14 CoreFoundation 0x00000001a917db24 __CFRunLoopDoSources0 + 176 (CFRunLoop.c:2051)

15 CoreFoundation 0x00000001a9178a60 __CFRunLoopRun + 1004 (CFRunLoop.c:2922)

16 CoreFoundation 0x00000001a9178354 CFRunLoopRunSpecific + 436 (CFRunLoop.c:3247)

17 CoreFoundation 0x00000001a91790b0 CFRunLoopRun + 80 (CFRunLoop.c:3271)

18 LizhiFM 0x00000001018c7070 +[PodITNetLibrary_LZThreadMgr(Network) runNetSceneResponseFunc] + 148

19 Foundation 0x00000001a9c726e4 __NSThread__start__ + 984 (NSThread.m:1175)

20 libsystem_pthread.dylib 0x00000001a8e0c2c0 _pthread_body + 128 (pthread.c:857)

21 libsystem_pthread.dylib 0x00000001a8e0c220 _pthread_start + 44 (pthread.c:884)

22 libsystem_pthread.dylib 0x00000001a8e0fcdc thread_start + 4



Thread 28 crashed with ARM Thread State (64-bit):

x0: 0x0000000000000001 x1: 0x0000000000000000 x2: 0x000000000000f20b x3: 0x0000000000000000

x4: 0x0000000000000000 x5: 0x0000000000000000 x6: 0x0000000281ece480 x7: 0x0000000000000000

x8: 0x0000000000000001 x9: 0x00000002832dc850 x10: 0x0000000000000850 x11: 0x0000000000000000

x12: 0x0000000000000085 x13: 0x0000000000000001 x14: 0x0000000000000085 x15: 0x000000000000037a

x16: 0x00000001a8dfb430 x17: 0x0000000011800000 x18: 0x0000000000000000 x19: 0x00000001dfd5db80

x20: 0x000000015a00d020 x21: 0x00000001d8b98a78 x22: 0x0000000000000030 x23: 0x0000000000000000

x24: 0x00000001dfd5f000 x25: 0x00000001dfd5cf40 x26: 0x00000001d8b98a78 x27: 0x00000001dfd5d120

x28: 0x0000000000000000 fp: 0x000000016fcc5020 lr: 0x00000001a8dfb4ec

sp: 0x000000016fcc5010 pc: 0x00000001a8dfa04c cpsr: 0x00000000

Replies

> The app is downloaded from the App Store, so why can a release app receive a debug signal, SIGTRAP?

SIGTRAP is only related to the debugger in the sense that the CPU’s breakpoint instruction gets translated into a SIGTRAP signal. Many system frameworks use a special instruction to trap (halt the process) when they detect an error. On Arm they use the breakpoint instruction (brk), and thus your program stops with a SIGTRAP [1].

> The app receives SIGTRAP and crashes at os_unfair_lock_unowned_unlock; it looks like `@synchronized` causes the SIGTRAP.

I think you’re misreading the crash report. The crashing thread here is thread 28, and its backtrace is this:

0   libsystem_platform.dylib … _os_unfair_lock_unowned_abort + 36 (lock.c:525)
1   libsystem_platform.dylib … _os_unfair_lock_unlock_slow + 144
2   libsqlite3.dylib         … fillInUnixFile + 460 (sqlite3.c:24953)
3   libsqlite3.dylib         … unixOpen + 1996 (sqlite3.c:42486)
4   libsqlite3.dylib         … pager_write + 916 (sqlite3.c:22120)
5   libsqlite3.dylib         … sqlite3BtreeDelete + 780 (sqlite3.c:62327)
6   libsqlite3.dylib         … sqlite3VdbeExec + 17628 (sqlite3.c:93758)
7   libsqlite3.dylib         … sqlite3_step + 444 (sqlite3.c:86839)
8   LizhiFM                  … -[LZDBAccessor update:param:isInsert:] + 440 (LZDBAccessor.m:216)
9   LizhiFM                  … -[LZBaseDao updateRecord:condition:] + 692 (LZBaseDao.m:374)
10  LizhiFM                  … -[LZKeyValueStoreDao commit:] + 180 (LZKeyValueStoreDao.m:55)
11  LizhiFM                  … __34-[KeyValueStoreMgr p_synchronize:]_block_invoke + 204 (KeyValueStoreMgr.m:155)
12  CoreFoundation           … -[__NSDictionaryM enumerateKeysAndObjectsWithOptions:usingBlock:] + 232 (NSDictionaryM_Common.h:310)
13  LizhiFM                  … __36-[KeyValueStoreMgr asyncSynchronize]_block_invoke + 168 (KeyValueStoreMgr.m:181)
14  libdispatch.dylib        … _dispatch_call_block_and_release + 24 (init.c:1372)
…

Note that there’s no objc_sync_enter in the backtrace, indicating that @synchronized is not involved.

You can see the source for _os_unfair_lock_unlock_slow (frame 1) in Darwin [2]. There are a number of potential traps here, but the most likely one is the direct call to _os_unfair_lock_unowned_abort, which comes about if you try to release a lock that you don’t own [3].

It’s hard to say for sure what might be triggering that, but my best guess is that the LizhiFM code (frames 13 and 11 through 8) is breaking the SQLite concurrency rules.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] On Intel they use the ud2 instruction, which results in a SIGILL.

[2] This is the Darwin source corresponding, roughly, to macOS 10.14. There’s no guarantee that this is exactly aligned with iOS 12.2, but in my experience it’s generally pretty close.

[3] The other traps in that routine all call __LIBPLATFORM_INTERNAL_CRASH__, which does generate a SIGTRAP on Arm but won’t leave _os_unfair_lock_unowned_abort in the backtrace.

Thanks for your answer.

> Note that there’s no objc_sync_enter in the backtrace, indicating that @synchronized is not involved.

The LizhiFM app uses @synchronized to run SQLite serially; however, there is no objc_sync_enter in the backtrace, which is very strange. I guess there might be a system action that stops the @synchronized lock and sends SIGTRAP.

> I guess there might be a system action that stops the @synchronized lock and sends SIGTRAP.

No. @synchronized is just a mutex, and it’s definitely not going to do anything fancy with SIGTRAP.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

What if @synchronized is used in the main thread and causes a long block?

> What if @synchronized is used in the main thread and causes a long block?

Then you run the risk of your app being killed by the watchdog, but the resulting crash report won’t look like the one you’ve posted (it will have the 0x8badf00d exception code described in TN2151).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"