Random crash in malloc

I have a random crash problem in a ReplayKit Broadcast extension.

I wrote test code that writes to freed memory. The crash report says the crash happens in a system area, not in the app's code.

This makes it very difficult for an app engineer to find the problem area.


Environment

- Xcode 9.2

- iOS 11.2.6

Include "Screen Recording" via Settings -> Control Center -> Customize Controls


Steps to reproduce

1) In Xcode create a new project, iOS, Single View App, Objective-C, name: test8

2) Create a new target, Broadcast Upload Extension, Objective-C, name: test8ex

3) Add this code to SampleHandler.m in test8ex, at the top of processSampleBuffer()

- (void)processSampleBuffer:(CMSampleBufferRef)sampleBuffer withType:(RPSampleBufferType)sampleBufferType {
+ NSLog(@"processSampleBuffer called");
+ char* buf = malloc(10);
+ free(buf);
+ buf[0] = 'a'; // Expect crash here
    ....
}

4) Run the test8 app on an iOS device

5) Open Control Center by swiping up from the bottom

6) Long-tap the Screen Recording icon and select "test8ex"

7) Tap "Start Broadcast"

8) iOS pops up an error dialog: "Live broadcast to test8ex has stopped due to: (null)"

9) Repeat 4) to 8) more than 3 times.

10) Open Xcode -> Window -> Devices and Simulators

11) Look at the crash log.


Expected result

12) All crashes are reported at "buf[0] = 'a';"


Actual result

12) The crash is reported at "malloc + 32" with a random caller: NSArray, xpc_serializer_unpack, NSLog...


Problem

- The app developer cannot figure out where the bad memory access happens.


This is one of my crash logs:

Thread 1 name: Dispatch queue: com.replaykit.broadcast.VideoSampleQueue
Thread 1 Crashed:
0 libsystem_kernel.dylib 0x00000001822502e8 __pthread_kill + 8
1 libsystem_pthread.dylib 0x00000001823652f8 pthread_kill$VARIANT$mp + 396
2 libsystem_c.dylib 0x00000001821befbc abort + 140
3 libsystem_malloc.dylib 0x0000000182296a00 nanozone_default_reader + 0
4 libsystem_malloc.dylib 0x0000000182297d18 _nano_malloc_check_clear + 412
5 libsystem_malloc.dylib 0x0000000182296c5c nano_malloc + 44
6 libsystem_malloc.dylib 0x0000000182285b88 malloc_zone_malloc + 172
7 libsystem_malloc.dylib 0x0000000182288540 malloc + 32
8 CoreFoundation 0x0000000182606a78 -[__NSArrayM insertObject:atIndex:] + 280
9 IOSurface 0x000000018370a430 unserializeReplacementArrayValues + 36
10 CoreFoundation 0x00000001826005a0 CFArrayApplyFunction + 80
11 IOSurface 0x000000018370793c unserializeReplacementIOKitTypeRef + 252
12 IOSurface 0x000000018370a3d0 unserializeReplacementDictionaryKeysAndValues + 32
13 CoreFoundation 0x0000000182618938 __CFDictionaryApplyFunction_block_invoke + 24
14 CoreFoundation 0x00000001825ffe98 CFBasicHashApply + 132
15 CoreFoundation 0x00000001826099ec CFDictionaryApplyFunction + 288
16 IOSurface 0x0000000183707988 unserializeReplacementIOKitTypeRef + 328
17 IOSurface 0x000000018370a3d0 unserializeReplacementDictionaryKeysAndValues + 32
18 CoreFoundation 0x0000000182618938 __CFDictionaryApplyFunction_block_invoke + 24
19 CoreFoundation 0x00000001825ffe98 CFBasicHashApply + 132
20 CoreFoundation 0x00000001826099ec CFDictionaryApplyFunction + 288
21 IOSurface 0x0000000183707988 unserializeReplacementIOKitTypeRef + 328
22 IOSurface 0x0000000183707784 IOSurfaceClientCopyAllValues + 504
23 CoreVideo 0x0000000185698368 CVPixelBufferCreateWithIOSurface + 1136
24 ReplayKit 0x000000019d57c390 -[RPBroadcastSampleHandler _sampleBufferFromIOSurface:timingInfo:] + 52
25 ReplayKit 0x000000019d57bef8 __59-[RPBroadcastSampleHandler _processPayloadWithVideoSample:]_block_invoke + 212
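The stack above ends in `_nano_malloc_check_clear`, a consistency check run when a freed block is handed out again, which is why the fault lands in a later malloc() instead of at `buf[0] = 'a'`. The following is an added illustration of that lazy-check behaviour, not the poster's code and not libsystem_malloc's real implementation; the block size, block count and poison byte are arbitrary choices for the model.

```c
#include <string.h>

/* Toy checking allocator (a model, not libsystem_malloc's code): fixed-size
 * blocks, a LIFO free list, freed blocks filled with a poison byte, and the
 * poison verified only when a block is reused. Because the check is lazy, a
 * write into freed memory is caught by a later malloc(), not at the store. */
#define BLOCK_SIZE 16
#define NBLOCKS 8
#define POISON 0x55

static unsigned char slab[NBLOCKS][BLOCK_SIZE];
static int free_list[NBLOCKS], nfree, corrupted_block; /* damaged block, or -1 */

void heap_init(void) {
    memset(slab, POISON, sizeof slab);   /* all blocks start out free */
    nfree = 0; corrupted_block = -1;
    for (int i = NBLOCKS - 1; i >= 0; i--) free_list[nfree++] = i;  /* block 0 on top */
}

int heap_corrupted_block(void) { return corrupted_block; }

/* NULL when exhausted, or when the block about to be reused lost its poison. */
void *toy_malloc(void) {
    if (nfree == 0) return NULL;
    int idx = free_list[nfree - 1];
    for (int i = 0; i < BLOCK_SIZE; i++) {
        if (slab[idx][i] != POISON) {    /* the real allocator aborts here */
            corrupted_block = idx; return NULL;
        }
    }
    nfree--;
    memset(slab[idx], 0, BLOCK_SIZE);
    return slab[idx];
}

void toy_free(void *p) {
    int idx = (int)(((unsigned char *)p - &slab[0][0]) / BLOCK_SIZE);
    memset(slab[idx], POISON, BLOCK_SIZE);  /* scribble over the freed block */
    free_list[nfree++] = idx;
}

/* The post's sequence: malloc, free, store into the freed block, malloc again.
 * Returns the index of the block the second malloc rejected (-1 if none). */
int write_after_free_demo(void) {
    heap_init();
    unsigned char *buf = toy_malloc();
    toy_free(buf);
    buf[0] = 'a';                        /* the bad store itself goes unnoticed */
    toy_malloc();                        /* ...and is caught here instead */
    return heap_corrupted_block();
}
```

On a real device the same effect is obtained by enabling Address Sanitizer or the Malloc Scribble / Guard Malloc diagnostics in the scheme, which report the offending store rather than the later allocation.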

Replies

Hey torui,

I am also experiencing random malloc crashes. Did you manage to find anything regarding this topic?