ios开发try-catch引起的野指针问题排查

Jacinthe ·

更新时间:2024-09-20

· 628 次阅读

1、野指针问题

2、崩溃栈

3、场景复现代码

4、问题分析

5、上报可能引起野指针崩溃栈

1、野指针问题

【EXC_BAD_ACCESS (SIGSEGV) / KERN_INVALID_ADDRESS]

Possible zombie in call: Function: objc_releaseParam 1: 0x157f2a740 Originated at or in a subcall of unknown, cannot find symb

如有以下崩溃栈可以怀疑是在dealloc中直接或间接使用了@try{} @catch{}

2、崩溃栈

  libobjc.A.dylib    _objc_release()         
  CoreFoundation     -[__NSDictionaryI dealloc]()         
  CoreFoundation     -[NSException dealloc]()         
  libobjc.A.dylib    AutoreleasePoolPage::releaseUntil(objc_object**)()         
  libobjc.A.dylib    _objc_autoreleasePoolPop()        
   ......
   ......

3、场景复现代码

#import "ViewController.h"
@interface TestExpectionObj : NSObject
@end
@implementation TestExpectionObj
- (void)dealloc {
    @try {
        [self setValue:@"test" forKey:@"testKey"];
    } @catch (NSException *exception) {
        NSLog(@"%@", exception);
    }
}
@end
@implementation ViewController
- (void)viewDidLoad {
    [super viewDidLoad];
    // Do any additional setup after loading the view.
    [TestExpectionObj new];
}
@end

4、问题分析

在dealloc使用try-catch并触发catch时，会生成NSException对象，exception结构如下

exception : NSException {
userInfo: NSDictionary {
NSTargetObjectUserInfoKey = "<TestExpectionObj: 0x6000038ac3e0>";
}
}

故exception会强引用TestExpectionObj对象，并且exception一般都是类方法生成会自动加入到AutoreleasePool，所以dealloc执行完后TestExpectionObj对象已经释放（因为在dealloc方法中在强引用当前对象没法终止当前对象的释放，引用计数增加与否已无意义），所以exception.userInfo中的TestExpectionObj对变成野对象。

当AutoreleasePool到达周期释放时就对调用release exception & userInfo，字典userInfo释放时会也会相应的释放key/value，故NSTargetObjectUserInfoKey = "<TestExpectionObj: 0x6000038ac3e0>"又调用一次release，因为之前已经dealloc完毕，所以这次就会触发重复释放崩溃引起野指针问题，

但如果exception在TestExpectionObj对象的dealloc方法执行完之前释放就不会出现问题。

5、上报可能引起野指针崩溃栈

#import <JRSwizzle/JRSwizzle.h>
@implementation NSException (ExceptionTestSunztObj)
+ (void)load {
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        [self jr_swizzleMethod:NSSelectorFromString(@"dealloc")
                              withMethod:@selector(intercept_dealloc)
                                   error:nil];
    });
}
- (void)intercept_dealloc {
    BOOL isContainDealloc = NO;
    NSMutableString *symblos = [NSMutableString string];
    for (NSString *sym in self.callStackSymbols) {
        [symblos appendFormat:@"%@\n", sym];
        if ([sym containsString:@" dealloc]"]) {
            isContainDealloc = YES;
        }
    }
    // 把 symblos上报给自己的APM平台
    [APM report:@"ttReportExceptionCallStackSymbols" withValue:symblos];
    [APM report:@"ttReportExceptionReason" withValue:self.reason?:@"NULL"];
    if (isContainDealloc) {
        // 本地log打印，需符号化
       TTLocalLog("NSException:throws:dealloc:ttReport", {
           @"name": self.name?:@"",
           @"reason": self.reason?:@"",
           @"callStackSymbols": symblos
       });
       // 延迟保证数据写完在释放
       __unsafe_unretained NSException *demoSelf = self;
       dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(1.0 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
           [demoSelf intercept_dealloc];
       });
       return;
    }
    [self intercept_dealloc];
}
@end

注：在dealloc中使用@try{} @catch{}可能会引起难以排查的野指针崩溃

使用@try-@catch后

[<TestExpectionObj 0x600000714220> setValue:forUndefinedKey:]: this class is not key value coding-compliant for the key testKey.
(
  0   CoreFoundation                      0x0000000102a93604 __exceptionPreprocess + 242
  1   libobjc.A.dylib                     0x0000000102943a45 objc_exception_throw + 48
  2   CoreFoundation                      0x0000000102a9329c -[NSException init] + 0
  3   Foundation                          0x00000001034f2354 -[NSObject(NSKeyValueCoding) setValue:forKey:] + 315
  4   ExpectionDemo                       0x00000001023cae52 -[TestExpectionObj dealloc] + 50
  5   libobjc.A.dylib                     0x00000001029417b7 _ZN11objc_object17sidetable_releaseEbb + 177
  6   ExpectionDemo                       0x00000001023caf58 -[ViewController viewDidLoad] + 72
  7   UIKitCore                           0x000000010f3ce3bc -[UIViewController _sendViewDidLoadWithAppearanceProxyObjectTaggingEnabled] + 88
  8   UIKitCore                           0x000000010f3d2dbf -[UIViewController loadViewIfRequired] + 1193
  9   UIKitCore                           0x000000010f3d319a -[UIViewController view] + 27
  10  UIKitCore                           0x000000010fbdb00a -[UIWindow addRootViewControllerViewIfPossible] + 305
  11  UIKitCore                           0x000000010fbda6fe -[UIWindow _updateLayerOrderingAndSetLayerHidden:actionBlock:] + 230
  12  UIKitCore                           0x000000010fbdb6d6 -[UIWindow _setHidden:forced:] + 409
  13  UIKitCore                           0x000000010fbee204 -[UIWindow _mainQueue_makeKeyAndVisible] + 47
  14  UIKitCore                           0x000000010fe605f6 -[UIWindowScene _makeKeyAndVisibleIfNeeded] + 202
  15  UIKitCore                           0x000000010ef0fb8f +[UIScene _sceneForFBSScene:create:withSession:connectionOptions:] + 1591
  16  UIKitCore                           0x000000010fb98fbd -[UIApplication _connectUISceneFromFBSScene:transitionContext:] + 1299
  17  UIKitCore                           0x000000010fb99471 -[UIApplication workspace:didCreateScene:withTransitionContext:completion:] + 301
  18  UIKitCore                           0x000000010f613afe -[UIApplicationSceneClientAgent scene:didInitializeWithEvent:completion:] + 355
  19  FrontBoardServices                  0x0000000107090cdd -[FBSScene _callOutQueue_agent_didCreateWithTransitionContext:completion:] + 415
  20  FrontBoardServices                  0x00000001070bd216 __94-[FBSWorkspaceScenesClient createWithSceneID:groupID:parameters:transitionContext:completion:]_block_invoke.180 + 102
  21  FrontBoardServices                  0x000000010709f0ef -[FBSWorkspace _calloutQueue_executeCalloutFromSource:withBlock:] + 209
  22  FrontBoardServices                  0x00000001070bcdf5 __94-[FBSWorkspaceScenesClient createWithSceneID:groupID:parameters:transitionContext:completion:]_block_invoke + 352
  23  libdispatch.dylib                   0x0000000103c0ba5b _dispatch_client_callout + 8
  24  libdispatch.dylib                   0x0000000103c0e93b _dispatch_block_invoke_direct + 295
  25  FrontBoardServices                  0x00000001070e3da3 __FBSSERIALQUEUE_IS_CALLING_OUT_TO_A_BLOCK__ + 30
  26  FrontBoardServices                  0x00000001070e3c99 -[FBSSerialQueue _targetQueue_performNextIfPossible] + 174
  27  FrontBoardServices                  0x00000001070e3dcb -[FBSSerialQueue _performNextFromRunLoopSource] + 19
  28  CoreFoundation                      0x0000000102a004a7 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
  29  CoreFoundation                      0x0000000102a0039f __CFRunLoopDoSource0 + 180
  30  CoreFoundation                      0x00000001029ff8ce __CFRunLoopDoSources0 + 340
  31  CoreFoundation                      0x00000001029f9f68 __CFRunLoopRun + 871
  32  CoreFoundation                      0x00000001029f9704 CFRunLoopRunSpecific + 562
  33  GraphicsServices                    0x00000001071e3c8e GSEventRunModal + 139
  34  UIKitCore                           0x000000010fb9765a -[UIApplication _run] + 928
  35  UIKitCore                           0x000000010fb9c2b5 UIApplicationMain + 101
  36  ExpectionDemo                       0x00000001023cb1be main + 110
  37  dyld                                0x00000001025e6f21 start_sim + 10
  38  ???                                 0x00000001091ce4fe 0x0 + 4447855870
)

这种崩溃信息使用NSSetUncaughtExceptionHandler()是抓不到的

以上就是ios开发 try-catch引起的野指针问题排查的详细内容，更多关于ios开发try-catch野指针的资料请关注软件开发网其它相关文章！

catch try 指针 IOS

1024 个赞