Question

I am stuck with the following crash report:

Date/Time:       2013-09-12 22:39:54 +0000
OS Version:      iPhone OS 6.1.3 (10B329)
Report Version:  104

Exception Type:  SIGSEGV
Exception Codes: SEGV_ACCERR at 0xa0000008
Crashed Thread:  0

Thread 0 Crashed:
0   libobjc.A.dylib                     0x39a3c564 _cache_getImp + 4
1   libobjc.A.dylib                     0x39a3e1d7 class_respondsToSelector + 31
2   CoreFoundation                      0x31b96605 objectIsKindOfClass + 37
3   CoreFoundation                      0x31b9635d __handleUncaughtException + 69
4   libobjc.A.dylib                     0x39a41a65 _objc_terminate() + 129
5   libc++abi.dylib                     0x3948e07b safe_handler_caller(void (*)()) + 79
6   libc++abi.dylib                     0x3948e114 std::terminate() + 20
7   libc++abi.dylib                     0x3948f599 __cxa_current_exception_type + 1
8   libobjc.A.dylib                     0x39a419d1 objc_exception_rethrow + 13
9   CoreFoundation                      0x31adcf21 CFRunLoopRunSpecific + 457
10  CoreFoundation                      0x31adcd49 CFRunLoopRunInMode + 105
11  GraphicsServices                    0x356a82eb GSEventRunModal + 75
12  UIKit                               0x339f2301 UIApplicationMain + 1121
13  Our App                             0x0003bc27 main (main.m:15)

After different attempts to fix the bug causing this error, I keep receiving this crash log again and again from PLCrashReporter (from our ad hoc builds from the beta testers). The different exception codes vary from SIGSEGV/SEGV_ACCERR to SIGBUS/BUS_ADRALN to EXC_BAD_ACCESS/KERN_INVALID_ADDRESS.

I am using the rapidjson library on iOS (armv7 and armv7s) with the padding fix as described here (#8), and I use the Objective-C runtime functions to add method implementations at runtime (using class_addMethod).

Our codebase consists mostly of Objective-C code with some Obj-C++ and some C code. Memory management is done by ARC except for the Obj-C++ and C parts, which are handled manually. I looked into every malloc/free call and I extensively used libgmalloc to determine memory issues, but there is nothing which does not seem correct to me.

I cannot reproduce these crash logs myself, not in debug or release mode, but our beta testers keep sending me this crash log once in a while (1 in about 50 runs). As our product (hopefully) will run on many iOS devices soon, this is not something we can leave broken.

After reading a lot of memory management articles, I suspect this issue is caused by bad memory alignment. Therefore I suspect rapidjson to be the cause of this bug. My lack of knowledge about memory alignment on iOS / armv7 does not allow me to fix this crash log. Can someone explain more about this subject on iOS to me? Or am I looking in the wrong place and is this another memory issue? I hope someone can point me in the right direction.

If more info is needed, I am happy to provide it. Note: I am not looking for answers such as using JSONKit or another library to replace rapidjson. Thanks :)

Solution

This issue was previously addressed here: https://devforums.apple.com/message/807860

In short, the original Objective-C exception has been released (e.g., by an autorelease pool) prior to it being dereferenced in the uncaught exception handler. As such, __handleUncaughtException() dereferences a now-dead pointer, and you see the crash in your exception handler.

Other tips

First, the address 0xa0000008 does not look misaligned, and SEGV_ACCERR does not mean an alignment problem, but a memory access permission problem (from sys/signal.h):

#define SEGV_ACCERR     2       /* [XSI] invalid permission for mapped object */

Considering you are using class_addMethod() and the crash is in _cache_getImp(), which is part of retrieving a method, my largely unfounded suspicion would be that you passed some invalid pointers to class_addMethod(), or overwrote that information later on.

Something to check would be whether you are using either globals or malloc()ed memory, because the runtime functions do not make copies for you.

Second, the crash you are seeing is secondary: you are crashing while running the top-level exception handler that is already terminating (_objc_terminate()) your program from an earlier exception, but in this case it's not a Unix signal, but an Objective-C exception: objc_exception_rethrow().

So you probably need to figure out that primary error first, for example from logs of the exception (just a backtrace isn't enough in many cases).
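
As an added example (not from the original question or answers): a small Python triage script that checks a PLCrashReporter-style text report for the pattern both answers describe, a signal raised inside the uncaught-exception teardown path. The function names are hypothetical, the sample is abridged from the report in the question, and the alignment check assumes armv7's 4-byte word size.

```python
import re

# Abridged from the crash report in the question (frames 5-7 and 9-12 omitted).
SAMPLE = """\
Exception Type:  SIGSEGV
Exception Codes: SEGV_ACCERR at 0xa0000008
Crashed Thread:  0

Thread 0 Crashed:
0   libobjc.A.dylib                     0x39a3c564 _cache_getImp + 4
1   libobjc.A.dylib                     0x39a3e1d7 class_respondsToSelector + 31
2   CoreFoundation                      0x31b96605 objectIsKindOfClass + 37
3   CoreFoundation                      0x31b9635d __handleUncaughtException + 69
4   libobjc.A.dylib                     0x39a41a65 _objc_terminate() + 129
8   libobjc.A.dylib                     0x39a419d1 objc_exception_rethrow + 13
13  Our App                             0x0003bc27 main (main.m:15)
"""

# Frames showing the process was already dying from an uncaught Objective-C exception.
TERMINATE_PATH = ("__handleUncaughtException", "_objc_terminate", "objc_exception_rethrow")
FRAME_RE = re.compile(r"^(\d+)\s+(.+?)\s+(0x[0-9a-fA-F]+)\s+(.+)$")

def crashed_frames(report):
    """Return [(index, image, symbol)] for the thread marked 'Crashed'."""
    frames, in_thread = [], False
    for line in report.splitlines():
        if re.match(r"^Thread \d+ Crashed:", line):
            in_thread = True
        elif in_thread and (m := FRAME_RE.match(line)):
            symbol = re.sub(r"\s\+\s\d+$", "", m.group(4))  # drop the "+ offset" suffix
            frames.append((int(m.group(1)), m.group(2), symbol))
        elif in_thread:
            break  # a blank or non-frame line ends the crashed thread's stack
    return frames

def triage(report):
    """Classify the fault and flag crashes that happened inside exception teardown."""
    sig = re.search(r"^Exception Type:\s+(\S+)", report, re.M).group(1)
    code, addr = re.search(r"^Exception Codes:\s+(\S+) at (0x[0-9a-fA-F]+)", report, re.M).groups()
    frames = crashed_frames(report)
    teardown = [s for i, _, s in frames if i > 0 and s.startswith(TERMINATE_PATH)]
    return {
        "signal": sig, "code": code,
        "word_aligned": int(addr, 16) % 4 == 0,  # assumption: armv7 word size of 4 bytes
        "fault_symbol": frames[0][2] if frames else None,
        "secondary": bool(teardown),  # the signal hit while handling an earlier exception
        "teardown_frames": teardown,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A report flagged as secondary says nothing about the original exception, so the next step is the exception's own log output rather than the faulting frame.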

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow