ios - 使用 Address Sanitizer 发现了一个 bug,日志该怎么看,如何去找到问题出在哪里?


问题描述

xcode 的日志如下:

==581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x000117e1ea68 at pc 0x000100d2500c bp 0x00016e045830 sp 0x00016e045828READ of size 8 at 0x000117e1ea68 thread T3

#0 0x100d2500b in __64+[NetworkObserver injectIntoAllNSURLConnectionDelegateClasses]_block_invoke (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/iosapp+0x100c5d00b) #1 0x1017a521b in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib+0x121b) #2 0x1017a604b in dispatch_once_f (/usr/lib/system/introspection/libdispatch.dylib+0x204b) #3 0x100d24913 in +[NetworkObserver injectIntoAllNSURLConnectionDelegateClasses] (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/iosapp+0x100c5c913) #4 0x100d239fb in +[NetworkObserver setEnabled:] (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/iosapp+0x100c5b9fb) #5 0x100d70a73 in __26+[AP startWithAppID:]_block_invoke (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/iosapp+0x100ca8a73) #6 0x100d8489f in __47-[ConnectionQueue connectHostWithCompletion:]_block_invoke_2 (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/iosapp+0x100cbc89f) #7 0x18e752617 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork+0x3617) #8 0x18e769317 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork+0x1a317) #9 0x18ec157e3 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation+0xe57e3) #10 0x18eb5a357 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation+0x2a357) #11 0x18eb4a953 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation+0x1a953) #12 0x18ec17b8f in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation+0xe7b8f) #13 0x10191f097 in asan_dispatch_call_block_and_release (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib+0x3b097) #14 0x1017a521b in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib+0x121b) #15 0x1017b2b53 in 
_dispatch_queue_serial_drain (/usr/lib/system/introspection/libdispatch.dylib+0xeb53) #16 0x1017a8ce3 in _dispatch_queue_invoke (/usr/lib/system/introspection/libdispatch.dylib+0x4ce3) #17 0x1017b4e6b in _dispatch_root_queue_drain (/usr/lib/system/introspection/libdispatch.dylib+0x10e6b) #18 0x1017b4bb7 in _dispatch_worker_thread3 (/usr/lib/system/introspection/libdispatch.dylib+0x10bb7) #19 0x18d1e52c7 in _pthread_wqthread (/usr/lib/system/libsystem_pthread.dylib+0x12c7) #20 0x18d1e4db3 in start_wqthread (/usr/lib/system/libsystem_pthread.dylib+0xdb3)"</br>0x000117e1ea68 is located 0 bytes to the right of 123496-byte region [0x000117e00800,0x000117e1ea68)allocated by thread T3 here:

#1 0x100d24f9f in __64+[NetworkObserver injectIntoAllNSURLConnectionDelegateClasses]_block_invoke (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/iosapp+0x100c5cf9f)#2 0x1017a521b in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib+0x121b)#3 0x1017a604b in dispatch_once_f (/usr/lib/system/introspection/libdispatch.dylib+0x204b)#4 0x100d24913 in +[NetworkObserver injectIntoAllNSURLConnectionDelegateClasses] (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/iosapp+0x100c5c913)#5 0x100d239fb in +[NetworkObserver setEnabled:] (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/iosapp+0x100c5b9fb)#6 0x100d70a73 in __26+[AP startWithAppID:]_block_invoke (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/iosapp+0x100ca8a73)#7 0x100d8489f in __47-[ConnectionQueue connectHostWithCompletion:]_block_invoke_2 (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/iosapp+0x100cbc89f)#8 0x18e752617 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork+0x3617)#9 0x18e769317 in <redacted> (/System/Library/Frameworks/CFNetwork.framework/CFNetwork+0x1a317)#10 0x18ec157e3 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation+0xe57e3)#11 0x18eb5a357 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation+0x2a357)#12 0x18eb4a953 in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation+0x1a953)#13 0x18ec17b8f in <redacted> (/System/Library/Frameworks/Foundation.framework/Foundation+0xe7b8f)#14 0x10191f097 in asan_dispatch_call_block_and_release (/var/containers/Bundle/Application/98800CF8-BBF8-4B69-A29F-A988509D1600/iosapp.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib+0x3b097)#15 0x1017a521b in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib+0x121b)#16 0x1017b2b53 in _dispatch_queue_serial_drain 
(/usr/lib/system/introspection/libdispatch.dylib+0xeb53)#17 0x1017a8ce3 in _dispatch_queue_invoke (/usr/lib/system/introspection/libdispatch.dylib+0x4ce3)#18 0x1017b4e6b in _dispatch_root_queue_drain (/usr/lib/system/introspection/libdispatch.dylib+0x10e6b)#19 0x1017b4bb7 in _dispatch_worker_thread3 (/usr/lib/system/introspection/libdispatch.dylib+0x10bb7)#20 0x18d1e52c7 in _pthread_wqthread (/usr/lib/system/libsystem_pthread.dylib+0x12c7)#21 0x18d1e4db3 in start_wqthread (/usr/lib/system/libsystem_pthread.dylib+0xdb3)

Thread T3 created by T1 here:
<empty stack>

Thread T1 created by T0 here:

#1 0x1028c53eb in GPUTools::Interpose::DYInitInterpose(DYGuestAppClient* (*)(), int) (/Developer/Library/PrivateFrameworks/GPUToolsCore.framework/GPUToolsCore+0x113eb)#2 0x10187595b (<unknown module>)#3 0x101875b83 (<unknown module>)#4 0x101870f2b (<unknown module>)#5 0x10186ff4f (<unknown module>)#6 0x101870003 (<unknown module>)#7 0x101862463 (<unknown module>)#8 0x1018668f3 (<unknown module>)#9 0x101861043 (<unknown module>) "SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __64+[NetworkObserver injectIntoAllNSURLConnectionDelegateClasses]_block_invoke

Shadow bytes around the buggy address:0x0001431c3cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0001431c3d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0001431c3d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000x0001431c3d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0001431c3d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00=>0x0001431c3d40: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa0x0001431c3d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0001431c3d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0001431c3d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0001431c3d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0001431c3d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa faShadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user:f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb==581==ABORTINGWarning: hit breakpoint while running function, skipping commands and conditions to prevent recursion.warning: could not load any Objective-C class information from the dyld shared cache. This will significantly reduce the quality of type information available.AddressSanitizer report breakpoint hit. Use ’thread info -s’ to get extended information about the report.

崩溃的线程:"* thread #5: tid = 0x14006, 0x0000000101929470 libclang_rt.asan_ios_dynamic.dylib`__asan::AsanDie(), queue = ’NSOperationQueue 0x114563b50 :: NSOperation 0x10b9be650 (QOS: DEFAULT)’, stop reason = Heap buffer overflow detected frame #0: 0x0000000101929470 libclang_rt.asan_ios_dynamic.dylib`__asan::AsanDie() frame #1: 0x000000010192cf2c libclang_rt.asan_ios_dynamic.dylib`__sanitizer::Die() + 44 frame #2: 0x0000000101928280 libclang_rt.asan_ios_dynamic.dylib`__asan::ScopedInErrorReport::~ScopedInErrorReport() + 336 frame #3: 0x0000000101928018 libclang_rt.asan_ios_dynamic.dylib`__asan::ScopedInErrorReport::~ScopedInErrorReport() + 12 frame #4: 0x0000000101927b94 libclang_rt.asan_ios_dynamic.dylib`__asan_report_error + 3216 frame #5: 0x0000000101928534 libclang_rt.asan_ios_dynamic.dylib`__asan_report_load8 + 44 * frame #6: 0x0000000100d2500c iosapp`__64+[NetworkObserver injectIntoAllNSURLConnectionDelegateClasses]_block_invoke(.block_descriptor=<unavailable>) + 1632 at NetworkObserver.m:190 frame #7: 0x00000001017a521c libdispatch.dylib`_dispatch_client_callout + 16 frame #8: 0x00000001017a604c libdispatch.dylib`dispatch_once_f + 116 frame #9: 0x0000000100d24914 iosapp`+[NetworkObserver injectIntoAllNSURLConnectionDelegateClasses] [inlined] _dispatch_once(predicate=0x00000001011c2760, block=(iosapp`__64+[NetworkObserver injectIntoAllNSURLConnectionDelegateClasses]_block_invoke at NetworkObserver.m:162)) + 124 at once.h:68 frame #10: 0x0000000100d24898 iosapp`+[NetworkObserver injectIntoAllNSURLConnectionDelegateClasses](self=NetworkObserver, _cmd='injectIntoAllNSURLConnectionDelegateClasses') + 832 at NetworkObserver.m:162 frame #11: 0x0000000100d239fc iosapp`+[NetworkObserver setEnabled:](self=NetworkObserver, _cmd='setEnabled:', enabled=YES) + 240 at NetworkObserver.m:89 frame #12: 0x0000000100d70a74 iosapp`__26+[AP startWithAppID:]_block_invoke(.block_descriptor=<unavailable>, success=YES) + 236 at AP.m:61 frame #13: 0x0000000100d848a0 
iosapp`__47-[ConnectionQueue connectHostWithCompletion:]_block_invoke_2(.block_descriptor=<unavailable>, data=<unavailable>, response=<unavailable>, error=<unavailable>) + 1096 at RAConnectionQueue.m:175 frame #14: 0x000000018e752618 CFNetwork`__75-[__NSURLSessionLocal taskForClass:request:uploadFile:bodyData:completion:]_block_invoke + 32 frame #15: 0x000000018e769318 CFNetwork`__49-[__NSCFLocalSessionTask _task_onqueue_didFinish]_block_invoke + 296 frame #16: 0x000000018ec157e4 Foundation`__NSBLOCKOPERATION_IS_CALLING_OUT_TO_A_BLOCK__ + 16 frame #17: 0x000000018eb5a358 Foundation`-[NSBlockOperation main] + 96 frame #18: 0x000000018eb4a954 Foundation`-[__NSOperationInternal _start:] + 620 frame #19: 0x000000018ec17b90 Foundation`__NSOQSchedule_f + 228 frame #20: 0x000000010191f098 libclang_rt.asan_ios_dynamic.dylib`asan_dispatch_call_block_and_release + 264 frame #21: 0x00000001017a521c libdispatch.dylib`_dispatch_client_callout + 16 frame #22: 0x00000001017b2b54 libdispatch.dylib`_dispatch_queue_serial_drain + 1136 frame #23: 0x00000001017a8ce4 libdispatch.dylib`_dispatch_queue_invoke + 672 frame #24: 0x00000001017b4e6c libdispatch.dylib`_dispatch_root_queue_drain + 584 frame #25: 0x00000001017b4bb8 libdispatch.dylib`_dispatch_worker_thread3 + 140 frame #26: 0x000000018d1e52c8 libsystem_pthread.dylib`_pthread_wqthread + 1288

xcode 停留的位置:

Class *classes = NULL;int numClasses = objc_getClassList(NULL, 0);if (numClasses > 0) { classes = (__unsafe_unretained Class *)malloc(sizeof(Class) * numClasses); numClasses = objc_getClassList(classes, numClasses); for (NSInteger classIndex = 0; classIndex < numClasses; ++classIndex) {Class class = classes[classIndex];if (class == [NetworkObserver class] || class == [ConnectionQueue class] || class == [HTTPProtocol class]) { continue;}

最后停留在 Class class = classes[classIndex];问题可能出在哪里?

问题解答

回答1:

此问题已经找到答案。根因是 `int numClasses = objc_getClassList(NULL, 0);` 和 `numClasses = objc_getClassList(classes, numClasses);` 两次调用返回的数字不一样：第一次只是查询当时已注册的类数量，并按这个数量 malloc；第二次调用的返回值是调用那一刻运行时里类的总数，而不是实际写入缓冲区的个数。两次调用之间如果有别的线程注册了新类（动态加载 bundle、objc_allocateClassPair 等），总数就会大于缓冲区容量，而 `for` 循环又以第二次的返回值作为上限，`classes[classIndex]` 便会越界读，这正对应日志里的 "READ of size 8 ... located 0 bytes to the right of 123496-byte region"（123496 / 8 = 15437，缓冲区只容得下 15437 个 Class，越界读的正是下标 15437），也就是 xcode 提示的 stop reason = Heap buffer overflow detected。修复有两种写法：一是改用 `objc_copyClassList(&numClasses)`，由运行时一次性分配数组并保证返回的数量与数组长度一致（用完后 `free`）；二是保留第一次查到的容量 `capacity`，把循环上限改成 `MIN(capacity, numClasses)`，避免按更大的总数去读。另外，从贴出的片段看 malloc 出来的 `classes` 没有 `free`，请确认后续是否释放，否则每次调用都会泄漏。
