Double freeing of memory in SocketStream::~SocketStream() of CFNetwork
| Originator: | kol.kheang | | |
| Number: | rdar://17856424 | Date Originated: | 07/30/2014 |
| Status: | Open | Resolved: | |
| Product: | iOS | Product Version: | Version 7.0.2 (Build 11A501) |
| Classification: | Crash | Reproducible: | |
Some record owned by an Apple-internal SocketStream C++ class crashed in its destructor. So, some pointer it directly owns seems to have been freed elsewhere.
Note: We're using Mutual TLS.
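The ownership pattern the report suspects, as an added example that is not code from the report or from CFNetwork: a constructed allocator counts a second release of the same handle instead of corrupting the heap, the buggy stream shape releases its handle from both an early-close path and its destructor, and the fixed shape gives the handle exactly one owner so the destructor can never release what another path already gave back. `Handle`, `Allocator`, `BuggyStream` and `SafeStream` are all constructed for this example.

```cpp
#include <memory>
#include <unordered_set>
#include <vector>

// Constructed stand-in for a CoreFoundation-style handle that is torn down by
// an explicit release call, the way CFRelease tears down a CF object.
struct Handle { int id; };

// Constructed allocator: it keeps every handle alive in its own pool and only
// tracks which ones are still "live", so a second release is counted instead
// of corrupting the heap as a real double free would.
struct Allocator {
    std::vector<std::unique_ptr<Handle>> pool;
    std::unordered_set<Handle*> live;
    int doubleReleases = 0;
    Handle* create(int id) {
        pool.push_back(std::unique_ptr<Handle>(new Handle{id}));
        live.insert(pool.back().get());
        return pool.back().get();
    }
    void release(Handle* h) {
        if (live.erase(h) == 0) ++doubleReleases;   // released twice
    }
};

// Buggy shape: a raw pointer is released both by an early-close path and by
// the destructor, and the early path never clears the field.
struct BuggyStream {
    Allocator& alloc;
    Handle* sock;
    explicit BuggyStream(Allocator& a) : alloc(a), sock(a.create(1)) {}
    void closeEarly() { alloc.release(sock); }     // leaves sock dangling
    ~BuggyStream() { alloc.release(sock); }        // second release
};

// Fixed shape: exactly one owner, a custom deleter for the release call, and
// reset() on early close, so the destructor has nothing left to release.
struct SafeStream {
    struct Deleter { Allocator* a; void operator()(Handle* h) const { a->release(h); } };
    std::unique_ptr<Handle, Deleter> sock;
    explicit SafeStream(Allocator& a) : sock(a.create(2), Deleter{&a}) {}
    void closeEarly() { sock.reset(); }            // releases once, sock becomes null
};

// Each run closes early and then lets the destructor fire; returns the number
// of double releases the allocator observed.
int runBuggy() { Allocator a; { BuggyStream s(a); s.closeEarly(); } return a.doubleReleases; }
int runSafe()  { Allocator a; { SafeStream  s(a); s.closeEarly(); } return a.doubleReleases; }
```

With a real allocator the buggy shape is what AddressSanitizer reports as a double-free; the fixed shape removes the second release path rather than detecting it.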
Exception Type: EXC_CRASH (SIGSEGV)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Triggered by Thread: 0
Thread 0 Crashed:
0 libsystem_kernel.dylib 0x38f74a8c mach_msg_trap + 20
1 libsystem_kernel.dylib 0x38f74888 mach_msg + 44
2 CoreFoundation 0x2e28c7c6 __CFRunLoopServiceMachPort + 150
3 CoreFoundation 0x2e28af32 __CFRunLoopRun + 850
4 CoreFoundation 0x2e1f5ce2 CFRunLoopRunSpecific + 518
5 CoreFoundation 0x2e1f5ac6 CFRunLoopRunInMode + 102
6 GraphicsServices 0x32ee327e GSEventRunModal + 134
7 UIKit 0x30a97a3c UIApplicationMain + 1132
8 MyAppName 0x000c87ca 0xc1000 + 30666
9 libdyld.dylib 0x38ed0ab4 start + 0
Thread 1:
0 libsystem_kernel.dylib 0x38f7483c kevent64 + 24
1 libdispatch.dylib 0x38eb5220 _dispatch_mgr_invoke + 228
2 libdispatch.dylib 0x38eb4fa6 _dispatch_mgr_thread$VARIANT$mp + 34
Thread 2:
0 CFNetwork 0x2debe2f8 SocketStream::~SocketStream() + 284
1 CFNetwork 0x2debe1c8 SocketStream::~SocketStream() + 16
2 CoreFoundation 0x2e1f26b4 CFRelease + 460
3 libdispatch.dylib 0x38eabd78 _dispatch_call_block_and_release + 8
4 libdispatch.dylib 0x38eb2292 _dispatch_queue_drain$VARIANT$mp + 370
5 libdispatch.dylib 0x38eb2096 _dispatch_queue_invoke$VARIANT$mp + 38
6 libdispatch.dylib 0x38eb2d12 _dispatch_root_queue_drain + 74
7 libdispatch.dylib 0x38eb2f88 _dispatch_worker_thread2 + 52
8 libsystem_pthread.dylib 0x38feddbc _pthread_wqthread + 296
9 libsystem_pthread.dylib 0x38fedc80 start_wqthread + 4
Thread 3 name: WebThread
Thread 3:
0 libsystem_kernel.dylib 0x38f74a8c mach_msg_trap + 20
1 libsystem_kernel.dylib 0x38f74888 mach_msg + 44
2 CoreFoundation 0x2e28c7c6 __CFRunLoopServiceMachPort + 150
3 CoreFoundation 0x2e28aeec __CFRunLoopRun + 780
4 CoreFoundation 0x2e1f5ce2 CFRunLoopRunSpecific + 518
5 CoreFoundation 0x2e1f5ac6 CFRunLoopRunInMode + 102
6 WebCore 0x3636bbae RunWebThread(void*) + 414
7 libsystem_pthread.dylib 0x38fefc1a _pthread_body + 138
8 libsystem_pthread.dylib 0x38fefb8a _pthread_start + 98
9 libsystem_pthread.dylib 0x38fedc8c thread_start + 4
Thread 4 name: com.apple.NSURLConnectionLoader
Thread 4:
0 libsystem_kernel.dylib 0x38f74a8c mach_msg_trap + 20
1 libsystem_kernel.dylib 0x38f74888 mach_msg + 44
2 CoreFoundation 0x2e28c7c6 __CFRunLoopServiceMachPort + 150
3 CoreFoundation 0x2e28aeec __CFRunLoopRun + 780
4 CoreFoundation 0x2e1f5ce2 CFRunLoopRunSpecific + 518
5 CoreFoundation 0x2e1f5ac6 CFRunLoopRunInMode + 102
6 Foundation 0x2ec2f492 +[NSURLConnection(Loader) _resourceLoadLoop:] + 314
7 Foundation 0x2eca4e22 __NSThread__main__ + 1058
8 libsystem_pthread.dylib 0x38fefc1a _pthread_body + 138
9 libsystem_pthread.dylib 0x38fefb8a _pthread_start + 98
10 libsystem_pthread.dylib 0x38fedc8c thread_start + 4
Thread 5:
0 libsystem_kernel.dylib 0x38f74a8c mach_msg_trap + 20
1 libsystem_kernel.dylib 0x38f74888 mach_msg + 44
2 CoreFoundation 0x2e28c7c6 __CFRunLoopServiceMachPort + 150
3 CoreFoundation 0x2e28aeec __CFRunLoopRun + 780
4 CoreFoundation 0x2e1f5ce2 CFRunLoopRunSpecific + 518
5 CoreFoundation 0x2e1f5ac6 CFRunLoopRunInMode + 102
6 libAVFAudio.dylib 0x2d1e7584 GenericRunLoopThread::Entry(void*) + 124
7 libAVFAudio.dylib 0x2d1dba94 CAPThread::Entry(CAPThread*) + 176
8 libsystem_pthread.dylib 0x38fefc1a _pthread_body + 138
9 libsystem_pthread.dylib 0x38fefb8a _pthread_start + 98
10 libsystem_pthread.dylib 0x38fedc8c thread_start + 4
Thread 6 name: com.apple.CFSocket.private
Thread 6:
0 libsystem_kernel.dylib 0x38f87440 __select + 20
1 CoreFoundation 0x2e290688 __CFSocketManager + 480
2 libsystem_pthread.dylib 0x38fefc1a _pthread_body + 138
3 libsystem_pthread.dylib 0x38fefb8a _pthread_start + 98
4 libsystem_pthread.dylib 0x38fedc8c thread_start + 4
Thread 7 name: JavaScriptCore::BlockFree
Thread 7:
0 libsystem_kernel.dylib 0x38f86f38 __psynch_cvwait + 24
1 libsystem_pthread.dylib 0x38fef224 _pthread_cond_wait + 536
2 libsystem_pthread.dylib 0x38ff0000 pthread_cond_wait + 36
3 JavaScriptCore 0x2f219d58 JSC::BlockAllocator::blockFreeingThreadMain() + 204
4 JavaScriptCore 0x2f2173a8 WTF::wtfThreadEntryPoint(void*) + 12
5 libsystem_pthread.dylib 0x38fefc1a _pthread_body + 138
6 libsystem_pthread.dylib 0x38fefb8a _pthread_start + 98
7 libsystem_pthread.dylib 0x38fedc8c thread_start + 4
Thread 8 name: JavaScriptCore::Marking
Thread 8:
0 libsystem_kernel.dylib 0x38f86f38 __psynch_cvwait + 24
1 libsystem_pthread.dylib 0x38fef224 _pthread_cond_wait + 536
2 libsystem_pthread.dylib 0x38ff0000 pthread_cond_wait + 36
3 JavaScriptCore 0x2f3b523e JSC::GCThread::waitForNextPhase() + 74
4 JavaScriptCore 0x2f3b5298 JSC::GCThread::gcThreadMain() + 48
5 JavaScriptCore 0x2f2173a8 WTF::wtfThreadEntryPoint(void*) + 12
6 libsystem_pthread.dylib 0x38fefc1a _pthread_body + 138
7 libsystem_pthread.dylib 0x38fefb8a _pthread_start + 98
8 libsystem_pthread.dylib 0x38fedc8c thread_start + 4
Thread 9 name: WebCore: CFNetwork Loader
Thread 9:
0 libsystem_kernel.dylib 0x38f74a8c mach_msg_trap + 20
1 libsystem_kernel.dylib 0x38f74888 mach_msg + 44
2 CoreFoundation 0x2e28c7c6 __CFRunLoopServiceMachPort + 150
3 CoreFoundation 0x2e28aeec __CFRunLoopRun + 780
4 CoreFoundation 0x2e1f5ce2 CFRunLoopRunSpecific + 518
5 CoreFoundation 0x2e1f5ac6 CFRunLoopRunInMode + 102
6 WebCore 0x363b472a WebCore::runLoaderThread(void*) + 250
7 JavaScriptCore 0x2f2173a8 WTF::wtfThreadEntryPoint(void*) + 12
8 libsystem_pthread.dylib 0x38fefc1a _pthread_body + 138
9 libsystem_pthread.dylib 0x38fefb8a _pthread_start + 98
10 libsystem_pthread.dylib 0x38fedc8c thread_start + 4
Thread 10:
0 libsystem_kernel.dylib 0x38f86f38 __psynch_cvwait + 24
1 libsystem_pthread.dylib 0x38fef224 _pthread_cond_wait + 536
2 libsystem_pthread.dylib 0x38ff0000 pthread_cond_wait + 36
3 Foundation 0x2ec2f592 -[NSCondition wait] + 190
4 MyAppName 0x000f6430 0xc1000 + 218160
5 Foundation 0x2eca4e22 __NSThread__main__ + 1058
6 libsystem_pthread.dylib 0x38fefc1a _pthread_body + 138
7 libsystem_pthread.dylib 0x38fefb8a _pthread_start + 98
8 libsystem_pthread.dylib 0x38fedc8c thread_start + 4
Thread 11:
0 libsystem_kernel.dylib 0x38f74a8c mach_msg_trap + 20
1 libsystem_kernel.dylib 0x38f74888 mach_msg + 44
2 CoreFoundation 0x2e28c7c6 __CFRunLoopServiceMachPort + 150
3 CoreFoundation 0x2e28aeec __CFRunLoopRun + 780
4 CoreFoundation 0x2e1f5ce2 CFRunLoopRunSpecific + 518
5 CoreFoundation 0x2e1f5ac6 CFRunLoopRunInMode + 102
6 AudioToolbox 0x2db526a4 GenericRunLoopThread::Entry(void*) + 124
7 AudioToolbox 0x2db338f0 CAPThread::Entry(CAPThread*) + 208
8 libsystem_pthread.dylib 0x38fefc1a _pthread_body + 138
9 libsystem_pthread.dylib 0x38fefb8a _pthread_start + 98
10 libsystem_pthread.dylib 0x38fedc8c thread_start + 4
Thread 12:
0 libsystem_kernel.dylib 0x38f87c7c __workq_kernreturn + 8
1 libsystem_pthread.dylib 0x38feddc6 _pthread_wqthread + 306
2 libsystem_pthread.dylib 0x38fedc80 start_wqthread + 4
Thread 13 name: AFNetworking
Thread 13:
0 libsystem_kernel.dylib 0x38f74a8c mach_msg_trap + 20
1 libsystem_kernel.dylib 0x38f74888 mach_msg + 44
2 CoreFoundation 0x2e28c7c6 __CFRunLoopServiceMachPort + 150
3 CoreFoundation 0x2e28aeec __CFRunLoopRun + 780
4 CoreFoundation 0x2e1f5ce2 CFRunLoopRunSpecific + 518
5 CoreFoundation 0x2e1f5ac6 CFRunLoopRunInMode + 102
6 Foundation 0x2ebe2576 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 250
7 Foundation 0x2ec334ac -[NSRunLoop(NSRunLoop) run] + 76
8 MyAppName 0x0086be26 0xc1000 + 8039974
9 Foundation 0x2eca4e22 __NSThread__main__ + 1058
10 libsystem_pthread.dylib 0x38fefc1a _pthread_body + 138
11 libsystem_pthread.dylib 0x38fefb8a _pthread_start + 98
12 libsystem_pthread.dylib 0x38fedc8c thread_start + 4
Thread 14:
0 libsystem_kernel.dylib 0x38f74a8c mach_msg_trap + 20
1 libsystem_kernel.dylib 0x38f74888 mach_msg + 44
2 CoreFoundation 0x2e28c7c6 __CFRunLoopServiceMachPort + 150
3 CoreFoundation 0x2e28aeec __CFRunLoopRun + 780
4 CoreFoundation 0x2e1f5ce2 CFRunLoopRunSpecific + 518
5 CoreFoundation 0x2e2397fe CFRunLoopRun + 94
6 CoreMotion 0x2e8ac270 ___lldb_unnamed_function1404$$CoreMotion + 724
7 libsystem_pthread.dylib 0x38fefc1a _pthread_body + 138
8 libsystem_pthread.dylib 0x38fefb8a _pthread_start + 98
9 libsystem_pthread.dylib 0x38fedc8c thread_start + 4
Thread 15:
0 libsystem_kernel.dylib 0x38f87c7c __workq_kernreturn + 8
1 libsystem_pthread.dylib 0x38feddc6 _pthread_wqthread + 306
2 libsystem_pthread.dylib 0x38fedc80 start_wqthread + 4
Thread 0 crashed with ARM Thread State (32-bit):
r0: 0x10004005 r1: 0x07000006 r2: 0x00000000 r3: 0x00000c00
r4: 0x00001a03 r5: 0xffffffff r6: 0x00000000 r7: 0x27d41e6c
r8: 0x00000000 r9: 0x00000001 r10: 0x00001a03 r11: 0x00000c00
ip: 0xffffffe1 sp: 0x27d41e2c lr: 0x38f7488d pc: 0x38f74a8c
cpsr: 0x60000010