Why do crashes in iOS relating to dyld_stub_binder occur? - ios

It's widely known that dynamic link libraries aren't allowed in iOS apps, they may only link to dynamic system libraries. But I do run into some pretty confusing crashes with the 3rd frame from the top of the stack being dyld_stub_binder.
It's tough to find some solid information, but I'm guessing that dyld_stub_binder actually performs late linking of a dynamic system library.
I tend to run into crashes where the exception is EXC_BREAKPOINT UNKNOWN and the crash always seems to occur in the context of dyld_stub_binder.
The implementation of dyld_stub_binder is on the apple open source website. I don't quite understand the assembly, but perhaps someone who does could interpret why this error happens or whether or not it's something that is out of the application's direct control. The assembly code may not be useful though, as I'm talking about the iOS (arm) implementation and this code is i386 and x86_64.
EDIT: An interesting piece of information is that I think I started seeing this crash during efforts for porting to arm64. Is it possible that a runtime exception like this is due to some kind of misalignment?

As you've stated, the asm for the ARM case is not available, but it's fairly straightforward to figure out since you can decompile fairly easily. What dyld_stub_binder does (on all architectures) is to handle the lazy symbols in a binary. For example, consider the following:
$ cat a.c
void main(int argc, char **argv)
{
printf("%s", argv[1]);
}
$ gcc-iphone a.c -o a
$ jtool -d a
Disassembling from file offset 0x7f44, Address 0x100007f44
_main:
100007f44 STP X29, X30, [X31,#-16]!
100007f48 ADD x29, x31, #0x0 ; ..R29 = R31 (0x0) + 0x0 = 0x1f
100007f4c SUB X31, X31, #32
100007f50 STUR X0, X29, #-4 ; *((1) + 0x0) = ???
100007f54 STR X1, [ X31, #2] ; *((2) + 0x0) = ???
100007f58 LDR X1, [X31, #0x10] ; R1 = *(10) = 0x100000cfeedfacf
100007f5c LDR X1, [X1, #0x8] ; R1 = *(100000cfeedfad7) = 0x100000cfeedfacf
100007f60 ADD x8, x31, #0x0 ; ..R8 = R31 (0x0) + 0x0 = 0x1f
100007f64 STR X1, [ X8, #0] ; *(0x0) = 0xfeedfacf
100007f68 ADRP x0, 0 ; ->R0 = 0x100007000
100007f6c ADD x0, x0, #0xfb4 ; ..R0 = R0 (0x100007000) + 0xfb4 = 0x100007fb4 "%s"
100007f70 BL _printf ; 0x100007f84
; _printf("%s",arg..);
100007f74 STR X0, [ X31, #3] ; *((254) + 0x0) = ???
100007f78 ADD x31, x29, #0x0 ; ..R31 = R29 (0x1f) + 0x0 = 0x1d
100007f7c LDP X29, X30, [X31],#16
100007f80 RET
see that printf up there? 0x100007f84? Let's see what that is (The built-in otool can't decompile that part, but jtool can:)
_printf:
100007f84 NOP
100007f88 LDR X16, #34 ; R16 = *(100008010) = 0x100007fa8
100007f8c BR X16
So you just to 0x100007fa8. Once again applying jtool:
$ jtool -d 0x100007fa8 a
Disassembling from file offset 0x7fa8, Address 0x100007fa8
100007fa8 LDR X16, #2
100007fac B 0x100007f90
And now we have 0x100007f90, which is ...
100007f90 ADR x17, 120 ; ->R17 = 0x100008008
100007f94 NOP
100007f98 STP X16, X17, [X31,#-16]!
100007f9c NOP
100007fa0 LDR X16, #24 ; R16 = *(100008000) dyld_stub_binder
100007fa4 BR X16
Now, go back to that 0x...8010 which gets loaded - that will be the address of printf(), but it is only bound after the first "hit" or access. You can verify that with dyldinfo, or jtool -lazy_bind:
$ jtool -lazy_bind a
bind information:
segment section address type addend dylib symbol
__DATA __la_symbol_ptr 0x100008010 ... 0 libSystem.B.dylib _printf
Meaning, on first access, the stub_binder finds the address of printf in lib system, and embeds it there.
If the symbol cannot be bound, you get an exception. Though that can be for oh-so-many-reasons. You might want to add the crash log here. If it's a breakpoint, that's a voluntary crash by dyld which usually occurs when symbol was not found. If a debugger (lldb) is attached, it will break there and then. Else - with no debugger - it crashes.

Related

Odd Crash in Swift, related to setting sublayers to nil

This is a follow on to this question. In this routine,
func tableView(_ tableView: UITableView, didSelectRowAt indexPath: IndexPath) {
Tracker.track("getting row \(indexPath.row)")
let ptv = tableView as? NovilloTableView
if ptv!.uiType == .textTable {
let gp = Projects.currentProject?.getPaths(type: PaletteView.getCurrentPane())
GitPaths.currentGitPath = gp![indexPath.row]
// NotificationCenter.default.post(name: NNames.updateWebText.nn(), object: nil)
return
}
let svgs = Projects.currentProject!.getPaths(type : PaletteView.getCurrentPane())
var gitPath = svgs[indexPath.row]
Tracker.track("gitpath is \(gitPath)")
var gitPaths = GitPaths.getMediaBoundingBoxes(paths: [gitPath])
guard let pathArrays = gitPath.parseForRegBeziers() else { return }
let rslt = pathArrays.0
let regBeziers = pathArrays.1
gitPath.boundingBox = gitPath.getBoundsParamsForPaths(src: regBeziers.isEmpty ? rslt : regBeziers)
GitPaths.currentGitPath = gitPath
// Tracker.track("sending notification")
NotificationCenter.default.post(name: NNames.updateMedia.nn(), object: nil, userInfo: ["path" : gitPath])
Tracker.track("completed didSelect")
return
}
…the main thread logical path I'm following is the one that ends at the bottom withTracker.track("completed didSelect"). I'm getting a crash if I execute the notification call, that throws this information:
libobjc.A.dylib`objc_msgSend:
0x18002ec00 <+0>: cmp x0, #0x0
0x18002ec04 <+4>: b.le 0x18002ec6c ; <+108>
0x18002ec08 <+8>: ldr x14, [x0]
0x18002ec0c <+12>: and x16, x14, #0x7ffffffffffff8
0x18002ec10 <+16>: mov x15, x16
-> 0x18002ec14 <+20>: ldr x10, [x16, #0x10]
0x18002ec18 <+24>: lsr x11, x10, #48
0x18002ec1c <+28>: and x10, x10, #0xffffffffffff
0x18002ec20 <+32>: and w12, w1, w11
0x18002ec24 <+36>: add x13, x10, x12, lsl #4
0x18002ec28 <+40>: ldp x17, x9, [x13], #-0x10
0x18002ec2c <+44>: cmp x9, x1
0x18002ec30 <+48>: b.ne 0x18002ec3c ; <+60>
0x18002ec34 <+52>: eor x17, x17, x16
0x18002ec38 <+56>: br x17
0x18002ec3c <+60>: cbz x9, 0x18002eea0 ; _objc_msgSend_uncached
0x18002ec40 <+64>: cmp x13, x10
0x18002ec44 <+68>: b.hs 0x18002ec28 ; <+40>
0x18002ec48 <+72>: add x13, x10, w11, uxtw #4
0x18002ec4c <+76>: add x12, x10, x12, lsl #4
0x18002ec50 <+80>: ldp x17, x9, [x13], #-0x10
0x18002ec54 <+84>: cmp x9, x1
0x18002ec58 <+88>: b.eq 0x18002ec34 ; <+52>
0x18002ec5c <+92>: cmp x9, #0x0
0x18002ec60 <+96>: ccmp x13, x12, #0x0, ne
0x18002ec64 <+100>: b.hi 0x18002ec50 ; <+80>
0x18002ec68 <+104>: b 0x18002eea0 ; _objc_msgSend_uncached
0x18002ec6c <+108>: b.eq 0x18002ec90 ; <+144>
0x18002ec70 <+112>: and x10, x0, #0x7
0x18002ec74 <+116>: asr x11, x0, #55
0x18002ec78 <+120>: cmp x10, #0x7
0x18002ec7c <+124>: csel x12, x11, x10, eq
0x18002ec80 <+128>: adrp x10, 232550
0x18002ec84 <+132>: add x10, x10, #0xa00 ; objc_debug_taggedpointer_classes
0x18002ec88 <+136>: ldr x16, [x10, x12, lsl #3]
0x18002ec8c <+140>: b 0x18002ec10 ; <+16>
0x18002ec90 <+144>: mov x1, #0x0
0x18002ec94 <+148>: movi d0, #0000000000000000
0x18002ec98 <+152>: movi d1, #0000000000000000
0x18002ec9c <+156>: movi d2, #0000000000000000
0x18002eca0 <+160>: movi d3, #0000000000000000
0x18002eca4 <+164>: ret
0x18002eca8 <+168>: nop
0x18002ecac <+172>: nop
0x18002ecb0 <+176>: nop
0x18002ecb4 <+180>: nop
0x18002ecb8 <+184>: nop
0x18002ecbc <+188>: nop
According to another post in Stackoverflow, that message has come up when functions that need to be visible to Objective-C aren't marked with #objc, but as you can see, this one is (below).
This wasn't happening at first, and I'm not sure why, but the function called by the Notification is this:
#objc func updateMedia(notification : Notification) {
let path = (notification.userInfo?["path"] ?? GitPaths.currentGitPath!) as? GitPaths
Tracker.track("sublayers: \(mediaDisplay!.layer.sublayers == nil)")
mediaDisplay!.layer.sublayers = nil
mediaDisplay!.mask = nil
// Tracker.track("render beziers for \(path)")
// path!.renderBeziers(tgt: mediaDisplay!, path : path) //, data:["style" : "media"])
// refreshMediaInfo()
// updateSelectedMedia( src : GitPaths.currentGitPath! )
// return
}
I've commented most lines out to see where the crash can be induced, and it's the line mediaDisplay!.layer.sublayers = nil. If I comment this line out, the function executes correctly; if I include it, it will crash, but not as that line executes; the whole function will return, and the crash happens at the end of the function that called the Notification in the first place, which is the one at the top of this post. Tracker.track() is just a way to print messages in a formatted way, and isn't a contributor to this; so basically, after the Notification returns, nothing else happens; if I step through, it gets to the final bracket of the function, before returning control the the user.
I've checked that the object mediaDisplay exists, and it does because it's actually doing what is being asked; when not commented out, the line path!.renderBeziers(tgt: mediaDisplay!, path : path) , uncommented is drawing a bunch of Bezier paths into that view, which as this screenshot taken after the crash shows it does successfully. In other words, the line that causes the crash doesn't stop all the other code that's behind path!.renderBeziers(tgt: mediaDisplay!, path : path) from doing its job, when I uncomment those and run the same thing. The table in the palette is the object that initiates all this, btw.
The view has a big question mark hanging over it; it is a subclass of a WKWebView, which is the big change here. I'm using it here as for regular UIView capability, of acting as a container for a bunch of CAShapeLayers. This is working exactly as it was before, when it was a UIView.
The reason for the change is that I want to be able to display html content in the same view as the CAShapeLayers, as a way of having html interleaved between different drawn elements on the screen; think of text with the dark purple shape behind it and the lighter one in front. In this, I'm following a question I asked which was answered here.
In any case, referring to the container in the next line, where the mask is set to nil does not cause the crash; so it seems to have to do with the layer of the WKWebView, and the sublayers of it. They exist, and I've checked that, but setting them to nil seems to blow this up, in this weird way.
I'm sure I'm missing something; I haven't used WebViews before, so I'm expecting that maybe that's the issue; but it's not intuitive to me what could be going wrong, and I've tried multiple strategies for debugging this. The one that has gotten me the closest to pinpointing the problem is what I've shown here, where I can locate it in the one line; but it seems pretty unproblematic to me...am I missing something obvious?
Thanks in advance for your ideas and insights.
It would appear that #Larme was on the right track: I eventually traced it to the line where the view's layer's sublayers were set to nil. This was the problem. Iterating through the sublayers if present and removing them individually from the parent layer caused the crash to disappear.
The same problem cropped up in a second view, also a WKWebView, where applying the same solution caused a similar crash. In both cases, the error message was entirely unhelpful. In the second case, I simply commented out all the code related to sublayer, and things worked fine. I suspect that this might cause problems at a later stage when I need to update the view with other sublayer information, but I am not in a situation to test that right now.
I'm travelling right now without access to my original project, so sorry for no code to show; but the basic iteration through the layer's sublayers should not be too hard to work out.

What would be the best approach patch-finding the pointer of a certain function on the XNU Kernel?

I am currently working on an iOS Jailbreak for iOS 13.7.
As part of the jailbreak, I need to do a series of patches to the XNU Kernel live in the memory.
Of course, the kernel is protected by kASLR, KPP / KTRR, and other memory watchdogs that would trigger a Kernel Panic if something is modified.
As luck would have it, KTRR (Kernel Text Ready Only Region) can only protect, well, static data that is not supposed to change (i.e. the TEXT section and constants). The variables can still be altered.
I am building a PatchFinder which is supposed to locate a function or a variable in the XNU memory based on tell-tale symbols and I am wondering what would be the most effective approach for this.
I am currently adapting on top of the PatchFinder made publicly available back in the iOS 8 era by in7egal which looks like this:
uint32_t find_cs_enforcement_disable_amfi(uint32_t region, uint8_t* kdata, size_t ksize)
{
// Find a function referencing cs_enforcement_disable_amfi
const uint8_t search_function[] = {0x20, 0x68, 0x40, 0xF4, 0x40, 0x70, 0x20, 0x60, 0x00, 0x20, 0x90, 0xBD};
uint8_t* ptr = memmem(kdata, ksize, search_function, sizeof(search_function));
if(!ptr)
return 0;
// Only LDRB in there should try to dereference cs_enforcement_disable_amfi
uint16_t* ldrb = find_last_insn_matching(region, kdata, ksize, (uint16_t*) ptr, insn_is_ldrb_imm);
if(!ldrb)
return 0;
// Weird, not the right one.
if(insn_ldrb_imm_imm(ldrb) != 0 || insn_ldrb_imm_rt(ldrb) > 12)
return 0;
// See what address that LDRB is dereferencing
return find_pc_rel_value(region, kdata, ksize, ldrb, insn_ldrb_imm_rn(ldrb));
}
I wonder if there is any faster way or a more reliable way to locate the cs_enforcement_disable_amfi.
Once found by the PatchFinder in the XNU Kernel memory, it's used like this:
uint32_t cs_enforcement_disable_amfi = find_cs_enforcement_disable_amfi(kernel_base, kdata, ksize);
printf("cs_enforcement_disable_amfi is at=0x%08x\n",cs_enforcement_disable_amfi);
if (cs_enforcement_disable_amfi){
char patch[] ="\x00\xbf\x00\xbf\x00\xbf\x00\xbf\x00\xbf";
kern_return_t kernret = vm_write(proccessTask, cs_enforcement_disable_amfi+kernel_base, patch, sizeof(patch)-1);
if (kernret == KERN_SUCCESS){
printf("Successfully patched cs_enforcement_disable_amfi\n");
}
}
So the PatchFinder has to be able to reliably return the pointer to cs_enforcement_disable_amfi otherwise I am blindly writing to an invalid (or valid but different) address which almost certainly will trigger memory corruption.
The current code does return a valid pointer to cs_enforcement_disable_amfi most of the time, but randomly panics the kernel about 10-15% of the time which means the address it returns 10-15% of the time is invalid. Not sure how to make it more reliable.
The variable you're looking for doesn't exist anymore.
The bytes in your first snippet make up Thumb instructions, which find this function in AMFI in a 32bit kernelcache:
0x8074ad04 90b5 push {r4, r7, lr}
0x8074ad06 01af add r7, sp, 4
0x8074ad08 0d48 ldr r0, [0x8074ad40]
0x8074ad0a 7844 add r0, pc
0x8074ad0c 0078 ldrb r0, [r0]
0x8074ad0e 0128 cmp r0, 1
0x8074ad10 03d1 bne 0x8074ad1a
0x8074ad12 0020 movs r0, 0
0x8074ad14 00f04efa bl 0x8074b1b4
0x8074ad18 30b9 cbnz r0, 0x8074ad28
0x8074ad1a 7c69 ldr r4, [r7, 0x14]
0x8074ad1c 002c cmp r4, 0
0x8074ad1e 05d0 beq 0x8074ad2c
0x8074ad20 2068 ldr r0, [r4]
0x8074ad22 40f44070 orr r0, r0, 0x300
0x8074ad26 2060 str r0, [r4]
0x8074ad28 0020 movs r0, 0
0x8074ad2a 90bd pop {r4, r7, pc}
Given the magic constant 0x300 and the fact that AMFI's __TEXT_EXEC segment is quite small, we can easily find this in other kernels, including 64bit ones.
This is what it looks like on an iPhone 5s on 8.4:
0xffffff800268d2e4 f44fbea9 stp x20, x19, [sp, -0x20]!
0xffffff800268d2e8 fd7b01a9 stp x29, x30, [sp, 0x10]
0xffffff800268d2ec fd430091 add x29, sp, 0x10
0xffffff800268d2f0 f30307aa mov x19, x7
0xffffff800268d2f4 e8fc1110 adr x8, section.com.apple.driver.AppleMobileFileIntegrity.10.__DATA.__bss
0xffffff800268d2f8 1f2003d5 nop
0xffffff800268d2fc 08054039 ldrb w8, [x8, 1]
0xffffff800268d300 a8000037 tbnz w8, 0, 0xffffff800268d314
0xffffff800268d304 130100b4 cbz x19, 0xffffff800268d324
0xffffff800268d308 680240b9 ldr w8, [x19]
0xffffff800268d30c 08051832 orr w8, w8, 0x300
0xffffff800268d310 680200b9 str w8, [x19]
0xffffff800268d314 00008052 mov w0, 0
0xffffff800268d318 fd7b41a9 ldp x29, x30, [sp, 0x10]
0xffffff800268d31c f44fc2a8 ldp x20, x19, [sp], 0x20
0xffffff800268d320 c0035fd6 ret
But by the time of iOS 11, the variable is gone:
0xfffffff006245d84 f44fbea9 stp x20, x19, [sp, -0x20]!
0xfffffff006245d88 fd7b01a9 stp x29, x30, [sp, 0x10]
0xfffffff006245d8c fd430091 add x29, sp, 0x10
0xfffffff006245d90 f30307aa mov x19, x7
0xfffffff006245d94 130100b4 cbz x19, 0xfffffff006245db4
0xfffffff006245d98 680240b9 ldr w8, [x19]
0xfffffff006245d9c 08051832 orr w8, w8, 0x300
0xfffffff006245da0 680200b9 str w8, [x19]
0xfffffff006245da4 00008052 mov w0, 0
0xfffffff006245da8 fd7b41a9 ldp x29, x30, [sp, 0x10]
0xfffffff006245dac f44fc2a8 ldp x20, x19, [sp], 0x20
0xfffffff006245db0 c0035fd6 ret
Looking at iOS 12.0b1, we can learn the signature of that function:
_vnode_check_exec(ucred*, vnode*, vnode*, label*, label*, label*, componentname*, unsigned int*, void*, unsigned long)
So yeah, finding this function is really easy:
Find AMFI's __TEXT_EXEC segment.
Find an orr wN, wN, 0x300 in it.
But that won't help you unless you defeat kernel integrity.

HomeKit crashes reason: '-[__NSDate length]: but Bool sent

tl;dr - The code in the question is correct. Reason for crash at another party.
The challenge is to control an Elgato Eve Energy HomeKit enabled outlet.
Up til where the code starts, everything is working OK, so the correct room, accessory and so on is selected. The code does turn off the outlet, but right afterwards the app crashes.
guard let services = accessory?.services else {
print("No Service")
return
}
for service in services {
if service.serviceType == HMServiceTypeOutlet {
for characteristic in service.characteristics {
print(characteristic.characteristicType)
if characteristic.characteristicType == HMCharacteristicTypePowerState {
print(characteristic.metadata!)
dump(characteristic)
// Turning off the outlet
characteristic.writeValue(false, completionHandler: { (error: Error?) -> Void in
if error == nil {
print("Yep")
} else {
print("Nop")
}
})
}
}
}
}
Log
00000023-0000-1000-8000-0026BB765291
00000025-0000-1000-8000-0026BB765291
[%# Format: bool, Manufacturer Description: Power State ]
- <HMCharacteristic: 0x1702c23e0> #0
- super: NSObject
00000026-0000-1000-8000-0026BB765291
E863F10A-079E-48FF-8F27-9C2605A29F52
E863F126-079E-48FF-8F27-9C2605A29F52
E863F10D-079E-48FF-8F27-9C2605A29F52
E863F10C-079E-48FF-8F27-9C2605A29F52
2017-02-07 23:19:59.725340 POS[499:100178] -[__NSDate length]: unrecognized selector sent to instance 0x170007710
2017-02-07 23:19:59.725767 POS[499:100178] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[__NSDate length]: unrecognized selector sent to instance 0x170007710'
*** First throw call stack:
(0x188a291b8 0x18746055c 0x188a30268 0x188a2d270 0x18892680c 0x1895be458 0x1895be350 0x1895be698 0x1006328f8 0x1a249ac8c 0x199674f34 0x19966c588 0x1a249d194 0x101951258 0x101951218 0x10195eaec 0x101954ce0 0x10195f088 0x101960e2c 0x101960b78 0x187abb2a0 0x187abad8c)
libc++abi.dylib: terminating with uncaught exception of type NSException
Sym
2017-02-08 10:17:47.804825 POS[602:171994] -[__NSDate length]: unrecognized selector sent to instance 0x1740169c0
iZettlePayments`-[NSDictionary(Fractionized) dateForKey:]:
0x100973d88 <+0>: stp x22, x21, [sp, #-48]!
0x100973d8c <+4>: stp x20, x19, [sp, #16]
0x100973d90 <+8>: stp x29, x30, [sp, #32]
0x100973d94 <+12>: add x29, sp, #32 ; =32
0x100973d98 <+16>: mov x19, x0
0x100973d9c <+20>: nop
0x100973da0 <+24>: ldr x20, #861056 ; (void *)0x00000001ad8966b8: NSDateFormatter
0x100973da4 <+28>: nop
0x100973da8 <+32>: ldr x21, #851248 ; "izDateFormatterUsingISO8601"
0x100973dac <+36>: mov x0, x2
0x100973db0 <+40>: bl 0x1009e9b54 ; symbol stub for: objc_retain
0x100973db4 <+44>: mov x22, x0
0x100973db8 <+48>: mov x0, x20
0x100973dbc <+52>: mov x1, x21
0x100973dc0 <+56>: bl 0x1009e9b30 ; symbol stub for: objc_msgSend
0x100973dc4 <+60>: mov x29, x29
0x100973dc8 <+64>: bl 0x1009e9b78 ; symbol stub for: objc_retainAutoreleasedReturnValue
0x100973dcc <+68>: mov x20, x0
0x100973dd0 <+72>: nop
0x100973dd4 <+76>: ldr x1, #849044 ; "valueForKey:"
0x100973dd8 <+80>: mov x0, x19
0x100973ddc <+84>: mov x2, x22
0x100973de0 <+88>: bl 0x1009e9b30 ; symbol stub for: objc_msgSend
0x100973de4 <+92>: mov x19, x0
0x100973de8 <+96>: mov x0, x22
0x100973dec <+100>: bl 0x1009e9b48 ; symbol stub for: objc_release
0x100973df0 <+104>: mov x0, x19
0x100973df4 <+108>: bl 0x1009e9b78 ; symbol stub for: objc_retainAutoreleasedReturnValue
0x100973df8 <+112>: mov x19, x0
0x100973dfc <+116>: nop
0x100973e00 <+120>: ldr x1, #851168 ; "dateFromString:"
0x100973e04 <+124>: mov x0, x20
0x100973e08 <+128>: mov x2, x19
0x100973e0c <+132>: bl 0x1009e9b30 ; symbol stub for: objc_msgSend
0x100973e10 <+136>: mov x29, x29
0x100973e14 <+140>: bl 0x1009e9b78 ; symbol stub for: objc_retainAutoreleasedReturnValue
0x100973e18 <+144>: mov x21, x0
0x100973e1c <+148>: mov x0, x19
0x100973e20 <+152>: bl 0x1009e9b48 ; symbol stub for: objc_release
0x100973e24 <+156>: mov x0, x20
0x100973e28 <+160>: bl 0x1009e9b48 ; symbol stub for: objc_release
0x100973e2c <+164>: mov x0, x21
0x100973e30 <+168>: ldp x29, x30, [sp, #32]
0x100973e34 <+172>: ldp x20, x19, [sp, #16]
0x100973e38 <+176>: ldp x22, x21, [sp], #48
0x100973e3c <+180>: b 0x1009e9ac4 ; symbol stub for: objc_autoreleaseReturnValue
Browsing the Elgato Eve services and characteristics, shows the first characteristic in the array is the one holding the name, and the second one is the one I need to manipulate. The printed metadata shows its a bool, and confirms its the Power State, and its both readable and writable, as described in the table linked to before.
Since I write a false to the correct characteristic, the outlet turns off, but a couple of seconds later, the app crashes. I have removed any observers and delegate methods that could interfere. This really baffles me.
Further, the code does not crash on iOS 9, just iOS 10.2, as well as the 10.3 betas
Solution
Sorry guys, after a whole lot of swearing, a bruised toe, and a lot less hair, and 24 hours later, I found the culprit. Im using iZettle, a payment device, and as soon as the libraries was added to the project, it crashed. The guys over at iZettle admitted they had an extension on NSDictionary
#interface NSDictionary (Fractionized)
- (NSDate *)dateForKey:(id)aKey;
#end
This one collides with an extension in HomeKit, so thats the reason for the problem. The result is they have to add a prefix to their extension and compile the libraries again.
While a symbolicated stack trace would help, there is one symbol in your logs that may provide a useful hint: something is trying to ask an NSDate for length. In my experience, this happens when a library expects something to be an NSString and it's about to parse it or print it or what have you.
Perhaps you know where NSDates are being used. It will also help to know if the crash is on the same thread that is executing your above code. Given that you are experiencing a slight delay, it's hard to say if it is related to that code at all! Perhaps elsewhere in your app, you are responding to the device itself giving you a status update, and maybe printing a value that you think is a string but is really a date?

UIWebview: WebThread EXC_BAD_ACCESS

I have a completely simple app: Show a web view with http://tv2.dk
I'am using a storyboard, added the web view and set a property on my controller. To keep things simple i'am not setting a delegate.
In viewDidLoad i call the web view with the url i want to load
[self.webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:#"http://tv2.dk"]]];
Each time the app starts up it crashes due to some error in a web thread worker, see this dump.
libobjc.A.dylib`objc_msgSend:
0x1954f7bc0: cmp x0, #0
0x1954f7bc4: b.le 0x1954f7c30 ; objc_msgSend + 112
0x1954f7bc8: ldr x13, [x0]
0x1954f7bcc: and x9, x13, #0x1fffffff8
0x1954f7bd0: ldp x10, x11, [x9, #16]
0x1954f7bd4: and w12, w1, w11
0x1954f7bd8: add x12, x10, x12, lsl #4
0x1954f7bdc: ldp x16, x17, [x12]
0x1954f7be0: cmp x16, x1
0x1954f7be4: b.ne 0x1954f7bec ; objc_msgSend + 44
0x1954f7be8: br x17
0x1954f7bec: cbz x16, 0x1954f7d80 ; _objc_msgSend_uncached_impcache
0x1954f7bf0: cmp x12, x10
0x1954f7bf4: b.eq 0x1954f7c00 ; objc_msgSend + 64
0x1954f7bf8: ldp x16, x17, [x12, #-16]!
0x1954f7bfc: b 0x1954f7be0 ; objc_msgSend + 32
0x1954f7c00: add x12, x12, w11, uxtw #4
0x1954f7c04: ldp x16, x17, [x12]
0x1954f7c08: cmp x16, x1
0x1954f7c0c: b.ne 0x1954f7c14 ; objc_msgSend + 84
0x1954f7c10: br x17
0x1954f7c14: cbz x16, 0x1954f7d80 ; _objc_msgSend_uncached_impcache
0x1954f7c18: cmp x12, x10
0x1954f7c1c: b.eq 0x1954f7c28 ; objc_msgSend + 104
0x1954f7c20: ldp x16, x17, [x12, #-16]!
0x1954f7c24: b 0x1954f7c08 ; objc_msgSend + 72
0x1954f7c28: mov x2, x9
0x1954f7c2c: b 0x1954e1e70 ; objc_msgSend_corrupt_cache_error
0x1954f7c30: b.eq 0x1954f7c48 ; objc_msgSend + 136
0x1954f7c34: adrp x10, 18278
0x1954f7c38: add x10, x10, #1904
0x1954f7c3c: lsr x11, x0, #60
0x1954f7c40: ldr x9, [x10, x11, lsl #3]
0x1954f7c44: b 0x1954f7bd0 ; objc_msgSend + 16
0x1954f7c48: movz x1, #0
0x1954f7c4c: movi d0, #0000000000000000
0x1954f7c50: movi d1, #0000000000000000
0x1954f7c54: movi d2, #0000000000000000
0x1954f7c58: movi d3, #0000000000000000
0x1954f7c5c: ret
Offending line
0x1954f7bd0: ldp x10, x11, [x9, #16]
Check out the full source code here: https://bitbucket.org/styrken/ios-webview-crash
I have tried running this code on multiple devices etc, crashes on them all.
From #RasmusStyrk 's comment above
I have found out that with using NSZombie's, i got the following crash
message: WebviewCrash[4598:956679] *** -[UIViewAnimationState
release]: message sent to deallocated instance 0x1707c5370. To fix
this i had to turn off animations in UIVIew using [UIView
setAnimationsEnabled:NO]; and now it works. It seems like a bug in
iOS8. –
We also had this where it would randomly crash, and setting [UIView setAnimationsEnabled:NO] is the only thing that has worked to completely alleviate this issue!
Thread EXC_BAD_ACCESS says it all.
UIWebView likes to be called from the main thread. Try putting your code as follows:
dispatch_async(dispatch_get_main_queue(), ^{
//send webview a message
[self.webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:#"http://tv2.dk"]]];
});
In my case, I made the silly mistake to forget adding the WKWebView to the view hierarchy prior to loading a resource.

Bare metal assembly - data not initialized

I wrote some very simple code, aimed to work on bare metal RaspberryPi. My code consists of gpio.s (with function "flash", which turns LED on and off) and main.s, shown below.
.section .init
.globl _start
_start:
mov sp, $0x8000
b main
.section .text
.globl main
main:
ldr r5, =variable
ldr r4, [r5]
cmp r4, $100
bleq flash
loop:
b loop
.section .data
.align 4
.globl variable
variable:
.word 100
So r4 should be filled with 100 => condition flag should be eq => LED should flash! But it does not. Why?
Apart from that example, function "flash" works, as well as in the case of adding these lines after "ldr r5, =variable":
mov r1, $100
str r1, [r5]
So it seems like memory is accessible, but doesn't get initialized. I would be grateful for your explanations.
Disassembly:
./build/output.elf: file format elf32-littlearm
Disassembly of section .init:
00000000 <_start>:
0: e3a0d902 mov sp, #32768 ; 0x8000
4: ea00205c b 817c <main>
Disassembly of section .text:
00008000 <getGpioAddr>:
8000: e59f0170 ldr r0, [pc, #368] ; 8178 <flash2+0x14>
8004: e1a0f00e mov pc, lr
00008008 <setGpioFunct>:
8008: e3500035 cmp r0, #53 ; 0x35
800c: 93510007 cmpls r1, #7 ; 0x7
8010: 83a00001 movhi r0, #1 ; 0x1
8014: 81a0f00e movhi pc, lr
8018: e92d0030 push {r4, r5}
801c: e1a02001 mov r2, r1
8020: e1a01000 mov r1, r0
8024: e92d4000 push {lr}
8028: ebfffff4 bl 8000 <getGpioAddr>
802c: e8bd4000 pop {lr}
8030: e3a04000 mov r4, #0 ; 0x0
00008034 <subTen>:
8034: e351000a cmp r1, #10 ; 0xa
8038: 2241100a subcs r1, r1, #10 ; 0xa
803c: 22844001 addcs r4, r4, #1 ; 0x1
8040: 2afffffb bcs 8034 <subTen>
8044: e3a05004 mov r5, #4 ; 0x4
8048: e0030594 mul r3, r4, r5
804c: e0800003 add r0, r0, r3
8050: e3a05003 mov r5, #3 ; 0x3
8054: e0030591 mul r3, r1, r5
8058: e1a02312 lsl r2, r2, r3
805c: e3e0430e mvn r4, #939524096 ; 0x38000000
8060: e3a05009 mov r5, #9 ; 0x9
8064: e0451001 sub r1, r5, r1
8068: e3a05003 mov r5, #3 ; 0x3
806c: e0030591 mul r3, r1, r5
8070: e1a04374 ror r4, r4, r3
8074: e5905000 ldr r5, [r0]
8078: e0055004 and r5, r5, r4
807c: e1855002 orr r5, r5, r2
8080: e5805000 str r5, [r0]
8084: e8bd0030 pop {r4, r5}
8088: e3a00000 mov r0, #0 ; 0x0
808c: e1a0f00e mov pc, lr
00008090 <setPin>:
8090: e3500035 cmp r0, #53 ; 0x35
8094: 83a00001 movhi r0, #1 ; 0x1
8098: 81a0f00e movhi pc, lr
809c: e92d0020 push {r5}
80a0: e3500020 cmp r0, #32 ; 0x20
80a4: 22401020 subcs r1, r0, #32 ; 0x20
80a8: 31a01000 movcc r1, r0
80ac: 23a02020 movcs r2, #32 ; 0x20
80b0: 33a0201c movcc r2, #28 ; 0x1c
80b4: e92d4000 push {lr}
80b8: ebffffd0 bl 8000 <getGpioAddr>
80bc: e8bd4000 pop {lr}
80c0: e3a05001 mov r5, #1 ; 0x1
80c4: e1a05115 lsl r5, r5, r1
80c8: e7805002 str r5, [r0, r2]
80cc: e3a00000 mov r0, #0 ; 0x0
80d0: e8bd0020 pop {r5}
80d4: e1a0f00e mov pc, lr
000080d8 <clearPin>:
80d8: e3500035 cmp r0, #53 ; 0x35
80dc: 83a00001 movhi r0, #1 ; 0x1
80e0: 81a0f00e movhi pc, lr
80e4: e92d0020 push {r5}
80e8: e3500020 cmp r0, #32 ; 0x20
80ec: 22401020 subcs r1, r0, #32 ; 0x20
80f0: 31a01000 movcc r1, r0
80f4: 23a0202c movcs r2, #44 ; 0x2c
80f8: 33a02028 movcc r2, #40 ; 0x28
80fc: e92d4000 push {lr}
8100: ebffffbe bl 8000 <getGpioAddr>
8104: e8bd4000 pop {lr}
8108: e3a05001 mov r5, #1 ; 0x1
810c: e1a05115 lsl r5, r5, r1
8110: e7805002 str r5, [r0, r2]
8114: e3a00000 mov r0, #0 ; 0x0
8118: e8bd0020 pop {r5}
811c: e1a0f00e mov pc, lr
00008120 <flash>:
8120: e92d4013 push {r0, r1, r4, lr}
8124: e3a00010 mov r0, #16 ; 0x10
8128: e3a01001 mov r1, #1 ; 0x1
812c: ebffffb5 bl 8008 <setGpioFunct>
8130: e3a00010 mov r0, #16 ; 0x10
8134: ebffffe7 bl 80d8 <clearPin>
8138: eb000004 bl 8150 <wait>
813c: e3a00010 mov r0, #16 ; 0x10
8140: ebffffd2 bl 8090 <setPin>
8144: eb000001 bl 8150 <wait>
8148: e8bd4013 pop {r0, r1, r4, lr}
814c: e1a0f00e mov pc, lr
00008150 <wait>:
8150: e3a0583f mov r5, #4128768 ; 0x3f0000
00008154 <loop>:
8154: e2455001 sub r5, r5, #1 ; 0x1
8158: e3550000 cmp r5, #0 ; 0x0
815c: 1afffffc bne 8154 <loop>
8160: e1a0f00e mov pc, lr
00008164 <flash2>:
8164: e92d4000 push {lr}
8168: ebffffec bl 8120 <flash>
816c: ebffffeb bl 8120 <flash>
8170: e8bd4000 pop {lr}
8174: e1a0f00e mov pc, lr
8178: 20200000 .word 0x20200000
0000817c <main>:
817c: e59f500c ldr r5, [pc, #12] ; 8190 <loop+0x4>
8180: e5954000 ldr r4, [r5]
8184: e3540064 cmp r4, #100 ; 0x64
8188: 0bffffe4 bleq 8120 <flash>
0000818c <loop>:
818c: eafffffe b 818c <loop>
8190: 00008194 .word 0x00008194
Disassembly of section .data:
00008194 <variable>:
8194: 00000064 .word 0x00000064
Linker scripts, makefile etc. taken from: http://www.cl.cam.ac.uk/projects/raspberrypi/tutorials/os/ok01.html
from your link (you should not ask questions here using links, put the code in the question)
0000817c <main>:
817c: e59f500c ldr r5, [pc, #12] ; 8190 <loop+0x4>
8180: e3a01064 mov r1, #100 ; 0x64
8184: e3540064 cmp r4, #100 ; 0x64
8188: 0bffffe4 bleq 8120 <flash>
0000818c <loop>:
818c: eafffffe b 818c <loop>
8190: 000081a0 .word 0x000081a0
Disassembly of section .data:
000081a0 <variable>:
81a0: 00000064 .word 0x00000064
...
you are moving r1 a 100 but comparing r4 which has not been initialized at least in this code, so that is unpredictable what will happen. if you replace that with a mov r4,[r5] it should work as desired as r5 is getting the address of the word that contains the #100 and then you read from that address into r4.
I assume you have verified that if you simply bl flash it works (not a conditional but always go there) as desired?
In this bare metal mode you definitely have access to read/write memory, no worries there.
David
Memory is normally initialized as part of the C runtime code. If you are writing bare-metal assembly without including the functionality of the C runtime then your variables in RAM will not be initialized. You need to explicitly initialize the value of variable in your own code.
Finally found out! Really subtle, and it's not my fault indeed. I had taken the makefile and linker script from Alex Chadwick tutorial, and the linker script looked like that:
SECTIONS {
/*
* First and formost we need the .init section, containing the IVT.
*/
.init 0x0000 : {
*(.init)
}
/*
* We allow room for the ATAGs and the stack and then start our code at
* 0x8000.
*/
.text 0x8000 : {
*(.text)
}
/*
* Next we put the data.
*/
.data : {
*(.data)
}
/*
* Finally comes everything else. A fun trick here is to put all other
* sections into this section, which will be discarded by default.
*/
/DISCARD/ : {
*(*)
}
}
.init section was based at 0x0000, and then the .text started at 0x8000. But actually, kernel.img is loaded at address 0x8000 by Pi (real address of .init was 0x8000), so: whole .text section (as well as the following sections) were shifted - due to that fact, addresses of labels were misassumed at the assembling-linking time. Only pc-relative addressing could work, as PC was set correctly. The solution is to start the image at 0x8000:
SECTIONS {
/*
* First and formost we need the .init section, containing the IVT.
*/
.init 0x8000 : {
*(.init)
}
.text : {
*(.text)
}
/*
* Next we put the data.
*/
.data : {
*(.data)
}
/*
* Finally comes everything else. A fun trick here is to put all other
* sections into this section, which will be discarded by default.
*/
/DISCARD/ : {
*(*)
}
}
I've just checked the template on his website and it's corrected now, so there is no point contacting him. I must have downloaded template before this correction. Thank you guys for your attempts.

Resources