Related
This is a follow on to this question. In this routine,
func tableView(_ tableView: UITableView, didSelectRowAt indexPath: IndexPath) {
Tracker.track("getting row \(indexPath.row)")
let ptv = tableView as? NovilloTableView
if ptv!.uiType == .textTable {
let gp = Projects.currentProject?.getPaths(type: PaletteView.getCurrentPane())
GitPaths.currentGitPath = gp![indexPath.row]
// NotificationCenter.default.post(name: NNames.updateWebText.nn(), object: nil)
return
}
let svgs = Projects.currentProject!.getPaths(type : PaletteView.getCurrentPane())
var gitPath = svgs[indexPath.row]
Tracker.track("gitpath is \(gitPath)")
var gitPaths = GitPaths.getMediaBoundingBoxes(paths: [gitPath])
guard let pathArrays = gitPath.parseForRegBeziers() else { return }
let rslt = pathArrays.0
let regBeziers = pathArrays.1
gitPath.boundingBox = gitPath.getBoundsParamsForPaths(src: regBeziers.isEmpty ? rslt : regBeziers)
GitPaths.currentGitPath = gitPath
// Tracker.track("sending notification")
NotificationCenter.default.post(name: NNames.updateMedia.nn(), object: nil, userInfo: ["path" : gitPath])
Tracker.track("completed didSelect")
return
}
…the main thread logical path I'm following is the one that ends at the bottom withTracker.track("completed didSelect"). I'm getting a crash if I execute the notification call, that throws this information:
libobjc.A.dylib`objc_msgSend:
0x18002ec00 <+0>: cmp x0, #0x0
0x18002ec04 <+4>: b.le 0x18002ec6c ; <+108>
0x18002ec08 <+8>: ldr x14, [x0]
0x18002ec0c <+12>: and x16, x14, #0x7ffffffffffff8
0x18002ec10 <+16>: mov x15, x16
-> 0x18002ec14 <+20>: ldr x10, [x16, #0x10]
0x18002ec18 <+24>: lsr x11, x10, #48
0x18002ec1c <+28>: and x10, x10, #0xffffffffffff
0x18002ec20 <+32>: and w12, w1, w11
0x18002ec24 <+36>: add x13, x10, x12, lsl #4
0x18002ec28 <+40>: ldp x17, x9, [x13], #-0x10
0x18002ec2c <+44>: cmp x9, x1
0x18002ec30 <+48>: b.ne 0x18002ec3c ; <+60>
0x18002ec34 <+52>: eor x17, x17, x16
0x18002ec38 <+56>: br x17
0x18002ec3c <+60>: cbz x9, 0x18002eea0 ; _objc_msgSend_uncached
0x18002ec40 <+64>: cmp x13, x10
0x18002ec44 <+68>: b.hs 0x18002ec28 ; <+40>
0x18002ec48 <+72>: add x13, x10, w11, uxtw #4
0x18002ec4c <+76>: add x12, x10, x12, lsl #4
0x18002ec50 <+80>: ldp x17, x9, [x13], #-0x10
0x18002ec54 <+84>: cmp x9, x1
0x18002ec58 <+88>: b.eq 0x18002ec34 ; <+52>
0x18002ec5c <+92>: cmp x9, #0x0
0x18002ec60 <+96>: ccmp x13, x12, #0x0, ne
0x18002ec64 <+100>: b.hi 0x18002ec50 ; <+80>
0x18002ec68 <+104>: b 0x18002eea0 ; _objc_msgSend_uncached
0x18002ec6c <+108>: b.eq 0x18002ec90 ; <+144>
0x18002ec70 <+112>: and x10, x0, #0x7
0x18002ec74 <+116>: asr x11, x0, #55
0x18002ec78 <+120>: cmp x10, #0x7
0x18002ec7c <+124>: csel x12, x11, x10, eq
0x18002ec80 <+128>: adrp x10, 232550
0x18002ec84 <+132>: add x10, x10, #0xa00 ; objc_debug_taggedpointer_classes
0x18002ec88 <+136>: ldr x16, [x10, x12, lsl #3]
0x18002ec8c <+140>: b 0x18002ec10 ; <+16>
0x18002ec90 <+144>: mov x1, #0x0
0x18002ec94 <+148>: movi d0, #0000000000000000
0x18002ec98 <+152>: movi d1, #0000000000000000
0x18002ec9c <+156>: movi d2, #0000000000000000
0x18002eca0 <+160>: movi d3, #0000000000000000
0x18002eca4 <+164>: ret
0x18002eca8 <+168>: nop
0x18002ecac <+172>: nop
0x18002ecb0 <+176>: nop
0x18002ecb4 <+180>: nop
0x18002ecb8 <+184>: nop
0x18002ecbc <+188>: nop
According to another post in Stackoverflow, that message has come up when functions that need to be visible to Objective-C aren't marked with #objc, but as you can see, this one is (below).
This wasn't happening at first, and I'm not sure why, but the function called by the Notification is this:
#objc func updateMedia(notification : Notification) {
let path = (notification.userInfo?["path"] ?? GitPaths.currentGitPath!) as? GitPaths
Tracker.track("sublayers: \(mediaDisplay!.layer.sublayers == nil)")
mediaDisplay!.layer.sublayers = nil
mediaDisplay!.mask = nil
// Tracker.track("render beziers for \(path)")
// path!.renderBeziers(tgt: mediaDisplay!, path : path) //, data:["style" : "media"])
// refreshMediaInfo()
// updateSelectedMedia( src : GitPaths.currentGitPath! )
// return
}
I've commented most lines out to see where the crash can be induced, and it's the line mediaDisplay!.layer.sublayers = nil. If I comment this line out, the function executes correctly; if I include it, it will crash, but not as that line executes; the whole function will return, and the crash happens at the end of the function that called the Notification in the first place, which is the one at the top of this post. Tracker.track() is just a way to print messages in a formatted way, and isn't a contributor to this; so basically, after the Notification returns, nothing else happens; if I step through, it gets to the final bracket of the function, before returning control the the user.
I've checked that the object mediaDisplay exists, and it does because it's actually doing what is being asked; when not commented out, the line path!.renderBeziers(tgt: mediaDisplay!, path : path) , uncommented is drawing a bunch of Bezier paths into that view, which as this screenshot taken after the crash shows it does successfully. In other words, the line that causes the crash doesn't stop all the other code that's behind path!.renderBeziers(tgt: mediaDisplay!, path : path) from doing its job, when I uncomment those and run the same thing. The table in the palette is the object that initiates all this, btw.
The view has a big question mark hanging over it; it is a subclass of a WKWebView, which is the big change here. I'm using it here as for regular UIView capability, of acting as a container for a bunch of CAShapeLayers. This is working exactly as it was before, when it was a UIView.
The reason for the change is that I want to be able to display html content in the same view as the CAShapeLayers, as a way of having html interleaved between different drawn elements on the screen; think of text with the dark purple shape behind it and the lighter one in front. In this, I'm following a question I asked which was answered here.
In any case, referring to the container in the next line, where the mask is set to nil does not cause the crash; so it seems to have to do with the layer of the WKWebView, and the sublayers of it. They exist, and I've checked that, but setting them to nil seems to blow this up, in this weird way.
I'm sure I'm missing something; I haven't used WebViews before, so I'm expecting that maybe that's the issue; but it's not intuitive to me what could be going wrong, and I've tried multiple strategies for debugging this. The one that has gotten me the closest to pinpointing the problem is what I've shown here, where I can locate it in the one line; but it seems pretty unproblematic to me...am I missing something obvious?
Thanks in advance for your ideas and insights.
It would appear that #Larme was on the right track: I eventually traced it to the line where the view's layer's sublayers were set to nil. This was the problem. Iterating through the sublayers if present and removing them individually from the parent layer caused the crash to disappear.
The same problem cropped up in a second view, also a WKWebView, where applying the same solution caused a similar crash. In both cases, the error message was entirely unhelpful. In the second case, I simply commented out all the code related to sublayer, and things worked fine. I suspect that this might cause problems at a later stage when I need to update the view with other sublayer information, but I am not in a situation to test that right now.
I'm travelling right now without access to my original project, so sorry for no code to show; but the basic iteration through the layer's sublayers should not be too hard to work out.
I am currently working on an iOS Jailbreak for iOS 13.7.
As part of the jailbreak, I need to do a series of patches to the XNU Kernel live in the memory.
Of course, the kernel is protected by kASLR, KPP / KTRR, and other memory watchdogs that would trigger a Kernel Panic if something is modified.
As luck would have it, KTRR (Kernel Text Ready Only Region) can only protect, well, static data that is not supposed to change (i.e. the TEXT section and constants). The variables can still be altered.
I am building a PatchFinder which is supposed to locate a function or a variable in the XNU memory based on tell-tale symbols and I am wondering what would be the most effective approach for this.
I am currently adapting on top of the PatchFinder made publicly available back in the iOS 8 era by in7egal which looks like this:
uint32_t find_cs_enforcement_disable_amfi(uint32_t region, uint8_t* kdata, size_t ksize)
{
// Find a function referencing cs_enforcement_disable_amfi
const uint8_t search_function[] = {0x20, 0x68, 0x40, 0xF4, 0x40, 0x70, 0x20, 0x60, 0x00, 0x20, 0x90, 0xBD};
uint8_t* ptr = memmem(kdata, ksize, search_function, sizeof(search_function));
if(!ptr)
return 0;
// Only LDRB in there should try to dereference cs_enforcement_disable_amfi
uint16_t* ldrb = find_last_insn_matching(region, kdata, ksize, (uint16_t*) ptr, insn_is_ldrb_imm);
if(!ldrb)
return 0;
// Weird, not the right one.
if(insn_ldrb_imm_imm(ldrb) != 0 || insn_ldrb_imm_rt(ldrb) > 12)
return 0;
// See what address that LDRB is dereferencing
return find_pc_rel_value(region, kdata, ksize, ldrb, insn_ldrb_imm_rn(ldrb));
}
I wonder if there is any faster way or a more reliable way to locate the cs_enforcement_disable_amfi.
Once found by the PatchFinder in the XNU Kernel memory, it's used like this:
uint32_t cs_enforcement_disable_amfi = find_cs_enforcement_disable_amfi(kernel_base, kdata, ksize);
printf("cs_enforcement_disable_amfi is at=0x%08x\n",cs_enforcement_disable_amfi);
if (cs_enforcement_disable_amfi){
char patch[] ="\x00\xbf\x00\xbf\x00\xbf\x00\xbf\x00\xbf";
kern_return_t kernret = vm_write(proccessTask, cs_enforcement_disable_amfi+kernel_base, patch, sizeof(patch)-1);
if (kernret == KERN_SUCCESS){
printf("Successfully patched cs_enforcement_disable_amfi\n");
}
}
So the PatchFinder has to be able to reliably return the pointer to cs_enforcement_disable_amfi otherwise I am blindly writing to an invalid (or valid but different) address which almost certainly will trigger memory corruption.
The current code does return a valid pointer to cs_enforcement_disable_amfi most of the time, but randomly panics the kernel about 10-15% of the time which means the address it returns 10-15% of the time is invalid. Not sure how to make it more reliable.
The variable you're looking for doesn't exist anymore.
The bytes in your first snippet make up Thumb instructions, which find this function in AMFI in a 32bit kernelcache:
0x8074ad04 90b5 push {r4, r7, lr}
0x8074ad06 01af add r7, sp, 4
0x8074ad08 0d48 ldr r0, [0x8074ad40]
0x8074ad0a 7844 add r0, pc
0x8074ad0c 0078 ldrb r0, [r0]
0x8074ad0e 0128 cmp r0, 1
0x8074ad10 03d1 bne 0x8074ad1a
0x8074ad12 0020 movs r0, 0
0x8074ad14 00f04efa bl 0x8074b1b4
0x8074ad18 30b9 cbnz r0, 0x8074ad28
0x8074ad1a 7c69 ldr r4, [r7, 0x14]
0x8074ad1c 002c cmp r4, 0
0x8074ad1e 05d0 beq 0x8074ad2c
0x8074ad20 2068 ldr r0, [r4]
0x8074ad22 40f44070 orr r0, r0, 0x300
0x8074ad26 2060 str r0, [r4]
0x8074ad28 0020 movs r0, 0
0x8074ad2a 90bd pop {r4, r7, pc}
Given the magic constant 0x300 and the fact that AMFI's __TEXT_EXEC segment is quite small, we can easily find this in other kernels, including 64bit ones.
This is what it looks like on an iPhone 5s on 8.4:
0xffffff800268d2e4 f44fbea9 stp x20, x19, [sp, -0x20]!
0xffffff800268d2e8 fd7b01a9 stp x29, x30, [sp, 0x10]
0xffffff800268d2ec fd430091 add x29, sp, 0x10
0xffffff800268d2f0 f30307aa mov x19, x7
0xffffff800268d2f4 e8fc1110 adr x8, section.com.apple.driver.AppleMobileFileIntegrity.10.__DATA.__bss
0xffffff800268d2f8 1f2003d5 nop
0xffffff800268d2fc 08054039 ldrb w8, [x8, 1]
0xffffff800268d300 a8000037 tbnz w8, 0, 0xffffff800268d314
0xffffff800268d304 130100b4 cbz x19, 0xffffff800268d324
0xffffff800268d308 680240b9 ldr w8, [x19]
0xffffff800268d30c 08051832 orr w8, w8, 0x300
0xffffff800268d310 680200b9 str w8, [x19]
0xffffff800268d314 00008052 mov w0, 0
0xffffff800268d318 fd7b41a9 ldp x29, x30, [sp, 0x10]
0xffffff800268d31c f44fc2a8 ldp x20, x19, [sp], 0x20
0xffffff800268d320 c0035fd6 ret
But by the time of iOS 11, the variable is gone:
0xfffffff006245d84 f44fbea9 stp x20, x19, [sp, -0x20]!
0xfffffff006245d88 fd7b01a9 stp x29, x30, [sp, 0x10]
0xfffffff006245d8c fd430091 add x29, sp, 0x10
0xfffffff006245d90 f30307aa mov x19, x7
0xfffffff006245d94 130100b4 cbz x19, 0xfffffff006245db4
0xfffffff006245d98 680240b9 ldr w8, [x19]
0xfffffff006245d9c 08051832 orr w8, w8, 0x300
0xfffffff006245da0 680200b9 str w8, [x19]
0xfffffff006245da4 00008052 mov w0, 0
0xfffffff006245da8 fd7b41a9 ldp x29, x30, [sp, 0x10]
0xfffffff006245dac f44fc2a8 ldp x20, x19, [sp], 0x20
0xfffffff006245db0 c0035fd6 ret
Looking at iOS 12.0b1, we can learn the signature of that function:
_vnode_check_exec(ucred*, vnode*, vnode*, label*, label*, label*, componentname*, unsigned int*, void*, unsigned long)
So yeah, finding this function is really easy:
Find AMFI's __TEXT_EXEC segment.
Find an orr wN, wN, 0x300 in it.
But that won't help you unless you defeat kernel integrity.
tl;dr - The code in the question is correct. Reason for crash at another party.
The challenge is to control an Elgato Eve Energy HomeKit enabled outlet.
Up til where the code starts, everything is working OK, so the correct room, accessory and so on is selected. The code does turn off the outlet, but right afterwards the app crashes.
guard let services = accessory?.services else {
print("No Service")
return
}
for service in services {
if service.serviceType == HMServiceTypeOutlet {
for characteristic in service.characteristics {
print(characteristic.characteristicType)
if characteristic.characteristicType == HMCharacteristicTypePowerState {
print(characteristic.metadata!)
dump(characteristic)
// Turning off the outlet
characteristic.writeValue(false, completionHandler: { (error: Error?) -> Void in
if error == nil {
print("Yep")
} else {
print("Nop")
}
})
}
}
}
}
Log
00000023-0000-1000-8000-0026BB765291
00000025-0000-1000-8000-0026BB765291
[%# Format: bool, Manufacturer Description: Power State ]
- <HMCharacteristic: 0x1702c23e0> #0
- super: NSObject
00000026-0000-1000-8000-0026BB765291
E863F10A-079E-48FF-8F27-9C2605A29F52
E863F126-079E-48FF-8F27-9C2605A29F52
E863F10D-079E-48FF-8F27-9C2605A29F52
E863F10C-079E-48FF-8F27-9C2605A29F52
2017-02-07 23:19:59.725340 POS[499:100178] -[__NSDate length]: unrecognized selector sent to instance 0x170007710
2017-02-07 23:19:59.725767 POS[499:100178] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[__NSDate length]: unrecognized selector sent to instance 0x170007710'
*** First throw call stack:
(0x188a291b8 0x18746055c 0x188a30268 0x188a2d270 0x18892680c 0x1895be458 0x1895be350 0x1895be698 0x1006328f8 0x1a249ac8c 0x199674f34 0x19966c588 0x1a249d194 0x101951258 0x101951218 0x10195eaec 0x101954ce0 0x10195f088 0x101960e2c 0x101960b78 0x187abb2a0 0x187abad8c)
libc++abi.dylib: terminating with uncaught exception of type NSException
Sym
2017-02-08 10:17:47.804825 POS[602:171994] -[__NSDate length]: unrecognized selector sent to instance 0x1740169c0
iZettlePayments`-[NSDictionary(Fractionized) dateForKey:]:
0x100973d88 <+0>: stp x22, x21, [sp, #-48]!
0x100973d8c <+4>: stp x20, x19, [sp, #16]
0x100973d90 <+8>: stp x29, x30, [sp, #32]
0x100973d94 <+12>: add x29, sp, #32 ; =32
0x100973d98 <+16>: mov x19, x0
0x100973d9c <+20>: nop
0x100973da0 <+24>: ldr x20, #861056 ; (void *)0x00000001ad8966b8: NSDateFormatter
0x100973da4 <+28>: nop
0x100973da8 <+32>: ldr x21, #851248 ; "izDateFormatterUsingISO8601"
0x100973dac <+36>: mov x0, x2
0x100973db0 <+40>: bl 0x1009e9b54 ; symbol stub for: objc_retain
0x100973db4 <+44>: mov x22, x0
0x100973db8 <+48>: mov x0, x20
0x100973dbc <+52>: mov x1, x21
0x100973dc0 <+56>: bl 0x1009e9b30 ; symbol stub for: objc_msgSend
0x100973dc4 <+60>: mov x29, x29
0x100973dc8 <+64>: bl 0x1009e9b78 ; symbol stub for: objc_retainAutoreleasedReturnValue
0x100973dcc <+68>: mov x20, x0
0x100973dd0 <+72>: nop
0x100973dd4 <+76>: ldr x1, #849044 ; "valueForKey:"
0x100973dd8 <+80>: mov x0, x19
0x100973ddc <+84>: mov x2, x22
0x100973de0 <+88>: bl 0x1009e9b30 ; symbol stub for: objc_msgSend
0x100973de4 <+92>: mov x19, x0
0x100973de8 <+96>: mov x0, x22
0x100973dec <+100>: bl 0x1009e9b48 ; symbol stub for: objc_release
0x100973df0 <+104>: mov x0, x19
0x100973df4 <+108>: bl 0x1009e9b78 ; symbol stub for: objc_retainAutoreleasedReturnValue
0x100973df8 <+112>: mov x19, x0
0x100973dfc <+116>: nop
0x100973e00 <+120>: ldr x1, #851168 ; "dateFromString:"
0x100973e04 <+124>: mov x0, x20
0x100973e08 <+128>: mov x2, x19
0x100973e0c <+132>: bl 0x1009e9b30 ; symbol stub for: objc_msgSend
0x100973e10 <+136>: mov x29, x29
0x100973e14 <+140>: bl 0x1009e9b78 ; symbol stub for: objc_retainAutoreleasedReturnValue
0x100973e18 <+144>: mov x21, x0
0x100973e1c <+148>: mov x0, x19
0x100973e20 <+152>: bl 0x1009e9b48 ; symbol stub for: objc_release
0x100973e24 <+156>: mov x0, x20
0x100973e28 <+160>: bl 0x1009e9b48 ; symbol stub for: objc_release
0x100973e2c <+164>: mov x0, x21
0x100973e30 <+168>: ldp x29, x30, [sp, #32]
0x100973e34 <+172>: ldp x20, x19, [sp, #16]
0x100973e38 <+176>: ldp x22, x21, [sp], #48
0x100973e3c <+180>: b 0x1009e9ac4 ; symbol stub for: objc_autoreleaseReturnValue
Browsing the Elgato Eve services and characteristics, shows the first characteristic in the array is the one holding the name, and the second one is the one I need to manipulate. The printed metadata shows its a bool, and confirms its the Power State, and its both readable and writable, as described in the table linked to before.
Since I write a false to the correct characteristic, the outlet turns off, but a couple of seconds later, the app crashes. I have removed any observers and delegate methods that could interfere. This really baffles me.
Further, the code does not crash on iOS 9, just iOS 10.2, as well as the 10.3 betas
Solution
Sorry guys, after a whole lot of swearing, a bruised toe, and a lot less hair, and 24 hours later, I found the culprit. Im using iZettle, a payment device, and as soon as the libraries was added to the project, it crashed. The guys over at iZettle admitted they had an extension on NSDictionary
#interface NSDictionary (Fractionized)
- (NSDate *)dateForKey:(id)aKey;
#end
This one collides with an extension in HomeKit, so thats the reason for the problem. The result is they have to add a prefix to their extension and compile the libraries again.
While a symbolicated stack trace would help, there is one symbol in your logs that may provide a useful hint: something is trying to ask an NSDate for length. In my experience, this happens when a library expects something to be an NSString and it's about to parse it or print it or what have you.
Perhaps you know where NSDates are being used. It will also help to know if the crash is on the same thread that is executing your above code. Given that you are experiencing a slight delay, it's hard to say if it is related to that code at all! Perhaps elsewhere in your app, you are responding to the device itself giving you a status update, and maybe printing a value that you think is a string but is really a date?
I am getting this exception thrown at a certain point in the App but can't track down the cause. I assume its simply a UI call being made from a background thread but I can't find any UI calls that are not made on the main thread.
BTW all UI calls are wrapped in DispatchQueue.main.async{}, presumably I missed something but can't figure out how to track it down.
Any suggestion how to figure out what call is leading to this - there are a few background threads running concurrently as well as events from SNS and Bluetooth.
This application is modifying the autolayout engine from a background thread after the engine was accessed from the main thread. This can lead to engine corruption and weird crashes.
Stack:(
0 CoreFoundation 0x000000018fc8e1d8 <redacted> + 148
1 libobjc.A.dylib 0x000000018e6c855c objc_exception_throw + 56
2 CoreFoundation 0x000000018fc8e108 <redacted> + 0
3 Foundation 0x0000000190875ea4 <redacted> + 192
4 Foundation 0x00000001906bd3fc <redacted> + 36
5 UIKit 0x0000000196434770 <redacted> + 72
6 UIKit 0x0000000195ae61e8 <redacted> + 1140
7 QuartzCore 0x0000000192fa6188 <redacted> + 148
8 QuartzCore 0x0000000192f9ae64 <redacted> + 292
9 QuartzCore 0x0000000192f9ad24 <redacted> + 32
10 QuartzCore 0x0000000192f177ec <redacted> + 252
11 QuartzCore 0x0000000192f3ec58 <redacted> + 512
12 QuartzCore 0x0000000192f3f124 <redacted> + 660
13 libsystem_pthread.dylib 0x000000018ed22fbc <redacted> + 572
14 libsystem_pthread.dylib 0x000000018ed22ce4 <redacted> + 200
15 libsystem_pthread.dylib 0x000000018ed22378 pthread_mutex_lock + 0
16 libsystem_pthread.dylib 0x000000018ed21da4 start_wqthread + 4
)
OK So I added the Breakpoint but I just get the following on thread 10 (!) I can't figure out what could be running on Thread 10 or what UI code is being called.
libobjc.A.dylib`objc_exception_throw:
-> 0x18e6c8524 <+0>: stp x28, x27, [sp, #-64]!
0x18e6c8528 <+4>: stp x22, x21, [sp, #16]
0x18e6c852c <+8>: stp x20, x19, [sp, #32]
0x18e6c8530 <+12>: stp x29, x30, [sp, #48]
0x18e6c8534 <+16>: add x29, sp, #48 ; =48
0x18e6c8538 <+20>: sub sp, sp, #4032 ; =4032
0x18e6c853c <+24>: mov x20, x0
0x18e6c8540 <+28>: orr w0, wzr, #0x20
0x18e6c8544 <+32>: bl 0x18e6b6c24 ; __cxa_allocate_exception
0x18e6c8548 <+36>: mov x19, x0
0x18e6c854c <+40>: adrp x8, 157305
0x18e6c8550 <+44>: ldr x8, [x8, #408]
0x18e6c8554 <+48>: mov x0, x20
0x18e6c8558 <+52>: blr x8
0x18e6c855c <+56>: mov x20, x0
0x18e6c8560 <+60>: adrp x8, 151285
0x18e6c8564 <+64>: ldr x1, [x8]
0x18e6c8568 <+68>: bl 0x18e6daf20 ; objc_msgSend
0x18e6c856c <+72>: str x20, [x19]
0x18e6c8570 <+76>: adrp x8, 151286
0x18e6c8574 <+80>: add x8, x8, #160 ; =160
0x18e6c8578 <+84>: add x8, x8, #16 ; =16
0x18e6c857c <+88>: mov x21, x19
0x18e6c8580 <+92>: str x8, [x21, #8]!
0x18e6c8584 <+96>: mov x0, x20
0x18e6c8588 <+100>: bl 0x18e6c681c ; object_getClassName
0x18e6c858c <+104>: str x0, [x19, #16]
0x18e6c8590 <+108>: cbnz x20, 0x18e6c859c ; <+120>
0x18e6c8594 <+112>: movz x8, #0
0x18e6c8598 <+116>: b 0x18e6c85e0 ; <+188>
0x18e6c859c <+120>: tbz x20, #63, 0x18e6c85d8 ; <+180>
0x18e6c85a0 <+124>: lsr x8, x20, #60
0x18e6c85a4 <+128>: cmp x8, #15 ; =15
0x18e6c85a8 <+132>: lsr x8, x20, #57
0x18e6c85ac <+136>: and x8, x8, #0x78
0x18e6c85b0 <+140>: adrp x9, 157305
0x18e6c85b4 <+144>: add x9, x9, #544 ; =544
0x18e6c85b8 <+148>: add x8, x9, x8
0x18e6c85bc <+152>: lsr x9, x20, #52
0x18e6c85c0 <+156>: adrp x10, 157305
0x18e6c85c4 <+160>: add x10, x10, #672 ; =672
0x18e6c85c8 <+164>: add x9, x10, w9, uxtb #3
0x18e6c85cc <+168>: csel x8, x8, x9, lo
0x18e6c85d0 <+172>: ldr x8, [x8]
0x18e6c85d4 <+176>: b 0x18e6c85e0 ; <+188>
0x18e6c85d8 <+180>: ldr x8, [x20]
0x18e6c85dc <+184>: and x8, x8, #0xffffffff8
0x18e6c85e0 <+188>: str x8, [x19, #24]
0x18e6c85e4 <+192>: adrp x22, 151466
0x18e6c85e8 <+196>: add x22, x22, #1958 ; =1958
0x18e6c85ec <+200>: ldrb w8, [x22]
0x18e6c85f0 <+204>: cbz w8, 0x18e6c8610 ; <+236>
0x18e6c85f4 <+208>: mov x0, x20
0x18e6c85f8 <+212>: bl 0x18e6c681c ; object_getClassName
0x18e6c85fc <+216>: stp x20, x0, [sp, #8]
0x18e6c8600 <+220>: str x19, [sp]
0x18e6c8604 <+224>: adrp x0, 29
0x18e6c8608 <+228>: add x0, x0, #2192 ; =2192
0x18e6c860c <+232>: bl 0x18e6c7f00 ; _objc_inform
0x18e6c8610 <+236>: adrp x8, 151466
0x18e6c8614 <+240>: add x8, x8, #1959 ; =1959
0x18e6c8618 <+244>: ldrb w8, [x8]
0x18e6c861c <+248>: cbz w8, 0x18e6c8674 ; <+336>
0x18e6c8620 <+252>: ldrb w8, [x22]
0x18e6c8624 <+256>: cbnz w8, 0x18e6c8644 ; <+288>
0x18e6c8628 <+260>: mov x0, x20
0x18e6c862c <+264>: bl 0x18e6c681c ; object_getClassName
0x18e6c8630 <+268>: stp x20, x0, [sp, #8]
0x18e6c8634 <+272>: str x19, [sp]
0x18e6c8638 <+276>: adrp x0, 29
0x18e6c863c <+280>: add x0, x0, #2192 ; =2192
0x18e6c8640 <+284>: bl 0x18e6c7f00 ; _objc_inform
0x18e6c8644 <+288>: movz w1, #0x1f4
0x18e6c8648 <+292>: add x0, sp, #32 ; =32
0x18e6c864c <+296>: bl 0x18eb7709c ; backtrace
0x18e6c8650 <+300>: mov x22, x0
0x18e6c8654 <+304>: adrp x8, 132269
0x18e6c8658 <+308>: ldr x8, [x8, #48]
0x18e6c865c <+312>: ldr x0, [x8]
0x18e6c8660 <+316>: bl 0x18eb7a548 ; fileno
0x18e6c8664 <+320>: mov x2, x0
0x18e6c8668 <+324>: add x0, sp, #32 ; =32
0x18e6c866c <+328>: mov x1, x22
0x18e6c8670 <+332>: bl 0x18eb86804 ; backtrace_symbols_fd
0x18e6c8674 <+336>: mov x0, x20
0x18e6c8678 <+340>: nop
0x18e6c867c <+344>: adrp x2, 0
0x18e6c8680 <+348>: add x2, x2, #1680 ; =1680
0x18e6c8684 <+352>: mov x0, x19
0x18e6c8688 <+356>: mov x1, x21
0x18e6c868c <+360>: bl 0x18e6e4764 ; symbol stub for: +[NSObject resolveInstanceMethod:]
EDIT:
OK I got lucky and found a notification that was not wrapped in a main thread call. Turns out it was a property changed from a background thread triggering a notification. Surprisingly difficult to find the UI Code that was being called. I must be doing something wrong.
Try implementing UI changes in main queue.
Swift 3:
OperationQueue.main.addOperation({
// Update UI
})
Did you add all exception break point? It can help.
You are right, it's due to UI modification from background. Can you add an exception breakpoint in xCode and try to determine, where is this call?
After that, you can place this call in
DispatchQueue.main.async { your call }
for swift, or gcd version for Objective C
I'll add a few steps to #mkeremkeskin's answer:
Step by step:
Go to the Breakpoint Navigator: Breakpoint Navigator
Add an Exception Breakpoint: Exception Breakpoint
Make it throw on All Exceptions
You should be able to track down the exception now.
You shouldn't do any changes related to UIKit objects in background thread. They should be done in main thread as stated by Apple in it's developer documentation.
Note
For the most part, use UIKit classes only from your app’s main thread. This is particularly true for classes derived from UIResponder or that involve manipulating your app’s user interface in any way.
If you're doing some operations in background thread and need to update UIKit elements. You can do it in the following way
dispatch_async(dispatch_get_main_queue(), ^{
});
[[NSOperationQueue mainQueue] addOperationWithBlock:^{
}];
In swift3,
DispatchQueue.main.async {
}
OperationQueue.main.addOperation {
}
For detecting where you're getting exception, you can do that using exception breakpoint. You can do that as shown in the pictures given below:
I use 2 SQLite databases: one is part of the bundle and stores static/read-only data (called Seed.sqlite), the other is created on first launch (or auto-migrated) and is used to save the user data (User.sqlite).
The persistent store managing the read-only database (Seed.sqlite) is setup with the following options:
options[NSReadOnlyPersistentStoreOption] = true
options[NSSQLitePragmasOption] = ["journal_mode": "DELETE"]
It works fine under iOS 9.x and under iOS 10 within the simulator, but it crashes when used on a device running iOS 10 (beta 4 and 8, at least).
I don't have any issue whatsoever with the User.sqlite database.
Up until now, the above configuration was making CoreData complying with the restrictions on a device (ie: bundle files can't be edited).
On iOS 10, it still seems like this is the case: when the above options are removed, temporary files are created (when ran in the simulator, since in that case the bundle is writable), and otherwise, the file is left untouched.
So it seems to behave as it did before, but it still crashes on the device.
Here's where the exception happens. There's a mention of "PFUbiquityTransactionHistoryCache writePendingEntries:". Trying to write something in the bundle might explain the crash, but I don't see why it would be called.
Calling po $arg1 from the exception returns "Can't create support directory (can't create directory)
(null)"
CoreData`developerSubmittedBlockToNSManagedObjectContextPerform:
0x189f45ad0 <+0>: stp x28, x27, [sp, #-96]!
0x189f45ad4 <+4>: stp x26, x25, [sp, #16]
0x189f45ad8 <+8>: stp x24, x23, [sp, #32]
0x189f45adc <+12>: stp x22, x21, [sp, #48]
0x189f45ae0 <+16>: stp x20, x19, [sp, #64]
0x189f45ae4 <+20>: stp x29, x30, [sp, #80]
0x189f45ae8 <+24>: add x29, sp, #80 ; =80
0x189f45aec <+28>: mov x20, x0
0x189f45af0 <+32>: ldp x21, x19, [x20]
0x189f45af4 <+36>: ldr x23, [x20, #16]
0x189f45af8 <+40>: tbz w23, #2, 0x189f45b08 ; <+56>
0x189f45afc <+44>: bl 0x186629c74 ; objc_autoreleasePoolPush
0x189f45b00 <+48>: mov x22, x0
0x189f45b04 <+52>: b 0x189f45b0c ; <+60>
0x189f45b08 <+56>: movz x22, #0
0x189f45b0c <+60>: tbz w23, #13, 0x189f45b14 ; <+68>
0x189f45b10 <+64>: dmb ish
0x189f45b14 <+68>: mrs x8, TPIDRRO_EL0
0x189f45b18 <+72>: and x26, x8, #0xfffffffffffffff8
0x189f45b1c <+76>: ldr x25, [x26, #712]
0x189f45b20 <+80>: ldr x24, [x20, #24]
0x189f45b24 <+84>: cmp x25, x19
0x189f45b28 <+88>: b.eq 0x189f45b3c ; <+108>
0x189f45b2c <+92>: cbz x24, 0x189f45b44 ; <+116>
0x189f45b30 <+96>: ldr x27, [x24, #8]
0x189f45b34 <+100>: str x19, [x24, #8]
0x189f45b38 <+104>: b 0x189f45b48 ; <+120>
0x189f45b3c <+108>: movz x27, #0
0x189f45b40 <+112>: b 0x189f45b4c ; <+124>
0x189f45b44 <+116>: movz x27, #0
0x189f45b48 <+120>: str x19, [x26, #712]
0x189f45b4c <+124>: adrp x8, 140081
0x189f45b50 <+128>: add x8, x8, #2616 ; =2616
0x189f45b54 <+132>: ldrb w8, [x8]
0x189f45b58 <+136>: cbnz w8, 0x189f45cb8 ; <+488>
0x189f45b5c <+140>: ldr x8, [x21, #16]
0x189f45b60 <+144>: mov x0, x21
0x189f45b64 <+148>: blr x8
0x189f45b68 <+152>: and x8, x23, #0x4
0x189f45b6c <+156>: tbnz w23, #12, 0x189f45b9c ; <+204>
0x189f45b70 <+160>: tbnz w23, #1, 0x189f45bf4 ; <+292>
0x189f45b74 <+164>: cbz x8, 0x189f45c24 ; <+340>
0x189f45b78 <+168>: cbz x22, 0x189f45b84 ; <+180>
0x189f45b7c <+172>: mov x0, x22
0x189f45b80 <+176>: bl 0x18a0a76ac ; symbol stub for: -[PFUbiquitySwitchboardCacheWrapper init]
0x189f45b84 <+180>: adrp x8, 134549
0x189f45b88 <+184>: ldr x1, [x8, #1568]
0x189f45b8c <+188>: movz w2, #0
0x189f45b90 <+192>: mov x0, x19
0x189f45b94 <+196>: bl 0x186622f20 ; objc_msgSend
0x189f45b98 <+200>: b 0x189f45c24 ; <+340>
0x189f45b9c <+204>: cmp x8, #0 ; =0
0x189f45ba0 <+208>: cset w8, eq
0x189f45ba4 <+212>: cbz x22, 0x189f45bb4 ; <+228>
0x189f45ba8 <+216>: tbnz w8, #0, 0x189f45bb4 ; <+228>
0x189f45bac <+220>: mov x0, x22
0x189f45bb0 <+224>: bl 0x18a0a76ac ; symbol stub for: -[PFUbiquitySwitchboardCacheWrapper init]
0x189f45bb4 <+228>: and x22, x23, #0x1000
0x189f45bb8 <+232>: tbz w23, #0, 0x189f45bcc ; <+252>
0x189f45bbc <+236>: mov x0, x21
0x189f45bc0 <+240>: bl 0x186ab6998 ; _Block_release
0x189f45bc4 <+244>: mov x0, x20
0x189f45bc8 <+248>: bl 0x18a0a71fc ; symbol stub for: -[PFUbiquityTransactionHistoryCache writePendingEntries:]
0x189f45bcc <+252>: movz w21, #0
0x189f45bd0 <+256>: cbz x22, 0x189f45c3c ; <+364>
0x189f45bd4 <+260>: cmp x25, x19
0x189f45bd8 <+264>: b.eq 0x189f45ca0 ; <+464>
0x189f45bdc <+268>: str x25, [x26, #712]
0x189f45be0 <+272>: cbz x24, 0x189f45c78 ; <+424>
0x189f45be4 <+276>: cmp x27, x19
0x189f45be8 <+280>: csel x8, xzr, x27, eq
0x189f45bec <+284>: str x8, [x24, #8]
0x189f45bf0 <+288>: b 0x189f45c78 ; <+424>
0x189f45bf4 <+292>: adrp x8, 134548
0x189f45bf8 <+296>: ldr x1, [x8, #3312]
0x189f45bfc <+300>: mov x0, x19
0x189f45c00 <+304>: bl 0x186622f20 ; objc_msgSend
0x189f45c04 <+308>: cbz x22, 0x189f45c10 ; <+320>
0x189f45c08 <+312>: mov x0, x22
0x189f45c0c <+316>: bl 0x18a0a76ac ; symbol stub for: -[PFUbiquitySwitchboardCacheWrapper init]
0x189f45c10 <+320>: adrp x8, 134549
0x189f45c14 <+324>: ldr x1, [x8, #1568]
0x189f45c18 <+328>: movz w2, #0
0x189f45c1c <+332>: mov x0, x19
0x189f45c20 <+336>: bl 0x186622f20 ; objc_msgSend
0x189f45c24 <+340>: tbnz w23, #0, 0x189f45c30 ; <+352>
0x189f45c28 <+344>: movz w21, #0
0x189f45c2c <+348>: b 0x189f45c3c ; <+364>
0x189f45c30 <+352>: mov x0, x21
0x189f45c34 <+356>: bl 0x186ab6998 ; _Block_release
0x189f45c38 <+360>: movz w21, #0
0x189f45c3c <+364>: cmp x25, x19
0x189f45c40 <+368>: b.eq 0x189f45c50 ; <+384>
0x189f45c44 <+372>: str x25, [x26, #712]
0x189f45c48 <+376>: cbz x24, 0x189f45c50 ; <+384>
0x189f45c4c <+380>: str x27, [x24, #8]
0x189f45c50 <+384>: tbnz w23, #0, 0x189f45c68 ; <+408>
0x189f45c54 <+388>: adrp x8, 134548
0x189f45c58 <+392>: ldr x1, [x8, #32]
0x189f45c5c <+396>: mov x0, x19
0x189f45c60 <+400>: bl 0x186622f20 ; objc_msgSend
0x189f45c64 <+404>: b 0x189f45c78 ; <+424>
0x189f45c68 <+408>: mov x0, x19
0x189f45c6c <+412>: bl 0x187aae3e8 ; CFRelease
0x189f45c70 <+416>: mov x0, x20
0x189f45c74 <+420>: bl 0x18a0a71fc ; symbol stub for: -[PFUbiquityTransactionHistoryCache writePendingEntries:]
0x189f45c78 <+424>: tbz w23, #13, 0x189f45c80 ; <+432>
0x189f45c7c <+428>: dmb ish
0x189f45c80 <+432>: cbnz w21, 0x189f45cdc ; <+524>
0x189f45c84 <+436>: ldp x29, x30, [sp, #80]
0x189f45c88 <+440>: ldp x20, x19, [sp, #64]
0x189f45c8c <+444>: ldp x22, x21, [sp, #48]
0x189f45c90 <+448>: ldp x24, x23, [sp, #32]
0x189f45c94 <+452>: ldp x26, x25, [sp, #16]
0x189f45c98 <+456>: ldp x28, x27, [sp], #96
0x189f45c9c <+460>: ret
0x189f45ca0 <+464>: str xzr, [x26, #712]
0x189f45ca4 <+468>: cbz x24, 0x189f45c78 ; <+424>
0x189f45ca8 <+472>: cmp x27, x25
0x189f45cac <+476>: b.ne 0x189f45c78 ; <+424>
0x189f45cb0 <+480>: str xzr, [x24, #8]
0x189f45cb4 <+484>: b 0x189f45c78 ; <+424>
0x189f45cb8 <+488>: adrp x8, 134550
0x189f45cbc <+492>: ldr x1, [x8, #2768]
0x189f45cc0 <+496>: mov x0, x19
0x189f45cc4 <+500>: bl 0x189f3ea64 ; _PFAssertSafeMultiThreadedAccess_impl
0x189f45cc8 <+504>: b 0x189f45b5c ; <+140>
0x189f45ccc <+508>: bl 0x186610720 ; objc_begin_catch
0x189f45cd0 <+512>: and x22, x23, #0x1000
0x189f45cd4 <+516>: orr w21, wzr, #0x1
0x189f45cd8 <+520>: b 0x189f45bd0 ; <+256>
0x189f45cdc <+524>: bl 0x1866106f0 ; objc_exception_rethrow
0x189f45ce0 <+528>: b 0x189f45c84 ; <+436>
0x189f45ce4 <+532>: mov x19, x0
0x189f45ce8 <+536>: b 0x189f45cf4 ; <+548>
0x189f45cec <+540>: mov x19, x0
0x189f45cf0 <+544>: tbz w21, #0, 0x189f45cf8 ; <+552>
0x189f45cf4 <+548>: bl 0x186610768 ; objc_end_catch
0x189f45cf8 <+552>: mov x0, x19
0x189f45cfc <+556>: bl 0x186ca4ed4 ; _Unwind_Resume
0x189f45d00 <+560>: bl 0x186610794 ; objc_terminate
And here's the device crash log:
0 CoreFoundation 0x187bd81c0 __exceptionPreprocess + 124
1 libobjc.A.dylib 0x18661055c objc_exception_throw + 56
2 CoreData 0x189f9ff14 -[NSSQLCore externalDataReferencesDirectory] + 992
3 CoreData 0x18a05ef44 -[NSSQLFetchRequestContext initWithRequest:context:sqlCore:] + 424
4 CoreData 0x189f9eba4 -[NSSQLCore processFetchRequest:inContext:] + 76
5 CoreData 0x189ea1510 -[NSSQLCore executeRequest:withContext:error:] + 504
6 CoreData 0x189f8183c __65-[NSPersistentStoreCoordinator executeRequest:withContext:error:]_block_invoke + 4512
7 CoreData 0x189f79f88 -[NSPersistentStoreCoordinator _routeHeavyweightBlock:] + 276
8 CoreData 0x189ea11c4 -[NSPersistentStoreCoordinator executeRequest:withContext:error:] + 408
9 CoreData 0x189e9fbec -[NSManagedObjectContext executeFetchRequest:error:] + 572
10 CoreData 0x189f50b88 -[NSManagedObjectContext(_NestedContextSupport) _parentObjectsForFetchRequest:inContext:error:] + 456
11 CoreData 0x189f51390 __82-[NSManagedObjectContext(_NestedContextSupport) executeRequest:withContext:error:]_block_invoke + 584
12 CoreData 0x189f53638 internalBlockToNSManagedObjectContextPerform + 92
13 libdispatch.dylib 0x186a611c0 _dispatch_client_callout + 16
14 libdispatch.dylib 0x186a6e860 _dispatch_barrier_sync_f_invoke + 84
15 CoreData 0x189f409a8 _perform + 232
16 CoreData 0x189f51080 -[NSManagedObjectContext(_NestedContextSupport) executeRequest:withContext:error:] + 188
17 CoreData 0x189e9fbec -[NSManagedObjectContext executeFetchRequest:error:] + 572
18 MagicalRecord 0x101b5b274 0x101b48000 + 78452
19 CoreData 0x189f45b68 developerSubmittedBlockToNSManagedObjectContextPerform + 152
20 CoreData 0x189f45a48 -[NSManagedObjectContext performBlockAndWait:] + 260
…
Edit
Re-creating the Seed database under iOS 10 doesn't solve the issue
Copying the file from the bundle into the app container (with NSFileManager) on first launch and then using that one solves the issue. But then it takes twice the space (database in the bundle + copy), it's the solution I managed to avoid up until now (at least it proves everything else works as expected)
The answer is no, you can still do that… BUT if you have a Binary Data attribute with Allows External Storage, then it will crash.
Because of that, a .Seed_SUPPORT folder with a _EXTERNAL_DATA subfolder is created, even if the models that allow external storage are not in the Seed configuration.
So to fix it:
create a .xxx_SUPPORT folder (replace xxx with the name of your sqlite file), next to your xxx.sqlite seed file
create a subfolder named _EXTERNAL_DATA inside
BONUS: create a .gitkeep file inside _EXTERNAL_DATA, so that git commits the folder
add that folder to XCode, make sure to add it with "Create folder references", not "Create Groups"
You'll probably need to see hidden files in the Finder, for that just run:
defaults write com.apple.finder AppleShowAllFiles YES
killall Finder
You can set it back to NO afterwards.