1. Dangling pointer problem [EXC_BAD_ACCESS (SIGSEGV) / KERN_INVALID_ADDRESS]

Possible zombie in call: Function: objc_releaseParam 1: 0x157f2a740 Originated at or in a subcall of unknown, cannot find symb

If you see the following crash stack, suspect that @try{} @catch{} is being used, directly or indirectly, inside dealloc.

2. Crash stack

0  libobjc.A.dylib    _objc_release()
1  CoreFoundation     -[__NSDictionaryI dealloc]()         
2  CoreFoundation     -[NSException dealloc]()         
3  libobjc.A.dylib    AutoreleasePoolPage::releaseUntil(objc_object**)()         
4  libobjc.A.dylib    _objc_autoreleasePoolPop()        
   ......
   ......

Troubleshooting the dangling pointer problem caused by try-catch

3. Code to reproduce the scenario

#import "ViewController.h"
@interface TestExpectionObj : NSObject
@end
@implementation TestExpectionObj
- (void)dealloc {
    @try {
        [self setValue:@"test" forKey:@"testKey"];
    } @catch (NSException *exception) {
        NSLog(@"%@", exception);
    }
}
@end
@implementation ViewController
- (void)viewDidLoad {
    [super viewDidLoad];
    // Do any additional setup after loading the view.
    [TestExpectionObj new];
}
@end

4. Analysis

When dealloc uses try-catch and the catch is triggered, an NSException object is created. The exception has the following structure:

exception : NSException {
	userInfo: NSDictionary {
		NSTargetObjectUserInfoKey = "<TestExpectionObj: 0x6000038ac3e0>";
	}
}

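The exception holds a strong reference to the TestExpectionObj object, and because exceptions are generally created by class methods, they are automatically added to the AutoreleasePool. So once dealloc has finished, the TestExpectionObj object has already been freed (a strong reference taken to the current object inside its own dealloc cannot stop that object from being freed; whether the reference count increases no longer matters), and the TestExpectionObj in exception.userInfo becomes a dangling object.

When the AutoreleasePool reaches the end of its cycle and drains, it calls release on the exception and its userInfo. When the userInfo dictionary is freed, it releases its keys and values in turn, so NSTargetObjectUserInfoKey = "<TestExpectionObj: 0x6000038ac3e0>" receives one more release. Because dealloc has already completed, this release is a double free that crashes, which is the dangling pointer problem.

However, if the exception is released before the TestExpectionObj object's dealloc method finishes executing, the problem does not occur.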

5. Reporting stacks that may cause the dangling pointer crash

#import <JRSwizzle/JRSwizzle.h>
@implementation NSException (ExceptionTestSunztObj)
+ (void)load {
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        [self jr_swizzleMethod:NSSelectorFromString(@"dealloc")
                              withMethod:@selector(intercept_dealloc)
                                   error:nil];
    });
}
- (void)intercept_dealloc {
    BOOL isContainDealloc = NO;
    NSMutableString *symblos = [NSMutableString string];
    for (NSString *sym in self.callStackSymbols) {
        [symblos appendFormat:@"%@\n", sym];
        if ([sym containsString:@" dealloc]"]) {
            isContainDealloc = YES;
        }
    }
    // Report symblos to your own APM channel
    [APM report:@"ttReportExceptionCallStackSymbols" withValue:symblos];
    [APM report:@"ttReportExceptionReason" withValue:self.reason?:@"NULL"];
    if (isContainDealloc) {
        // Print to the local log; needs symbolication
       TTLocalLog("NSException:throws:dealloc:ttReport", @{
           @"name": self.name?:@"",
           @"reason": self.reason?:@"",
           @"callStackSymbols": symblos
       });
       // Delay so the data is fully written before the exception is released
       __unsafe_unretained NSException *demoSelf = self;
       dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(1.0 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
           [demoSelf intercept_dealloc];
       });
       return;
    }
    [self intercept_dealloc];
}
@end

Note: using @try{} @catch{} in dealloc can cause dangling pointer crashes that are hard to track down.

Using @try-@catch

[<TestExpectionObj 0x600000714220> setValue:forUndefinedKey:]: this class is not key value coding-compliant for the key testKey.
(
  0   CoreFoundation                      0x0000000102a93604 __exceptionPreprocess + 242
  1   libobjc.A.dylib                     0x0000000102943a45 objc_exception_throw + 48
  2   CoreFoundation                      0x0000000102a9329c -[NSException init] + 0
  3   Foundation                          0x00000001034f2354 -[NSObject(NSKeyValueCoding) setValue:forKey:] + 315
  4   ExpectionDemo                       0x00000001023cae52 -[TestExpectionObj dealloc] + 50
  5   libobjc.A.dylib                     0x00000001029417b7 _ZN11objc_object17sidetable_releaseEbb + 177
  6   ExpectionDemo                       0x00000001023caf58 -[ViewController viewDidLoad] + 72
  7   UIKitCore                           0x000000010f3ce3bc -[UIViewController _sendViewDidLoadWithAppearanceProxyObjectTaggingEnabled] + 88
  8   UIKitCore                           0x000000010f3d2dbf -[UIViewController loadViewIfRequired] + 1193
  9   UIKitCore                           0x000000010f3d319a -[UIViewController view] + 27
  10  UIKitCore                           0x000000010fbdb00a -[UIWindow addRootViewControllerViewIfPossible] + 305
  11  UIKitCore                           0x000000010fbda6fe -[UIWindow _updateLayerOrderingAndSetLayerHidden:actionBlock:] + 230
  12  UIKitCore                           0x000000010fbdb6d6 -[UIWindow _setHidden:forced:] + 409
  13  UIKitCore                           0x000000010fbee204 -[UIWindow _mainQueue_makeKeyAndVisible] + 47
  14  UIKitCore                           0x000000010fe605f6 -[UIWindowScene _makeKeyAndVisibleIfNeeded] + 202
  15  UIKitCore                           0x000000010ef0fb8f +[UIScene _sceneForFBSScene:create:withSession:connectionOptions:] + 1591
  16  UIKitCore                           0x000000010fb98fbd -[UIApplication _connectUISceneFromFBSScene:transitionContext:] + 1299
  17  UIKitCore                           0x000000010fb99471 -[UIApplication workspace:didCreateScene:withTransitionContext:completion:] + 301
  18  UIKitCore                           0x000000010f613afe -[UIApplicationSceneClientAgent scene:didInitializeWithEvent:completion:] + 355
  19  FrontBoardServices                  0x0000000107090cdd -[FBSScene _callOutQueue_agent_didCreateWithTransitionContext:completion:] + 415
  20  FrontBoardServices                  0x00000001070bd216 __94-[FBSWorkspaceScenesClient createWithSceneID:groupID:parameters:transitionContext:completion:]_block_invoke.180 + 102
  21  FrontBoardServices                  0x000000010709f0ef -[FBSWorkspace _calloutQueue_executeCalloutFromSource:withBlock:] + 209
  22  FrontBoardServices                  0x00000001070bcdf5 __94-[FBSWorkspaceScenesClient createWithSceneID:groupID:parameters:transitionContext:completion:]_block_invoke + 352
  23  libdispatch.dylib                   0x0000000103c0ba5b _dispatch_client_callout + 8
  24  libdispatch.dylib                   0x0000000103c0e93b _dispatch_block_invoke_direct + 295
  25  FrontBoardServices                  0x00000001070e3da3 __FBSSERIALQUEUE_IS_CALLING_OUT_TO_A_BLOCK__ + 30
  26  FrontBoardServices                  0x00000001070e3c99 -[FBSSerialQueue _targetQueue_performNextIfPossible] + 174
  27  FrontBoardServices                  0x00000001070e3dcb -[FBSSerialQueue _performNextFromRunLoopSource] + 19
  28  CoreFoundation                      0x0000000102a004a7 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
  29  CoreFoundation                      0x0000000102a0039f __CFRunLoopDoSource0 + 180
  30  CoreFoundation                      0x00000001029ff8ce __CFRunLoopDoSources0 + 340
  31  CoreFoundation                      0x00000001029f9f68 __CFRunLoopRun + 871
  32  CoreFoundation                      0x00000001029f9704 CFRunLoopRunSpecific + 562
  33  GraphicsServices                    0x00000001071e3c8e GSEventRunModal + 139
  34  UIKitCore                           0x000000010fb9765a -[UIApplication _run] + 928
  35  UIKitCore                           0x000000010fb9c2b5 UIApplicationMain + 101
  36  ExpectionDemo                       0x00000001023cb1be main + 110
  37  dyld                                0x00000001025e6f21 start_sim + 10
  38  ???                                 0x00000001091ce4fe 0x0 + 4447855870
)

This kind of crash information cannot be captured with NSSetUncaughtExceptionHandler().
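
For triaging collected reports offline, the following added example (not code from the original post) flags the section 2 crash signature in a backtrace and applies the same " dealloc]" check as section 5 to an exception's callStackSymbols. The function names are assumptions, and the sample frames are copied from the traces on this page.

```python
import re

# Section 2 crash signature, innermost frame first.
SIGNATURE = ("objc_release", "-[__NSDictionaryI dealloc]",
             "-[NSException dealloc]", "AutoreleasePoolPage::releaseUntil")

# "<index> <image> [<address>] <symbol>[ + <offset>]"; address and offset are optional.
FRAME_RE = re.compile(
    r"^\s*\d+\s+(\S+)\s+(?:0x[0-9a-fA-F]+\s+)?(.+?)(?:\s\+\s\d+)?\s*$")

def parse_frames(text):
    """Return the symbol of every line that looks like a stack frame, in order."""
    return [m.group(2) for m in map(FRAME_RE.match, text.splitlines()) if m]

def matches_signature(symbols):
    """True if the SIGNATURE frames occur in order (other frames may sit between)."""
    it = iter(symbols)  # shared iterator: each search resumes after the last hit
    return all(any(want in sym for sym in it) for want in SIGNATURE)

def thrown_inside_dealloc(symbols):
    """Return the first dealloc frame below objc_exception_throw, or None."""
    for i, sym in enumerate(symbols):
        if "objc_exception_throw" in sym:
            return next((s for s in symbols[i + 1:] if " dealloc]" in s), None)
    return None

# Frames copied from the page's two traces (the second is an excerpt).
CRASH_STACK = """\
0  libobjc.A.dylib    _objc_release()
1  CoreFoundation     -[__NSDictionaryI dealloc]()
2  CoreFoundation     -[NSException dealloc]()
3  libobjc.A.dylib    AutoreleasePoolPage::releaseUntil(objc_object**)()
4  libobjc.A.dylib    _objc_autoreleasePoolPop()
"""
EXCEPTION_STACK = """\
  0   CoreFoundation   0x0000000102a93604 __exceptionPreprocess + 242
  1   libobjc.A.dylib  0x0000000102943a45 objc_exception_throw + 48
  2   CoreFoundation   0x0000000102a9329c -[NSException init] + 0
  3   Foundation       0x00000001034f2354 -[NSObject(NSKeyValueCoding) setValue:forKey:] + 315
  4   ExpectionDemo    0x00000001023cae52 -[TestExpectionObj dealloc] + 50
  5   libobjc.A.dylib  0x00000001029417b7 _ZN11objc_object17sidetable_releaseEbb + 177
"""

if __name__ == "__main__":
    print("crash matches signature:", matches_signature(parse_frames(CRASH_STACK)))
    print("thrown under:", thrown_inside_dealloc(parse_frames(EXCEPTION_STACK)))
```

A hit from thrown_inside_dealloc names the class whose dealloc raised the exception, which is the place to look when a report matching the signature has no application frames of its own.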