Debugging sporadic app crashes with dylib in iOS13/iPadOS 13

Question

After updating to iOS 13.x / iPadOS 13.x we see sporadic crashes with our recent Testflight builds. We've not seen reports from users using our pre-13 released version yet, but it seems not many have updated to 13 yet, so we really don't know.

The app is a cordova-app with cordova-ios 5.0.2 using WkWebView. Data protection entitlement is set to full.

I have a hard time making sense of the crash, and it seems to be somewhere deep in the iOS-stack? The crash is sporadic and seems only to happen occasionally when the app has been put into the background.

I'm looking for some guidance/pointers on how to get to the bottom of this.

Crash report from TestFlight:

Incident Identifier: 900F9C19-EE4A-4A9D-B1AB-E834F6387565
Beta Identifier:     7194E7C0-152C-43E4-9716-BE2AF29A0BD7
Hardware Model:      iPad7,5
Process:             SomeApp [677]
Path:                /private/var/containers/Bundle/Application/745F3054-AB4B-4A1A-A7AB-2AFD0516706C/SomeApp.app/SomeApp
Identifier:          SomeApp
Version:             380 (2.0.0)
AppStoreTools:       11A1002b
Beta:                YES
Code Type:           ARM-64 (Native)
Role:                Non UI
Parent Process:      launchd [1]
Coalition:           SomeApp [620]


Date/Time:           2019-10-03 07:10:10.2716 +0200
Launch Time:         2019-10-02 15:50:25.8963 +0200
OS Version:          iPhone OS 13.1.2 (17A860)
Release Type:        User
Baseband Version:    n/a
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Subtype: KERN_MEMORY_ERROR at 0x00000001048a5c8c
VM Region Info: 0x1048a5c8c is in 0x104884000-0x1048a8000;  bytes after start: 138380  bytes before end: 9075
      REGION TYPE                      START - END             [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      MALLOC_LARGE           0000000104880000-0000000104884000 [   16K] rw-/rwx SM=PRV  
--->  mapped file            0000000104884000-00000001048a8000 [  144K] r--/rw- SM=COW  ...t_id=18017271
      shared memory          00000001048a8000-00000001048ac000 [   16K] r--/r-- SM=SHM  

Termination Signal: Bus error: 10
Termination Reason: Namespace SIGNAL, Code 0xa
Terminating Process: exc handler [677]
Triggered by Thread:  12

Thread 12 name:
Thread 12 Crashed:
0   libdyld.dylib                   0x000000018a2f76c0 dyld3::closure::ObjCStringTable::hash(char const*, unsigned long) const + 16 (Closure.cpp:1339)
1   libdyld.dylib                   0x000000018a2f7cd4 dyld3::closure::ObjCStringTable::getIndex(char const*) const + 52 (Closure.h:840)
2   libdyld.dylib                   0x000000018a2f7a6c dyld3::closure::ObjCStringTable::getPotentialTarget(char const*) const + 20 (Closure.h:824)
3   libdyld.dylib                   0x000000018a2f7d40 dyld3::closure::ObjCClassDuplicatesOpt::getClassLocation(char const*, objc_opt::objc_opt_t const*... + 44 (Closure.cpp:1483)
4   libdyld.dylib                   0x000000018a3044bc dyld3::AllImages::forEachObjCClass(char const*, void (void*, bool, bool*) block_pointer) const + 72 (AllImages.cpp:1915)
5   libobjc.A.dylib                 0x000000018a236c38 getPreoptimizedClass + 148 (objc-opt.mm:279)
6   libobjc.A.dylib                 0x000000018a2218d8 getClassExceptSomeSwift(char const*) + 20 (objc-runtime-new.mm:1607)
7   libobjc.A.dylib                 0x000000018a222784 look_up_class + 100 (objc-runtime-new.mm:6843)
8   Foundation                      0x000000018a8b4b00 NSClassFromString + 200 (NSObjCRuntime.m:0)
9   BoardServices                   0x000000018f2ba1b0 +[BSXPCServiceConnectionProxy invokeMethod:onTarget:withMessage:forConnection:] + 104 (BSXPCServiceConnectionProxy.m:329)
10  BoardServices                   0x000000018f2b9374 -[BSXPCServiceConnectionProxy invokeMessage:onTarget:] + 144 (BSXPCServiceConnectionProxy.m:177)
11  BoardServices                   0x000000018f2c080c __63-[BSXPCServiceConnectionEventHandler connection:handleMessage:]_block_invoke + 428 (BSXPCServiceConnectionEventHandler.m:184)
12  BoardServices                   0x000000018f2d6bf0 BSXPCServiceConnectionExecuteCallOut + 344 (BSXPCServiceConnection.m:1049)
13  BoardServices                   0x000000018f2c062c -[BSXPCServiceConnectionEventHandler connection:handleMessage:] + 172 (BSXPCServiceConnectionEventHandler.m:173)
14  BoardServices                   0x000000018f2d53e4 -[BSXPCServiceConnection _connection_handleMessage:fromPeer:withHandoff:] + 644 (BSXPCServiceConnection.m:808)
15  libdispatch.dylib               0x000000018a1bf610 _dispatch_call_block_and_release + 24 (init.c:1408)
16  libdispatch.dylib               0x000000018a1c0184 _dispatch_client_callout + 16 (object.m:495)
17  libdispatch.dylib               0x000000018a16c464 _dispatch_lane_serial_drain$VARIANT$mp + 608 (inline_internal.h:2487)
18  libdispatch.dylib               0x000000018a16ce88 _dispatch_lane_invoke$VARIANT$mp + 468 (queue.c:3820)
19  libdispatch.dylib               0x000000018a16c330 _dispatch_lane_serial_drain$VARIANT$mp + 300 (inline_internal.h:2528)
20  libdispatch.dylib               0x000000018a16ce88 _dispatch_lane_invoke$VARIANT$mp + 468 (queue.c:3820)
21  libdispatch.dylib               0x000000018a176340 _dispatch_workloop_worker_thread + 588 (queue.c:6386)
22  libsystem_pthread.dylib         0x000000018a20ffa4 _pthread_wqthread + 276 (pthread.c:2323)
23  libsystem_pthread.dylib         0x000000018a212ae0 start_wqthread + 8

Stack after update to iPadOS 13.2, of note: PluginKit:

Thread 5 name:
Thread 5 Crashed:
0   libdyld.dylib                   0x00000001bc5505d0 dyld3::closure::ObjCStringTable::hash(char const*, unsigned long) const + 16 (Closure.cpp:1339)
1   libdyld.dylib                   0x00000001bc550be4 dyld3::closure::ObjCStringTable::getIndex(char const*) const + 52 (Closure.h:841)
2   libdyld.dylib                   0x00000001bc55097c dyld3::closure::ObjCStringTable::getPotentialTarget(char const*) const + 20 (Closure.h:825)
3   libdyld.dylib                   0x00000001bc550c50 dyld3::closure::ObjCClassDuplicatesOpt::getClassLocation(char const*, objc_opt::objc_opt_t const*... + 44 (Closure.cpp:1483)
4   libdyld.dylib                   0x00000001bc55d3cc dyld3::AllImages::forEachObjCClass(char const*, void (void*, bool, bool*) block_pointer) const + 72 (AllImages.cpp:1915)
5   libobjc.A.dylib                 0x00000001bc48fc28 getPreoptimizedClass + 148 (objc-opt.mm:279)
6   libobjc.A.dylib                 0x00000001bc47a7d8 getClassExceptSomeSwift(char const*) + 20 (objc-runtime-new.mm:1620)
7   libobjc.A.dylib                 0x00000001bc47b684 look_up_class + 100 (objc-runtime-new.mm:6880)
8   BaseBoard                       0x00000001bf30447c _BSXPCEncodeObjectForKey + 124 (BSXPCCoder.m:377)
9   BaseBoard                       0x00000001bf30428c -[BSXPCCoder encodeObject:forKey:] + 96 (BSXPCCoder.m:181)
10  RunningBoardServices            0x00000001bf29f604 __44+[RBSXPCMessage messageForMethod:arguments:]_block_invoke + 288 (RBSXPCUtilities.m:152)
11  RunningBoardServices            0x00000001bf29f35c +[RBSXPCMessage messageWithEncoder:] + 72 (RBSXPCUtilities.m:132)
12  RunningBoardServices            0x00000001bf29f408 +[RBSXPCMessage messageForMethod:arguments:] + 148 (RBSXPCUtilities.m:140)
13  RunningBoardServices            0x00000001bf29f788 +[RBSXPCMessage messageForMethod:varguments:] + 192 (RBSXPCUtilities.m:170)
14  RunningBoardServices            0x00000001bf28f234 -[RBSConnection _invalidateAssertionIdentifier:error:] + 144 (RBSConnection.m:1361)
15  RunningBoardServices            0x00000001bf28808c -[RBSConnection invalidateAssertion:error:] + 80 (RBSConnection.m:275)
16  RunningBoardServices            0x00000001bf28605c -[RBSAssertion _clientInvalidateWithError:] + 124 (RBSAssertion.m:317)
17  AssertionServices               0x00000001c0e6278c -[BKSAssertion _invalidateSynchronously:] + 104 (BKSAssertion.m:164)
18  AssertionServices               0x00000001c0e6718c -[BKSProcessAssertion invalidate] + 92 (BKSProcessAssertion.m:291)
19  Foundation                      0x00000001bcb2e624 ___NSExtensionTearDownRequestWithIdentifier_block_invoke_2 + 84 (NSExtension.m:1098)
20  PlugInKit                       0x00000001c9e6db4c -[PKHostPlugIn endUsing:] + 152 (PKHostPlugIn.m:814)
21  Foundation                      0x00000001bcb2d090 __64-[NSExtension _safelyEndUsingWithProcessAssertion:continuation:]_block_invoke + 116 (NSExtension.m:1670)
22  libdispatch.dylib               0x00000001bc418610 _dispatch_call_block_and_release + 24 (init.c:1408)
23  libdispatch.dylib               0x00000001bc419184 _dispatch_client_callout + 16 (object.m:495)
24  libdispatch.dylib               0x00000001bc3c5404 _dispatch_lane_serial_drain$VARIANT$mp + 608 (inline_internal.h:2484)
25  libdispatch.dylib               0x00000001bc3c5df8 _dispatch_lane_invoke$VARIANT$mp + 420 (queue.c:3863)
26  libdispatch.dylib               0x00000001bc3cf314 _dispatch_workloop_worker_thread + 588 (queue.c:6445)
27  libsystem_pthread.dylib         0x00000001bc468f98 _pthread_wqthread + 276 (pthread.c:2323)
28  libsystem_pthread.dylib         0x00000001bc46bad4 start_wqthread + 8

For others experiencing these problems here are some other relevant links:

https://forums.developer.apple.com/thread/123728 https://forums.developer.apple.com/message/384064#384064

Alex Terente · Accepted Answer · 2019-10-04T13:41:53.863

4

It seems that the dyld3 saves the generated clojure files in the app tmp directory and if you use NSFileProtectionComplete the closure files have this property too.

To generate a crahs close the app, lock the phone, send a push that will wake up the app and then the crash is generated.

The solution seems to be simple, just change the permissions for the app tmp direcptry to NSFileProtectionCompleteUntilFirstUserAuthentication and the app will not crash. I really don't know why apple did this.

edited Oct 04 '19 at 13:41

answered Oct 03 '19 at 11:56

Alex Terente

12,006
5
51
71

Hi and thanks for your feedback! I assume by clojure you mean closure? The app doesn't have any push capabilities, so that makes trying that reproduction hard. – Lubricin Oct 03 '19 at 12:09
Adding to that, the app is made with cordova, so I'm a bit stranded as how to change the tmp directory permissions. I'll try to look into it. – Lubricin Oct 03 '19 at 12:11
Question: How do you know that problem is with files in the app tmp directory? How do you parse that out of the stack/crash report? – Lubricin Oct 03 '19 at 12:14
I found this issue/comment and assume that is what you also describing? https://github.com/firebase/firebase-ios-sdk/issues/2846#issuecomment-537752697 – Lubricin Oct 03 '19 at 12:41
You can not trace that from the stack trace. But is same stack trace, but same stack trace is generated when you have file protection complete set in the app and the app is loaded and the phone locked. Just list the closure files and their properties in the app. – Alex Terente Oct 04 '19 at 13:44
@AlexTerente You don't necessarily need to use push notifications to reproduce the issue. If your app is configured to use complete file protection in the entitlements, any code that runs while protected data is unavailable will cause the app to crash. For example, my company's app has a background task that takes longer than 10 seconds to execute. Since protected data becomes unavailable around 10 seconds after locking the device, the app will crash before the background task can finish executing (despite having more time available on the assertion). – Ryan Pendleton Oct 09 '19 at 04:05
1

Just to add for any future readers (from: https://forums.developer.apple.com/message/384064): Steps to reproduce: *Run application without debugger attached (to enable watchdog timers) * Lock device (while the application is in the foreground) * Wait 15 seconds * Rotate device to landscape while locked (give it a good shake so you know the new orientation has been recognized) * Wake and unlock device * App has crashed – Lubricin Oct 16 '19 at 11:44
And according to https://forums.developer.apple.com/message/384064#384064 this issue should be solved with iPadOS/iOS 13.2 beta 3. – Lubricin Oct 18 '19 at 06:38
@Lubricin, is good that apple fixed this in 13.2 but still the app has to run on iOS 13.0 and 13.1. – Alex Terente Oct 18 '19 at 07:23

score 2 · Answer 2 · answered Oct 29 '19 at 01:07

2

I could consistently reproduce this issue in iOS 13.1. But I tested today on iOS13.2 beta 4 and can no longer reproduce this issue. I would suggest reverting the file protection level to complete and then testing on the latest 13.2 beta.

answered Oct 29 '19 at 01:07

Zia

14,622
7
40
59

Yes. The fix came in 13.2 Beta 3 (see comments above.) :-) – Lubricin Nov 01 '19 at 10:10

score 0 · Answer 3 · answered Nov 01 '19 at 08:57

0

Update the device to iOS 13.2 if possible. I installed iOS 13.2 and I can no longer reproduce this issue. I have not changed the file protection level to NSFileProtectionCompleteUntilFirstUserAuthentication, and it still works.

answered Nov 01 '19 at 08:57

Cloud9999Strife

3,102
3
30
43

Debugging sporadic app crashes with dylib in iOS13/iPadOS 13

3 Answers3

Linked