How to handle a crash like "0 ??? 0x00000000b5a95000 0 + 3047772160"

The crash log is as follows:
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x00000000b5a95000
VM Region Info: 0xb5a95000 is not in any region. Bytes before following region: 1285894144
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
UNUSED SPACE AT START
—>
__TEXT 00000001024e8000-00000001047a8000 [ 34.8M] r-x/r-x SM=COW …/cs.app/HSICS

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [7827]
Triggered by Thread: 0

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 ??? 0x00000000b5a95000 0 + 3047772160

Thread 1:
0 libsystem_pthread.dylib 0x000000018d30f9c0 start_wqthread + 0

Thread 2:
0 libsystem_kernel.dylib 0x000000018d3ea8d0 kevent + 8
1 FridaAgent 0x000000010cc79588 0x10cb7c000 + 1037704
2 FridaAgent 0x000000010cc78a3c 0x10cb7c000 + 1034812
3 FridaAgent 0x000000010cc78c10 0x10cb7c000 + 1035280
4 FridaAgent 0x000000010cb80198 0x10cb7c000 + 16792
5 ??? 0x000000010cb6427c 0 + 4508238460
6 libsystem_pthread.dylib 0x000000018d307914 _pthread_start + 168
7 libsystem_pthread.dylib 0x000000018d30f9d4 thread_start + 8

Thread 3 name: pool-spawner
Thread 3:
0 libsystem_kernel.dylib 0x000000018d3e8bc0 __psynch_cvwait + 8
1 libsystem_pthread.dylib 0x000000018d30b1e4 _pthread_cond_wait + 676
2 FridaAgent 0x000000010cc9b6ec 0x10cb7c000 + 1177324
3 FridaAgent 0x000000010cc6616c 0x10cb7c000 + 958828
4 FridaAgent 0x000000010cc880d4 0x10cb7c000 + 1097940
5 FridaAgent 0x000000010cc87100 0x10cb7c000 + 1093888
6 libsystem_pthread.dylib 0x000000018d307914 _pthread_start + 168
7 libsystem_pthread.dylib 0x000000018d30f9d4 thread_start + 8

Thread 4 name: gmain
Thread 4:
0 libsystem_kernel.dylib 0x000000018d3ea8d0 kevent + 8
1 FridaAgent 0x000000010cc79588 0x10cb7c000 + 1037704
2 FridaAgent 0x000000010cc78a3c 0x10cb7c000 + 1034812
3 FridaAgent 0x000000010cc78ac0 0x10cb7c000 + 1034944
4 FridaAgent 0x000000010cc79918 0x10cb7c000 + 1038616
5 FridaAgent 0x000000010cc87100 0x10cb7c000 + 1093888
6 libsystem_pthread.dylib 0x000000018d307914 _pthread_start + 168
7 libsystem_pthread.dylib 0x000000018d30f9d4 thread_start + 8

Thread 5 name: gum-exceptor-worker
Thread 5:
0 libsystem_kernel.dylib 0x000000018d3c6784 mach_msg_trap + 8
1 libsystem_kernel.dylib 0x000000018d3c5ba8 mach_msg + 76
2 FridaAgent 0x000000010cd033f0 0x10cb7c000 + 1602544
3 FridaAgent 0x000000010cc87100 0x10cb7c000 + 1093888
4 libsystem_pthread.dylib 0x000000018d307914 _pthread_start + 168
5 libsystem_pthread.dylib 0x000000018d30f9d4 thread_start + 8

Thread 6 name: pool-frida
Thread 6:
0 libsystem_kernel.dylib 0x000000018d3e8bc0 __psynch_cvwait + 8
1 libsystem_pthread.dylib 0x000000018d30b218 _pthread_cond_wait + 728
2 FridaAgent 0x000000010cc9b7f8 0x10cb7c000 + 1177592
3 FridaAgent 0x000000010cc66160 0x10cb7c000 + 958816
4 FridaAgent 0x000000010cc87d7c 0x10cb7c000 + 1097084
5 FridaAgent 0x000000010cc87100 0x10cb7c000 + 1093888
6 libsystem_pthread.dylib 0x000000018d307914 _pthread_start + 168
7 libsystem_pthread.dylib 0x000000018d30f9d4 thread_start + 8

Thread 7 name: gdbus
Thread 7:
0 libsystem_kernel.dylib 0x000000018d3ea8d0 kevent + 8
1 FridaAgent 0x000000010cc79588 0x10cb7c000 + 1037704
2 FridaAgent 0x000000010cc78a3c 0x10cb7c000 + 1034812
3 FridaAgent 0x000000010cc78c10 0x10cb7c000 + 1035280
4 FridaAgent 0x000000010cc31fa0 0x10cb7c000 + 745376
5 FridaAgent 0x000000010cc87100 0x10cb7c000 + 1093888
6 libsystem_pthread.dylib 0x000000018d307914 _pthread_start + 168
7 libsystem_pthread.dylib 0x000000018d30f9d4 thread_start + 8

Thread 8 name: gum-js-loop
Thread 8:
0 libsystem_kernel.dylib 0x000000018d3ea8d0 kevent + 8
1 FridaAgent 0x000000010cc79588 0x10cb7c000 + 1037704
2 FridaAgent 0x000000010cc78a3c 0x10cb7c000 + 1034812
3 FridaAgent 0x000000010cc78c10 0x10cb7c000 + 1035280
4 FridaAgent 0x000000010cd20658 0x10cb7c000 + 1721944
5 FridaAgent 0x000000010cc87100 0x10cb7c000 + 1093888
6 libsystem_pthread.dylib 0x000000018d307914 _pthread_start + 168
7 libsystem_pthread.dylib 0x000000018d30f9d4 thread_start + 8

Thread 9 name: Dispatch queue: com.apple.root.default-qos
Thread 9:
0 libsystem_kernel.dylib 0x000000018d3c67c0 semaphore_wait_trap + 8
1 libdispatch.dylib 0x000000018d2a3af0 _dispatch_sema4_wait + 28
2 libdispatch.dylib 0x000000018d2a4188 _dispatch_semaphore_wait_slow + 132
3 CFNetwork 0x0000000190903c20 CFURLConnectionSendSynchronousRequest + 412
4 CFNetwork 0x000000019087d4cc 0x190879000 + 17612
5 Foundation 0x000000018d943e10 -[NSString initWithContentsOfURL:encoding:error:] + 264
6 Foundation 0x000000018d94437c +[NSString stringWithContentsOfURL:encoding:error:] + 60
7 HSICS 0x0000000102f21438 0x1024e8000 + 10720312
8 HSICS 0x0000000102f212ec 0x1024e8000 + 10719980
9 libdispatch.dylib 0x000000018d2a2134 _dispatch_call_block_and_release + 32
10 libdispatch.dylib 0x000000018d2a35ac _dispatch_client_callout + 20
11 libdispatch.dylib 0x000000018d2a5a1c _dispatch_queue_override_invoke + 672
12 libdispatch.dylib 0x000000018d2b2724 _dispatch_root_queue_drain + 348
13 libdispatch.dylib 0x000000018d2b2ed0 _dispatch_worker_thread2 + 116
14 libsystem_pthread.dylib 0x000000018d3096dc _pthread_wqthread + 216
15 libsystem_pthread.dylib 0x000000018d30f9c8 start_wqthread + 8

Thread 10:
0 libsystem_pthread.dylib 0x000000018d30f9c0 start_wqthread + 0

Thread 11:
0 libsystem_pthread.dylib 0x000000018d30f9c0 start_wqthread + 0

Thread 12 name: JavaScriptCore bmalloc scavenger
Thread 12:
0 libsystem_kernel.dylib 0x000000018d3e8bc0 __psynch_cvwait + 8
1 libsystem_pthread.dylib 0x000000018d30b1e4 _pthread_cond_wait + 676
2 libc++.1.dylib 0x000000018d43cf78 std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 28
3 JavaScriptCore 0x000000019c8c7a44 void std::__1::condition_variable_any::wait<std::__1::unique_lock<bmalloc::Mutex> >(std::__1::unique_lock<bmalloc::Mutex>&) + 104
4 JavaScriptCore 0x000000019c8cb7b4 bmalloc::Scavenger::threadRunLoop() + 156
5 JavaScriptCore 0x000000019c8cb4d8 bmalloc::Scavenger::Scavenger(std::__1::lock_guard<bmalloc::Mutex> const&) + 0
6 JavaScriptCore 0x000000019c8cc750 std::__1::__thread_specific_ptr<std::__1::__thread_struct>::set_pointer(std::__1::__thread_struct*) + 0
7 libsystem_pthread.dylib 0x000000018d307914 _pthread_start + 168
8 libsystem_pthread.dylib 0x000000018d30f9d4 thread_start + 8

Thread 13 name: WebThread
Thread 13:
0 libsystem_kernel.dylib 0x000000018d3c6784 mach_msg_trap + 8
1 libsystem_kernel.dylib 0x000000018d3c5ba8 mach_msg + 76
2 CoreFoundation 0x000000018d57c538 __CFRunLoopServiceMachPort + 152
3 CoreFoundation 0x000000018d577364 __CFRunLoopRun + 1140
4 CoreFoundation 0x000000018d576bc8 CFRunLoopRunSpecific + 480
5 WebCore 0x0000000195d20c28 RunWebThread(void*) + 564
6 libsystem_pthread.dylib 0x000000018d307914 _pthread_start + 168
7 libsystem_pthread.dylib 0x000000018d30f9d4 thread_start + 8

Thread 14:
0 libsystem_pthread.dylib 0x000000018d30f9c0 start_wqthread + 0

Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000000000000 x1: 0x0000000105a8787a x2: 0x0000000000000002 x3: 0x0000000000000002
x4: 0x000000000000006c x5: 0x000000000000006c x6: 0x000000010aff4000 x7: 0x0000000000000790
x8: 0x000000000000006c x9: 0x00000000b5a95000 x10: 0x00000001db9d6880 x11: 0x0000070000000702
x12: 0x0000000000010001 x13: 0x00000000000120a8 x14: 0x0000000000000000 x15: 0x0000000000000000
x16: 0x000000018d3041f0 x17: 0x00000001cf952808 x18: 0x0000000000000000 x19: 0x000000010af0d9a0
x20: 0x000000010aff4000 x21: 0x00000001069157f0 x22: 0x000000016d910108 x23: 0x000000001f070018
x24: 0x00000001068ec000 x25: 0x0000000102586044 x26: 0x00000002837065d0 x27: 0xd59fab54333714da
x28: 0x0000000000002710 fp: 0x000000016d9100d0 lr: 0x0000000000000000
sp: 0x0000000000000000 pc: 0x00000000b5a95000 cpsr: 0x60000000
esr: 0x82000006 (Instruction Abort) Translation fault

I can't get any useful information out of this, and an exception breakpoint doesn't catch it either. Any advice?

FridaAgent

Search for 0xb5a95000 directly. It feels like a constant: after the app detects something abnormal, it clears the call stack and then jumps to an invalid address.

Nice. OP could check whether there are any addresses in the stack registers, trace around there, and see whether the trigger point can be found.

EXC_BAD_ACCESS

means: bad access, i.e. an address was accessed that should not have been accessed.

KERN_INVALID_ADDRESS

KERN_INVALID_ADDRESS should mean an invalid kernel address.

at 0x00000000b5a95000
VM Region Info: 0xb5a95000 is not in any region.

The address 0xb5a95000 does not belong to any region, i.e. an address was accessed that should not have been accessed.

…/cs.app/HSICS

It looks like your app under test is the binary HSICS inside cs.app.

Thread 0 name: Dispatch queue: com.apple.main-thread

The error is on the main thread.

0 ??? 0x00000000b5a95000 0 + 3047772160

What the crash belongs to, specifically:

  • Address: 0x00000000b5a95000
    • Owning function: 0
      • an invalid function
    • Offset: 3047772160 = 0xB5A95000 = the same as the address above, 0x00000000b5a95000

Thread 2:
0 libsystem_kernel.dylib 0x000000018d3ea8d0 kevent + 8
1 FridaAgent 0x000000010cc79588 0x10cb7c000 + 1037704
2 FridaAgent 0x000000010cc78a3c 0x10cb7c000 + 1034812
3 FridaAgent 0x000000010cc78c10 0x10cb7c000 + 1035280
4 FridaAgent 0x000000010cb80198 0x10cb7c000 + 16792
...

The thread stacks in your crash contain FridaAgent a lot
-> so it looks like FridaAgent led, in the end, to the call that reached the faulting location and faulting address, which is where the error is finally reported
-> working backwards:

  • Either it is a bug in FridaAgent itself: this is not very likely
    • after all, FridaAgent is a heavily tested library and is unlikely to have common bugs
  • Or it is a problem in your program under test
    • for example, some special-case code path in the program caused an invalid kernel address to be accessed here, producing the error
      -> assume that your program caused the error here
      -> what you need to do is find the code that first triggered the error here, i.e. the exact location
      -> judging from the stacks above, it could be:

(Possibility 1)

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 ??? 0x00000000b5a95000 0 + 3047772160

-> see whether you can find out:
whether 0x00000000b5a95000 here belongs to code in your program (the HSICS binary in cs.app), and if so which function and which line of code the corresponding offset maps to.

(Possibility 2)
From:

Thread 9 name: Dispatch queue: com.apple.root.default-qos
...
5 Foundation 0x000000018d943e10 -[NSString initWithContentsOfURL:encoding:error:] + 264
6 Foundation 0x000000018d94437c +[NSString stringWithContentsOfURL:encoding:error:] + 60
7 HSICS 0x0000000102f21438 0x1024e8000 + 10720312
8 HSICS 0x0000000102f212ec 0x1024e8000 + 10719980
...

-> go and look at these 2 function addresses in HSICS:

  • Address in memory: 0x0000000102f21438
    • Corresponding function address: 0x1024e8000
      • Offset within the function: 10720312
  • HSICS 0x0000000102f212ec
    • Corresponding function address: 0x1024e8000
      • Offset within the function: 10719980
        -> find out which functions these are and which code the offsets correspond to, and whether they could cause the error here

(Possibility 3)

Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000000000000 x1: 0x0000000105a8787a x2: 0x0000000000000002 x3: 0x0000000000000002
x4: 0x000000000000006c x5: 0x000000000000006c x6: 0x000000010aff4000 x7: 0x0000000000000790
x8: 0x000000000000006c x9: 0x00000000b5a95000 x10: 0x00000001db9d6880 x11: 0x0000070000000702
x12: 0x0000000000010001 x13: 0x00000000000120a8 x14: 0x0000000000000000 x15: 0x0000000000000000
x16: 0x000000018d3041f0 x17: 0x00000001cf952808 x18: 0x0000000000000000 x19: 0x000000010af0d9a0
x20: 0x000000010aff4000 x21: 0x00000001069157f0 x22: 0x000000016d910108 x23: 0x000000001f070018
x24: 0x00000001068ec000 x25: 0x0000000102586044 x26: 0x00000002837065d0 x27: 0xd59fab54333714da
x28: 0x0000000000002710 fp: 0x000000016d9100d0 lr: 0x0000000000000000
sp: 0x0000000000000000 pc: 0x00000000b5a95000 cpsr: 0x60000000
esr: 0x82000006 (Instruction Abort) Translation fault

-> go through the value in each register above and look for anything that could be
an address in your program (the HSICS binary in cs.app)
(for example, perhaps 0x00000001db9d6880, 0x000000010af0d9a0, and so on?)
-> if so, find which line of which function it is (the offset within the function)
-> that may give you a chance to find the exact code that caused the error here
-> and thereby the final root cause (for example a code bug that failed to reject a bad address and accessed a wrong address) and the matching fix (fix the code bug, avoid accessing an invalid pointer address)
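The three checks this reply walks through by hand (does the faulting pc fall inside any mapped region; does an unsymbolicated frame's module base plus offset add up to the printed address; which register values fall inside the app's own __TEXT range) are mechanical, so they can be scripted. The Python below is an added example, not code from the thread, from Frida or from the app's authors. It runs on a constructed excerpt of the crash report posted above (only the lines the checks need), and the `Region`/`Frame` types and the function names are the example's own.

```python
"""Triage helper for an Apple-style crash report: region lookup, frame decomposition, register scan."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed excerpt of the crash report from the thread, trimmed to the lines the checks use.
CRASH_REPORT = """\
__TEXT 00000001024e8000-00000001047a8000 [ 34.8M] r-x/r-x SM=COW …/cs.app/HSICS
Thread 0 Crashed:
0 ??? 0x00000000b5a95000 0 + 3047772160
Thread 9:
5 Foundation 0x000000018d943e10 -[NSString initWithContentsOfURL:encoding:error:] + 264
7 HSICS 0x0000000102f21438 0x1024e8000 + 10720312
8 HSICS 0x0000000102f212ec 0x1024e8000 + 10719980
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000000000000 x1: 0x0000000105a8787a x2: 0x0000000000000002 x3: 0x0000000000000002
x8: 0x000000000000006c x9: 0x00000000b5a95000 x10: 0x00000001db9d6880 x11: 0x0000070000000702
x24: 0x00000001068ec000 x25: 0x0000000102586044 x26: 0x00000002837065d0 x27: 0xd59fab54333714da
x28: 0x0000000000002710 fp: 0x000000016d9100d0 lr: 0x0000000000000000
sp: 0x0000000000000000 pc: 0x00000000b5a95000 cpsr: 0x60000000
"""


class Region(NamedTuple):
    name: str
    start: int
    end: int    # exclusive
    path: str


class Frame(NamedTuple):
    index: int
    module: str
    addr: int
    symbol: str  # a symbol name, or the module base as hex text when the frame is unsymbolicated
    offset: int


# "__TEXT <start>-<end> [ size] prot/max SM=... <path>"
REGION_RE = re.compile(r"^(\S+)\s+([0-9a-f]+)-([0-9a-f]+)\s+\[.*?\]\s+\S+\s+\S+\s+(\S+)$")
# "<n> <module> <0xaddr> <symbol or base> + <offset>"; the symbol may contain spaces.
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(.+?)\s\+\s(\d+)$")
REG_RE = re.compile(r"\b(x\d+|fp|lr|sp|pc|cpsr):\s+(0x[0-9a-f]+)")


def parse_regions(report: str) -> List[Region]:
    out = []
    for line in report.splitlines():
        m = REGION_RE.match(line.strip())
        if m:
            out.append(Region(m.group(1), int(m.group(2), 16), int(m.group(3), 16), m.group(4)))
    return out


def parse_frames(report: str) -> List[Frame]:
    out = []
    for line in report.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            out.append(Frame(int(m.group(1)), m.group(2), int(m.group(3), 16), m.group(4), int(m.group(5))))
    return out


def parse_registers(report: str) -> Dict[str, int]:
    return {name: int(val, 16) for name, val in REG_RE.findall(report)}


def locate(addr: int, regions: List[Region]) -> Optional[Region]:
    """Region containing addr, or None (the report's own 'is not in any region')."""
    for r in regions:
        if r.start <= addr < r.end:
            return r
    return None


def decompose(frame: Frame) -> Optional[Dict[str, int]]:
    """For an unsymbolicated frame ('<base> + <offset>') return base and offset and
    whether base + offset reproduces the printed address. None for symbolicated frames."""
    if not re.fullmatch(r"0x[0-9a-f]+|0", frame.symbol):
        return None
    base = int(frame.symbol, 16)
    return {"base": base, "offset": frame.offset, "consistent": base + frame.offset == frame.addr}


def registers_in_region(regs: Dict[str, int], region: Region) -> List[str]:
    """Register names whose values point inside region (possibility 3 in the reply above)."""
    return sorted(n for n, v in regs.items() if region.start <= v < region.end)


if __name__ == "__main__":
    regions = parse_regions(CRASH_REPORT)
    regs = parse_registers(CRASH_REPORT)
    print("pc region:", locate(regs["pc"], regions))
    for f in parse_frames(CRASH_REPORT):
        print(f.index, f.module, hex(f.addr), locate(f.addr, regions) is not None, decompose(f))
    print("registers inside __TEXT:", registers_in_region(regs, regions[0]))
```

Feeding the full report instead of the excerpt works the same way; for a real triage the offsets returned by `decompose` are what you hand to the symbolicator (`atos -o HSICS -l <base> <addr>` or the dSYM), and the register scan narrows down which saved pointers are worth looking at first.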

Thanks