KSJSON icon indicating copy to clipboard operation
KSJSON copied to clipboard

Published 20 hours ago verified publisher icon kstenerud

Crashes in String-Serializer

Open mickeyl opened this issue 7 years ago • 3 comments

After having worked successfully with KSJSON for a couple of years, recent deployments seem to crash. I have attached a couple of crash logs, perhaps they ring a bell for someone of you.

2018-07-05_07-40-57.4533_+0200-ed0f425b7f5bee50860bf8b7ef618aa3ea65332a.crash.txt 2018-07-05_10-41-30.6721_+0200-633a26bf64eda5cb9a98007810cde3595bf3e97b.crash.txt 2018-07-05_08-21-42.0399_+0200-43c90c601837d9169956ed8841dc33e3397940fb.crash.txt 2018-07-05_10-15-40.7203_+0200-c6cf223c2fa2cebbe9689723fc2b9f49ab6eb7a6.crash.txt 2018-07-05_07-54-25.4155_+0200-7fc4ac5a3077f970e8b927d701fa4521387c81d4.crash.txt

Could one of the newer clang releases in Xcode 9.x be responsible for that?

I have reverted to using NSJSONSerialization for now and the crashes stopped, since this is way slower than KSJSON though, I'd be interested in any hints.

mickeyl avatar Jul 29 '18 12:07 mickeyl

Hmm... The crash doesn't seem to be getting properly symbolicated - the line offset is wrong.

Do you have a repro case that crashes every time? From the surface it looks like it's crashing when it encounters a long string, but I can't be sure from the crash reports.

kstenerud avatar Jul 29 '18 18:07 kstenerud

Thanks for responding. Unfortunately I have not been able to acquire a case to reproduce this. The people who use the software claim that it's intermittent – even with the very same input data. Could it be an OOM situation? All crashes seem to happen on an iPad 4 mini. I try to hammer it with some very long strings when I have a chance.

mickeyl avatar Jul 29 '18 19:07 mickeyl

It's crashing due to an access outside of a malloced block:

Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000107ac4000
VM Region Info: 0x107ac4000 is not in any region.  Bytes after previous region: 1  Bytes before following region: 180224
      REGION TYPE                      START - END             [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      MALLOC_LARGE           0000000107aa4000-0000000107ac4000 [  128K] rw-/rwx SM=PRV  
--->  GAP OF 0x2c000 BYTES
      mapped file            0000000107af0000-0000000107afc000 [   48K] r--/r-- SM=SHM

So something's running off the end of a malloced buffer. Trouble is, I don't know if it's happening when reading from a source buffer, or when writing to a destination buffer. There are a number of places where it might be happening, but without a repro case or a valid line number, it's mostly guesswork.

If I were to venture a guess, I'd suspect line 1149:

likely_if(nextEscape > ch)
{
    serializeChars(context, ch, (unsigned int)(nextEscape - ch));
}

Try changing nextEscape to end. I think it might be possible for nextEscape to be 1 byte too far.

likely_if(end > ch)
{
    serializeChars(context, ch, (unsigned int)(end - ch));
}

kstenerud avatar Jul 29 '18 20:07 kstenerud