Wild pointer problem: reviewing the Orange technique
2022-07-19 16:23:00 【dengjiangszhan】
Background and ideas:
This article is a review of 《How to locate random Obj-C wild-pointer crashes (three articles)》.
Orange's part one: raise the probability that a wild pointer crashes.
A crash caused by a wild pointer is not inevitable:
- Allocated memory has a one-to-many relationship with the pointers that point to it.
- Once the memory is freed (marked for reuse), it may be written at any time.
- What gets written there is random, which is why a wild pointer is random in whether it crashes and in when it crashes.
At that point, using one of the surviving pointers most likely reads the wrong content and then executes a method of the original class.
The error that usually results is EXC_BAD_ACCESS.
Ideas
Part one: pollute the memory deliberately, by hand.
Use fishhook to hook the object's free(); take the pointer being freed and smear the whole block with 0x55:
memset(obj, 0x55, memSize);
This turns a random problem into a deterministic one: as soon as free is called, the block is no longer the original object.
Part 2: the limit of raising the wild-pointer crash probability
The memory being released may well have been painted with 0x55 by our code, but Apple's operating system then hands the same block to a newly allocated object of the same type (same starting address). The wild pointer now points at a valid object of the expected class, the crash is still invisible, and the smearing above was wasted.
Keep-alive idea for the wild pointer
- Use a queue (an array): add to it the pointers to the memory that is about to be released (tampered with, then smeared with 0x55), so that memory is kept alive instead of being handed back to the allocator.
- Besides the array, the queue has a mutex so the operations are thread-safe:
pthread_mutex_t mutex;
- Memory is capped, with automatic release when a cap is exceeded:
// Hold at most this many bytes; beyond this value, part of it is released
#define MAX_STEAL_MEM_SIZE 1024*1024*100
// Hold at most this many pointers; beyond this, some are released
#define MAX_STEAL_MEM_NUM 1024*1024*10
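The hook, the 0x55 poisoning and the keep-alive queue with its mutex and two caps, as an added example in C that is not the article's or Orange's own code: fishhook is replaced by a guarded_free() function that callers invoke directly, the block size is passed in by the caller where the real hook would ask the allocator for it (an assumption), and the caps are shrunk so the eviction can be seen with a handful of blocks. It generalizes the two #defines above into a ring buffer that evicts the oldest parked block whenever either cap would be exceeded.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the code of the original article or of the Orange tool:
 * a stand-in for the hooked free(). fishhook is replaced by a plain function
 * that callers invoke directly, and the block size is passed in by the caller
 * where the real hook would ask the allocator for it (assumption). */

#define POISON_BYTE 0x55
/* Caps kept small for the demo; the article uses 100 MB and 10 M pointers. */
#define MAX_STEAL_MEM_SIZE (64 * 1024)
#define MAX_STEAL_MEM_NUM 8

/* Keep-alive queue: poisoned blocks that have not been given back to malloc,
 * so the allocator cannot hand the same address to a new object. */
static struct { void *ptr; size_t size; } steal_queue[MAX_STEAL_MEM_NUM];
static size_t steal_head = 0;   /* index of the oldest entry */
static size_t steal_count = 0;  /* entries held */
static size_t steal_bytes = 0;  /* bytes held */
static pthread_mutex_t steal_mutex = PTHREAD_MUTEX_INITIALIZER;

/* Give the oldest held block back to the real free(). Caller holds the mutex. */
static void release_oldest_locked(void) {
    if (steal_count == 0) return;
    free(steal_queue[steal_head].ptr);
    steal_bytes -= steal_queue[steal_head].size;
    steal_head = (steal_head + 1) % MAX_STEAL_MEM_NUM;
    steal_count--;
}

/* Replacement for free(): smear the block with 0x55, then park it in the
 * queue. Returns how many blocks the queue holds afterwards. */
size_t guarded_free(void *p, size_t size) {
    if (p == NULL) return 0;
    memset(p, POISON_BYTE, size);          /* random garbage becomes deterministic */
    if (size > MAX_STEAL_MEM_SIZE) {       /* too big to park: release it at once */
        free(p);
        return 0;
    }
    pthread_mutex_lock(&steal_mutex);
    /* Evict oldest entries until both the count cap and the byte cap hold. */
    while (steal_count > 0 &&
           (steal_count >= MAX_STEAL_MEM_NUM ||
            steal_bytes + size > MAX_STEAL_MEM_SIZE)) {
        release_oldest_locked();
    }
    size_t tail = (steal_head + steal_count) % MAX_STEAL_MEM_NUM;
    steal_queue[tail].ptr = p;
    steal_queue[tail].size = size;
    steal_count++;
    steal_bytes += size;
    size_t held = steal_count;
    pthread_mutex_unlock(&steal_mutex);
    return held;
}

/* Hand every parked block back to the allocator; returns how many were held. */
size_t steal_drain(void) {
    pthread_mutex_lock(&steal_mutex);
    size_t released = steal_count;
    while (steal_count > 0) release_oldest_locked();
    pthread_mutex_unlock(&steal_mutex);
    return released;
}

/* What a dangling int pointer reads after the guarded free. The block is still
 * owned by the queue, so the read itself is on memory this program owns. */
int dangling_read(void) {
    int *p = malloc(sizeof *p);
    if (p == NULL) return -1;
    *p = 12;
    guarded_free(p, sizeof *p);
    return *p;                             /* 0x55555555 == 1431655765 */
}

/* Free n small blocks through the hook; the queue never exceeds the count cap. */
size_t fill_queue(int n) {
    size_t held = 0;
    for (int i = 0; i < n; i++) {
        int *p = malloc(16 * sizeof *p);
        if (p == NULL) return held;
        held = guarded_free(p, 16 * sizeof *p);
    }
    return held;
}

int main(void) {
    int v = dangling_read();
    size_t held = fill_queue(20);
    size_t released = steal_drain();
    return (v == 0x55555555 && held == MAX_STEAL_MEM_NUM &&
            released == MAX_STEAL_MEM_NUM) ? 0 : 1;
}
```

dangling_read() shows the deterministic garbage: an int freed through the hook reads back as 0x55555555 (1431655765), the same value the C++ output further down shows once the hook is in place. Because the block stays parked in the queue, no other allocation can land at that address until the caps push it out, which is exactly the reuse that part 2 of the article identifies as the blind spot; the size cap is what keeps the parked memory from growing without bound on a long-running app.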
Part 3: locating the wild-pointer crash
When a wild pointer crashes, output the crash location: class name and method.
- The moment an object is about to be released is a very good time to rewrite its isa:
// Runtime: get the object's class information
Class origClass = object_getClass(obj);
// Rewrite the isa of the object being released to point at a proxy class, so the crash site is captured
object_setClass(obj, [MOACatcher class]);
// Remember the original class so it can be printed
((MOACatcher *)obj).originClass = origClass;
Override the proxy class's message-forwarding methods to get the selector that was sent, and pair it with the class name captured earlier:
@interface MOACatcher : NSProxy
@property (nonatomic, assign) Class originClass; // class the object had before its isa was rewritten
@end
@implementation MOACatcher
- (NSMethodSignature *)methodSignatureForSelector:(SEL)sel {
    return [self.originClass instanceMethodSignatureForSelector:sel];
}
- (void)forwardInvocation:(NSInvocation *)invocation {
    [self _throwMessageSentExceptionWithSelector:invocation.selector];
}
// Body assumed here; the original article omits it
- (void)_throwMessageSentExceptionWithSelector:(SEL)sel {
    [NSException raise:NSInternalInconsistencyException format:@"-[%@ %@] sent to a freed object",
                       NSStringFromClass(self.originClass), NSStringFromSelector(sel)];
}
@end
What has changed since
《Three articles》 was written in March 2018, four years ago.
The wild-pointer example from the original text no longer crashes; Apple has optimized that case:
UIView *testObj = [[UIView alloc] init];
[testObj release];
// crash, supposedly inevitable
[testObj setNeedsLayout];
Under ARC, using the APIs normally used in development, writing a simple wild-pointer demo that does not crash is a little difficult; the first hurdle is getting it to compile at all, since an explicit release like the one above is rejected under ARC.
Know the wild pointer
C language:
- Producing a wild pointer
int main(void)
{
    /* Wild pointer: the pointer is not initialized, so it points at an
       arbitrary memory location; writing through it may crash the program
       or make it behave strangely */
    int *p;
    /* A random memory location is polluted */
    *p = 12;
    return 0;
}
- Normal code
#include <stdlib.h>

int main(void)
{
    int *p = (int *)malloc(sizeof(int));
    *p = 12;
    free(p);
    return 0;
}
Wild pointers in an iOS app
Generated by C++ code
#include <cstdlib>
#include <iostream>
using std::cout;
using std::endl;

void dooo(void) {
    // Allocate memory for 10 ints
    int *p1 = (int *)malloc(40);
    for (int i = 0; i < 10; i++) {
        *(p1 + i) = i;
    }
    free(p1);
    // p1 is now a wild pointer; the reads below are use-after-free
    for (int i = 0; i < 10; i++) {
        // Look at the effect of the wild pointer
        cout << *(p1 + i) << endl;
    }
    cout << "end ... " << endl;
}
Output when run:
1884647424
8037
283
3
4
5
6
7
8
9
end ...
After the hook is applied, free() first runs memset(p, 0x55, memCapacity); the output becomes:
1152095584
37299
1431634034
1431655765
1431655765
1431655765
1431655765
1431655765
1431655765
1431655765
end ...
This shows the effect of smearing the memory.
Wild pointers are more likely in C and C++ code; with ARC in 2022 it is fine.
github repo