Crash in free()

Question

I have several crash reports from an iOS app that stem from a SIGABRT in a free() call.

The call stack is consistent:

0   libsystem_kernel.dylib              0x3863c1f0 __pthread_kill + 8
1   libsystem_c.dylib                   0x385ecfdd abort + 77
2   libsystem_malloc.dylib              0x38664d67 free + 383

I'm trying to get more diagnostics, but in the meantime, did anyone encounter the same? What kind of a wrong argument would crash a free() call? I can see several options:

• a null pointer (actually legit)
• a data area pointer (i. e. a string literal)
• a stack pointer
• a garbage pointer (i. e. an uninitialized one)
• a heap pointer that was already freed

Any ideas please? Those are pretty rare, the last one was in Sep '14. But I've got over 10 total, there is probably a bug there.

Answer 1

If I read the stack dump correctly, the code triggered an assertion in free and called abort. Look at the source code for the libsystem_malloc on http://opensource.apple.com and try and figure which assertion failed.

You have a stray pointer, guessing where it is hiding from a single non reproducible crash is next to impossible. Running your application in the emulator with valgrind (if that's possible) may help you track memory misuse.

It the stack dump is longer that 3 lines, you should have an indication of which call to free caused the problem. It may help you track the bug, but it may also be a late side-effect of some earlier pointer misuse.