Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0x1073c008
Process uptime: 126675 seconds
Thread 57 (crashed)
0 libsystem_platform.dylib!_platform_memmove + 0x224
x0 = 0x000000010dad8000 x1 = 0x000000011073c008
x2 = 0x0000000000000005 x3 = 0x000000010dad8008
x4 = 0x000000000000006b x5 = 0x000000000000006b
x6 = 0x313a22726576227b x7 = 0x000000016e39d538
x8 = 0x0000000000004000 x9 = 0x0000000000000000
x10 = 0x0000000000000000 x11 = 0x0000000000000000
x12 = 0x00000000000c44b5 x13 = 0x00000000016e3600
x14 = 0x0000000000000000 x15 = 0x00000000000000cc
x16 = 0x00000001dd2ab820 x17 = 0x0000000071000000
x18 = 0x0000000000000000 x19 = 0x000000010dad8000
x20 = 0x000000011073c000 x21 = 0x000000028182cc18
x22 = 0x0000000000000015 x23 = 0x000000010dad8000
x24 = 0x0000000000000015 x25 = 0x0000000000000015
x26 = 0x0000000000000000 x27 = 0x0000000000000000
x28 = 0x0000000000000000 fp = 0x000000016e39da30
lr = 0x000000010c96fdc0 sp = 0x000000016e39d9c0
pc = 0x00000001dd2aba44
Found by: given as instruction pointer in context
1 Cronet!std::__1::enable_if<(__is_forward_iterator<char*>::value) && (is_constructible<char, std::__1::iterator_traits<char*>::reference>::value), std::__1::__wrap_iter<char*> >::type std::__1::vector<char, std::__1::allocator<char> >::insert<char*>(std::__1::__wrap_iter<char const*>, char*, char*) [memory : 1698 + 0x8]
fp = 0x000000016e39dae0 lr = 0x000000010cb77208
sp = 0x000000016e39da40 pc = 0x000000010c96fdc0
Found by: previous frame's frame pointer
2 Cronet!disk_cache::EntryImpl::InternalWriteData(int, int, net::IOBuffer*, int, base::OnceCallback<void (int)>, bool) [entry_impl.cc : 1162 + 0xc]
fp = 0x000000016e39db40 lr = 0x000000010cb7708c
sp = 0x000000016e39daf0 pc = 0x000000010cb77208
Found by: previous frame's frame pointer
3 Cronet!disk_cache::EntryImpl::WriteDataImpl(int, int, net::IOBuffer*, int, base::OnceCallback<void (int)>, bool) [entry_impl.cc : 365 + 0x1c]
fp = 0x000000016e39dbd0 lr = 0x000000010cb7c084
sp = 0x000000016e39db50 pc = 0x000000010cb7708c
Found by: previous frame's frame pointer
4 Cronet!disk_cache::BackendIO::ExecuteEntryOperation() [in_flight_backend_io.cc : 386 + 0x8]
fp = 0x000000016e39dcb0 lr = 0x000000010cad4d24
sp = 0x000000016e39dbe0 pc = 0x000000010cb7c084
Comment 1 by adeve...@gmail.com on Wed, Nov 23, 2022, 5:29 PM GMT+8 (13 days ago)
Here is the code that causes the crash:
std::unique_ptr<char, base::FreeDeleter> read_buffer_;
scoped_refptr<WrappedIOBuffer> read_buffer_wrapper_;

void HttpProtocolHandlerCore::AllocateReadBuffer(int last_read_data_size) {
  if (last_read_data_size == read_buffer_size_) {
    // If the whole buffer was filled with data then increase the buffer size
    // for the next read but don't exceed |kIOBufferMaxSize|.
    read_buffer_size_ = std::min(read_buffer_size_ * 2, kIOBufferMaxSize);
  } else if (read_buffer_size_ / 2 >= last_read_data_size) {
    // If only a half or less of the buffer was filled with data then reduce
    // the buffer size for the next read but not make it smaller than
    // |kIOBufferMinSize|.
    read_buffer_size_ = std::max(read_buffer_size_ / 2, kIOBufferMinSize);
  }
  read_buffer_.reset(static_cast<char*>(malloc(read_buffer_size_)));
  read_buffer_wrapper_ = base::MakeRefCounted<WrappedIOBuffer>(
      static_cast<const char*>(read_buffer_.get()));
}
I found the crash reason: read_buffer_wrapper_ references the memory data held by read_buffer_. BackendIO(OP_WRITE) will reference read_buffer_wrapper_ and write the memory data to the disk cache (DISK CACHE MODE). When the HTTP request is canceled by the user or times out, read_buffer_ will be freed, and the memory data held by read_buffer_ will be freed, too. But if at the same time a new BackendIO(OP_WRITE) task is being sent to the IO thread, then when the IO thread executes the BackendIO(OP_WRITE) task, it crashes.
My solution: read_buffer_wrapper_ and read_buffer_ should reference the same smart pointer.
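The lifetime rule proposed in the comment above, as an added example that is not part of the original comment or of the Cronet source. It models the request, the queued cache write and the buffer with `std::shared_ptr` and `std::weak_ptr`; `Buffer`, `CacheThread`, `Request` and `PostWrite` are hypothetical stand-ins, not Chromium types.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <string>

// All names below are hypothetical stand-ins, not Chromium or Cronet types.
using Buffer = std::string;  // owns its bytes

// Stand-in for the cache thread: tasks run later than they are posted.
struct CacheThread {
  std::queue<std::function<void()>> tasks;
  std::string disk;  // bytes the "disk cache" received
  void RunAll() {
    while (!tasks.empty()) { tasks.front()(); tasks.pop(); }
  }
};

// Stand-in for the request object that allocates the read buffer.
struct Request {
  std::shared_ptr<Buffer> read_buffer;
  void Fill(const std::string& data) { read_buffer = std::make_shared<Buffer>(data); }
  void Cancel() { read_buffer.reset(); }  // cancel or timeout drops the buffer
};

// The queued write captures a shared_ptr, so it co-owns the bytes it will copy.
void PostWrite(CacheThread& thread, std::shared_ptr<Buffer> buf) {
  thread.tasks.push([&thread, buf] { thread.disk.append(*buf); });
}

// Non-owning view (the wrapper's role): nothing keeps the bytes alive after Cancel().
bool NonOwningViewDanglesAfterCancel() {
  Request req;
  req.Fill("constructed sample body");
  std::weak_ptr<Buffer> view = req.read_buffer;
  req.Cancel();
  return view.expired();  // a raw pointer here would now be dangling
}

// Shared ownership: the write posted before Cancel() still sees valid bytes.
std::string OwningWriteAfterCancel() {
  CacheThread thread;
  Request req;
  req.Fill("constructed sample body");
  PostWrite(thread, req.read_buffer);
  req.Cancel();     // request is torn down first
  thread.RunAll();  // task runs afterwards
  return thread.disk;
}
```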