OneSignal / OneSignal-iOS-SDK

OneSignal is a free push notification service for mobile apps. This plugin makes it easy to integrate your native iOS app with OneSignal. https://onesignal.com

Heap use after free crash #281

Status: Closed (closed by revolter 6 years ago)

revolter commented 7 years ago

I receive a lot of crashes in Fabric and today it happened locally with Address Sanitizer enabled. It crashed when trying to start speech recognition using Nuance, so even though it makes no sense, it looks like -[OneSignalTrackIAP productsRequest:didReceiveResponse:] was called by it.

Here is the report:

=================================================================
==3482==ERROR: AddressSanitizer: heap-use-after-free on address 0x000175b41990 at pc 0x000103eaaff8 bp 0x00016f3959e0 sp 0x00016f395178
READ of size 3 at 0x000175b41990 thread T0
    #0 0x103eaaff7 in wrap_strlen (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x16ff7)
    #1 0x18716b433 in CFStringCreateWithCString (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x9433)
    #2 0x10265f8fb in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101bf78fb)
    #3 0x1025c9dbf in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b61dbf)
    #4 0x1025c956b in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b6156b)
    #5 0x1025cd80f in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b6580f)
    #6 0x1025cd673 in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b65673)
    #7 0x10106980b in -[NuanceSpeechRecognizer start] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x10060180b)
    #8 0x100c35fab in __39-[LessonRViewController startRecording]_block_invoke (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x1001cdfab)
    #9 0x103ee20eb in __wrap_dispatch_after_block_invoke (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x4e0eb)
    #10 0x10516945b in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x145b)
    #11 0x1051767ff in _dispatch_continuation_pop (/usr/lib/system/introspection/libdispatch.dylib:arm64+0xe7ff)
    #12 0x10516b24b in _dispatch_source_invoke (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x324b)
    #13 0x10516de8b in _dispatch_main_queue_callback_4CF (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x5e8b)
    #14 0x18724bf1f in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xe9f1f)
    #15 0x187249afb in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xe7afb)
    #16 0x18716a2d7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x82d7)
    #17 0x188ffbf83 in GSEventRunModal (/System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices:arm64+0xaf83)
    #18 0x19071687f in UIApplicationMain (/System/Library/Frameworks/UIKit.framework/UIKit:arm64+0x7387f)
    #19 0x100ea0e3f in main (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x100438e3f)
    #20 0x186c8e56b in <redacted> (/usr/lib/system/libdyld.dylib:arm64+0x156b)

0x000175b41990 is located 0 bytes inside of 48-byte region [0x000175b41990,0x000175b419c0)
freed by thread T0 here:
    #0 0x103ee2de7 in wrap_free (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x4ede7)
    #1 0x186772787 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::~basic_string() (/usr/lib/libc++.1.dylib:arm64+0x3e787)
    #2 0x102669dcb in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101c01dcb)
    #3 0x10265f8cf in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101bf78cf)
    #4 0x1025c9dbf in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b61dbf)
    #5 0x1025c956b in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b6156b)
    #6 0x1025cd80f in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b6580f)
    #7 0x1025cd673 in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b65673)
    #8 0x10106980b in -[NuanceSpeechRecognizer start] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x10060180b)
    #9 0x100c35fab in __39-[LessonRViewController startRecording]_block_invoke (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x1001cdfab)
    #10 0x103ee20eb in __wrap_dispatch_after_block_invoke (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x4e0eb)
    #11 0x10516945b in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x145b)
    #12 0x1051767ff in _dispatch_continuation_pop (/usr/lib/system/introspection/libdispatch.dylib:arm64+0xe7ff)
    #13 0x10516b24b in _dispatch_source_invoke (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x324b)
    #14 0x10516de8b in _dispatch_main_queue_callback_4CF (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x5e8b)
    #15 0x18724bf1f in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xe9f1f)
    #16 0x187249afb in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xe7afb)
    #17 0x18716a2d7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x82d7)
    #18 0x188ffbf83 in GSEventRunModal (/System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices:arm64+0xaf83)
    #19 0x19071687f in UIApplicationMain (/System/Library/Frameworks/UIKit.framework/UIKit:arm64+0x7387f)
    #20 0x100ea0e3f in main (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x100438e3f)
    #21 0x186c8e56b in <redacted> (/usr/lib/system/libdyld.dylib:arm64+0x156b)

previously allocated by thread T0 here:
    #0 0x103ee2c47 in wrap_malloc (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x4ec47)
    #1 0x104f655d3 in operator new(unsigned long) (/Developer/Library/PrivateFrameworks/GPUTools.framework/libglInterpose.dylib:arm64+0x2315d3)
    #2 0x186771593 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) (/usr/lib/libc++.1.dylib:arm64+0x3d593)
    #3 0x102669db3 in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101c01db3)
    #4 0x10265f8cf in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101bf78cf)
    #5 0x1025c9dbf in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b61dbf)
    #6 0x1025c956b in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b6156b)
    #7 0x1025cd80f in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b6580f)
    #8 0x1025cd673 in -[OneSignalTrackIAP productsRequest:didReceiveResponse:] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x101b65673)
    #9 0x10106980b in -[NuanceSpeechRecognizer start] (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x10060180b)
    #10 0x100c35fab in __39-[LessonRViewController startRecording]_block_invoke (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x1001cdfab)
    #11 0x103ee20eb in __wrap_dispatch_after_block_invoke (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x4e0eb)
    #12 0x10516945b in _dispatch_client_callout (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x145b)
    #13 0x1051767ff in _dispatch_continuation_pop (/usr/lib/system/introspection/libdispatch.dylib:arm64+0xe7ff)
    #14 0x10516b24b in _dispatch_source_invoke (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x324b)
    #15 0x10516de8b in _dispatch_main_queue_callback_4CF (/usr/lib/system/introspection/libdispatch.dylib:arm64+0x5e8b)
    #16 0x18724bf1f in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xe9f1f)
    #17 0x187249afb in <redacted> (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0xe7afb)
    #18 0x18716a2d7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64+0x82d7)
    #19 0x188ffbf83 in GSEventRunModal (/System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices:arm64+0xaf83)
    #20 0x19071687f in UIApplicationMain (/System/Library/Frameworks/UIKit.framework/UIKit:arm64+0x7387f)
    #21 0x100ea0e3f in main (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/MyAppName:arm64+0x100438e3f)
    #22 0x186c8e56b in <redacted> (/usr/lib/system/libdyld.dylib:arm64+0x156b)

SUMMARY: AddressSanitizer: heap-use-after-free (/var/containers/Bundle/Application/246725EB-0BB5-474C-9538-CD6F6DD73B2A/MyAppName.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64+0x16ff7) in wrap_strlen
Shadow bytes around the buggy address:
  0x0001345c82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0001345c82f0: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0001345c8300: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0001345c8310: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0001345c8320: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x0001345c8330: fa fa[fd]fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0001345c8340: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0001345c8350: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0001345c8360: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
  0x0001345c8370: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0001345c8380: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3482==ABORTING
AddressSanitizer report breakpoint hit. Use 'thread info -s' to get extended information about the report.

And some commands I ran:

(lldb) thread info -s
thread #1: tid = 0x1ae055, 0x0000000103eeaf68 libclang_rt.asan_ios_dynamic.dylib`__asan::AsanDie(), queue = 'com.apple.main-thread', stop reason = Use of deallocated memory

{
  "access_size" : 3,
  "access_type" : 0,
  "address" : 6269704592,
  "description" : "heap-use-after-free",
  "instrumentation_class" : "AddressSanitizer",
  "pc" : 4360679416,
  "stop_type" : "fatal_error"
}

(lldb) po 0x000175b41990
6269704592

(lldb) po self.speechTransaction
 nil

(lldb) po self.speechSession
<SKSession: 0x169c73350>

(lldb) po SKTransactionSpeechTypeDictation
dictation

(lldb) po self
<NuanceSpeechRecognizer: 0x16a07a550>

The actual line that crashed is:

self.speechTransaction = [self.speechSession recognizeWithType:SKTransactionSpeechTypeDictation detection:SKTransactionEndOfSpeechDetectionLong language:languageTagName delegate:self];

where the properties are:

@property (strong, nonatomic) SKTransaction *speechTransaction;
@property (strong, nonatomic) SKSession *speechSession;
NSString *languageTagName = @"spa-ESP";

Here is a screenshot of the Debug navigator:

[screenshot of the Debug navigator, taken 2017-09-26 14:50:38; image not reproduced here]

where the long, truncated line is:

2   std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) ()

and I guess that the ___lldb_unnamed_symbols represent the -[OneSignalTrackIAP productsRequest:didReceiveResponse:] method.

I'm using the OneSignal Cocoapod version 2.5.4.
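The three stacks in the report above have a recognisable shape: the buffer is malloc'd inside basic_string's copy constructor, freed inside ~basic_string, and then read by strlen on behalf of CFStringCreateWithCString. That is what AddressSanitizer prints when a `const char *` obtained from a std::string's `c_str()` is used after the std::string itself has been destroyed. The following is an added example written for this page; it is not code from the OneSignal SDK or from the reporter's app. `c_api_copy_string` is a hypothetical stand-in for CFStringCreateWithCString (CoreFoundation is not available off-device), and `product_identifier` / `kStoredProductId` are constructed names and sample data. One caveat on reading the report itself: frames #2 to #6 of every stack carry the same method name at five different offsets, which is how a stripped binary symbolicates when the debugger attributes each address to the nearest preceding exported symbol (the reporter's own reading of the ___lldb_unnamed_symbols), so the report pins down the lifetime pattern but not, by itself, which code owns the freed string.

```cpp
// Added example, not code from the OneSignal SDK or from the bug report above.
// It reproduces the lifetime mistake whose ASan signature matches the report:
// a std::string copy is allocated, destroyed (freeing its heap buffer), and the
// buffer is then read by strlen() inside a C API that expects a live C string.
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <functional>
#include <string>

// Hypothetical stand-in for a C API such as CFStringCreateWithCString: it takes
// a NUL-terminated pointer and measures it with strlen(), which is frame #0/#1
// of the READ stack in the report. The caller owns the returned copy.
static char *c_api_copy_string(const char *cstr) {
    std::size_t n = std::strlen(cstr);   // ASan's wrap_strlen fires here if cstr dangles
    char *out = static_cast<char *>(std::malloc(n + 1));
    std::memcpy(out, cstr, n + 1);
    return out;
}

// Hypothetical getter returning a COPY of a stored std::string by value. That
// copy is what "previously allocated by ... basic_string(const basic_string&)"
// refers to. At 44 characters (constructed sample) it exceeds the small-string
// buffer of libc++ (22 chars) and libstdc++ (15), so the characters live in a
// separate heap block, like the 48-byte region in the report.
static const std::string kStoredProductId = "com.example.app.premium.monthly.subscription";
static std::string product_identifier() { return kStoredProductId; }

// BUGGY: c_str() is taken from a temporary. The temporary is destroyed at the
// end of the full expression ("freed by ... ~basic_string()"), so `dangling`
// already points into a freed heap block when the C API reads it.
// Only run on request (see main): it is undefined behaviour; build with
// -fsanitize=address to get a heap-use-after-free report with the same three
// stacks (malloc in copy ctor, free in dtor, READ in strlen) as above.
static char *bridge_dangling() {
    const char *dangling = product_identifier().c_str();
    return c_api_copy_string(dangling);   // heap-use-after-free READ in strlen
}

// FIXED: bind the result to a named local so the std::string, and therefore
// the buffer c_str() points into, outlives every use of the pointer.
static std::string bridge_safely() {
    std::string id = product_identifier();
    char *copy = c_api_copy_string(id.c_str());   // id is still alive here
    std::string result(copy);
    std::free(copy);
    return result;
}

// Why the bug is length-dependent: if data() lies inside the std::string object
// itself, the characters sit in the small-string buffer rather than on the
// heap, and the same mistake would surface (if at all) as a stack error, not
// as heap-use-after-free. Pointers are compared via std::less to stay defined.
static bool uses_inline_storage(const std::string &s) {
    const char *obj = reinterpret_cast<const char *>(&s);
    std::less_equal<const char *> le;
    std::less<const char *> lt;
    return le(obj, s.data()) && lt(s.data(), obj + sizeof(s));
}

int main() {
    // Opt-in reproduction of the buggy path; never taken in a normal run.
    if (std::getenv("REPRODUCE_UAF") != nullptr) {
        std::free(bridge_dangling());
    }
    return bridge_safely() == kStoredProductId ? 0 : 1;
}
```

Build with `clang++ -std=c++17 -g -fsanitize=address` and run with `REPRODUCE_UAF=1` set to see the buggy path reported; the safe path runs by default. The `uses_inline_storage` helper is the check to reach for when a crash like this is intermittent: a shorter identifier that fits the small-string buffer never touches the heap, so the same dangling pointer goes unreported until a longer string (a real App Store product identifier, for instance) forces a heap allocation.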

Nightsd01 commented 6 years ago

Hi @revolter, thank you so much for your very detailed bug report. We have been unable to reproduce this bug.

Are you still encountering it in the latest version of the SDK?

I'll be closing this issue due to inactivity, but if you are still encountering it in the latest version, please feel free to respond.