FPRSessionDetails: Attempted to dereference garbage pointer #8691

Closed
azouts opened this issue Sep 23, 2021 · 5 comments · Fixed by #8924

@azouts

azouts commented Sep 23, 2021

[REQUIRED] Step 1: Describe your environment

  • Xcode version: 12.3
  • Firebase SDK version: 8.2
  • Installation method: CocoaPods
  • Firebase Component: Performance

[REQUIRED] Step 2: Describe the problem

A random crash of the app that uses the Firebase SDK.

Steps to reproduce:

EXC_BAD_ACCESS: remoteConfigFlags > sessionCreationTime > sessionLengthInMinutes >
Attempted to dereference garbage pointer 0x43b8c8b79110.
File "FirebasePerformance/FirebasePerformance/Sources/AppActivity/FPRSessionDetails.m", line 43, in -[FPRSessionDetails sessionLengthInMinutes]
File "FirebasePerformance/FirebasePerformance/Sources/AppActivity/FPRSessionManager.m", line 78, in -[FPRSessionManager renewSessionIdIfRunningTooLong]
File "FirebasePerformance/FirebasePerformance/Sources/FPRClient.m", line 246, in -[FPRClient logGaugeMetric:forSessionId:]
File "FirebasePerformance/FirebasePerformance/Sources/Gauges/FPRGaugeManager.m", line 184, in __69-[FPRGaugeManager prepareAndDispatchCollectedGaugeDataWithSessionId:]_block_invoke_2
...

Relevant Code:

- (NSUInteger)sessionLengthInMinutes {
  NSTimeInterval sessionLengthInSeconds = ABS([self.sessionCreationTime timeIntervalSinceNow]);
  return (sessionLengthInSeconds / 60);
}

Don't know how to reproduce.

@rizafran
Contributor

Hi @azouts, do you also encounter the issue when using the latest SDK version?

@azouts
Author

azouts commented Sep 27, 2021

Hi @rizafran, the issue came from some user in Sentry and we don't know how to reproduce it. It's a random thing. We have updated to the latest SDK but the new SDK change log doesn't include something relevant to this crash.

@morganchen12
Contributor

Are you able to reproduce this with any memory debugging tools (zombies, asan)?

@azouts
Author

azouts commented Sep 30, 2021

@rizafran In SDK 8.7.0 I got this error on Firebase Performance with zombies and ASan:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608001b0ad80 at pc 0x00011d175464 bp 0x70000ed59940 sp 0x70000ed59100
READ of size 81 at 0x608001b0ad80 thread T202
    #0 0x11d175463 in wrap_strlen+0x183 (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x14463)
    #1 0x7fff20843b12 in +[NSString stringWithCString:encoding:]+0x20 (Foundation:x86_64+0x128b12)
    #2 0x11ee1f354 in FPRDecodeString FPRNanoPbUtils.m:160
    #3 0x11edef869 in __29-[FPRClient logNetworkTrace:]_block_invoke FPRClient.m:220
    #4 0x11d1a1afa in __wrap_dispatch_group_async_block_invoke+0xca (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x40afa)
    #5 0x121bb77eb in _dispatch_call_block_and_release+0xb (libdispatch.dylib:x86_64+0x27eb)
    #6 0x121bb89c7 in _dispatch_client_callout+0x7 (libdispatch.dylib:x86_64+0x39c7)
    #7 0x121bbf43f in _dispatch_lane_serial_drain+0x4c5 (libdispatch.dylib:x86_64+0xa43f)
    #8 0x121bbff66 in _dispatch_lane_invoke+0x1b6 (libdispatch.dylib:x86_64+0xaf66)
    #9 0x121bcbde1 in _dispatch_workloop_worker_thread+0x371 (libdispatch.dylib:x86_64+0x16de1)
    #10 0x7fff60c8f45c in _pthread_wqthread+0x139 (libsystem_pthread.dylib:x86_64+0x345c)
    #11 0x7fff60c8e42e in start_wqthread+0xe (libsystem_pthread.dylib:x86_64+0x242e)

0x608001b0ad80 is located 0 bytes to the right of 96-byte region [0x608001b0ad20,0x608001b0ad80)
allocated by thread T202 here:
    #0 0x11d1a2b02 in wrap_calloc+0xa2 (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x41b02)
    #1 0x7fff20188a0e in class_createInstance+0x36 (libobjc.A.dylib:x86_64+0x16a0e)
    #2 0x7fff207f1afd in NSAllocateObject+0xe (Foundation:x86_64+0xd6afd)
    #3 0x7fff2074f041 in -[_NSPlaceholderData initWithBytes:length:copy:deallocator:]+0x40 (Foundation:x86_64+0x34041)
    #4 0x7fff20751456 in -[NSData(NSData) initWithBytes:length:]+0x24 (Foundation:x86_64+0x36456)
    #5 0x7fff2075117a in +[NSData(NSData) dataWithBytes:length:]+0x27 (Foundation:x86_64+0x3617a)
    #6 0x11ee1f0a2 in FPRDecodeData FPRNanoPbUtils.m:154
    #7 0x11ee1f279 in FPRDecodeString FPRNanoPbUtils.m:159
    #8 0x11edef869 in __29-[FPRClient logNetworkTrace:]_block_invoke FPRClient.m:220
    #9 0x11d1a1afa in __wrap_dispatch_group_async_block_invoke+0xca (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x40afa)
    #10 0x121bb77eb in _dispatch_call_block_and_release+0xb (libdispatch.dylib:x86_64+0x27eb)
    #11 0x121bb89c7 in _dispatch_client_callout+0x7 (libdispatch.dylib:x86_64+0x39c7)
    #12 0x121bbf43f in _dispatch_lane_serial_drain+0x4c5 (libdispatch.dylib:x86_64+0xa43f)
    #13 0x121bbff66 in _dispatch_lane_invoke+0x1b6 (libdispatch.dylib:x86_64+0xaf66)
    #14 0x121bcbde1 in _dispatch_workloop_worker_thread+0x371 (libdispatch.dylib:x86_64+0x16de1)
    #15 0x7fff60c8f45c in _pthread_wqthread+0x139 (libsystem_pthread.dylib:x86_64+0x345c)
    #16 0x7fff60c8e42e in start_wqthread+0xe (libsystem_pthread.dylib:x86_64+0x242e)

Thread T202 created by T0 here:
    <empty stack>

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x14463) in wrap_strlen+0x183
==57960==ABORTING

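The ASan report above shows +[NSString stringWithCString:encoding:] calling strlen() on bytes that FPRDecodeData wrapped in a 96-byte NSData with no trailing NUL, so the scan runs off the end of the allocation. This added C example (not Firebase's code, and not the fix that landed in #8924, which is not shown here) models that region, checks whether a strlen() over it would stay in bounds, and shows a length-bounded decode that needs no terminator in the source; the bounded approach is an assumption about the right shape of a fix.

```c
/* Added example (not Firebase code): models the over-read in the ASan report
 * above. The decoded bytes sit in a 96-byte NSData region with no trailing
 * NUL, and +[NSString stringWithCString:encoding:] runs strlen() on them,
 * which keeps reading past the end of the allocation. */
#include <stdlib.h>
#include <string.h>

#define REGION_LEN 96  /* size of the heap region in the report */

/* Returns 1 if strlen() would stop inside the buffer, 0 if it would read
 * past the end (the heap-buffer-overflow ASan flagged in wrap_strlen). */
int strlen_stays_in_bounds(const unsigned char *buf, size_t len) {
    return memchr(buf, '\0', len) != NULL;
}

/* Length-bounded decode: copies exactly len bytes and appends the NUL
 * itself, so strlen() never runs over the source region. This is the C
 * shape of a length-taking NSString initialiser instead of a C-string one
 * (an assumption about the fix, not the project's patch). Caller frees. */
char *decode_string_bounded(const unsigned char *buf, size_t len) {
    char *out = malloc(len + 1);
    if (out == NULL) {
        return NULL;
    }
    memcpy(out, buf, len);
    out[len] = '\0';
    return out;
}

/* Constructed sample: 96 printable bytes with no NUL, like the region the
 * report's strlen() ran off the end of. Returns 1 when the check shows
 * strlen() would over-read and the bounded decode still yields all 96. */
int demo(void) {
    unsigned char region[REGION_LEN];
    memset(region, 'A', sizeof region);
    int in_bounds = strlen_stays_in_bounds(region, sizeof region); /* 0 */
    char *s = decode_string_bounded(region, sizeof region);
    if (s == NULL) {
        return 0;
    }
    size_t n = strlen(s); /* 96: the NUL we appended stops the scan */
    free(s);
    return in_bounds == 0 && n == REGION_LEN;
}

int main(void) {
    return demo() ? 0 : 1;
}
```

Running the unsafe variant (strlen() straight over `region`) under ASan reproduces a wrap_strlen heap-buffer-overflow like the one in the report; the bounded decode is clean under the same build.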

@visumickey
Contributor

There are 2 issues relevant to this bug:

  1. Issue related to the sessionLengthInMinutes
  2. Issue related to running address sanitizer on Firebase performance SDK.

For the second issue, a fix is already rolled out here.

For the first issue, I see an obvious issue where we are dividing NSTimeInterval (float) by an integer and returning back an NSUInteger, which is prone to issues. So, we will roll out a fix to handle this cleanly. But apart from that, we don't see anything concerning in this piece of code.
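The conversion concern in the comment above, as an added C example that is neither Firebase's code nor the fix in #8924 (not shown on this page): the typedefs model Foundation's NSTimeInterval and 64-bit NSUInteger, and the policy for the edge cases (NaN counts as 0 minutes, out-of-range values clamp rather than wrap) is an assumption.

```c
/* Added example (not Firebase code): the conversion hazard named above.
 * NSTimeInterval is a double and NSUInteger an unsigned integer; returning
 * (seconds / 60) as NSUInteger converts implicitly, and in C converting a
 * NaN, negative or out-of-range double to an unsigned type is undefined
 * behaviour. The checked version makes each step explicit. */
#include <stdio.h>

typedef double NSTimeInterval;     /* as in Foundation */
typedef unsigned long NSUInteger;  /* 64-bit Foundation builds */

#define TWO_POW_64 18446744073709551616.0  /* first double past NSUInteger */

/* Mirrors the original: take the magnitude of the interval since now,
 * divide by 60 and return whole minutes, but only after checking that the
 * value is one the conversion is defined for. Assumed policy: NaN (garbage
 * or unset time) counts as 0 minutes; anything past the NSUInteger range,
 * including +infinity, is clamped to NSUIntegerMax instead of wrapping. */
NSUInteger sessionLengthInMinutesChecked(NSTimeInterval intervalSinceNow) {
    if (intervalSinceNow != intervalSinceNow) {  /* NaN never equals itself */
        return 0;
    }
    double seconds = intervalSinceNow < 0 ? -intervalSinceNow : intervalSinceNow;
    double minutes = seconds / 60.0;  /* double division, not integer */
    if (minutes >= TWO_POW_64) {      /* also true for +infinity */
        return (NSUInteger)-1;        /* NSUIntegerMax */
    }
    return (NSUInteger)minutes;       /* in range: truncation is defined */
}

int main(void) {
    /* constructed inputs: 90 s ago, 1 h ago, a NaN and an absurd value */
    double zero = 0.0;
    printf("%lu %lu %lu %lu\n",
           sessionLengthInMinutesChecked(-90.0),
           sessionLengthInMinutesChecked(-3600.0),
           sessionLengthInMinutesChecked(zero / zero),
           sessionLengthInMinutesChecked(1e30));
    return 0;
}
```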

@firebase firebase locked and limited conversation to collaborators Dec 4, 2021