Preface
Before reading this article, please read "Xcode Debugging Efficiency" first.
On iOS 9.0 we ran into a problem: long-pressing a section in a UITableView, when our interaction requires a menu to pop up, produces the reproducible crash shown in the figure below.

Installing lldb's malloc commands (the heap script that ships with Xcode's lldb):
vim ~/.lldbinit
add the line: command script import lldb.macosx.heap
press Esc
type :wq to save and exit
I. Analysis
Questions:
1. What exactly is this NSDictionary? Is it the UITableView's data source?
2. If it is the data source, is the crash caused by multithreading? (An NSDictionary that is not protected against concurrent access crashes very easily: when set and get are called at the same time, an object that has just been removed becomes a dangling pointer, and the get immediately crashes on it.)
3. Is the problem caused by MRC (manual reference counting)?
Verification process:
1. Since the project is large, we recommend writing a demo first. (Some build settings of a large project can prevent certain lldb commands from working.) This point alone cost us a great deal of effort analysing the NSZombie malloc history, with no result.
Result:
After splitting a demo out of the project, we found we had no NSDictionary of our own at all, so that possibility was ruled out. But then why does the problem occur, and what is this NSDictionary?
II. Process analysis
1. Look at the crash source
(lldb) command script import "lldb.macosx.heap"
(lldb) bt
* thread #1: tid = 0xbe55, 0x0000000100ded805 libobjc.A.dylib`objc_msgSend + 5, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1)
frame #0: 0x0000000100ded805 libobjc.A.dylib`objc_msgSend + 5
frame #1: 0x00000001012fb1a5 CoreFoundation`-[NSDictionary descriptionWithLocale:indent:] + 373
frame #2: 0x000000010097d3f4 Foundation`_NSDescriptionWithLocaleFunc + 64
frame #3: 0x000000010124fe4d CoreFoundation`__CFStringAppendFormatCore + 9597
frame #4: 0x000000010133c563 CoreFoundation`_CFStringCreateWithFormatAndArgumentsAux2 + 259
frame #5: 0x000000010134ce0a CoreFoundation`_CFLogvEx2 + 154
frame #6: 0x000000010134cf6b CoreFoundation`_CFLogvEx3 + 171
frame #7: 0x0000000100a53d5e Foundation`_NSLogv + 117
frame #8: 0x00000001009a35e2 Foundation`NSLog + 152
* frame #9: 0x000000010183fc5e UIKit`-[UITableView reloadData] + 1853
frame #10: 0x00000001008d436c Test`-[SectionHeader showPendingMenu](self=0x00007fab6b443250, _cmd="showPendingMenu") + 572 at FirstViewController.m:47
frame #11: 0x00000001008d411b Test`-[SectionHeader longPress](self=0x00007fab6b443250, _cmd="longPress") + 43 at FirstViewController.m:27
frame #12: 0x0000000101bc6b40 UIKit`_UIGestureRecognizerSendTargetActions + 153
frame #13: 0x0000000101bc36af UIKit`_UIGestureRecognizerSendActions + 162
frame #14: 0x0000000101bc1f01 UIKit`-[UIGestureRecognizer _updateGestureWithEvent:buttonEvent:] + 822
frame #15: 0x0000000101bc93f3 UIKit`___UIGestureRecognizerUpdate_block_invoke809 + 79
frame #16: 0x0000000101bc9291 UIKit`_UIGestureRecognizerRemoveObjectsFromArrayAndApplyBlocks + 342
frame #17: 0x0000000101bbaeb4 UIKit`_UIGestureRecognizerUpdate + 2624
frame #18: 0x00000001012899d7 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
frame #19: 0x0000000101289947 CoreFoundation`__CFRunLoopDoObservers + 391
frame #20: 0x000000010127f59b CoreFoundation`__CFRunLoopRun + 1147
frame #21: 0x000000010127ee98 CoreFoundation`CFRunLoopRunSpecific + 488
frame #22: 0x0000000104a5aad2 GraphicsServices`GSEventRunModal + 161
frame #23: 0x000000010170a676 UIKit`UIApplicationMain + 171
frame #24: 0x00000001008d4c9f Test`main(argc=1, argv=0x00007fff5f32c618) + 111 at main.m:14
frame #25: 0x00000001039e992d libdyld.dylib`start + 1
frame #26: 0x00000001039e992d libdyld.dylib`start + 1
2. Catching the exception

Using a conditional breakpoint we look at the last call site, then print the current register values:
(lldb) register read
General Purpose Registers:
rax = 0x0000000109a1b001 CoreFoundation`_CFRuntimeGetClassWithTypeID + 17
rbx = 0x00007feb75041a70
rcx = 0x0000000000000000
rdx = 0x0000000000000000
rdi = 0x00007feb75041a70
rsi = 0x0000000109c8db63 "descriptionWithLocale:"
rbp = 0x00007fff56c08380
rsp = 0x00007fff56c08368
r8 = 0x0000000080000000
r9 = 0x000000000000001f
r10 = 0x00007feb736203e0
r11 = 0x0000000109ca0ef0 (void *)0x0000000109ca0f18: __NSCFDictionary
r12 = 0x00007feb7346f180
r13 = 0x00007fff56c08fe0
r14 = 0x0000000000000000
r15 = 0x000000010a98788e "There are visible views left after reusing them all: %@"
rip = 0x0000000109a1b010 CoreFoundation`-[NSDictionary descriptionWithLocale:]
rflags = 0x0000000000000246
cs = 0x000000000000002b
fs = 0x0000000000000000
gs = 0x0000000000000000
From this register dump we can find rdi, the first argument of the objc_msgSend call (the receiver, i.e. the dictionary being described). Now we look up the malloc history of that address with the heap script's malloc_info --stack-history command:
0x00007fc93a638050: malloc( 64) -> 0x7fc93a638050 __NSCFDictionary.NSMutableDictionary.NSDictionary.NSObject.isa
stack[0]: addr = 0x7fc93a638050, type=malloc, frames:
[0] 0x000000010bb44391 libsystem_malloc.dylib`malloc_zone_malloc + 107
[1] 0x00000001091b3c36 CoreFoundation`_CFRuntimeCreateInstance + 310
[2] 0x00000001091b3712 CoreFoundation`CFBasicHashCreate + 114
[3] 0x00000001091b6674 CoreFoundation`CFDictionaryCreateMutable + 212
[4] 0x00000001097d482e UIKit`-[UITableView _setupTableViewCommon] + 137
[5] 0x00000001097d4e89 UIKit`-[UITableView initWithFrame:style:] + 205
[6] 0x000000010886e63e Test`-[FirstViewController loadView] + 254 at FirstViewController.m:0
[7] 0x000000010982f47c UIKit`-[UIViewController loadViewIfRequired] + 139
[8] 0x0000000109872c26 UIKit`-[UINavigationController _layoutViewController:] + 54
CFDictionaryCreateMutable is the key function: the stack history tells us the object was allocated by UIKit itself, inside -[UITableView _setupTableViewCommon]. The natural next step is to look at the system CFDictionary API, where we find the CFDictionarySetValue function that fills such a dictionary.
III. Solution
1. Intercepting with a hook
To intercept a C function of the CoreFoundation library, ordinary Objective-C method swizzling obviously cannot do it, but fortunately Facebook provides fishhook; for how fishhook works, see "iOS Security Offense and Defense (17): Fishhook".
Now let's intercept it and take a look.

A surprise appears: at this point the key's value is actually 0x01, which is obviously wrong! The internal implementation must be assigning some integer value to a pointer that is supposed to be an NSObject.
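As an added example (not the author's or Yue Ming's code), this is how the fishhook rebinding for the interception step above can be wired up, with a diagnostic replacement that changes nothing and only reports keys that cannot be object pointers; the 4096 threshold and the constructor-based installation are my assumptions.

```objc
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>
#import "fishhook.h"   // https://github.com/facebook/fishhook

// Slot that fishhook fills with the address of the real CFDictionarySetValue.
static void (*orig_CFDictionarySetValue)(CFMutableDictionaryRef, const void *, const void *);

// Diagnostic replacement: no behaviour change, it only reports keys that cannot be
// valid pointers. Assumption: nothing below 4096 is a mapped address on iOS, so a
// key such as 0x1 is an integer that was handed to the dictionary by mistake.
// The value is logged as an address only, because it may not be an ObjC object.
static void diag_CFDictionarySetValue(CFMutableDictionaryRef theDict,
                                      const void *key, const void *value) {
    if ((uintptr_t)key < 4096) {
        NSLog(@"suspicious key %p in dict %p, value %p", key, theDict, value);
        NSLog(@"%@", [NSThread callStackSymbols]);   // shows who inserted it
    }
    orig_CFDictionarySetValue(theDict, key, value);
}

// Install the hook as early as possible, before UITableView sets up its dictionaries.
__attribute__((constructor))
static void install_dictionary_hook(void) {
    struct rebinding rb = {
        "CFDictionarySetValue",              // symbol to rebind in every loaded image
        (void *)diag_CFDictionarySetValue,   // replacement
        (void **)&orig_CFDictionarySetValue  // receives the original address
    };
    int rc = rebind_symbols(&rb, 1);         // 0 on success
    NSLog(@"rebind_symbols(CFDictionarySetValue) returned %d", rc);
}
```

Once the call stack for the 0x1 key is logged, the same rebinding can point at the replacement hook in the next section instead.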
2. Replacing the key with a check
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>

// Original CFDictionarySetValue, filled in by fishhook's rebind_symbols.
static void (*orig_CFDictionarySetValue)(CFMutableDictionaryRef theDict, const void *key, const void *value);

void my_CFDictionarySetValue(CFMutableDictionaryRef theDict, const void *key, const void *value) {
    NSLog(@"wym Calling my_CFDictionarySetValue, %p, k:%p, v:%p\n", theDict, key, value);
    const void *newKey = key;
    // The bogus key is the integer 1 stored in a pointer; compare as uintptr_t, not by truncating to int.
    if ((uintptr_t)key == 1 && [NSStringFromClass([(__bridge NSObject *)value class]) isEqualToString:@"SectionHeader"]) {
        // Substitute a real object key (the header's hash boxed as an NSNumber) so the dictionary never holds the bad pointer.
        newKey = (__bridge void *)[NSNumber numberWithUnsignedInteger:[(__bridge NSObject *)value hash]];
        //NSLog(@"%@", [NSThread callStackSymbols]);
    }
    orig_CFDictionarySetValue(theDict, newKey, value);
}
With this in place we no longer crash.
3. Conclusion
The whole story is now clear. What is given here is only one approach to solving the problem. In real development we do not recommend doing this: the method affects app performance, since the hook runs on every dictionary insert in the process. We suggest simulating the section header with a UIButton to avoid the problem instead.
這個問題的解決并不是本人,只是對大神岳明哥的思路進(jìn)行了總結(jié),一切版權(quán)以及所有權(quán)歸岳明哥所有!非經(jīng)作者允許不得轉(zhuǎn)載!~