memory-leaks - UIWebView 中类型范围泄漏的输入元素

Question

当我发现我的 UIWebView 中类型范围的输入元素在添加到文档时泄漏了 12 个字节时，我正要提交我的应用程序以供审核。没有后续泄漏；即使使用 slider 也不行。

对于如何继续我的提交的任何建议，我将不胜感激。我应该担心 12 个字节吗？我是否应该找到解决这个问题的方法，比如说，根本不使用这个元素？或者，我应该向审阅者记录泄漏情况(在审阅注释栏下)吗？

泄漏可以用最小的 UIWebView 应用程序复制:

#import "TjaViewController.h"

@interface TjaViewController ()
@property (weak, nonatomic) IBOutlet UIWebView *webView;
@end

@implementation TjaViewController

- (void)viewDidLoad
{
    [super viewDidLoad];
    [self.webView loadHTMLString:@"<input type='range'>" baseURL:nil];
}

@end

使用 Instruments 分析应用程序会产生具有以下属性的单个泄漏:

类别:Malloc 12 字节
保留计数:1
负责库:JavaScriptCore
负责任的调用者:WTF::fastMalloc(unsigned long)

堆栈发呆:

32 libsystem_pthread.dylib thread_start
31 libsystem_pthread.dylib _pthread_start
30 libsystem_pthread.dylib _pthread_body
29 WebCore RunWebThread(void*)
28 CoreFoundation CFRunLoopRunInMode
27 CoreFoundation CFRunLoopRunSpecific
26 CoreFoundation __CFRunLoopRun
25 CoreFoundation __CFRunLoopDoSources0
24 CoreFoundation __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
23 WebCore HandleRunSource
22 WebCore ___ZN7WebCoreL26applicationDidBecomeActiveEP22__CFNotificationCenterPvPK10__CFStringPKvPK14__CFDictionary_block_invoke
21 WebCore WebCore::ThreadTimers::sharedTimerFiredInternal()
20 WebCore WebCore::DocumentLoader::handleSubstituteDataLoadNow(WebCore::Timer<WebCore::DocumentLoader>*)
19 WebCore WebCore::DocumentLoader::responseReceived(WebCore::CachedResource*, WebCore::ResourceResponse const&)
18 WebCore WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction)
17 WebCore WebCore::DocumentLoader::dataReceived(WebCore::CachedResource*, char const*, int)
16 WebCore WebCore::DocumentLoader::commitLoad(char const*, int)
15 WebKit WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int)
14 WebKit -[WebDataSource(WebInternal) _receivedData:]
13 WebKit -[WebHTMLRepresentation receivedData:withDataSource:]
12 WebCore WebCore::DocumentLoader::commitData(char const*, unsigned long)
11 WebCore WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, unsigned long)
10 WebCore WebCore::HTMLDocumentParser::append(WTF::PassRefPtr<WTF::StringImpl>)
9 WebCore WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
8 WebCore WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLToken&)
7 WebCore WebCore::HTMLConstructionSite::executeQueuedTasks()
6 WebCore WebCore::executeTask(WebCore::HTMLConstructionSiteTask&)
5 WebCore WebCore::insert(WebCore::HTMLConstructionSiteTask&, bool)
4 WebCore WebCore::HTMLInputElement::attach(WebCore::Node::AttachContext const&)
3 WebCore WebCore::FeatureObserver::didObserve(WebCore::FeatureObserver::Feature)
2 JavaScriptCore WTF::BitVector::resizeOutOfLine(unsigned long)
1 JavaScriptCore WTF::fastMalloc(unsigned long)
0 JavaScriptCore WTF::MallocHook::recordAllocation(void*, unsigned long)

Answer 1

我想我明白了

似乎是 libWTF 中的一个漏洞

这是来自 https://github.com/leolannenmaki/JavaScriptCore-iOS 的原始代码

void BitVector::resizeOutOfLine(size_t numBits)
{
    ASSERT(numBits > maxInlineBits());
    OutOfLineBits* newOutOfLineBits = OutOfLineBits::create(numBits);
    size_t newNumWords = newOutOfLineBits->numWords();
    if (isInline()) {
    // Make sure that all of the bits are zero in case we do a no-op resize.
        *newOutOfLineBits->bits() = m_bitsOrPointer & ~(static_cast<uintptr_t>(1) << maxInlineBits());
        memset(newOutOfLineBits->bits() + 1, 0, (newNumWords - 1) * sizeof(void*));
    } else {
        if (numBits > size()) {
            size_t oldNumWords = outOfLineBits()->numWords();
            memcpy(newOutOfLineBits->bits(), outOfLineBits()->bits(), oldNumWords * sizeof(void*));
            memset(newOutOfLineBits->bits() + oldNumWords, 0, (newNumWords - oldNumWords) * sizeof(void*));
        } else
            memcpy(newOutOfLineBits->bits(), outOfLineBits()->bits(), newOutOfLineBits->numWords() * sizeof(void*));
        OutOfLineBits::destroy(outOfLineBits());
    }
    m_bitsOrPointer = bitwise_cast<uintptr_t>(newOutOfLineBits) >> 1;
}

很明显，当代码进入 isInline() 时，newOutOfLineBits 没有被破坏

我尝试替换系统JavascriptCore.framework

/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator7.1.sdk/System/Library/Frameworks/JavaScriptCore.framework

但是失败了，系统框架是动态库编译的

据我所知，苹果禁止为iOS编译动态库...

所以我认为唯一的办法是向 Apple 报告此泄漏...