iOS17 beta2 - __TCC_CRASHING_DUE_TO_PRIVACY_VIOLATION__ Crash


0x1 Background

Production monitoring showed a rise in __TCC_CRASHING_DUE_TO_PRIVACY_VIOLATION__ crashes on iOS17 beta2. The crash stack is as follows:

OS Version:      iPhone OS 17.0 (21A5268h)
Thread 11 Crashed:
0 libsystem_kernel.dylib 0x00000001e8b5b1c4 __abort_with_payload + 8
1 libsystem_kernel.dylib 0x00000001e8b7ecb4 0x1e8b4c000 + 208052
2 TCC 0x00000001c3555928 __TCC_CRASHING_DUE_TO_PRIVACY_VIOLATION__ + 172
3 TCC 0x00000001c35560a0 __TCCAccessRequest_block_invoke.245 + 0
4 TCC 0x00000001c3553154 __tccd_send_message_block_invoke + 624
5 libxpc.dylib 0x000000020adedb14 _xpc_connection_reply_callout + 116
6 libxpc.dylib 0x000000020ade0484 _xpc_connection_call_reply_async + 80
7 libdispatch.dylib 0x00000001aab22380 _dispatch_client_callout3 + 20
8 libdispatch.dylib 0x00000001aab3fb04 _dispatch_mach_msg_async_reply_invoke + 344
9 libdispatch.dylib 0x00000001aab34d40 _dispatch_root_queue_drain_deferred_item + 336
10 libdispatch.dylib 0x00000001aab34628 _dispatch_kevent_worker_thread + 500
11 libsystem_pthread.dylib 0x000000020ad8ce88 _pthread_wqthread + 344
12 libsystem_pthread.dylib 0x000000020ad8cbf0 start_wqthread + 8

Thread 27:
0 libsystem_kernel.dylib 0x00000001e8b4cba0 semaphore_wait_trap + 8
1 libdispatch.dylib 0x00000001aab22f4c _dispatch_semaphore_wait_slow + 132
2 LocalAuthentication 0x00000001d72189b8 -[LAClient _checkIdResultForTCC:synchronous:error:retryBlock:finally:] + 500
3 LocalAuthentication 0x00000001d7219828 __64-[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:]_block_invoke_2 + 180
4 CoreFoundation 0x00000001a2eba5b4 __invoking___ + 148
5 CoreFoundation 0x00000001a2e67a0c -[NSInvocation invoke] + 428
6 Foundation 0x00000001a1ee3df4 __NSXPCCONNECTION_IS_CALLING_OUT_TO_REPLY_BLOCK__ + 16
7 Foundation 0x00000001a1eb5f64 -[NSXPCConnection _decodeAndInvokeReplyBlockWithEvent:sequence:replyInfo:] + 520
8 Foundation 0x00000001a25f2b5c __88-[NSXPCConnection _sendInvocation:orArguments:count:methodSignature:selector:withProxy:]_block_invoke_5 + 188
9 Foundation 0x00000001a1e7a5fc -[NSXPCConnection _sendInvocation:orArguments:count:methodSignature:selector:withProxy:] + 2244
10 CoreFoundation 0x00000001a2e66c0c ___forwarding___ + 1008
11 CoreFoundation 0x00000001a2ecb9d0 _CF_forwarding_prep_0 + 96
12 LocalAuthentication 0x00000001d721973c __64-[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:]_block_invoke + 204
13 LocalAuthentication 0x00000001d7218fe4 __47-[LAClient _performSynchronous:callId:finally:]_block_invoke + 504
14 libdispatch.dylib 0x00000001aab22300 _dispatch_client_callout + 20
15 libdispatch.dylib 0x00000001aab31ce8 _dispatch_sync_invoke_and_complete + 56
16 LocalAuthentication 0x00000001d7218dac -[LAClient _performSynchronous:callId:finally:] + 196
17 LocalAuthentication 0x00000001d7219634 -[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:] + 296
18 LocalAuthentication 0x00000001d722338c -[LAContext _evaluatePolicy:options:synchronous:reply:] + 188
19 LocalAuthentication 0x00000001d7223084 -[LAContext _evaluatePolicy:options:log:cid:synchronous:reply:] + 388
20 LocalAuthentication 0x00000001d7208268 -[LAContext _evaluatePolicy:options:log:cid:error:] + 272
21 LocalAuthentication 0x00000001d7207fec -[LAContext canEvaluatePolicy:error:] + 276
22 CoreFoundation 0x00000001a2eba5b4 __invoking___ + 148
... (remaining frames omitted) ...

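0x2 Analysis

TCC arm64e <d268b3dc8e5c3d5abb07cba5759881da> /System/Library/PrivateFrameworks/TCC.framework/TCC is a private framework.

TCC stands for "Transparency, Consent, and Control": an app's access to protected permissions is transparent, consented to, and controllable.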

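Searching existing feedback:

  1. developer.apple.com/forums/thre… Clue 1: code that uses LAContext is told to configure NSFaceIDUsageDescription. Checking the other threads in the log, I found the same call. The difference is that in the feedback crash log it is on the same thread, while in mine it is not.
  2. developer.apple.com/forums/thre… Clue 2: Apple's crash log carries more information; the abort tells us which specific permission needs to be declared in Info.plist.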

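Next steps:

  1. Find the owner and try to reproduce; based on Apple's crash log, check whether the app's use of the sensitive information is justified.
  2. If the use is justified, adapt according to the prompt.

PS: Watch subsequent betas to determine whether this is a system issue or a new adaptation point.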
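The cross-thread check described above can be scripted for crash-log triage. This is an added example, not code from the original post: it finds the thread carrying the TCC abort, scans every thread for privacy-gated frameworks, and checks the app's Info.plist for the matching usage key. The function names, the `Contacts` map entry, and the sample plist are assumptions; the sample report is abbreviated from the trace on this page.

```python
import plistlib
import re

# Partial map (assumption, extend as needed): framework in a stack -> Info.plist key.
USAGE_KEYS = {"LocalAuthentication": "NSFaceIDUsageDescription",  # the case on this page
              "Contacts": "NSContactsUsageDescription"}
TCC_MARKER = "__TCC_CRASHING_DUE_TO_PRIVACY_VIOLATION__"
THREAD_RE = re.compile(r"^Thread (\d+)")
FRAME_RE = re.compile(r"^\d+\s+(\S+)\s+0x[0-9a-fA-F]+\s+(.*)$")

def parse_threads(report):
    """Return {thread_id: [(image, symbol), ...]} for each 'Thread N' block."""
    threads, current = {}, None
    for line in map(str.strip, report.splitlines()):
        if m := THREAD_RE.match(line):
            current = threads.setdefault(int(m.group(1)), [])
        elif current is not None and (f := FRAME_RE.match(line)):
            current.append((f.group(1), f.group(2)))
    return threads

def triage(report, info_plist_bytes):
    """Locate the TCC abort, then list privacy-gated frameworks on ANY thread
    (the abort and the triggering call may be on different threads) and
    whether Info.plist declares a non-empty usage string for each."""
    threads = parse_threads(report)
    tcc = sorted(t for t, fr in threads.items() if any(TCC_MARKER in s for _, s in fr))
    if not tcc:
        return None  # not a TCC privacy-violation crash
    plist = plistlib.loads(info_plist_bytes)
    findings = []
    for tid, frames in sorted(threads.items()):
        for image in sorted({img for img, _ in frames} & USAGE_KEYS.keys()):
            value = plist.get(USAGE_KEYS[image])
            declared = isinstance(value, str) and bool(value.strip())
            findings.append({"thread": tid, "framework": image,
                             "key": USAGE_KEYS[image], "declared": declared})
    return {"tcc_threads": tcc, "findings": findings}

# Sample input: report abbreviated from this page; the plist is constructed.
SAMPLE_REPORT = """\
Thread 11 Crashed:
0 libsystem_kernel.dylib 0x00000001e8b5b1c4 __abort_with_payload + 8
2 TCC 0x00000001c3555928 __TCC_CRASHING_DUE_TO_PRIVACY_VIOLATION__ + 172
Thread 27:
0 libsystem_kernel.dylib 0x00000001e8b4cba0 semaphore_wait_trap + 8
21 LocalAuthentication 0x00000001d7207fec -[LAContext canEvaluatePolicy:error:] + 276
"""
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>CFBundleIdentifier</key><string>com.example.app</string></dict></plist>"""

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, SAMPLE_PLIST))
```

A finding with `declared` set to false on a thread other than the crashed one matches the pattern in this report: the abort fires on the XPC reply thread while the `LAContext` call waits elsewhere.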

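0x3 Thoughts

  1. Don't be afraid of system crashes
  2. Search for related information by keyword
  3. Log clustering analysis scenarios
  4. Learned about system abort: Apple's crash logs carry more information (third-party libraries do not have it; can that be improved?)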
