What does 'corrupt value' mean on iOS?

I'm writing C++ in my iOS app. When I call v->assign(anotherVec.begin(), anotherVec.end()) it always shows me malloc: Incorrect checksum for freed object 0x7fe87824ea00: probably modified after being freed. Corrupt value: 0x0. v is a vector<double> pointer, and the vector size is 0 before it crashes. anotherVec is also a vector<double>; its size is 208. The freed object address differs every time. The app memory seems sufficient.

Here is the crash function and position in STL vector, I paste this just to show where it crashes in STL code:

template <class _Tp, class _Allocator>
template <class _ForwardIterator>
typename enable_if
<
    __is_cpp17_forward_iterator<_ForwardIterator>::value &&
    is_constructible<
       _Tp,
       typename iterator_traits<_ForwardIterator>::reference>::value,
    void
>::type
vector<_Tp, _Allocator>::assign(_ForwardIterator __first, _ForwardIterator __last)
{
    size_type __new_size = static_cast<size_type>(_VSTD::distance(__first, __last));
    if (__new_size <= capacity())
    {
        _ForwardIterator __mid = __last;
        bool __growing = false;
        if (__new_size > size())
        {
            __growing = true;
            __mid =  __first;
            _VSTD::advance(__mid, size());
        }
        pointer __m = _VSTD::copy(__first, __mid, this->__begin_);
        if (__growing)
            __construct_at_end(__mid, __last, __new_size - size());
        else
            this->__destruct_at_end(__m);
    }
    else
    {
        __vdeallocate();
        __vallocate(__recommend(__new_size));              // Crashes here!!!!!!
        __construct_at_end(__first, __last, __new_size);
    }
    __invalidate_all_iterators();
}

I'm running this with Apple Clang 12.0.x and 13.0.x in Xcode. My compile options are -Os --std=c++11 -fPIC -pthread -fno-exceptions. It occurs for about 0.01% of our users, with different data, iPhones and iOS versions.

My macOS version is 12.1.

So I would like to know:

  1. What does Corrupt value: 0x0 mean? I have searched for several hours but found no explanation for this.
  2. Is there any way to monitor which code visited or modified a certain memory address? And how?
  3. What else can I do with this crash? Since I can't make a minimal reproducible example, I'm asking just for a train of thought or tools to analyse it.


Solution 1:[1]

The Address Sanitizer is such a sharp tool. Using it on my isolated demo app, it shows several memory problems; one of them is that anotherVec may cause an index-out-of-bounds problem in certain cases. With that fixed, the assign crash goes away. With all problems fixed, the crashes we collected in my module become unreproducible in the main app.

With ASan I even found more problems in other modules of my app. I told my co-workers about them, and it also fixed their crashes.

However, I still haven't found out what Corrupt value: 0x0 means. Any info is welcome, thanks very much!
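Added illustration of the answer's finding (example code written for this page; it is not from the question, the answer, or libc++). The typical mechanism behind a report like the one above is that an out-of-bounds store on one vector lands in a neighbouring heap chunk; if that chunk has already been freed, the allocator checksums its free-list metadata and only notices the damage the next time it touches the chunk, for example while serving the allocation inside assign(). The function names store_unchecked, store_checked and copy_checked, and the sizes 208 and 100, are constructed for this example; 208 mirrors the size mentioned in the question. The unchecked variant is deliberately left uncalled so the program runs cleanly; building with -fsanitize=address -g and calling it with idx == v.size() is the way to get ASan to report the overflow at the faulting store instead of at a later free.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Unchecked store: the index is trusted, so idx == v.size() writes one
// element past the allocation (heap-buffer-overflow in ASan terms). The
// corrupted bytes belong to whatever chunk malloc placed next, and the
// crash surfaces later, far from this line. Not called from main().
void store_unchecked(std::vector<double>& v, std::size_t idx, double value) {
    v[idx] = value;
}

// Checked store: refuses the write instead of corrupting the heap.
// An explicit check is used rather than vector::at() because the
// question's build uses -fno-exceptions, where at() cannot throw.
bool store_checked(std::vector<double>& v, std::size_t idx, double value) {
    if (idx >= v.size()) {
        return false;  // caller decides how to handle the bad index
    }
    v[idx] = value;
    return true;
}

// Element-wise copy into a destination that may be smaller than the
// source; returns how many elements were actually written. A loop like
// this with a wrong bound is the kind of defect ASan flagged in the answer.
std::size_t copy_checked(const std::vector<double>& src, std::vector<double>& dst) {
    std::size_t written = 0;
    for (std::size_t i = 0; i < src.size(); ++i) {
        if (store_checked(dst, i, src[i])) {
            ++written;
        }
    }
    return written;
}

int main() {
    std::vector<double> another(208, 1.5);  // constructed input, size 208
    std::vector<double> small(100, 0.0);    // constructed, deliberately smaller

    std::size_t n = copy_checked(another, small);
    bool rejected = !store_checked(another, another.size(), 9.0);

    std::printf("copied %zu of %zu elements; index %zu rejected: %s\n",
                n, another.size(), another.size(), rejected ? "yes" : "no");
    return 0;
}
```

In the original build the overflow would have gone unnoticed until malloc validated the neighbouring chunk, which is why the crash appeared inside __vallocate() rather than at the offending store; an ASan build of the same code reports the store itself with a stack trace.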

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 HJWAJ