Reproducer for https://openradar.appspot.com/FB10500605 / rdar://FB10500605

Reproducer for https://openradar.appspot.com/FB10500605 / rdar://FB10500605

$ sw_vers
ProductName:    macOS
ProductVersion: 12.4
BuildVersion:   21F79

$ xcodebuild -version
Xcode 13.3
Build version 13E113

$ make && time ./driver
cc -O2    driver.c   -o driver
cc -O2    sub.c   -o sub
[+++] Let's crunch for SIGTRAP
child 55123 process was terminated by signal Trace/BPT trap: 5.
spawned 49559 times
please check crash logs at ~/Library/Logs/DiagnosticReports/ and look for 'sub'
./driver  8.04s user 30.80s system 693% cpu 5.604 total

$ make && time ./driver
make: Nothing to be done for `all'.
[+++] Let's crunch for SIGTRAP
child 97934 process was terminated by signal Trace/BPT trap: 5.
spawned 15199 times
please check crash logs at ~/Library/Logs/DiagnosticReports/ and look for 'sub'
./driver  2.46s user 9.20s system 766% cpu 1.520 total

$ make && time ./driver
make: Nothing to be done for `all'.
[+++] Let's crunch for SIGTRAP
child 4505 process was terminated by signal Trace/BPT trap: 5.
spawned 600817 times
please check crash logs at ~/Library/Logs/DiagnosticReports/ and look for 'sub'
./driver  97.30s user 364.05s system 762% cpu 1:00.47 total
#include <errno.h>
#include <pthread.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
/* Total number of ./sub children started across all worker threads.
 * Incremented with __atomic_fetch_add in thread_fun and printed in the
 * failure report when a child dies from a signal. */
static volatile long spawned = 0;
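/*
 * Worker thread body: repeatedly spawns POOL copies of ./sub, waits for
 * all of them, and ends the whole driver as soon as one child is killed
 * by a signal (the SIGTRAP this reproducer is hunting).
 *
 * arg is unused (pthread_create passes NULL). Returns NULL only if every
 * iteration completes without a signalled child; otherwise the process
 * exits with 2 (posix_spawn failed), 3 (child terminated by a signal) or
 * 4 (waitpid failed).
 */
static void *thread_fun(void *arg) {
    (void)arg;
    enum {
        POOL = 3,              /* children kept in flight per iteration */
        ITERATIONS = 0x654321  /* iterations per thread, as in the original */
    };
    long remaining = ITERATIONS;
    while (remaining-- > 0) {
        pid_t pid[POOL];
        for (int j = 0; j < POOL; j++) {
            char *argv[] = {"sub", NULL};
            int ret = posix_spawn(&pid[j], "./sub", NULL, NULL, argv, NULL);
            if (ret != 0) {
                /* posix_spawn reports the error as its return value, not via errno */
                fprintf(stderr, "posix_spawn: %s\n", strerror(ret));
                printf("should not reach\n");
                exit(2);
            }
            /* Counted only once the child actually exists so the report is accurate. */
            __atomic_fetch_add(&spawned, 1, __ATOMIC_SEQ_CST);
        }
        for (int j = 0; j < POOL; j++) {
            int status = 0;
            pid_t waited;
            /* Retry on EINTR; status is only valid after a successful waitpid. */
            do {
                waited = waitpid(pid[j], &status, 0);
            } while (waited == -1 && errno == EINTR);
            if (waited == -1) {
                perror("waitpid");
                exit(4);
            }
            if (WIFSIGNALED(status)) {
                printf("child %d process was terminated by signal %s.\n", (int)pid[j], strsignal(WTERMSIG(status)));
                printf("spawned %ld times\n", spawned);
                printf("please check crash logs at ~/Library/Logs/DiagnosticReports/ and look for 'sub'\n");
                exit(3);
            }
        }
    }
    return NULL;
}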
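/*
 * Entry point: starts COUNT worker threads that each hammer ./sub (see
 * thread_fun) and waits for all of them. In the failing case the process
 * is ended from inside thread_fun via exit(); the closing "no crash"
 * line is only reached if every worker finishes its loop.
 *
 * Returns 0 on a clean run, 1 if a thread could not be created or joined.
 */
int main(void) {
    enum { COUNT = 0x40 };  /* number of concurrently spawning threads */
    pthread_t tids[COUNT];
    printf("[+++] Let's crunch for SIGTRAP\n");
    for (int j = 0; j < COUNT; j++) {
        int rc = pthread_create(&tids[j], NULL, &thread_fun, NULL);
        if (rc != 0) {
            /* pthread functions return the error number rather than setting errno */
            fprintf(stderr, "pthread_create(%d): %s\n", j, strerror(rc));
            exit(1);
        }
    }
    for (int j = 0; j < COUNT; j++) {
        int rc = pthread_join(tids[j], NULL);
        if (rc != 0) {
            fprintf(stderr, "pthread_join(%d): %s\n", j, strerror(rc));
            exit(1);
        }
        printf("[+++] joined thread %d\n", j);
    }
    printf("bye jit protect, no crash.\n");
    return 0;
}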
# Both binaries come from make's built-in C rule (cc $(CFLAGS) x.c -o x),
# so no explicit recipes are needed; driver spawns ./sub from the same directory.
CFLAGS=-O2
all: driver sub
{"app_name":"sub","timestamp":"2022-06-30 10:45:42.00 +0200","app_version":"","slice_uuid":"ea9b2e4b-4f6d-3d1f-96f0-1a59aa7aa92a","build_version":"","platform":1,"share_with_app_devs":0,"is_first_party":1,"bug_type":"309","os_version":"macOS 12.4 (21F79)","incident_id":"3125CCDD-83BD-49D5-82F7-9BB4C608412F","name":"sub"}
{
"uptime" : 230000,
"procLaunch" : "2022-06-30 10:45:42.6901 +0200",
"procRole" : "Unspecified",
"version" : 2,
"userID" : 501,
"deployVersion" : 210,
"modelCode" : "MacBookPro18,1",
"procStartAbsTime" : 5601075845667,
"coalitionID" : 534,
"osVersion" : {
"train" : "macOS 12.4",
"build" : "21F79",
"releaseType" : "User"
},
"captureTime" : "2022-06-30 10:45:42.6922 +0200",
"incident" : "3125CCDD-83BD-49D5-82F7-9BB4C608412F",
"bug_type" : "309",
"pid" : 55123,
"procExitAbsTime" : 5601075885079,
"translated" : false,
"cpuType" : "ARM-64",
"procName" : "sub",
"procPath" : "\/Users\/USER\/*\/sub",
"parentProc" : "driver",
"parentPid" : 5378,
"coalitionName" : "com.googlecode.iterm2",
"crashReporterKey" : "FD799C5C-B49C-FE21-E039-C7D7806E798C",
"responsiblePid" : 575,
"responsibleProc" : "iTerm2",
"wakeTime" : 2295,
"sleepWakeUUID" : "2DC1BA5B-DA28-4C08-AFCE-6D6438FD4D95",
"sip" : "enabled",
"isCorpse" : 1,
"exception" : {"codes":"0x0000000000000001, 0x000000019bb35160","rawCodes":[1,6907187552],"type":"EXC_BREAKPOINT","signal":"SIGTRAP"},
"termination" : {"flags":0,"code":5,"namespace":"SIGNAL","indicator":"Trace\/BPT trap: 5","byProc":"exc handler","byPid":55123},
"extMods" : {"caller":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"system":{"thread_create":0,"thread_set_state":1021,"task_for_pid":44},"targeted":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"warnings":0},
"faultingThread" : 0,
"threads" : [{"triggered":true,"id":97075288,"threadState":{"x":[{"value":2310346609649516544},{"value":68719460624},{"value":6123060688},{"value":6123060696},{"value":0},{"value":0},{"value":0},{"value":0},{"value":68719460620},{"value":2310346609649516544},{"value":2310346609647419392},{"value":2},{"value":2},{"value":0},{"value":8},{"value":0},{"value":6907187036,"symbolLocation":0,"symbol":"pthread_jit_write_protect_np"},{"value":7701436843903316064},{"value":0},{"value":4343873632},{"value":4343840656,"symbolLocation":0,"symbol":"main"},{"value":4345954416,"symbolLocation":0,"symbol":"dyld4::sConfigBuffer"},{"value":0},{"value":0},{"value":0},{"value":0},{"value":0},{"value":0},{"value":0}],"flavor":"ARM_THREAD_STATE64","lr":{"value":11618020405564522400},"cpsr":{"value":536875008},"fp":{"value":6123060288},"sp":{"value":6123060288},"esr":{"value":4060086273,"description":"(Breakpoint) brk 1"},"pc":{"value":6907187552,"matchesCrashFrame":1},"far":{"value":8418949648}},"queue":"com.apple.main-thread","frames":[{"imageOffset":33120,"symbol":"pthread_jit_write_protect_np","symbolLocation":516,"imageIndex":0},{"imageOffset":16288,"symbol":"main","symbolLocation":16,"imageIndex":1},{"imageOffset":20620,"symbol":"start","symbolLocation":520,"imageIndex":2}]}],
"usedImages" : [
{
"source" : "P",
"arch" : "arm64e",
"base" : 6907154432,
"size" : 53248,
"uuid" : "42166a2c-89a9-3c38-a215-f028544cea23",
"path" : "\/usr\/lib\/system\/libsystem_pthread.dylib",
"name" : "libsystem_pthread.dylib"
},
{
"source" : "P",
"arch" : "arm64",
"base" : 4343824384,
"size" : 16384,
"uuid" : "ea9b2e4b-4f6d-3d1f-96f0-1a59aa7aa92a",
"path" : "\/Users\/USER\/*\/sub",
"name" : "sub"
},
{
"source" : "P",
"arch" : "arm64e",
"base" : 4345561088,
"size" : 393216,
"uuid" : "d9c2a46e-8dc4-3950-9d6a-f799e8ccb683",
"path" : "\/usr\/lib\/dyld",
"name" : "dyld"
}
],
"sharedCache" : {
"base" : 6903857152,
"size" : 3136077824,
"uuid" : "513553bb-5ca5-3b9e-a613-b0603ffe3038"
},
"vmSummary" : "ReadOnly portion of Libraries: Total=581.9M resident=0K(0%) swapped_out_or_unallocated=581.9M(100%)\nWritable regions: Total=529.1M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=529.1M(100%)\n\n VIRTUAL REGION \nREGION TYPE SIZE COUNT (non-coalesced) \n=========== ======= ======= \nKernel Alloc Once 32K 1 \nMALLOC 137.2M 11 \nMALLOC guard page 96K 5 \nMALLOC_NANO (reserved) 384.0M 1 reserved VM address space (unallocated)\nSTACK GUARD 56.0M 1 \nStack 8176K 1 \n__AUTH 46K 11 \n__AUTH_CONST 67K 38 \n__DATA 181K 36 \n__DATA_CONST 258K 40 \n__DATA_DIRTY 73K 21 \n__LINKEDIT 577.3M 3 \n__OBJC_CONST 10K 5 \n__OBJC_RO 83.0M 1 \n__OBJC_RW 3152K 1 \n__TEXT 4708K 43 \ndyld private memory 1024K 1 \nshared memory 16K 1 \n=========== ======= ======= \nTOTAL 1.2G 221 \nTOTAL, minus reserved VM space 870.9M 221 \n",
"legacyInfo" : {
"threadTriggered" : {
"queue" : "com.apple.main-thread"
}
},
"trialInfo" : {
"rollouts" : [
{
"rolloutId" : "60356660bbe37970735c5624",
"factorPackIds" : {
},
"deploymentId" : 240000027
},
{
"rolloutId" : "61301e3a61217b3110231469",
"factorPackIds" : {
"SIRI_FIND_MY_CONFIGURATION_FILES" : "6216ae152a40e71046e16225"
},
"deploymentId" : 240000016
}
],
"experiments" : [
]
}
}
#include <pthread.h>
/*
 * Minimal child used by driver.c: the whole program is one call to
 * pthread_jit_write_protect_np() and a normal exit. The attached crash
 * log shows that call occasionally trapping instead of returning
 * (EXC_BREAKPOINT / SIGTRAP, "brk 1" inside pthread_jit_write_protect_np);
 * that sporadic trap is the bug the radar reports. Nothing in this
 * process maps a MAP_JIT region before the call.
 */
int main(void) {
/* macOS-specific API; 0 selects the write-enabled side of the W^X JIT toggle for this thread */
pthread_jit_write_protect_np(0);
return 0;
}