Network Extension crash - AutoreleasePoolPage

I've got some crash reports which aren't easy to understand.

All the crashes happened at the Packet Tunnel Provider (Network extension, macOS app).

My guess is that those crashes are related to the autorelease pool, which I'm using when I'm writing packets to packetFlow.


This is the stack:


Exception Type:  SIGSEGV
Exception Codes: SEGV_MAPERR at 0x12fe2328
Crashed Thread:  5


Thread 5 Crashed:
0   libobjc.A.dylib                      0x00000001a9b2c140 objc_release + 16
1   libobjc.A.dylib                      0x00000001a9b2d6d0 AutoreleasePoolPage::releaseUntil(objc_object**) + 176
2   libobjc.A.dylib                      0x00000001a9b2d5c8 objc_autoreleasePoolPop + 220
3   libdispatch.dylib                    0x00000001a9ab7164 _dispatch_last_resort_autorelease_pool_pop + 36
4   libdispatch.dylib                    0x00000001a9a63e54 _dispatch_lane_invoke$VARIANT$mp + 508
5   libdispatch.dylib                    0x00000001a9a6d314 _dispatch_workloop_worker_thread + 584
6   libsystem_pthread.dylib              0x00000001a9b06f88 _pthread_wqthread + 272
7   libsystem_pthread.dylib              0x00000001a9b09ad4 start_wqthread + 4


Thread 0:
0   libsystem_kernel.dylib               0x00000001a9bc0634 mach_msg_trap + 8
1   CoreFoundation                       0x00000001a9d6704c __CFRunLoopServiceMachPort + 212
2   CoreFoundation                       0x00000001a9d6216c __CFRunLoopRun + 1440
3   CoreFoundation                       0x00000001a9d618a0 CFRunLoopRunSpecific + 460
4   Foundation                           0x00000001aa0a1824 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 224
5   Foundation                           0x00000001aa0db238 -[NSRunLoop(NSRunLoop) run] + 84
6   libxpc.dylib                         0x00000001a99bf1f8 _xpc_objc_main + 300
7   libxpc.dylib                         0x00000001a99c1b38 xpc_main + 144
8   Foundation                           0x00000001aa0dd368 -[NSXPCListener resume] + 168
9   PlugInKit                            0x00000001b702cbb0 __PLUGINKIT_CALLING_OUT_TO_CLIENT_SUBSYSTEM_FOR_BEGINUSING__ + 31872
10  PlugInKit                            0x00000001b702c8bc __PLUGINKIT_CALLING_OUT_TO_CLIENT_SUBSYSTEM_FOR_BEGINUSING__ + 31116
11  PlugInKit                            0x00000001b702cfc0 __PLUGINKIT_CALLING_OUT_TO_CLIENT_SUBSYSTEM_FOR_BEGINUSING__ + 32912
12  Foundation                           0x00000001aa2b8018 NSExtensionMain + 60
13  libdyld.dylib                        0x00000001a9bec360 start + 0


Thread 1:
0   libsystem_kernel.dylib               0x00000001a9be2a7c __workq_kernreturn + 8
1   libsystem_pthread.dylib              0x00000001a9b09ad4 start_wqthread + 4


Thread 2:
0   MyAppNEExtenstion                  0x000000010101de84 0x100e7c000 + 1711748
1   MyAppNEExtenstion                  0x000000010102c2b8 0x100e7c000 + 1770168
2   libsystem_pthread.dylib              0x00000001a9b061d0 _pthread_start + 120
3   libsystem_pthread.dylib              0x00000001a9b09ae0 thread_start + 4


Thread 3:
0   libsystem_kernel.dylib               0x00000001a9bc0634 mach_msg_trap + 8
1   CoreFoundation                       0x00000001a9d6704c __CFRunLoopServiceMachPort + 212
2   CoreFoundation                       0x00000001a9d6216c __CFRunLoopRun + 1440
3   CoreFoundation                       0x00000001a9d618a0 CFRunLoopRunSpecific + 460
4   CFNetwork                            0x00000001ad025034 0x1ad023000 + 8244
5   Foundation                           0x00000001aa1d20c4 __NSThread__start__ + 844
6   libsystem_pthread.dylib              0x00000001a9b061d0 _pthread_start + 120
7   libsystem_pthread.dylib              0x00000001a9b09ae0 thread_start + 4


Thread 4:
0   libsystem_kernel.dylib               0x00000001a9be2a7c __workq_kernreturn + 8
1   libsystem_pthread.dylib              0x00000001a9b09ad4 start_wqthread + 4


Thread 5 crashed with arm64 Thread State:
   x21: 0x00000000a1a1a1a1     x2: 0x000000000000a93f    x16: 0x00000001a9b2c130     x3: 0x0000000000000005
   x22: 0x000000016f1230e0     x4: 0x000000012fde05c0    x17: 0x0000000000000001   cpsr: 0x0000000020000000
    x5: 0x0000000000000005    x23: 0x00000003a3a3a3a3     x6: 0x0000000000000000    x18: 0x0000000000000000
   x10: 0x0000000130054040     lr: 0x00000001a9b2d6d0     x7: 0x0000000000000403    x24: 0x000000016f1230e0
   x11: 0x000000016f122a08     x8: 0x0000000012fe2308    x19: 0x0000000130054000    x25: 0x000000016f1230e0
    x9: 0x0000000130054048    x12: 0x000000012fde0000     fp: 0x000000016f122990    x26: 0x000000012fd1a9f8
   x13: 0x0000000000003fff     pc: 0x00000001a9b2c140    x27: 0x000000016f123180    x14: 0x00000000bb72fcc4
   x20: 0x0000000130054038     x0: 0x000000012fe22980     sp: 0x000000016f122960    x28: 0x000000016f122ab0
   x15: 0x00000000000065dc     x1: 0x0000000130054038


I'll be happy for a little help with those crashes, and to know if it's really related to the autorelease pool.

Problems like this are almost always caused by over-release bugs, with things panning out roughly as follows:

  1. Someone allocates an object.

  2. As part of the object’s general use, a reference to it ends up in the autorelease pool.

  3. Before that pool is drained, someone over-releases the object. This doesn’t crash because the object is still valid by virtue of the reference in the autorelease pool. However, it does trigger the object to be deallocated.

  4. Eventually the autorelease pool gets drained, which releases its reference, which crashes because the object has been deallocated.

The standard tool for debugging problems like this is zombies. This is tricky to set up in a NetworkExtension provider, but it can be done. See this post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
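The four-step sequence in the answer above, replayed in a small C model (an added example, not code from the thread or from Apple; the Obj/Pool types, function names and the "packet" object are assumptions, and the model is a simplified stand-in for the Objective-C runtime). The model keeps a deallocated object's memory and flags any later release, which is what the zombies tool does for real objects: the over-release in step 3 goes unnoticed, and the pool drain in step 4 is where it finally shows up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of Objective-C style reference counting plus an autorelease
 * pool, constructed to illustrate the over-release sequence.  It is not
 * the Objective-C runtime; names and structures are assumptions. */

typedef struct Obj {
    int  refcount;
    int  deallocated;   /* set by obj_dealloc; doubles as the "zombie" marker */
    char name[16];
} Obj;

#define POOL_MAX 64
typedef struct Pool {
    Obj *entries[POOL_MAX];
    int  count;
} Pool;

/* With zombies on, a deallocated object keeps its memory and reports later
 * messages instead of becoming a dangling pointer (NSZombie does the same
 * for real objects, logging the message sent to the dead object). */
static int zombies_enabled = 1;

static Obj *obj_alloc(const char *name)
{
    Obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->refcount = 1;                        /* step 1: the allocator owns one reference */
    strncpy(o->name, name, sizeof o->name - 1);
    return o;
}

static void obj_dealloc(Obj *o)
{
    o->deallocated = 1;
    if (!zombies_enabled)
        free(o);   /* without zombies any later release is a use-after-free,
                      which is the objc_release fault seen in the report */
}

/* Returns 0 on a normal release, -1 if the receiver was already deallocated
 * (the situation a zombie report would flag). */
static int obj_release(Obj *o)
{
    if (o->deallocated) {
        fprintf(stderr, "zombie: release sent to deallocated object '%s'\n", o->name);
        return -1;
    }
    if (--o->refcount == 0)
        obj_dealloc(o);
    return 0;
}

/* step 2: defer the owner's release until the pool is drained */
static void obj_autorelease(Pool *p, Obj *o)
{
    if (p->count >= POOL_MAX) abort();
    p->entries[p->count++] = o;
}

/* step 4: drain; returns how many releases landed on a deallocated object */
static int pool_drain(Pool *p)
{
    int bad = 0;
    for (int i = p->count - 1; i >= 0; i--)   /* LIFO order, like the real pool */
        if (obj_release(p->entries[i]) < 0)
            bad++;
    p->count = 0;
    return bad;
}

/* Replays the sequence; over_release = 1 injects the extra release of step 3.
 * Returns the number of releases that reached a deallocated object. */
static int run_scenario(int over_release)
{
    Pool pool = {0};
    Obj *o = obj_alloc("packet");          /* refcount 1 */

    obj_autorelease(&pool, o);             /* the pool now owes this object one release */

    if (over_release)
        obj_release(o);                    /* step 3: refcount 0, deallocated, no crash yet */

    int bad = pool_drain(&pool);           /* step 4: the pool's release hits the dead object */

    free(o);                               /* zombie mode kept the memory; reclaim it here */
    return bad;
}

int main(void)
{
    printf("balanced: %d bad release(s)\n", run_scenario(0));
    printf("over-released: %d bad release(s)\n", run_scenario(1));
    return 0;
}
```

The balanced run drains cleanly and the over-released run reports one release sent to a dead object at drain time, which matches the backtrace above: the faulting frame is the pool pop, not the code that released one time too many. That is why the answer points at zombies rather than at the drain site.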