Endpoint security system extension crash

Hi all,

I have been using the endpoint system extension for some months now. Recently, when I checked the crash logs, I found that within an hour there were a lot of crashes reported. I am not able to make sense of the log.

Here is the crash report

Process:               com.test.xyz.EndpointSecurityExtension [2851]
Path:                  /Library/SystemExtensions/*/com.test.xyz.EndpointSecurityExtension
Identifier:            com.test.xyz.EndpointSecurityExtension
Version:               1.1.0 (4)
Code Type:             X86-64 (Native)
Parent Process:        launchd [1]
Responsible:           com.test.xyz.EndpointSecurityExtension [2851]
User ID:               0

Date/Time:             2021-09-01 11:50:57.698 +0530
OS Version:            macOS 11.5.2 (20G95)
Report Version:        12
Anonymous UUID:        0F843683-C812-EEE7-668E-2DCAADAE35B6

Sleep/Wake UUID:       C67D7ECA-22E6-451F-8766-CB2DCA3FC287

Time Awake Since Boot: 42000 seconds
Time Since Wake:       5500 seconds

System Integrity Protection: disabled

Crashed Thread:        1  Dispatch queue: BBReaderQueue

Exception Type:        EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes:       0x0000000000000001, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Illegal instruction: 4
Termination Reason:    Namespace SIGNAL, Code 0x4
Terminating Process:   exc handler [2851]

Thread 0:
0   libsystem_kernel.dylib        	0x00007fff20381b0a __sigsuspend_nocancel + 10
1   libdispatch.dylib             	0x00007fff202184e1 _dispatch_sigsuspend + 36
2   libdispatch.dylib             	0x00007fff202184bd _dispatch_sig_thread + 53

Thread 1 Crashed:: Dispatch queue: BBReaderQueue
0   com.test.xyz.EndpointSecurityExtension	0x00000001006b836e closure #1 in  + 8270
1   com.test.xyz.EndpointSecurityExtension	0x00000001006b8627 thunk for @escaping @callee_guaranteed (@unowned OpaquePointer, @unowned UnsafePointer<es_message_t>) -> () + 23
2   libEndpointSecurity.dylib     	0x00007fff2fe2f52b __es_new_client_with_config_block_invoke + 43
3   libEndpointSecurity.dylib     	0x00007fff2fe2ff92 BBReader<ESMessageReaderConfig>::handleItems() + 130
4   libEndpointSecurity.dylib     	0x00007fff2fe2fe41 BBReader<ESMessageReaderConfig>::woke(void*) + 17
5   libdispatch.dylib             	0x00007fff20207806 _dispatch_client_callout + 8
6   libdispatch.dylib             	0x00007fff2020a1b0 _dispatch_continuation_pop + 423
7   libdispatch.dylib             	0x00007fff2021a564 _dispatch_source_invoke + 2061
8   libdispatch.dylib             	0x00007fff2020d493 _dispatch_lane_serial_drain + 263
9   libdispatch.dylib             	0x00007fff2020e0e0 _dispatch_lane_invoke + 417
10  libdispatch.dylib             	0x00007fff2020f318 _dispatch_workloop_invoke + 1784
11  libdispatch.dylib             	0x00007fff20217c0d _dispatch_workloop_worker_thread + 811
12  libsystem_pthread.dylib       	0x00007fff203ae45d _pthread_wqthread + 314
13  libsystem_pthread.dylib       	0x00007fff203ad42f start_wqthread + 15

Thread 1 crashed with X86 Thread State (64-bit):
  rax: 0x0000000100743108  rbx: 0x0000000100743028  rcx: 0x0000000000000000  rdx: 0x00007fc6c07091c0
  rdi: 0x0000000000000000  rsi: 0x0000000100743370  rbp: 0x000070000cee8690  rsp: 0x000070000cee7ed0
   r8: 0x0000000000000515   r9: 0x0000000000000519  r10: 0x00000000fe1fffff  r11: 0x00007fc5bffc5e90
  r12: 0x000000020236c1a1  r13: 0x00000000000001f6  r14: 0x00000000000041ed  r15: 0x0000000000000026
  rip: 0x00000001006b836e  rfl: 0x0000000000010246  cr2: 0x0000000110b5492e
  
Logical CPU:     0
Error Code:      0x00000000
Trap Number:     6

Thread 1 instruction stream:
  8b 70 10 31 ff 31 d2 e8-d6 08 00 00 e9 45 fd ff  .p.1.1.......E..
  ff 4c 8d 2d ca 71 00 00-48 8b 05 c3 71 00 00 48  .L.-.q..H...q..H
  8b 70 10 48 ff c6 31 ff-ba 01 00 00 00 e8 b0 08  .p.H..1.........
  00 00 e9 af e7 ff ff 4c-8d 2d a4 71 00 00 bf 01  .......L.-.q....
  00 00 00 4c 89 fe ba 01-00 00 00 e8 92 08 00 00  ...L............
  48 8b 05 8b 71 00 00 e9-a9 e7 ff ff 0f 0b 0f 0b  H...q...........
 [0f]0b 0f 0b 66 2e 0f 1f-84 00 00 00 00 00 0f 1f  ....f...........	<==
  40 00 55 48 89 e5 41 57-41 56 41 55 41 54 53 48  @.UH..AWAVAUATSH
  83 ec 28 49 bc 13 00 00-00 00 00 00 d0 48 89 7d  ..(I.........H.}
  b0 48 89 75 b8 48 c7 45-c0 2f 25 40 00 48 b8 00  .H.u.H.E./%@.H..
  00 00 00 00 00 00 e3 48-89 45 c8 48 8d 3d 30 70  .......H.E.H.=0p
  00 00 e8 1b db ff ff 49-89 c7 be 48 00 00 00 ba  .......I...H....
  
Thread 1 last branch register state not available.

It restarts again, sometimes it crashes again and sometimes it starts working normally.

Any idea on where I might have made a mistake?

Because when I usually get crash reports, they have the line, the function name and the file (e.g. main.swift) where I had made a mistake, but this is a bit confusing.

Thanks in advance

Is that the full crash report? If not, please post the full report. See Posting a Crash Report for advice on that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Apologies, I was not able to paste the whole crash report. I have attached it as a text file.

  
[crash_endpoint_security_extension](https://developer.apple.com/forums/content/attachment/2abc041e-1975-4ae5-9691-ce77bcb16024)

Ah, I see what’s going on here. Consider this:

Thread 1 instruction stream:
  …
  48 8b 05 8b 71 00 00 e9-a9 e7 ff ff 0f 0b 0f 0b  H...q...........
 [0f]0b 0f 0b 66 2e 0f 1f-84 00 00 00 00 00 0f 1f  ....f...........	<==

The crashing instruction is in square brackets. This is 0x0f, which is a ud2 instruction. On Intel, Swift uses that instruction to implement a trap. For example, if you force unwrap a nil optional, you’ll crash like this.

So, let’s look at your backtrace:

Thread 1 Crashed:: Dispatch queue: BBReaderQueue
0   com.test.xyz.EndpointSecurityExtension	0x00000001006b836e closure #1 in  + 8270
1   com.test.xyz.EndpointSecurityExtension	0x00000001006b8627 thunk for @escaping @callee_guaranteed (@unowned OpaquePointer, @unowned UnsafePointer<es_message_t>) -> () + 23
2   libEndpointSecurity.dylib     	0x00007fff2fe2f52b __es_new_client_with_config_block_invoke + 43

Frame 2 is a block within Endpoint Security (ES). This is almost certainly the block that ES uses to call the block that you pass to es_new_client.

Frame 1 is a Swift thunk that adapts from the Objective-C block calling convention used by ES to the Swift closure calling convention used by your code.

Given frame 2, it’s almost certain that frame 0 is the Swift closure that you passed to es_new_client.

In short, your Swift ES client callback has tripped a Swift trap.

It’s hard to say why this has happened without more info. You’ll need to properly symbolicate your log to uncover the identity of the code that crashed in frame 0. For instructions on how to do that, see Adding Identifiable Symbol Names to a Crash Report.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
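
The reading of the report described in the answer above, as an added example that is not part of the original thread: a Python triage script that locates the bracketed faulting byte, checks for the two-byte ud2 encoding (0f 0b), and confirms that the crashed thread reached the extension's own code through the es_new_client block. SAMPLE is an excerpt of the report posted above; the function names and the result keys are hypothetical.

```python
import re

# Excerpt of the crash report quoted in this thread (tabs written as \t).
SAMPLE = """\
Thread 1 Crashed:: Dispatch queue: BBReaderQueue
0   com.test.xyz.EndpointSecurityExtension\t0x00000001006b836e closure #1 in  + 8270
1   com.test.xyz.EndpointSecurityExtension\t0x00000001006b8627 thunk for @escaping @callee_guaranteed (@unowned OpaquePointer, @unowned UnsafePointer<es_message_t>) -> () + 23
2   libEndpointSecurity.dylib     \t0x00007fff2fe2f52b __es_new_client_with_config_block_invoke + 43

Thread 1 instruction stream:
  48 8b 05 8b 71 00 00 e9-a9 e7 ff ff 0f 0b 0f 0b  H...q...........
 [0f]0b 0f 0b 66 2e 0f 1f-84 00 00 00 00 00 0f 1f  ....f...........\t<==
"""

# One dump row: 16 hex bytes, one of which may be bracketed.
ROW = re.compile(r"^[ \t]*((?:\[?[0-9a-f]{2}\]?[ -]?){16})", re.M)
BYTE = re.compile(r"(\[?)([0-9a-f]{2})")
FRAME = re.compile(r"^(\d+)\s+(\S+)\s+0x[0-9a-f]+\s+(.*?) \+ \d+$")

def faulting_bytes(report, count=2):
    """Bytes starting at the bracketed byte of the instruction stream."""
    dump = report.partition("instruction stream:")[2]
    stream, fault_at = [], None
    for row in ROW.findall(dump):
        for bracket, byte in BYTE.findall(row):
            if bracket:
                fault_at = len(stream)  # offset of the faulting byte
            stream.append(int(byte, 16))
    return None if fault_at is None else bytes(stream[fault_at:fault_at + count])

def crashed_frames(report):
    """(index, image, symbol) tuples for the crashed thread only."""
    frames, active = [], False
    for line in report.splitlines():
        if re.match(r"Thread \d+ Crashed", line):
            active = True
        elif active:
            m = FRAME.match(line.strip())
            if not m:
                break  # blank line ends the crashed thread's backtrace
            frames.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return frames

def triage(report):
    frames = crashed_frames(report)
    via_es = any(i == "libEndpointSecurity.dylib" and "es_new_client" in s for _, i, s in frames)
    top = frames[0][1] if frames else None
    return {"trap": faulting_bytes(report) == b"\x0f\x0b",  # ud2 is encoded 0f 0b
            "top_image": top,
            "es_handler_trap": via_es and top != "libEndpointSecurity.dylib"}
```

A result with both `trap` and `es_handler_trap` true matches the diagnosis in the answer; identifying the exact line in frame 0 still requires symbolicating the report.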
