Crash in objc_assign_ivar due to page marked no-execute; dyld cache problem
Product: Mac OS X
Product Version: 10.8.0 12A269
Some users of our application have reported crashing in objc_assign_ivar with EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE (SIGBUS). The crash occurs when loading a nib from -[NSNib instantiateNibWithOwner:topLevelObjects:]. The crash occurs when attempting to execute code on a page not marked as executable; it is in the __IMPORT segment of /usr/lib/libobjc.A.dylib, erroneously marked as rw-/rw- (current and maximum permissions are read-write, no execute). Our 32-bit application has MH_NO_HEAP_EXECUTION set so this attempt to execute is fatal. Running the application with the DYLD_SHARED_REGION environment variable set to "avoid" allows the application to run normally with no crash. Rebuilding the dyld shared cache by running "sudo update_dyld_shared_cache -force" and then rebooting fixes the system.
Based on this, it appears that there’s something in the dyld shared cache that causes the __IMPORT segment of /usr/lib/libobjc.A.dylib to have the wrong protection bits set, which proves fatal in a 32-bit application where MH_NO_HEAP_EXECUTION is set. (64-bit applications always have hardware enforcement against executing data pages.)
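The report's reasoning turns on whether an image opts in to data-page execution protection: a 32-bit image needs MH_NO_HEAP_EXECUTION in its Mach-O header flags, while 64-bit images get hardware enforcement regardless. The checker below is an added example, not part of the Radar or of Chrome's code; it reads the header flags of a thin or universal (fat) Mach-O image and reports per slice whether the flag is set. The flag values (MH_NO_HEAP_EXECUTION = 0x1000000, MH_PIE = 0x200000) come from <mach-o/loader.h>; the sample headers are constructed inline so the script runs without a real binary, and the field names in the returned dicts are this example's own.

```python
import struct

# Header magic numbers and flag bits from <mach-o/loader.h>.
MH_MAGIC = 0xFEEDFACE            # 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit Mach-O header
FAT_MAGIC = 0xCAFEBABE           # universal binary container, big-endian on disk
MH_PIE = 0x00200000
MH_NO_HEAP_EXECUTION = 0x01000000  # opt-in to non-executable heap/data for 32-bit images

CPU_TYPE_I386 = 7
CPU_TYPE_X86_64 = 0x01000007


def parse_thin(data, off=0):
    """Parse one mach_header at `off`, detecting byte order from the magic."""
    raw = data[off:off + 4]
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", raw)[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
            fields = struct.unpack_from(order + "7I", data, off)
            return {"bits": 64 if magic == MH_MAGIC_64 else 32,
                    "cputype": fields[1], "flags": fields[6]}
    raise ValueError("no Mach-O header at offset %d" % off)


def mach_o_slices(data):
    """Return the header dicts of every architecture slice in `data`."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat_arch):
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _, _, offset, _, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            slices.append(parse_thin(data, offset))
        return slices
    return [parse_thin(data, 0)]


def audit(data):
    """Annotate each slice with the NX-related interpretation given in the bug report:
    64-bit always enforces; 32-bit enforces only with MH_NO_HEAP_EXECUTION set."""
    out = []
    for s in mach_o_slices(data):
        s["no_heap_execution"] = bool(s["flags"] & MH_NO_HEAP_EXECUTION)
        s["pie"] = bool(s["flags"] & MH_PIE)
        s["nx_enforced"] = s["bits"] == 64 or s["no_heap_execution"]
        out.append(s)
    return out


# --- constructed sample images (not real binaries) -------------------------
def _header(is64, cputype, flags):
    magic = MH_MAGIC_64 if is64 else MH_MAGIC
    fields = [magic, cputype, 3, 2, 0, 0, flags]  # filetype 2 = MH_EXECUTE
    if is64:
        fields.append(0)  # 64-bit header carries a trailing reserved word
    return struct.pack("<%dI" % len(fields), *fields)


def _fat(slices):
    """Wrap (cputype, blob) pairs in a minimal fat container (no page alignment)."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    first = 8 + 20 * len(slices)
    archs, body = b"", b""
    for cputype, blob in slices:
        archs += struct.pack(">5I", cputype, 3, first + len(body), len(blob), 12)
        body += blob
    return header + archs + body


SAMPLE_I386 = _header(False, CPU_TYPE_I386, MH_PIE | MH_NO_HEAP_EXECUTION)
SAMPLE_X86_64 = _header(True, CPU_TYPE_X86_64, MH_PIE)
SAMPLE_FAT = _fat([(CPU_TYPE_I386, SAMPLE_I386), (CPU_TYPE_X86_64, SAMPLE_X86_64)])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FAT
    for s in audit(data):
        print("%d-bit cputype=0x%x flags=0x%08x no_heap_execution=%s nx_enforced=%s"
              % (s["bits"], s["cputype"], s["flags"], s["no_heap_execution"], s["nx_enforced"]))
```

Run it with a path to a real executable to inspect that file instead of the constructed sample; `otool -hv` on the same file shows the same flags symbolically and is the quick way to confirm the result.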
Steps to Reproduce:
Launch Google Chrome.app on an affected system. We have reports of this bug occurring with Mac OS X 10.8.0 12A269 and Google Chrome 20.0.1132.57 (our currently-released stable version). Download Google Chrome from https://www.google.com/intl/en/chrome/browser/.
Expected Results:
Chrome should launch.
Actual Results:
On affected systems, Chrome crashes at launch.
We’ve had no reports of this bug prior to 10.8.0.
All of the customers that report this issue have upgraded their Macs from a previous OS version, but we have not noticed any pattern. We have not reproduced this issue in-house.
Our bug report is http://crbug.com/136801. There, you will find a series of crash reports and various troubleshooting information we have collected. A sample crash:
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00000000ac801000
VM Regions Near 0xac801000:
__OBJC 00000000ac800000-00000000ac801000 [ 4K] rw-/rwx SM=PRV /usr/lib/libobjc.A.dylib
--> Submap 00000000ac801000-00000000ac802000 r-x/rwx process-only submap
__IMPORT 00000000ac801000-00000000ac802000 [ 4K] rw-/rw- SM=COW /usr/lib/libobjc.A.dylib
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 ??? 0xac801000 objc_assign_ivar + 0
1 libobjc.A.dylib 0x96261d47 object_setIvar + 353
2 libobjc.A.dylib 0x96261bda object_setInstanceVariable + 80
3 com.apple.AppKit 0x93cd6461 -[NSNibOutletConnector establishConnection] + 486
4 com.apple.AppKit 0x93ca815f -[NSIBObjectData nibInstantiateWithOwner:topLevelObjects:] + 1002
5 com.apple.AppKit 0x93ebf7d0 -[NSNib _instantiateNibWithExternalNameTable:] + 634
6 com.apple.AppKit 0x93ebf4a2 -[NSNib instantiateNibWithOwner:topLevelObjects:] + 166
7 com.google.Chrome.framework 0x00340118 ChromeMain + 3217304
8 com.google.Chrome.framework 0x0239e16b ChromeMain + 37156843
9 com.google.Chrome.framework 0x0239edc2 ChromeMain + 37160002
10 com.google.Chrome.framework 0x0239da1d ChromeMain + 37154973
11 com.google.Chrome.framework 0x008fe67b ChromeMain + 9239803
12 com.google.Chrome.framework 0x008fd840 ChromeMain + 9236160
13 com.google.Chrome.framework 0x0002e9a9 ChromeMain + 41
14 com.google.Chrome 0x00025f58 main + 24
15 com.google.Chrome 0x00025f16 0x25000 + 3862
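The diagnosis in the report rests on reading three things together from the crash log: the fault address in "Exception Codes", the frame 0 program counter (equal to the fault address, so this was an instruction fetch), and the current/maximum protection of the VM region containing that address. The script below is an added example, not part of the Radar; it automates that reading over a constructed excerpt modelled on the crash report quoted above (same addresses and permissions). The region-line pattern, the `nx_violation` label and the other dict keys are this example's own, and the kernel "Submap" line is skipped in favour of the real mapping so the __IMPORT segment is what gets reported.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt modelled on the crash report quoted in the bug report.
SAMPLE_CRASH = """\
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00000000ac801000
VM Regions Near 0xac801000:
__OBJC 00000000ac800000-00000000ac801000 [ 4K] rw-/rwx SM=PRV /usr/lib/libobjc.A.dylib
--> Submap 00000000ac801000-00000000ac802000 r-x/rwx process-only submap
__IMPORT 00000000ac801000-00000000ac802000 [ 4K] rw-/rw- SM=COW /usr/lib/libobjc.A.dylib
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 ??? 0xac801000 objc_assign_ivar + 0
1 libobjc.A.dylib 0x96261d47 object_setIvar + 353
"""

# name  start-end  [size]?  cur/max  rest   (an optional "--> " marker may lead the line)
REGION_RE = re.compile(
    r"^(?:-->\s*)?(?P<name>\S+)\s+(?P<start>[0-9a-fA-F]+)-(?P<end>[0-9a-fA-F]+)"
    r"(?:\s+\[\s*[^\]]*\])?\s+(?P<cur>[rwx-]{3})/(?P<max>[rwx-]{3})(?:\s+(?P<rest>.*))?$",
    re.MULTILINE)
FAULT_RE = re.compile(r"^Exception Codes:\s*(?P<code>\w+) at 0x(?P<addr>[0-9a-fA-F]+)", re.MULTILINE)
# Frame 0 of the crashed thread is the line right after "Thread N Crashed".
PC_RE = re.compile(r"^Thread \d+ Crashed.*\n0\s+\S+\s+0x(?P<pc>[0-9a-fA-F]+)", re.MULTILINE)


@dataclass
class Region:
    name: str
    start: int
    end: int
    current: str
    maximum: str
    submap: bool

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_regions(report: str) -> List[Region]:
    regions = []
    for m in REGION_RE.finditer(report):
        regions.append(Region(m["name"], int(m["start"], 16), int(m["end"], 16),
                              m["cur"], m["max"], m["name"] == "Submap"))
    return regions


def diagnose(report: str) -> dict:
    """Combine fault address, frame 0 PC and region permissions into one verdict."""
    fault = FAULT_RE.search(report)
    if not fault:
        raise ValueError("no 'Exception Codes: ... at 0x...' line found")
    addr = int(fault["addr"], 16)
    pc_m = PC_RE.search(report)
    pc: Optional[int] = int(pc_m["pc"], 16) if pc_m else None

    hits = [r for r in parse_regions(report) if r.contains(addr)]
    # Prefer the real mapping over the kernel's Submap bookkeeping entry.
    region = next((r for r in hits if not r.submap), hits[0] if hits else None)

    result = {
        "code": fault["code"],
        "fault_addr": addr,
        "instruction_fetch": pc is not None and pc == addr,
        "region": region.name if region else None,
        "current": region.current if region else None,
        "maximum": region.maximum if region else None,
        "executable": region is not None and "x" in region.current,
        # If even the maximum protection lacks x, mprotect() could not have fixed it
        # at runtime: the mapping itself was created without execute permission.
        "max_allows_exec": region is not None and "x" in region.maximum,
    }
    result["nx_violation"] = (result["code"] == "KERN_PROTECTION_FAILURE"
                              and result["instruction_fetch"]
                              and region is not None
                              and not result["executable"])
    return result


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRASH
    for key, value in diagnose(text).items():
        print("%-18s %s" % (key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value))
```

Point it at a saved .crash file to check another report; a `nx_violation` of True with `max_allows_exec` False is the signature described in this Radar, as opposed to a plain jump to unmapped memory (no containing region) or a write fault (PC differs from the fault address).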
We have noticed that other applications appear to be affected by this bug. For example, https://www.google.com/search?q=objc_assign_ivar+"mountain+lion" shows at https://discussions.apple.com/message/19047618#19047618 that this has come up for iPhoto, and at http://discussion.evernote.com/topic/27980-bug-evernote-crashes-on-launch-after-mountain-lion-upgrade/ that this has come up for Evernote.
A sample crash report provided by a customer experiencing this problem is attached [http://chromium.googlecode.com/issues/attachment?aid=1368010009000&name=chrome_crash.txt&token=K6xs6-Ay2vsYdYfvjIQrEIRANo0%3A1343414997980].
This bug was initially reported to us at https://productforums.google.com/d/topic/chrome/U2vPuZEX2so and http://crbug.com/136801.