Crashes in _CSGetNamedData()

Originator:rsesek
Number:rdar://22160262 Date Originated:2015-08-05
Status:Open Resolved:
Product:OS X Product Version:10.10.*
Classification:Crash/Hang/Data Loss Reproducible:Unable
 
Summary:
Chrome is seeing several crashes in _CSGetNamedData(). According to our data, this primarily affects 10.10 and 10.9:

%   OS Version
39%	10.10.4 14E46
16%	10.10.3 14D136
8.4%	10.10.2 14C109
7.8%	10.10.2 14C1514
6.5%	10.10.1 14B25
4.5%	10.9.5 13F1077
4.25%	10.9.5 13F34

Sample from 10.10.4 14E46:
Thread 65 CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x000007f7ff314c43 ]
0x00007fff8c80fdb6	[CarbonCore + 0x0000ddb6 ]	_CSGetNamedData
0x00007fff91aa425f	[CoreFoundation + 0x0007a25f ]	_CFPropertyListCopyShared
0x00007fff91bb923c	[CoreFoundation + 0x0018f23c ]	CFBundleCopyLocalizedStringForLocalization
0x00007fff88290c54	[Foundation + 0x00022c54 ]	-[NSBundle localizedStringForKey:value:table:]
0x00007fff883408bd	[Foundation + 0x000d28bd ]	-[NSError(NSErrorPrivate) _cocoaErrorString:fromBundle:tableName:]
0x00007fff88340564	[Foundation + 0x000d2564 ]	-[NSError(NSErrorPrivate) _cocoaErrorString:]
0x00007fff883404f6	[Foundation + 0x000d24f6 ]	-[NSError _cocoaErrorStringWithKind:variant:]
0x00007fff88340420	[Foundation + 0x000d2420 ]	-[NSError _cocoaErrorStringWithKind:]
0x00007fff8830cea0	[Foundation + 0x0009eea0 ]	-[NSError _retainedUserInfoCallBackForKey:]
0x00007fff91b431a7	[CoreFoundation + 0x001191a7 ]	_CFErrorCocoaCallBack
0x00007fff91b4171d	[CoreFoundation + 0x0011771d ]	_CFErrorCreateLocalizedDescription
0x00007fff8830ccf4	[Foundation + 0x0009ecf4 ]	-[NSError localizedDescription]
0x00007fff91b429d0	[CoreFoundation + 0x001189d0 ]	CFErrorCopyDescription
0x00007fff91b424f8	[CoreFoundation + 0x001184f8 ]	_CFErrorCreateDebugDescription
0x00007fff8830cc61	[Foundation + 0x0009ec61 ]	-[NSError description]
0x00007fff88278747	[Foundation + 0x0000a747 ]	_NSDescriptionWithLocaleFunc
0x00007fff91a68d26	[CoreFoundation + 0x0003ed26 ]	__CFStringAppendFormatCore
0x00007fff91b5e39f	[CoreFoundation + 0x0013439f ]	_CFStringCreateWithFormatAndArgumentsAux2
0x00007fff88278630	[Foundation + 0x0000a630 ]	-[NSPlaceholderString initWithFormat:locale:arguments:]
0x00007fff85485cbb	[LaunchServices + 0x00094cbb ]	-[LSUserActivityDebuggingManager log:common:format:args:file:line:]
0x00007fff854520e9	[LaunchServices + 0x000610e9 ]	__ACTLOG
0x00007fff8545311d	[LaunchServices + 0x0006211d ]	__52-[LSUserActivityManager(Private) sendInitialMessage]_block_invoke
0x00007fff88365f9a	[Foundation + 0x000f7f9a ]	__NSXPCCONNECTION_IS_CALLING_OUT_TO_ERROR_BLOCK__
0x00007fff884f512f	[Foundation + 0x0028712f ]	__95-[NSXPCConnection _sendInvocation:withProxy:remoteInterface:withErrorHandler:timeout:userInfo:]_block_invoke322
0x00007fff86b5252b	[libxpc.dylib + 0x0000b52b ]	_xpc_connection_reply_callout
0x00007fff86b524b7	[libxpc.dylib + 0x0000b4b7 ]	_xpc_connection_call_reply
0x00007fff8fda4c12	[libdispatch.dylib + 0x00001c12 ]	_dispatch_client_callout
0x00007fff8fda8364	[libdispatch.dylib + 0x00005364 ]	_dispatch_queue_drain
0x00007fff8fda9ecb	[libdispatch.dylib + 0x00006ecb ]	_dispatch_queue_invoke
0x00007fff8fda76b6	[libdispatch.dylib + 0x000046b6 ]	_dispatch_root_queue_drain
0x00007fff8fdb5fe3	[libdispatch.dylib + 0x00012fe3 ]	_dispatch_worker_thread3
0x00007fff8b1a4636	[libsystem_pthread.dylib + 0x00003636 ]	_pthread_wqthread
0x00007fff8b1a240c	[libsystem_pthread.dylib + 0x0000140c ]	start_wqthread
0x00007fff8fdb5f88	[libdispatch.dylib + 0x00012f88 ]	_dispatch_barrier_sync_f



A different sample from 10.10.4 14E46:
Thread 0 CRASHED [EXC_BAD_ACCESS / 0x0000000d @ 0x00007fff93cebdb6 ]
0x00007fff93cebdb6	[CarbonCore + 0x0000ddb6 ]	_CSGetNamedData
0x00007fff8f8c625f	[CoreFoundation + 0x0007a25f ]	_CFPropertyListCopyShared
0x00007fff8f9db23c	[CoreFoundation + 0x0018f23c ]	CFBundleCopyLocalizedStringForLocalization
0x00007fff940c6c54	[Foundation + 0x00022c54 ]	-[NSBundle localizedStringForKey:value:table:]
0x00007fff97ddbe68	[AppKit + 0x006a5e68 ]	-[NSSavePanel(NSSavePanelLayout) _initContentView]
0x00007fff97dc9408	[AppKit + 0x00693408 ]	-[NSSavePanel initWithContentRect:styleMask:backing:defer:]
0x00007fff9798b2f8	[AppKit + 0x002552f8 ]	+[NSSavePanel _crunchyRawUnbonedPanel]
0x0000000106074620	[Google Chrome Framework -select_file_dialog_mac.mm:180 ]	SelectFileDialogImpl::SelectFileImpl(ui::SelectFileDialog::Type, std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, base::FilePath const&, ui::SelectFileDialog::FileTypeInfo const*, int, std::string const&, NSWindow*, void*)
0x00000001050ba518	[Google Chrome Framework -save_package_file_picker.cc:210 ]	SavePackageFilePicker::SavePackageFilePicker(content::WebContents*, base::FilePath const&, std::string const&, bool, DownloadPrefs*, base::Callback<void (base::FilePath const&, content::SavePageType, base::Callback<void (content::DownloadItem*)> const&)> const&)
0x00000001050a664b	[Google Chrome Framework -chrome_download_manager_delegate.cc:422 ]	ChromeDownloadManagerDelegate::ChooseSavePath(content::WebContents*, base::FilePath const&, std::string const&, bool, base::Callback<void (base::FilePath const&, content::SavePageType, base::Callback<void (content::DownloadItem*)> const&)> const&)
0x00000001082ffd43	[Google Chrome Framework -save_package.cc:1388 ]	content::SavePackage::ContinueGetSaveInfo(base::FilePath const&, bool)
0x0000000105627f8e	[Google Chrome Framework -callback.h:396 ]	base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&)
0x000000010564761e	[Google Chrome Framework -message_loop.cc:444 ]	base::MessageLoop::RunTask(base::PendingTask const&)
0x00000001056477ad	[Google Chrome Framework -message_loop.cc:454 ]	base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&)
0x00000001056479ab	[Google Chrome Framework -message_loop.cc:566 ]	base::MessageLoop::DoWork()
0x000000010561e660	[Google Chrome Framework -message_pump_mac.mm:325 ]	base::MessagePumpCFRunLoopBase::RunWork()
0x00007fff8f8cca00	[CoreFoundation + 0x00080a00 ]	__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00007fff8f8bec5b	[CoreFoundation + 0x00072c5b ]	__CFRunLoopDoSources0
0x00007fff8f8be1be	[CoreFoundation + 0x000721be ]	__CFRunLoopRun
0x00007fff8f8bdbd7	[CoreFoundation + 0x00071bd7 ]	CFRunLoopRunSpecific
0x00007fff9474f56e	[HIToolbox + 0x0003256e ]	RunCurrentEventLoopInMode
0x00007fff9474f1ed	[HIToolbox + 0x000321ed ]	ReceiveNextEventCommon
0x00007fff9474f12a	[HIToolbox + 0x0003212a ]	_BlockUntilNextEventMatchingListInModeWithFilter
0x00007fff977c78aa	[AppKit + 0x000918aa ]	_DPSNextEvent
0x00007fff977c6e57	[AppKit + 0x00090e57 ]	-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
0x00007fff977bcaf2	[AppKit + 0x00086af2 ]	-[NSApplication run]
0x000000010561eccd	[Google Chrome Framework -message_pump_mac.mm:649 ]	base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
0x000000010561e4bb	[Google Chrome Framework -message_pump_mac.mm:235 ]	base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x0000000105659642	[Google Chrome Framework -run_loop.cc:55 ]	base::RunLoop::Run()
0x0000000105089130	[Google Chrome Framework -chrome_browser_main.cc:1710 ]	ChromeBrowserMainParts::MainMessageLoopRun(int*)
0x000000010827f308	[Google Chrome Framework -browser_main_loop.cc:887 ]	content::BrowserMainLoop::RunMainMessageLoopParts()
0x00000001082818d1	[Google Chrome Framework -browser_main_runner.cc:209 ]	content::BrowserMainRunnerImpl::Run()
0x000000010827b596	[Google Chrome Framework -browser_main.cc:26 ]	content::BrowserMain(content::MainFunctionParams const&)
0x00000001055dcf2c	[Google Chrome Framework -content_main_runner.cc:783 ]	content::ContentMainRunnerImpl::Run()
0x00000001055dc5d5	[Google Chrome Framework -content_main.cc:19 ]	content::ContentMain(content::ContentMainParams const&)
0x0000000104ff1571	[Google Chrome Framework -chrome_main.cc:66 ]	ChromeMain
0x0000000104fe4f38	[Google Chrome -chrome_exe_main_mac.cc:16 ]	main
0x0000000104fe4f23	[Google Chrome + 0x00000f23 ]	start


Yet another sample from 10.10.4 14E46:
Thread 0 CRASHED [EXC_BAD_ACCESS / 0x0000000d @ 0x00007fff80611db6 ]
0x00007fff80611db6	[CarbonCore + 0x0000ddb6 ]	_CSGetNamedData
0x00007fff8115625f	[CoreFoundation + 0x0007a25f ]	_CFPropertyListCopyShared
0x00007fff8126b23c	[CoreFoundation + 0x0018f23c ]	CFBundleCopyLocalizedStringForLocalization
0x00007fff896c6c54	[Foundation + 0x00022c54 ]	-[NSBundle localizedStringForKey:value:table:]
0x00007fff87a5abaa	[AppKit + 0x00251baa ]	-[_NSServicesPrincipalMenuUpdater addNonserviceMenuItemsToMenu:]
0x00007fff87a5a4c6	[AppKit + 0x002514c6 ]	-[_NSServicesPrincipalMenuUpdater populateMenu:withServiceEntries:forDisplay:]
0x00007fff87a542c0	[AppKit + 0x0024b2c0 ]	-[_NSServicesMenuUpdater insertServicesIntoMenu:withKeyEvent:isForDisplay:]
0x00007fff87a53ff2	[AppKit + 0x0024aff2 ]	-[_NSServicesMenuUpdater updateMenu:withEvent:withFlags:]
0x00007fff87a53f6d	[AppKit + 0x0024af6d ]	-[_NSServicesPrincipalMenuUpdater updateMenu:withEvent:withFlags:]
0x00007fff87a46ea4	[AppKit + 0x0023dea4 ]	-[NSMenu _populateFromDelegateWithEventRef:]
0x00007fff87a408d2	[AppKit + 0x002378d2 ]	-[NSMenu _populateWithEventRef:]
0x00007fff87a46015	[AppKit + 0x0023d015 ]	-[NSCarbonMenuImpl _carbonPopulateEvent:handlerCallRef:]
0x00007fff87a45d6a	[AppKit + 0x0023cd6a ]	NSSLMMenuEventHandler
0x00007fff83004b6b	[HIToolbox + 0x00008b6b ]	DispatchEventToHandlers(EventTargetRec*, OpaqueEventRef*, HandlerCallRec*)
0x00007fff83003fad	[HIToolbox + 0x00007fad ]	SendEventToEventTargetInternal(OpaqueEventRef*, OpaqueEventTargetRef*, HandlerCallRec*)
0x00007fff83003e21	[HIToolbox + 0x00007e21 ]	SendEventToEventTargetWithOptions
0x00007fff83050aeb	[HIToolbox + 0x00054aeb ]	SendMenuPopulate(MenuData*, OpaqueEventTargetRef*, unsigned int, double, unsigned int, OpaqueEventRef*, unsigned char*)
0x00007fff830508b0	[HIToolbox + 0x000548b0 ]	PopulateMenu(MenuData*, OpaqueEventTargetRef*, CheckMenuData*, unsigned int, double)
0x00007fff8304ff6b	[HIToolbox + 0x00053f6b ]	Check1MenuForKeyEvent(MenuData*, CheckMenuData*)
0x00007fff8305077c	[HIToolbox + 0x0005477c ]	Check1MenuForKeyEvent(MenuData*, CheckMenuData*)
0x00007fff8304f823	[HIToolbox + 0x00053823 ]	CheckMenusForKeyEvent(MenuData*, CheckMenuData*)
0x00007fff8304f428	[HIToolbox + 0x00053428 ]	_IsMenuKeyEvent(MenuData*, OpaqueEventRef*, unsigned int, MenuData**, unsigned short*)
0x00007fff8304f11f	[HIToolbox + 0x0005311f ]	IsMenuKeyEvent
0x00007fff87a45995	[AppKit + 0x0023c995 ]	+[NSCarbonMenuImpl _menuItemWithKeyEquivalentMatchingEventRef:inMenu:]
0x00007fff87a45719	[AppKit + 0x0023c719 ]	_NSFindMenuItemMatchingCommandKeyEvent
0x00007fff87963c20	[AppKit + 0x0015ac20 ]	_NSHandleCarbonMenuEvent
0x00007fff8789abfc	[AppKit + 0x00091bfc ]	_DPSNextEvent
0x00007fff87899e57	[AppKit + 0x00090e57 ]	-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
0x00007fff8788faf2	[AppKit + 0x00086af2 ]	-[NSApplication run]
0x0000000109a04bcd	[Google Chrome Framework -message_pump_mac.mm:649 ]	base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
0x0000000109a043bb	[Google Chrome Framework -message_pump_mac.mm:235 ]	base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x0000000109a3f542	[Google Chrome Framework -run_loop.cc:55 ]	base::RunLoop::Run()
0x000000010946f030	[Google Chrome Framework -chrome_browser_main.cc:1710 ]	ChromeBrowserMainParts::MainMessageLoopRun(int*)
0x000000010c665208	[Google Chrome Framework -browser_main_loop.cc:887 ]	content::BrowserMainLoop::RunMainMessageLoopParts()
0x000000010c6677d1	[Google Chrome Framework -browser_main_runner.cc:209 ]	content::BrowserMainRunnerImpl::Run()
0x000000010c661496	[Google Chrome Framework -browser_main.cc:26 ]	content::BrowserMain(content::MainFunctionParams const&)
0x00000001099c2e2c	[Google Chrome Framework -content_main_runner.cc:783 ]	content::ContentMainRunnerImpl::Run()
0x00000001099c24d5	[Google Chrome Framework -content_main.cc:19 ]	content::ContentMain(content::ContentMainParams const&)
0x00000001093d7471	[Google Chrome Framework -chrome_main.cc:66 ]	ChromeMain
0x00000001093cff38	[Google Chrome -chrome_exe_main_mac.cc:16 ]	main
0x00000001093cff23	[Google Chrome + 0x00000f23 ]	start



Sample from 10.9.5 13F34:
Thread 34 CRASHED [EXC_BAD_ACCESS / 0x0000000d @ 0x00007fff843bb06d ]
0x00007fff843bb06d	[CarbonCore + 0x0000706d ]	_CSGetNamedData
0x00007fff8e202b59	[AppKit + 0x00018b59 ]	_NSPersistentUIGetShmem
0x00007fff8e20710c	[AppKit + 0x0001d10c ]	___NSPersistentUIFetchEncryptionKey_block_invoke
0x00007fff8eb402f6	[AppKit + 0x009562f6 ]	run_cocoa_block
0x00007fff8eb402ae	[AppKit + 0x009562ae ]	my_io_execute_passive_block_with_release
0x00007fff8dae928c	[libdispatch.dylib + 0x0000128c ]	_dispatch_client_callout
0x00007fff8daeb081	[libdispatch.dylib + 0x00003081 ]	_dispatch_root_queue_drain
0x00007fff8daec176	[libdispatch.dylib + 0x00004176 ]	_dispatch_worker_thread2
0x00007fff8ad49ef7	[libsystem_pthread.dylib + 0x00002ef7 ]	_pthread_wqthread
0x00007fff8ad4cfb8	[libsystem_pthread.dylib + 0x00005fb8 ]	start_wqthread
0x00007fff8daec14e	[libdispatch.dylib + 0x0000414e ]	_dispatch_force_cache_cleanup

Steps to Reproduce:
We do not have reproduction steps for this issue; however, we have received several reports of it in our issue tracker. Reporters generally find that repairing disk permissions fixes it temporarily, but the problem then recurs.

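This crash appears to happen either with only system code on the stack or as the result of Chrome calling a system API. The three 10.10.4 samples above all fault at the same location, CarbonCore + 0xddb6, even though they are reached through unrelated callers (LaunchServices logging, NSSavePanel, and the Services menu). There are reports of this crash with similar stacks in other products as well: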

https://trac.videolan.org/vlc/ticket/11828
http://log.sequelpro.com/viewreports/2428
https://discussions.apple.com/thread/5590392?tstart=0

Chrome is tracking this issue at https://code.google.com/p/chromium/issues/detail?id=511679.

Expected Results:


Actual Results:


Version:
10.10.*

Notes:

Configuration:
This appears to primarily affect 10.10 but it was also present on 10.9.

Attachments:
