Example driver project crashes

Hi, I am trying to run an example driver project from https://developer.apple.com/documentation/driverkit/communicating_between_a_driverkit_extension_and_a_client_app?language=objc

The project compiles fine, the driver extension is successfully installed and running, however when the client application tries to communicate with the driver (it calls IOConnectCallScalarMethod in CppUserClient/main.cpp, line 236), the driver crashes, even though there are no modifications of the example code. Does anybody know how to fix it?

The project doesn't use any provisioning profile, all three targets are signed to run locally as described in the link.

My system:

  • macOS 11.5.2 Big Sur

  • Apple M1 chip

  • Xcode 13.2.1

  • System Integrity Protection status: disabled.

  • systemextensionsctl developer: Developer mode is on

  • also ran command "sudo nvram boot-args=-arm64e_preview_abi"

Process:               com.example.apple-samplecode.dext-to-user-client.driver [93854]
Path:                  /Library/SystemExtensions/*/com.example.apple-samplecode.dext-to-user-client.driver
Identifier:            com.example.apple-samplecode.dext-to-user-client.driver
Version:               1.0 (1)
Code Type:             ARM-64 (Native)
Parent Process:        launchd [1]
Responsible:           com.example.apple-samplecode.dext-to-user-client.driver [93854]
User ID:               270

Date/Time:             2022-02-11 14:57:41.457 +0100
OS Version:            macOS 11.5.2 (20G95)
Report Version:        12
Anonymous UUID:        FF756BCC-A417-F3F9-F3F7-783ACD03D22F

Sleep/Wake UUID:       41F39E26-2DC1-480E-A302-7F53345D1007

Time Awake Since Boot: 92000 seconds
Time Since Wake:       6000 seconds

System Integrity Protection: disabled

Crashed Thread:        0  Dispatch queue: Root

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
dyld2 mode
abort() called

Thread 0 Crashed:: Dispatch queue: Root
0   libsystem_kernel.dylib        	0x00000001032cb3e4 __pthread_kill + 8
1   libsystem_pthread.dylib       	0x0000000103386844 pthread_kill + 272
2   libsystem_c.dylib             	0x0000000103268f24 abort + 124
3   com.apple.DriverKit           	0x0000000102e9d2b4 __assert_rtn + 92
4   com.apple.DriverKit           	0x0000000102e9d51c OSMetaClassBase::QueueForObject(unsigned long long) (.cold.2) + 44
5   com.apple.DriverKit           	0x0000000102e7f068 OSMetaClassBase::QueueForObject(unsigned long long) + 176
6   com.apple.DriverKit           	0x0000000102e7f780 OSMetaClassBase::Invoke(IORPC) + 412
7   com.apple.DriverKit           	0x0000000102e8025c Server(void*, mach_msg_header_t*, mach_msg_header_t*) + 512
8   com.apple.DriverKit           	0x0000000102e819c8 uiomachchannel(void*, dispatch_mach_reason_t, dispatch_mach_msg_s*, int) + 156
9   libdispatch.dylib             	0x00000001031a3b90 _dispatch_mach_msg_invoke + 476
10  libdispatch.dylib             	0x00000001031913ec _dispatch_lane_serial_drain + 308
11  libdispatch.dylib             	0x00000001031a48f4 _dispatch_mach_invoke + 464
12  libdispatch.dylib             	0x00000001031913ec _dispatch_lane_serial_drain + 308
13  libdispatch.dylib             	0x0000000103192154 _dispatch_lane_invoke + 456
14  libdispatch.dylib             	0x0000000103193408 _dispatch_workloop_invoke + 1680
15  libdispatch.dylib             	0x000000010319c9f0 _dispatch_workloop_worker_thread + 764
16  libsystem_pthread.dylib       	0x00000001033875e0 _pthread_wqthread + 276
17  libsystem_pthread.dylib       	0x000000010338e7fc start_wqthread + 8

Thread 1:
0   libsystem_kernel.dylib        	0x00000001032cbce0 __sigsuspend_nocancel + 8
1   libdispatch.dylib             	0x000000010319d394 _dispatch_sigsuspend + 48
2   libdispatch.dylib             	0x000000010319d364 _dispatch_sig_thread + 60

Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000000000000   x1: 0x0000000000000000   x2: 0x0000000000000000   x3: 0x0000000000000000
    x4: 0x0000000000000008   x5: 0x0000000000000000   x6: 0x000000016d0b9190   x7: 0x0000000000000000
    x8: 0x194ea7652aa8024b   x9: 0x194ea76447a3b24b  x10: 0x00000000000003f7  x11: 0x0000000000000001
   x12: 0x0000000000000002  x13: 0x0000000000000000  x14: 0x0000000000000001  x15: 0xcfe0c99e739d92f9
   x16: 0x0000000000000148  x17: 0x00000001033900a0  x18: 0x0000000000000000  x19: 0x0000000000000006
   x20: 0x0000000000002c03  x21: 0x000000016d0bb0e0  x22: 0x0000600000af8058  x23: 0x0000600000af8058
   x24: 0xcfe0c99e739d92f9  x25: 0x0000000000000005  x26: 0x0000000102ea8000  x27: 0x0000600002efc328
   x28: 0x00000001031c8b20   fp: 0x000000016d0b9e40   lr: 0x0000000103386844
    sp: 0x000000016d0b9e20   pc: 0x00000001032cb3e4 cpsr: 0x40001000
   far: 0x0000600000af8018  esr: 0x56000080


Binary Images:
       0x102e58000 -        0x102e5ffff +com.example.apple-samplecode.dext-to-user-client.driver (1.0 - 1) <4236B0BB-60E7-3673-9B85-3EA07CF9B612> /Library/SystemExtensions/*/com.example.apple-samplecode.dext-to-user-client.driver
       0x102e7c000 -        0x102ea3fff  com.apple.DriverKit (1.0 - ???) <09CF3961-1EAC-398A-A641-0A35B27EFC9D> /System/DriverKit/System/Library/Frameworks/DriverKit.framework/DriverKit
       0x102ed8000 -        0x102edbfff  libmacho.dylib (980) <0A8459D0-056F-3BB5-B5C3-43EDB596A8D8> /System/DriverKit/usr/lib/system/libmacho.dylib
       0x102ef0000 -        0x102f03fff  libc++.dylib (905.6) <3DE59E7A-74FD-38C0-9E87-E79D7800EF77> /System/DriverKit/usr/lib/libc++.dylib
       0x102f28000 -        0x102f2bfff  libSystem.dylib (1292.120.1) <AAAA1EEA-64FB-39EA-9652-7A444915F6BC> /System/DriverKit/usr/lib/libSystem.dylib
       0x102f3c000 -        0x102f3ffff  libsystem_blocks.dylib (79) <8D88BD96-D15E-38CB-A1DA-9EEA0DE2BB75> /System/DriverKit/usr/lib/system/libsystem_blocks.dylib
       0x102f50000 -        0x102f53fff  libcompiler_rt.dylib (102.2) <82B9BDDE-EC01-306B-BF97-7B4883518656> /System/DriverKit/usr/lib/system/libcompiler_rt.dylib
       0x102f64000 -        0x102f6bfff  libsystem_trace.dylib (1277.120.1) <0FC506FE-EB2C-3823-B67E-75E0C1A0EF49> /System/DriverKit/usr/lib/system/libsystem_trace.dylib
       0x102f7c000 -        0x102feffff  libcorecrypto.dylib (1000.140.4) <7E4E4BB6-8016-3FC4-BE43-C02108A4B96B> /System/DriverKit/usr/lib/system/libcorecrypto.dylib
       0x103014000 -        0x103027fff  libdyld.dylib (852.2) <AFDE9D1D-9A6E-3F77-8F81-F2B899A3CC82> /System/DriverKit/usr/lib/system/libdyld.dylib
       0x103044000 -        0x10304bfff  libsystem_platform.dylib (254.80.2) <B1E4D1E4-E2BB-35BF-93F8-B94CC0A30774> /System/DriverKit/usr/lib/system/libsystem_platform.dylib
       0x10307c000 -        0x1030fbfff  dyld (852.2) <17D14D9B-B6B2-35DC-B157-4FD60213BE99> /usr/lib/dyld
       0x103184000 -        0x1031c7fff  libdispatch.dylib (1271.120.2) <5B283EC2-DC19-3ED9-9219-51930EF02793> /System/DriverKit/usr/lib/system/libdispatch.dylib
       0x103200000 -        0x10326ffff  libsystem_c.dylib (1439.141.1) <A2E5859F-ACD0-3F91-929F-DF6ED51DB08F> /System/DriverKit/usr/lib/system/libsystem_c.dylib
       0x1032a0000 -        0x1032d3fff  libsystem_kernel.dylib (7195.141.2) <1242F258-2BB6-3E1F-BF36-BCC5FC136993> /System/DriverKit/usr/lib/system/libsystem_kernel.dylib
       0x1032f8000 -        0x103327fff  libsystem_m.dylib (3186.100.3) <A5A68E7C-8BDC-3B97-B61A-39C2E2F616AB> /System/DriverKit/usr/lib/system/libsystem_m.dylib
       0x103338000 -        0x103363fff  libsystem_malloc.dylib (317.140.5) <1DECB192-346C-392C-9B0D-F8BBF3FA971D> /System/DriverKit/usr/lib/system/libsystem_malloc.dylib
       0x103384000 -        0x10338ffff  libsystem_pthread.dylib (454.120.2) <02CF1C1D-D380-302C-9B90-1B433BC36A11> /System/DriverKit/usr/lib/system/libsystem_pthread.dylib
       0x1033a8000 -        0x1033bbfff  libc++abi.dylib (905.6) <5E32F6AB-5D32-3AD2-9F31-74C9D6937A0D> /System/DriverKit/usr/lib/libc++abi.dylib

External Modification Summary:
  Calls made by other processes targeting this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by all processes on this machine:
    task_for_pid: 17
    thread_create: 0
    thread_set_state: 1802

VM Region Summary:
ReadOnly portion of Libraries: Total=4256K resident=0K(0%) swapped_out_or_unallocated=4256K(100%)
Writable regions: Total=522.7M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=522.7M(100%)
 
                                VIRTUAL   REGION 
REGION TYPE                        SIZE    COUNT (non-coalesced) 
===========                     =======  ======= 
Kernel Alloc Once                   32K        1 
MALLOC                           137.1M       10 
MALLOC guard page                   64K        4 
MALLOC_NANO (reserved)           384.0M        1         reserved VM address space (unallocated)
STACK GUARD                         32K        2 
Stack                             1120K        3 
Stack Guard                       64.0M        2 
VM_ALLOCATE                        1.0G        1 
__DATA                             592K       20 
__DATA_CONST                       384K       19 
__DATA_DIRTY                        32K        2 
__LINKEDIT                        1552K       30 
__TEXT                            2880K       19 
===========                     =======  ======= 
TOTAL                              1.6G      114 
TOTAL, minus reserved VM space     1.2G      114 

Searching for dext service...
	Opened service.
1. Scalar
2. Struct
3. Large Struct (structureInputDescriptor flow)
4. Checked Scalar
5. Checked Struct
6. Assign Callback to Dext
7. Async Action
0. Exit
Select a message type to send: 1
IOConnectCallScalarMethod failed with error: 0xfffffecc.
	System: 0x3f
	Subsystem: 0xfff
	Code: 0x3ecc
Answered by in 705097022

Accepted Answer

It looks like there is an issue with Big Sur and Xcode 13.1 and later causing this problem. The problem shouldn't be present if you upgrade to Monterey.

Thanks, after upgrading to Monterey the issue is gone.

@Drewbadour - does this mean that it is not possible to use Xcode 13.1 and later to build DEXTs that work on both Big Sur and Monterey?

None of the workarounds (get users to upgrade to Monterey, build the dext on Xcode 12, etc.) seemed particularly attractive or sustainable, so I've finally done a deep dive on this and figured out the problem.

The change that introduces the crash is that starting with DriverKit 21, IOUserClient::ExternalMethod is annotated to run on a named dispatch queue rather than the default dispatch queue: QUEUENAME(IOUserClientQueueExternalMethod). According to the documentation, this queue is by default the dispatch queue, but I guess this association is only made in the DriverKit 21+ runtime, while macOS 11/DriverKit 20 doesn't have an entry for it in its dispatch queue name table by default.

You can work around the issue quite easily by adding the entry yourself, using something like:

// uc: the IOUserClient subclass instance being set up (e.g. in its init or Start)
IODispatchQueue* default_queue = nullptr;
kern_return_t res = uc->CopyDispatchQueue(kIOServiceDefaultQueueName, &default_queue);
if (res == KERN_SUCCESS && default_queue != nullptr)
{
    // Register the default queue under the name DriverKit 21 expects for ExternalMethod
    res = uc->SetDispatchQueue(kIOUserClientQueueNameExternalMethod, default_queue);
}
OSSafeReleaseNULL(default_queue);

This explicitly sets the kIOUserClientQueueNameExternalMethod queue to the object's default queue. You'll want to do this during init or Start of any user client subclass, and it's of course not needed if you're otherwise explicitly setting the external method queue; make sure to get the order right if you're changing the user client's default queue and want external methods to run on the same queue.
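The root cause described in the answer above is a build-SDK/runtime mismatch: a dext linked against the DriverKit 21 SDK (Xcode 13.1 and later) running on the DriverKit 20 runtime in macOS 11. The crash report does not show which SDK the dext was built against, so the following script, added here as an example and not code from the thread or from Apple's sample project, reads the LC_BUILD_VERSION load command of a thin 64-bit Mach-O and reports the platform and SDK it records, then flags the affected combination. The mapping macOS 11 = DriverKit 20, macOS 12 = DriverKit 21 follows the answer's own numbering (DriverKit versions track the Darwin major). The sample Mach-O bytes are constructed inline; the function names and the sample SDK value 21.4.0 are my own choices.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE
LC_BUILD_VERSION = 0x32
PLATFORM_DRIVERKIT = 10
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2


@dataclass
class BuildVersion:
    platform: int
    minos: str  # "X.Y.Z" as packed in the load command
    sdk: str


def _decode_version(v: int) -> str:
    # Versions are packed as xxxx.yy.zz (16.8.8 bits)
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"


def parse_build_versions(data: bytes) -> List[BuildVersion]:
    """Return every LC_BUILD_VERSION in a thin 64-bit Mach-O; fat images are not handled.

    Every load command is bounds-checked so a truncated or hostile file raises
    ValueError instead of being mis-parsed.
    """
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        e = "<"
    elif magic == MH_CIGAM_64:
        e = ">"
    else:
        raise ValueError(f"not a thin 64-bit Mach-O (magic {magic:#x})")
    ncmds, sizeofcmds = struct.unpack_from(e + "II", data, 16)
    end = 32 + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds overruns the file")
    found: List[BuildVersion] = []
    off = 32
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command header")
        cmd, cmdsize = struct.unpack_from(e + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command overruns sizeofcmds")
        if cmd == LC_BUILD_VERSION:
            if cmdsize < 24:
                raise ValueError("LC_BUILD_VERSION shorter than its fixed part")
            platform, minos, sdk, ntools = struct.unpack_from(e + "IIII", data, off + 8)
            if cmdsize < 24 + 8 * ntools:
                raise ValueError("LC_BUILD_VERSION ntools overruns the command")
            found.append(BuildVersion(platform, _decode_version(minos), _decode_version(sdk)))
        off += cmdsize
    return found


def driverkit_sdk_major(data: bytes) -> Optional[int]:
    """Major version of the DriverKit SDK the image was linked against, or None."""
    for bv in parse_build_versions(data):
        if bv.platform == PLATFORM_DRIVERKIT:
            return int(bv.sdk.split(".")[0])
    return None


def hits_external_method_queue_assert(data: bytes, host_macos_major: int) -> bool:
    """True when a dext built against DriverKit 21+ would run on a DriverKit 20 host.

    DriverKit majors track the Darwin major: macOS 11 is DriverKit 20, macOS 12 is 21.
    """
    sdk_major = driverkit_sdk_major(data)
    if sdk_major is None:
        return False
    return sdk_major >= 21 and (host_macos_major + 9) < 21


def make_sample_dext(sdk_version: int) -> bytes:
    """Constructed minimal Mach-O: a header plus a single LC_BUILD_VERSION command."""
    lc = struct.pack("<IIIIIIII",
                     LC_BUILD_VERSION, 32,            # cmd, cmdsize (24 fixed + one tool)
                     PLATFORM_DRIVERKIT, 0x00140000,  # platform, minos 20.0.0
                     sdk_version, 1,                  # sdk, ntools
                     3, 0x02C70000)                   # tool ld (3), version 711.0.0
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                      1, len(lc), 0, 0)               # ncmds, sizeofcmds, flags, reserved
    return hdr + lc


# Constructed samples: one dext linked against DriverKit 21.4, one against 20.4
SAMPLE_DEXT_DRIVERKIT21 = make_sample_dext(0x00150400)
SAMPLE_DEXT_DRIVERKIT20 = make_sample_dext(0x00140400)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DEXT_DRIVERKIT21
    for bv in parse_build_versions(blob):
        print(f"platform={bv.platform} minos={bv.minos} sdk={bv.sdk}")
    print("affected on macOS 11:", hits_external_method_queue_assert(blob, 11))
```

Point it at the dext's executable (the binary behind the Path line of the crash report) to see the DriverKit SDK Xcode linked it against; `otool -l` on the same file shows the identical LC_BUILD_VERSION fields if you prefer Apple's tooling. Only thin images are parsed; for a universal binary, extract the arm64 slice first (this is the one limitation the script deliberately leaves to the caller).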
