SwiftUI Pointer Authentication Failures (arm64e PAC crash)

Greetings,

We have observed an alarming number of crashes exceeding 1 million across various operating systems and devices. These crashes consistently point to a PAC failure in the specialized PreferenceNode.find<A>(key:) + 16 (PreferenceList.swift:146) function.

The stack trace is exclusively a system-level stack, lacking any application-level stacks for us to go on. This makes it rather impossible for us to debug within our own application, since we do not have system-level context.

Our analysis suggests that this issue may stem from either a compiler bug or an incorrectly implemented virtual function in the AttributeGraph framework, resulting in a pointer-authentication failure in the SwiftUI framework.

Lastly, if it helps, based on our own logs, we have determined that the problem primarily occurs when users return from being in the background for more than 60 minutes. However, despite numerous attempts, we have been unable to reproduce the issue ourselves.

We kindly request your guidance on the most effective approach to address this matter confidently.

Replies

I'm having trouble uploading the .crash file so here's a snippet instead

Incident Identifier: A1A028B9-2730-4FFB-892E-09B9BD2629C4
Hardware Model:      iPhone12,8
Process:             Redacted [5226]
Path:                /private/var/containers/Bundle/Application/26154230-885D-4D8E-8EB4-84B53CCC6E52/Redacted.app/Redacted
Identifier:          Redacted.AppIdentifier
Version:             5.19.0 (134799)
AppStoreTools:       14E221
AppVariant:          1:iPhone12,8:15
Code Type:           ARM-64 (Native)
Role:                Foreground
Parent Process:      launchd [1]
Coalition:           Redacted.AppIdentifier [1268]

Date/Time:           2023-06-01 00:08:06.4269 -0400
Launch Time:         2023-05-31 13:05:47.9192 -0400
OS Version:          iPhone OS 16.4.1 (20E772520a)
Release Type:        User
Baseband Version:    4.01.02
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0xd2800000913f8094 -> 0xffffff80913f8094 (possible pointer authentication failure)
Exception Codes: 0x0000000000000001, 0xd2800000913f8094
VM Region Info: 0xffffff80913f8094 is not in any region.  Bytes after previous region: 18446743045354258581  
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      commpage (reserved)     1000000000-7000000000 [384.0G] ---/--- SM=NUL  ...(unallocated)
--->  
      UNUSED SPACE AT END
Termination Reason: SIGNAL 11 Segmentation fault: 11
Terminating Process: exc handler [5226]

Triggered by Thread:  0


Kernel Triage:
VM - (arg = 0x0) pmap_enter retried due to resource shortage


Thread 0 name:
Thread 0 Crashed:
0   SwiftUI                       	0x00000001ab0812f4 specialized PreferenceNode.find<A>(key:) + 16
1   SwiftUI                       	0x00000001aa7559ec specialized GraphHost.preferenceValue<A>(_:) + 148 (GraphHost.swift:739)
2   SwiftUI                       	0x00000001aa8c1340 specialized UIHostingController.promoteTitle(in:) + 236
3   SwiftUI                       	0x00000001aaaecb9c partial apply for specialized closure #1 in UINavigationController.updateRootHost<A>(root:environment:transaction:) + 40
4   SwiftUI                       	0x00000001aa5fc264 CustomGraphMutation.apply() + 28 (GraphHost.swift:789)
5   SwiftUI                       	0x00000001ab93d940 closure #1 in AsyncTransaction.apply() + 104 (GraphHost.swift:825)
6   SwiftUI                       	0x00000001aba4c0a4 specialized closure #1 in withTransaction<A>(_:_:) + 84 (Transaction.swift:115)
7   SwiftUI                       	0x00000001aa57814c GraphHost.flushTransactions() + 416 (GraphHost.swift:599)
8   SwiftUI                       	0x00000001aa575edc closure #1 in ViewRendererHost.render(interval:updateDisplayList:) + 480 (ViewRendererHost.swift:209)
9   SwiftUI                       	0x00000001aa610dfc ViewRendererHost.render(interval:updateDisplayList:) + 368 (ViewRendererHost.swift:0)
10  SwiftUI                       	0x00000001aad6b814 closure #1 in _UIHostingView.requestImmediateUpdate() + 72 (_UIHostingView.swift:543)
11  SwiftUI                       	0x00000001aa5aa238 thunk for @escaping @callee_guaranteed () -> () + 32 (<compiler-generated>:0)
12  libdispatch.dylib             	0x00000001ae190320 _dispatch_call_block_and_release + 32 (init.c:1518)
13  libdispatch.dylib             	0x00000001ae191eac _dispatch_client_callout + 20 (object.m:560)
14  libdispatch.dylib             	0x00000001ae1a06a4 _dispatch_main_queue_drain + 928 (inline_internal.h:2640)
15  libdispatch.dylib             	0x00000001ae1a02f4 _dispatch_main_queue_callback_4CF + 44 (queue.c:7954)
16  CoreFoundation                	0x00000001a6d61d18 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 16 (CFRunLoop.c:1780)
17  CoreFoundation                	0x00000001a6d43650 __CFRunLoopRun + 1992 (CFRunLoop.c:3147)
18  CoreFoundation                	0x00000001a6d484dc CFRunLoopRunSpecific + 612 (CFRunLoop.c:3418)
19  GraphicsServices              	0x00000001e1fb435c GSEventRunModal + 164 (GSEvent.c:2196)
20  UIKitCore                     	0x00000001a90d437c -[UIApplication _run] + 888 (UIApplication.m:3773)
21  UIKitCore                     	0x00000001a90d3fe0 UIApplicationMain + 340 (UIApplication.m:5363)
22  Redacted                      	0x00000001008dd2dc 0x1008d8000 + 21212
23  dyld                          	0x00000001c61dcdec start + 2220 (dyldMain.cpp:1165)
Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x00000001fec30070   x1: 0x0000000043000002   x2: 0x0000000000000000   x3: 0x0000000283181340
    x4: 0x0000000283181380   x5: 0x000000010c700200   x6: 0x0000000000000800   x7: 0x00000000000001e0
    x8: 0xf00008c3f9401681   x9: 0x0000000043000002  x10: 0x0000000243000002  x11: 0x0000000000000000
   x12: 0x000000005a21183e  x13: 0x00000000000007fd  x14: 0x000000005a412027  x15: 0x000000005a21183e
   x16: 0x00000001a0dd2f60  x17: 0x000000005a400000  x18: 0x0000000000000000  x19: 0x000000016f5260a8
   x20: 0xd2800000913f8084  x21: 0x000000012942f190  x22: 0x00000001fec30070  x23: 0x0000000281748e60
   x24: 0x00000001aa6850c4  x25: 0x00000001aab5608c  x26: 0x00000001aaaebf48  x27: 0x0000000281355b00
   x28: 0x00000001aaa257a4   fp: 0x000000016f525d20   lr: 0x1e1b2501aa7559ec
    sp: 0x000000016f525d10   pc: 0x00000001ab0812f4 cpsr: 0xa0000000
   esr: 0x92000004 (Data Abort) byte read Translation fault
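
As an added triage aid (not part of this thread), the following Python reproduces the canonicalisation shown on the Exception Subtype line above: it strips the bits above the VA field (assumed 39 bits here) by filling them with copies of bit 55, the way XPAC would, confirms the result matches the "->" address the reporter printed, and lists any register whose value sits just below the faulting address. The report lines embedded below are constructed copies of the ones in the snippet.

```python
from __future__ import annotations
import re
from typing import Optional

# Constructed copies of lines from the crash report above.
SUBTYPE_LINE = ("Exception Subtype: KERN_INVALID_ADDRESS at 0xd2800000913f8094 -> "
                "0xffffff80913f8094 (possible pointer authentication failure)")
REG_LINES = """   x19: 0x000000016f5260a8
   x20: 0xd2800000913f8084  x21: 0x000000012942f190  x22: 0x00000001fec30070
    sp: 0x000000016f525d10   pc: 0x00000001ab0812f4 cpsr: 0xa0000000"""

VA_BITS = 39   # assumption: 39-bit user VA; the PAC field occupies bits 63..39
SIGN_BIT = 55  # assumption: bit 55 (kept by TBI) decides the fill value

def strip_pac(ptr: int, va_bits: int = VA_BITS, sign_bit: int = SIGN_BIT) -> int:
    """Replace bits 63..va_bits with copies of sign_bit (XPAC-style strip)."""
    low_mask = (1 << va_bits) - 1
    fill = ((1 << 64) - 1) ^ low_mask if (ptr >> sign_bit) & 1 else 0
    return (ptr & low_mask) | fill

def is_canonical(ptr: int) -> bool:
    """True when no PAC/extension bits are set, i.e. stripping changes nothing."""
    return strip_pac(ptr) == ptr

def parse_subtype(line: str) -> Optional[tuple[int, int]]:
    """Return (raw address, reporter-canonicalised address) from the subtype line."""
    m = re.search(r"at (0x[0-9a-f]+) -> (0x[0-9a-f]+)", line)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None

def registers_near(reg_dump: str, addr: int, window: int = 0x100) -> dict[str, int]:
    """Map register name -> (addr - value) for registers within `window` below addr."""
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(\w+):\s+(0x[0-9a-f]+)", reg_dump)}
    return {n: addr - v for n, v in regs.items() if 0 <= addr - v <= window}

def triage(line: str = SUBTYPE_LINE, reg_dump: str = REG_LINES) -> dict:
    raw, reported = parse_subtype(line)
    return {
        "pac_bits_present": not is_canonical(raw),        # high bits are not a sign extension
        "strip_matches_report": strip_pac(raw) == reported,
        "base_registers": registers_near(reg_dump, raw),  # e.g. x20 is 0x10 below the fault
    }

if __name__ == "__main__":
    print(triage())
```

A faulting address whose strip matches the reporter's "->" value, together with a register holding the same poisoned base a few bytes below it, is what distinguishes a failed authentication from an ordinary wild read when the stack carries no application frames.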

Hi @FilipBusic, I would suggest filing a report with this information using Feedback Assistant. For more information, check out Bug Reporting.
