In which Wowfunhappy and krackers talk about stuff

[Wowfunhappy]

Continued from: #44 (comment)

I could have recompiled Chromium but figuring out how to build chromium seemed harder than just hotpatching. In fact even figuring out how to parse the crash dump format from non-debug builds (minidump format) was quite an exercise.

Once I got a modern macOS VM set up bluebox's scripts pretty much just worked. Builds take a long time though, I basically can only do them overnight. Which is why I haven't done more with the code base. (Granted, I'm doing this in a Big Sur VM running on top of Mavericks running on a 4790K, it's no slouch but it's far from the fastest hardware available in 2022.)

(Btw, @Wowfunhappy I noticed many of your plugins usually done via insert_dylib approach, you should consider packaging as a simbl plugin instead since it's much easier to enable/disable and you don't break signatures).

I have written SIMBL plugins (GreenFullscreen), but it depends on what I'm doing and it's kind of an "aesthetic" decision. I don't want the Chromium Downloader Preference Pane to require users to install SIMBL, for example.

For non-Chromium stuff...

• QuickTime 10.2 will crash at launch on Mavericks without my library, so again I wanted to make that part of the app, not an optional plugin.
• The code I used to fix a graphical glitch in Pages occasionally doesn't work when loaded from SIMBL.
• The Dictionary patch I distribute with my proxy doesn't work via SIMBL at all (or even via insert_dylib, I have to crudely set the DYLD_INSERT_LIBRARIES environment variable), which according to the stackexchange user who actually wrote the code has something to do with the order things is loaded.
• I originally patched Apple Mail via a SIMBL plugin, but then I realized Mail has native plugin support, so I switched to using that instead.

So yeah, there's probably more I'm forgetting, but I often have a reason to not use SIMBL.

(surprisingly, Chrome is alright with the injection. I would have thought that they do crazy tricks to avoid process injection like in windows, but seems like not.)

I assume they figure that everyone on 10.11+ is "protected" by SIP anyway.

Actually, while I have you—I'm able to very easily replace Objective-C methods via ZKSwizzle, and I'm able to replace C functions via DYLD_INTERPOSE, but do you know if there's a similarly-easy way to replace C++ methods? (I have a feeling there's not.)

Objective-C swizzling is really fun, it makes it so damn easy to tell apps to just do whatever I want. 😈

Edit: It occurred to me that the conversation title is a bit exclusionary. Please feel free to join in regardless of your internet handle. 🙂

[krackers]

Actually, while I have you—I'm able to very easily replace Objective-C methods via ZKSwizzle, and I'm able to replace C functions via DYLD_INTERPOSE, if there's a similarly-easy way to replace C++ methods

Yes, you should just be able to use the same dyld_interpose technique on the mangled c++ name? Recall that when c++ is compiled down to code the fully qualified symbol (including namespace and type information) is mangled into a single identifier. As a result c++ code that does not have its symbols stripped can sometimes be easier to disassemble than c code because type information remains. And C and C++ are interoperable by definition. So just treat the entire mangled c++ symbol name as you would the C symbol and use that when interposing.

With C++ you also have another interesting technique at your disposable which is vtable hijacking

[Wowfunhappy]

Huh, I thought of using dyld_interpose on the mangled name (discovered via running nm on the binary) but that never seemed to have any effect, so I assumed I was doing something wrong.

Next time I have a reason to try it, I'll ask you, and maybe you can tell me what I screwed up. 🙂

[krackers]

It's possible the symbol was never exported? (capital vs lowercase in nm output). afaik interposition only works for exported symbols. If you want to hijack a non-exported symbol then patching via jmp insertion (e.g. mach_override, funchook) seems to be the only way I can think of at the moment

[krackers]

https://github.com/jslegendre/libSymRez might come in handy to use in conjunction with above

[krackers]

@Wowfunhappy just realized (after trying for dozens of minutes to try to inject into an app that was complaining about missing containsString selector) that SIMBL injection is not necessarily guaranteed to happen before the program code begins executing. As I understand it, the injection only happens after the app is recognized by the system as launched (whatever that means), see https://github.com/norio-nomura/EasySIMBL/blob/master/SIMBL%20Agent/SIMBLAgent.m#L100

This means that if the app crashes before it's recognized by the system as finished "launch" then you'll never be able to simbl inject. In that case dyld inject would be preferable.

[krackers]

Although even if you were able to inject into a Carbon process, I'm not sure you could do any swizzling? Not too familiar with Carbon but looks like its APIs are C-based, and things such as UI are done via HIToolbox.

[Wowfunhappy]

What happens if you run tell Fetch to inject SIMBL into Snow Leopard (with the version of simbl that has support for 32-bit arch).

Nothing. It runs in Script Editor but it has no affect. Nothing in the console, no changes in Fetch, etc.

[Wowfunhappy]

Although even if you were able to inject into a Carbon process, I'm not sure you could do any swizzling?

This isn't it either, because many of my plugins print something on load. Unless the load method doesn't work either? How would I know if it did anything, then?

[Wowfunhappy]

Okay, proxy icons fixed at last! @krackers Updated MySIMBLFixes is at https://github.com/Wowfunhappy/MacForgeFramework/blob/master/mySIMBLFixes/mySIMBLFixes/mySIMBLFixes.m.

The updated installer on my website includes a compiled version.

[krackers]

Thanks for sharing!

because many of my plugins print something on load. Unless the load method doesn't work either

Hmm you're right +load should be called by the obj-c runtime (libobjc.dylib would get pulled in even if the source app doesn't use it). I don't know then. Probably the next step might be to try creating a self-contained osax (or just modifying the simbl one to print some log message inside InjectEventHandler) to see if it's even getting called. Possibly not worth the hassle to chase this one down though, except for intellectual curiosity sake.

how I know if it did anything
Even if you don't use obj-c initializer, you can fall back to lowest level of ctor initialization. I'm pretty sure __attribute__((constructor)) should work on mach-o like it does on elf. Printf a message there, then invoke your app from the console and watch stdout.

[Wowfunhappy]

MacportsLegacySupport is the best.

The developer of imitone, an app I purchased years ago and haven't used much since, recently broke support for macOS 10.11 and below. He's been trying to add it back in and asked for testers. I offered because I like it when apps maintain support for old OS X, and actually I'd like to experiment with imitone again.

His test builds didn't work, but I was quickly able to see the problem: the app was expecting _clock_gettime to be in libSystem.B.dylib.

So I copied libMacportsLegacySystem.B.dylib into imitone.app/Contents/Frameworks, and ran:

install_name_tool -change /usr/lib/libSystem.B.dylib @executable_path/../Frameworks/libMacportsLegacySystem.B.dylib /path/to/imitone.app/Contents/MacOS/imitone

Followed by a quick codesign --deep -f -s - /path/to/imitone.app because I'd broken the signature. The app immediately started right up. Not bad for ten minutes of effort!

I told the developer all of this and even sent him a copy of the modified app. We'll see if he's okay getting an explanation from a random stranger. 🤷‍♂️ Of course, he probably shouldn't use this hacky method for the real release. He could presumably link libMacportsLegacySupport.a at compile time, or add a custom clock_gettime implementation.

[krackers]

@Wowfunhappy Question: have you ever noticed this issue where the stack icon for chrome downloads is blank? I recently cleaned up my dock to make use of the stack, and I'm seeing this issue but I don't know if it's just something with my setup or if the referenced bug still exists.

[Wowfunhappy]

Kind of? It happens to me occasionally (not just with files downloaded from Chrome), and usually goes away on its own, I assume when some indexing process reruns.

If it's happening to you consistently and doesn't go away, I haven't experienced that, no.

Fwiw, I've found booting into safe mode once (merely booting it, you don't need to do anything while in safe mode) to be a good way to clear out potentially-corrupted caches.

[krackers]

Yeah it happens consistently, but I don't think it's a QL cache related issue since it's only Chrome downloads, and the symptoms are identical to those in the above bug; the fact they were able to fix it by adding in a sleep makes me believe that it may be a race-condition issue, and so it might be particular to the environment. Oh well I can workaround this by adding a folder rule to touch $RAND_GUID && rm $RAND_GUID when a download is completed, which seems to force refresh.

I also found one other report of this dating back to the 2011-2014 era, but the fact that this isn't more widely reported similarly makes me thing it's a very environment specific issue. Someone pelse arrived at the same solution I did](https://web.archive.org/web/20140113221447/http://steforce.oin.name/read/google_chrome_and_stacks.html) regarding use of a folder rule to force refresh. (For posterity, he describes on a subsequent post a better solution he found, but unfortunately he doesn't go into more detail on that and the link is dead... Luckily I found a mirror at a sketchy site and disassembling that reveals that the "better solution" was to listen for the com.apple.DownloadFileFinished distributed notification.)

---

Completely unrelated to the above, I think I also found a (somewhat minor but still annoying to debug) bug in IOKIt's IOPMCopyAssertionsByProcess method. If you look at the documentation then it says

On success, this returns a dictionary of assertions per process

which seems to imply that so long as the return code is success, the resulting CFDictionaryRef will never be null. But if you actually look at the source then it seems like if there are no assertions at all then it skips the dictionary creation and ends up returning null

 if (0 == flattenedArrayCount) {
        goto exit;
    }

I'm not 100% exactly under what conditions array count is 0, but nonetheless there does seem to be a codepath where the return code is success and yet the dictionary ref is null. And I'd been trying to debug the source of a crash caused by this for the past few days... The fact that sending objective-c messages to the nil object works fine made it harder to trace.

(If you're curious, the reason I'm using this low-level API is because i wanted a way to figure out if media was playing. Unfortunately doing this at the coreaudio level (kAudioDevicePropertyDeviceIsRunningSomewhere) leads to false positives since it appears that Chrome sometimes randomly initializes audio output when browsing pages with media content (even if they're silent). So the next best option was to check the current wakelocks.

[Wowfunhappy]

(If you're curious, the reason I'm using this low-level API is because i wanted a way to figure out if media was playing. Unfortunately doing this at the coreaudio level (kAudioDevicePropertyDeviceIsRunningSomewhere) leads to false positives since it appears that Chrome sometimes randomly initializes audio output when browsing pages with media content (even if they're silent). So the next best option was to check the current wakelocks.

Chromium adds a speaker to the tab title when audio is playing, and it seems to be fairly reliable. Is this something you could use?

[krackers]

Hm I think that would work so long as you only cared about media played via Chrome. But unfortunately I don't think it helps if you have an external media player since there's no way to distinguish the false-positive of speaker active but no speaker in tab title versus the true positive of media playing with external player (which would also have no speaker in Chrome's tab title). I'm also not sure if it's possible to receive state changes via a callback (which can be done with the IOKit approach via IOPMAssertionNotify).

[Wowfunhappy]

@krackers So since you just helped me fix one of my biggest long-time frustrations with my OS X setup... any interest in helping with another one? 🙂

I am unduly upset that dragging an .app bundle out of the /Applications folder creates an alias, whereas dragging a file out of any other folder either moves the file or creates a copy. I'm not sure I can fully explain why this bothers me so much... I just can't stand how Apple gave that specific folder special behavior in Lion. It's a folder, and it should behave like any other folder. Part of the beauty of OS X is that apps are just files (I know they're folders under the hood, but they appear as files), and you don't have to "install" most of them like on an ugly PC, you just copy them somewhere. The Applications folder shouldn't be special, it's just a convention, like ~/Documents or ~/Downloads.

I want to stop Finder from creating aliases. I'm convinced it's something hardcoded in Finder, but I've never been able to figure out what is responsible...

[Wowfunhappy]

When you loaded it in a VM, did you try disassembling a mach-o file?

I was able to load DesktopServicesPriv on my real machine (as opposed to the VM I built it in) and decompile functions. But I didn't look at the disassembly tab or check the log.

W/e, clearly I screwed something up, sorry! I'll have to look later.

[krackers]

Oh I think it was my fault, for some reason the view it loaded didn't have any windows so I thought something was broken. But if I do View > Reset to Default Layout then things started working normally. Only odd thing is that the decompiler & disassembler use a dark theme. That's probably related to the missing themes thing. Even though nothing seems broken, if you go to Console.app it clearly isn't happy about the dylib referencing a path that doesn't exist, and it seems like Cutter does somehow communicate with that binary so it's probably better if that were fixed.

Should have run dylibbundler

The libraries it needs are already in Contents > Resources > Lib, it's just that the rizin binaries aren't referencing them relatively and are instead referencing the ones on your desktop, which is why I thought something went wonky (perhaps missing flag) during the build stage. I think the theme thing can probably be resolved by setting an environment variable somewhere to override the path.

[Wowfunhappy]

There's something weird going on with install_name_tool...

dylibbundler --search-path ../../../../Rizin-prefix/lib/ --overwrite-files -p '@executable_path/../Frameworks' -d Cutter.app/Contents/Frameworks/ -b -cd -ns -x Cutter.app/Contents/Frameworks/librz_util.0.4.0.dylib 
* Collecting dependencies..

* Checking output directory Cutter.app/Contents/Frameworks/

* Processing Cutter.app/Contents/Frameworks/librz_util.0.4.0.dylib
    chmod +w "Cutter.app/Contents/Frameworks/librz_util.0.4.0.dylib"
  * Fixing dependencies on Cutter.app/Contents/Frameworks/librz_util.0.4.0.dylib
    install_name_tool -rpath "$ORIGIN" "@executable_path/../Frameworks/" "Cutter.app/Contents/Frameworks/librz_util.0.4.0.dylib"
error: install_name_tool: no LC_RPATH load command with path:  found in: Cutter.app/Contents/Frameworks/librz_util.0.4.0.dylib (for architecture x86_64), required for specified option "-rpath  @executable_path/../Frameworks/"


Error : An error occured while trying to fix dependencies of Cutter.app/Contents/Frameworks/librz_util.0.4.0.dylib

[krackers]

I don't think that install_name_tool invocation is correct. What that is doing is trying to replace something in the rpath of the executable.

From what I gather (which could be wrong, but this is my current mental model), rpath is basically something like a baked-in equivalent of LDPATH. Or in other words, it's an additional set of places that can be specified to search for dylibs. A binary can have its rpath set separately, and then it can reference dylibs in relation to the rpath. So for instance if a binary has @rpath/foo.dylib and the value of rpath in the binary is set to /Users/bob/lib1 ; /Users/bob/lib2, then it will end up looking both in /Users/bob/lib1/foo.dylib and /Users/bob/lib2/foo.dylib. Hence why I mentioned it's kind of liked a baked in version of the LDPATH variable.

I've never seen anything use this though, and 99% of the time this additional layer of indirection is ueless. And in your case since the binary has no rpath set currently but the command you've given is to replace the value $ORIGIN in rpath with @executable_path/... it's giving an error. This isn't what you want, the correct install_name_tool invocation should be like

install_name_tool -change /Users/jonathan/<rest of path to dylib> "@executable_path/../resources/lib/<dylib name>

since we want to instead change the LC_LOAD command to point to the dylib that's already packaged in your app (inside resources/lib folder).

[krackers]

I don't know if you can batch-perform that process though. Also not sure how that would translate into a dylibundler invocation (if it even supports just pure find/replace behavior).

[pjpreilly]

I want to stop Finder from creating aliases.....

@Wowfunhappy .....Put in the trash then move it where you want it.....

[Wowfunhappy]

I can do that, but dragging a .app out of /Applications shouldn't default to an alias in the first place! It should either move the app (if the target directory is on the same disk) or copy the app (if it's on a different disk). Like every other folder!

It's annoying!

[pjpreilly]

It's annoying!

yep...

[pjpreilly]

Some Apple Developer doesn't want you movin' things outta the Applications Folder....

[Wowfunhappy]

Right, so the idea is to find whatever code that developer put it Finder and swizzle it out. I've never had any success with this, though. I've spent—well, I don't want to think about how much time it must have been—pouring through dumped headers and experimenting with every method that looked related, and I never found anything.

[krackers]

@Wowfunhappy Random question: do you happen to have Intel Power Gadget installed? Seems like all versions that work with 10.9 have been pulled, and I can't find any open source equivalent on github at the moment (basically needs a kext that polls the right CSR, but I'd rather have the official one if possible)

[Wowfunhappy]

@krackers Yes I saved a copy of 3.0.3! Feel free to shoot me an email.

[krackers]

Ah managed to find a copy of 3.0.7 and 3.5.2 on IA. 3.5.3 onwards require 10.11 and above (as per the info.plist), so these should be the two latest versions that work on 10.9. A bit skeptical of 3.5.2 though since I doubt it was actually tested on 10.9 and the huge version bump makes me wary of non-backwards compatible changes.

Power Gadget.zip

@Wowfunhappy Do you use 3.0.3 actively and can vouch for its stability? 3.0.3 seems to have been released April 2016 and 3.0.7 was Jul 2017, but they don't include any changelogs so not sure what's different between the two.

[krackers]

(Also this is unrelated, but I found this interesting example of a kext to read/write from the privileged CSRs https://github.com/veloek/DisableTurboBoost.kext – it's actually easier than I thought since apple already gives you the proper headers).

[Wowfunhappy]

@krackers Yes, I can vouch that 3.0.3 is stable on 10.9.5 with my 4790K. What I do not remember is why I picked that specific version to keep in my software archive.

[krackers]

Here's a reupload of 3.0.3 in case anyone else in the future stumbles upon this Intel® Power Gadget.dmg.zip

Also @Wowfunhappy I got the TurboBoost disable bit to be reapplied after wake from sleep thanks to a helpful pointer from someone a decade in the past. It works like absolute magic to reduce temps, and I haven't noticed any performance changes at all. In fact almost the contrary, since I can now actually run make -j16 without the entire thing burning up to the TJMax temperature of 100C and throttling itself.

One interesting side-note is that it's really hard to find info on kext development. I never would have found that key sleep callback function if the commenter hadn't mentioned it, and apple seems to actively scrub its documentation that it considers "legacy." Also debugging kext loading failures is annoying since if anything goes wrong all you get is a message that an error occurred and it's up to you to figure out if that's because you didn't add the right keys to info.plist, if you didn't declare the right dependencies, etc.

[krackers]

Since we're talking about CoreText, thought I'd dump some other notes here.

10.9 doesn't just have CoreText crashes, apparently it also contains a (rather servere) performance issue that Harfbuzz can trigger with the coretext AAT backend.

Now of course as seen in harfbuzz/harfbuzz@ba4b7be as of v2.0 harfbuzz has implemented its own support for Apple AAT and it (and Chrome) no longer relies on coretext for much, but the underlying codepaths still actually exist if you use the harfbuzz coretext shaper backend directly.

--

First some discussion of apple AAT fonts, since I didn't know much about typography. As seen in https://fontforge.org/docs/techref/gposgsub.html AAT fonts contain additional sections on glyph kerning, substitutions, and shaping data. I think OpenType does support many of the same things, but for whatever reason apple's fork of TrueType uses these non-standard sections instead. There's some detailed discussion by expert typographers that goes over my head in https://typedrawers.com/discussion/758/aat-in-decline-who-develops-aat-features.

Also https://www.opticentre.net/FAQ/Fonts/OpenType-font/

From a font developer's perspective, OpenType is, for many common situations, easier to develop for than AAT. First, the simple declarative substitutions and positioning of OpenType are more readily understood than AAT's more complex (but powerful) state tables. Second, Adobe's strategy of licensing at no charge the source code developed for its own font development allowed third-party font editing applications such as FontLab and FontMaster to add support with relative ease. Although Adobe's text-driven coding support is not as visual as Microsoft's separate tool, VOLT (Visual OpenType Layout Tool), the integration with the tools being used to make the fonts has been well received.

Another difference is that an OpenType support framework (such as Microsoft's Uniscribe) needs to provide a fair bit of knowledge about special language processing issues to handle (for example) Arabic. With AAT, the font developer of an AAT font has to encapsulate all that expertise in the font. This means that AAT can handle any arbitrary language, but that it requires more work and expertise from the font developers. On the other hand, OpenType fonts are easier to make, but can only support certain complicated languages if the application or operating system knows how to handle them.

Which apple themselves states in their whitepaper: https://web.archive.org/web/20090617063720/http://developer.apple.com/textfonts/WhitePapers/IUC15CG.pdf

One feature of OpenType is that client applications are expected to do all glyph substitution operations common to any font for a particular script and language themselves. Because of this, and because the OpenType client application has to
specifically interact with the font in order to do font-specific glyph substitutions, OpenType is not “fully intelligent” in terms of the character-glyph model. This should not be taken as derogatory towards OpenType, as its actual capacities are more than adequate to cover the needs of Unicode-based, high-end, multilingual typography

Practically, the effect of AAT fonts can be easily seen with Zapfino on mac (https://thatkeith.com/articles/zapfino-the-typeface-with-built-in-magic/), but even system fonts such as Helvetica rely on the AAT kerning sections (morx) as opposed to OpenType ones (GPOS?) for things like kerning numbers or slight baseline adjustment. (There are probably opentype versions of Zapfino and Helvetica though, so I'm not sure if there's anything practical that AAT can do that OpenType currently doesn't... maybe AAT font variations [dynamic width/height], which seem to only recently have an opentype equivalent)

---

With that background on AAT out of the way, there's a curious bug that persisted for about a year, all the way through until support for mavericks was officially discontinued (since 68 was the last to officially run on mavericks, while the harfbuzz AAT replacement happened at 72 or something): if you load pages with a lot of CJK text that have a "complex" layout, rendering can take on the order of 10 seconds, and fontd will have heavy CPU usage. Bisecting I found a "good" chrome version is 53.0.2767.6 and the issue was introduced somehwere around "54.0.2803.7"

What happened in between these versions? Well the chrome bug tracker and harfbuzz source give us the full story, and it is in fact related to the emoji crashes that I originally started this GH thread with.

We start with https://issues.chromium.org/issues/40441917 which mentions a commit r355800 (https://chromium.googlesource.com/chromium/src/+/9f6a2b03ccb7091804f173b70b5facff7dffbd61) which I don't quite understand but apparently causes shaping to be invoked a lot more than it used to be. In particular it seems to invoke the shaper once per specified font (e.g. in CSS if you specify 3 different possible fonts it will try to shape with each). CoreText also has its own font fallback logic though, so the two seem to interact poorly, resulting in quadratic behavior. If you list 5 different fonts, but none except the last exist, you can make on the order of 5^2 calls into coretext. Now the rub is that CoreText shaper is only invoked for AAT fonts anyway, and AAT shaping takes extra long.

If you disable coretext shaping using the obscure HB_SHAPER_LIST=ot env var, the performance gap disappears.

The clever chromium folks tried to fix the issue and avoid the quadratic behavior by telling CoreText not to try any fallback fonts. So far so good, and if you try a build with this fix in things work as expected.

But on 10.9 apparently things are not so good: disabling the fallback/cascade logic ends up causing crashes for certain symbols. https://issues.chromium.org/issues/40475517. So they decided to keep this fallback logic for 10.9, which brings back the performance issue for these platforms.

And I guess the cherry is that there's another issue where not disabling the cascade reconfiguration logic causes crashes on certain emoji which is the issue I created this discussion about.

TL;DR coretext on 10.9(+?) is quite cursed, no wonder they wanted add a native AAT backend in harfbuzz just to avoid using it. Also that you should ideally try avoid too many fallback fonts when making pages, e.g. it's strictly more performant to have a separate class for japanese text (using japanese font) and english text, rather than having one selector with fallback.

[krackers]

What pages does printing crash under? If you use a userstyle to force all fonts as non AAT fonts, does it work?

[Wowfunhappy]

Hmm, it doesn't seem that way, no, except I'm not sure what fonts do/don't use AAT.

Forcing pages to use Ariel, Courier, or Adelle Sans (a font that isn't installed by default on macOS, I figured a non-Apple font would be less likely to use AAT) did not fix the crash.

That said, the crash generally does not occur on pages which use webfonts exclusively (examples are vox.com, or my own jonathanalland.com). If I force one of the aforementioned system fonts with a user style, or launch chrome with remote fonts disabled, all pages crash. Some people say in #185 that the crash still occurs, it just happens to late (?) to affect printing, but on the two websites I mentioned above I am legitimately not seeing any crashes.

[krackers]

Arial and Courier do seem to be AAT actually, if you run ttx -l -y 0 /path/to/font (where ttx is in the fonttools python package), they seem to have a morx table which indicates AAT. Adelle Sans most likely wouldn't though...

If the divide is indeed between webfonts and native fonts, there might be some different codepath in there with regard how how Skia tries to (or doesn't try to) create the typeface.

[Wowfunhappy]

...It kind of doesn't help either way, but when I use use ttx on 10.9, I see a morx table on /Library/Fonts/Zapfino.ttf, but not on Arial. (Courier is a .dfont and ttx does not seem to be able to open it.) Were you checking on a newer OS, where maybe Apple updated the fonts?

[krackers]

Oh you're right! I was looking at ArialHB which is apparently hebrew (not bold) which is why I got confused.

And to make things more complicated on my side, apparently having MS Office 2011 messes with the font set as well:

• It brings duplicate copies of certain fonts which it puts in /Library/Fonts/Microsoft (font book seems to prioritize the inbuilt apple fonts over the microsoft copies though, marking microsoft's as disabled)
• It decides to remove(!) certain inbuilt fonts entirely, moving them to /Library/Fonts Disabled so they are invisible to font book. Arial is one such font, in its place Microsoft provides its own version. This is very rude of Microsoft, presumably they think their Arial is better than the native one? It also means uninstalling MS office is going to leave you without an active arial font, their own removal tool falls into the same trap. [Also their removal tool is literally just a bash script hosted on some random msft employee's github page lmao.]