Closed
Description
I use Unicorn to emulate an iOS executable file. It works normally on Windows, Linux, and macOS x86, but crashes on Apple Silicon (not all scenarios crash, but those that do can be reproduced reliably).
The environment I am using is macOS 14.2 with an M3 Pro.
The error message is:
Process finished with exit code 138 (interrupted by signal 10:SIGBUS)
The crash log is:
-------------------------------------
Translated Report (Full Report Below)
-------------------------------------
Process: Python [94418]
Path: /Library/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/Contents/MacOS/Python
Identifier: org.python.python
Version: 3.10.11 (3.10.11)
Code Type: ARM-64 (Native)
Parent Process: pycharm [704]
Responsible: pycharm [704]
User ID: 502
Date/Time: 2024-10-11 10:52:49.8220 +0800
OS Version: macOS 14.2 (23C64)
Report Version: 12
Anonymous UUID: 3C136E55-0B58-2F1D-FB15-5C5259FAED20
Sleep/Wake UUID: 224F1CAF-BC1B-4AA2-A424-7F3ACB9489AD
Time Awake Since Boot: 160000 seconds
Time Since Wake: 2470 seconds
System Integrity Protection: enabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x000000028021e208
Exception Codes: 0x0000000000000002, 0x000000028021e208
Termination Reason: Namespace SIGNAL, Code 10 Bus error: 10
Terminating Process: exc handler [94418]
VM Region Info: 0x28021e208 is in 0x280000000-0x2c0000000; bytes after start: 2220552 bytes before end: 1071521271
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
unused __TEXT 27c1e0000-27c1e4000 [ 16K] r--/r-- SM=COW ...ed lib __TEXT
GAP OF 0x3e1c000 BYTES
---> VM_ALLOCATE 280000000-2c0000000 [ 1.0G] rwx/rwx SM=PRV
VM_ALLOCATE (reserved) 2c0000000-2c8000000 [128.0M] rw-/rwx SM=NUL ...(unallocated)
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libunicorn.2.dylib 0x1086e0ddc tb_add_jump + 160 (cpu-exec.c:228)
1 libunicorn.2.dylib 0x1086e0400 tb_find + 828 (cpu-exec.c:291)
2 libunicorn.2.dylib 0x1086df8b8 cpu_exec_aarch64 + 296 (cpu-exec.c:602)
3 libunicorn.2.dylib 0x10867fa34 tcg_cpu_exec + 96 (cpus.c:96)
4 libunicorn.2.dylib 0x10867f94c resume_all_vcpus_aarch64 + 100 (cpus.c:215)
5 libunicorn.2.dylib 0x10867fc28 vm_start_aarch64 + 24 (cpus.c:234)
6 libunicorn.2.dylib 0x10841c5c4 uc_emu_start + 1176 (uc.c:1101)
7 libffi.dylib 0x19b082050 ffi_call_SYSV + 80
8 libffi.dylib 0x19b08aadc ffi_call_int + 1208
9 _ctypes.cpython-310-darwin.so 0x104c682a8 _ctypes_callproc + 1396
10 _ctypes.cpython-310-darwin.so 0x104c62338 PyCFuncPtr_call + 208
11 Python 0x105434cf8 _PyObject_MakeTpCall + 136
12 Python 0x10556b238 call_function + 380
13 Python 0x105563470 _PyEval_EvalFrameDefault + 23772
14 Python 0x10555bf28 _PyEval_Vector + 360
15 Python 0x10556b140 call_function + 132
16 Python 0x10556247c _PyEval_EvalFrameDefault + 19688
17 Python 0x10555bf28 _PyEval_Vector + 360
18 Python 0x105438c64 method_vectorcall + 288
19 Python 0x10555dd54 _PyEval_EvalFrameDefault + 1472
20 Python 0x10555bf28 _PyEval_Vector + 360
21 Python 0x10556b140 call_function + 132
22 Python 0x10556247c _PyEval_EvalFrameDefault + 19688
23 Python 0x10555bf28 _PyEval_Vector + 360
24 Python 0x10556b140 call_function + 132
25 Python 0x10556247c _PyEval_EvalFrameDefault + 19688
26 Python 0x10555bf28 _PyEval_Vector + 360
27 Python 0x10556b140 call_function + 132
28 Python 0x10556247c _PyEval_EvalFrameDefault + 19688
29 Python 0x10555bf28 _PyEval_Vector + 360
30 Python 0x10556b140 call_function + 132
31 Python 0x105561b5c _PyEval_EvalFrameDefault + 17352
32 Python 0x10555bf28 _PyEval_Vector + 360
33 Python 0x10556b140 call_function + 132
34 Python 0x105561b5c _PyEval_EvalFrameDefault + 17352
35 Python 0x10555bf28 _PyEval_Vector + 360
36 Python 0x10556b140 call_function + 132
37 Python 0x105561b5c _PyEval_EvalFrameDefault + 17352
38 Python 0x10555bf28 _PyEval_Vector + 360
39 Python 0x10555dd54 _PyEval_EvalFrameDefault + 1472
40 Python 0x10555bf28 _PyEval_Vector + 360
41 _ctypes.cpython-310-darwin.so 0x104c6680c _CallPythonObject + 564
42 libffi.dylib 0x19b08af28 ffi_closure_SYSV_inner + 816
43 libffi.dylib 0x19b0821e8 ffi_closure_SYSV + 56
44 libunicorn.2.dylib 0x10841eb60 helper_uc_tracecode + 752 (uc.c:2014)
45 ??? 0x28021d72c ???
46 libunicorn.2.dylib 0x1086e0ef4 cpu_tb_exec + 92 (cpu-exec.c:60)
47 libunicorn.2.dylib 0x1086e043c cpu_loop_exec_tb + 40 (cpu-exec.c:504)
48 libunicorn.2.dylib 0x1086df8fc cpu_exec_aarch64 + 364 (cpu-exec.c:606)
49 libunicorn.2.dylib 0x10867fa34 tcg_cpu_exec + 96 (cpus.c:96)
50 libunicorn.2.dylib 0x10867f94c resume_all_vcpus_aarch64 + 100 (cpus.c:215)
51 libunicorn.2.dylib 0x10867fc28 vm_start_aarch64 + 24 (cpus.c:234)
52 libunicorn.2.dylib 0x10841c5c4 uc_emu_start + 1176 (uc.c:1101)
53 libffi.dylib 0x19b082050 ffi_call_SYSV + 80
54 libffi.dylib 0x19b08aadc ffi_call_int + 1208
55 _ctypes.cpython-310-darwin.so 0x104c682a8 _ctypes_callproc + 1396
56 _ctypes.cpython-310-darwin.so 0x104c62338 PyCFuncPtr_call + 208
57 Python 0x105434cf8 _PyObject_MakeTpCall + 136
58 Python 0x10556b238 call_function + 380
59 Python 0x105563470 _PyEval_EvalFrameDefault + 23772
60 Python 0x10555bf28 _PyEval_Vector + 360
61 Python 0x10556b140 call_function + 132
62 Python 0x10556247c _PyEval_EvalFrameDefault + 19688
63 Python 0x10555bf28 _PyEval_Vector + 360
64 Python 0x105438c64 method_vectorcall + 288
65 Python 0x10555dd54 _PyEval_EvalFrameDefault + 1472
66 Python 0x10555bf28 _PyEval_Vector + 360
67 Python 0x10556b140 call_function + 132
68 Python 0x10556247c _PyEval_EvalFrameDefault + 19688
69 Python 0x10555bf28 _PyEval_Vector + 360
70 Python 0x10556b140 call_function + 132
71 Python 0x10556247c _PyEval_EvalFrameDefault + 19688
72 Python 0x10555bf28 _PyEval_Vector + 360
73 Python 0x105438bc0 method_vectorcall + 124
74 Python 0x10556b140 call_function + 132
75 Python 0x105561be0 _PyEval_EvalFrameDefault + 17484
76 Python 0x10555bf28 _PyEval_Vector + 360
77 Python 0x10556b140 call_function + 132
78 Python 0x105561b5c _PyEval_EvalFrameDefault + 17352
79 Python 0x10555bf28 _PyEval_Vector + 360
80 Python 0x1055c6c54 pyrun_file + 308
81 Python 0x1055c6398 _PyRun_SimpleFileObject + 336
82 Python 0x1055c59e4 _PyRun_AnyFileObject + 216
83 Python 0x1055f1dd0 pymain_run_file_obj + 180
84 Python 0x1055f1470 pymain_run_file + 72
85 Python 0x1055f0a58 pymain_run_python + 300
86 Python 0x1055f08ec Py_RunMain + 24
87 Python 0x1055f1f78 pymain_main + 56
88 Python 0x1055f223c Py_BytesMain + 40
89 dyld 0x18a18d0e0 start + 2360
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x000000028021e180 x1: 0x0000000000000000 x2: 0x0000000280041800 x3: 0x000000016b7e6008
x4: 0x000000008cb07ee3 x5: 0x0000000067800000 x6: 0x000000016b7e5f8f x7: 0x0000000000000001
x8: 0x0000000000000000 x9: 0x0000000000000000 x10: 0x0000000280041800 x11: 0x000000028021e208
x12: 0x0000000000000001 x13: 0x00000000ffffffa0 x14: 0x00000000000007fb x15: 0x00000000e762fffb
x16: 0x000000018a50edb4 x17: 0x00000001e9d5fd38 x18: 0x0000000000000000 x19: 0x000000000000001e
x20: 0x000000016b7e6440 x21: 0x0000000000000008 x22: 0x000000016b7e6438 x23: 0x000000016b7e6510
x24: 0x0000000000000000 x25: 0x0000000000000000 x26: 0x0000000000000005 x27: 0x0000000000000005
x28: 0x000000016b7e64c0 fp: 0x000000016b7e60d0 lr: 0x00000001086e0400
sp: 0x000000016b7e6070 pc: 0x00000001086e0ddc cpsr: 0x40001000
far: 0x000000028021e208 esr: 0x9200004f (Data Abort) byte write Permission fault
Binary Images:
0x104c34000 - 0x104c3bfff libffi-trampolines.dylib (*) <8adf6d3b-1308-39d8-912c-bd55ed01fa49> /usr/lib/libffi-trampolines.dylib
0x105f8c000 - 0x105f8ffff _uuid.cpython-310-darwin.so (*) <5406893a-16a9-3917-a57c-a18c30673b38> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_uuid.cpython-310-darwin.so
0x10539c000 - 0x10539ffff _queue.cpython-310-darwin.so (*) <421c1fa3-f6da-33d4-a43e-3e744dbe86d8> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_queue.cpython-310-darwin.so
0x104f0c000 - 0x104f0ffff _heapq.cpython-310-darwin.so (*) <46bf4b96-5b44-3371-92d8-bdaf78687925> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_heapq.cpython-310-darwin.so
0x10536c000 - 0x105383fff _pickle.cpython-310-darwin.so (*) <a9a32f5b-90ee-322a-95ef-0e49ca3071bc> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_pickle.cpython-310-darwin.so
0x104ef8000 - 0x104efbfff resource.cpython-310-darwin.so (*) <db02e1a1-4927-3447-aad4-fa49616d354d> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/resource.cpython-310-darwin.so
0x10686c000 - 0x106ceffff _lief.so (*) <4c4c4441-5555-3144-a1f8-7f67f50e3728> /Users/USER/*/_lief.so
0x108418000 - 0x1095ebfff libunicorn.2.dylib (*) <3f664aa8-7f38-339a-bdd2-4faae3533d84> /Users/USER/*/libunicorn.2.dylib
0x10617c000 - 0x1066effff libcapstone.dylib (*) <21a25ccd-589f-36eb-b38c-b159f4a70161> /Users/USER/*/libcapstone.dylib
0x104ee4000 - 0x104ee7fff _opcode.cpython-310-darwin.so (*) <6aabe736-53ef-3a3d-9492-e0edaf02007b> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_opcode.cpython-310-darwin.so
0x104c5c000 - 0x104c6ffff _ctypes.cpython-310-darwin.so (*) <8710ee5e-53a1-3c8e-a6be-35fba5383f42> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_ctypes.cpython-310-darwin.so
0x104ea8000 - 0x104eabfff _posixsubprocess.cpython-310-darwin.so (*) <d28f8d29-7210-37d1-964f-a77a83f76c3f> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_posixsubprocess.cpython-310-darwin.so
0x104e94000 - 0x104e97fff fcntl.cpython-310-darwin.so (*) <f8cce0d7-6b5e-3da9-a207-fb714939b81c> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/fcntl.cpython-310-darwin.so
0x104cb0000 - 0x104cb3fff _scproxy.cpython-310-darwin.so (*) <90df22dd-8cfb-365d-a85b-8d0d6745c42f> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_scproxy.cpython-310-darwin.so
0x104f24000 - 0x104f53fff _lzma.cpython-310-darwin.so (*) <13cfe756-b593-353d-bfcf-a74de53f6135> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_lzma.cpython-310-darwin.so
0x1049d4000 - 0x1049d7fff _bz2.cpython-310-darwin.so (*) <3d88ed77-d0ef-329d-9f57-4c94ae0b28e4> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_bz2.cpython-310-darwin.so
0x104c94000 - 0x104c9bfff zlib.cpython-310-darwin.so (*) <2ef52731-249d-3f3d-ade2-f68b45332f10> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/zlib.cpython-310-darwin.so
0x104ccc000 - 0x104ce3fff _ssl.cpython-310-darwin.so (*) <759becaa-d660-3255-a17a-87b137de5bb1> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_ssl.cpython-310-darwin.so
0x104c14000 - 0x104c1ffff array.cpython-310-darwin.so (*) <502fda2b-73c2-3caa-a980-e4f282becc61> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/array.cpython-310-darwin.so
0x104c44000 - 0x104c4bfff select.cpython-310-darwin.so (*) <06443efd-a639-3015-833c-f473f172608c> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/select.cpython-310-darwin.so
0x1049b0000 - 0x1049bffff _socket.cpython-310-darwin.so (*) <7422f970-d83c-3060-8807-dd28ffe7fb58> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_socket.cpython-310-darwin.so
0x104c00000 - 0x104c03fff _sha512.cpython-310-darwin.so (*) <b8911246-bb80-3ad9-8ecb-d17357ac6122> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_sha512.cpython-310-darwin.so
0x104bec000 - 0x104beffff _random.cpython-310-darwin.so (*) <b0e2bf49-f1db-3ea8-b7b9-99823e9c84ec> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_random.cpython-310-darwin.so
0x104a04000 - 0x104a0bfff _blake2.cpython-310-darwin.so (*) <c041ce87-55d9-38fa-93ef-5ab054d494c8> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_blake2.cpython-310-darwin.so
0x1049e8000 - 0x1049effff _hashlib.cpython-310-darwin.so (*) <466a8544-4477-363e-aedd-9743d1c608d0> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_hashlib.cpython-310-darwin.so
0x104d0c000 - 0x104d5ffff libssl.1.1.dylib (*) <c76ba228-631b-3dd6-9bbc-434903544d36> /Library/Frameworks/Python.framework/Versions/3.10/lib/libssl.1.1.dylib
0x105854000 - 0x1059effff libcrypto.1.1.dylib (*) <469ec5bb-4083-363a-abee-47602ddc717f> /Library/Frameworks/Python.framework/Versions/3.10/lib/libcrypto.1.1.dylib
0x10494c000 - 0x10494ffff _bisect.cpython-310-darwin.so (*) <a37eb635-fe7a-3d44-b1ba-3bb7dc7b0e14> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_bisect.cpython-310-darwin.so
0x104ac0000 - 0x104ad3fff _datetime.cpython-310-darwin.so (*) <2f82bafe-ae6c-3ba1-b5eb-6e28f8c0dd9a> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_datetime.cpython-310-darwin.so
0x10492c000 - 0x104937fff math.cpython-310-darwin.so (*) <44e05e35-d5f1-37c1-bd86-cc43e0de1bbf> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/math.cpython-310-darwin.so
0x104998000 - 0x10499ffff _json.cpython-310-darwin.so (*) <14a6b043-a013-37b0-80b0-80710318d95b> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_json.cpython-310-darwin.so
0x104980000 - 0x104987fff binascii.cpython-310-darwin.so (*) <f619bcc2-4d06-34f7-ae65-8001170d28a7> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/binascii.cpython-310-darwin.so
0x104964000 - 0x10496bfff _struct.cpython-310-darwin.so (*) <133bfe87-3bd9-3bd6-9afe-c0b504af5b78> /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_struct.cpython-310-darwin.so
0x1053b8000 - 0x105717fff org.python.python (3.10.11, (c) 2001-2023 Python Software Foundation.) <3fe90b0d-d091-3b4e-ac7c-15d5cf743818> /Library/Frameworks/Python.framework/Versions/3.10/Python
0x104614000 - 0x104617fff org.python.python (3.10.11) <ef677878-e7fb-329d-bb8b-0f651210d52b> /Library/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/Contents/MacOS/Python
0x19b07a000 - 0x19b08b64f libffi.dylib (*) <3d2c1bb7-e1c9-3831-976a-c1acd53e7ab7> /usr/lib/libffi.dylib
0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
0x18a187000 - 0x18a21b347 dyld (*) <324e4ad9-e01f-3183-b09f-3e20b326643a> /usr/lib/dyld
0x18a507000 - 0x18a513ff3 libsystem_pthread.dylib (*) <a7d94c96-7b1f-3229-9bea-048d037c3292> /usr/lib/system/libsystem_pthread.dylib
External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
VM Region Summary:
ReadOnly portion of Libraries: Total=1.0G resident=0K(0%) swapped_out_or_unallocated=1.0G(100%)
Writable regions: Total=6.8G written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=6.8G(100%)
VIRTUAL REGION
REGION TYPE SIZE COUNT (non-coalesced)
=========== ======= =======
Kernel Alloc Once 32K 1
MALLOC 1.4G 31
MALLOC guard page 96K 6
STACK GUARD 16K 1
Stack 16.0M 1
VM_ALLOCATE 1.4G 533
VM_ALLOCATE (reserved) 4.0G 3 reserved VM address space (unallocated)
__AUTH 339K 65
__AUTH_CONST 4056K 147
__DATA 3503K 176
__DATA_CONST 7201K 182
__DATA_DIRTY 365K 59
__LINKEDIT 902.9M 36
__OBJC_RO 71.1M 1
__OBJC_RW 2168K 1
__TEXT 154.1M 190
dyld private memory 272K 2
mapped file 32K 1
shared memory 32K 2
=========== ======= =======
TOTAL 7.9G 1438
TOTAL, minus reserved VM space 3.9G 1438
I noticed this crash log is similar to the one on Stack Overflow, so I guess it may also be due to the same reason.
Reproduce this issue:
git clone https://github.com/sledgeh4w/chomper.git
cd chomper
pip3 install capstone lief pyelftools unicorn
pip3 install .
# Replace libunicorn.2.dylib with a locally compiled version, otherwise it crashes immediately (that is a separate issue).
# example_ios_ali_vmp_sign.py and example_ios_bangbang.py crash, but example_ios_ijm.py does not.
python3 examples/example_ios_ali_vmp_sign.py
# Some output logs appear at first, but after running for a while it eventually crashes.
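The report above is in the usual macOS "Translated Report" format, and the fields an analyst reads first (the faulting address, the VM region it falls in and that region's protection, the access type that faulted, the innermost frame inside the library under study) are spread over several sections. The script below is an added example, not code from the Unicorn project or from the issue's author: it parses an excerpt of the report quoted above, embedded in the script so it runs offline, and reduces it to those fields. It also flags the combination visible in this report, where the region table lists the page as writable yet the kernel still reported KERN_PROTECTION_FAILURE on a write, so that the analyst looks for a finer-grained protection than the region summary shows rather than for an unmapped address. The verdict labels and all function names are this example's own, not terminology from the report format.

```python
"""Triage helper for a macOS 'Translated Report' crash log (added example)."""
import re

# Excerpt of the crash report quoted in the issue, embedded so the script runs offline.
SAMPLE_REPORT = """\
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x000000028021e208
Termination Reason: Namespace SIGNAL, Code 10 Bus error: 10
VM Region Info: 0x28021e208 is in 0x280000000-0x2c0000000; bytes after start: 2220552 bytes before end: 1071521271
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
unused __TEXT 27c1e0000-27c1e4000 [ 16K] r--/r-- SM=COW ...ed lib __TEXT
GAP OF 0x3e1c000 BYTES
---> VM_ALLOCATE 280000000-2c0000000 [ 1.0G] rwx/rwx SM=PRV
VM_ALLOCATE (reserved) 2c0000000-2c8000000 [128.0M] rw-/rwx SM=NUL ...(unallocated)
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libunicorn.2.dylib 0x1086e0ddc tb_add_jump + 160 (cpu-exec.c:228)
1 libunicorn.2.dylib 0x1086e0400 tb_find + 828 (cpu-exec.c:291)
2 libunicorn.2.dylib 0x1086df8b8 cpu_exec_aarch64 + 296 (cpu-exec.c:602)
3 libunicorn.2.dylib 0x10867fa34 tcg_cpu_exec + 96 (cpus.c:96)
4 libunicorn.2.dylib 0x10867f94c resume_all_vcpus_aarch64 + 100 (cpus.c:215)
5 libunicorn.2.dylib 0x10867fc28 vm_start_aarch64 + 24 (cpus.c:234)
6 libunicorn.2.dylib 0x10841c5c4 uc_emu_start + 1176 (uc.c:1101)
7 libffi.dylib 0x19b082050 ffi_call_SYSV + 80
Thread 0 crashed with ARM Thread State (64-bit):
far: 0x000000028021e208 esr: 0x9200004f (Data Abort) byte write Permission fault
"""

EXC_RE = re.compile(r"^Exception Codes:\s+([A-Z_]+) at (0x[0-9a-f]+)", re.M)
# One row of the VM Region Info table: name, start-end, [size], prot/max_prot, SM=mode.
REGION_RE = re.compile(
    r"^(?:--->\s*)?(.+?)\s+([0-9a-f]+)-([0-9a-f]+)\s+\[\s*[\d.]+[KMG]\]\s+"
    r"([rwx-]{3})/([rwx-]{3})\s+SM=(\S+)", re.M)
# One backtrace frame: index, image, pc, symbol+offset, optional (file:line).
FRAME_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(.+?)(?:\s+\(([^()]+:\d+)\))?$", re.M)
ESR_RE = re.compile(
    r"^far:\s+(0x[0-9a-f]+)\s+esr:\s+(0x[0-9a-f]+)\s+\(([^)]+)\)\s*(.*)$", re.M)
CRASHED_RE = re.compile(r"^Thread \d+ Crashed::", re.M)
STATE_RE = re.compile(r"^Thread \d+ crashed with", re.M)


def parse_report(text):
    """Extract exception code, VM regions, crashed-thread frames and fault details."""
    exc = EXC_RE.search(text)
    regions = [{"type": m.group(1).strip(), "start": int(m.group(2), 16),
                "end": int(m.group(3), 16), "prot": m.group(4),
                "max_prot": m.group(5), "share": m.group(6)}
               for m in REGION_RE.finditer(text)]
    # Only frames between "Thread N Crashed::" and the register dump belong to the crash.
    frames = []
    start, end = CRASHED_RE.search(text), STATE_RE.search(text)
    if start:
        body = text[start.end():end.start() if end else len(text)]
        frames = [{"index": int(m.group(1)), "image": m.group(2),
                   "pc": int(m.group(3), 16), "symbol": m.group(4),
                   "location": m.group(5)} for m in FRAME_RE.finditer(body)]
    esr = ESR_RE.search(text)
    return {"exception_code": exc.group(1) if exc else None,
            "fault_addr": int(exc.group(2), 16) if exc else None,
            "regions": regions, "frames": frames,
            "fault_desc": esr.group(4) if esr else ""}


def region_for(addr, regions):
    """Return the VM region containing addr, or None if no region covers it."""
    for r in regions:
        if r["start"] <= addr < r["end"]:
            return r
    return None


def first_frame_in(frames, image):
    """Innermost backtrace frame that belongs to the given image, or None."""
    return next((f for f in frames if f["image"] == image), None)


def triage(text, image):
    """Summarise one report: where it faulted, in what region, and why that is notable."""
    rep = parse_report(text)
    addr = rep["fault_addr"]
    region = region_for(addr, rep["regions"]) if addr is not None else None
    access = "w" if "write" in rep["fault_desc"].lower() else "r"
    if region is None:
        verdict = "unmapped"                # no region covers the faulting address
    elif rep["exception_code"] == "KERN_PROTECTION_FAILURE" and access in region["prot"]:
        # The region table permits this access, yet the kernel denied it: the
        # protection in effect is finer-grained than the region summary shows.
        verdict = "protection-mismatch"
    else:
        verdict = "protection-denied"       # region exists but never allowed this access
    frame = first_frame_in(rep["frames"], image)
    if frame is None:
        frame_text = None
    elif frame["location"]:
        frame_text = f"{frame['symbol']} ({frame['location']})"
    else:
        frame_text = frame["symbol"]
    return {"fault_addr": addr, "access": access,
            "region_type": region["type"] if region else None,
            "region_prot": region["prot"] if region else None,
            "frame": frame_text, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT, "libunicorn.2.dylib").items():
        print(f"{key:>12}: {hex(value) if isinstance(value, int) else value}")
```

Run against the excerpt it reports the faulting write at 0x28021e208 inside a 1.0G VM_ALLOCATE region listed as rwx, the innermost Unicorn frame tb_add_jump + 160 (cpu-exec.c:228), and the "protection-mismatch" verdict; pointing it at a full report file instead of SAMPLE_REPORT works unchanged, since frames outside the crashed thread's section are ignored.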