OSX 12.3 hang

PostPosted: Wed Mar 15, 2017 2:14 pm
by kvmanoj

We work on a kernel extension authorized by Apple and for a specific case the OS X 12.3 (Sierra) hangs and doesn't respond and the code is quite massive to narrow it down.
We tried to take a dump but couldn't get any clue on how to look into the root cause from the dump.

We looked into cpu usage, process threads and other info.

Is there any tool to check memory corruption for kernel extension on OS X ?
Any other inputs are greatly help and appreciated.


PostPosted: Thu Mar 16, 2017 1:43 am
by morpheus
So I'm biased here, but the only tool I know of is my own - I call it Xnoop, and it directly inspects kernel memory - on MacOS via a kext helper (or /dev/kmem) and on iOS via task for pid. This is not public however, and Tg uses it internally when we perform such inspections during consulting on bugs such as yours.

If I may suggest, set up the NMI debugger trap, as well as KDP, and when you get the hang, KDP will kick in and dump the kernel memory to a remote IP, wherein you can collect and analyze it.

PostPosted: Thu Mar 16, 2017 6:23 am
by kvmanoj
Thanks for the quick reply.

We have currently setup NMI trap and got the core dump created in remote machine and also have KEXT with "Dwarf with DSym" also enabled.
I have used lldb macros like showallstacks, showtaskthreads, showschedusage etc but what might be the reason for a hang, I am not sure theoretically as well.

Do you think memory corruption might cause the hang as well ?

Can you provide any inputs on what data to look into incase of hang ?

In our case, the machine doesn't freeze immediately.
One of the application (in our case Terminal) doesn't respond as we just run a shell script which has "ls; date; sleep"). We get the spinning beachball.
After that within 5-10 min, the new process spawning doesn't happen and then it freezes completely.

How to we get the Xnoop tool from you ? Do you provide some consultation ?


PostPosted: Fri Mar 17, 2017 11:32 am
by morpheus
Hello Manoj,

If you still have a terminal, it's not a complete hang. Try "procexp 0 threads" - that gets kernel threads as well. From there, it's easy to see what's hogging the CPU and where threads are.

Consultation, sure, but that's not me - that's via @Technologeeks.