Random crash when executing ssh after closing the only tab with Cmd-W #1959

Open
2 of 3 tasks
l2dy opened this issue Feb 11, 2024 · 5 comments
Labels
bug Bug that's either related to Blink Shell or prevents the user to use the app in normal conditions.

Comments

@l2dy
Contributor

l2dy commented Feb 11, 2024

Checklist

Configuration

Custom build of Blink commit df04676, iPadOS 17.3.1

Describe the bug

Note: I'm reporting a crash on my custom build of Blink because I don't have access to TestFlight or an official build. Please try to reproduce the crash on an official build before investigating.

With the following steps, I can reliably reproduce a crash of the ssh command or the entire app after a few attempts.

Steps to reproduce:

  1. Open Blink.
  2. Execute `ssh <unreachable_host>` (e.g. `ssh ::1`) once.
  3. Press Cmd+W to close the current tab.
  4. Execute `ssh <unreachable_host>` several times.
  5. If the app or the ssh command does not crash, repeat from step 3.

Address Sanitizer logs

Report 1 of 2:

```
=================================================================
==2156==ERROR: AddressSanitizer: heap-use-after-free on address 0x00010e57cdc0 at pc 0x000109256674 bp 0x00016b671900 sp 0x00016b671098
READ of size 1 at 0x00010e57cdc0 thread T1
    #0 0x109256670 in wrap_strcmp+0x488 (/private/var/containers/Bundle/Application/073A24BF-FB47-4621-867D-1D644A80E01D/Blink.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64e+0x1a670)
    #1 0x1090e8168 in ios_switchSession+0x7c (/private/var/containers/Bundle/Application/073A24BF-FB47-4621-867D-1D644A80E01D/Blink.app/Frameworks/ios_system.framework/ios_system:arm64+0x10168)
    #2 0x10483a590 in -[MCPSession setActiveSession]+0x6c (/private/var/containers/Bundle/Application/073A24BF-FB47-4621-867D-1D644A80E01D/Blink.app/Blink:arm64+0x100026590)
    #3 0x1048340c4 in -[MCPSession _runCommand:skipHistoryRecord:]+0x6a8 (/private/var/containers/Bundle/Application/073A24BF-FB47-4621-867D-1D644A80E01D/Blink.app/Blink:arm64+0x1000200c4)
    #4 0x104833824 in __47-[MCPSession enqueueCommand:skipHistoryRecord:]_block_invoke+0x19c (/private/var/containers/Bundle/Application/073A24BF-FB47-4621-867D-1D644A80E01D/Blink.app/Blink:arm64+0x10001f824)
    #5 0x10928e408 in __wrap_dispatch_async_block_invoke+0xc0 (/private/var/containers/Bundle/Application/073A24BF-FB47-4621-867D-1D644A80E01D/Blink.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64e+0x52408)
    #6 0x19a2046a4 in <redacted>+0x1c (/usr/lib/system/libdispatch.dylib:arm64e+0x26a4)
    #7 0x19a2062fc in <redacted>+0x10 (/usr/lib/system/libdispatch.dylib:arm64e+0x42fc)
    #8 0x19a20d890 in <redacted>+0x2e8 (/usr/lib/system/libdispatch.dylib:arm64e+0xb890)
    #9 0x19a20e3c0 in <redacted>+0x178 (/usr/lib/system/libdispatch.dylib:arm64e+0xc3c0)
    #10 0x19a219000 in <redacted>+0x11c (/usr/lib/system/libdispatch.dylib:arm64e+0x17000)
    #11 0x19a218874 in <redacted>+0x190 (/usr/lib/system/libdispatch.dylib:arm64e+0x16874)
    #12 0x1fc18f960 in _pthread_wqthread+0x11c (/usr/lib/system/libsystem_pthread.dylib:arm64e+0x1960)
    #13 0x1fc18fa00 in start_wqthread+0x4 (/usr/lib/system/libsystem_pthread.dylib:arm64e+0x1a00)

0x00010e57cdc0 is located 0 bytes inside of 194-byte region [0x00010e57cdc0,0x00010e57ce82)
freed by thread T0 here:
    #0 0x109290080 in __sanitizer_mz_free+0xf8 (/private/var/containers/Bundle/Application/073A24BF-FB47-4621-867D-1D644A80E01D/Blink.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64e+0x54080)
    #1 0x192216694 in <redacted>+0xc0 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0xc694)
    #2 0x19221609c in <redacted>+0x120 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0xc09c)
    #3 0x19222655c in _CFStringCreateWithFormatAndArgumentsReturningMetadata+0xfc (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x1c55c)
    #4 0x192281200 in CFStringCreateWithFormatAndArguments+0x9c (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x77200)
    #5 0x192281138 in CFStringCreateWithFormat+0x2c (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x77138)
    #6 0x19226e7a0 in <redacted>+0xd4 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x647a0)
    #7 0x192211b30 in <redacted>+0x114 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x7b30)
    #8 0x1922119f8 in <redacted>+0x30 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x79f8)
    #9 0x1922119ac in <redacted>+0x1c (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x79ac)
    #10 0x1922628b8 in <redacted>+0x184 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x588b8)
    #11 0x1922626c8 in <redacted>+0x160 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x586c8)
    #12 0x19226253c in <redacted>+0xa0 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x5853c)
    #13 0x19226243c in <redacted>+0x98 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x5843c)
    #14 0x192262244 in _CFPreferencesCopyAppValueWithContainerAndConfiguration+0x6c (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x58244)
    #15 0x1912087e8 in <redacted>+0x38 (/System/Library/Frameworks/Foundation.framework/Foundation:arm64e+0x647e8)
    #16 0x1cc0354bc in <redacted>+0x44 (/System/Library/Frameworks/PencilKit.framework/PencilKit:arm64e+0x654bc)
    #17 0x1cc0378d4 in <redacted>+0x10 (/System/Library/Frameworks/PencilKit.framework/PencilKit:arm64e+0x678d4)
    #18 0x1cc037888 in <redacted>+0x10 (/System/Library/Frameworks/PencilKit.framework/PencilKit:arm64e+0x67888)
    #19 0x1cc1f3b58 in <redacted>+0x44 (/System/Library/Frameworks/PencilKit.framework/PencilKit:arm64e+0x223b58)
    #20 0x1cc1f3e14 in <redacted>+0x30 (/System/Library/Frameworks/PencilKit.framework/PencilKit:arm64e+0x223e14)
    #21 0x1947d6ecc in <redacted>+0xb8 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x39fecc)
    #22 0x19474ac34 in <redacted>+0x34 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x313c34)
    #23 0x19474a9e4 in <redacted>+0xe4 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x3139e4)
    #24 0x194538270 in <redacted>+0x128 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x101270)
    #25 0x194641c14 in <redacted>+0xb8 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x20ac14)
    #26 0x1945e51c4 in <redacted>+0x1e4 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x1ae1c4)
    #27 0x1945e55b0 in <redacted>+0x54 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x1ae5b0)
    #28 0x1945e3d9c in <redacted>+0x156c (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x1acd9c)
    #29 0x1945e27c4 in <redacted>+0xb4 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x1ab7c4)

previously allocated by thread T0 here:
    #0 0x10928fbcc in __sanitizer_mz_malloc+0x94 (/private/var/containers/Bundle/Application/073A24BF-FB47-4621-867D-1D644A80E01D/Blink.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64e+0x53bcc)
    #1 0x1a223a190 in <redacted>+0x84 (/usr/lib/system/libsystem_malloc.dylib:arm64e+0x13190)
    #2 0x1a223a0f8 in <redacted>+0x44 (/usr/lib/system/libsystem_malloc.dylib:arm64e+0x130f8)
    #3 0x19222ce50 in <redacted>+0x60 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x22e50)
    #4 0x19222c73c in <redacted>+0x290 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x2273c)
    #5 0x19222c2fc in __CFStringAppendBytes+0x220 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x222fc)
    #6 0x19222896c in <redacted>+0x23cc (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x1e96c)
    #7 0x192226514 in _CFStringCreateWithFormatAndArgumentsReturningMetadata+0xb4 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x1c514)
    #8 0x192281200 in CFStringCreateWithFormatAndArguments+0x9c (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x77200)
    #9 0x192281138 in CFStringCreateWithFormat+0x2c (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x77138)
    #10 0x19226e7a0 in <redacted>+0xd4 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x647a0)
    #11 0x192211b30 in <redacted>+0x114 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x7b30)
    #12 0x1922119f8 in <redacted>+0x30 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x79f8)
    #13 0x1922119ac in <redacted>+0x1c (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x79ac)
    #14 0x1922628b8 in <redacted>+0x184 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x588b8)
    #15 0x1922626c8 in <redacted>+0x160 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x586c8)
    #16 0x19226253c in <redacted>+0xa0 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x5853c)
    #17 0x19226243c in <redacted>+0x98 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x5843c)
    #18 0x192262244 in _CFPreferencesCopyAppValueWithContainerAndConfiguration+0x6c (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x58244)
    #19 0x1912087e8 in <redacted>+0x38 (/System/Library/Frameworks/Foundation.framework/Foundation:arm64e+0x647e8)
    #20 0x1cc0354bc in <redacted>+0x44 (/System/Library/Frameworks/PencilKit.framework/PencilKit:arm64e+0x654bc)
    #21 0x1cc0378d4 in <redacted>+0x10 (/System/Library/Frameworks/PencilKit.framework/PencilKit:arm64e+0x678d4)
    #22 0x1cc037888 in <redacted>+0x10 (/System/Library/Frameworks/PencilKit.framework/PencilKit:arm64e+0x67888)
    #23 0x1cc1f3b58 in <redacted>+0x44 (/System/Library/Frameworks/PencilKit.framework/PencilKit:arm64e+0x223b58)
    #24 0x1cc1f3e14 in <redacted>+0x30 (/System/Library/Frameworks/PencilKit.framework/PencilKit:arm64e+0x223e14)
    #25 0x1947d6ecc in <redacted>+0xb8 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x39fecc)
    #26 0x19474ac34 in <redacted>+0x34 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x313c34)
    #27 0x19474a9e4 in <redacted>+0xe4 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x3139e4)
    #28 0x194538270 in <redacted>+0x128 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x101270)
    #29 0x194641c14 in <redacted>+0xb8 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x20ac14)

Thread T1 created by T0 here:
    <empty stack>

SUMMARY: AddressSanitizer: heap-use-after-free (/private/var/containers/Bundle/Application/073A24BF-FB47-4621-867D-1D644A80E01D/Blink.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64e+0x1a670) in wrap_strcmp+0x488
Shadow bytes around the buggy address:
  0x00010e57cb00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x00010e57cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00010e57cc00: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x00010e57cc80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x00010e57cd00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x00010e57cd80: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x00010e57ce00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x00010e57ce80: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x00010e57cf00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x00010e57cf80: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x00010e57d000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2156==ABORTING
```

Report 2 of 2:

```
=================================================================
==2186==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00010ed890c0 at pc 0x000109b22674 bp 0x00016b11d900 sp 0x00016b11d098
READ of size 1 at 0x00010ed890c0 thread T6
    #0 0x109b22670 in wrap_strcmp+0x488 (/private/var/containers/Bundle/Application/7E635F76-A137-412A-B958-F851608D9D42/Blink.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64e+0x1a670)
    #1 0x10986c168 in ios_switchSession+0x7c (/private/var/containers/Bundle/Application/7E635F76-A137-412A-B958-F851608D9D42/Blink.app/Frameworks/ios_system.framework/ios_system:arm64+0x10168)
    #2 0x104fbe590 in -[MCPSession setActiveSession]+0x6c (/private/var/containers/Bundle/Application/7E635F76-A137-412A-B958-F851608D9D42/Blink.app/Blink:arm64+0x100026590)
    #3 0x104fb80c4 in -[MCPSession _runCommand:skipHistoryRecord:]+0x6a8 (/private/var/containers/Bundle/Application/7E635F76-A137-412A-B958-F851608D9D42/Blink.app/Blink:arm64+0x1000200c4)
    #4 0x104fb7824 in __47-[MCPSession enqueueCommand:skipHistoryRecord:]_block_invoke+0x19c (/private/var/containers/Bundle/Application/7E635F76-A137-412A-B958-F851608D9D42/Blink.app/Blink:arm64+0x10001f824)
    #5 0x109b5a408 in __wrap_dispatch_async_block_invoke+0xc0 (/private/var/containers/Bundle/Application/7E635F76-A137-412A-B958-F851608D9D42/Blink.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64e+0x52408)
    #6 0x19a2046a4 in <redacted>+0x1c (/usr/lib/system/libdispatch.dylib:arm64e+0x26a4)
    #7 0x19a2062fc in <redacted>+0x10 (/usr/lib/system/libdispatch.dylib:arm64e+0x42fc)
    #8 0x19a20d890 in <redacted>+0x2e8 (/usr/lib/system/libdispatch.dylib:arm64e+0xb890)
    #9 0x19a20e3c0 in <redacted>+0x178 (/usr/lib/system/libdispatch.dylib:arm64e+0xc3c0)
    #10 0x19a219000 in <redacted>+0x11c (/usr/lib/system/libdispatch.dylib:arm64e+0x17000)
    #11 0x19a218874 in <redacted>+0x190 (/usr/lib/system/libdispatch.dylib:arm64e+0x16874)
    #12 0x1fc18f960 in _pthread_wqthread+0x11c (/usr/lib/system/libsystem_pthread.dylib:arm64e+0x1960)
    #13 0x1fc18fa00 in start_wqthread+0x4 (/usr/lib/system/libsystem_pthread.dylib:arm64e+0x1a00)

0x00010ed890c0 is located 96 bytes after 224-byte region [0x00010ed88f80,0x00010ed89060)
allocated by thread T0 here:
    #0 0x109b5b6c8 in wrap_calloc+0x9c (/private/var/containers/Bundle/Application/7E635F76-A137-412A-B958-F851608D9D42/Blink.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64e+0x536c8)
    #1 0x1a2248828 in <redacted>+0x60 (/usr/lib/system/libsystem_malloc.dylib:arm64e+0x21828)
    #2 0x18a5f78d8 in class_createInstance+0x40 (/usr/lib/libobjc.A.dylib:arm64e+0x2b8d8)
    #3 0x19222adac in <redacted>+0x10 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x20dac)
    #4 0x1922338c0 in <redacted>+0x8c (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x298c0)
    #5 0x19223377c in CFDictionaryCreate+0x34 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x2977c)
    #6 0x193dc50bc in <redacted>+0x178 (/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics:arm64e+0x360bc)
    #7 0x193dc44a4 in <redacted>+0x58 (/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics:arm64e+0x354a4)
    #8 0x193dc3b6c in <redacted>+0x190 (/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics:arm64e+0x34b6c)
    #9 0x193dc3960 in <redacted>+0xe0 (/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics:arm64e+0x34960)
    #10 0x193d9be84 in CGColorTransformConvertColorComponents+0x26c (/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics:arm64e+0xce84)
    #11 0x193d9b09c in <redacted>+0x318 (/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics:arm64e+0xc09c)
    #12 0x193dcaa88 in <redacted>+0xe4 (/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics:arm64e+0x3ba88)
    #13 0x193d93e08 in <redacted>+0x1b0 (/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics:arm64e+0x4e08)
    #14 0x193d93bbc in <redacted>+0x460 (/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics:arm64e+0x4bbc)
    #15 0x193d9372c in <redacted>+0x538 (/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics:arm64e+0x472c)
    #16 0x193dbb960 in CGContextShowGlyphsWithAdvances+0x224 (/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics:arm64e+0x2c960)
    #17 0x193bed6c4 in <redacted>+0x61c (/System/Library/Frameworks/CoreText.framework/CoreText:arm64e+0x356c4)
    #18 0x193bed088 in <redacted>+0x838 (/System/Library/Frameworks/CoreText.framework/CoreText:arm64e+0x35088)
    #19 0x193bec7b8 in <redacted>+0x398 (/System/Library/Frameworks/CoreText.framework/CoreText:arm64e+0x347b8)
    #20 0x193bec33c in <redacted>+0xe4 (/System/Library/Frameworks/CoreText.framework/CoreText:arm64e+0x3433c)
    #21 0x19c7737b8 in <redacted>+0x6e8 (/System/Library/PrivateFrameworks/TextInputUI.framework/TextInputUI:arm64e+0x207b8)
    #22 0x19c773080 in <redacted>+0xa4 (/System/Library/PrivateFrameworks/TextInputUI.framework/TextInputUI:arm64e+0x20080)
    #23 0x194ec3364 in <redacted>+0x1a4 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0xa8c364)
    #24 0x194ec2cf8 in <redacted>+0x24c (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0xa8bcf8)
    #25 0x194ec1f70 in <redacted>+0x74 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0xa8af70)
    #26 0x1954c4c98 in <redacted>+0x13c (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x108dc98)
    #27 0x1954c4da4 in <redacted>+0x28 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x108dda4)
    #28 0x1954c5984 in <redacted>+0x31c (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x108e984)
    #29 0x194c66c90 in <redacted>+0xf4 (/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore:arm64e+0x82fc90)

Thread T6 created by unknown thread
SUMMARY: AddressSanitizer: heap-buffer-overflow (/private/var/containers/Bundle/Application/7E635F76-A137-412A-B958-F851608D9D42/Blink.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64e+0x1a670) in wrap_strcmp+0x488
Shadow bytes around the buggy address:
  0x00010ed88e00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x00010ed88e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x00010ed88f00: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x00010ed88f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00010ed89000: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x00010ed89080: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
  0x00010ed89100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x00010ed89180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x00010ed89200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x00010ed89280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x00010ed89300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2186==ABORTING
```
@l2dy l2dy added the bug Bug that's either related to Blink Shell or prevents the user to use the app in normal conditions. label Feb 11, 2024
@carloscabanero
Member

carloscabanero commented Feb 14, 2024

I think this is an issue with ios_system. It may also happen that, when launching a command after closing a window, you receive a "segmentation fault".

I will try to track this down for 17.3.0.

Please let me know if you find anything from your side. It is hard to catch though.

PS: Other tools in ios_system also have problems when dealing with control sequences, etc... It would be a good moment to take a deep look at them too.

@l2dy
Contributor Author

l2dy commented Feb 14, 2024

From the Address Sanitizer logs I attached in the OP, it seems that ios_switchSession is having trouble with a strcmp() call.

With the traditional "printf" debug method (l2dy-forks/ios_system@0de9a6e), I found a UAF that came from dereferencing currentSession->context (0x10c156580 in backtrace).

This may or may not be related to the segmentation fault, but it is definitely a bug.

```
ios_switchSession: before strcmp currentSession=0x10d817a80,currentSession.context=0x10c1480c0,sessionName=0x10cfb6421
ios_switchSession: strcmp currentSession=\M-IW\M^P\^D\^A,sessionName=7C01E794-38E9-4E88-9EED-006825C2643E-9060-000005AF28421777
ios_switchSession: before strcmp currentSession=0x10d815e80,currentSession.context=0x10c156580,sessionName=0x10cfb6421
ios_switchSession: strcmp currentSession=\M-IW\M^P\^D\^A,sessionName=7C01E794-38E9-4E88-9EED-006825C2643E-9060-000005AF28421777

[...snip...]

ios_switchSession: before strcmp currentSession=0x10d815e80,currentSession.context=0x10c156580,sessionName=0x10cf685b1
=================================================================
==9060==ERROR: AddressSanitizer: heap-use-after-free on address 0x00010c156580 at pc 0x000106be1ef0 bp 0x00016e00c070 sp 0x00016e00b830
READ of size 4 at 0x00010c156580 thread T8
    #0 0x106be1eec in wrap_strlen+0x244 (/private/var/containers/Bundle/Application/89A015D9-DB19-4474-8111-3ED5237A49F8/Blink.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64e+0x19eec)
    #1 0x1abab33a4 in <redacted>+0x7bc (/usr/lib/system/libsystem_trace.dylib:arm64e+0x53a4)
    #2 0x1abaafc0c in <redacted>+0x190 (/usr/lib/system/libsystem_trace.dylib:arm64e+0x1c0c)
    #3 0x1922a8b0c in _CFLogvEx3+0xb8 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x9eb0c)
    #4 0x191246074 in <redacted>+0xa0 (/System/Library/Frameworks/Foundation.framework/Foundation:arm64e+0xa2074)
    #5 0x191245fa8 in NSLog+0x34 (/System/Library/Frameworks/Foundation.framework/Foundation:arm64e+0xa1fa8)
    #6 0x107b879bc in ios_switchSession+0xb0 (/private/var/containers/Bundle/Application/89A015D9-DB19-4474-8111-3ED5237A49F8/Blink.app/Frameworks/ios_system.framework/ios_system:arm64+0xf9bc)
```

@l2dy
Contributor Author

l2dy commented Feb 14, 2024

https://github.com/holzschu/ios_system/blob/430d87dd15b42fc321cc256dc394ea93ab256e48/ios_system.m#L168-L170

currentSession seems to be a thread-local variable. Does Blink use separate threads to start each shell's ios_system session?

PS: `currentSession` is initialized on first use of `int ios_system(const char* inputCmd)` in each thread. https://github.com/holzschu/ios_system/blob/430d87dd15b42fc321cc256dc394ea93ab256e48/ios_system.m#L2629-L2632

@l2dy
Contributor Author

l2dy commented Feb 15, 2024

[screenshot: Xcode]

Without Address Sanitizer, Xcode pauses execution here. thread_context is also among the thread-local variables in ios_system, so it's very likely a thread-safety issue.

```c
// Thread-local input and output streams
extern __thread FILE* thread_stdin;
extern __thread FILE* thread_stdout;
extern __thread FILE* thread_stderr;
extern __thread void* thread_context;
```
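As an added illustration (not ios_system's or Blink's code), this constructed C model shows the failure mode discussed in the last three comments: a per-thread cached session pointer outlives the tab it belongs to, and a later command on the same worker thread would run strcmp() over the freed context, as in the sanitizer reports above. The hardened `switch_session` re-validates the cache under a registry lock before dereferencing it; `session_t`, `registry`, `session_open`, `session_close` and the generation counter are all hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a session registry plus a per-thread cache, in the
 * spirit of ios_system's thread-local currentSession. Not the real code. */
#define MAX_SESSIONS 4

typedef struct {
    char *context;        /* heap string naming the tab; NULL once closed */
    unsigned generation;  /* changes each time the slot is (re)opened */
} session_t;

static pthread_mutex_t reg_lock = PTHREAD_MUTEX_INITIALIZER;
static session_t registry[MAX_SESSIONS];  /* slots are static; only context is heap */
static unsigned next_generation = 1;

/* Per-thread cache: what this worker last switched to, and the generation
 * that pointer was valid for. */
static __thread session_t *cached = NULL;
static __thread unsigned cached_gen = 0;

/* Open a session (new tab). Returns its slot, or -1 if the registry is full. */
int session_open(const char *name) {
    int slot = -1;
    pthread_mutex_lock(&reg_lock);
    for (int i = 0; i < MAX_SESSIONS && slot < 0; i++) {
        if (registry[i].context == NULL) {
            registry[i].context = strdup(name);
            registry[i].generation = next_generation++;
            slot = i;
        }
    }
    pthread_mutex_unlock(&reg_lock);
    return slot;
}

/* Close a session (Cmd-W on the UI thread). Frees the context string under
 * the lock. Caches held by other worker threads cannot be cleared from here,
 * which is exactly why they must be re-validated before use. */
void session_close(int slot) {
    pthread_mutex_lock(&reg_lock);
    free(registry[slot].context);
    registry[slot].context = NULL;
    registry[slot].generation = 0;
    pthread_mutex_unlock(&reg_lock);
}

/* The unsafe pattern, shown only as a comment and never called:
 *     if (cached && strcmp(cached->context, name) == 0) ...
 * After session_close() on another thread, cached->context is freed memory
 * and strcmp() reads it: the heap-use-after-free ASan reports in wrap_strcmp.
 *
 * Safe variant: check the generation under the lock (the slot is static
 * storage, so reading it is always defined), drop a stale cache, and fall back
 * to a lookup by name. Returns the slot, or -1 if the session no longer exists. */
int switch_session(const char *name) {
    int slot = -1;
    pthread_mutex_lock(&reg_lock);
    if (cached && cached->generation == cached_gen && cached->context &&
        strcmp(cached->context, name) == 0) {
        slot = (int)(cached - registry);
    } else {
        cached = NULL;
        cached_gen = 0;
        for (int i = 0; i < MAX_SESSIONS && slot < 0; i++) {
            if (registry[i].context && strcmp(registry[i].context, name) == 0) {
                cached = &registry[i];
                cached_gen = registry[i].generation;
                slot = i;
            }
        }
    }
    pthread_mutex_unlock(&reg_lock);
    return slot;
}
```

Running `session_open`, `switch_session`, `session_close` and then `switch_session` again for the same name reproduces the sequence from the steps above (ssh, Cmd-W, ssh), with the stale cache rejected instead of dereferenced.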

@carloscabanero
Member

If I recall, and I have not touched this for some time, yeah we should be using separate threads. But there may be some internal mechanisms though that are not working well or that we are not using properly. I have another hunch that there is something with the descriptors getting mixed in some cases.
