
(3.1.0) crash on launch when installed using deb/jailbreak #3628

Open
greybaron opened this issue Feb 14, 2022 · 30 comments
Labels
crash Application crashes
Milestone

Comments

@greybaron (Author)

3.1.0 only starts when properly sideloaded. When clean installed or upgraded using the deb (or ipa+Filza) it crashes on launch.

iPadOS 14.3 A12X
crash.log

@conath (Contributor) commented Feb 14, 2022

Looks like it's crashing during a SwiftUI view update. Relevant portion of the log:

Date: 2/14/22, 10:44 AM
Process: UTM
Bundle id: com.utmapp.UTM
Device: iPad Pro (11-inch), iOS 14.3
Bundle version: 3.1.0

Exception type: EXC_BAD_ACCESS (SIGSEGV)
Exception subtype: KERN_INVALID_ADDRESS: 0x0
Exception codes: 0x0000000000000001, 0x0000000000000000
Culprit: Unknown
VM Protection: 0x0 is not in any region.

Triggered by thread: 0
Thread name: Dispatch queue: com.apple.main-thread
Call stack:
0   libswiftCore.dylib            	0x0000000187d2d4c0 0x1879a0000 + 3724480    	// swift::ResolveAsSymbolicReference::operator()(swift::Demangle::SymbolicReferenceKind, swift::Demangle::Directness, int, void const*)
1   libswiftCore.dylib            	0x0000000187d47f44 0x1879a0000 + 3833668    	// swift::Demangle::Demangler::demangleSymbolicReference(unsigned char)
2   libswiftCore.dylib            	0x0000000187d47f44 0x1879a0000 + 3833668    	// swift::Demangle::Demangler::demangleSymbolicReference(unsigned char)
3   libswiftCore.dylib            	0x0000000187d44dd4 0x1879a0000 + 3821012    	// swift::Demangle::Demangler::demangleType(llvm::StringRef, std::__1::function<swift::Demangle::Node* (swift::Demangle::SymbolicReferenceKind, swift::Demangle::Directness, int, void const*)>)
4   libswiftCore.dylib            	0x0000000187d32d70 0x1879a0000 + 3747184    	// swift_getTypeByMangledNameImpl(swift::MetadataRequest, llvm::StringRef, void const* const*, std::__1::function<swift::TargetMetadata<swift::InProcess> const* (unsigned int, unsigned int)>, std::__1::function<swift::TargetWitnessTable<swift::InProcess> const* (swift::TargetMetadata<swift::InProcess> const*, unsigned int)>)
5   libswiftCore.dylib            	0x0000000187d303c4 0x1879a0000 + 3736516    	// swift::swift_getTypeByMangledName(swift::MetadataRequest, llvm::StringRef, void const* const*, std::__1::function<swift::TargetMetadata<swift::InProcess> const* (unsigned int, unsigned int)>, std::__1::function<swift::TargetWitnessTable<swift::InProcess> const* (swift::TargetMetadata<swift::InProcess> const*, unsigned int)>)
6   libswiftCore.dylib            	0x0000000187d30600 0x1879a0000 + 3737088    	// swift_getTypeByMangledNameInContext
7   UTM                           	0x0000000100a5a67c 0x1009e4000 + 484988     	// func_100076648
8   SwiftUI                       	0x000000018a7eed24 0x18a315000 + 5086500    	// thunk for @escaping @callee_guaranteed () -> ()
9   SwiftUI                       	0x000000018a7eed4c 0x18a315000 + 5086540    	// thunk for @escaping @callee_guaranteed () -> (@out ())
10  SwiftUI                       	0x000000018a7eed24 0x18a315000 + 5086500    	// thunk for @escaping @callee_guaranteed () -> ()
11  SwiftUI                       	0x000000018ac35c34 0x18a315000 + 9571380    	// closure #1 in ViewRendererHost.render(interval:updateDisplayList:)
12  SwiftUI                       	0x000000018ac2ccd4 0x18a315000 + 9534676    	// ViewRendererHost.render(interval:updateDisplayList:)
13  SwiftUI                       	0x000000018adb1c30 0x18a315000 + 11127856   	// _UIHostingView.layoutSubviews()
14  SwiftUI                       	0x000000018adb1c64 0x18a315000 + 11127908   	// @objc _UIHostingView.layoutSubviews()
15  UIKitCore                     	0x0000000186cb2f84 0x185b9d000 + 17915780   	// -[UIView(CALayerDelegate) layoutSublayersOfLayer:]
16  QuartzCore                    	0x00000001871cd7b4 0x18706e000 + 1439668    	// -[CALayer layoutSublayers]
17  QuartzCore                    	0x00000001871cdc88 0x18706e000 + 1440904    	// CA::Layer::layout_if_needed(CA::Transaction*)
18  QuartzCore                    	0x00000001871e247c 0x18706e000 + 1524860    	// CA::Layer::layout_and_display_if_needed(CA::Transaction*)
19  QuartzCore                    	0x0000000187127a6c 0x18706e000 + 760428     	// CA::Context::commit_transaction(CA::Transaction*, double, double*)
20  QuartzCore                    	0x0000000187152f34 0x18706e000 + 937780     	// CA::Transaction::commit()
21  UIKitCore                     	0x0000000186785020 0x185b9d000 + 12484640   	// __34-[UIApplication _firstCommitBlock]_block_invoke_2
22  CoreFoundation                	0x0000000183d2e49c 0x183c8d000 + 660636     	// __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__
23  CoreFoundation                	0x0000000183d2d6e4 0x183c8d000 + 657124     	// __CFRunLoopDoBlocks
24  CoreFoundation                	0x0000000183d27aa0 0x183c8d000 + 633504     	// __CFRunLoopRun
25  CoreFoundation                	0x0000000183d2721c 0x183c8d000 + 631324     	// CFRunLoopRunSpecific
26  GraphicsServices              	0x000000019b82b784 0x19b828000 + 14212      	// GSEventRunModal
27  UIKitCore                     	0x0000000186765fe0 0x185b9d000 + 12357600   	// -[UIApplication _run]
28  UIKitCore                     	0x000000018676b854 0x185b9d000 + 12380244   	// UIApplicationMain
29  SwiftUI                       	0x000000018ac6fb78 0x18a315000 + 9808760    	// closure #1 in KitRendererCommon(_:)
30  SwiftUI                       	0x000000018ac6fb04 0x18a315000 + 9808644    	// runApp<A>(_:)
31  SwiftUI                       	0x000000018a7c7734 0x18a315000 + 4925236    	// static App.main()
32  UTM                           	0x0000000100b2a858 0x1009e4000 + 1337432    	// func_100145fc4
33  UTM                           	0x0000000100a599f4 0x1009e4000 + 481780     	// func_1000759e8
34  libdyld.dylib                 	0x00000001839e76b0 0x1839e6000 + 5808       	// start

@conath conath added the crash Application crashes label Feb 14, 2022
@conath conath added this to the v3.1 milestone Feb 14, 2022
@osy (Contributor) commented Feb 15, 2022

Does this happen for sideloaded IPA as well?

@osy (Contributor) commented Feb 15, 2022

I am unable to reproduce this crash on a jailbroken iOS 14.3 device with no installed tweaks. I suspect some tweak is causing the issue.

@greybaron (Author)

Does this happen for sideloaded IPA as well?

No, when sideloaded it works fine. I have disabled all tweaks except AppSync and it still happens. Let me know if I can test anything else.

@osy (Contributor) commented Feb 15, 2022

If you sideload it but launch it while jailbroken (with app sync, do not use AltJIT or anything), what happens? Are you able to launch VMs?

@greybaron (Author)

Yes, sideloaded also works when jailbroken.

@osy (Contributor) commented Feb 15, 2022

How are you installing the DEB?

@greybaron (Author)

Using Sileo, but the same issue occurs when installing the IPA using Filza.

@greybaron (Author)

I've now tested this on an iPhone 6 (iOS 12.5.5), also using Filza, and it crashes there as well.

@osy (Contributor) commented Feb 15, 2022

Can you also attach the crash log from iPhone 6?

@greybaron (Author)

I think it is crashing for a different reason; here you go:
crash-ios12.txt

@osy (Contributor) commented Feb 15, 2022

I think it is crashing for a different reason; here you go:
crash-ios12.txt

This seems to be an Xcode issue that will be fixed: https://forums.swift.org/t/swift-concurrency-back-deploy-issue/53917/28

Let's focus on the original issue for now.

@osy (Contributor) commented Feb 15, 2022

How are you jailbreaking?

@greybaron (Author)

I'm jailbroken using Taurine (latest, 1.1.1).

@osy (Contributor) commented Feb 15, 2022

Okay, I can reproduce it with Taurine. I used unc0ver, which is working. I think the issue may be with libhooker, since that's the main difference. Anyone know the best way to contact the devs?

@osy (Contributor) commented Feb 22, 2022

Building on Xcode 13.3 beta is gated on GitHub Actions updating to macOS 12 actions/runner-images#3649

If this isn't solved soon, we may have to use an alternative CI...

osy added a commit that referenced this issue Feb 22, 2022
Xcode 13.2 has a bug where back deploying to iOS 13 and below crashes.
https://forums.swift.org/t/swift-concurrency-back-deploy-issue/53917/28

Fixes #3628
Fixes #3654
@osy (Contributor) commented Feb 23, 2022

@greybaron Can you test the latest deb on iOS 12 (I think it's still broken in Taurine)? https://github.com/utmapp/UTM/releases/download/v3.1.1/UTM.deb

@greybaron (Author)

@osy 3.1.1 now works on iOS 12. Still broken on Taurine.
Also, I just wanted to clarify: 3.0.x worked on Taurine. So maybe the new setup wizard or another UI change for some reason breaks when using Taurine and not sideloading.

@osy (Contributor) commented Feb 23, 2022

Yes, I know; I can reproduce the issue on my side.

@osy (Contributor) commented Feb 23, 2022

I’m not up to date with jailbreaking but is there a reason to choose Taurine over unc0ver?

@greybaron (Author) commented Mar 1, 2022

Well, since both serve the same goal, it comes down to what works better for each setup. The last time I used unc0ver, I had issues with Spotlight and AirDrop stopping working after not rebooting for a while, and more jetsam memory violations. Since I haven't used u0 for a while, I'm going to switch to u0 to test this again. But it would be great if UTM implements a Taurine workaround, if coolstar won't fix this. (I see you already reported this.)

@osy osy modified the milestones: v3.1, Future Mar 7, 2022
@zhuowei commented Jun 2, 2022

I have a really stupid workaround (Taurine 1.1.3, iOS 14.1, UTM built from 2224ffa; I SFTPed the UTM.app directly into /Applications since I don't have AppSync):

  • ssh into my phone as root
  • run DYLD_INSERT_LIBRARIES=/Applications/UTM.app/Frameworks/libswift_Concurrency.dylib /Applications/UTM.app/UTM once
  • UTM will open normally until the library gets removed from disk cache or the next userspace reboot

I noticed the crash happens in swift_getTypeByMangledNameInContext: since the concurrency stuff introduced new manglings, crashing here means that the concurrency/async backdeploy stuff is failing to load on Taurine. Indeed, when I look at the crash log, there's no libswift_Concurrency.dylib. It looks like running from the command line once forces the library to load for some strange reason.

@osy (Contributor) commented Jun 2, 2022

I'm wondering if maybe libhooker is somehow causing it to load for some reason, because the same error doesn't happen on unc0ver.

@zhuowei commented Jun 2, 2022

I've tried creating /.disable_tweakinject and even attaching at startup and manually removing DYLD_INSERT_LIBRARIES from the env vars; even without any Taurine libs injected into the process, libswift_Concurrency.dylib still didn't load. The only way to get it to load is to run DYLD_INSERT_LIBRARIES=/Applications/UTM.app/Frameworks/libswift_Concurrency.dylib any_other_process in an ssh session.

I'm guessing Taurine has trouble validating libswift_Concurrency.dylib when it's included in an app?

@htdag commented Nov 1, 2022

UTM.HV.ipa 4.1.0 (TrollStore) still doesn't work.

@zhuowei This app can load libswift_Concurrency.dylib without any problem: https://github.com/SerenaKit/Santander (tested: TrollStore; Taurine; 14.2; 7+). Please take a look.

@CubeBag commented Mar 7, 2023

A user on the r/Jailbreak Discord also reported this issue on Taurine with the latest version of UTM (both the tweak version and the TrollStore version while jailbroken). They said that disabling tweaks inside UTM using libhooker-configurator did not work (while rebooting into an unjailbroken state and using TrollStore did). Here is their log: https://cdn.discordapp.com/attachments/688122301975363591/1082475809392042015/UTM-2023-03-06-163701.ips

@osy (Contributor) commented Mar 7, 2023

Yes, we had a conversation about this, here's the relevant line:

2   pspawn_payload-stg2.dylib     	0x000000010327ebac 0x103278000 + 27564

It's crashing because UTM uses posix_spawn to get JIT working for TrollStore. This is hooked by https://github.com/coolstar/electra/blob/master/basebinaries/pspawn_payload/pspawn_payload.m, which causes the crash. I believe it's a separate issue from the one referenced at the top of this issue.
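The two crash signatures discussed in this thread (the swift_getTypeByMangledName* fault with no libswift_Concurrency.dylib in the stack, noted by zhuowei above, and the pspawn_payload-stg2.dylib frame osy quotes here) can be picked out mechanically from the plain-text log format shown earlier. The script below is an added triage helper, not code from the UTM project or from anyone in this thread. It parses the "Key: value" header lines and the call-stack frames, checks that each frame's address minus image base equals the printed offset (a cheap sanity check against truncated or hand-edited logs), and reports the two patterns as heuristics. Both sample logs are constructed here: the first reproduces header fields and a subset of frames from the 3.1.0 crash.log quoted above (symbols abbreviated); the second contains only the single frame osy quoted from the TrollStore/Taurine log. Absence of a library from the stack is suggestive, not proof that it never loaded, so the findings are phrased as suspicions.

```python
import re
from collections import Counter

# One call-stack frame as printed in the logs quoted in this thread:
#   <index>  <module>  <address> <image base> + <offset>   // <symbol>
# The trailing "// symbol" part is optional (the pspawn_payload line has none).
FRAME_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<module>\S+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+"
    r"(?P<base>0x[0-9a-fA-F]+)\s+\+\s+(?P<offset>\d+)"
    r"(?:\s+//\s*(?P<symbol>.*?))?\s*$"
)
# "Key: value" header lines such as "Exception type: EXC_BAD_ACCESS (SIGSEGV)".
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*):\s*(?P<value>.+)$")

# Constructed sample: header fields and a subset of frames copied from the
# 3.1.0 crash.log quoted earlier in this thread (symbols abbreviated).
SAMPLE_LOG = """\
Process: UTM
Bundle id: com.utmapp.UTM
Bundle version: 3.1.0

Exception type: EXC_BAD_ACCESS (SIGSEGV)
Exception subtype: KERN_INVALID_ADDRESS: 0x0

Triggered by thread: 0
Call stack:
0   libswiftCore.dylib            \t0x0000000187d2d4c0 0x1879a0000 + 3724480    \t// swift::ResolveAsSymbolicReference::operator()(...)
4   libswiftCore.dylib            \t0x0000000187d32d70 0x1879a0000 + 3747184    \t// swift_getTypeByMangledNameImpl(...)
6   libswiftCore.dylib            \t0x0000000187d30600 0x1879a0000 + 3737088    \t// swift_getTypeByMangledNameInContext
7   UTM                           \t0x0000000100a5a67c 0x1009e4000 + 484988     \t// func_100076648
8   SwiftUI                       \t0x000000018a7eed24 0x18a315000 + 5086500    \t// thunk for @escaping @callee_guaranteed () -> ()
12  SwiftUI                       \t0x000000018ac2ccd4 0x18a315000 + 9534676    \t// ViewRendererHost.render(interval:updateDisplayList:)
34  libdyld.dylib                 \t0x00000001839e76b0 0x1839e6000 + 5808       \t// start
"""

# Constructed sample for the TrollStore/Taurine report: only the frame osy
# quoted is reproduced; the rest of that log is not on the page.
SAMPLE_INJECTED_LOG = """\
Process: UTM
Call stack:
2   pspawn_payload-stg2.dylib     \t0x000000010327ebac 0x103278000 + 27564
"""


def parse_crash_log(text):
    """Split a log into header fields and parsed call-stack frames."""
    headers, frames = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append({
                "index": int(m["index"]),
                "module": m["module"],
                "addr": int(m["addr"], 16),
                "base": int(m["base"], 16),
                "offset": int(m["offset"]),
                "symbol": m["symbol"] or "",
            })
            continue
        h = HEADER_RE.match(line)
        if h:
            headers[h["key"].strip()] = h["value"].strip()
    return {"headers": headers, "frames": frames}


def offset_consistent(frame):
    """address - image base must equal the printed offset."""
    return frame["addr"] - frame["base"] == frame["offset"]


def module_summary(frames):
    """How many frames each image contributes."""
    return Counter(f["module"] for f in frames)


def diagnose(report):
    """Heuristic findings for the two failure patterns discussed in this thread."""
    frames = report["frames"]
    modules = {f["module"] for f in frames}
    symbols = " ".join(f["symbol"] for f in frames)
    findings = []
    # Pattern 1 (zhuowei's observation): a fault inside the mangled-name metadata
    # lookup while libswift_Concurrency.dylib is nowhere on the stack suggests the
    # back-deployed concurrency library never loaded.
    if "swift_getTypeByMangledName" in symbols and "libswift_Concurrency.dylib" not in modules:
        findings.append(
            "fault in swift_getTypeByMangledName* with libswift_Concurrency.dylib absent "
            "from the stack: suspect the concurrency back-deployment library failed to load"
        )
    # Pattern 2 (osy's TrollStore/Taurine analysis): code injected by the
    # jailbreak shows up as its own image on the stack.
    for module in sorted(m for m in modules if m.startswith("pspawn_payload")):
        findings.append(f"jailbreak-injected image on the stack: {module}")
    bad = [f["index"] for f in frames if not offset_consistent(f)]
    if bad:
        findings.append(f"frames whose address/base/offset disagree: {bad}")
    return findings


if __name__ == "__main__":
    for name, log in (("3.1.0 crash.log", SAMPLE_LOG), ("TrollStore log", SAMPLE_INJECTED_LOG)):
        report = parse_crash_log(log)
        print(name, report["headers"].get("Exception type", "?"), dict(module_summary(report["frames"])))
        for finding in diagnose(report):
            print("  -", finding)
```

Run it as-is to see both findings, or point parse_crash_log at the text of a full crash.log; the offset check is the part worth keeping when triaging logs forwarded from third parties, since a report whose frames do not add up is not worth chasing.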

@eglacias commented Apr 3, 2023

Just to confirm, I have the same issue. Shortly I will have an iOS 14.4 device to test on as well. I also have one on 12.4.1 and one on 12.4 running UTM.

I.e., installing the latest TrollStore version, installing from Sileo (either the latest version or version 3.1.x from Filza), or installing the latest from Filza, crashes on launch. Unjailbroken, it will launch, but of course cannot do anything until it's jailbroken; jailbreak with Taurine and it crashes immediately.

iOS 14.3 iPhone 6s Plus

@eglacias commented Apr 5, 2023

So should we open a separate issue referencing pspawn_payload-stg2.dylib?

@osy (Contributor) commented Apr 5, 2023

No, you should contact the devs of your jailbreak as it’s injecting code that breaks UTM.
