ex0dus-0x / fuzzable

Framework for Automating Fuzzable Target Discovery with Static Analysis.
MIT License

Binary ninja plugin crashes on "Analyze and Rank functions" #53

Open AsherDLL opened 1 year ago

AsherDLL commented 1 year ago

Hi,

I updated the Binary Ninja plugin today to version 2.0.5 of fuzzable and it crashes every time I run "Analyze and Rank functions". I am using Binary Ninja version 3.3.3996.

Please find attached the report of the crashed thread:

OS Version: macOS 12.6 (21G115)

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
abort() called

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib                 0x18204ed98 __pthread_kill + 8
1   libsystem_pthread.dylib                0x182083ee0 pthread_kill + 288
2   libsystem_c.dylib                      0x181fbe340 abort + 168
3   libc++abi.dylib                        0x18203eb08 abort_message + 132
4   libc++abi.dylib                        0x18202e938 demangling_terminate_handler() + 312
5   libobjc.A.dylib                        0x181f24330 _objc_terminate() + 160
6   libc++abi.dylib                        0x18203dea4 std::__terminate(void (*)()) + 20
7   libc++abi.dylib                        0x182040c1c __cxxabiv1::failed_throw(__cxxabiv1::__cxa_exception*) + 36
8   libc++abi.dylib                        0x182040bc8 __cxa_throw + 140
9   libbinaryninjacore.1.dylib             0x111f8931c 0x111f50000 + 234268
10  libbinaryninjacore.1.dylib             0x111f7e15c 0x111f50000 + 188764
11  libbinaryninjacore.1.dylib             0x1127b3350 0x111f50000 + 8794960
12  libbinaryninjacore.1.dylib             0x1127b6b24 BNSettingsGetStringList + 192
13  libffi.dylib                           0x190314050 ffi_call_SYSV + 80
14  libffi.dylib                           0x19031cae8 ffi_call_int + 1208
15  _ctypes.cpython-310-darwin.so          0x1100310e0 _ctypes_callproc + 872
16  _ctypes.cpython-310-darwin.so          0x11002b91c PyCFuncPtr_call + 216
17  Python                                 0x11bfed290 _PyObject_MakeTpCall + 136
18  Python                                 0x11c0e6f0c call_function + 272
19  Python                                 0x11c0e46bc _PyEval_EvalFrameDefault + 42928
20  Python                                 0x11c0d8cac _PyEval_Vector + 376
21  Python                                 0x11c0e6e7c call_function + 128
22  Python                                 0x11c0e4694 _PyEval_EvalFrameDefault + 42888
23  Python                                 0x11c0d8cac _PyEval_Vector + 376
24  Python                                 0x11c0e6e7c call_function + 128
25  Python                                 0x11c0e461c _PyEval_EvalFrameDefault + 42768
26  Python                                 0x11c0d8cac _PyEval_Vector + 376
27  Python                                 0x11c0e6e7c call_function + 128
28  Python                                 0x11c0e46bc _PyEval_EvalFrameDefault + 42928
29  Python                                 0x11c0d8cac _PyEval_Vector + 376
30  Python                                 0x11c0e6e7c call_function + 128
31  Python                                 0x11c0e4694 _PyEval_EvalFrameDefault + 42888
32  Python                                 0x11c0d8cac _PyEval_Vector + 376
33  _ctypes.cpython-310-darwin.so          0x11002f870 _CallPythonObject + 548
34  libffi.dylib                           0x19031cf34 ffi_closure_SYSV_inner + 816
35  libffi.dylib                           0x1903141e8 ffi_closure_SYSV + 56
36  libbinaryninjaui.1.dylib               0x102b23520 0x102ac0000 + 406816
37  libbinaryninjaui.1.dylib               0x102af4b78 UIActionHandler::executeAction(QString const&, UIActionContext const&) + 164
38  libbinaryninjaui.1.dylib               0x102b30120 0x102ac0000 + 459040
39  QtCore                                 0x1024db63c void doActivate<false>(QObject*, int, void**) + 780
40  QtGui                                  0x101f58164 QAction::activate(QAction::ActionEvent) + 368
41  QtCore                                 0x1024d418c QObject::event(QEvent*) + 604
42  QtWidgets                              0x103220990 QApplicationPrivate::notify_helper(QObject*, QEvent*) + 272
43  QtWidgets                              0x103221914 QApplication::notify(QObject*, QEvent*) + 512
44  QtCore                                 0x102491fb0 QCoreApplication::notifyInternal2(QObject*, QEvent*) + 292
45  QtCore                                 0x1024932c4 QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) + 1428
46  libqcocoa.dylib                        0x1019bbf08 QCocoaEventDispatcherPrivate::processPostedEvents() + 312
47  libqcocoa.dylib                        0x1019bc584 QCocoaEventDispatcherPrivate::postedEventsSourceCallback(void*) + 48
48  CoreFoundation                         0x182150f94 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28
49  CoreFoundation                         0x182150ee0 __CFRunLoopDoSource0 + 208
50  CoreFoundation                         0x182150be0 __CFRunLoopDoSources0 + 268
51  CoreFoundation                         0x18214f560 __CFRunLoopRun + 828
52  CoreFoundation                         0x18214ea84 CFRunLoopRunSpecific + 600
53  HIToolbox                              0x18ad8e338 RunCurrentEventLoopInMode + 292
54  HIToolbox                              0x18ad8dfc4 ReceiveNextEventCommon + 324
55  HIToolbox                              0x18ad8de68 _BlockUntilNextEventMatchingListInModeWithFilter + 72
56  AppKit                                 0x184cb651c _DPSNextEvent + 860
57  AppKit                                 0x184cb4e14 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1328
58  AppKit                                 0x184ca6fe0 -[NSApplication run] + 596
59  libqcocoa.dylib                        0x1019bb394 QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 1792
60  QtCore                                 0x10249b3d0 QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 532
61  QtCore                                 0x10249264c QCoreApplication::exec() + 128
62  binaryninja                            0x10049aedc 0x10046c000 + 192220
63  dyld                                   0x101b2d08c start + 520

Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000000000000   x1: 0x0000000000000000   x2: 0x0000000000000000   x3: 0x0000000000000000
    x4: 0x00000001820420c8   x5: 0x000000016f98f740   x6: 0x0000000000000065   x7: 0x0000000000000fe0
    x8: 0x551d38a5e140622e   x9: 0x551d38a4e0fa67ae  x10: 0x0000000000000200  x11: 0x0000000000000031
   x12: 0x0000000000000031  x13: 0x0000600001781f00  x14: 0x00000001820420f2  x15: 0x0000000000000000
   x16: 0x0000000000000148  x17: 0x00000001dc1a7680  x18: 0x0000000000000000  x19: 0x0000000000000006
   x20: 0x0000000101ba0580  x21: 0x0000000000000103  x22: 0x0000000101ba0660  x23: 0x000000013400fd00
   x24: 0x0000000000000000  x25: 0x000000016f98fe50  x26: 0x0000000000000000  x27: 0x0000000000000005
   x28: 0x000000016f9900d0   fp: 0x000000016f98f6b0   lr: 0x0000000182083ee0
    sp: 0x000000016f98f690   pc: 0x000000018204ed98 cpsr: 0x40001000
   far: 0x000000010281d1cc  esr: 0x56000080  Address size fault

Binary Images:
       0x182045000 -        0x18207cfff libsystem_kernel.dylib (*) <a9d87740-9c1d-3468-bf60-720a8d713cba> /usr/lib/system/libsystem_kernel.dylib
       0x18207d000 -        0x182089fff libsystem_pthread.dylib (*) <63c4eef9-69a5-38b1-996e-8d31b66a051d> /usr/lib/system/libsystem_pthread.dylib
       0x181f44000 -        0x181fc5fff libsystem_c.dylib (*) <b25d2080-bb9e-38d6-8236-9cef4b2f11a3> /usr/lib/system/libsystem_c.dylib
       0x18202d000 -        0x182044fff libc++abi.dylib (*) <4e8d8a11-4217-3d56-9d41-5426f7cf307c> /usr/lib/libc++abi.dylib
       0x181f03000 -        0x181f40fff libobjc.A.dylib (*) <ec96f0fa-6341-3e1d-be54-49b544e17f7d> /usr/lib/libobjc.A.dylib
       0x111f50000 -        0x1183affff libbinaryninjacore.1.dylib (*) <d26947a9-7b6f-3e62-8420-2d29cfdc0039> /Applications/Binary Ninja.app/Contents/MacOS/libbinaryninjacore.1.dylib
       0x19030c000 -        0x19031dfff libffi.dylib (*) <2dc42b53-6510-3538-a6d7-30035e16c717> /usr/lib/libffi.dylib
       0x110024000 -        0x110037fff _ctypes.cpython-310-darwin.so (*) <8120cab1-7585-3a51-8a8b-20dd1eb3be05> /opt/homebrew/*/Python.framework/Versions/3.10/lib/python3.10/lib-dynload/_ctypes.cpython-310-darwin.so
       0x11bf84000 -        0x11c257fff org.python.python (3.10.8, (c) 2001-2021 Python Software Foundation.) <f2371089-60d8-3b91-a475-4f4dcb3b84e3> /opt/homebrew/*/Python.framework/Versions/3.10/Python
       0x102ac0000 -        0x1030affff libbinaryninjaui.1.dylib (*) <c318f987-bf40-30da-b238-c5c477a991ee> /Applications/Binary Ninja.app/Contents/MacOS/libbinaryninjaui.1.dylib
       0x102428000 -        0x102893fff org.qt-project.QtCore (6.4) <65a3a1c3-75d3-3748-97e9-48949910701d> /Applications/Binary Ninja.app/Contents/Frameworks/QtCore.framework/Versions/A/QtCore
       0x101bdc000 -        0x1021dffff org.qt-project.QtGui (6.4) <82d6f631-5559-3350-a769-08b6a8540a77> /Applications/Binary Ninja.app/Contents/Frameworks/QtGui.framework/Versions/A/QtGui
       0x103214000 -        0x103657fff org.qt-project.QtWidgets (6.4) <28ae0d49-59cc-32ec-be36-a2b2c235bcd8> /Applications/Binary Ninja.app/Contents/Frameworks/QtWidgets.framework/Versions/A/QtWidgets
       0x1019a4000 -        0x101a3bfff libqcocoa.dylib (*) <3c3914e7-5638-3731-8eb1-d0877d321c9e> /Applications/Binary Ninja.app/Contents/MacOS/qt/platforms/libqcocoa.dylib
       0x1820cc000 -        0x182612fff com.apple.CoreFoundation (6.9) <fc3c193d-0cdb-3569-9f0e-bd2507ca1dbb> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
       0x18ad5c000 -        0x18b08ffff com.apple.HIToolbox (2.1.1) <aaf900bd-bfb6-3af0-a8d3-e24bbe1d57f5> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
       0x184c75000 -        0x185b2dfff com.apple.AppKit (6.9) <5e432f87-5b58-391a-a542-fa2d909dd210> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
       0x10046c000 -        0x1016c3fff com.vector35.binaryninja (3.3.3996) <4bbd5cf1-b1a6-38f9-8022-3bad8e66b771> /Applications/Binary Ninja.app/Contents/MacOS/binaryninja
       0x101b28000 -        0x101b87fff dyld (*) <38ee9fe9-b66d-3066-8c5c-6ddf0d6944c6> /usr/lib/dyld
       0x135800000 -        0x136bd7fff libopenblas64_.0.dylib (*) <3dd132fc-be72-33cc-baf0-4c7df2669307> /opt/homebrew/*/libopenblas64_.0.dylib
       0x170024000 -        0x17128bfff libopenblas.0.dylib (*) <5431bff3-be1a-3fe5-a552-bcdbb3e0536e> /opt/homebrew/*/libopenblas.0.dylib
       0x181fc6000 -        0x18202cfff libc++.1.dylib (*) <3d1e6031-901d-3df1-9e9a-f85ff1c2e803> /usr/lib/libc++.1.dylib

External Modification Summary:
  Calls made by other processes targeting this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by all processes on this machine:
    task_for_pid: 5
    thread_create: 0
    thread_set_state: 976

ex0dus-0x commented 1 year ago

Looking at the stack trace, the culprit function is BNSettingsGetStringList. What does your settings configuration look like for fuzzable? Are they the default configured parameters?

I've tried setting mine to different settings, and I'm not able to repro this. However, if you have customized settings that are causing this crash, those may be edge cases we're not accounting for when parsing from the configuration.
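The trace above explains why the plugin cannot simply catch this: the throw originates inside libbinaryninjacore and reaches `std::terminate` (`__cxa_throw` → `failed_throw` → `demangling_terminate_handler`) without finding a handler on the way out through the C API and the libffi/ctypes frames, so it never surfaces as a Python exception and the whole Binary Ninja process aborts. The helper below is an added example, not code from fuzzable or Binary Ninja. It answers the maintainer's question about the settings without going through the typed getter that crashes: it reads every registered key under an assumed `fuzzable.` prefix via the JSON getter, decodes and type-checks the value in Python, and only then calls `get_string_list`. It assumes the Binary Ninja Python `Settings` API (`keys()`, `contains()`, `get_json()`, `get_string_list()`); the `FakeSettings` class and the `fuzzable.sample_*` key names are constructed stand-ins so the block runs outside Binary Ninja.

```python
import json
from typing import Any, Dict, List, Optional

# Assumed prefix under which the plugin registers its settings; adjust if
# fuzzable uses a different settings group.
SETTING_PREFIX = "fuzzable."


def dump_plugin_settings(settings: Any, prefix: str = SETTING_PREFIX) -> Dict[str, Any]:
    """Return {key: decoded JSON value} for every registered key under `prefix`.

    Goes through get_json() rather than the typed getters, so a value whose
    stored type does not match what the plugin expects is reported here
    instead of aborting the process inside libbinaryninjacore.
    """
    report: Dict[str, Any] = {}
    for key in settings.keys():
        if not key.startswith(prefix):
            continue
        try:
            report[key] = json.loads(settings.get_json(key))
        except (ValueError, TypeError) as exc:  # malformed JSON in the store
            report[key] = {"error": repr(exc)}
    return report


def safe_get_string_list(settings: Any, key: str) -> Optional[List[str]]:
    """Fetch a string-list setting only after validating it on the Python side.

    Returns None when the key is not registered, raises TypeError when the
    stored value is not a list of strings, and only then calls the typed
    getter (BNSettingsGetStringList underneath) that the crashing path uses.
    """
    if not settings.contains(key):
        return None
    value = json.loads(settings.get_json(key))
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise TypeError(f"{key}: expected a list of strings, got {value!r}")
    return settings.get_string_list(key)


class FakeSettings:
    """Constructed stand-in for binaryninja.Settings so the block runs offline.

    Mirrors the four methods used above; inside Binary Ninja the real object
    is obtained with `from binaryninja import Settings; settings = Settings()`.
    """

    def __init__(self, store: Dict[str, Any]) -> None:
        self._store = store

    def keys(self) -> List[str]:
        return list(self._store)

    def contains(self, key: str) -> bool:
        return key in self._store

    def get_json(self, key: str) -> str:
        return json.dumps(self._store[key])

    def get_string_list(self, key: str) -> List[str]:
        value = self._store[key]
        if not isinstance(value, list):
            # The real core throws a C++ exception here that terminates the
            # process; the guard in safe_get_string_list keeps us from reaching it.
            raise RuntimeError("BNSettingsGetStringList: type mismatch")
        return list(value)


# Constructed sample store with hypothetical key names: one well-formed
# list, one value of the wrong type, and one unrelated key to be filtered out.
SAMPLE_STORE = {
    "fuzzable.sample_list": ["main", "usage"],
    "fuzzable.sample_flag": True,
    "ui.font.size": 12,
}


if __name__ == "__main__":
    s = FakeSettings(SAMPLE_STORE)
    print(dump_plugin_settings(s))
    print(safe_get_string_list(s, "fuzzable.sample_list"))
```

Run `dump_plugin_settings(Settings())` from the Binary Ninja scripting console and paste the result into the issue; it answers the maintainer's question and, if one of the keys decodes to something other than a list of strings, points straight at the value that the typed getter chokes on.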

AsherDLL commented 1 year ago

Thanks for looking into this issue. Yes, I have the default configured parameters, haven't changed anything. I tried with other binaries and they crash as well when running Analyze and Rank functions.

the-emmons commented 1 year ago

Hi there, just wanted to report that I'm getting this as well in all binaries I try on the most up-to-date Binary Ninja.

> Looking at the stack trace, the culprit function is BNSettingsGetStringList. What does your settings configuration look like for fuzzable? Are they the default configured parameters?
>
> I've tried setting mine to different settings, and I'm not able to repro this. However, if you have customized settings that are causing this crash, those may be edge cases we're not accounting for when parsing from the configuration.