Loading an image from DSC often causes a crash related to BNForgetUndoActions

[WeiN76LQh]

Version and Platform (required):

• Binary Ninja Version: 4.1.5902 (f2165c5d) and 4.2.6228-dev (312c3c99)
• OS: macOS
• OS Version: 15.0
• CPU Architecture: M1

Bug Description:
The following crash frequently occurs when loading images in DSC:

* thread #3, name = 'Worker PRI ', stop reason = signal SIGABRT
  * frame #0: 0x000000018b512600 libsystem_kernel.dylib`__pthread_kill + 8
    frame #1: 0x000000018b54af70 libsystem_pthread.dylib`pthread_kill + 288
    frame #2: 0x000000018b457908 libsystem_c.dylib`abort + 128
    frame #3: 0x000000018b36167c libsystem_malloc.dylib`malloc_vreport + 896
    frame #4: 0x000000018b3894a8 libsystem_malloc.dylib`malloc_zone_error + 100
    frame #5: 0x000000018b38833c libsystem_malloc.dylib`free_tiny_botch + 40
    frame #6: 0x00000001037a20cc libbinaryninjacore.1.dylib`___lldb_unnamed_symbol29109 + 84
    frame #7: 0x00000001037a22b8 libbinaryninjacore.1.dylib`___lldb_unnamed_symbol29111 + 292
    frame #8: 0x0000000102fd4428 libbinaryninjacore.1.dylib`___lldb_unnamed_symbol14231 + 140
    frame #9: 0x0000000102fbfb98 libbinaryninjacore.1.dylib`___lldb_unnamed_symbol13841 + 280
    frame #10: 0x0000000102fc307c libbinaryninjacore.1.dylib`BNForgetUndoActions + 140
    frame #11: 0x000000010be1f44c libsharedcache.dylib`___lldb_unnamed_symbol2967 + 5300
    frame #12: 0x000000010be44f0c libsharedcache.dylib`___lldb_unnamed_symbol3314 + 1220
    frame #13: 0x000000010be54c64 libsharedcache.dylib`___lldb_unnamed_symbol3845 + 36
    frame #14: 0x00000001037d322c libbinaryninjacore.1.dylib`___lldb_unnamed_symbol29525 + 2160
    frame #15: 0x00000001037d26e4 libbinaryninjacore.1.dylib`___lldb_unnamed_symbol29520 + 12
    frame #16: 0x000000018b54b2e4 libsystem_pthread.dylib`_pthread_start + 136

I'm struggling to identify an exact DSC and image combination that always causes this crash. But it happens frequent enough that continually loading images will eventually cause it to happen. If I figure one out I'll post a comment with the information.

In the mean time running this script will often cause the crash eventually, although it can take some time due to how long analysis for each image takes:

import argparse
import binaryninja
import binaryninja.sharedcache

parser = argparse.ArgumentParser()
parser.add_argument('dsc')

args = parser.parse_args()

print("Loading DSC")
with binaryninja.load(args.dsc) as dsc_bv:
    dsc = binaryninja.sharedcache.SharedCache(dsc_bv)
    print("Waiting for symbols to load")
    # Unsure how to wait to ensure `dsc.images` is populated below. Calling `update_analysis_and_wait` doesn't seem to help either
    dsc.load_all_symbols_and_wait()
    if len(dsc.images) == 0:
        # Sometimes it doesn't work
        print("Failed to load DSC images, re-run the script")
    print("Waiting for initial analysis to complete")
    dsc_bv.update_analysis_and_wait()
    for image in dsc.images:
        print(f"Loading image '{image.name}'")
        dsc.load_section_at_address(image.headerAddress)
        print(f"Waiting for auto analysis to complete for image '{image.name}'")
        dsc_bv.update_analysis_and_wait()

All it does is go through each image in the DSC and load it, wait for the auto analysis to complete and then load the next image. This may take a while to cause a crash due to analysis times for loading images in the DSC.

Tbh this script in general is pretty good at finding current crashes in the DSC analysis just because there seem to be a couple that occur regularly.

Steps To Reproduce:

1. Load DSC in Binary Ninja
2. Wait for initial analysis to complete
3. Load an image
4. Wait for analysis to complete
5. Repeat steps 3 and 4 until Binary Ninja crashes

Binary:
Extract the DSC from any iOS 18+ IPSW. Not sure if its an iOS 18 related issues, its just the ones I've been testing on.