Windows kernel IRP hooking - usb

Why am i only seeing IRP_MJ_PNP events upon plugging / unplugging / using various USB devices ?
The vast majority are some
IRP_MJ_PNP - IRP_MN_QUERY_CAPABILITIES
Using the tool from here
I am hooking these devices / drivers:
{
Reference count: 6
BLUETOOTH
DEVICE_SECURE_OPEN
Dispatch table: 1111111111111111111111111111
\Driver\BTHUSB
Reference count: 2
ACPI
DEVICE_SECURE_OPEN
Dispatch table: 1111111111111111111111111111
\Driver\RtkBtFilter
Reference count: 1
ACPI
DEVICE_SECURE_OPEN
Dispatch table: 1111111111111111111111111111
\Driver\ACPI
Reference count: 11
UNKNOWN
DEVICE_SECURE_OPEN
Dispatch table: 1111111111111111111111111111
\Driver\USBHUB3
\Device\USBPDO-3
}
Last error g: 0Last error h: 0Last error i: 01 : DEVICE LIST : STACK
{
Reference count: 4
UNKNOWN
DEVICE_SECURE_OPEN
Dispatch table: 1111111111111111111111111111
\Driver\USBHUB3
Reference count: 1
ACPI
DEVICE_SECURE_OPEN
Dispatch table: 1111111111111111111111111111
\Driver\ACPI
Reference count: 8
UNKNOWN
DEVICE_SECURE_OPEN
Dispatch table: 1111111111111111111111111111
\Driver\USBXHCI
\Device\USBPDO-0
}
Last error g: 0Last error h: 0Last error i: 02 : DEVICE LIST : STACK
{
Reference count: 4
UNKNOWN
DEVICE_SECURE_OPEN
Dispatch table: 1111111111111111111111111111
\Driver\USBXHCI
\Device\USBFDO-0
Reference count: 1
ACPI
DEVICE_SECURE_OPEN
Dispatch table: 1111111111111111111111111111
\Driver\ACPI
Reference count: 7
UNKNOWN
DEVICE_SECURE_OPEN
Dispatch table: 1111111111111111111111111111
\Driver\pci
\Device\NTPNP_PCI0003
}
Which are obtained by enumerating the first 4 parents of GUID_CLASS_USB_DEVICE
Dispatch table: 1111111111111111111111111111 signifies that all of the 28 IRPs are marked for hooking.
Maybe there is some other tool for hooking IRPs that I can check against ?

Related

Nanomsg gives signal 6 abort during fetching from couchbase

I am getting a signal 6 error when i am trying to fetch data from couchbase, this occurs at erratic intervals. I am using version 1.1 and from the code i can see if poll returns value less than 0, errno_assert is being triggered which crashes the application with signal 6.
Below is the backtrace of nanomsg thread:
Program terminated with signal 6, Aborted.
#0 0x00007ffff4c74a33 in select () from /usr/lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install boost-system-1.53.0-28.el7.x86_64 cyrus-sasl-lib-2.1.26-23.el7.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-50.el7.x86_64 libcom_err-1.42.9-19.el7.x86_64 libcurl-7.29.0-59.el7_9.1.x86_64 libidn-1.28-4.el7.x86_64 libselinux-2.5-15.el7.x86_64 libssh2-1.8.0-4.el7.x86_64 nspr-4.32.0-1.el7_9.x86_64 nss-3.53.1-3.el7_9.x86_64 nss-util-3.67.0-1.el7_9.x86_64 openldap-2.4.44-22.el7.x86_64 openssl-libs-1.0.2k-21.el7_9.x86_64 pcre-8.32-17.el7.x86_64 zlib-1.2.7-19.el7_9.x86_64
(gdb) thread 18
[Switching to thread 18 (Thread 0x7fffcef74700 (LWP 40630))]
#0 0x00007ffff4bfce00 in _IO_cleanup () from /usr/lib64/libc.so.6
(gdb) bt full
#0 0x00007ffff4bfce00 in _IO_cleanup () from /usr/lib64/libc.so.6
No symbol table info available.
#1 0x00007ffff4bb6be5 in abort () from /usr/lib64/libc.so.6
No symbol table info available.
#2 0x00000000009ff371 in nn_err_abort ()
No symbol table info available.
#3 0x00000000009ff2cd in nn_efd_wait ()
No symbol table info available.
#4 0x00000000009fbb13 in nn_sock_recv ()
No symbol table info available.
#5 0x00000000009f95fa in nn_recvmsg ()
No symbol table info available.
#6 0x00000000009f9015 in nn_recv ()
No symbol table info available.
#7 0x000000000099b8c9 in vcmNpsIcmMsgRecv ()
No symbol table info available.
#8 0x0000000000975a57 in __vcmNpsIcmRecv ()
No symbol table info available.
#9 0x00000000007261f5 in vcmDpeEmaIcmStatsCb(void*) ()
No symbol table info available.
#10 0x000000000099a54b in vcmNpsIcmInterfaceCreate ()
No symbol table info available.
#11 0x000000000095b1c0 in ?? ()
No symbol table info available.
#12 0x00007ffff7250ea5 in start_thread (arg=0x7fffcef74700) at pthread_create.c:307
__res =
pd = 0x7fffcef74700
now =
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736665700096, -1738215837302118578, 0, 33558528, 0, 140736665700096, 1738108024908031822,
1738235171653297998}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
#13 0x00007ffff4c7d9fd in clone () from /usr/lib64/libc.so.6
This is present in one of our stdout files:
Invalid argument [22] (home/3rd-party/nanomsg/src/utils/efd.c:91)
Code::
88 rc = poll (&pfd, 1, timeout);
89 if (nn_slow (rc < 0 && errno == EINTR))
90 return -EINTR;
91 errno_assert (rc >= 0);
I found that in version 1.2, this errno_assert is not present in the code, Can this errno_assert be safely removed from our code without updating the nanomsg version . Please help.

BTLE ServiceData is always null

I am working on a react-native Android app using react-native-ble-plx for BTLE support, and Windows 10 using the .NET API Windows.Devices.Bluetooth.GenericAttributeProfile for the GATT server/peripheral.
When I add any "ServiceData" to the advertising payload in the Windows GATT service, the scanned device's 'serviceData' payload is always null in the react-native client.
In the Windows 10 server, if the GattServiceProviderAdvertisingParameters.ServiceData property is not null, then the service advertisement status is GattServiceProviderAdvertisementStatus.StartedWithoutAllAdvertisementData. (When leaving 'ServiceData' set to null, it is GattServiceProviderAdvertisementStatus.Started, as expected).
Using the Silicon Labs "EFR Connect" app in android, it also does not show any ServiceData for the device in the advertising packet.
Using WireShark with BTVS to inspect the packets on the Windows machine, it does show the Service Data bytes, and the controller shows a 'Success' response.
Here is the code where I set up the ServiceData in Windows:
...
GattServiceProviderAdvertisingParameters advParameters = new GattServiceProviderAdvertisingParameters
{
IsConnectable = _peripheralSupported,
IsDiscoverable = true,
ServiceData = GetServiceData().AsBuffer()
};
_serviceProvider.AdvertisementStatusChanged += ServiceProvider_AdvertisementStatusChanged;
_serviceProvider.StartAdvertising(advParameters);
...
private byte[] GetServiceData()
{
var flagsData = new List<byte> { 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
flagsData.AddRange(new List<byte>(Encoding.ASCII.GetBytes("ABCDEFGHIJKLMNOP")));
return flagsData.ToArray();
}
Here is the code in the react-native scanner:
public scanDevices(
timeoutSeconds: number,
listener: (error: string | null, scannedDevice: IPhoenixDevice | null) => void,
): void {
console.log('Entered PhoenixDeviceManager.scanDevices');
this.isScanning = true;
try {
this.scannedDevices.length = 0; // Clear array of devices
this.bleManager.startDeviceScan(this.serviceUUIDs, null, (error, scannedDevice) => {
console.log('In device scan callback');
if (error) {
console.warn(error);
listener(`Error message: ${error.message}, reason: ${error.reason}`, null);
}
if (!scannedDevice) {
console.log('scannedDevice is null');
} else if (!this.scannedDevices.some((d) => d.id === scannedDevice.id)) {
this.scannedDevices.push(scannedDevice);
listener(null, new PhoenixDevice(scannedDevice.id, scannedDevice.name));
console.log(
`Device discovered, id: ${scannedDevice.id}, name: ${scannedDevice.name}, localName: ${scannedDevice.localName}, serviceData: ${scannedDevice.serviceData}`,
);
}
});
const timeoutMs = timeoutSeconds * 1000;
// stop scanning devices after specified number of seconds
setTimeout(() => {
this.stopScanning();
}, timeoutMs);
} catch (error) {
console.error(error);
this.stopScanning();
}
}
Here is the WireShark trace running on Windows 10 showing the packet containing the ServiceData (and the Success response):
Frame 499: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface TCP#127.0.0.1:24352, id 0
Bluetooth
Bluetooth HCI H4
Bluetooth HCI Command - LE Set Extended Advertising Data
Command Opcode: LE Set Extended Advertising Data (0x2037)
Parameter Total Length: 80
Advertising Handle: 0x02
Data Operation: Complete scan response data (0x03)
Fragment Preference: The Controller should not fragment or should minimize fragmentation of Host data (0x01)
Data Length: 76
Advertising Data
Flags
Length: 2
Type: Flags (0x01)
000. .... = Reserved: 0x0
...1 .... = Simultaneous LE and BR/EDR to Same Device Capable (Host): true (0x1)
.... 1... = Simultaneous LE and BR/EDR to Same Device Capable (Controller): true (0x1)
.... .0.. = BR/EDR Not Supported: false (0x0)
.... ..1. = LE General Discoverable Mode: true (0x1)
.... ...0 = LE Limited Discoverable Mode: false (0x0)
16-bit Service Class UUIDs
Length: 3
Type: 16-bit Service Class UUIDs (0x03)
UUID 16: Device Information (0x180a)
128-bit Service Class UUIDs
Length: 17
Type: 128-bit Service Class UUIDs (0x07)
Custom UUID: caecface-e1d9-11e6-bf01-fe55135034f0 (Unknown)
Service Data - 128 bit UUID
Length: 50
Type: Service Data - 128 bit UUID (0x21)
Custom UUID: caecface-e1d9-11e6-bf01-fe55135034f0 (Unknown)
Service Data: ffff0000000000000000000000000000004142434445464748494a4b4c4d4e4f50
[Response in frame: 500]
[Command-Response Delta: 1.889ms]
Frame 500: 7 bytes on wire (56 bits), 7 bytes captured (56 bits) on interface TCP#127.0.0.1:24352, id 0
Bluetooth
Bluetooth HCI H4
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 4
Number of Allowed Command Packets: 1
Command Opcode: LE Set Extended Advertising Data (0x2037)
0010 00.. .... .... = Opcode Group Field: LE Controller Commands (0x08)
.... ..00 0011 0111 = Opcode Command Field: LE Set Extended Advertising Data (0x037)
Status: Success (0x00)
[Command in frame: 499]
[Command-Response Delta: 1.889ms]
I've also tried using the exact code verbatim in this example and it has the exact same problem:
https://github.com/ProH4Ck/treadmill-bridge/blob/98e683e2380178319972af522d9251f44350a448/src/TreadmillBridge/Services/VirtualTreadmill/VirtualTreadmillService.cs#L90
Does anyone know what the problem might be?

hang in google/protobuf/pyext/_message.so at exit

This is TensorFlow 1.0.1 installed via pip.
It runs via an embedded CPython (libpython).
Sometimes (maybe 30% of my runs) it hangs in Py_Finalize(), and I see this backtrace:
/work/asr2/zeyer/sprint-executables/20160902.235443.fad8965.linux-x86_64-standard/Flf/flf-tool.linux-intel-standard(_ZN17AssertionsPrivate15safe_stackTraceEi+0x21)[0xc5b891]
/work/asr2/zeyer/sprint-executables/20160902.235443.fad8965.linux-x86_64-standard/Flf/flf-tool.linux-intel-standard[0xc5b8ef]
/u/zeyer/tools/glibc217/libpthread.so.0(+0x113d0)[0x2b6d89bad3d0]
/u/zeyer/tools/glibc217/libpthread.so.0(raise+0x29)[0x2b6d89bad2a9]
/u/zeyer/py-envs/py2-ubuntu16/local/lib/python2.7/site-packages/faulthandler.so(+0x3198)[0x2b6dc2372198]
/u/zeyer/tools/glibc217/libpthread.so.0(+0x113d0)[0x2b6d89bad3d0]
/u/zeyer/py-envs/py2-ubuntu16/local/lib/python2.7/site-packages/google/protobuf/pyext/_message.so(+0xaa943)[0x2b6dc14f0943]
/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0(+0x160f6b)[0x2b6d8b23af6b]
/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0(+0xc8f0e)[0x2b6d8b1a2f0e]
/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0(+0x15d747)[0x2b6d8b237747]
/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0(PyDict_SetItem+0x7b)[0x2b6d8b23becb]
/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0(_PyModule_Clear+0xb5)[0x2b6d8b278565]
/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0(PyImport_Cleanup+0x437)[0x2b6d8b2280e7]
/usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0(Py_Finalize+0xfe)[0x2b6d8b1fed9e]
/work/asr2/zeyer/sprint-executables/20160902.235443.fad8965.linux-x86_64-standard/Flf/flf-tool.linux-intel-standard(_ZN6Python11Initializer19AtExitUninitHandlerEv+0x2e)[0xff80de]
/u/zeyer/tools/glibc217/libc.so.6(+0x39fe8)[0x2b6d8bc39fe8]
/u/zeyer/tools/glibc217/libc.so.6(+0x3a035)[0x2b6d8bc3a035]
/u/zeyer/tools/glibc217/libc.so.6(__libc_start_main+0xf7)[0x2b6d8bc20837]
/work/asr2/zeyer/sprint-executables/20160902.235443.fad8965.linux-x86_64-standard/Flf/flf-tool.linux-intel-standard[0x7d6991]
or with GDB:
(gdb) bt full
#0 0x00002b6dc14f0943 in std::tr1::_Hashtable<google::protobuf::DescriptorPool const*, std::pair<google::protobuf::DescriptorPool const* const, google::protobuf::python::PyDescriptorPool*>, std::allocator<std::pair<google::protobuf::DescriptorPool const* const, google::protobuf::python::PyDescriptorPool*> >, std::_Select1st<std::pair<google::protobuf::DescriptorPool const* const, google::protobuf::python::PyDescriptorPool*> >, std::equal_to<google::protobuf::DescriptorPool const*>, google::protobuf::hash<google::protobuf::DescriptorPool const*>, std::tr1::__detail::_Mod_range_hashing, std::tr1::__detail::_Default_ranged_hash, std::tr1::__detail::_Prime_rehash_policy, false, false, true>::erase (
__k=#0x7ffd1bbea740: 0x8269780, this=0x2b6dc1826e40 <google::protobuf::python::descriptor_pool_map>)
at /opt/rh/devtoolset-2/root/usr/include/c++/4.8.2/tr1/hashtable.h:1041
__slot = <optimized out>
__saved_slot = <optimized out>
__code = 136746880
__n = 0
__result = 0
#1 google::protobuf::python::cdescriptor_pool::Dealloc (self=0x2b6dc0d86880)
at google/protobuf/pyext/descriptor_pool.cc:152
No locals.
#2 0x00002b6d8b23af6b in ?? () from /usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0
No symbol table info available.
#3 0x00002b6d8b1a2f0e in ?? () from /usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0
No symbol table info available.
#4 0x00002b6d8b237747 in ?? () from /usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0
No symbol table info available.
#5 0x00002b6d8b23becb in PyDict_SetItem () from /usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0
No symbol table info available.
#6 0x00002b6d8b278565 in _PyModule_Clear () from /usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0
No symbol table info available.
#7 0x00002b6d8b2280e7 in PyImport_Cleanup () from /usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0
No symbol table info available.
#8 0x00002b6d8b1fed9e in Py_Finalize () from /usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0
No symbol table info available.
#9 0x0000000000ff80de in Python::Initializer::AtExitUninitHandler() ()
No symbol table info available.
#10 0x00002b6d8bc39fe8 in ?? () from /u/zeyer/tools/glibc217/libc.so.6
No symbol table info available.
#11 0x00002b6d8bc3a035 in exit () from /u/zeyer/tools/glibc217/libc.so.6
No symbol table info available.
#12 0x00002b6d8bc20837 in __libc_start_main () from /u/zeyer/tools/glibc217/libc.so.6
No symbol table info available.
#13 0x00000000007d6991 in _start ()
No symbol table info available.
I.e. it happens in _PyModule_Clear, and then inside google/protobuf/pyext/_message.so, that's why I think this is TF related.
In the case when it does not hang, I see this output:
Exception AttributeError: AttributeError("'NoneType' object has no attribute 'raise_exception_on_not_ok_status'",) in <bound method Session.__del__ of <tensorflow.python.client.session.Session object at 0x2afd625b12d0>> ignored
I also asked upstream on TF but they suggested to post it here.
Any idea why it might hang and how to resolve this?
Note that this crash was happening inside a callback via std::atexit. I guess the problem is that some stuff from Google or std is cleaned up before I call Py_Finalize from my atexit-handler which leads to this crash. I think this should not happen though.
Anyway, I kind of worked around the problem by not using std::atexit now but by using my own exit handler logic instead (which however would not work if I directly use exit() anywhere).

USB interface of an AVCaptureDevice

If I have an AVCaptureDevice, how can I get the related USB interface so I can access the underlying hardware via IOKit?
I've tried finding it via vid & pid, but this won't work if I plug in two devices with the same vid, pid. Here's the code I use to extract vid and pid from AVCaptureDevice:
AVCaptureDevice *device = [AVCaptureDevice defaultDeviceWithDeviceType:AVMediaTypeVideo];
NSString *modelID = [device modelID];
NSRange vidRange = [modelID rangeOfString:#"VendorID_"];
int vid = [[modelID substringWithRange:NSMakeRange(vidRange.location + 9, 5)] intValue];
NSRange pidRange = [modelID rangeOfString:#"ProductID_"];
int vid = [[modelID substringWithRange:NSMakeRange(pidRange.location + 10, 5)] intValue];
And then I search for a matching IOService:
CFMutableDictionaryRef matchingDict = IOServiceMatching(kIOUSBDeviceClassName);
CFNumberRef numberRef;
numberRef = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &vid);
CFDictionarySetValue(matchingDict, CFSTR(kUSBVendorID), numberRef);
CFRelease(numberRef);
numberRef = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &pid);
CFDictionarySetValue(matchingDict, CFSTR(kUSBProductID), numberRef);
CFRelease(numberRef);
io_service_t camera = IOServiceGetMatchingService(kIOMasterPortDefault, matchingDict);
Maybe a combination of AVCaptureDevice modelID and uniqueID could help you find the matching IOService. The formatting of the two IDs looks to be both undocumented and dependent on transport and media-type, but you should be able to figure something out. Here is a tentative mapping for USB audio (because I don't have any USB cameras), based on two devices:
modelID: USB Headphone Set:0C76:1607
uniqueID: AppleUSBAudioEngine:Unknown Manufacturer:USB Headphone Set:14200000:2,1,
USB Headphone Set:
Product ID: 0x1607
Vendor ID: 0x0c76 (Solid State System Co., Ltd.)
Version: 1.00
Speed: Up to 12 Mb/sec
Location ID: 0x14200000 / 9
Current Available (mA): 1000
Current Required (mA): 100
Extra Operating Current (mA): 0
uniqueID: AppleUSBAudioEngine:Burr-Brown from TI :USB Audio CODEC :14200000:2,
modelID: USB Audio CODEC :08BB:2902
USB Audio CODEC :
Product ID: 0x2902
Vendor ID: 0x08bb (Texas Instruments Japan)
Version: 1.00
Speed: Up to 12 Mb/sec
Manufacturer: Burr-Brown from TI
Location ID: 0x14200000 / 10
Current Available (mA): 1000
Current Required (mA): 100
Extra Operating Current (mA): 0
The (usb audio) format is something like
modelID: name:vendorID:productID
uniqueID: AppleUSBAudioEngine:Manufacturer or Unknown Manufacturer:location ID:???
If USB video's uniqueID is similar, then the combination of productID, vendorID and locationID (which USB port) should be enough to uniquely identify the underlying device's hardware, albeit in a fragile and undocumented way.

Load objective-c library in R with RCocoa

I found the R package Cocoa at http://www.rforge.net/Cocoa/, and I want to use it call my customized objective-c classes.
I've tried to load a dylib which contains a simple custom class (called DOHello as below) and then call:
hc <- .MClass("DOHello")
h <- .M(hc, "alloc")
h <- .M(h, "init")
.M(h, "hello")
The first three line of code is ok, but when I call .M(h, "hello"), the whole RStudio session crashes. I also tried to add the source code of DOHello to the Cocoa package directly, the result is same.
The class DOHello:
#interface DOHello : NSObject
- (void)hello;
#end
#implementation DOHello
- (void)hello {
printf("Hey, there");
}
#end
The crash report:
Process: rsession [8215]
Path: /Applications/RStudio.app/Contents/MacOS/rsession
Identifier: rsession
Version: ???
Code Type: X86-64 (Native)
Parent Process: RStudio [1931]
User ID: 502
Date/Time: 2013-03-04 11:47:44.858 +0800
OS Version: Mac OS X 10.8.2 (12C54)
Report Version: 10
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000002, 0x0000000000000000
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.CoreFoundation 0x00007fff867d301d __NSI0 + 621
1 com.apple.CoreFoundation 0x00007fff867d2aee -[NSInvocation getArgument:atIndex:] + 302
2 Cocoa.so 0x000000010c4fef4f ObjCsendMsg + 1135
3 libR.dylib 0x0000000109ffee37 do_External + 327 (dotcode.c:540)
4 libR.dylib 0x000000010a02e448 Rf_eval + 1672 (eval.c:494)
5 libR.dylib 0x000000010a02fedd do_begin + 141 (eval.c:1415)
6 libR.dylib 0x000000010a02e29c Rf_eval + 1244 (eval.c:468)
7 libR.dylib 0x000000010a0333b1 Rf_applyClosure + 849 (eval.c:861)
8 libR.dylib 0x000000010a02e1b2 Rf_eval + 1010 (eval.c:512)
9 libR.dylib 0x000000010a0669e2 Rf_ReplIteration + 514 (main.c:256)
10 libR.dylib 0x000000010a066cd1 R_ReplConsole + 161 (main.c:306)
11 libR.dylib 0x000000010a0671ea run_Rmainloop + 90 (main.c:988)
12 rsession 0x0000000109786b1b r::session::runEmbeddedR(core::FilePath const&, core::FilePath const&, bool, bool, SA_TYPE, r::session::Callbacks const&, r::session::InternalCallbacks*) + 427
13 rsession 0x0000000109769b29 r::session::run(r::session::ROptions const&, r::session::RCallbacks const&) + 3193
14 rsession 0x0000000109386f35 main + 14517
15 rsession 0x000000010936e154 start + 52
The crash report is not complete, I just copied the section which I think is useful.
This was a bug in Cocoa where it was trying to retrieve the result from a void method - now fixed. Please use stats-rosuda-devel mailing list or e-mail the author for questions and bug reports.