Null pointer deref when loading DYLD Shared Cache image using an address

[WeiN76LQh]

Version and Platform (required):

• Binary Ninja Version: 5.3.9429-dev Ultimate (ea9c02c3)
• Edition: Ultimate
• OS: macOS
• OS Version: 26.4
• CPU Architecture: M1

Bug Description:
I attempted to load a DYLD Shared Cache image via the UI using the Load Image by Address right-click option. When I hit enter to load the address Binary Ninja crashed.

Steps To Reproduce:
Please provide all steps required to reproduce the behavior:

1. Load a copy of DYLD Shared Cache. In my case this was 26.2 for an iPhone 17 Pro Max
2. Wait for initial analysis to complete
3. Shortly after right-click linear view and select Load Image by Address
4. Press enter on a pre-populated value. I had loaded by that address on previous runs so its pre-populated in the text box so I just hit enter after the text box appeared

Additional Information:
It doesn't happen everytime. I'm kind of just hoping that the crash file is enough to diagnose the issue as it looks pretty shallow.

Crash dump: civic ward replicates proudly

[bdash]

I'm a little confused as to how the crash report relates to the described steps. It seems to show a crash when dispatching the action of a menu item (it is below QMenuPrivate::activateAction), but it sounds like the crash happens after hitting Accept in the Load Image by Address Dialog. Are you 100% sure that crash report corresponds to those steps?

[WeiN76LQh]

Yes the crash is happening immediately after hitting accept (or in my case pressing enter). I caught the crash in a debugger straight after doing the above steps, disconnected the debugger and then uploaded the crash file. I was doing some plugin dev and the cycle was to load DSC, wait for initial analysis to finish and then I needed to jump to a specific address which was unloaded and therefore had to load the image first and was doing it by address.

I'm wondering if its a macOS window tracking related issue as there's been stuff with regards to that before in Binary Ninja. I think in all cases (I caused the crash a bunch of times) I might have been active in a different program and then jumped backed to Binary Ninja to load an image by address.

[bdash]

I have tried to reproduce a number of times with multiple different shared caches and addresses, but haven't been able to hit it. Are you able to reproduce the crash after launching with third-party plug-ins disabled?

[WeiN76LQh]

Okay I can reproduce this deterministically with plugins disabled:

1. Open a copy of DYLD Shared Cache. You don't need to wait for analysis to complete before doing the next step.
2. I clicked on an application on a second monitor to take focus away from Binary Ninja.
3. I then right-clicked linear view in Binary Ninja. I did not click on Binary Ninja in any other way to bring focus back to it.
4. I selected Load Image by Address.
5. I hit enter on whatever address was pre-populated in there (it was a valid address for an unloaded image).

Might also be worth mentioning that both Binary Ninja and the other application were in macOS fullscreen mode.