
Do Not Type "File:///" in OS X - 67726e
http://openradar.appspot.com/13128709
======
NelsonMinar
Hilariously, this bug seems to also crash the Mac error reporter, maybe
because it has the evil string in it. I did manage to copy and paste a crash
dump before the crash reporter crashed: <http://pastebin.com/UkhERvaA>

The underlying reported error is __* Terminating app due to uncaught exception
'NSInternalInconsistencyException', reason: 'condition "wrong extraction:
File:///"'

Interesting that it's an asynchronous crash. What part of MacOS is paying such
close attention to typed URLs?

~~~
0x0
From the openradar bug, it is obvious that the bug is inside the "Data
Detectors" thing. Looks like it triggers on anything starting with file://
(+/) case-insensitive, but then something later in the data extraction makes
the incorrect assumption that the string should start with file:// (+/)
lowercase, and throws an assert.

It's really quite bad that a bug inside the data detectors can bring down a
whole app.

Edit: some interesting links:

<http://support.apple.com/kb/PH4519> ("This feature is called “data
detectors.”")

[https://developer.apple.com/library/mac/#documentation/Found...](https://developer.apple.com/library/mac/#documentation/Foundation/Reference/NSDataDetector_Class/Reference/Reference.html)

~~~
nikcub
checkDataDetectors will extract 'File://a/' - or any other 'complete' file URL
- which at a minimum is a schema (file://) and a path '/' - as a valid data
URL and then pass it to DDResultCopyExtractURL, which does some additional
sanity checking.

There it validates it by asserting that the URL begins with 'file://', which
it doesn't. It then converts to an NSInternalInconsistencyException which is
what crashes the application, since it isn't caught.

The timing differences that people are seeing is because the
NSSpellCheckerCheckString process checks the spelling only after your key
entry has been idle for a short period.

checkDataDetectors will also run if you simply open a file or application with
this text inside it in a text control. When declaring your text control class
you can disable the automated spell checking and data extraction (which will
run even if you have spell checking disabled).

There really is no need for this thread to be filling up with 'it works on x,
doesn't work on y', since we know what causes this (any NSTextField on
Mountain Lion).

If you want to have a look at it and can't read the crash report, attach to
TextEdit with gdb

    
    
        $ gdb /Applications/TextEdit.app/Contents/MacOS/TextEdit
        (gdb) r
        <switch to textmate and type 'file://a/aaaaa' into a new doc'>
        (gdb) <crash report>
        (gdb) disass DDResultCopyExtractedURL
        <dump of function>
    

Also, this means the bug can't be exploited

~~~
codeka
What do you mean "exploited"? It certainly can be exploited to cause a denial
of service (like the one at this page:
<http://gironda.org/this_will_crash_safari.html>).

~~~
nikcub
'exploit' is the term for getting a bug to run your own shellcode

------
zbowling
Everything crashing:

    
    
      - Skype (type and right mouse click)
      - Sparrow (type and wait)
      - Chrome (address bar)
      - Safari (address bar)
      - Tweetbot
      - Twitter.app 
      - Mac App Store (search bar)
      - Base (any textbox)
      - terminal (in the preferences screen)
    

Not crashing:

    
    
      - SublimeText
    

Pretty much each and every text box on the entire system.

~~~
paulschreiber
That's because SublimeText doesn't use NSTextFields, and therefore, doesn't
use Data Detectors. It's not voodoo.

~~~
paulschreiber
Seriously, people, learn how to read a backtrace. This is _hacker_ news, not
social-media-manager-who-claims-they-are-a-geek news.

~~~
arcatek
Great. Now, can you say who ever said that it was voodoo ?

I only see someone who said that it was safe to type it in a software, but I
can be wrong.

~~~
lloeki
> _can you say who ever said that it was voodoo_

Listing every single app under the sun when it's completely obvious a common
and widely used component (doesn't matter what's its name so really no need to
know Cocoa and that it's probably NSTextView) is used is acknowledging it as
voodoo.

~~~
46Bit
No. It's being curious as to what you might be able to do with it. In my case,
bricking Messages.app until they send themselves lots of messages.

------
antics
The cause of this bug seems to be the OSX system spell checker; I've crashed a
few applications to take a look at the dumps, and so far they common point of
failure seems to be that they all have some call to something like
`NSSpellChecker`.

In the OP for example:

    
    
        6   AppKit                              0x00007fff921dbd1a checkDataDetectors + 536
        7   AppKit                              0x00007fff921d9429 NSSpellCheckerCheckString + 13334
        8   AppKit                              0x00007fff921d5f9f -[NSTextCheckingOperation main] + 152
    
        7   AppKit                              0x00007fff921d9429 NSSpellCheckerCheckString + 13334
    

This explanation makes sense to me because the spell checker is integrated
very tightly into the user-facing text entry experience across the board in
OSX. It is one of the few bits of code that could explain reliable failures
across applications that we've been seeing.

~~~
sgt
I've disabled the spell checker a long time ago, but it still happens. So
NSSpellCheckCheckString is still being invoked even though the spell check is
not running.

------
niggler
I think the title needs to be amended to say 'OS X Mountain Lion' because the
bug is not reproducible in Lion or Snow Leopard ...

~~~
program
Confirmed that the bug doesn't affect Lion.

------
jclem
Does not crash:

\- 'File:///' typed slowly

\- 'File://a' typed slowly

\- 'File:// a' typed at any speed.

Does crash:

\- 'File:///' typed quickly

\- 'File://X' (X being any non-whitespace character) quickly

\- 'File://X ' (any number of non-whitespace followed by any whitespace) at
any speed

------
lloeki
The word is out so it's only a matter of minutes for people to come up with
this Safari DOS in Javascript:

<https://gist.github.com/4696484>

(remember to change to _F_ ile)

Chrome survives, while Safari either crashes or behaves erratically up to
being unusable. Firefox requires slight modifications to the event, but I'm
bored.

------
nukerhazz
Binary patch, for entertainment purposes only, do not actually use:
<http://twitter.com/landonfuller/status/297592929923502080>

~~~
danabramov
Landon is a really nice guy, by the way. He is the author of PLCrashReporter
library and helped us out making it work with MonoTouch.

------
sly010
There was an x-ray machine called "Therac-25" which had a chance of killing
you if the operator typed a specific (non-lethal) configuration too fast.

<http://en.wikipedia.org/wiki/Therac-25>

That was a disaster. This is a bug.

~~~
smtddr
This is why I never want to work in dev or qa for medical machines. If I were
involve in this product's design, the guilt would destroy me.

------
0x0
I wish they'd just fix the bug where typing "~" crashes Terminal.app
(depending on your keyboard language) :(

~~~
pivo
Have you tried iTerm?

~~~
0x0
Maybe I should, but 10.8's Terminal.app seemed to have everything I need
(well, except for the crash reporter ruining my work every time I forget and
type ~)

~~~
artursapek
I switched to iTerm a long time ago and never looked back. I recommend it.

~~~
pidg
iTerm 2 is brilliant, I can't imagine using the default Terminal for anything,
ever.

~~~
rsl7
Enlighten us. I have read the feature list over the years and don't see
anything that really stands out enough.

~~~
colomon
You know, it's funny. I said the exact same thing you did, then a friend
convinced me to try iTerm2 about a year ago. I still couldn't put my finger on
what's better about it, exactly, but I've never considered going back after
the first day. It just feels right.

It's probably easier to try than it is to find out why to try it...

~~~
pclark
I say the same thing about why I loathe Chrome and adore Safari. I can't
really say why, Safari just feels right.

------
mmastrac
This also happens in the address bar of Chrome. Great fun.

~~~
niggler
What version of chrome? Does not happen with 24.0.1312.56 or 24.0.1312.57

~~~
0x0
Happens with 24.0.1312.57 on osx 10.8.2.

~~~
niggler
Oh that may be a mountain lion issue. I tried with Snow Leopard 10.6.8 and
Lion 10.7.5

------
mmastrac
Fun exploit of this - you can use it to lock up Safari hard:

<http://grack.com/hangsafari.html>

(not a reduced testcase - it's more of a brute force)

You can also trigger a mailto: link that crashes Mail:

mailto:pete@bar.com?subject=File:///&body=File:///

~~~
ubershmekel
Welp, sadly, Safari on Windows isn't affected.

------
nukerhazz
If you have Xcode you can reproduce the crash in a scratch Xcode project. Drop
an NSSearchField into a window, run the app, enter you-know-what, and boom. (I
used NSSearchField since that's what I found most easily crashes Finder,
VoodooPad, and System Preferences. Maybe NSTextField works as well.)

The assert that fails is this:

assertion on
/SourceCache/DataDetectorsCore/DataDetectorsCore-269.1/Sources/PushDown/DDResultExtraction.c:1576
"CFStringHasPrefix(urlVal, CFSTR("file://"))" failed :wrong extraction:
File://

There's an extra slash at the end, but I left it out because it crashes
Safari.

------
VPrime
I sent an iMessage (from iPhone) saying File:/// to my iMac and it crashed
iMessage on the other end.. and now messages app crashes every time I try to
launch!

Also Sent myself an email (from the iPhone) with File:/// as the subject (and
in the body for good measure). The Mail.app won't crash on the incoming email,
but it won't open that message.

~~~
46Bit
Send yourself 80 messages and it'll open again, then delete the conversation
the File:/// is in.

------
watmough
Worst Easter Egg ever.

------
speeder
I would appreciate if someone can explain to me why I am feeling a urge to
visit the office tomorrow only to see stuff crashing on my OSX workstation.

~~~
lostlogin
That feeling was me for 10+ years, mainly teenage ones. Not sure where it
went, but I prefer working stuff these days.

------
MysticFear
Quick everyone go to their respective Apple Stores around the world. We will
then see how long it will be fixed then ...

------
zacharypinter
Tried it out by sending an email to myself (from webmail) and opening the mail
in Mail.app. Mail.app doesn't crash, but if you hit reply to the message and
put the cursor on the "File:///" part, it does crash.

~~~
zhoutong
Reproduced on Sparrow with success. Whenever you touch the line with
File://(/) it will crash.

In one instance the Sparrow crash caused the entire mail library to be corrupt
and I have to download all my mails again.

------
JosephRedfern
Tried to tweet about this - Twitter client for OSX crashed instantly. Strange
that it's not been discovered before!

~~~
JosephRedfern
Also crashes Alfred, Spotify, Calendar and Messages... It would probably be
easier to make a list of un-affected apps.

------
kunai
Hilarious. I pranked my friend with this, and now he's pissed. Oh well, it was
certainly worth it.

Interesting, though, what exactly causes this bug. It seems as if the built-in
spellcheck seems to misinterpret the string "file:///" as some sort of alien
construct, or perhaps false typed directories trigger some sort of lockdown.
Either way, it's very puzzling how this sort of thing made it past the OS X
developers, especially with Apple's level and standard of ultra-high quality
control.

~~~
omaranto
Doesn't Apple's quality control only apply to hardware? I hear people complain
about bugs and just shear ugliness of their software pretty often.

~~~
kunai
Up until 10.6, actually, Apple used to produce very good, generally bug-free
software. Starting with 10.7, they've begun to rush their software just
because they have, say, 4 new "features". The yearly release cycle is partly
to blame, but even then, iOS bugs are much more minor.

------
kc0bfv
Several people have said that these apps are crashing at an assert. How did
asserts make it into production code? Is it just a C thing to make them debug-
only?

~~~
lloeki
Sometimes (especially in dynamic-land) you assert stuff before doing some
processing, so that stuff does not blow up halfway but upfront.

"- but, it should never happen?!"

"- so, make it not happen, ever"

~~~
kc0bfv
My understanding is that asserts are for debugging, and exceptions/more robust
error handling are for production.

Asserts make the code blow up, which can make a problem easier to spot in
dev/testing. In production it seems better to throw an exception, even if the
program can't handle it well and just has to quit nicely.

I like your defensive programming strategy - see if the tires are flat before
you get out on the highway.

------
bla2
This is the original discovery, before shess copied it into openradar:
<http://crbug.com/173405#c17>

~~~
smackfu
Original bug report was interesting, just typing "F" in the address bar and
getting a reproducible crash that no one else could repro.

~~~
bla2
"F" probably autocompleted to "File:///" on that person's profile.

------
quasque
This is a bit nostalgic. Back in the day, Opera used to crash if you typed
<http:///> into the address bar.

(Edit: talking about bugs, HN formatting won't let me put <http:///> in double
quotes - it eats the closing quote.)

------
TallboyOne
Can someone explain this error to me simply, like one might talk to a golden
retriever?

~~~
iSnow
Somewhere in the system is a friendly program called "DataDetectors", which
sniffes at text so find out if there are links in it which should be
highlighted by the application handling the text.

Now the programmer who developed DataDetectors wanted to make sure (maybe for
tests) that a subcomponent was fed only valid file-urls (that is: file:/// is
OK, File:/// not) and therefore inserted an assert-statement. Assertions stop
the program flow if their condition is not met (an exception is thrown) and
normally a code block upstream should handle this case.

I can only speculate, but either the assertion was left in the code despite
being only intended for debugging/testing (ie. it was meant to be there only
temporarily) or the upstream code has a bug that causes it not to catch the
exception.

Either way, it is not handled and therefore bubbles up the whole code chain
until some monitor in OS X or Objective C terminates the program because it
sees a program error.

Someone at Apple forgot a test case feeding text with File:/// to
DataDetectors.

~~~
martinced
_"Someone at Apple forgot a test case feeding text with File:/// to
DataDetectors."_

There's obviously and blatantly a combinatorial explosion of possible inputs
into a textbox so it's physically impossible ("physically" as in: "there
aren't enough atoms in the universe to build a machine able to handle this) to
test all the possible inputs.

By your logic when the terrible endless loop in the Java floating-point
parsing library (you could stuck any JVM by trying to parse:
2.2250738585072012e-308) was discovered, it's because:

"Someone forgot to write a test case trying to parse 2.2250738585072012e-308"

Yeah. Sure.

~~~
iSnow
I am not sure why you sound so angry, but let me try to explain: Every time
you build in an assertion like that you should have a test case to prove the
program handles it like you intended it to.

And concerning the Java FP bug: yes, someone forgot to test the corner cases
of the Java FP range.

You don't need to test every FP number out there, but you absolutely need the
highest, lowest, highest+1, lowest+1, zero, +/-infinity, division by zero and
if you are good highest +0, lowest + 0 and some conversions from and to long,
int etc.

------
lovamova
Another reason to use Snow Leopard, best operating system until now.

~~~
TallboyOne
Yes because every day one types "File:///".

This seems like hardly something that outweighs the massive performance
improvements.

~~~
Jyaif
_improvements_ ?!

~~~
petercooper
Yes, now you too can drain your battery in just half the time as before! ;-)

------
elptacek
ETA: Yeah... I can't make this stick. So it kinda-sorta works, but is not a
real workaround. Guess I'm glad I kept testing it...

I found a workaround:

defaults write $DOMAIN DisableDataDetectors YES

Credit goes to: [http://www.macosxtips.co.uk/index_files/data-detectors-in-
ma...](http://www.macosxtips.co.uk/index_files/data-detectors-in-mail.php) The
following works for Adium:

defaults write com.adiumX.adiumX DisableDataDetectors YES

ETA: Doesn't seem to persist. Might be sleep/awake or some sort of
refresh/timeout. Investigating...

~~~
elptacek
Tested this a bit more. It seems to work on Adium "only some of the time." I
am told it works for Colloquy. It does not work for the Google Chrome Browser,
TextEdit or Mail.

------
human_error
I think it only affects 10.8. I have tried the suggested methods of this
thread in Chrome, TextEdit, iTunes, terminal and Safari but nothing happened
in 10.6.8.

------
zero_z3r0
For the impatient among us...

A shell script that patches the offending binary and bypasses the issue:
<http://pastebin.com/pqyePXqa>

Copy script contents to a file, then execute (using sudo) This has been tested
by others with positive results. It is however a community provided fix.

Original file is backed up before patching.

------
taf2
so, uh anyone else sense a zero day exploit? <a href="File:///<insert code
here>">click me</a>... not saying that will work, but usually if you can hard
crash something you just found some corruption in memory maybe bad use of
memcpy, sprintf instead of snprintf... something along those lines...

~~~
czhiddy
Highly unlikely. If you look at the backtrace, it's dying on an assert, not
some random memory dereference.

~~~
im3w1l
Seems to work in email though: <http://news.ycombinator.com/item?id=5154915>

------
MBCook
What an interesting bug.

Just tried in Mobile Safari and Noted in iOS 6.1, no problems there.

~~~
0x0
The iOS Simulator's mobile safari seemed to survive OK on OS X too.

------
gabrielgironda
Figured you can crash Safari on page load with this.
<http://gironda.org/this_will_crash_safari.html>

------
nu2ycombinator
I never felt need to upgrade my snow leopard. This bug is not happening in
Snow leopard. I am going to Apple store and try this on one of the display
laptop. :)

------
jensen2k
I put ut a JSFiddle crashing Safari. This is fun.
<http://jsfiddle.net/EJzhH/3>

------
h4rrison
It's definitely a spell check bug, I've got that feature turned off (always
hated it) and none of this is doing anything for me.

~~~
JeffKnol
How do you turn it off globally? Even removing the AppleSpell.service
directory and quitting the accompanying process doesn't seem to work.

Also, are you sure you're both affected and doing it right? It only affects
10.8.x and you have to capitalize the "F".

------
emehrkay
Seems to crash just about everything except Textmate 1&2 which is strange
because they both use the built-in spellchecker

------
scottbartell
Anyone else wasting a lot of time typing "File:///" into every input in every
program...? Just because they were told not to.

------
eyko
Not for me <http://cl.ly/image/2i0S3r2b3q0d>

~~~
delinka
OS X version?

Bug report says 10.8.2. I don't see this problem on 10.7.5 as the addendum
mentions no problem in Lion.

------
Fizzadar
Spotlight, Finder, Chrome & Activity Monitor all crash; Terminal, Firefox &
Sparrow are fine...

------
Vecrios
I just did. I haven't seen a program crash this abruptly in a while, I'm
happy.

------
cranklin
in other words, this would wreak a lot of havoc: window.location = "File:///"

~~~
X-Istence
None of the browsers will redirect from the web to local, nor will they allow
you to load images and whatnot from local either, so doing it that way won't
work either.

------
agracey
It just crashed an App that I was working on and then crashed XCode itself.

------
peterkelly
Can't reproduce it in Lion.

------
bsno
Do not send this string in an iMessage, unless, of course, you're evil.

------
josteink
Also, do not send file:/// to anyone using iMessage on their computer.

------
maximem
Now when I try to acces F ...acebook it crashes... calling File://[.]

------
nK0de
Crashes:

XCode 4.5.2

TextEdit

iTunes

Preview

I'm typing File:/// in every textbox I could find. This is some weird fun. Way
to spend my Saturday morning.

------
lucb1e
Sounds like an easter egg gone horribly wrong

------
steeve
And here I thought this was a Chrome bug...

------
suyash
Did not crash on LION MAC OS X 10.7.5

------
philfreo
iMessage your friends with this string and their Messages app will start
crashing. Fun!

------
frostnovazzz
Works fine in sublime text 2

------
jayferd
File:///

------
andymcsherry
Crashes search in iTunes

~~~
lostlogin
Weird - doesn't for me, just asked me if I wanted to search App Store. But
kills finder, makes chrome do odd stuff etc.

------
ajaimk
It crashes finder. WTH?

------
stallmanuu
irc.mactalk.com final solution! room cleared

------
d0m
It's a bug, it happens, let's move on.

------
spiritplumber
Fail:///

------
akadien
Cool!

------
gavinh
LINUX

------
ajsharp
This. IS. AWESOME.

