hoakley June 17, 2020 Macs, Technology

What caused that kernel panic? How to use the log in diagnosis

Kernel panics, and anything else which causes your Mac to freeze completely or restart, are among the most difficult problems to diagnose. You may not even know when they happened: you just notice that your Mac restarted at some time when you weren’t there. There are also limited options as to what you can do to see what went wrong in the log. To use Console, as the event occurred in the past, you have to make a logarchive and open that. Trying to use the log command can be easier in that it can examine the live log, so long as you understand its complicated command structure and how to locate the panic.

This tutorial shows how you can use my free log browser Ulbow to identify and investigate this type of event. If you prefer using Consolation, please read this article as well, as it shows that app’s controls in use.

1. Get the best estimate of the time of the restart

If you witnessed the restart, make a note of the time that your Mac started up. If you weren’t present, and can’t work it out any other way, open System Information and select the Software heading at the left. This will reveal the Time since boot, which you can then subtract from the current clock time to establish roughly when that restart occurred.

2. Prepare Ulbow for browsing

Open the Ulbow app and set its controls to start browsing. In this case, ensure that Enable Chart View, in the Ulbow menu, is ticked so that you can use those. In the View menu, ensure that only the following commands are ticked:

Get info messages
Limit entries shown
Show log entries.

These minimise the number of log entries which will be displayed when you get log extracts. By default, the number of log entries which will be shown when limited is around a thousand. If you want to change that, the control is at the foot of Ulbow’s Preferences dialog.

When you’re happy with those, make the settings your defaults so that each new window you open will use the same; to do that, use the Save as defaults command in the Ulbow menu.

3. Find the beginning of startup

In a new log browser window, set the time and date in the relative to control to around 30 seconds before your best estimate of the startup, and the Period to 2 min, so that the log extract should capture the first minute or more of startup. Set the style to basic+, leaving Predicate and filter set to none. Then click the Get log button.

Here I struck gold at the first attempt: nearly 200,000 log entries have been found, of which only around 1700 are displayed in the view below. Those, from the start of that two minute period, refer to processes being shut down in readiness for the restart.

To confirm this, and orientate yourself in time, use the Open Chart command in the Window menu to see the distribution of log entries over that two minute period. Note that this chart view plots all 200,000 entries, not just the 1700 or so shown in the limited log extract.

The Mac used here has a T2 chip, and is using Secure Boot with FileVault enabled. This results in a characteristic three-step restart:

at the left are the many log entries immediately prior to shutdown;
there’s then a period of log silence during the early boot phase;
a small peak appears for the login screen;
log silence resumes during the T2 phase of startup;
once that’s complete, there’s a sustained peak of log entries marking the main startup phase.

Macs without a T2 chip or FileVault are simpler, with just a single silent period.

You can see this even more clearly if you switch the popup to show *kernel* entries.

Let the pointer hover over that centre bar and a tooltip pops up giving the date and time of the start of that period, together with the number of log entries there from that sub-system, here just over 500, which is typical for the login screen phase. One invaluable feature of the chart view is that it’s easy to set the date and time in one of Ulbow’s browser windows to any time taken from a chart view bar: simply Command-click on the selected bar to copy it. Do that with the first bar from this chart which you think indicates the beginning of startup.

Then open a new browser window using the New command in Ulbow’s File menu, click anywhere in the relative to date and time control, and Paste (Command-V). That sets the reference time to that displayed in the tooltip for that bar. Set the Period in that window to 10 sec (in Sierra you may need to make that longer, as the log can have problems retrieving entries for short time periods), and using other settings the same as in your first window, click on the Get log button.

4. Inspect the startup process

If you’ve hit the beginning of startup, you’ll now see entries such as
20:03:51.024993 0 0 === system boot: 9C9E2A20-955E-4568-84EE-1821877DBC3E 20:03:51.025042 0 0 mem_actual: 0x800000000 legacy sane_size: 0x7f0000000 20:03:51.025052 0 0 PMAP: PCID enabled 20:03:51.025055 0 0 PMAP: Supervisor Mode Execute Protection enabled 20:03:51.025058 0 0 PMAP: Supervisor Mode Access Protection enabled 20:03:51.027102 0 0 Darwin Kernel Version 19.5.0: Tue May 26 20:41:44 PDT 2020; root:xnu-6153.121.2~2/RELEASE_X86_64
In early versions of Sierra, the initial entry refers to BOOT_TIME instead.

If your browser window is a little later in the process, step the relative to time back a few seconds, and iteratively reach the starting point. You can always go back to the chart view and copy the time from a different bar.

The first entry in startup, with its characteristic === system boot: log message is an important landmark in the log. Tweak the time in that window to the same, and Get log again.

On my T2 Mac, it’s now easy to scroll down the relatively few log entries to discover the second long gap in the log, corresponding to the T2 phase of startup. Here the gap in entries lasts around 22.5 seconds. Soon after they resume, you’ll notice the characteristic clock time adjustment, another useful landmark.

5. Find the shutdown cause

One of the most important pieces of information you should discover from the startup is the reason for the previous shutdown. This is given in a message containing the word cause, so the next task is to locate that.

Ulbow provides two powerful methods for this. The first and more specific is to list just those log entries containing that word. Select the text currently in the filter combo box, remove it and replace with the word cause, then press the Tab key. This doesn’t get another log extract, but immediately shows only those log entries whose message contains that word.

Here it’s the first entry.

You can also use the normal Find command in the Edit menu. To do that, set filter back to none using the popup menu, then open the Find dialog using the menu command. Type the word cause in and click on the Next button.

Like any other Find, this will highlight the first appearance of the word in the text of the log entries that are displayed. The big differences here are that filter works only on text in each log entry’s message field, and displays all entries containing that word or characters. The Find command searches all the text you can see in that view, and continues to display all those entries regardless of their content.

Cause codes like this are detailed in Ulbow’s Help book. If you haven’t already opened it, do so now using the Ulbow Help command in the Help menu. Go to the Contents page and click on the Cause codes item there. In the second page about them you’ll see a list of known shutdown cause codes. Although a code of 1 is relatively recent, it is essentially the same as 5, for a shutdown initiated normally by the user.

If you can’t find the shutdown cause, you may need to temporarily disable Limit entries shown, so that all log entries for the period are displayed. You may also find messages referring to a previous panic, and writing additional logs or a dump.

6. Examine the previous shutdown

Having established its cause, now’s the time to go back in time and browse the seconds before the panic occurred. Go back to your original chart showing the whole sequence of shutdown and startup. Identify the last bar before shutdown, Command-click to copy its datestamp, and paste that into a new log browser window’s relative to control. Set the Period there to -20 sec, which means the twenty seconds immediately prior to the reference time, and Get log.

You may now need to tweak the reference time setting one second at a time until you capture the last entry before log silence. It can help to reduce the Period to -5 sec and turn Limit entries shown off, stepping slowly until you reach the very last entry. Once you’ve got its time, set the reference time to the next whole second, the Period to -20 sec, and Get log.

To view some of the most important entries during this period, enter === in the filter box and press Tab. You might then see evidence of a more orderly shutdown sequence, such as
20:03:06.957483 com.apple.spotlightserver 5734072 171 ====^^^^ paired volume data media unmounted 0x7fa2b1040600 20:03:06.957527 com.apple.spotlightserver 5734072 171 ====^^^^ paired volume data media unmounted 0x7fa2b2014000 20:03:06.957539 com.apple.spotlightserver 5734072 171 =====^^^^ diskGoingAway forced:0 fromDiskArb:1 20:03:06.957553 com.apple.spotlightserver 5734072 171 =====^^^^ diskGoingAway forced:0 fromDiskArb:1 20:03:06.957818 com.apple.spotlightserver 5734734 171 =====^^^^^ Final Store Closed on Volume 20:03:06.957833 com.apple.spotlightserver 5734068 171 =====^^^^^ Final Store Closed on Volume 20:03:06.958626 com.apple.spotlightserver 5734072 171 ====^^^^ paired volume index location media unmounted 0x7fa29200b400 targetVolume:0x0 20:03:06.958685 com.apple.spotlightserver 5734072 171 =====^^^^ diskGoingAway forced:0 fromDiskArb:1 20:03:06.962088 com.apple.spotlightserver 5734098 171 =====^^^^^ Final Store Closed on Volume 20:03:06.962904 com.apple.spotlightserver 5734072 171 =====^^^^ diskGoingAway forced:0 fromDiskArb:1 20:03:06.970055 com.apple.spotlightserver 5734734 171 =====^^^^^ Final Store Closed on Volume 20:03:07.015608 com.apple.spotlightserver 5734064 171 =====^^^^^^ whyFail:-5, <private> 0x0 20:03:07.074029 com.apple.spotlightserver 5734064 171 =====^^^^^^ whyFail:-5, <private> 0x0 20:03:07.135167 com.apple.spotlightserver 5734069 171 =====^^^^^^ whyFail:-5, <private> 0x0 20:03:08.822309 0 0 === system wallclock time adjusted 20:03:08.822993 com.apple.spotlightserver 5734737 171 === tryShutdown, not clean count:2 20:03:08.895414 com.apple.metadata 5735124 1220 ==== XPC handleXPCMessage unknown error 20:03:08.903976 com.apple.metadata 5735102 93122 ==== XPC handleXPCMessage unknown error 20:03:08.959096 com.apple.spotlightserver 5733133 610 === tryShutdown, not clean count:1 20:03:09.023059 com.apple.spotlightserver 5734098 171 === processClean transaction:0x7fa2b2806e80, shutdownTimeStart:6.13941e+08 transaction:0x7fa2b2806e80 20:03:09.023095 com.apple.spotlightserver 5734098 171 === processClean - EXIT 20:03:09.031353 com.apple.metadata 5733697 1220 ==== XPC handleXPCMessage XPC_ERROR_CONNECTION_INVALID 20:03:09.236298 com.apple.spotlightindex 5734762 420 === processClean transaction:0x7fe9fad096e0, shutdownTimeStart:0 transaction:0x7fe9fad096e0 20:03:09.236302 com.apple.spotlightindex 5734762 420 === processClean - EXIT 20:03:13.652260 0 0 === system wallclock time adjusted

Exploring the exact sequence of events leading up to a kernel panic or similar takes more time. Use the same basic technique, using a reference time which marks the end of the log entries you want to view, with a negative Period determining the number of entries in the view, with limits turned off so long as you aren’t seeing thousands of entries. Use charts to look at specific subsystems to see where they went awry. I’ll look at some of those techniques in a further tutorial here.

7. Using Ulbow is different

Traditional techniques for browsing the log still work in Ulbow, but it has unique tools which are specifically designed to work with the unified log. You won’t find these in Apple’s underpowered Console, nor when using the log command. They make it much quicker to identify and navigate through its tens of thousands of entries, while still supporting tools such as filter predicates.

It’s relatively quick and simple to get a log excerpt covering a couple of minutes, limiting the entries displayed, and exploring the whole series using a chart. Chart view lets you see how active different sub-systems and the kernel were so you can hone in on a narrower period of interest.

Looking for anything among tens of thousands of log entries is unlikely to be successful, even when you know exactly what you’re trying to find. Limiting the number of entries displayed makes a big difference when you need to browse those entries.

Selecting entries to be displayed on the basis of filter terms is much quicker than using filter predicates, which are complex and prone to error.

Working with structured fields in log extracts is much preferred to unstructured text, and displaying them using different colours aids understanding.

21Comments

Add yours

1

Michele Galvagno on June 17, 2020 at 7:00 am

A “time since boot” of 9:13 means … 9h 13mins?
Just because that is impossible as there was a restart around 6hrs ago and before that the Mac was turned on for about 20hrs (and then 2-3 days since the previous reboot)

LikeLiked by 1 person
- 2
  
  hoakley on June 17, 2020 at 8:16 am
  
  Yes. Days are given separately, with the time period elapsed since the last startup given as HH:MM.
  Perhaps you need to check that using Ulbow…
  Howard.
  
  LikeLike
  - 3
    
    Michele Galvagno on June 17, 2020 at 8:44 am
    
    Thanks, how should I set it up for this?
    
    LikeLiked by 1 person
    - 4
      
      hoakley on June 17, 2020 at 8:46 am
      
      I had hoped this article explained how to do that.
      Howard
      
      LikeLiked by 1 person
    - 5
      
      Michele Galvagno on June 17, 2020 at 10:00 am
      
      Sorry my bad… as what I had was not a crash I thought the usage would have been different.
      I had put the Mac to sleep yesterday evening and this morning the metal was dead cold.
      I’ll keep you posted, thanks.
      
      LikeLiked by 1 person
    - 6
      
      hoakley on June 17, 2020 at 11:20 am
      
      It may be easier to take this to email if you like, Michele. I gather your MBP had just shut itself down then, and not even restarted?
      Howard.
      
      LikeLike
    - 7
      
      Michele Galvagno on June 17, 2020 at 11:21 am
      
      Thanks, I’ll write you ASAP (sorry once more for not reading the article more thoroughly before).
      
      LikeLiked by 1 person
8

EcleX on June 17, 2020 at 5:14 pm

Wow. Amazing. Many thanks!

The Time since boot can be useful, but sometimes the Mac freezes and you know exactly the hour:minute:second showing in the frozen Apple Mac Finder menu bar. Could that be used as well? How?

LikeLiked by 1 person
- 9
  
  hoakley on June 17, 2020 at 10:34 pm
  
  Yes – you’ll need to write it down though, as you can’t take a screenshot or copy it anywhere because of the freeze. You may find log entries stop before or after that time.
  Howard.
  
  LikeLike
10

Javier Gallardo on June 17, 2020 at 7:04 pm

Thank you.
Being far beyond my knowledge how to decipher the log entries, I’ve learned a couple of things, and it’s a pleasure reading your articles, as you achieve to explain quite complicated things in a very clear and pedagogic style.
I keep my iMac always “on” (save when leaving home for some days). I think macs are designed with that idea. Consumption at “sleep” is quite moderate, and I believe whatever electronic device suffers the most with extreme temp./state variations (bulbs break at switching).
In more than two years I’ve only seen my iMac auto-restarted in two, perhaps three occasions (and knew because of state of “start-up items”). I suppose those were kernel-panic auto-starts, but didn’t bother, because I consider such limited number of kernel panics statistically expected, and don’t deserve further investigation. Am I wrong when ignoring these infrequent restarts?
Of course, Ulbow is a nice tool to know exactly what happened when problems are worrying recursive, I think.
Should we panic at a rare and very infrequent kernel-panic?

LikeLiked by 1 person
- 11
  
  hoakley on June 17, 2020 at 10:35 pm
  
  Thank you.
  No Mac should ever suffer a kernel panic. In practice, though, life is too short to spend a day investigating every one, so maybe we just live the them if they remain rare. Pragmatism.
  Howard.
  
  LikeLike
12

Christopher Arbeiter-Grimus on June 18, 2020 at 9:41 am

Hi, thanks for that article! And Ulbow! Fantastic tools.
Trying to track down what crashes my Mac (mostly over night when unattended) since Mac OS 10.15.4 …
Previous shutdown Cause -20

last entries before crash:
17:06:22.906295 com.apple.securityd 1702828 30259 MacOS error: -67061
… then some TimeMaschine stuff ending in
17:06:23.132622 com.apple.TimeMachine 1788863 31033 Failed preflight of “Muli_1Ti” (device: /dev/disk1s1 mount: ‘/’ fsUUID: AD03BA07-2FFA-4DCB-921B-8A23F51725F5 eventDBUUID: CD3C4EAD-06FE-4CF1-A987-B57681F42B73) error: Error Domain=com.apple.backupd.ErrorDomain Code=302 “(null)”
17:06:23.179484 com.apple.symptomsd 1790737 245 869 Exceeded lower TH system-wide flow count of 333, 0.000000 seconds after the primary interface changed
17:06:23.341559 com.apple.DiskArbitration.diskarbitrationd 836 140
last message repeats at least 50 times…..

No help on Google. Ideas someone?

LikeLiked by 1 person
- 13
  
  hoakley on June 18, 2020 at 11:08 am
  
  Unfortunately, -20 isn’t on my list of cause codes, but it’s hardware-related, and somewhere around the disk/storage zone.
  That TM error also appears to be associated with mounting the Data volume.
  Have you tried restarting in Recovery mode and running First Aid on your internal storage in Disk Utility there?
  Howard.
  
  LikeLike
  - 14
    
    Christopher on June 19, 2020 at 10:40 am
    
    Yes I did. All ok.
    anyhow there are more reports on the Web and in Apples discussion forms that Catalina seems to crash Macs that have connected external displays either while they are unattended or while watching Videostreams. Let’s see how this turns out.
    
    LikeLiked by 1 person
15

Theorist on June 20, 2020 at 5:12 am

Thanks for posting this. My mid-2014 MBP (now running 10.13.6) used to freeze regularly — once every couple of weeks. An AppleCare senior advisor helping me with this said the feedback he got from an Apple engineer was that I restart it weekly. That worked; now the freezes are much rarer (once every couple of months).

The senior advisor said the engineer said (so this is second-hand) that, with non-ECC RAM, errors can accumulate over time, eventually causing freezes or panics. Restarting flushes them, thus obviating the problem; he added that how often you need to restart to avoid freezes/panics depends on your usage. Apparently my usage is on the tail end of the distribution, requiring more frequent restarts than normal.

Others have told me this explanation makes no sense at all, and that the senior advisor must have misinterpreted the engineer’s explanation for why regular restarts would help. But for whatever reason, they did.

Any thoughts? Does the fact that regular restarts (i.e., keeping uptime to < 1 week) significantly reduce the occurence of freezes give a clue as to what might be causing them? I.e., are there known classes of problems that are helped by regular restarts, vs. classes of problems that aren't? Or to put it another way, are there classes of problems whose likelihood of occurrence increases with uptime?

LikeLiked by 1 person
- 16
  
  hoakley on June 20, 2020 at 5:55 am
  
  There are two separate issues here.
  From the pragmatic, yes, it is also my experience with Mac laptops that leaving them sleep repeatedly over several days isn’t a wise choice. They do benefit from being started up afresh every few days, so what you are doing is a well-known solution.
  However, the explanation about ECC RAM is utter nonsense. If your RAM is defective, it needs to be replaced. Standard hardware diagnostics don’t always pick up RAM errors, for which a stress test is better. That said, I don’t think this is anything to do with hardware, but reflects shortcomings in macOS and firmware, which are long-standing. macOS is still fundamentally Unix, and incorporates many features which should prevent this sort of thing from being possible. There are many Unix servers which run happily for years without having to be restarted. So why not macOS?
  Howard.
  
  LikeLike
  - 17
    
    Theorist on June 20, 2020 at 6:25 pm
    
    Thanks for your reply.
    
    ” it is also my experience with Mac laptops that leaving them sleep repeatedly over several days isn’t a wise choice.”
    
    Interesting about the sleep; I hadn’t considered that more uptime means more sleep cycles since last boot. But why would a the probability of crashing/freezing increase with the number of sleep cycles since last boot? I.e., why would a machine that’s see a max of 6 sleep cycles since last boot (which is what you’d get if you rebooted weekly) be less likely to crash than one that has seen more than this number? How does the machine’s state change as the number of sleep cycles since boot increases, and what would be the mechanism by which this state change alters the probability of freezing/crashing?
    
    Is this issue specific to Mac laptops? I’ve owned the 1st, 2nd, and 3rd gen MBP’s, and all had crashing/freezing issues. By contrast, the desktop Mac I owned before (PowerMac G5) only panicked once every year or two. But that was a PPC-based Mac, which adds an additional variable. The only way to directly compare Mac laptops vs desktops would be to compare Intel-to-Intel running the same software.
    
    LikeLiked by 1 person
    - 18
      
      hoakley on June 20, 2020 at 8:18 pm
      
      Thank you.
      As I wrote, this is a solution based on pragmatics and experience with a succession of Mac laptops over the years. Some users do manage to get away with long periods between starting them up, but it’s quite common that only letting it sleep for more than a week or so will precipitate a kernel panic or other catastrophe.
      I can’t give a precise cause – I did warn this was from experience rather than reasoning – but when you start up, the firmware etc. and macOS are loaded afresh. When you wake your Mac from sleep, whatever was there before is simply restored and any accumulated memory leaks or similar problems remain, only to be compounded by further use and the next sleep-wake cycle.
      You could of course monitor the logs, Activity Monitor, etc. to try to determine the precise cause. But as up-to-date documentation is largely absent, you’d probably end up without any better understanding.
      Howard.
      
      LikeLike
  - 19
    
    Theorist on June 20, 2020 at 6:45 pm
    
    The reason I ask these questions — and posted on your thread — is that while it would be nice to find a fix for this, I do have a workaround (frequent restarts). So my main interest is in *understanding* why there’s a relationship between uptime and probability of failure. To me, this is a fascinating question. Clearly there must be some progressive change in the state of the machine as uptime increases that correspondingly increases the probability of failure. If there weren’t, then frequent rebooting wouldn’t help.
    
    Since I’m a theoretical chemist, I work extensively with computers; but I don’t understand them at a level that would enable me to answer this question. I’m posting on your site because you seem serious and experienced, so was hoping you might.
    
    Come to think of it, I could alternately try querying one of the faculty in CS…
    
    LikeLiked by 1 person
    - 20
      
      hoakley on June 20, 2020 at 8:19 pm
      
      Thanks.
      If you do get a better explanation, I’d love to hear it.
      Howard.
      
      LikeLike
21

Theorist on June 20, 2020 at 5:18 am

….I’ll add it’s unlikely to be a hardware problem, because the entire motherboard assembly was replaced a year ago by Apple, and this had no effect on the frequency of freezes. Also, the Apple hardware test says my machine is fine, and I keep my 1 TB SSD <= 70% full, so there's enough free space.

LikeLiked by 1 person