Dealing with a kernel panic

A kernel panic occurs when macOS can’t continue running any more due to (software) damage, and your Mac has to restart itself in order to resume normal services. When this happens during startup before the login window appears, it normally results in a boot loop, as discussed elsewhere. This article covers the more common situation when a Mac restarts spontaneously and completes login without a further panic occurring.

Saving the panic log

A minute or so after a spontaneous restart (or, in some older Macs, after starting up when they had spontaneously shut down) a Panic Alert is displayed, inviting the user to agree to sending the panic log to Apple. Don’t simply send the report to Apple, though, as it’s the only readily accessible record of what happened. Panic logs used to be saved in /Library/Logs/DiagnosticReports, from where you could open them in Console, but more recently may be found somewhere closer to /var/db/PanicReporter. They’re thus best copied as soon as they appear and before sending them to Apple.

If the alert isn’t already showing the panic log, click on its Report… button, then open a text editor like TextEdit. Copy the whole contents of the panic log into an empty text window and save it somewhere safe before clicking on the button to send the report to Apple. Once you’ve done that, the alert is dismissed and can’t be brought back.

It’s common to assume that sending a panic log to Apple means that an engineer will look through it and get back to you with some sort of diagnosis. That isn’t what the report does, though: it’s processed automatically and, while there’s nothing stopping someone at Apple contacting you about it, that simply doesn’t happen. Only by saving a copy of the log could you then contact Apple Support and ask for their help. Also consider filing a Feedback report containing a description of what happened and your copy of the panic log, particularly if you have clues as to its cause.

Immediate actions

There are three common reasons for a kernel panic:

hardware (and device firmware) failure or error,
kernel extensions,
conflict with a peripheral.

If you suspect a hardware failure, or wish to rule that out, shut your Mac down once you have captured the panic log, disconnect all non-essential peripherals, and start it up in Diagnostics to run its hardware test routines. If you’re not reassured that all is well, don’t hesitate to get your nearest Apple store or authorised service provider to run their more advanced diagnostics as well.

On Apple silicon Macs, Diagnostics is unique in relying on a hidden key combination: at the initial Recovery screen, hold Command-D until the Diagnostics Loader starts. This may require download of the disk image from Apple’s servers before testing can proceed, so a good Wi-Fi connection is important. Once loaded, there’s a hidden option for extended diagnostics that can be triggered by holding the Command-E key combination.

Panics associated with peripherals such as USB and Thunderbolt docks and hubs are best diagnosed by running the Mac without the suspect hardware connected, and seeing if panics continue. If they do, and you remembered to save panic reports, even if you don’t understand their details you can still compare them to see if they look similar.

Third-party kernel extensions are normally found in /Library/Extensions, and should be uninstalled using the apps that installed them. Most are only loaded on demand, so the mere presence of an extension there isn’t sufficient evidence to convict it of causing the panics. However, you should become suspicious when a third-party extension is named in the panic log as being part of the chain that may have caused it. Most software that used to rely on kernel extensions has now been updated to use system extensions or another modern replacement, so updating old software could solve the problem.

Tools for working with kernel extensions are detailed in the article on boot loops.

Reading the panic log

Unlike app crash logs, panic logs are normally relatively brief and to the point. Although they may be non-specific and not help you much, in many cases they contain obvious clues as to what caused the panic. Formats have changed over the years, but the following sections are likely to prove worthwhile examining.

Immediate cause

At the very top, following the first word panic, the log may suggest a cause. This is most common when a memory leak is to blame:
panic(cpu 8 caller 0xffffff80017729eb): "zalloc: zone map exhausted while allocating from zone kalloc.12288, likely due to memory leak in zone kalloc.48 (6586956000 total bytes, 137228148 elements allocated)"@/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-6153.141.1/osfmk/kern/zalloc.c:3627

This first tells you which CPU core the panic occurred on. If you have repeated panics, keep a note of these, as they may cast suspicion on a core with a hardware problem.

In other cases, you may not be as lucky, and the cause is just given as an ‘exception’, or
panic(cpu 0 caller 0xfffffe002f4e48bc): cannot find IOAESAccelerator
so you’ll need to look for other clues. As the name implies, exceptions are conditions requiring special handling by the operating system. They include page faults, in which something has tried to access an invalid memory address, invalid instruction codes for the processor, and general protection faults which include a wide variety of other bugs. As far as the user is concerned, all exceptions indicate a bug or problem in the code that’s being run.

OS details

You may see lines like
OS release type: Not set yet OS version: Not set yet
simply indicating that the versions haven’t been recorded yet. Most importantly, you should see a statement of the kernel version running:
Kernel version: Darwin Kernel Version 20.2.0: Wed Dec 2 20:40:21 PST 2020; root:xnu-7195.60.75~1/RELEASE_ARM64_T8101
You can check that against that shown in Software in System Information.

On Apple silicon Macs, you should also see the iBoot version, and the current level of boot security:
iBoot version: iBoot-6723.61.3 secure boot?: YES
The latter is important, as running in Secure Boot means that no third-party kernel extensions have been loaded.

Memory leak

If there has been a memory leak, the panic log may well contain a breakdown of system memory zones giving more detailed clues.
Zone Name Cur Size Free Size vm objects 78041088 26795008 …
Zone Name Cur Size Free Size kalloc.32 280834048 3040 kalloc.48 6586956000 4896 kalloc.64 4241453056 5000896 …
Note how the Free Sizes of kalloc.32 and kalloc.48 are very small, and that of kalloc.64 is fairly low too. This is consistent with the kernel running out of memory in one of those zones. Further information may follow:
Backtrace suspected of leaking: (outstanding bytes: 288) …
Because there’s the suspicion of memory leakage, the panic log also gives a detailed backtrace of where it suspects that leakage is occurring, and details of the kexts involved in that. Note that those are unlikely to coincide with any kexts identified earlier as possible culprits.

Panicked task

This may simply be the kernel
Panicked task 0xfffffe166cff1f18: 10735 pages, 374 threads: pid 0: kernel_task
or may give more specific information
BSD process name corresponding to current thread: WindowServer Boot args: chunklist-security-epoch=0 -chunklist-no-rev2-dev
This is the name of the process running its code at the time, and can be another clue as to where the problem lies. Unfortunately, in this case it’s WindowServer, which is running all the time that a user is logged in, thus is likely to be an innocent bystander in this particular panic.

You may also be given a list of kernel extensions that might be involved:
Kernel Extensions in backtrace: com.apple.filesystems.apfs(1412.141.1)[6DA33D13-4501-3D48-B4D8-0329E6AEC86D]@0xffffff7f84e7d000->0xffffff7f84fa4fff dependency: com.apple.kec.corecrypto(1.0)[804DD660-F561-3444-A076-05D7A52D65E3]@0xffffff7f82746000 …

Third-party kexts

Whatever the cause, you should next look at the list of unloaded and loaded kexts forming the rest of the panic log. These are listed in the order that they were loaded, with the most recent kext at the top. As third-party kexts are the last to be loaded, the top of the lists start with any third-party kexts installed on that system and loaded at the time of the panic.
last loaded kext at 939128480512562: >!UAudio 323.4 (addr 0xffffff7f86baa000, size 434176) last unloaded kext at 948795488738566: >usb.IOUSBHostHIDDevice 1.2 (addr 0xffffff7f8556c000, size 45056) loaded kexts: >!ATopCaseHIDEventDriver 3430.1 …
In most cases, the name of the kext as you’ll find it in /System/Library/Extensions is the last part of the ID given. For example, the kext with the ID of com.apple.driver.AppleMobileFileIntegrity is named AppleMobileFileIntegrity.kext.

If those lists contain any third-party kexts, they should be immediately suspected as being the cause of that panic, unless another cause is apparent.

Summary

Save the panic log before sending it to Apple.
Consider running Diagnostics if there’s the possibility of a hardware problem.
Consider disconnecting a peripheral if that could be the cause.
Consider removing/updating any third-party kernel extensions, or better, disabling them altogether.
Read the panic log to provisionally identify its most likely cause, and try to address that.
Report the panic to Apple Support and/or via Feedback.
Keep a careful watch for any further panics, and be prepared to revise your provisional diagnosis.

12Comments

Add yours

1

EcleX on May 29, 2023 at 8:31 am

Many thaks. Twice for the Summary. I would add updating/upgrading macOS, whenever possible.

LikeLiked by 1 person
- 2
  
  hoakley on May 29, 2023 at 12:22 pm
  
  Thank you.
  Although Apple takes the opportunity to make this a recommendation, I think we can do better in the light of what we discover from the panic log.
  If this turns out to be hardware failure, then updating macOS isn’t going to help at all, and in some cases could precipitate more serious failure.
  If this turns out to be a problem with a third-party kext, then that’s not going to resolve by update macOS, and could even get worse.
  If this is a peripheral, then it’s unpredictable, and depends on whether the update fixes the problem, which you’re unlikely to be able to tell in advance.
  So I think it’s more important to establish the most likely cause, and address that, rather than just updating macOS.
  Howard.
  
  LikeLike
3

BenSar on May 29, 2023 at 3:51 pm

As you have so often warned us – and so clearly repeat here – the old Voodoo Magic doesn’t work.

Worse than that, the mindset (and muscle memory) which drop us into that trap, actively prevent us from doing better.

Your check-list is “doing better”.

I shall try to memorize it; retrain my muscle memory – and keep on re-reading this article!

Thank you again for lifting our community to a higher level of competence and productivity.

LikeLiked by 1 person
- 4
  
  hoakley on May 29, 2023 at 5:13 pm
  
  Thank you.
  Howard.
  
  LikeLike
5

MarkC on June 1, 2023 at 5:14 pm

How fortuitous that your article should appear mere days after the first ever kernel panic on my old MBP 9,2. The log begins with:
panic(cpu 0 caller 0xffffff802bcc084f): assertion failed: m->m_flags & M_TAGHDR, file: /AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-6153.141.66/bsd/kern/uipc_mbuf2.c, line: 479
I’ve had little success parsing that initial line and wonder if you might have any insight into it?
Meanwhile, thank you for the excellent, and timely for me, breakdown of a kp log,

LikeLiked by 1 person
- 6
  
  hoakley on June 1, 2023 at 5:18 pm
  
  Which version of macOS is it running?
  Does it have any third-party kernel extensions?
  Howard
  
  LikeLike
  - 7
    
    MarkC on June 1, 2023 at 7:50 pm
    
    10.15.7. The only 3rd party extension is Little Snitch. It’s the prime suspect of course. I should probably reinstall that kext if I get another kp. It’s a remote machine and I do it no favours by making it do so much uptime. It’s a bit cranky about that and often throws a fit and restarts itself if I don’t get to it first. It’s never panicked before tho’.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on June 1, 2023 at 9:14 pm
      
      If you need Little Snitch, then you should ensure the version is installed is appropriate for Catalina.
      “often throws a fit and restarts itself”
      You do know that’s the practical definition of a kernel panic? What else causes a Mac to restart itself?
      Howard.
      
      LikeLike
9

MarkC on June 2, 2023 at 4:29 pm

My apologies Howard. That was a rather hurried, hence badly phrased, observation on my part. I should have just left out the “throwing a fit” part because those ‘fits’ never cause a kernel panic and are therefore, I think, unrelated to the topic of your post. The only time it’s ever panicked was this recent event.
It has been a very very long time since I had a machine panic so I was inordinately excited to see what I could learn from the log. Fortunately the MBP is no longer my principle machine – I have a refurbished M1 MBP now – so there’s much less of a concern for data etc. although I wouldn’t really want to lose the machine if it turns out to be motherboard related.
Your article came along at just the right time and has provided me with a roadmap for which I am very grateful. I’ll run hardware diagnostics and continue to watch for future panics with your advice in mind.
And yes, it is the correct version of LS for 10.15.7 and that’s the only third party extension which is loaded.

LikeLiked by 1 person
- 10
  
  hoakley on June 2, 2023 at 7:07 pm
  
  No problems: in that case, I’d watch and see what happens.
  Howard.
  
  LikeLike
11

Michele on August 17, 2023 at 6:00 pm

I don’t remember: Intel Macs simply hold down Cmd-D on startup to run diagnostic, while Apple Silicon Macs hold down power to start-modes, then Diagnostic and hold down Cmd-D?

LikeLiked by 1 person
- 12
  
  hoakley on August 17, 2023 at 6:39 pm
  
  Close: Intel Macs use just the D key at startup. Apple silicon Macs you start up in Recovery, then at the first screen hold Command-D until the Diagnostics Loader starts up.
  Howard.
  
  LikeLike