So, pretty much out of nowhere, my trusty old Macbook Pro started shutting down on me. Frequently. Sometimes several times within an hour. Sometimes it would go for hours on end with no trouble. This continued for a couple months of me trying different things: not putting the machine to sleep between uses, switching browsers, uninstalling extensions, I really had no idea when it all started. I seriously considered having the logic board replaced, which would not have been cheap. After hours of combing and reading the message boards and all the info I could find about kernel panics, I finally identified the culprit. Sophos Anti-Virus.

What is a kernel panic?

A kernel panic is an action taken by an operating system upon detecting an internal fatal error from which it cannot safely recover. The Unix kernel maintains internal consistency and runtime correctness with assertions as the fault detection mechanism. The basic assumption is that the hardware and the software should perform correctly and a failure of an assertion results in a panic, i.e. a voluntary halt to all system activity. When a kernel panic occurs in Mac OS X 10.2 through 10.7, the computer displays a multilingual message informing the user that they need to reboot the system. Prior to 10.2, a more traditional Unix-style panic message was displayed; in 10.8, the computer automatically reboots and displays a message after the restart. The format of the message varies from version to version.

A Google search of the topic will reveal many threads claiming that kernel panics are usually hardware problems and that you should take your machine to the Apple store and have the logic board replaced. Believe me, I considered it since I wasn't familiar with the crash reports yet and this problem is one of the most frustrating I've ever come across. Let's face it, who wouldn't be frustrated by what is supposed to be a high-end computer shutting down for no apparent reason several times a day or even several times an hour sometimes? Nobody, that's who.

The crash report

Here is an example of the crash reports I was seeing, yours may be different and I can't say for sure what yours will reveal, but hopefully describing the process I went through will help others to dissect and decode the data in the crash report.

The full report is pretty long, click here for a full example or we'll point out the important parts down further

Interval Since Last Panic Report: 53825 sec
Panics Since Last Report: 1

Wed Sep 18 09:26:25 2013
panic(cpu 0 caller 0xffffff7f9ddfcf1a): "GPU Panic: [<None>] 3 3 7f 0 0 0 0 3 : NVRM[0/1:0:0]: Read Error 0x00000100: CFG 0xffffffff 0xffffffff 0xffffffff, BAR0 0xd2000000 0xffffff811d162000 0x0a5480a2, D0, P3/4\n"@/SourceCache/AppleGraphicsControl/AppleGraphicsControl-3.4.5/src/AppleMuxControl/kext/GPUPanic.cpp:127
Backtrace (CPU 0), Frame : Return Address
0xffffff80fe2cadd0 : 0xffffff801bc1d626
0xffffff80fe2cae40 : 0xffffff7f9ddfcf1a
0xffffff80fe2caf10 : 0xffffff7f9c362f1e
0xffffff80fe2cafd0 : 0xffffff7f9c43712d
0xffffff80fe2cb010 : 0xffffff7f9c43718e
0xffffff80fe2cb080 : 0xffffff7f9c6fded0
0xffffff80fe2cb1b0 : 0xffffff7f9c45fa75
0xffffff80fe2cb1d0 : 0xffffff7f9c369d50
0xffffff80fe2cb280 : 0xffffff7f9c3677d0
0xffffff80fe2cb480 : 0xffffff7f9c36910a
0xffffff80fe2cb550 : 0xffffff7f9d3714a8
0xffffff80fe2cb690 : 0xffffff7f9d370f94
0xffffff80fe2cb6a0 : 0xffffff7f9d334348
0xffffff80fe2cb6b0 : 0xffffff7f9d3343bd
0xffffff80fe2cb6c0 : 0xffffff7f9d31543c
0xffffff80fe2cb700 : 0xffffff7f9d317b6c
0xffffff80fe2cb730 : 0xffffff7f9d36b15d
0xffffff80fe2cb7b0 : 0xffffff7f9d3523e0
0xffffff80fe2cb810 : 0xffffff7f9d352cc1
0xffffff80fe2cb860 : 0xffffff7f9d353214
0xffffff80fe2cb8d0 : 0xffffff7f9d3539d3
0xffffff80fe2cb910 : 0xffffff7f9d31ee2f
0xffffff80fe2cba90 : 0xffffff7f9d34ff0f
0xffffff80fe2cbb50 : 0xffffff7f9d31d8c8
0xffffff80fe2cbba0 : 0xffffff801c066e69
0xffffff80fe2cbbc0 : 0xffffff801c068410
0xffffff80fe2cbc20 : 0xffffff801c065e2f
0xffffff80fe2cbd70 : 0xffffff801bc98c01
0xffffff80fe2cbe80 : 0xffffff801bc20b3d
0xffffff80fe2cbeb0 : 0xffffff801bc10448
0xffffff80fe2cbf00 : 0xffffff801bc1961b
0xffffff80fe2cbf70 : 0xffffff801bca6536
0xffffff80fe2cbfb0 : 0xffffff801bcce9e3
Kernel Extensions in backtrace:[49FEF732-D7A3-327B-A7AA-6AC5A6E3DCFF]@0xffffff7f9ddef000->0xffffff7f9de01fff

BSD process name corresponding to current thread: WindowServer

Mac OS version:

Kernel version:
Darwin Kernel Version 12.4.0: Wed May 1 17:57:12 PDT 2013; root:xnu-2050.24.15~1/RELEASE_X86_64
Kernel UUID: 896CB1E3-AB79-3DF1-B595-549DFFDF3D36
Kernel slide: 0x000000001ba00000
Kernel text base: 0xffffff801bc00000
System model name: MacBookPro6,2 (Mac-F22586C8)

System uptime in nanoseconds: 51413455730117
last loaded kext at 19263259633095: com.sophos.kext.sav 8.0.14 (addr 0xffffff7f9df43000, size 24576)
last unloaded kext at 19254333897985: com.sophos.kext.sav 8.0.14 (addr 0xffffff7f9df3b000, size 20480)
loaded kexts:
com.sophos.kext.sav 8.0.14 4.1.23 1.8.4 1.8.1 1.9.5d0 4.1.4f2 3.0 1.60 100.12.87 1.0.2d2 2.3.7fc4 1.0.0d1 2.3.7fc4 122 8.1.2 4.1.4f2 2.0.3d0 170.2.5 3.5.10 4.1.4f2 8.1.2 8.1.2 1.6.0 1.0.0 2.3.7fc4 8.1.2 3.4.5 1.0.0 1.1.11 7.0.0 3.4.5 3.0.3d1 237.1 320.15 3.1.7 237.1 237.1 3.5.5 3.0.1 1.0.0d1 1.0.0d1 34 404 2.3.1 5.5.5 615.20.17 3.6.1b4 2.5.2 4.9.6 5.5.0 5.2.5 1.7 161.0.0 1.5 1.7 1.8 1.9 1.7 1.6 196.0.0 4.0.39 2.1 196.0.0 10.0.6 1.0 2.3.7fc4 1.8.9fc11 1.6 8.1.2 86.0.4 8.1.2 2.2.5 4.1.4f2 2.3.7fc4 2.3.7fc4 1.0.11d0 1.0.4 1.0.0 5.3.0d51 1.0.11d0 4.1.4f2 3.4.5 2.3.7 2.3.7 3.1.4d2 3.5.5 3.5.1 237.3 5.2.5 5.5.5 5.2.5 3.5.5 1.7 1.7.1 1.7.1 2.5.1 3.5.5 5.5.5 530.4 1.0.2b1 3.0 2.3.1 4.5.5 5.6.0 1.7 1.8.1 1.1 220.3 1.0.0d1 7 345 1.8 28.21 1.7 2.7.3 1.4 1.0
Model: MacBookPro6,2, BootROM MBP61.0057.B0F, 2 processors, Intel Core i7, 2.66 GHz, 8 GB, SMC 1.58f17
Graphics: Intel HD Graphics, Intel HD Graphics, Built-In, 288 MB
Graphics: NVIDIA GeForce GT 330M, NVIDIA GeForce GT 330M, PCIe, 512 MB
Memory Module: BANK 0/DIMM0, 4 GB, DDR3, 1067 MHz, 0x80CE, 0x4D34373142353237334248312D4346382020
Memory Module: BANK 1/DIMM0, 4 GB, DDR3, 1067 MHz, 0x80CE, 0x4D34373142353237334248312D4346382020
AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x93), Broadcom BCM43xx 1.0 (
Bluetooth: Version 4.1.4f2 12041, 2 service, 18 devices, 1 incoming serial ports
Network Service: Wi-Fi, AirPort, en1
Serial ATA Device: WDC WD7500BPKT-75PK4T0, 750.16 GB
Serial ATA Device: MATSHITADVD-R UJ-898
USB Device: hub_device, 0x0424 (SMSC), 0x2514, 0xfa100000 / 2
USB Device: iPhone, apple_vendor_id, 0x12a0, 0xfa140000 / 6
USB Device: BRCM2070 Hub, 0x0a5c (Broadcom Corp.), 0x4500, 0xfa110000 / 5
USB Device: Bluetooth USB Host Controller, apple_vendor_id, 0x8218, 0xfa113000 / 8
USB Device: Internal Memory Card Reader, apple_vendor_id, 0x8403, 0xfa130000 / 4
USB Device: Apple Internal Keyboard / Trackpad, apple_vendor_id, 0x0236, 0xfa120000 / 3
USB Device: hub_device, 0x0424 (SMSC), 0x2514, 0xfd100000 / 2
USB Device: Built-in iSight, apple_vendor_id, 0x8507, 0xfd110000 / 4
USB Device: IR Receiver, apple_vendor_id, 0x8242, 0xfd120000 / 3

 What you need to know

 The portion that is important to what we are doing here is the part about kexts, particularly if there is a mention of the last loaded kext or the last unloaded kext. If either of those point to a non-Apple function, then chances are you have your culprit. For instance, in our crash report the kexts section read:

System uptime in nanoseconds: 51413455730117
last loaded kext at 19263259633095: com.sophos.kext.sav 8.0.14 (addr 0xffffff7f9df43000, size 24576)
last unloaded kext at 19254333897985: com.sophos.kext.sav 8.0.14 (addr 0xffffff7f9df3b000, size 20480)
loaded kexts:
com.sophos.kext.sav 8.0.14 4.1.23 1.8.4 1.8.1

 Below this is a bunch more kexts that all start with "" and we're going to ignore those.

What this section tells us is that there was one non-Apple kext loaded when the error occurred: com.sophos.kext.sav. In addition, the sections above list that sophos kext as being the last one loaded and unloaded, which gives a pretty clear indication that it is the cause of the crash. There may be other non-Apple kextx listed on your report and those are your list of suspects

The solution

Uninstall Sophos. Restart. No more panics.

Your solution may be slightly different. You might need to uninstall or update or even just change the settings on the offending program, but this information should let you know what is most likely causing the panics. I'd recommend first running a few Google searches with the name of the program or kext and keywords "kernel panic" and see what happens. I was easily able to find out that Sophos is a known offender in this regard.

If you uninstall all applications that are loading non-Apple kexts or if the last kext loaded or unloaded points to a kext, the next step would be either running Apple Hardware Test on your computer if yu can or a clean install of OS X. If you get to the point of a clean install of OS X and are still getting panics or if your machine fails the hardware test, then I foresee a trip to the Apple Store in your future, but for now remember:

dontpanic large