Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Android: fix JSC crash in dev #11804

Closed
wants to merge 1 commit into from
Closed

Android: fix JSC crash in dev #11804

wants to merge 1 commit into from

Conversation

AlbertBrand
Copy link
Contributor

On Android with dev mode on, we're seeing a regular SIGSEGV when pushing a lot of animation declarations over the bridge. We tracked this down to being not specific to animations, but the crash is caused in deepFreezeAndThrowOnMutationInDev.

Specifically: the provided object to freeze is modified while looping, replacing the current key access to a getter/setter. After the modification, JSC crashes during retrieval of the next key - but only when there are a lot of events passing over the bridge.

We have a hunch that this is due to a bug in JSC object enumeration but did we not look into it further yet. Any help here is welcome. The JS code seems all right at first sight and shouldn't cause a segmentation crash.

The workaround in this PR is to retrieve the keys first from the object and then looping over that array. In our app and in a reduced app test case this fixes the crash.

If needed I can provide the reduced app test case. It's really tricky to make a test for this as it requires to be run on Android and causes a segmentation crash.

Crash log:

A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0xd0cd002c in tid 26981 (mqt_js)
                                                            
                                                            [ 01-10 13:10:31.704  1236: 1236 W/         ]
                                                            debuggerd: handling request: pid=26952 uid=10026 gid=10026 tid=26981
01-10 13:10:31.764 27015-27015/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-10 13:10:31.764 27015-27015/? A/DEBUG: Build fingerprint: 'Android/sdk_google_phone_x86_64/generic_x86_64:7.0/NYC/3513876:userdebug/dev-keys'
01-10 13:10:31.764 27015-27015/? A/DEBUG: Revision: '0'
01-10 13:10:31.764 27015-27015/? A/DEBUG: ABI: 'x86'
01-10 13:10:31.764 27015-27015/? A/DEBUG: pid: 26952, tid: 26981, name: mqt_js  >>> com.investigatecrash <<<
01-10 13:10:31.764 27015-27015/? A/DEBUG: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xd0cd002c
01-10 13:10:31.764 27015-27015/? A/DEBUG:     eax d0c6c870  ebx d0ccff48  ecx 0000001c  edx 0000001a
01-10 13:10:31.764 27015-27015/? A/DEBUG:     esi d5e4ffe0  edi 00000003
01-10 13:10:31.764 27015-27015/? A/DEBUG:     xcs 00000023  xds 0000002b  xes 0000002b  xfs 0000006b  xss 0000002b
01-10 13:10:31.764 27015-27015/? A/DEBUG:     eip d328d235  ebp d637d7f8  esp d637d720  flags 00000293
01-10 13:10:31.764 27015-27015/? A/DEBUG: backtrace:
01-10 13:10:31.764 27015-27015/? A/DEBUG:     #00 pc 00000235  <anonymous:d328d000>

@facebook-github-bot facebook-github-bot added CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. GH Review: review-needed labels Jan 10, 2017
@rmhartog
Copy link

Tracing back the native (c++) execution suggests that the error occurs in the JIT-ed code. Because JIT is disabled on iOS, this bug cannot occur there. Additionally, the fact that the crash only occurs when many calls are made points towards a bug in optimizations within JavascriptCore. If we can reproduce the problem outside of react native it would be interesting to port back upstream.

@davidaurelio
Copy link
Contributor

cc @michalgr @dcaspi

This was referenced Jan 11, 2017
Closed
Closed
Closed
hollanderbart
hollanderbart reviewed Jan 11, 2017
View reviewed changes
Libraries/Utilities/deepFreezeAndThrowOnMutationInDev.js
for (var key in object) {
var keys = Object.keys(object);

for (var i = 0; i < keys.length; i++) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because you copied the keys from the object, i.e.: there is no direct reference anymore, I think you can still use the enhanced for loop. So it could look like this:
var keys = Object.keys(object); for (var key in keys) { if (object.hasOwnProperty(key)) { object.__defineGetter__(key, identity.bind(null, object[key])); ... }}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

key will be a numeric array index in your code.

@hollanderbart
Copy link
Contributor

+1

@davidaurelio
Copy link
Contributor

ok let’s try this out

@facebook-github-bot facebook-github-bot added the Import Started This pull request has been imported. This does not imply the PR has been approved. label Jan 11, 2017
@facebook-github-bot
Copy link
Contributor

@davidaurelio has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

@fdnhkj
Copy link

fdnhkj commented Feb 3, 2017

It fixed my issue! Thank you @AlbertBrand 👍

dslounge pushed a commit to dslounge/react-native that referenced this pull request Feb 6, 2017
@AlbertBrand @dslounge
Android: fix JSC crash in dev
3021704 
Summary:
On Android with dev mode on, we're seeing a regular SIGSEGV when pushing a lot of animation declarations over the bridge. We tracked this down to being not specific to animations, but the crash is caused in `deepFreezeAndThrowOnMutationInDev`.

Specifically: the provided object to freeze is modified while looping, replacing the current key access to a getter/setter. After the modification, JSC crashes during retrieval of the next key - but only when there are a lot of events passing over the bridge.

We have a hunch that this is due to a bug in JSC object enumeration but did we not look into it further yet. Any help here is welcome. The JS code seems all right at first sight and shouldn't cause a segmentation crash.

The workaround in this PR is to retrieve the keys first from the object and then looping over that array. In our app and in a reduced app test case this fixes the crash.

If needed I can provide the reduced app test case. It's really tricky to make a test for this as it requires to be run
Closes facebook#11804

Differential Revision: D4403483

Pulled By: davidaurelio

fbshipit-source-id: a31e5cff734e96bfec56e4a39dc1c6854798e245
@sethvincent sethvincent mentioned this pull request Sep 22, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hollanderbart hollanderbart hollanderbart left review comments

@davidaurelio davidaurelio davidaurelio left review comments

Assignees
No one assigned
Labels
CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. Import Started This pull request has been imported. This does not imply the PR has been approved.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@AlbertBrand @rmhartog @davidaurelio @hollanderbart @facebook-github-bot @fdnhkj