[jsc-dev] Crashing on iOS 9

shuan zhao hszhsh at icloud.com
Mon Feb 6 00:34:20 PST 2017


I do have some modifications to run JSC on Android, but I think these modifications have nothing to do with iOS. All the modifications are here: https://github.com/hszhsh/JavaScriptCore

> On 6 Feb 2017, at 4:26 PM, shuan zhao <hszhsh at icloud.com> wrote:
> 
> I didn’t modify JSC, and I didn’t try linking against the system’s JSC because TypedArray is not supported until iOS 10, which is required in my project.
> 
> It seems to be hard to reproduce the crash in a smaller test case. I’ll export my project and send you off-list later.
> 
>> On 6 Feb 2017, at 12:09 PM, Saam Barati <sbarati at apple.com> wrote:
>> 
>> If you're not able to get a smaller reduced test case, it'd be great if you can send me what you have and steps to reproduce. (You can send me the project off-list as well.) I've spent some time trying to reproduce a crash like this.
>> 
>> Are you linking your app against a modified JSC? Or does this crash happen when linking against the system's JSC as well?
>> 
>> - Saam
>> 
>> On Feb 5, 2017, at 7:58 PM, shuan zhao <hszhsh at icloud.com> wrote:
>> 
>>> Thanks for your reply. I changed to a debug version of JSC build, and the stack looks a little different. It seems that source.provider()->source() became empty for some reason. The weird thing is that the crash did not happen when launched with “Malloc Scribble” or “Malloc Guard Edges” in Xcode.
>>> 
>>> My project is complicated, so it’s hard to say how to reproduce this. But I will try to reproduce the crash with a simplified project, and report the steps later.
>>> 
>>> 
>>> #0	0x00000001017515e0 in ::WTFCrash() at /Users/hoolai/WebKit-GIT/Source/WTF/wtf/Assertions.cpp:379
>>> #1	0x000000010162887c in std::__1::unique_ptr<JSC::FunctionNode, std::__1::default_delete<JSC::FunctionNode> > JSC::parse<JSC::FunctionNode>(JSC::VM*, JSC::SourceCode const&, JSC::Identifier const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ParserError&, JSC::JSTextPosition*, JSC::ConstructorKind, JSC::DerivedContextType, JSC::EvalContextType, JSC::DebuggerParseData*) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/parser/Parser.h:1877
>>> #2	0x0000000101627db8 in JSC::generateUnlinkedFunctionCodeBlock(JSC::VM&, JSC::UnlinkedFunctionExecutable*, JSC::SourceCode const&, JSC::CodeSpecializationKind, JSC::DebuggerMode, JSC::UnlinkedFunctionKind, JSC::ParserError&, JSC::SourceParseMode) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:56
>>> #3	0x0000000101627b80 in JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor(JSC::VM&, JSC::SourceCode const&, JSC::CodeSpecializationKind, JSC::DebuggerMode, JSC::ParserError&, JSC::SourceParseMode) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:210
>>> #4	0x000000010157e2f0 in JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*, JSC::JSObject*&) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/runtime/ScriptExecutable.cpp:217
>>> #5	0x000000010157f3cc in JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/runtime/ScriptExecutable.cpp:310
>>> #6	0x0000000101130340 in JSC::JSObject* JSC::ScriptExecutable::prepareForExecution<JSC::FunctionExecutable>(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/bytecode/CodeBlock.h:1095
>>> #7	0x00000001013711a0 in JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1304
>>> #8	0x00000001013703d4 in JSC::LLInt::genericCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1354
>>> #9	0x00000001013702cc in ::llint_slow_path_call(JSC::ExecState *, JSC::Instruction *) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1361
>>> #10	0x0000000101381ba0 in llint_entry ()
>>> #11	0x0000000101381bb0 in llint_entry ()
>>> #12	0x0000000101381bb0 in llint_entry ()
>>> #13	0x000000010137b258 in llintPCRangeStart ()
>>> #14	0x0000000101178864 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/jit/JITCode.cpp:81
>>> #15	0x00000001011301d4 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/interpreter/Interpreter.cpp:927
>>> #16	0x0000000100afa078 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/runtime/CallData.cpp:39
>>> #17	0x0000000100afa16c in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/runtime/CallData.cpp:59
>>> #18	0x000000010128003c in ::JSObjectCallAsFunction(JSContextRef, JSObjectRef, JSObjectRef, size_t, const JSValueRef *, JSValueRef *) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/API/JSObjectRef.cpp:563
>>> 
>>> 
>>>> On 6 Feb 2017, at 1:36 AM, Geoffrey Garen <ggaren at apple.com> wrote:
>>>> 
>>>> Hi Shuan.
>>>> 
>>>> The backtrace you included does not remind me of Bug 160337, but it does remind me of another crash that we’d like to diagnose and fix.
>>>> 
>>>> Do you think you could provide Saam instructions on how to reproduce this crash?
>>>> 
>>>> Thanks,
>>>> Geoff
>>>> 
>>>>> On Feb 5, 2017, at 1:32 AM, shuan zhao <hszhsh at icloud.com> wrote:
>>>>> 
>>>>> I’m running apps embedding my own build of JavaScriptCore on iOS (using C APIs only). It runs well on iOS 10 but crashes on iOS 9 or iOS 8. I guess it will also crash on iOS 7 or earlier systems which I have not tested on.
>>>>> 
>>>>> I found the bug (Bug 160337 <https://bugs.webkit.org/show_bug.cgi?id=160337> - Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer)). But my case is totally different because I have never got a null stack pointer from thread_get_state. And I found that when launched with the option “Malloc Scribble” or “Malloc Guard Edges” checked in Xcode, my app won’t crash any more.
>>>>> 
>>>>> I have no idea what causes this crash. It would be very nice of you if you would give me some hints on the issue.
>>>>> 
>>>>> Mostly the crash stack was as follows, but sometimes it was different. And sometimes it reported errors that should not exist and crashed later.
>>>>> 
>>>>> #0	0x0000000100d66ca4 in JSC::Lexer<unsigned short>::setCode(JSC::SourceCode const&, JSC::ParserArena*) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/parser/Lexer.cpp:571
>>>>> #1	0x0000000100e037f8 in JSC::Parser<JSC::Lexer<unsigned short> >::Parser(JSC::VM*, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ConstructorKind, JSC::DerivedContextType, bool, JSC::EvalContextType, JSC::DebuggerParseData*) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/parser/Parser.cpp:125
>>>>> #2	0x0000000100e03c28 in JSC::Parser<JSC::Lexer<unsigned short> >::Parser(JSC::VM*, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ConstructorKind, JSC::DerivedContextType, bool, JSC::EvalContextType, JSC::DebuggerParseData*) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/parser/Parser.cpp:123
>>>>> #3	0x0000000100f3311c in std::__1::unique_ptr<JSC::FunctionNode, std::__1::default_delete<JSC::FunctionNode> > JSC::parse<JSC::FunctionNode>(JSC::VM*, JSC::SourceCode const&, JSC::Identifier const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserScriptMode, JSC::SourceParseMode, JSC::SuperBinding, JSC::ParserError&, JSC::JSTextPosition*, JSC::ConstructorKind, JSC::DerivedContextType, JSC::EvalContextType, JSC::DebuggerParseData*) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/parser/Parser.h:1890
>>>>> #4	0x0000000100f32b8c in JSC::generateUnlinkedFunctionCodeBlock(JSC::VM&, JSC::UnlinkedFunctionExecutable*, JSC::SourceCode const&, JSC::CodeSpecializationKind, JSC::DebuggerMode, JSC::UnlinkedFunctionKind, JSC::ParserError&, JSC::SourceParseMode) [inlined] at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:56
>>>>> #5	0x0000000100f32b4c in JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor(JSC::VM&, JSC::SourceCode const&, JSC::CodeSpecializationKind, JSC::DebuggerMode, JSC::ParserError&, JSC::SourceParseMode) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:210
>>>>> #6	0x0000000100ee8518 in JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*, JSC::JSObject*&) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/runtime/ScriptExecutable.cpp:217
>>>>> #7	0x0000000100ee8bc8 in JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/runtime/ScriptExecutable.cpp:310
>>>>> #8	0x0000000100da0cd4 in JSC::JSObject* JSC::ScriptExecutable::prepareForExecution<JSC::FunctionExecutable>(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) [inlined] at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/bytecode/CodeBlock.h:1095
>>>>> #9	0x0000000100da0cbc in JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1304
>>>>> #10	0x0000000100daa270 in llint_entry ()
>>>>> #11	0x0000000100da9e84 in llint_entry ()
>>>>> #12	0x0000000100da9ee8 in llint_entry ()
>>>>> #13	0x0000000100da35f8 in vmEntryToJavaScript ()
>>>>> #14	0x0000000100c4defc in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/jit/JITCode.cpp:81
>>>>> #15	0x0000000100c20fc0 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/interpreter/Interpreter.cpp:927
>>>>> #16	0x00000001008d8000 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) [inlined] at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/runtime/CallData.cpp:39
>>>>> #17	0x00000001008d7fd0 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/runtime/CallData.cpp:59
>>>>> #18	0x0000000100cecb38 in ::JSObjectCallAsFunction(JSContextRef, JSObjectRef, JSObjectRef, size_t, const JSValueRef *, JSValueRef *) at /Users/hoolai/WebKit-GIT/Source/JavaScriptCore/API/JSObjectRef.cpp:563
>>>>> 
