[Webkit-unassigned] [Bug 247662] New: Android arm64 signal 4 (SIGILL) /data/app/com.netease.cloudmusic/lib/arm/libjsc.so

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 8 23:55:30 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=247662

            Bug ID: 247662
           Summary: Android arm64 signal 4 (SIGILL)
                    /data/app/com.netease.cloudmusic/lib/arm/libjsc.so
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: 1184503206 at qq.com

Created attachment 463465

  --> https://bugs.webkit.org/attachment.cgi?id=463465&action=review

crash stack

### Version
webkit-2.26.1

We use the libjsc.so from [https://github.com/react-native-community/jsc-android-buildscripts/releases/tag/v250230.2.1].
The libjsc.so uses webkit-2.26.1.
### Component
We decompiled it with IDA to check the assembly instructions, and suspect that m_regExpJITCode is the wrong address:
```cpp
if (s.is8Bit())
    result = m_regExpJITCode->execute(s.characters8(), startOffset, s.length(), patternContextBufferHolder.buffer(), patternContextBufferHolder.size());
else
    result = m_regExpJITCode->execute(s.characters16(), startOffset, s.length(), patternContextBufferHolder.buffer(), patternContextBufferHolder.size());
```
### Platform and OS
Android 10

### Summary

Our app is used by 30 million users every day. When the app is launched, React Native is started and the JS code is run using the JSC engine. About 3000 users are experiencing SIGILL crashes every day.

### Description
Detailed crash stack:
```
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x6e780714c0 (*pc=0x54000109)
    x0  000000779881cb63  x1  0000000000000000  x2  0000000000000000  x3  00000077e1be7458
    x4  0000000000000000  x5  0000000000000000  x6  f2aa8611d2997b11  x7  3900023ff2c00dd1
    x8  0000006e780714a0  x9  0000000000002000  x10 000000000000009c  x11 0000000000000040
    x12 0000006e780716c0  x13 d4200000d4200000  x14 0000000000000000  x15 0000006e78071660
    x16 0000000000000001  x17 0000006e5430cbd8  x18 0000006e4f3aa000  x19 0000006e55cc4000
    x20 0000006e4c439d60  x21 0000006e5430b300  x22 0000006e54300000  x23 0000000000000000
    x24 0000006e55c2b990  x25 0000000000000000  x26 00000077e1be7458  x27 ffff000000000000
    x28 0000000000000000  x29 00000077e1be7560
    sp  00000077e1be7390  lr  00000077986a39d8  pc  0000006e780714c0
backtrace:
    #00 pc 00000000000724c0  <anonymous:      6e77fff000>
    #01 pc 00000000005629d4  /data/app/com.netease.cloudmusic-MWwXW1Ro6eqwDgCypqXt2w==/lib/arm64/libjsc.so
    #02 pc 0000000000058b4c  <anonymous:      6e77fff000>
java stacktrace:
  at com.facebook.react.bridge.queue.NativeRunnable.run(Native method)
  at android.os.Handler.handleCallback(Handler.java:883)
  at android.os.Handler.dispatchMessage(Handler.java:100)
  at com.facebook.react.bridge.queue.MessageQueueThreadHandler.dispatchMessage(ProGuard:1)
  at android.os.Looper.loop(Looper.java:224)
  at com.facebook.react.bridge.queue.MessageQueueThreadImpl$4.run(ProGuard:8)
  at java.lang.Thread.run(Thread.java:919)
```

```
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x78baa3b4e0 (*pc=0xd3407c21)
    x0  00000078c8e1db63  x1  0000000000000000  x2  0000000000000000  x3  0000000000000000
    x4  0000000000000000  x5  0000000000000000  x6  f2c00f11f2b73411  x7  d65f03c03900023f
    x8  00000078baa3b4e0  x9  0000000000002000  x10 000000000000009c  x11 0000000000000280
    x12 00000078b3a10770  x13 0000000000000001  x14 0000000000000000  x15 00000078baa3b5a0
    x16 00000078c8fcf3d8  x17 0000007978cfc168  x18 0000000000000000  x19 00000078b10c3c30
    x20 0000000000000000  x21 00000078b3a0d6a8  x22 00000078b9a00000  x23 00000078b10c3c50
    x24 0000000000000000  x25 00000078b15cc010  x26 00000078b9a0ccc8  x27 ffff000000000000
    x28 ffff000000000002  x29 00000078b3a0d7d0
    sp  00000078b3a0d5b0  lr  00000078c8c99844  pc  00000078baa3b4e0
backtrace:
    #00 pc 000000000004a4e0  <anonymous:      78ba9f1000>
    #01 pc 0000000000557840  /data/app/com.netease.cloudmusic-8TiD-LQZ_naq2wWtS0dKpA==/lib/arm64/libjsc.so
    #02 pc 00000000005636b0  /data/app/com.netease.cloudmusic-8TiD-LQZ_naq2wWtS0dKpA==/lib/arm64/libjsc.so
    #03 pc 00000000000106ac  <anonymous:      78ba9f1000>
java stacktrace:
  at com.facebook.react.bridge.queue.NativeRunnable.run(Native method)
  at android.os.Handler.handleCallback(Handler.java:790)
  at android.os.Handler.dispatchMessage(Handler.java:99)
  at com.facebook.react.bridge.queue.MessageQueueThreadHandler.dispatchMessage(ProGuard:1)
  at android.os.Looper.loop(Looper.java:192)
  at com.facebook.react.bridge.queue.MessageQueueThreadImpl$4.run(ProGuard:8)
  at java.lang.Thread.run(Thread.java:764)
```
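As an added triage example (not part of the report or of WebKit), the script below parses a tombstone in the format quoted above, checks that the faulting pc lies inside the anonymous mapping of frame #00 (the JIT region rather than libjsc.so itself), and coarsely decodes the `*pc` word as an A64 instruction. The embedded tombstone is constructed from the first crash dump above; the regexes and decoder cover only the fields and instruction groups that appear here.

```python
import re

# Constructed from the first tombstone quoted in the report (not a new crash).
TOMBSTONE = """signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x6e780714c0 (*pc=0x54000109)
    sp  00000077e1be7390  lr  00000077986a39d8  pc  0000006e780714c0
backtrace:
    #00 pc 00000000000724c0  <anonymous:      6e77fff000>
    #01 pc 00000000005629d4  /data/app/com.netease.cloudmusic-MWwXW1Ro6eqwDgCypqXt2w==/lib/arm64/libjsc.so
"""
COND = "eq ne cs cc mi pl vs vc hi ls ge lt gt le al nv".split()

def parse_tombstone(text):
    """Return (fault_addr, faulting instruction word, backtrace frames)."""
    m = re.search(r"fault addr 0x([0-9a-f]+) \(\*pc=0x([0-9a-f]+)\)", text)
    frames = []
    for fm in re.finditer(r"#(\d+) pc ([0-9a-f]+)\s+(<anonymous:\s*([0-9a-f]+)>|\S+)", text):
        frames.append({"idx": int(fm.group(1)), "off": int(fm.group(2), 16),
                       "map": fm.group(3),
                       "base": int(fm.group(4), 16) if fm.group(4) else None})
    return int(m.group(1), 16), int(m.group(2), 16), frames

def fault_in_jit_region(fault_addr, frames):
    """True if frame #00 is an anonymous mapping and fault_addr - base equals its offset."""
    f0 = frames[0]
    return f0["base"] is not None and fault_addr - f0["base"] == f0["off"]

def classify_a64(word):
    """Coarse A64 decode: B.cond and the bitfield group (SBFM/BFM/UBFM), else 'unrecognised'."""
    if (word >> 24) == 0x54 and not (word >> 4) & 1:            # B.cond
        imm19 = (word >> 5) & 0x7FFFF
        if imm19 & 0x40000:                                     # sign-extend imm19
            imm19 -= 1 << 19
        return f"b.{COND[word & 0xF]} #{imm19 * 4:+d}"
    if ((word >> 23) & 0x3F) == 0x26:                           # bitfield group
        sf, opc, n = word >> 31, (word >> 29) & 3, (word >> 22) & 1
        name = ("sbfm", "bfm", "ubfm", None)[opc]
        if name is None or n != sf:                             # opc=11 and N!=sf are unallocated
            return "unrecognised"
        r = "x" if sf else "w"
        immr, imms = (word >> 16) & 0x3F, (word >> 10) & 0x3F
        return f"{name} {r}{word & 0x1F}, {r}{(word >> 5) & 0x1F}, #{immr}, #{imms}"
    return "unrecognised"

if __name__ == "__main__":
    addr, insn, frames = parse_tombstone(TOMBSTONE)
    print(f"pc 0x{addr:x} in JIT region: {fault_in_jit_region(addr, frames)}")
    print(f"*pc 0x{insn:08x} decodes as: {classify_a64(insn)}")
    print(f"second dump's *pc 0xd3407c21 decodes as: {classify_a64(0xd3407c21)}")
```

Both `*pc` words from the report decode as well-formed A64 encodings (a conditional branch and a UBFM), which is worth establishing before attributing the SIGILL to corrupted code bytes.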
