[Webkit-unassigned] [Bug 247662] New: Android arm64 signal 4 (SIGILL) /data/app/com.netease.cloudmusic/lib/arm/libjsc.so
bugzilla-daemon at webkit.org
Tue Nov 8 23:55:30 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=247662
Bug ID: 247662
Summary: Android arm64 signal 4 (SIGILL) /data/app/com.netease.cloudmusic/lib/arm/libjsc.so
Product: WebKit
Version: Other
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: 1184503206 at qq.com
Created attachment 463465
--> https://bugs.webkit.org/attachment.cgi?id=463465&action=review
crash stack
### Version
webkit-2.26.1
We use the libjsc.so from [https://github.com/react-native-community/jsc-android-buildscripts/releases/tag/v250230.2.1].
The libjsc.so uses webkit-2.26.1.
### Component
We decompiled with IDA to check the assembly instructions, and suspect that m_regExpJITCode is the wrong address:
```cpp
if (s.is8Bit())
    result = m_regExpJITCode->execute(s.characters8(), startOffset, s.length(), patternContextBufferHolder.buffer(), patternContextBufferHolder.size());
else
    result = m_regExpJITCode->execute(s.characters16(), startOffset, s.length(), patternContextBufferHolder.buffer(), patternContextBufferHolder.size());
```
### Platform and OS
Android 10
### Summary
Our app is used by 30 million users every day. When the app is launched, react-native is turned on and the JS code is run using the JSC engine. About 3000 users are experiencing SIGILL crashes every day.
### Description
Detailed crash stack:
```
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x6e780714c0 (*pc=0x54000109)
x0 000000779881cb63 x1 0000000000000000 x2 0000000000000000 x3 00000077e1be7458
x4 0000000000000000 x5 0000000000000000 x6 f2aa8611d2997b11 x7 3900023ff2c00dd1
x8 0000006e780714a0 x9 0000000000002000 x10 000000000000009c x11 0000000000000040
x12 0000006e780716c0 x13 d4200000d4200000 x14 0000000000000000 x15 0000006e78071660
x16 0000000000000001 x17 0000006e5430cbd8 x18 0000006e4f3aa000 x19 0000006e55cc4000
x20 0000006e4c439d60 x21 0000006e5430b300 x22 0000006e54300000 x23 0000000000000000
x24 0000006e55c2b990 x25 0000000000000000 x26 00000077e1be7458 x27 ffff000000000000
x28 0000000000000000 x29 00000077e1be7560
sp 00000077e1be7390 lr 00000077986a39d8 pc 0000006e780714c0
backtrace:
#00 pc 00000000000724c0 <anonymous: 6e77fff000>
#01 pc 00000000005629d4 /data/app/com.netease.cloudmusic-MWwXW1Ro6eqwDgCypqXt2w==/lib/arm64/libjsc.so
#02 pc 0000000000058b4c <anonymous: 6e77fff000>
java stacktrace:
at com.facebook.react.bridge.queue.NativeRunnable.run(Native method)
at android.os.Handler.handleCallback(Handler.java:883)
at android.os.Handler.dispatchMessage(Handler.java:100)
at com.facebook.react.bridge.queue.MessageQueueThreadHandler.dispatchMessage(ProGuard:1)
at android.os.Looper.loop(Looper.java:224)
at com.facebook.react.bridge.queue.MessageQueueThreadImpl$4.run(ProGuard:8)
at java.lang.Thread.run(Thread.java:919)
```
```
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x78baa3b4e0 (*pc=0xd3407c21)
x0 00000078c8e1db63 x1 0000000000000000 x2 0000000000000000 x3 0000000000000000
x4 0000000000000000 x5 0000000000000000 x6 f2c00f11f2b73411 x7 d65f03c03900023f
x8 00000078baa3b4e0 x9 0000000000002000 x10 000000000000009c x11 0000000000000280
x12 00000078b3a10770 x13 0000000000000001 x14 0000000000000000 x15 00000078baa3b5a0
x16 00000078c8fcf3d8 x17 0000007978cfc168 x18 0000000000000000 x19 00000078b10c3c30
x20 0000000000000000 x21 00000078b3a0d6a8 x22 00000078b9a00000 x23 00000078b10c3c50
x24 0000000000000000 x25 00000078b15cc010 x26 00000078b9a0ccc8 x27 ffff000000000000
x28 ffff000000000002 x29 00000078b3a0d7d0
sp 00000078b3a0d5b0 lr 00000078c8c99844 pc 00000078baa3b4e0
backtrace:
#00 pc 000000000004a4e0 <anonymous: 78ba9f1000>
#01 pc 0000000000557840 /data/app/com.netease.cloudmusic-8TiD-LQZ_naq2wWtS0dKpA==/lib/arm64/libjsc.so
#02 pc 00000000005636b0 /data/app/com.netease.cloudmusic-8TiD-LQZ_naq2wWtS0dKpA==/lib/arm64/libjsc.so
#03 pc 00000000000106ac <anonymous: 78ba9f1000>
java stacktrace:
at com.facebook.react.bridge.queue.NativeRunnable.run(Native method)
at android.os.Handler.handleCallback(Handler.java:790)
at android.os.Handler.dispatchMessage(Handler.java:99)
at com.facebook.react.bridge.queue.MessageQueueThreadHandler.dispatchMessage(ProGuard:1)
at android.os.Looper.loop(Looper.java:192)
at com.facebook.react.bridge.queue.MessageQueueThreadImpl$4.run(ProGuard:8)
at java.lang.Thread.run(Thread.java:764)
```
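An added triage helper, not part of the report or of WebKit: it parses the first crash record above (copied verbatim, trimmed to the lines used), confirms that the faulting pc lies inside the anonymous mapping named in frame #00 (that is, generated code rather than libjsc.so itself), and does a coarse top-level AArch64 decode of the `*pc=` word so a reader can see which encoding class the word at the fault address belongs to. The decoder is deliberately limited to the top-level groups of the Arm ARM plus the two sub-classes that occur in these dumps; anything finer is out of scope here.

```python
import re

# Crash record copied from the first dump in the report above, trimmed to the lines used.
CRASH_1 = """signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x6e780714c0 (*pc=0x54000109)
sp 00000077e1be7390 lr 00000077986a39d8 pc 0000006e780714c0
backtrace:
#00 pc 00000000000724c0 <anonymous: 6e77fff000>
#01 pc 00000000005629d4 /data/app/com.netease.cloudmusic-MWwXW1Ro6eqwDgCypqXt2w==/lib/arm64/libjsc.so
#02 pc 0000000000058b4c <anonymous: 6e77fff000>"""

def parse_sigill(dump):
    """Pull the fault address, the instruction word at pc, and frame #00 out of a tombstone."""
    m = re.search(r"fault addr 0x([0-9a-f]+) \(\*pc=0x([0-9a-f]+)\)", dump)
    f0 = re.search(r"#00 pc ([0-9a-f]+) (.+)", dump)
    return {"fault_addr": int(m.group(1), 16), "insn": int(m.group(2), 16),
            "offset": int(f0.group(1), 16), "mapping": f0.group(2).strip()}

def classify_a64(word):
    """Coarse AArch64 decode: only the top-level groups selected by bits [28:25]
    (Arm ARM, section C4.1), plus the B.cond and bitfield sub-classes seen in the dumps."""
    op0 = (word >> 25) & 0xF
    if op0 == 0b0000:
        return "reserved"                      # all-zero op0: UDF and reserved space
    if op0 in (0b1000, 0b1001):                # data processing -- immediate
        sub = (word >> 23) & 0x7
        return {0b110: "bitfield", 0b111: "extract"}.get(sub, "dp-immediate")
    if op0 in (0b1010, 0b1011):                # branches, exception generating, system
        is_bcond = (word >> 24) & 0xFF == 0x54 and not (word >> 4) & 1
        return "b.cond" if is_bcond else "branch/system"
    if op0 & 0b0101 == 0b0100:
        return "loads/stores"
    if op0 & 0b0111 == 0b0101:
        return "dp-register"
    if op0 & 0b0111 == 0b0111:
        return "dp-simd/fp"
    return "unallocated"                       # 0001, 0010, 0011 in base ARMv8-A

def triage(dump):
    """Combine the pieces a triager checks first for a SIGILL in generated code."""
    rec = parse_sigill(dump)
    base = re.search(r"<anonymous: ([0-9a-f]+)>", rec["mapping"])
    rec["in_anonymous_mapping"] = base is not None
    # frame #00's pc is an offset into its mapping; base + offset should equal the fault address
    rec["pc_matches_frame0"] = (base is not None and
                                int(base.group(1), 16) + rec["offset"] == rec["fault_addr"])
    rec["insn_class"] = classify_a64(rec["insn"])
    return rec

if __name__ == "__main__":
    print(triage(CRASH_1))
```

Run against the second dump, the same decoder classifies `0xd3407c21` as a bitfield instruction; both faulting words therefore fall in defined encoding groups, which is worth knowing before concluding that the jump target itself was garbage.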