SIGSEGV (segfault) on Samsung S7

[chapko]

I got SIGSEGV twice today on Samsung S7 running node tests in native mode. First time I was running almost all tests. Second time I had only 2 tests enabled: testThaliManagerCoordinated.js and testThaliReplicationPeerActionCoordinated.js (but in reversed order).

Logs:

• all-tests.log
• testThaliReplicationPeerActionCoordinated.log

Branch: iOS_chapko_899-complete (120c5ea)

To reproduce issue apply 899.patch to the iOS_chapko_899-complete branch, build apk, and run it with 2 other devices.

[chapko]

I was testing WiFi-only mode on devices and this bug was reproducing very often on one of the connected Samsungs. I created a separate branch segfault-on-samsung-s7.

Logs: segfaults-fe9e390.zip

• 1st run - App crashes on Samsung (ad081603480f209327) at the (2016-12-02T11:14:39.436Z folder)
• 2nd run - App crashes on Samsung (ad081603480f209327) at the same test (2016-12-02T11:27:25.919Z folder)
• 3rd run - App crashes on Samsung (ad081603480f209327) at the same test again (2016-12-02T11:35:00.677Z folder)

I disconnected "bad" Samsung

• 4th run - Success (not included in logs)

I disconnected "good" Samsung and connected "bad" one

• 5th run - App crashes on Samsung (ad081603480f209327) during different test (2016-12-02T11:49:29.206Z folder)

I rebooted both Samsung devices, connected to my machine and reinstalled the same apk.

• 6th run - Success (not included in logs)
• 7th run - App crashes on "good" Samsung (988667514534423146) (2016-12-02T12:08:45.991Z folder)
• 8th run - App crashes on "bad" Samsung (ad081603480f209327) (2016-12-02T12:22:14.322Z folder)

[chapko]

The same issue with iOS devices. I can't complete all tests most of the time. Logs from the devices: segfaults-ios.zip
Branch to reproduce: segfault-on-ios-devices

[chapko]

I created a new branch segfault-on-ios-devices-2. There are only three tests enabled that make jxcore crash very often.

UPD: my bad, I named this branch wrong, it should be called segfault-on-samsung-s7-2 (it fails on samsung devices)

[enricogior]

Using the segfault-on-ios-devices-2 branch and S6, S7 and 6p, I usually get the tests to pass or the following error, but not a crash so far.

2016-12-13 11:32:55 - DEBUG UnitTestFramework: 'starting unit tests on 3 devices, platformName: 'android''
2016-12-13 11:32:55 - DEBUG UnitTestFramework: 'scheduling tests'
2016-12-13 11:32:55 - DEBUG UnitTestFramework: 'tests scheduled'
2016-12-13 11:32:55 - DEBUG UnitTestFramework: '#setup: 'test write''
2016-12-13 11:32:57 - DEBUG UnitTestFramework: '#setup ok: 'test write''
2016-12-13 11:32:57 - DEBUG UnitTestFramework: '#run: 'test write''
2016-12-13 11:33:39 - DEBUG UnitTestFramework: '#run ok: 'test write''
2016-12-13 11:33:39 - DEBUG UnitTestFramework: '#teardown: 'test write''
2016-12-13 11:33:41 - DEBUG UnitTestFramework: '#teardown ok: 'test write''
2016-12-13 11:33:41 - DEBUG UnitTestFramework: '#setup: 'test repeat write 1''
2016-12-13 11:33:42 - DEBUG UnitTestFramework: '#setup ok: 'test repeat write 1''
2016-12-13 11:33:42 - DEBUG UnitTestFramework: '#run: 'test repeat write 1''
2016-12-13 11:36:42 - ERROR UnitTestFramework: '#run failed: 'test repeat write 1', error: 'TimeoutError: timeout exceeded, event: 'run_test repeat write 1_finished', test: 'test repeat write 1'', stack: 'TimeoutError: timeout exceeded, event: 'run_test repeat write 1_finished', test: 'test repeat write 1'
    at afterTimeout (/Users/enrico/temp/issue1592-b/Thali_CordovaPlugin/test/TestServer/node_modules/bluebird/js/release/timers.js:49:15)
    at timeoutTimeout [as _onTimeout] (/Users/enrico/temp/issue1592-b/Thali_CordovaPlugin/test/TestServer/node_modules/bluebird/js/release/timers.js:76:13)
    at Timer.listOnTimeout [as ontimeout] (timers.js:120:15)''
2016-12-13 11:36:42 - ERROR UnitTestFramework: 'failed to run unit tests, platformName: 'android', error: 'TimeoutError: timeout exceeded, event: 'run_test repeat write 1_finished', test: 'test repeat write 1'', stack: 'TimeoutError: timeout exceeded, event: 'run_test repeat write 1_finished', test: 'test repeat write 1'
    at afterTimeout (/Users/enrico/temp/issue1592-b/Thali_CordovaPlugin/test/TestServer/node_modules/bluebird/js/release/timers.js:49:15)
    at timeoutTimeout [as _onTimeout] (/Users/enrico/temp/issue1592-b/Thali_CordovaPlugin/test/TestServer/node_modules/bluebird/js/release/timers.js:76:13)
    at Timer.listOnTimeout [as ontimeout] (timers.js:120:15)''
2016-12-13 11:36:42 - ERROR HttpServer: 'unexpected server error: 'TimeoutError: timeout exceeded, event: 'run_test repeat write 1_finished', test: 'test repeat write 1'''
2016-12-13 11:36:42 - ERROR HttpServer: 'unexpected server error: 'TimeoutError: timeout exceeded, event: 'run_test repeat write 1_finished', test: 'test repeat write 1'''
2016-12-13 11:36:42 - ERROR HttpServer: 'unexpected server error: 'TimeoutError: timeout exceeded, event: 'run_test repeat write 1_finished', test: 'test repeat write 1'''

[chapko]

I have upgraded to jxcore 0.3.1.8 and it is still crashes (I had 7 crashes of total 12 runs) on iOS devices in WiFi-mode.
Branch: segfault-on-ios-jx0138

Example logs:

• 1.log
• 2.log
• 3.log
• 4.log
• 5.log

[enricogior]

The latest logs show two different types of problems.
The first problem is this:

* thread #1: tid = 0x4b5e5b, 0x0000000197348c30 libsystem_kernel.dylib`mach_msg_trap + 8, queue = 'com.apple.main-thread'
  * frame #0: 0x0000000197348c30 libsystem_kernel.dylib`mach_msg_trap + 8
    frame #1: 0x0000000197348aac libsystem_kernel.dylib`mach_msg + 72
    frame #2: 0x0000000182104168 CoreFoundation`<redacted> + 196
    frame #3: 0x0000000182101e6c CoreFoundation`<redacted> + 1032
    frame #4: 0x0000000182030dc0 CoreFoundation`CFRunLoopRunSpecific + 384
    frame #5: 0x000000018cfac088 GraphicsServices`GSEventRunModal + 180
    frame #6: 0x000000018770af44 UIKit`UIApplicationMain + 204
    frame #7: 0x00000001000c31b0 ThaliTest`main(argc=1, argv=0x000000016fd43bf8) + 76 at main.m:32
    frame #8: 0x00000001972468b8 libdyld.dylib`<redacted> + 4

and it doesn't involve jxcore.

The second problem looks like a stack overflow occurring in the SM's sandbox and may be caused by node code (a callback calling into itself):

Process 4568 stopped
* thread #12: tid = 0x47464e, 0x00000001002ef1ec ThaliTest`js::CallObject::create(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JSFunction*>), stop reason = EXC_BAD_ACCESS (code=2, address=0x16e4c7fe0)
    frame #0: 0x00000001002ef1ec ThaliTest`js::CallObject::create(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JSFunction*>)
ThaliTest`js::CallObject::create:
->  0x1002ef1ec <+0>:  stp    x24, x23, [sp, #-64]!
    0x1002ef1f0 <+4>:  stp    x22, x21, [sp, #16]
    0x1002ef1f4 <+8>:  stp    x20, x19, [sp, #32]
    0x1002ef1f8 <+12>: stp    x29, x30, [sp, #48]
warning: could not load any Objective-C class information. This will significantly reduce the quality of type information available.
* thread #12: tid = 0x47464e, 0x00000001002ef1ec ThaliTest`js::CallObject::create(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JSFunction*>), stop reason = EXC_BAD_ACCESS (code=2, address=0x16e4c7fe0)
  * frame #0: 0x00000001002ef1ec ThaliTest`js::CallObject::create(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JSFunction*>)
    frame #1: 0x00000001002ef320 ThaliTest`js::CallObject::createForFunction(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSFunction*>) + 112
    frame #2: 0x00000001002ef478 ThaliTest`js::CallObject::createForFunction(JSContext*, js::AbstractFramePtr) + 208
    frame #3: 0x00000001002fd60c ThaliTest`js::InterpreterFrame::initFunctionScopeObjects(JSContext*) + 40
    frame #4: 0x00000001002fd6b4 ThaliTest`js::InterpreterFrame::prologue(JSContext*) + 120
    frame #5: 0x00000001002db578 ThaliTest`___lldb_unnamed_function1044$$ThaliTest + 460
    frame #6: 0x00000001002db378 ThaliTest`js::RunScript(JSContext*, js::RunState&) + 244
    frame #7: 0x00000001002e3758 ThaliTest`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) + 608
    frame #8: 0x000000010025f37c ThaliTest`js_fun_call(JSContext*, unsigned int, JS::Value*) + 180
    frame #9: 0x00000001002e3640 ThaliTest`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) + 328
    frame #10: 0x00000001002e09ac ThaliTest`___lldb_unnamed_function1044$$ThaliTest + 22016
    frame #11: 0x00000001002db378 ThaliTest`js::RunScript(JSContext*, js::RunState&) + 244
    frame #12: 0x00000001002e3758 ThaliTest`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) + 608
    frame #13: 0x000000010025f37c ThaliTest`js_fun_call(JSContext*, unsigned int, JS::Value*) + 180
    frame #14: 0x00000001002e3640 ThaliTest`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) + 328
    frame #15: 0x00000001002e09ac ThaliTest`___lldb_unnamed_function1044$$ThaliTest + 22016

...

    frame #1280: 0x00000001002e09ac ThaliTest`___lldb_unnamed_function1044$$ThaliTest + 22016
    frame #1281: 0x00000001002db378 ThaliTest`js::RunScript(JSContext*, js::RunState&) + 244
    frame #1282: 0x00000001002e3758 ThaliTest`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) + 608
    frame #1283: 0x00000001002e3a38 ThaliTest`js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 376
    frame #1284: 0x0000000100242fc8 ThaliTest`JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) + 76
    frame #1285: 0x00000001001615c8 ThaliTest`MozJS::Value::Call(MozJS::Value const&, int, JS::Value*) const + 144
    frame #1286: 0x000000010013f558 ThaliTest`node::MakeCallback(node::commons*, MozJS::Value const&, MozJS::Value const&, int, MozJS::Value*) + 344
    frame #1287: 0x000000010046f1fc ThaliTest`NanCallback::Call_(MozJS::Value, int, MozJS::Value*) + 120
    frame #1288: 0x000000010046a638 ThaliTest`leveldown::ReadWorker::HandleOKCallback() + 260
    frame #1289: 0x000000010046ed8c ThaliTest`NanAsyncWorker::WorkComplete() + 48
    frame #1290: 0x000000010046a1bc ThaliTest`leveldown::IOWorker::WorkComplete() + 56
    frame #1291: 0x000000010046e2a4 ThaliTest`NanAsyncExecuteComplete(uv_work_s*) + 32
    frame #1292: 0x0000000100444984 ThaliTest`uv__work_done + 180
    frame #1293: 0x000000010043b9c8 ThaliTest`___lldb_unnamed_function3145$$ThaliTest + 88
    frame #1294: 0x000000010043bb90 ThaliTest`___lldb_unnamed_function3146$$ThaliTest + 168
    frame #1295: 0x0000000100447b8c ThaliTest`uv__io_poll_jx + 1256
    frame #1296: 0x000000010043c264 ThaliTest`uv_run_jx + 332
    frame #1297: 0x00000001000ba8bc ThaliTest`+[JXcore threadMain](self=0x00000001005d46d0, _cmd="threadMain") + 388 at JXcore.m:410
    frame #1298: 0x0000000181ae7e4c Foundation`<redacted> + 1000
    frame #1299: 0x0000000180d77b28 libsystem_pthread.dylib`<redacted> + 156
    frame #1300: 0x0000000180d77a8c libsystem_pthread.dylib`_pthread_start + 156
    frame #1301: 0x0000000180d75028 libsystem_pthread.dylib`thread_start + 4

[enricogior]

Two new issues created to track the problems reported on the segfault-on-ios-jx0138 branch.
Assigning this issue back to @chapko in case he can reproduce the original Android crash.
If not, please close it.

[chapko]

I still can reproduce it with jx 0.3.1.8 using two Samsung s7 phones.

Happened on 1 of 2 phones:

• 1.log

Happened on both phones simultaneously:

• 2-1.log
• 2-2.log

Branch: iOS_chapko_1629-segfault

[enricogior]

Seems similar to #563

[andrew-aladev]

I've reproduced same issue. Log here. I was testing with 2 samsungs and 1 nexus.

[enricogior]

@andrew-aladev on which branch?

[andrew-aladev]

It works in the current iOS branch. But it is hard to reproduce this issue.

[enricogior]

We tried to repro on the iOS branch using S6, S7 and 6P, but the tests fail pretty soon:

01-12 18:55:48.884 13148-13217/com.test.thalitest I/jxcore-log: 1..835
01-12 18:55:48.884 13148-13217/com.test.thalitest I/jxcore-log: # tests 835
01-12 18:55:48.884 13148-13217/com.test.thalitest I/jxcore-log: # pass  56
01-12 18:55:48.884 13148-13217/com.test.thalitest I/jxcore-log: # fail  779

TestServer log:
https://gist.github.com/enricogior/d753ab83ce545d3eea996c338b973986

Device Log:
https://gist.github.com/enricogior/da922206099a1937502794bb766927b5

[chapko]

@enricogior I created a separate branch iOS_aaladev_1721-segfault where I can reliably reproduce this segfault (with ThingIsPermanentAtom) on three Samsung S7 devices.

[enricogior]

@chapko is there any change I should make before running the tests? I'm asking because I built ThaliTest and run the tests 5 times on S7, S6 and 6P and the 152 tests passed every time. I only got once an Android error on the S7 "bluetooth share has stopped", but it didn't seem to effect the test results.

When you run the tests, the crash happens on multiple devices at the same time or just on one device at the time? If it happens only on one device at the time, does it happens always on the same devices or on any device?

[chapko]

@enricogior It usually happens on one of the three devices, but sometimes on two or even on all of them. I am using three S7 devices so maybe this is the reason. Example of the logs (all 3 devices crashed almost simultaneously):

• 1.log
• 2.log
• 3.log

I can upload more logs tomorrow if necessary

[chapko]

is there any change I should make before running the tests?

No. The logs in the previous comment are produced by fresh build from the iOS_aaladev_1721-segfault branch.

If it happens only on one device at the time, does it happens always on the same devices or on any device?

On different devices.

[chapko]

@enricogior I got probably the same crash on CI. This is the ThaliTester comment to the #1741 PR:

Test 102446911a6c1be7(a6c1be7) has failed

See https://github.com/ThaliTester/TestResults/tree/102446911a6c1be7__1734_Fix_race_conditions_in_the_pouchDBCheckpointsPlugin_chapko/ for the fail logs

What's interesting is that these 3 devices were not running node tests. They were just trying to connect to the coordinated server but couldn't (there's something wrong with CI itself). And all of them crashed.

Raw logs:

• thali02_samsung-SM-G930F.md
• thali03_samsung-SM-G930F.md
• thali04_samsung-SM-G935F.md

[enricogior]

It turned out the crash doesn't occur when compiling ThaliTest with Android build tools 25.0.2 (available with Android Studio 2.2.3).

[enricogior]

More testing confirmed the issue is only present when using the build tool version 25.0.

[chapko]

@enricogior I was testing one of my branches on samsung devices and was able to reproduce this bug several times. Sometimes it is one device, sometimes 2 or all of them.
I removed all android build-tools versions except 25.0.2 and used jxcore-cordova v0.1.9.

Logs (all 3 devices crashed):

• 988667514534423146.log
• ad081603480f209327.log
• ad091603590587540b.log

Branch: iOS_chapko_1500-segfault

Please, let me know if you need more info.

[enricogior]

@chapko can you try using just two devices (both S7), does it reproduce? Thank you.

[evabishchevich]

There are some more logs:
https://github.com/ThaliTester/TestResults/tree/104320879c47ddeb_Update_jxcore_to_0_3_1_9_evabishchevich/

jxcore 0.3.1.9

[enricogior]

I finally managed to reproduce the crash building ThaliTest with the command line build tools.
If I use Android Studio to build and install the APK, the crash never happens. Using the command line tools it occurs 100% of the times.

[enricogior]

The crash occurs here:
https://github.com/thaliproject/jxcore/blob/master/deps/mozjs/src/gc/Marking.cpp#L154
because sym is NULL.

[enricogior]

After modifying return sym->isWellKnownSymbol(); to avoid the crash there when sym is NULL, we finally got a more interesting call stack:

02-02 18:09:15.838 4667-4667/? A/DEBUG:     #01 pc 003cf2d4  /data/app/com.test.thalitest-1/lib/arm/libjxcore.so (_ZN2js2gc13MarkValueRootEP8JSTracerPN2JS5ValueEPKc+76)
02-02 18:09:15.838 4667-4667/? A/DEBUG:     #02 pc 003d4050  /data/app/com.test.thalitest-1/lib/arm/libjxcore.so (_ZN2js2gc9GCRuntime11markRuntimeEP8JSTracerNS1_18TraceOrMarkRuntimeENS1_21TraceRootsOrUsedSavedE+1452)
02-02 18:09:15.838 4667-4667/? A/DEBUG:     #03 pc 00580ae0  /data/app/com.test.thalitest-1/lib/arm/libjxcore.so (_ZN2js2gc9GCRuntime14beginMarkPhaseEN2JS8gcreason6ReasonE+1308)
02-02 18:09:15.838 4667-4667/? A/DEBUG:     #04 pc 00583ec8  /data/app/com.test.thalitest-1/lib/arm/libjxcore.so (_ZN2js2gc9GCRuntime23incrementalCollectSliceExN2JS8gcreason6ReasonE+500)
02-02 18:09:15.838 4667-4667/? A/DEBUG:     #05 pc 005848c4  /data/app/com.test.thalitest-1/lib/arm/libjxcore.so (_ZN2js2gc9GCRuntime7gcCycleEbxNS_18JSGCInvocationKindEN2JS8gcreason6ReasonE+244)
02-02 18:09:15.838 4667-4667/? A/DEBUG:     #06 pc 00584a6c  /data/app/com.test.thalitest-1/lib/arm/libjxcore.so (_ZN2js2gc9GCRuntime7collectEbxNS_18JSGCInvocationKindEN2JS8gcreason6ReasonE+224)
02-02 18:09:15.838 4667-4667/? A/DEBUG:     #07 pc 00584f74  /data/app/com.test.thalitest-1/lib/arm/libjxcore.so (_ZN2js2gc9GCRuntime10gcIfNeededEP9JSContext+48)
02-02 18:09:15.838 4667-4667/? A/DEBUG:     #08 pc 00677c1c  /data/app/com.test.thalitest-1/lib/arm/libjxcore.so (_ZN2js20NewStringDontDeflateILNS_7AllowGCE1EhEEP12JSFlatStringPNS_17ThreadSafeContextEPT0_j+80)
02-02 18:09:15.838 4667-4667/? A/DEBUG:     #09 pc 0067c2b0  /data/app/com.test.thalitest-1/lib/arm/libjxcore.so (_ZN2js12StringBuffer12finishStringEv+184)
02-02 18:09:15.838 4667-4667/? A/DEBUG:     #10 pc 005bf914  /data/app/com.test.thalitest-1/lib/arm/libjxcore.so (_Z14json_stringifyP9JSContextjPN2JS5ValueE+340)

[enricogior]

We made some progress, the SIGSEGV is occurring in the SpiderMonkey's GC when accessing a root object that later on gets corrupted.
The root object is a persistent object created at JXcore startup:
https://github.com/thaliproject/jxcore/blob/master/src/jx/Proxy/Mozilla_340/MozJS/MozValue.cc#L1210

The root object is created passing an address that is on the stack, we need to understand if that is done on purpose or not, because it seems wrong.

[enricogior]

We are testing a fix.

[enricogior]

Tests passed on all platforms. The fix will be released in v0.3.1.10.

[enricogior]

Fix released in JXcore 0.3.1.10 and JXcore-Cordova 0.1.10.