SIGSEGV (segfault) on Samsung S7 #1592
Comments
I was testing WiFi-only mode on devices and this bug was reproducing very often on one of the connected Samsungs. I created a separate branch Logs: segfaults-fe9e390.zip
|
The same issue with iOS devices. I can't complete all tests most of the time. Logs from the devices: segfaults-ios.zip |
I created a new branch UPD: my bad, I named this branch wrong, it should be called |
Using the
|
The latest logs show two different types of problems.
and it doesn't involve jxcore. The second problem looks like a stack overflow occurring in the SM's sandbox and may be caused by node code (a callback calling into itself):
|
Two new issues created to track the problems reported on the |
I still can reproduce it with jx 0.3.1.8 using two Samsung s7 phones. Happened on 1 of 2 phones: Happened on both phones simultaneously: Branch: |
Seems similar to #563 |
I've reproduced the same issue. Log here. I was testing with 2 Samsungs and 1 Nexus. |
@andrew-aladev on which branch? |
It works in the current iOS branch. But it is hard to reproduce this issue. |
We tried to repro on the iOS branch using S6, S7 and 6P, but the tests fail pretty soon:
TestServer log: Device Log: |
@enricogior I created a separate branch |
@chapko is there any change I should make before running the tests? I'm asking because I built ThaliTest and ran the tests 5 times on S7, S6 and 6P and the 152 tests passed every time. I only once got an Android error on the S7, "bluetooth share has stopped", but it didn't seem to affect the test results. When you run the tests, does the crash happen on multiple devices at the same time or just on one device at a time? If it happens only on one device at a time, does it always happen on the same devices or on any device? |
@enricogior It usually happens on one of the three devices, but sometimes on two or even on all of them. I am using three S7 devices so maybe this is the reason. Example of the logs (all 3 devices crashed almost simultaneously): I can upload more logs tomorrow if necessary |
No. The logs in the previous comment are produced by fresh build from the
On different devices. |
@enricogior I got probably the same crash on CI. This is the ThaliTester comment to the #1741 PR:
What's interesting is that these 3 devices were not running node tests. They were just trying to connect to the coordinated server but couldn't (there's something wrong with CI itself). And all of them crashed. Raw logs: |
It turned out the crash doesn't occur when compiling ThaliTest with Android build tools 25.0.2 (available with Android Studio 2.2.3). |
More testing confirmed the issue is only present when using the build tool version 25.0. |
@enricogior I was testing one of my branches on samsung devices and was able to reproduce this bug several times. Sometimes it is one device, sometimes 2 or all of them. Logs (all 3 devices crashed): Branch: Please, let me know if you need more info. |
@chapko can you try using just two devices (both S7), does it reproduce? Thank you. |
There are some more logs: jxcore 0.3.1.9 |
I finally managed to reproduce the crash building ThaliTest with the command line build tools. |
The crash occurs here: |
After modifying
|
We made some progress, the SIGSEGV is occurring in the SpiderMonkey's GC when accessing a root object that later on gets corrupted. The root object is created passing an address that is on the stack, we need to understand if that is done on purpose or not, because it seems wrong. |
We are testing a fix. |
Tests passed on all platforms. The fix will be released in v0.3.1.10. |
Despite the class type, `JS::Heap<JS::Value> rval;` is allocated on the stack and passed to `JS::AddNamedValueRoot(ctx, &rval, nullptr);` that expects an object address on the heap, that causes a SIGSEGV when the GC tries to access the object using an address that is not anymore pointing to the original object `reserved_obj`. Removing the call to `JS::AddNamedValueRoot(ctx, &rval, nullptr);` is a valid fix since `reserved_obj` will be protected by calling `JS_SetReservedSlot(obj, GC_SLOT_JS_CLASS, rval);` Fixes: thaliproject/Thali_CordovaPlugin#1592
`JS::Heap<JS::Value> rval;` is allocated on the stack and passed to `JS::AddNamedValueRoot(ctx, &rval, nullptr);` that expects the object address to remain valid until the root object is removed, but since the root object, pointed to by `rval`, lives for the entire lifecycle of the process, the GC will eventually access an invalid address. Removing the call to `JS::AddNamedValueRoot(ctx, &rval, nullptr);` is a valid fix since `reserved_obj` will be protected by calling `JS_SetReservedSlot(obj, GC_SLOT_JS_CLASS, rval);` Fixes: thaliproject/Thali_CordovaPlugin#1592
Fix released in JXcore 0.3.1.10 and JXcore-Cordova 0.1.10. |
`JS::Heap<JS::Value> rval;` is allocated on the stack and passed by address to `JS::AddNamedValueRoot(ctx, &rval, nullptr);` that function expects the address to remain valid until the root is removed, but since the address of `rval` doesn't live past the end of the function, the GC will eventually access an invalid address. Removing the call to `JS::AddNamedValueRoot(ctx, &rval, nullptr);` is a valid fix since `reserved_obj` will be protected by calling `JS_SetReservedSlot(obj, GC_SLOT_JS_CLASS, rval);` Fixes: thaliproject/Thali_CordovaPlugin#1592
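The lifetime bug these commit messages describe, reduced to a toy collector as an added example (not jxcore or SpiderMonkey code). `ToyGC`, `Obj`, `buggy_attach` and `fixed_attach` are hypothetical stand-ins for the real calls named in the comments; the example counts the root left behind rather than dereferencing it.

```cpp
#include <cstddef>
#include <set>

// Toy model, not SpiderMonkey: the collector stores the ADDRESS of each root
// slot and dereferences that address on every mark phase.
struct Obj { bool marked = false; Obj* reserved_slot = nullptr; };

struct ToyGC {
    std::set<Obj**> roots;
    void add_root(Obj** slot) { roots.insert(slot); }
    void mark() {
        for (Obj** slot : roots)  // reads *slot, so the slot itself must still be alive
            for (Obj* o = *slot; o && !o->marked; o = o->reserved_slot)
                o->marked = true;
    }
};

// Pattern from the commit message: root a local slot and never remove it.
void buggy_attach(ToyGC& gc, Obj* owner, Obj* reserved) {
    Obj* rval = reserved;         // lives in this stack frame only
    gc.add_root(&rval);           // analogue of AddNamedValueRoot(ctx, &rval, nullptr)
    owner->reserved_slot = rval;  // analogue of JS_SetReservedSlot(obj, ..., rval)
}                                 // frame is gone, &rval is still in gc.roots

// Pattern after the fix: the owner's reserved slot alone keeps the object reachable.
void fixed_attach(ToyGC&, Obj* owner, Obj* reserved) {
    owner->reserved_slot = reserved;
}

// Roots still registered, beyond the caller's own one, after attach() returned.
std::size_t stale_roots_after(void (*attach)(ToyGC&, Obj*, Obj*)) {
    ToyGC gc; Obj owner, reserved; Obj* owner_slot = &owner;
    gc.add_root(&owner_slot);
    attach(gc, &owner, &reserved);
    return gc.roots.size() - 1;   // mark() is not called: a stale slot would be read
}

// With the fix, a mark phase still reaches the reserved object through its owner.
bool reserved_survives_fixed() {
    ToyGC gc; Obj owner, reserved; Obj* owner_slot = &owner;
    gc.add_root(&owner_slot);
    fixed_attach(gc, &owner, &reserved);
    gc.mark();
    return owner.marked && reserved.marked;
}

int main() {
    return stale_roots_after(buggy_attach) == 1 && reserved_survives_fixed() ? 0 : 1;
}
```

In a real build, AddressSanitizer with `detect_stack_use_after_return=1` reports the first read through such a stale slot instead of leaving it to surface as an intermittent SIGSEGV.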
I got SIGSEGV twice today on Samsung S7 running node tests in native mode. First time I was running almost all tests. Second time I had only 2 tests enabled: `testThaliManagerCoordinated.js` and `testThaliReplicationPeerActionCoordinated.js` (but in reversed order).
Logs:
Branch: `iOS_chapko_899-complete` (120c5ea)
To reproduce issue apply 899.patch to the `iOS_chapko_899-complete` branch, build apk, and run it with 2 other devices.