null pointer dereference on jsc-android: 236355.1.1

[rotemmiz]

Issue Description

JSCore dereferences a null pointer (signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0), at some regex calculation (?)

2019-02-07 13:10:27.057 5891-5923/com.reactnativenavigation.playground A/libc: Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0 in tid 5923 (mqt_js), pid 5891 (tion.playground)
2019-02-07 13:10:27.107 1924-1941/? W/libprocessgroup: kill(-3655, 9) failed: No such process
2019-02-07 13:10:27.107 5946-5946/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2019-02-07 13:10:27.107 5946-5946/? A/DEBUG: Build fingerprint: 'google/sdk_gphone_x86/generic_x86:9/PSR1.180720.075/5124027:user/release-keys'
2019-02-07 13:10:27.107 5946-5946/? A/DEBUG: Revision: '0'
2019-02-07 13:10:27.107 5946-5946/? A/DEBUG: ABI: 'x86'
2019-02-07 13:10:27.107 5946-5946/? A/DEBUG: pid: 5891, tid: 5923, name: mqt_js  >>> com.reactnativenavigation.playground <<<
2019-02-07 13:10:27.107 5946-5946/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
2019-02-07 13:10:27.107 5946-5946/? A/DEBUG: Cause: null pointer dereference
2019-02-07 13:10:27.107 5946-5946/? A/DEBUG:     eax 00000000  ebx cce66ff4  ecx cce6883c  edx cc1fc278
2019-02-07 13:10:27.107 5946-5946/? A/DEBUG:     edi cc1fc438  esi cce66ff4
2019-02-07 13:10:27.107 5946-5946/? A/DEBUG:     ebp cc1fc358  esp cc1fc23c  eip 00000000
2019-02-07 13:10:27.145 5946-5946/? A/DEBUG: backtrace:
2019-02-07 13:10:27.145 5946-5946/? A/DEBUG:     #00 pc 00000000  <unknown>
2019-02-07 13:10:27.145 5946-5946/? A/DEBUG:     #01 pc 006a98a6  /data/app/com.reactnativenavigation.playground-EcLLr4vUusPISFvj2SIIRg==/lib/x86/libjsc.so (JSC::JSObject::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const+2550)
2019-02-07 13:10:27.145 5946-5946/? A/DEBUG:     #02 pc 0064654b  /data/app/com.reactnativenavigation.playground-EcLLr4vUusPISFvj2SIIRg==/lib/x86/libjsc.so (JSC::JSValue::toStringSlowCase(JSC::ExecState*, bool) const+1323)
2019-02-07 13:10:27.145 5946-5946/? A/DEBUG:     #03 pc 0075182e  /data/app/com.reactnativenavigation.playground-EcLLr4vUusPISFvj2SIIRg==/lib/x86/libjsc.so (JSC::regExpProtoFuncExec(JSC::ExecState*)+222)
2019-02-07 13:10:27.145 5946-5946/? A/DEBUG:     #04 pc 000000e0  <anonymous:c9cff000>

Version, config, any additional info

jsc-android: 236355.1.1
react-native: 0.57.7/0.57.8

Issue was reproduced on 32bit version of libjsc, on both arm-v8 devices, x86 and x86_64 android emulators.
Issue is easily reproducible with the following test:
clone https://github.com/wix/react-native-navigation/tree/jscCrashRepro (jscCrashRepro branch)

npm install
cd playground/android
npm run start&
./gradlew installDebug

[rotemmiz]

@DanielZlotin is this the error you encountered when trying to build 64 bit JSCore?

[DanielZlotin]

No this looks like something else completely.

Do you know what is the regex reproducing the crash? Or at least what happened in RNN during this.. is this during runtime or while loading/parsing the bundle? a smaller clean project (like in this repo) will maybe help narrow this down.
We run lots of regex tests as part of the benchmark so I doubt it's that, but possible.
Might be just wrong use of API somewhere.

You mentioned 32bit version. Can you try reproduce with x64? (On arm 64)
Also curious to know if this happens with other RN version, and older JSC.

I could also suggest adding logs from those functions to understand what they are, when are they called, and what parameters (null or otherwise) were passed. Log-debugging :(

[rotemmiz]

An important info I forgot to add is that this does not happen on the previous jsc-android release and on stock RN JSCore.
I'll try gathering more data.

[kmagiera]

Thanks for this comprehensive report @rotemmiz

We've spent some time debugging arm64 crashes last year and I'm glad to see that this one is easily reproducible. Please feel free to mention me next time you make a report. I'll try to look into this one as soon as I have some availability

[creambyemute]

I'm not sure if the crash I'm experiencing is also related to this issue here. I'm using the latest JSC from here and got a cause: null pointer dereference.

I'm using React-Navigation and not React-Native-Navigation.

• It only happens on Android (works on iOS and react-native-windows)
• Only happens after navigating back and forth x amount of times (clicking on SearchIcon in the header)
• Stops happening when I remove https://github.com/mjsolidarios/react-native-search-filter component from header (which replaces the SearchIcon onPress)

I'll try again with a normal and after this "fix" has been released I'll try again with https://github.com/mjsolidarios/react-native-search-filter

[creambyemute]

FYI: I just upgraded from RN 0.57.8 to 0.59.0 and removed the jsc injection.

Couldn't reproduce the by me above mentioned crash anymore.

[Kudo]

Some update:

1. WebKitGTK has a new major release 2.24.0. Unfortunately did not solve the issue and confirm reproducible.

2. I built a debug build and able to reproduce the crash.
   Some context I found:
   For regExpProtoFuncExec, the regex is ^#([0-9a-fA-F]{6})$, seems comes from react-native/Libraries/Color/normalizeColor.js.
   The target string to do exec(), during call to toPrimitive() (i.e. Symbol.toPrimitive()), there is a null pointer in JSObject::getNonIndexPropertySlot().
   The structure from vm structureIDTable is a null object and structureIDTable is empty table in fact.
   From the backtrace, the call path is from JIT code.
   I guess there is some race condition during structureIDTable allocate and resize.

3. I try to disable DFG_JIT, so far no crash happens.
   And yes, as mentioned it needs some patches to fix build error to disable DFG_JIT after WebKitGTK 2.22.
   Furthermore, old JSC also turn off DFG_JIT as well.

For my personal available time slot,
I will further to check if release build without DFG_JIT could solve the problem.
And see if disabling DFG_JIT will bring back the 64bit crash issue back or not.
Thankfully to @rotemmiz having an easy reproducible steps for the crash.

[Kudo]

Have some more update for 64bit crash issue.

First I could reproduce the crash issue based on @DanielZlotin's work on https://github.com/react-community/jsc-android-buildscripts/tree/RN51x64.
Then I used my custom build JSC (release build WebKitGTK 2.22.6 but disable DFG_JIT).
It seems the DFG_JIT disabled build have no crash issue.

BTW, I cannot test the render deep list test case, there were JNI local reference table overflow from yoga. Other test cases could successfully run in 10 times.

[Kudo]

@rotemmiz I've built a JSC without DFG_JIT and seems there are no crash issues from the jscCrashRepro.
Could you please help to further verify that?

Two changes in jscCrashRepro, one for detox 12.0 upgrade as I upgrade Xcode to 10.2 today.
The other and the major one is use my JSC build.

For my JSC build, the changes are at https://github.com/Kudo/jsc-android-buildscripts/commits/develop and built by CircleCI as well.
I will create PRs if the DFG_JIT disabled build passed you testing.

[tafty]

On a project I am working on we experienced a similar issue whilst running a release build to Samsung S6s (see log below).

@Kudo I have just tested using a fork of react-native-navigation that used your JSC build and it has fixed our issue. Thanks!

2019-04-03 14:37:56.569 18149-18149/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2019-04-03 14:37:56.570 18149-18149/? A/DEBUG: Build fingerprint: 'samsung/zerofltexx/zeroflte:7.0/NRD90M/G920FXXU6ERF5:user/release-keys'
2019-04-03 14:37:56.570 18149-18149/? A/DEBUG: Revision: '11'
2019-04-03 14:37:56.570 18149-18149/? A/DEBUG: ABI: 'arm'
2019-04-03 14:37:56.570 18149-18149/? A/DEBUG: pid: 18066, tid: 18119, name: mqt_js  >>> com.my.package.systest <<<
2019-04-03 14:37:56.570 18149-18149/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xbbadbeef
2019-04-03 14:37:56.570 18149-18149/? A/DEBUG:     r0 c517c40c  r1 fffffffe  r2 bbadbeef  r3 00000000
2019-04-03 14:37:56.570 18149-18149/? A/DEBUG:     r4 c37c7cb0  r5 10a592f4  r6 f5238e78  r7 00000014
2019-04-03 14:37:56.570 18149-18149/? A/DEBUG:     r8 376cb440  r9 c37c7cb0  sl 00000000  fp c517c520
2019-04-03 14:37:56.570 18149-18149/? A/DEBUG:     ip c9a0ce24  sp c517c490  lr c99bcd67  pc c99bcd9c  cpsr 400e0030
2019-04-03 14:37:56.571 18149-18149/? A/DEBUG: backtrace:
2019-04-03 14:37:56.575 18149-18149/? A/DEBUG:     #00 pc 00142d9c  /data/app/com.my.package.systest-1/lib/arm/libjsc.so (offset 0x40000)
2019-04-03 14:37:56.575 18149-18149/? A/DEBUG:     #01 pc 00142d63  /data/app/com.my.package.systest-1/lib/arm/libjsc.so (offset 0x40000)```

[huuthinh245]

@tafty can you explain how to fix it . Im' really newbie. So how to use JSC for android . I have a big problem when I sometimes push screen (react-native-navigation v2) and react native: 0.59.3 , my app is crash and just throw err Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 27604 (mqt_js), pid 27575. Please help me. Thank you so much.

[tafty]

@huuthinh245 I forked react-native-navigation and created a branch from the release that we are currently using in our project (2.11.0) then updated package.json to use Kudo's repository containing the JSC fix. You can see that commit here:

https://github.com/UnomeeLtd/react-native-navigation/commit/d2fdb886ccb1f632db8fdb8bb8f7641e3144de62

There is also a second commit on that branch to upgrade Detox to allow it to work with the latest XCode. I then altered pacakge.json in our project to reference my fork:

"react-native-navigation": "git+https://git@github.com/UnomeeLtd/react-native-navigation.git#jsc-android-fix-test",

This allowed me to prove that the fix would work. However, I should also add that in our project I was able to revert the change that resulted in hitting the fatal error and am waiting until Kudo's change is merged into the main jsc-android-buildscripts repository and picked up by react-native-navigation before re-instating that change. You may be less cautious than I am or perhaps are unable to wait...