Bug 241538 - JavascriptCore Crash on iOS16.0
Summary: JavascriptCore Crash on iOS16.0
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: Other
Hardware: All Other
: P1 Critical
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-06-12 02:42 PDT by 894110476
Modified: 2022-08-18 04:46 PDT (History)
7 users (show)

See Also:


Attachments
crash report (21.36 KB, text/plain)
2022-06-14 04:30 PDT, 894110476
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description 894110476 2022-06-12 02:42:53 PDT
we found a crash on our crash report system. we didn't reproduce it. from our system, we found serveral features below:

first, it may happened much times on one device;
second, it may happened on low-memory device.
finally, it may happened related to webview and react-native.

Thread 0(crashed)

1       JavaScriptCore  WTF::StringImpl::hashSlowCase() const (in JavaScriptCore) + 132
2       JavaScriptCore	WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::rehash(unsigned int, WTF::Packed<WTF::StringImpl*>*) (in JavaScriptCore) + 308
3	JavaScriptCore	WTF::AtomStringImpl::remove(WTF::AtomStringImpl*) (in JavaScriptCore) + 448
4	JavaScriptCore	WTF::StringImpl::~StringImpl() (in JavaScriptCore) + 76
5	JavaScriptCore	JSC::Structure::destroy(JSC::JSCell*) (in JavaScriptCore) + 104
6	JavaScriptCore	JSC::HeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) const (in JavaScriptCore) + 5540
7	JavaScriptCore	JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (in JavaScriptCore) + 1164
8	JavaScriptCore	JSC::MarkedSpace::lastChanceToFinalize() (in JavaScriptCore) + 136
9	JavaScriptCore	JSC::Heap::lastChanceToFinalize() (in JavaScriptCore) + 372
10	JavaScriptCore	JSC::VM::~VM() (in JavaScriptCore) + 656
11	JavaScriptCore	JSC::JSLockHolder::~JSLockHolder() (in JavaScriptCore) + 316
12	JavaScriptCore	-[JSVirtualMachine dealloc] (in JavaScriptCore) + 84
13	libobjc.A.dylib	object_cxxDestructFromClass(objc_object*, objc_class*) (in libobjc.A.dylib) + 116
14	libobjc.A.dylib	objc_destructInstance (in libobjc.A.dylib) + 80
15	libobjc.A.dylib	_objc_rootDealloc (in libobjc.A.dylib) + 80
16	JavaScriptCore	-[JSContext dealloc] (in JavaScriptCore) + 76
17	JavaScriptCore	-[JSValue dealloc] (in JavaScriptCore) + 148
18	libobjc.A.dylib	AutoreleasePoolPage::releaseUntil(objc_object**) (in libobjc.A.dylib) + 196
19	libobjc.A.dylib	objc_autoreleasePoolPop (in libobjc.A.dylib) + 256
20	CoreFoundation	_CFAutoreleasePoolPop (in CoreFoundation) + 32
21	CoreFoundation	__CFRunLoopPerCalloutARPEnd (in CoreFoundation) + 48
22	CoreFoundation	__CFRunLoopRun (in CoreFoundation) + 2076
23	CoreFoundation	CFRunLoopRunSpecific (in CoreFoundation) + 612
24	GraphicsServices	GSEventRunModal (in GraphicsServices) + 164
25	UIKitCore	-[UIApplication _run] (in UIKitCore) + 888
26	UIKitCore	UIApplicationMain (in UIKitCore) + 340
27	OurAppication	main (in JD4iPhone) (main.m:15)
Comment 1 Mark Lam 2022-06-13 22:46:57 PDT
Can you attach the full crash log?
Comment 2 894110476 2022-06-14 04:30:25 PDT
Created attachment 460230 [details]
crash report

crash report
Comment 3 894110476 2022-06-14 04:31:49 PDT
(In reply to Mark Lam from comment #1)
> Can you attach the full crash log?

I have added an attachment which is produced by our custom crash system. hope it is hopeful.
Comment 4 Mark Lam 2022-06-14 08:46:53 PDT
(In reply to 894110476 from comment #3)
> (In reply to Mark Lam from comment #1)
> > Can you attach the full crash log?
> 
> I have added an attachment which is produced by our custom crash system.
> hope it is hopeful.

Sorry but your custom crash log did not capture the relevant info.  Is it possible to get a crash and file a radar with a sysdiagnose?  That's the best way to make this more actionable.
Comment 5 Mark Lam 2022-06-14 09:30:57 PDT
Nevermind, I managed to find some internal crash logs for this crash.  This appears to be a null pointer deref.  Investigating.
Comment 6 Radar WebKit Bug Importer 2022-06-14 09:31:35 PDT
<rdar://problem/95120120>
Comment 7 894110476 2022-06-15 07:17:56 PDT
(In reply to Mark Lam from comment #5)
> Nevermind, I managed to find some internal crash logs for this crash.  This
> appears to be a null pointer deref.  Investigating.

Good news, hope fixed next beta-version
Comment 8 MrShang110 2022-08-18 04:46:10 PDT
Did you find out what caused the crash ? We still have a lot of crashes in our applications.