Bug 247662
Summary: Android arm64 signal 4 (SIGILL) /data/app/com.netease.cloudmusic/lib/arm/libjsc.so
Product: WebKit
Reporter: wang <1184503206>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX
Severity: Normal
CC: bugs-noreply, mcatanzaro
Priority: P2
Version: Other
Hardware: Unspecified
OS: Unspecified
Attachments: crash stack (flags: none)

Description wang 2022-11-08 23:55:30 PST
Created attachment 463465 [details]
crash stack

### Version
webkit-2.26.1

We use the libjsc.so from [https://github.com/react-native-community/jsc-android-buildscripts/releases/tag/v250230.2.1].
That libjsc.so uses webkit-2.26.1.
### Component
We decompiled it with IDA to check the assembly instructions, and suspect that m_regExpJITCode is the wrong address:
```
            if (s.is8Bit())
                result = m_regExpJITCode->execute(s.characters8(), startOffset, s.length(), patternContextBufferHolder.buffer(), patternContextBufferHolder.size());
            else
                result = m_regExpJITCode->execute(s.characters16(), startOffset, s.length(), patternContextBufferHolder.buffer(), patternContextBufferHolder.size());
```
### Platform and OS
Android 10

### Summary

Our app is used by 30 million users every day. When the app is launched, react-native is started and the JS code is run using the JSC engine. About 3000 users are experiencing SIGILL crashes every day.

### Description
Detailed crash stack:
```
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x6e780714c0 (*pc=0x54000109)
    x0  000000779881cb63  x1  0000000000000000  x2  0000000000000000  x3  00000077e1be7458
    x4  0000000000000000  x5  0000000000000000  x6  f2aa8611d2997b11  x7  3900023ff2c00dd1
    x8  0000006e780714a0  x9  0000000000002000  x10 000000000000009c  x11 0000000000000040
    x12 0000006e780716c0  x13 d4200000d4200000  x14 0000000000000000  x15 0000006e78071660
    x16 0000000000000001  x17 0000006e5430cbd8  x18 0000006e4f3aa000  x19 0000006e55cc4000
    x20 0000006e4c439d60  x21 0000006e5430b300  x22 0000006e54300000  x23 0000000000000000
    x24 0000006e55c2b990  x25 0000000000000000  x26 00000077e1be7458  x27 ffff000000000000
    x28 0000000000000000  x29 00000077e1be7560
    sp  00000077e1be7390  lr  00000077986a39d8  pc  0000006e780714c0
backtrace:
    #00 pc 00000000000724c0  <anonymous:      6e77fff000>
    #01 pc 00000000005629d4  /data/app/com.netease.cloudmusic-MWwXW1Ro6eqwDgCypqXt2w==/lib/arm64/libjsc.so
    #02 pc 0000000000058b4c  <anonymous:      6e77fff000>
java stacktrace:
  at com.facebook.react.bridge.queue.NativeRunnable.run(Native method)
  at android.os.Handler.handleCallback(Handler.java:883)
  at android.os.Handler.dispatchMessage(Handler.java:100)
  at com.facebook.react.bridge.queue.MessageQueueThreadHandler.dispatchMessage(ProGuard:1)
  at android.os.Looper.loop(Looper.java:224)
  at com.facebook.react.bridge.queue.MessageQueueThreadImpl$4.run(ProGuard:8)
  at java.lang.Thread.run(Thread.java:919)
```

```
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x78baa3b4e0 (*pc=0xd3407c21)
    x0  00000078c8e1db63  x1  0000000000000000  x2  0000000000000000  x3  0000000000000000
    x4  0000000000000000  x5  0000000000000000  x6  f2c00f11f2b73411  x7  d65f03c03900023f
    x8  00000078baa3b4e0  x9  0000000000002000  x10 000000000000009c  x11 0000000000000280
    x12 00000078b3a10770  x13 0000000000000001  x14 0000000000000000  x15 00000078baa3b5a0
    x16 00000078c8fcf3d8  x17 0000007978cfc168  x18 0000000000000000  x19 00000078b10c3c30
    x20 0000000000000000  x21 00000078b3a0d6a8  x22 00000078b9a00000  x23 00000078b10c3c50
    x24 0000000000000000  x25 00000078b15cc010  x26 00000078b9a0ccc8  x27 ffff000000000000
    x28 ffff000000000002  x29 00000078b3a0d7d0
    sp  00000078b3a0d5b0  lr  00000078c8c99844  pc  00000078baa3b4e0
backtrace:
    #00 pc 000000000004a4e0  <anonymous:      78ba9f1000>
    #01 pc 0000000000557840  /data/app/com.netease.cloudmusic-8TiD-LQZ_naq2wWtS0dKpA==/lib/arm64/libjsc.so
    #02 pc 00000000005636b0  /data/app/com.netease.cloudmusic-8TiD-LQZ_naq2wWtS0dKpA==/lib/arm64/libjsc.so
    #03 pc 00000000000106ac  <anonymous:      78ba9f1000>
java stacktrace:
  at com.facebook.react.bridge.queue.NativeRunnable.run(Native method)
  at android.os.Handler.handleCallback(Handler.java:790)
  at android.os.Handler.dispatchMessage(Handler.java:99)
  at com.facebook.react.bridge.queue.MessageQueueThreadHandler.dispatchMessage(ProGuard:1)
  at android.os.Looper.loop(Looper.java:192)
  at com.facebook.react.bridge.queue.MessageQueueThreadImpl$4.run(ProGuard:8)
  at java.lang.Thread.run(Thread.java:764)
```
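Added triage example (not part of the bug report or of WebKit): a small Python helper that parses an Android tombstone excerpt like the ones above (a constructed, abridged copy of the first dump is embedded inline) and cross-checks the faulting pc against the backtrace's anonymous-mapping base, so a triager can tell at a glance whether frame #0 is JIT-emitted code or a libjsc.so frame. The regexes are assumptions about the tombstone format as it appears in this report.

```python
import re

# Constructed sample: abridged from the first tombstone quoted in the report above.
SAMPLE = """\
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x6e780714c0 (*pc=0x54000109)
    x8  0000006e780714a0  x9  0000000000002000  x10 000000000000009c  x11 0000000000000040
    sp  00000077e1be7390  lr  00000077986a39d8  pc  0000006e780714c0
backtrace:
    #00 pc 00000000000724c0  <anonymous:      6e77fff000>
    #01 pc 00000000005629d4  /data/app/com.netease.cloudmusic-MWwXW1Ro6eqwDgCypqXt2w==/lib/arm64/libjsc.so
    #02 pc 0000000000058b4c  <anonymous:      6e77fff000>
"""

SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\), code (\d+) \((\w+)\), "
                       r"fault addr 0x([0-9a-f]+) \(\*pc=0x([0-9a-f]+)\)")
REG_RE = re.compile(r"\b(x\d+|sp|lr|pc)\s+([0-9a-f]{16})\b")
FRAME_RE = re.compile(r"#(\d+) pc ([0-9a-f]+)\s+(?:<anonymous:\s*([0-9a-f]+)>|(\S+))")


def parse_tombstone(text):
    """Extract the signal line, general registers and backtrace frames from a tombstone excerpt."""
    info = {"regs": {}, "frames": []}
    for line in text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            info.update(signal=int(m[1]), signame=m[2], code=m[4],
                        fault_addr=int(m[5], 16), insn=int(m[6], 16))
            continue
        m = FRAME_RE.search(line)
        if m:  # frame lines also read "pc <hex>", so match them before the register regex
            info["frames"].append({"n": int(m[1]), "off": int(m[2], 16),
                                   "anon_base": int(m[3], 16) if m[3] else None,
                                   "lib": m[4]})
            continue
        for name, val in REG_RE.findall(line):
            info["regs"][name] = int(val, 16)
    return info


def triage(info):
    """Return (findings, libraries): the facts worth knowing before asking for a symbolised trace."""
    pc, top, findings = info["regs"]["pc"], info["frames"][0], []
    if info["fault_addr"] == pc:
        findings.append("fault addr == pc: the fault is on instruction fetch, not a data access")
    if top["anon_base"] is not None:
        findings.append("frame #0 is in an anonymous mapping (JIT-emitted code), not in a .so")
        if pc - top["anon_base"] == top["off"]:
            findings.append("pc offset 0x%x within the mapping matches the backtrace" % top["off"])
    libs = sorted({f["lib"] for f in info["frames"] if f["lib"]})
    return findings, libs
```

For both dumps in the report the offset check passes (0x724c0 and 0x4a4e0), which is why a symbolised backtrace of the JIT caller in libjsc.so, as asked for in the comments, is what actually moves the investigation forward.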
Comment 1 Michael Catanzaro 2022-11-09 10:10:12 PST
Interesting... I didn't know anyone had JavaScriptCore working on Android.

That said, I'm afraid 2.26.1 is three years old, much too old to be worth investigating. So your first step is to try upgrading to 2.38.2. There's a pretty decent chance your problem will go away just by doing that, so definitely worth it.

If you're still seeing crashes after the upgrade, then you can reopen this bug, but it's unlikely to be solved without a *way* better backtrace. I'm not sure what is customary for Android backtraces, but ideally you'd show something as close as possible to what would be provided by gdb on Linux or lldb on macOS, e.g. as in bug #245968, with function names and line numbers at bare minimum, and ideally also stack variables. You might need to build your application with more debugging enabled than normal (e.g. using -g) to do this.
Comment 2 Michael Catanzaro 2022-11-09 10:13:42 PST
(In reply to Michael Catanzaro from comment #1)
> Interesting... I didn't know anyone had JavaScriptCore working on Android.

Oh that's not true, because there's also https://github.com/Igalia/wpe-android/, and JSC is clearly working there.

Regardless, good luck!