iOS 6.0: EXC_BAD_ACCESS in JavaScriptCore`JSC::Heap::collect(JSC::Heap::SweepToggle): after releasing a JSCocoaController

Thomas Elstner

Sep 25, 2012, 5:33:35 AM
Hello all,

I'm using JSCocoa with multiple instances of JSCocoaController, i.e. we have a scenario similar to the example 'Multiple JSCocoa instances' but on iOS.
While migrating my project to iOS 6.0 I noticed that the JSCocoaController has a problem with GC after being released - this problem occurs only on iOS 6 simulator & devices, but not on iOS 5.x simulator or devices.

I have created a minimum testcase (available here:, see folder xoJSCocoaTest), which basically consists of a
self.jsc = [[[JSCocoaController alloc] init] autorelease];
and a
self.jsc = nil;
The latter is triggering the EXC_BAD_ACCESS during GC.

Any ideas what is going wrong here?

Best regards,

1   0x665e342 JSC::Heap::collectAllGarbage()
2   0x665a93a JSC::DefaultGCActivityCallbackPlatformData::timerDidFire(__CFRunLoopTimer*, void*)
4   0x2112e06 __CFRunLoopDoTimer
5   0x20faa82 __CFRunLoopRun
6   0x20f9f44 CFRunLoopRunSpecific
7   0x20f9e1b CFRunLoopRunInMode
8   0x20ae7e3 GSEventRunModal
9   0x20ae668 GSEventRun
10  0x19565c UIApplicationMain
11  0x2662 main
12  0x2595 start

0x665c600:  pushl  %ebp
0x665c601:  movl   %esp, %ebp
0x665c603:  pushl  %ebx
0x665c604:  pushl  %edi
0x665c605:  pushl  %esi
0x665c606:  subl   $44, %esp
0x665c609:  calll  0x665c60e                 ; JSC::Heap::collect(JSC::Heap::SweepToggle) + 14
0x665c60e:  popl   %edi
0x665c60f:  nop   
0x665c610:  nopl   (%eax)
0x665c614:  movl   8(%ebp), %esi
0x665c617:  cmpl   $0, 24(%esi)
0x665c61b:  je     0x665c633                 ; JSC::Heap::collect(JSC::Heap::SweepToggle) + 51
0x665c61d:  calll  0x67e0460                 ; WTFReportBacktrace
0x665c622:  calll  0x67e05b0                 ; WTFInvokeCrashHook
0x665c627:  movl   $0, -1146241297
0x665c631:  ud2   
0x665c633:  movl   $2, 24(%esi)
0x665c63a:  movl   2756(%esi), %eax
0x665c640:  testl  %eax, %eax
0x665c642:  je     0x665c64c                 ; JSC::Heap::collect(JSC::Heap::SweepToggle) + 76
0x665c644:  movl   (%eax), %ecx
0x665c646:  movl   %eax, (%esp)
0x665c649:  calll  *12(%ecx)
0x665c64c:  calll  0x67e0ff0                 ; WTF::currentTime()
0x665c651:  fstpl  -24(%ebp)
0x665c654:  movsd  -24(%ebp), %xmm0
0x665c659:  movsd  %xmm0, -40(%ebp)
0x665c65e:  subsd  2740(%esi), %xmm0
0x665c666:  ucomisd 2157906(%edi), %xmm0
0x665c66e:  jbe    0x665c6aa                 ; JSC::Heap::collect(JSC::Heap::SweepToggle) + 170
0x665c670:  movl   2728(%esi), %eax
0x665c676:  cmpl   $0, 6480(%eax)
0x665c67d:  jne    0x665c69f                 ; JSC::Heap::collect(JSC::Heap::SweepToggle) + 159
0x665c67f:  movl   2748(%esi), %edi
0x665c685:  jmp    0x665c69b                 ; JSC::Heap::collect(JSC::Heap::SweepToggle) + 155
0x665c687:  nopw   (%eax,%eax)
0x665c690:  movl   %edi, (%esp)
0x665c693:  calll  0x6653520                 ; JSC::FunctionExecutable::discardCode()
0x665c698:  movl   112(%edi), %edi
0x665c69b:  testl  %edi, %edi
0x665c69d:  jne    0x665c690                 ; JSC::Heap::collect(JSC::Heap::SweepToggle) + 144
0x665c69f:  calll  0x67e0ff0                 ; WTF::currentTime()
0x665c6a4:  fstpl  2740(%esi)
0x665c6aa:  leal   28(%esi), %edi
0x665c6ad:  movl   %edi, (%esp)
0x665c6b0:  calll  0x670eab0                 ; JSC::MarkedSpace::canonicalizeCellLivenessData()
0x665c6b5:  movl   %esi, (%esp)
0x665c6b8:  movl   $0, 4(%esp)
0x665c6c0:  calll  0x665cd20                 ; JSC::Heap::markRoots(bool)
0x665c6c5:  leal   2492(%esi), %eax
0x665c6cb:  movl   %eax, (%esp)
0x665c6ce:  calll  0x6710b20                 ; JSC::SlotVisitor::finalizeUnconditionalFinalizers()
0x665c6d3:  leal   2548(%esi), %ebx
0x665c6d9:  movl   %ebx, (%esp)
0x665c6dc:  calll  0x67d73a0                 ; JSC::WeakSet::sweep()
0x665c6e1:  movl   2728(%esi), %eax
0x665c6e7:  addl   $3000, %eax
0x665c6ec:  movl   %eax, (%esp)
0x665c6ef:  calll  0x67872d0                 ; JSC::SmallStrings::finalizeSmallStrings()
0x665c6f4:  nop   
0x665c6f5:  nopl   (%eax)
0x665c6f9:  movl   %edi, (%esp)
0x665c6fc:  calll  0x670ea10                 ; JSC::MarkedSpace::resetAllocators()
0x665c701:  movl   %ebx, (%esp)
0x665c704:  calll  0x67d7450                 ; JSC::WeakSet::resetAllocator()
0x665c709:  leal   2700(%esi), %eax
0x665c70f:  movl   %eax, (%esp)
0x665c712:  calll  0x65f49c0                 ; JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks()
0x665c717:  cmpl   $1, 12(%ebp)
0x665c71b:  jne    0x665c73c                 ; JSC::Heap::collect(JSC::Heap::SweepToggle) + 316
0x665c71d:  movl   %esi, (%esp)
0x665c720:  calll  0x665c450                 ; JSC::Heap::sweep()
0x665c725:  movl   %edi, (%esp)
0x665c728:  calll  0x670ed40                 ; JSC::MarkedSpace::shrink()
0x665c72d:  movl   %ebx, (%esp)
0x665c730:  calll  0x67d73f0                 ; JSC::WeakSet::shrink()
0x665c735:  movl   $0, 20(%esi)
0x665c73c:  movl   %esi, (%esp)
0x665c73f:  calll  0x665d720                 ; JSC::Heap::size()
0x665c744:  movl   %eax, 8(%esi)
0x665c747:  movl   4(%esi), %ecx
0x665c74a:  cmpl   %ecx, %eax
0x665c74c:  cmovbl %ecx, %eax
0x665c74f:  movl   %eax, 12(%esi)
0x665c752:  movl   $0, 16(%esi)
0x665c759:  calll  0x67e0ff0                 ; WTF::currentTime()
0x665c75e:  fstpl  -32(%ebp)
0x665c761:  movsd  -32(%ebp), %xmm0
0x665c766:  subsd  -40(%ebp), %xmm0
0x665c76b:  movsd  %xmm0, 2732(%esi)
0x665c773:  cmpl   $2, 24(%esi)
0x665c777:  je     0x665c78f                 ; JSC::Heap::collect(JSC::Heap::SweepToggle) + 399
0x665c779:  calll  0x67e0460                 ; WTFReportBacktrace
0x665c77e:  calll  0x67e05b0                 ; WTFInvokeCrashHook
0x665c783:  movl   $0, -1146241297
0x665c78d:  ud2   
0x665c78f:  movl   $0, 24(%esi)
0x665c796:  nop   
0x665c797:  nopl   (%eax)
0x665c79b:  addl   $44, %esp
0x665c79e:  popl   %esi
0x665c79f:  popl   %edi
0x665c7a0:  popl   %ebx
0x665c7a1:  popl   %ebp
0x665c7a2:  ret   
0x665c7a3:  nopw   %cs:(%eax,%eax)

Patrick Geiller

Sep 27, 2012, 6:02:55 PM
> I'm using JSCocoa with multiple instances of JSCocoaController, i.e. we have a scenario similar to the example 'Multiple JSCocoa instances' but on iOS.
> While migrating my project to iOS 6.0 I noticed that the JSCocoaController has a problem with GC after being released - this problem occurs only on iOS 6 simulator & devices, but not on iOS 5.x simulator or devices.

Does GC happen on another thread ? Maybe try cleaning up on the main thread ?

self.jsc = [[[JSCocoaController alloc] init] autorelease];
[self.jsc cleanUp];
self.jsc = nil;

Did the setting for "Automatic Reference Counting" change between 5 and 6 ?

Thomas Elstner

Sep 28, 2012, 3:08:13 AM

[self.jsc cleanUp] didn't help; now I get an EXC_BAD_ACCESS when jsCocoaObject_finalize is trying to obtain the controller via jsc = [JSCocoa controllerFromContext:ctx].
Anyway, GC seems to happen on the main thread, at least that's where JSC::Heap::collectAllGarbage() is executed.
The example project does not use ARC or any other nasty multithreaded GC stuff; just change the hardware version in the simulator from 5.1 to 6.0 to reproduce the problem... so I guess that there are major differences in JSC's Garbage Collection engine between both versions.


Thomas Elstner

Oct 8, 2012, 3:39:13 PM
Hi again,

I have narrowed down the problem to the lines
    [self removeObjectWithName:@"__jsc__"];
    if (ownsContext)

in the cleanUp method mentioned below, but just commenting out those lines does not seem to be a good solution ;)
Any ideas?
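The lifecycle the thread is circling, a run-loop GC timer that still carries a raw pointer to a heap after the controller owning the context has been released, plus an ownsContext flag deciding which of several controllers may tear a shared context down, modelled in plain C as an added example. This is not JSCocoa or JavaScriptCore code and it does not establish the root cause of the crash above; Heap, Timer, Controller, heap_collect, scenario and the run-loop helpers are all constructed stand-ins, and the heap is poisoned rather than free()d so that the stale access shows up as a return code instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not JavaScriptCore/JSCocoa code: a GC heap whose
 * collections are driven by a run-loop timer carrying a raw pointer to it,
 * the shape of timerDidFire(__CFRunLoopTimer*, void*) in the backtrace. */

#define HEAP_MAGIC 0x48454150u   /* "HEAP": heap is alive */
#define HEAP_DEAD  0xDEADDEADu   /* poisoned on teardown */

typedef struct Heap {
    unsigned magic;
    int      operation_in_progress;   /* m_operationInProgress stand-in */
    int      collections;
} Heap;

typedef void (*timer_cb)(void *info);

typedef struct Timer {
    timer_cb callback;
    void    *info;       /* raw, unowned pointer: nothing clears it on its own */
    bool     scheduled;
} Timer;

static Timer g_gc_timer;         /* the run loop owns the timer slot */
static int   g_last_collect_rc;  /* result of the last timer-driven collect */

/* Stand-in for JSC::Heap::collect(): 0 on success, -1 if entered on a heap
 * that is already torn down or mid-operation.  Real code would read freed
 * memory here (EXC_BAD_ACCESS) or take the ASSERT/CRASH path. */
static int heap_collect(Heap *h) {
    if (h->magic != HEAP_MAGIC) return -1;        /* stale pointer */
    if (h->operation_in_progress != 0) return -1; /* re-entered collect */
    h->operation_in_progress = 1;
    h->collections++;
    h->operation_in_progress = 0;
    return 0;
}

static void gc_timer_did_fire(void *info) {
    g_last_collect_rc = heap_collect((Heap *)info);
}

static void heap_init(Heap *h) {
    memset(h, 0, sizeof *h);
    h->magic = HEAP_MAGIC;
    g_gc_timer = (Timer){ gc_timer_did_fire, h, true };
}

/* Poisoned instead of free()d so the stale read stays well-defined. */
static void heap_destroy(Heap *h) { h->magic = HEAP_DEAD; }

/* One pass of the run loop: fire the GC timer if it is still scheduled. */
static int run_loop_fire_timers(void) {
    g_last_collect_rc = 0;
    if (g_gc_timer.scheduled) g_gc_timer.callback(g_gc_timer.info);
    return g_last_collect_rc;
}

typedef struct Controller {
    Heap *heap;
    bool  owns_context;   /* the ownsContext flag checked in cleanUp */
} Controller;

/* Unsafe teardown: destroys the context but leaves its timer scheduled. */
static void controller_release_unsafe(Controller *c) {
    if (c->owns_context) heap_destroy(c->heap);
    c->heap = NULL;
}

/* Hardened teardown: cancel the timer before the heap goes away, and let
 * only the owning controller tear a shared context down. */
static void controller_release_safe(Controller *c) {
    if (c->owns_context) {
        g_gc_timer.scheduled = false;
        g_gc_timer.info      = NULL;
        heap_destroy(c->heap);
    }
    c->heap = NULL;
}

/* Two controllers share one context (the 'Multiple JSCocoa instances' case).
 * Returns what the timer-driven collect yields after the owner is released:
 * 0 = fine, -1 = collect ran on a dead heap, -2 = the non-owner's release
 * already broke GC for the others. */
static int scenario(bool hardened) {
    static Heap heap;
    heap_init(&heap);
    Controller owner = { &heap, true }, guest = { &heap, false };
    void (*release)(Controller *) =
        hardened ? controller_release_safe : controller_release_unsafe;
    release(&guest);
    if (run_loop_fire_timers() != 0) return -2;
    release(&owner);
    return run_loop_fire_timers();
}

int main(void) {
    printf("unsafe teardown, timer fires after release: %d\n", scenario(false));
    printf("hardened teardown, timer fires after release: %d\n", scenario(true));
    return 0;
}
```

controller_release_unsafe is the shape of a teardown that releases the context and leaves its timer scheduled: the next pass of the run loop enters collect on a dead heap, which here returns -1 and is the kind of stale entry that would surface as an EXC_BAD_ACCESS inside Heap::collect or as the WTFReportBacktrace/ud2 path visible in the disassembly. controller_release_safe invalidates the timer before the heap goes away and lets only the owning controller destroy it, so a non-owner's release never breaks GC for the controllers still using the shared context. Whether JSCocoa's cleanUp ordering on iOS 6 actually reaches such a state is exactly what the thread has not yet determined.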
