[TIMOB-10406] Android: KS crashes on Galaxy Tab and HTC Sensation 4G on V8 only
| GitHub Issue | n/a | 
|---|---|
| Type | Bug | 
| Priority | Critical | 
| Status | Closed | 
| Resolution | Fixed | 
| Resolution Date | 2012-09-07T12:50:33.000+0000 | 
| Affected Version/s | Release 3.0.0 | 
| Fix Version/s | Release 3.0.0, Sprint 2012-18 API | 
| Components | Android | 
| Labels | api | 
| Reporter | Ping Wang | 
| Assignee | Josh Roesslein | 
| Created | 2012-08-10T17:07:41.000+0000 | 
| Updated | 2012-12-06T19:29:41.000+0000 | 
Description
KS crashes on Galaxy Tab (3.2) and HTC Sensation 4G (2.3.4) on V8 only. It doesn't happen on Galaxy SII (2.3.6) and Galaxy Nexus (4.0.2). The log is attached.
This crash happens on master but not on 2.1.1.GA.
The stack trace is
```
********** Crash dump: **********
Build fingerprint: 'samsung/SGH-I777/SGH-I777:2.3.6/GINGERBREAD/UCKK6:user/release-keys'
pid: 5031, tid: 5040  >>> com.appcelerator.kitchensink <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000000c
Stack frame #00  pc 0006f474  /data/data/com.appcelerator.kitchensink/lib/libkroll-v8.so: Routine _M_insert in /Users/pwang/android-ndk/sources/cxx-stl/stlport/stlport/stl/_alloc.h:306
Stack frame #01  pc 00073c0e  /data/data/com.appcelerator.kitchensink/lib/libkroll-v8.so: Routine Handle in src/native/V8Runtime.cpp:371
Stack frame #02  pc 000926da  /data/data/com.appcelerator.kitchensink/lib/libkroll-v8.so: Routine setter_tab in src/native/../../generated/org.appcelerator.titanium.proxy.TiWindowProxy.cpp:1113
Crash dump is completed
```
Attachments
| File | Date | Size | 
|---|---|---|
| app.js | 2012-08-29T14:45:04.000+0000 | 848 | 
| log | 2012-08-10T17:07:41.000+0000 | 10499 | 
It turns out PR#2673 (https://github.com/appcelerator/titanium_mobile/pull/2673) causes this crash.
This might be related to a GC bug we have seen before with TabGroup. We might want to hold off until TIMOB-9911 is merged which will refactor a lot of the tab group code.
Haven't seen the crash yet, but did notice sometimes the tab group comes up with no tabs. Seen this so far on my HTC One X, I'll try some other devices and see what happens. I am not sure yet if this is related to this crash.
So it seems the crash I reproduced is caused by the TabGroup being unreachable (thus eligible for GC) between the open() call and the tab group being opened (this is an async operation). A simple solution that seems to fix the crash is to change the "ApplicationTabGroup" variable in app.js to a global.
This issue occurs only on master and not on 2.1.2 so it does not need the backport.
With some more tedious debugging I figured out what's going on. So it appears the windows for each tab are getting "detached" due to not being reachable anymore in JS. This is normal behavior and the window proxies won't get deleted since Java still references them. The problem is with the window's children views. Due to how we lazy load these into the Java Window object, they don't have any references in Java. So when they get detached (same time as the window since they are also "weak") Java will come along later, finalize the Java object, and delete the native object for the proxy. Eventually we go to open the window and load its child views. When we try to access the native object for the proxy the application crashes since we deleted it earlier. The easiest solution here is to probably create an array of pending windows to keep the windows from ever detaching until we have opened them. It's sort of a hack, but it wouldn't require any immediate major changes to our memory management. So I'll probably implement the quick solution for now and open a task to research a better solution to this problem which may arise in other cases.
We could also update the KS example to not discard the reference. Right now it creates the tab group in a closure and only keeps it in a local variable. Outside of KS this would basically require any developer to retain a reference to the group until it has opened.
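A model of the lifetime problem described in the comments above, added here as an example; it is not code from this ticket or from Titanium. All type and function names are hypothetical, scope exit stands in for JS detach plus Java finalization, and `std::weak_ptr` makes the dangling access countable where the real runtime dereferenced a deleted native object.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model types; none of these are Titanium classes.
struct View {                                   // native object behind a child view proxy
    explicit View(std::string n) : name(std::move(n)) {}
    std::string name;
};
struct JsWindow {                               // JS-side wrapper: the only owner of the children
    std::vector<std::shared_ptr<View>> children;
};
struct JavaWindow {                             // Java-side window: children are loaded lazily,
    std::vector<std::weak_ptr<View>> lazy;      // so it holds no strong reference to them yet
};
struct OpenResult { int loaded; int dangling; };

// Simulates: build window in a closure, call async open(), closure returns, GC runs, open completes.
OpenResult openAfterGc(bool usePendingList) {
    std::vector<std::shared_ptr<JsWindow>> pending;   // the "array of pending windows"
    JavaWindow java;
    {
        auto js = std::make_shared<JsWindow>();       // local variable only, as in the KS app.js
        js->children.push_back(std::make_shared<View>("label"));
        js->children.push_back(std::make_shared<View>("button"));
        for (const auto& c : js->children) java.lazy.push_back(c);
        if (usePendingList) pending.push_back(js);    // keep the window reachable until opened
    }   // scope exit stands in for detach + finalize: unowned native objects are deleted here

    OpenResult r{0, 0};
    for (const auto& child : java.lazy) {             // the deferred open loads the child views
        if (child.lock()) ++r.loaded;                 // native object still alive
        else ++r.dangling;                            // a raw pointer here would be a use-after-free
    }
    pending.clear();                                  // window is open: release the pinned reference
    return r;
}

int main() {
    OpenResult before = openAfterGc(false), after = openAfterGc(true);
    std::printf("no pending list: loaded=%d dangling=%d\n", before.loaded, before.dangling);
    std::printf("pending list:    loaded=%d dangling=%d\n", after.loaded, after.dangling);
    return 0;
}
```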
Attaching a test case which reproduces the underlying flaw in a more simplified case.
Created [PR #2877](https://github.com/appcelerator/titanium_mobile/pull/2877) to resolve issue.
Functional Testing
*Note*: The issue is device sensitive. Try testing on a variety of devices including those listed in this ticket as being affected by this bug.

Simplified Case

1. Run the simplified test case attached (app.js).
2. Try moving finger in the blue view area to generate events.
3. Click the button and you should see an alert.
4. Repeat steps 2-3 to verify the application does not crash.

KitchenSink

1. Build KS and install onto device.
2. Run KS and verify it doesn't crash on startup.
3. Try changing tabs and verify it does not crash.

Created [PR #2887](https://github.com/appcelerator/titanium_mobile/pull/2887) to fix regression with Rhino runtime.
Verified the issue, not reproducible. KS does not crash on 2.3.4 & 4.0.3

- Titanium studio : 3.0.0.201211301903
- SDK Version : 3.0.0.v20121204154658
- CLI version : 3.0.19
- OS : OSX 10.8.2
- Android : 2.3.4 & 4.0.3
- KS : 2.1.4