Titanium JIRA Archive
Titanium SDK/CLI (TIMOB)

[TIMOB-10406] Android: KS crashes on Galaxy Tab and HTC Sensation 4G on V8 only

GitHub Issue: n/a
Type: Bug
Priority: Critical
Status: Closed
Resolution: Fixed
Resolution Date: 2012-09-07T12:50:33.000+0000
Affected Version/s: Release 3.0.0
Fix Version/s: Release 3.0.0, Sprint 2012-18 API
Components: Android
Labels: api
Reporter: Ping Wang
Assignee: Josh Roesslein
Created: 2012-08-10T17:07:41.000+0000
Updated: 2012-12-06T19:29:41.000+0000

Description

KS crashes on Galaxy Tab (3.2) and HTC Sensation 4G (2.3.4) on V8 only. It doesn't happen on Galaxy SII (2.3.6) and Galaxy Nexus (4.0.2). The log is attached. This crash happens on master but not on 2.1.1.GA. The stack trace is

********** Crash dump: **********
Build fingerprint: 'samsung/SGH-I777/SGH-I777:2.3.6/GINGERBREAD/UCKK6:user/release-keys'
pid: 5031, tid: 5040  >>> com.appcelerator.kitchensink <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000000c
Stack frame #00  pc 0006f474  /data/data/com.appcelerator.kitchensink/lib/libkroll-v8.so: Routine _M_insert in /Users/pwang/android-ndk/sources/cxx-stl/stlport/stlport/stl/_alloc.h:306
Stack frame #01  pc 00073c0e  /data/data/com.appcelerator.kitchensink/lib/libkroll-v8.so: Routine Handle in src/native/V8Runtime.cpp:371
Stack frame #02  pc 000926da  /data/data/com.appcelerator.kitchensink/lib/libkroll-v8.so: Routine setter_tab in src/native/../../generated/org.appcelerator.titanium.proxy.TiWindowProxy.cpp:1113
Crash dump is completed

Attachments

| File | Date | Size |
| --- | --- | --- |
| app.js | 2012-08-29T14:45:04.000+0000 | 848 |
| log | 2012-08-10T17:07:41.000+0000 | 10499 |

Comments

  1. Ping Wang 2012-08-13

    It turns out PR#2673 (https://github.com/appcelerator/titanium_mobile/pull/2673) causes this crash.
  2. Josh Roesslein 2012-08-14

    This might be related to a GC bug we have seen before with TabGroup. We might want to hold off until TIMOB-9911 is merged which will refactor a lot of the tab group code.
  3. Josh Roesslein 2012-08-16

    Haven't seen the crash yet, but did notice sometimes the tab group comes up with no tabs. Seen this so far on my HTC One X, I'll try some other devices and see what happens. I am not sure yet if this is related to this crash.
  4. Josh Roesslein 2012-08-16

    So it seems the crash I reproduced is caused by the TabGroup being unreachable (thus eligible for GC) between the open() call and the tab group being opened (this is an async operation). A simple solution that seems to fix the crash is to change the "ApplicationTabGroup" variable in app.js to a global.
  5. Neeraj Gupta 2012-08-16

    This issue occurs only on master and not on 2.1.2 so it does not need the backport.
  6. Josh Roesslein 2012-08-24

    With some more tedious debugging I figured out what's going on. So it appears the windows for each tab are getting "detached" due to not being reachable anymore in JS. This is normal behavior and the window proxies won't get deleted since Java still references them. The problem is with the window's children views. Due to how we lazy load these into the Java Window object, they don't have any references in Java. So when they get detached (same time as the window since they are also "weak") Java will come along later, finalize the Java object, and delete the native object for the proxy. Eventually we go to open the window and load its child views. When we try to access the native object for the proxy the application crashes since we deleted it earlier. The easiest solution here is to probably create an array of pending windows to keep the windows from ever detaching until we have opened them. It's sort of a hack, but it wouldn't require any immediate major changes to our memory management. So I'll probably implement the quick solution for now and open a task to research a better solution to this problem which may arise in other cases.
  7. Josh Roesslein 2012-08-24

    We could also update the KS example to not discard the reference. Right now it creates the tab group in a closure and only keeps it in a local variable. Outside of KS this would basically require any developer to retain a reference to the group until it has opened.
  8. Josh Roesslein 2012-08-29

    Attaching a test case which reproduces the underlying flaw in a more simplified case.
  9. Josh Roesslein 2012-09-05

    Created [PR #2877](https://github.com/appcelerator/titanium_mobile/pull/2877) to resolve issue.

    Functional Testing

    *Note*: The issue is device sensitive. Try testing on a variety of devices including those listed in this ticket as being affected by this bug.

    Simplified Case

    1. Run the simplified test case attached (app.js).
    2. Try moving finger in the blue view area to generate events.
    3. Click the button and you should see an alert.
    4. Repeat steps 2-3 to verify the application does not crash.

    KitchenSink

    1. Build KS and install onto device.
    2. Run KS and verify it doesn't crash on startup.
    3. Try changing tabs and verify it does not crash.
  10. Josh Roesslein 2012-09-07

    Created [PR #2887](https://github.com/appcelerator/titanium_mobile/pull/2887) to fix regression with Rhino runtime.
  11. Lokesh Choudhary 2012-12-06

    Verified the issue, not reproducible. KS does not crash on 2.3.4 & 4.0.3.

    Titanium studio : 3.0.0.201211301903
    SDK Version : 3.0.0.v20121204154658
    CLI version : 3.0.19
    OS : OSX 10.8.2
    Android : 2.3.4 & 4.0.3
    KS : 2.1.4
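
A minimal model of the lifetime problem described in comments 4 and 6 and of the "pending windows" idea, added here as an illustration; it is not Titanium's code and not the change made in PR #2877. All type and function names are hypothetical, and `std::weak_ptr` is used so that a collected child shows up as an expired reference instead of the invalid access seen in the crash dump.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins; none of these names come from Titanium.
struct NativeView { std::string name; };

struct Window {
    // Lazily loaded children: only weak references until open() runs,
    // mirroring child proxies that nothing on the Java side references yet.
    std::vector<std::weak_ptr<NativeView>> lazyChildren;
    std::vector<std::shared_ptr<NativeView>> loaded;

    // Returns how many children could still be loaded at open time.
    // lock() yields nullptr for a collected child instead of touching freed memory.
    std::size_t open() {
        for (auto& w : lazyChildren)
            if (auto v = w.lock()) loaded.push_back(v);
        return loaded.size();
    }
};

// The "pending" list: strong references held from the open() request
// until the asynchronous open has completed.
struct PendingOpens {
    std::vector<std::shared_ptr<NativeView>> retained;
    void retain(const std::shared_ptr<NativeView>& v) { retained.push_back(v); }
    void release() { retained.clear(); }
};

// Simulates: script creates a child view, requests open, drops its only
// reference (the closure returns), and the deferred open runs afterwards.
std::size_t childrenAliveAtOpen(bool usePendingList) {
    Window win;
    PendingOpens pending;
    {
        auto child = std::make_shared<NativeView>(NativeView{"blueView"});
        win.lazyChildren.push_back(child);
        if (usePendingList) pending.retain(child);
    }   // script-side reference gone: the child is now collectable
    std::size_t alive = win.open();   // the deferred open
    pending.release();                // the window now owns what it loaded
    return alive;
}

int main() {
    return (childrenAliveAtOpen(false) == 0 && childrenAliveAtOpen(true) == 1) ? 0 : 1;
}
```
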
