Titanium JIRA Archive
Titanium SDK/CLI (TIMOB)

[TIMOB-14697] iOS: layoutChildrenIfNeeded tries to access a deallocated view, causing crash

GitHub Issuen/a
TypeBug
PriorityHigh
StatusClosed
ResolutionCannot Reproduce
Resolution Date2013-10-30T22:23:45.000+0000
Affected Version/sRelease 3.1.1
Fix Version/s2013 Sprint 23, 2013 Sprint 23 API
ComponentsiOS
Labelscrash, ios, triage
ReporterPier Paolo Ramon
AssigneeIngo Muschenetz
Created2013-07-29T14:29:43.000+0000
Updated2017-03-31T17:32:43.000+0000

Description

Randomly during a fast paced view redraw (a lot of parent.add, a lot of parent.remove) the following crash happens: 
Date/Time:       2013-07-26 10:56:41.571 +0200
OS Version:      iPhone OS 5.1.1 (9B206)
Report Version:  104

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x20000008
Crashed Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib               	0x333cdf78 objc_msgSend + 16
1   MyBigApp                    	0x000806d6 -[TiViewProxy layoutChildrenIfNeeded] (TiViewProxy.m:2272)
2   MyBigApp                    	0x001b2fb8 +[TiLayoutQueue layoutProxy:] (TiLayoutQueue.m:79)
3   MyBigApp                    	0x001b2dc8 performLayoutRefresh (TiLayoutQueue.m:46)
4   CoreFoundation                	0x35783a2c __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 8
5   CoreFoundation                	0x35783692 __CFRunLoopDoTimer + 358
6   CoreFoundation                	0x35782268 __CFRunLoopRun + 1200
7   CoreFoundation                	0x3570549e CFRunLoopRunSpecific + 294
8   CoreFoundation                	0x35705366 CFRunLoopRunInMode + 98
9   GraphicsServices              	0x334a0432 GSEventRunModal + 130
10  UIKit                         	0x32eddcce UIApplicationMain + 1074
11  MyBigApp                    	0x000112ac main (main.m:36)
12  MyBigApp                    	0x0000d3b8 start + 32
This is in fact on the access to hidden in view.hidden (which is really a call to [view isHidden]) in [TiViewProxy layoutChildrenIfNeeded]. With NSZombieEnabled we can can in fact see this: 
2013-07-29 15:06:14.545 MyBigApp[878:907] *** -[TiUITableView isHidden]: message sent to deallocated instance 0x1eb01b30
But in the last few hours I saw that exact line on TiUILabelViewProxy, TiUIViewProxy, TiUIActivityIndicatorProxy, so that's not related to the fact that the view is a TableView. Anyway that's pretty strange, to understand what's going on I made the app crash with the history of retains and releases logged (Instruments » iOS Simulator » Zombies) and found the following history: 
#	Address	Category	Event Type	RefCt	Timestamp	Size	Responsible Library	Responsible Caller
0	0x1adb4970	TiUILabel	Malloc	1	00:42.335.257	288	MyBigApp	-[TiViewProxy newView]
1	0x1adb4970	TiUILabel	Retain	2	00:42.335.273	0	MyBigApp	-[TiProxy setModelDelegate:]
2	0x1adb4970	TiUILabel	Retain	3	00:42.335.640	0	UIKit	-[UIView(Internal) _addSubview:positioned:relativeTo:]
3	0x1adb4970	TiUILabel	Retain	4	00:42.335.832	0	QuartzCore	-[CALayer layoutSublayers]
4	0x1adb4970	TiUILabel	Release	3	00:42.335.832	0	QuartzCore	-[CALayer layoutSublayers]
5	0x1adb4970	TiUILabel	Release	2	00:42.390.437	0	UIKit	-[UIView(Hierarchy) removeFromSuperview]
6	0x1adb4970	TiUILabel	Release	1	00:42.391.407	0	MyBigApp	__TiThreadReleaseOnMainThread_block_invoke
7	0x1adb4970	TiUILabel	Release	0	00:42.391.445	0	MyBigApp	__TiThreadReleaseOnMainThread_block_invoke
8	0x1adb4970	TiUILabel	Zombie	-1	00:42.394.547	0	MyBigApp	-[TiViewProxy layoutChildrenIfNeeded]
Looks like a race condition to me. The really curious thing is, how can [self viewAttached] at the start of layoutChildrenIfNeeded pass if it has been destroyed? ---- Anyway I found a way to workaround this issue by modifying the resulting application directly on XCode: modify the line with view.hidden at Classes/API/TiViewProxy.m line ~2272 into: 
if (!self.parentVisible || view.hidden)
{
  ...
}
But we don't want to work on non-vanilla versions of Titanium.

Comments

  1. Daniel Sefton 2013-07-29

    Hi Pier, So that I can escalate it to engineering, we need a reproducible test case. Please can you provide one? Also, in which file did you make that change? Thanks!
  2. Pier Paolo Ramon 2013-07-30

    The strange fact is that I can always reproduce the crash on our complex application, but I cannot isolate the pattern which is causing this. I can technically give you a fully reproducible case (even if it's not a isolated one) by giving you the entire app we're working on. As you can understand, this issue is biting us *a lot* but I cannot give away our code so freely. Let me know if I can somehow get in touch with someone from engineering and do a remote-human-debug thing. The change is in Classes/API/TiViewProxy.m line ~2272 (at the file for SDK 3.1.1).
  3. Pier Paolo Ramon 2013-08-01

    Me (and my company) will be on holiday until the 20th of August. Please, don't think the absence of feedback from us means we're not able to reproduce the issue. As an additional information (which lead us to think it's a race-condition like issue) is that on 1st generation iPad this issue happens *a lot* (I mean, *a LOT*) more often.
  4. Ingo Muschenetz 2013-08-01

    [~yuchi] Can we please get a crash log and any sort of test case you can provide? You could also send us a copy of your code privately.
  5. Sabil Rahim 2013-08-07

    This definitely looks like race condition. But we would want a proper test case to exactly figure out what is leading to this behavior.
  6. Pier Paolo Ramon 2013-08-23

    [~ingo], [~srahim], ok, here we are again. We definitely choose to send you the full source code of a demo version of our App, including a small change to automate the necessary steps to reproduce the issue. Just tell us how can we send you the thing privately. Thank you for your support!
  7. Ingo Muschenetz 2013-08-23

    [yuchi] I would suggest emailing us a link to a dropbox or other account. My email is ingo [at] appcelerator
  8. Pier Paolo Ramon 2013-08-23

    [~ingo], I sent the email. I'll do all I can to help you through this.
  9. Pedro Enrique 2013-10-30

    Tested this with CI build 3.1.X and master and cannot reproduce. This seems to have been fixed by another bug sometime the past. Please test it with the master build from CI. http://builds.appcelerator.com.s3.amazonaws.com/index.html#master Closing ticket and marking as "Cannot Reproduce"
  10. Pier Paolo Ramon 2013-11-07

    I tested it last week on 3.1.3 on iOS 7 and the crash still happens.
  11. Lee Morris 2017-03-31

    Closing ticket as I am unable to reproduce the issue using the following environment; iPhone 7 (10.2) MacOS 10.11.6 (15G31) Studio 4.8.1.201612050850 Ti SDK 6.0.3 GA Appc NPM 4.2.8 Appc CLI 6.1.0 Ti CLI 5.0.11 Alloy 1.9.5 Arrow 1.10.1 Xcode 8.2 (8C38) Node v4.6.0 Java 1.7.0_80

JSON Source