[TIMOB-19903] Android: Fix crash due to GC of UI native proxies in hyperloop
| GitHub Issue | n/a |
|---|---|
| Type | Bug |
| Priority | Critical |
| Status | Closed |
| Resolution | Fixed |
| Resolution Date | 2015-11-24T20:22:46.000+0000 |
| Affected Version/s | n/a |
| Fix Version/s | Release 5.4.0 |
| Components | Android, Hyperloop |
| Labels | n/a |
| Reporter | Christopher Williams |
| Assignee | Christopher Williams |
| Created | 2015-11-10T14:49:39.000+0000 |
| Updated | 2016-07-28T22:20:56.000+0000 |
Description
If we generate a native UI proxy (say an android.view.View) and add it to a Titanium UI, we see crashes when the UI is GCed. This can bee easily seen in the hyperloop-examples repo. Once we go to an example where we generate a native view and add it to the UI from Titanium (like say Animate View example) and then go back to the main listing - causing a GC of the elements in that view, we see a crash of the app.
Finally managed to get a run with a debug build of the SDk so I can get real info:
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** Build fingerprint: 'generic_x86_64/sdk_google_phone_x86_64/generic_x86_64:6.0/MASTER/2401146:eng/test-keys' Revision: '0' ABI: 'x86' pid: 2750, tid: 2750, name: ample.hyperloop >>> com.appcelerator.sample.hyperloop <<< signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr -------- Abort message: 'src/native/NativeObject.h:36: virtual titanium::NativeObject::~NativeObject(): assertion "handle_.IsNearDeath()" failed' eax 00000000 ebx 00000abe ecx 00000abe edx 00000006 esi f776dc50 edi 0000000b xcs 00000023 xds 0000002b xes 0000002b xfs 00000007 xss 0000002b eip f7338e06 ebp 00000abe esp ff9c6ab0 flags 00200206 backtrace: #00 pc 00085e06 /system/lib/libc.so (tgkill+22) #01 pc 00082468 /system/lib/libc.so (pthread_kill+70) #02 pc 000280a5 /system/lib/libc.so (raise+36) #03 pc 0002187d /system/lib/libc.so (abort+80) #04 pc 000255e1 /system/lib/libc.so (__libc_fatal+32) #05 pc 000219fc /system/lib/libc.so (__assert2+60) #06 pc 0008e1e3 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::NativeObject::~NativeObject()+117) #07 pc 0008e675 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::EventEmitter::~EventEmitter()+43) #08 pc 00090f74 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::JavaObject::~JavaObject()+74) #09 pc 0009c689 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::Proxy::~Proxy()+43) #10 pc 0009c6c3 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::Proxy::~Proxy()+29) #11 pc 000a3b0e /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (Java_org_appcelerator_kroll_runtime_v8_V8Object_nativeRelease+165) #12 pc 01187c76 /data/app/com.appcelerator.sample.hyperloop-1/oat/x86/base.odex (offset 0xce3000) stack: ff9c6a70 00000010 ff9c6a74 ff9c6b40 [stack] ff9c6a78 00000010 ff9c6a7c 00000000 ff9c6a80 f7335390 /system/lib/libc.so (pthread_getspecific+7) ff9c6a84 00000000 ff9c6a88 00570000 ff9c6a8c f73ac71c /system/lib/libc.so ff9c6a90 f776dc00 /system/bin/linker ff9c6a94 f73b2c90 ff9c6a98 ff9c6bb8 [stack] ff9c6a9c f7335101 /system/lib/libc.so (__pthread_internal_find(long)+65) ff9c6aa0 f73b2c90 ff9c6aa4 ff9c6ab0 [stack] ff9c6aa8 ff9c6ab8 [stack] ff9c6aac 00000008 #00 ff9c6ab0 00000006 ff9c6ab4 00000002 ff9c6ab8 f73ac71c /system/lib/libc.so ff9c6abc f7335469 /system/lib/libc.so (pthread_kill+71) #01 ff9c6ac0 00000abe ff9c6ac4 00000abe ff9c6ac8 00000006 ff9c6acc f77723a9 /system/bin/app_process32 (sigprocmask+141) ff9c6ad0 00000002 ff9c6ad4 ff9c6aec [stack] ff9c6ad8 00000000 ff9c6adc f73ac71c /system/lib/libc.so ff9c6ae0 ff9c6b2c [stack] ff9c6ae4 12dd5040 /dev/ashmem/dalvik-main space (deleted) ff9c6ae8 ff9c6bb8 [stack] ff9c6aec f72db0a6 /system/lib/libc.so (raise+37) #02 ff9c6af0 f776dc00 /system/bin/linker ff9c6af4 00000006 ff9c6af8 ff9c6b78 [stack] ff9c6afc f73ac71c /system/lib/libc.so ff9c6b00 ff9c6b2c [stack] ff9c6b04 f73ac71c /system/lib/libc.so ff9c6b08 ff9c6b2c [stack] ff9c6b0c f72d487e /system/lib/libc.so (abort+81) #03 ff9c6b10 00000006 ff9c6b14 ff9c6b2c [stack] ff9c6b18 00000000 ff9c6b1c 00000009 ff9c6b20 f7335390 /system/lib/libc.so (pthread_getspecific+7) ff9c6b24 e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6b28 1308f1c0 /dev/ashmem/dalvik-main space (deleted) ff9c6b2c ffffffdf ff9c6b30 80000016 ff9c6b34 ff9c6b68 [stack] ff9c6b38 00000000 ff9c6b3c f73ac71c /system/lib/libc.so ff9c6b40 f73ac71c /system/lib/libc.so ff9c6b44 1308f1c0 /dev/ashmem/dalvik-main space (deleted) ff9c6b48 12dd5040 /dev/ashmem/dalvik-main space (deleted) ff9c6b4c f72d85e2 /system/lib/libc.so (__fortify_chk_fail) #04 ff9c6b50 ebaa7930 [anon:libc_malloc] ff9c6b54 0010050a ff9c6b58 f73ac71c /system/lib/libc.so ff9c6b5c f72d49fd /system/lib/libc.so (atof) #05 ff9c6b60 f7383094 /system/lib/libc.so ff9c6b64 e144b876 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6b68 00000024 ff9c6b6c e144ba60 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6b70 e144b860 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6b74 e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6b78 ff9c6ba8 [stack] ff9c6b7c e0f09d8d /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::ReferenceTable::destroyReference(int)+69) ff9c6b80 f4019ae0 [anon:libc_malloc] ff9c6b84 e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6b88 e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6b8c e0ef91e4 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::NativeObject::~NativeObject()+118) #06 ff9c6b90 e144b876 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6b94 00000024 ff9c6b98 e144ba60 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6b9c e144b860 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6ba0 80000016 ff9c6ba4 e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6ba8 ff9c6bd8 [stack] ff9c6bac e0efbf19 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::JavaObject::deleteGlobalRef()+121) ff9c6bb0 0000004f ff9c6bb4 e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6bb8 ff9c6bd8 [stack] ff9c6bbc e0ef9676 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::EventEmitter::~EventEmitter()+44) #07 ff9c6bc0 e01bd860 [anon:libc_malloc] ff9c6bc4 e01bd860 [anon:libc_malloc] ff9c6bc8 ff9c6be8 [stack] ff9c6bcc f4019ae0 [anon:libc_malloc] ff9c6bd0 e01bd860 [anon:libc_malloc] ff9c6bd4 e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6bd8 ff9c6bf8 [stack] ff9c6bdc e0efbf75 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::JavaObject::~JavaObject()+75) #08 ff9c6be0 e01bd860 [anon:libc_malloc] ff9c6be4 e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6be8 ff9c6c18 [stack] ff9c6bec e0f051f2 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (v8::Object::GetPointerFromInternalField(int)+94) ff9c6bf0 e01bd860 [anon:libc_malloc] ff9c6bf4 e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6bf8 ff9c6c18 [stack] ff9c6bfc e0f0768a /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::Proxy::~Proxy()+44) #09 ff9c6c00 e01bd860 [anon:libc_malloc] ff9c6c04 5cf1a4f5 ff9c6c08 0000000c ff9c6c0c e01bd860 [anon:libc_malloc] ff9c6c10 80000016 ff9c6c14 e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6c18 ff9c6c38 [stack] ff9c6c1c e0f076c4 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (titanium::Proxy::~Proxy()+30) #10 ff9c6c20 e01bd860 [anon:libc_malloc] ff9c6c24 00000000 ff9c6c28 f3f85070 [anon:libc_malloc] ff9c6c2c e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6c30 1308f1c0 /dev/ashmem/dalvik-main space (deleted) ff9c6c34 e159cdd0 /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so ff9c6c38 ff9c6c78 [stack] ff9c6c3c e0f0eb0f /data/app/com.appcelerator.sample.hyperloop-1/lib/x86/libkroll-v8.so (Java_org_appcelerator_kroll_runtime_v8_V8Object_nativeRelease+166) #11 ff9c6c40 e01bd860 [anon:libc_malloc] ff9c6c44 ebaa7930 [anon:libc_malloc] ff9c6c48 ebaa7930 [anon:libc_malloc] ff9c6c4c ffffffff ff9c6c50 00000000 ff9c6c54 00000000 ff9c6c58 ebaa7930 [anon:libc_malloc] ff9c6c5c e01bd860 [anon:libc_malloc] ff9c6c60 f3262000 [anon:libc_malloc] ff9c6c64 00000000 ff9c6c68 00000000 ff9c6c6c ffffff00 ff9c6c70 ffffffff ff9c6c74 1308f1c0 /dev/ashmem/dalvik-main space (deleted) ff9c6c78 1308f1c0 /dev/ashmem/dalvik-main space (deleted) ff9c6c7c e3b95c77 /data/app/com.appcelerator.sample.hyperloop-1/oat/x86/base.odex #12 ff9c6c80 f4019ae0 [anon:libc_malloc] ff9c6c84 ff9c6cac [stack] ff9c6c88 ebaa7930 [anon:libc_malloc] ff9c6c8c ffffffff ff9c6c90 f4034500 [anon:libc_malloc] ff9c6c94 12c77580 /dev/ashmem/dalvik-main space (deleted) ff9c6c98 73587bc0 /data/dalvik-cache/x86/system@framework@boot.oat ff9c6c9c f3955d6a /system/lib/libart.so (art::JniMethodEnd(unsigned int, art::Thread*)+15) ff9c6ca0 f0e55460 /dev/ashmem/dalvik-LinearAlloc (deleted) ff9c6ca4 ff9c7004 [stack] ff9c6ca8 00000001 ff9c6cac 12db4e00 /dev/ashmem/dalvik-main space (deleted) ff9c6cb0 00000006 ff9c6cb4 f4034500 [anon:libc_malloc] ff9c6cb8 00000000 ff9c6cbc 00000000Ok, so after a lot of looking at this, I finally nailed the crashes to coming from trying to release an ActivityProxy when we close a Window:
Here's what I think is happening: Our native hyperloop UI views are getting passed in a wrapped version of the current activity. We're not fully cleaning up all of our hyperloop proxies when the window closes - we're just getting the one call to release the views of the top-level ViewGroup we've added into our Ti.UI.View hierarchy. That HyperloopView is blissfully unaware of how to handle releasing all the children. We need to implement some system specifically for UI elements where we track children of a View and release the hyperloop proxies that correspond to all of them.Ok, so it _does_ look like we have some sort of memory leak regarding the view hierarchy, so that needs to be fixed _but_ that's not the cause of the crash. I can reliably reproduce with a simple example that _doesn't_ use hyperloop and only happens when running on main thread:
// Window 1 var win1 = Ti.UI.createWindow(); var view1 = Ti.UI.createView(); var label1 = Ti.UI.createLabel({ text: "Label 1" }); var button1 = Ti.UI.createButton({ title: "Open another Window" }); // Window 2 var win2 = Ti.UI.createWindow(); var view2 = Ti.UI.createView(); var label2 = Ti.UI.createLabel({ text: "Label 2" }); var button2 = Ti.UI.createButton({ title: "Close this window" }); view1.add(label1); view1.add(button1); win1.add(view1); win1.open(); view2.add(label2); view2.add(button2); win2.add(view2); button2.addEventListener('click', function() { win2.close(); }); button1.addEventListener('click', function() { win2.open(); }); win1.open();https://github.com/appcelerator/titanium_mobile/pull/7448
Verified the fix. Verified using the hyperloop sample app & the code above & running on main thread. No crash seen. Closing. Environment: Appc Studio : 4.7.0.201607111053 Ti SDK : 5.4.0.v20160727143921 Ti CLI : 5.0.9 Alloy : 1.9.1 MAC El Capitan : 10.11.5 Appc NPM : 4.2.8-1 Appc CLI : 5.4.0-34 Node: 4.4.4 Nexus 5X - Android 6.0.1