Titanium JIRA Archive
Titanium SDK/CLI (TIMOB)

[TIMOB-23745] Android: Crash using Math.random

GitHub Issue: n/a
Type: Bug
Priority: Critical
Status: Closed
Resolution: Fixed
Resolution Date: 2016-08-10T13:09:04.000+0000
Affected Version/s: Release 6.0.0
Fix Version/s: Release 6.0.0
Components: Android
Labels: n/a
Reporter: Martin Guillon
Assignee: Christopher Williams
Created: 2016-08-08T18:21:43.000+0000
Updated: 2016-08-23T22:25:07.000+0000

Description

Trying to execute Math.random() in JS code will crash the app:
    console.log(Math.random());
    08-06 17:15:14.558: A/DEBUG(197):     #01 pc 0072d450  /data/app/akylas.alpi.maps-1/lib/arm/libkroll-v8.so (v8::internal::JSArrayBuffer::SetupAllocatingData(v8::internal::Handle<v8::internal::JSArrayBuffer>, v8::internal::Isolate*, unsigned int, bool, v8::internal::SharedFlag)+64)
    08-06 17:15:14.559: A/DEBUG(197):     #02 pc 008362b4  /data/app/akylas.alpi.maps-1/lib/arm/libkroll-v8.so (v8::internal::Runtime_GenerateRandomNumbers(int, v8::internal::Object**, v8::internal::Isolate*)+996)
    08-06 17:15:14.559: A/DEBUG(197):     #03 pc 00000098  <unknown>

Comments

  1. Christopher Williams 2016-08-08

    [~farfromrefuge] Do you have a sample to reproduce this? Is it just simply calling Math.random()?
  2. Christopher Williams 2016-08-08

    Just calling Math.random().toString() I get:
       08-08 14:55:40.178 1189-1189/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
       08-08 14:55:40.178 1189-1189/? A/DEBUG: Build fingerprint: 'Android/sdk_google_phone_x86_64/generic_x86_64:6.0/MASTER/2872745:userdebug/test-keys'
       08-08 14:55:40.178 1189-1189/? A/DEBUG: Revision: '0'
       08-08 14:55:40.178 1189-1189/? A/DEBUG: ABI: 'x86'
       08-08 14:55:40.178 1189-1189/? A/DEBUG: pid: 2715, tid: 2715, name: dsg.sdfg  >>> dsg.sdfg <<<
       08-08 14:55:40.178 1189-1189/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4ac
       08-08 14:55:40.182 1189-1189/? A/DEBUG:     eax ff869fa0  ebx e3b3ad60  ecx ff869650  edx 12ce3000
       08-08 14:55:40.182 1189-1189/? A/DEBUG:     esi 00000200  edi eb3b5000
       08-08 14:55:40.182 1189-1189/? A/DEBUG:     xcs 00000023  xds 0000002b  xes 0000002b  xfs 00000007  xss 0000002b
       08-08 14:55:40.182 1189-1189/? A/DEBUG:     eip 000004ac  ebp ff8696e0  esp ff86958c  flags 00210202
       08-08 14:55:40.192 1189-1189/? A/DEBUG: backtrace:
       08-08 14:55:40.192 1189-1189/? A/DEBUG:     #00 pc 000004ac  <unknown>
       08-08 14:55:40.192 1189-1189/? A/DEBUG:     #01 pc 0006c2d0  <unknown>
       08-08 14:55:40.192 1189-1189/? A/DEBUG:     #02 pc 0006ac8c  <unknown>
       08-08 14:55:40.193 1189-1189/? A/DEBUG:     #03 pc 0001533d  <unknown>
       08-08 14:55:40.193 1189-1189/? A/DEBUG:     #04 pc 000112a2  <unknown>
       08-08 14:55:40.193 1189-1189/? A/DEBUG:     #05 pc 007ab4dc  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so
       08-08 14:55:40.193 1189-1189/? A/DEBUG:     #06 pc 007ab7e8  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so (v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*)+120)
       08-08 14:55:40.193 1189-1189/? A/DEBUG:     #07 pc 004e19ae  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so (v8::Script::Run(v8::Local<v8::Context>)+382)
       08-08 14:55:40.193 1189-1189/? A/DEBUG:     #08 pc 004e1cb9  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so (v8::Script::Run()+73)
       08-08 14:55:40.193 1189-1189/? A/DEBUG:     #09 pc 002d0af6  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so (void titanium::WrappedScript::EvalMachine<(titanium::WrappedScript::EvalInputFlags)0, (titanium::WrappedScript::EvalContextFlags)0, (titanium::WrappedScript::EvalOutputFlags)0>(v8::FunctionCallbackInfo<v8::Value> const&)+262)
       08-08 14:55:40.193 1189-1189/? A/DEBUG:     #10 pc 002d0c6b  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so (titanium::WrappedScript::CompileRunInThisContext(v8::FunctionCallbackInfo<v8::Value> const&)+27)
       08-08 14:55:40.193 1189-1189/? A/DEBUG:     #11 pc 004e9f94  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so (v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&))+148)
       08-08 14:55:40.193 1189-1189/? A/DEBUG:     #12 pc 00548dbb  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so
       08-08 14:55:40.193 1189-1189/? A/DEBUG:     #13 pc 005495cc  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so
       08-08 14:55:40.197 1189-1189/? A/DEBUG:     #14 pc 0000007d  <unknown>
       08-08 14:55:40.198 1189-1189/? A/DEBUG:     #15 pc 0006a51e  <unknown>
       08-08 14:55:40.198 1189-1189/? A/DEBUG:     #16 pc 000681d2  <unknown>
       08-08 14:55:40.198 1189-1189/? A/DEBUG:     #17 pc 000666d6  <unknown>
       08-08 14:55:40.198 1189-1189/? A/DEBUG:     #18 pc 0001533d  <unknown>
       08-08 14:55:40.198 1189-1189/? A/DEBUG:     #19 pc 000112a2  <unknown>
       08-08 14:55:40.199 1189-1189/? A/DEBUG:     #20 pc 007ab4dc  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so
       08-08 14:55:40.199 1189-1189/? A/DEBUG:     #21 pc 007ab7e8  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so (v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*)+120)
       08-08 14:55:40.199 1189-1189/? A/DEBUG:     #22 pc 004dfd43  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so (v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*)+323)
       08-08 14:55:40.199 1189-1189/? A/DEBUG:     #23 pc 002cab95  /data/app/dsg.sdfg-2/lib/x86/libkroll-v8.so (Java_org_appcelerator_kroll_runtime_v8_V8Runtime_nativeRunModule+389)
       08-08 14:55:40.199 1189-1189/? A/DEBUG:     #24 pc 007e5ca0  /data/app/dsg.sdfg-2/oat/x86/base.odex (offset 0x4f6000)
       
  3. Christopher Williams 2016-08-08

    After using debug libraries, the ultimate crash is coming inside v8 itself when it calls JSArrayBuffer::SetupAllocatingData as Martin showed above. That method pretty much just deals with the array buffer allocator, which is something we create and set on the Isolate in V8Runtime. Looks like my copy-paste coding of that small impl must not behave properly on Android? My guess is that it's crashing on the Allocate(length) call, presumably when either realloc or memset is called. I'm going to try and just have Allocate always use calloc().
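    The embedder-supplied allocator contract that the comment above is talking about, as an added illustration that is not Titanium's V8Runtime code and not the contents of the linked PR: V8 calls the Isolate's ArrayBuffer allocator from JSArrayBuffer::SetupAllocatingData, and Allocate(length) is expected to hand back a zero-filled block (or NULL on failure) that Free() later accepts. The base class below is an assumed stand-in that mirrors the shape of v8::ArrayBuffer::Allocator so the file builds without V8 headers; CallocArrayBufferAllocator and the check functions are hypothetical names, and the size list is constructed for the example.

```cpp
// Added example (not Titanium code): a zero-initialising ArrayBuffer allocator
// of the kind an embedder sets on a V8 Isolate, plus a contract check.
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <cstdio>

// Assumed stand-in for v8::ArrayBuffer::Allocator (real one is in v8.h).
class ArrayBufferAllocatorInterface {
public:
  virtual ~ArrayBufferAllocatorInterface() {}
  // Must return |length| bytes that are all zero, or NULL on failure.
  virtual void* Allocate(size_t length) = 0;
  // Contents unspecified; V8 fills the block itself.
  virtual void* AllocateUninitialized(size_t length) = 0;
  // Receives exactly the pointer/length pair an Allocate call produced.
  virtual void Free(void* data, size_t length) = 0;
};

// Hypothetical allocator that meets the contract with plain libc calls:
// calloc allocates and zeroes in one step, so there is no separate
// realloc/memset sequence that could be handed a NULL or mis-sized block.
class CallocArrayBufferAllocator : public ArrayBufferAllocatorInterface {
public:
  void* Allocate(size_t length) override {
    // Defensive choice for this example: never ask libc for 0 bytes, since
    // calloc(0, ...) may legally return NULL, which V8 treats as failure.
    return calloc(length == 0 ? 1 : length, 1);
  }
  void* AllocateUninitialized(size_t length) override {
    return malloc(length == 0 ? 1 : length);
  }
  void Free(void* data, size_t) override {
    free(data);
  }
};

// Contract check: Allocate(length) must return a block whose |length| bytes
// are all zero and that is writable for the full length. True if it behaves.
bool AllocatorReturnsZeroedBlock(ArrayBufferAllocatorInterface& alloc, size_t length) {
  unsigned char* p = static_cast<unsigned char*>(alloc.Allocate(length));
  if (p == NULL) return false;
  bool zeroed = true;
  for (size_t i = 0; i < length; ++i) {
    if (p[i] != 0) { zeroed = false; break; }
  }
  memset(p, 0xAB, length);  // would fault if the block were shorter than claimed
  alloc.Free(p, length);
  return zeroed;
}

// Run the check over a constructed set of sizes, from the empty buffer up
// to a 1 MiB block.
bool AllocatorPassesBasicChecks(ArrayBufferAllocatorInterface& alloc) {
  const size_t sizes[] = {0, 1, 8, 512, 4096, 1u << 20};
  for (size_t s : sizes) {
    if (!AllocatorReturnsZeroedBlock(alloc, s)) return false;
  }
  return true;
}

// Convenience entry point exercising the calloc-backed allocator.
bool DefaultAllocatorPassesChecks() {
  CallocArrayBufferAllocator alloc;
  return AllocatorPassesBasicChecks(alloc);
}

int main() {
  printf("allocator contract: %s\n", DefaultAllocatorPassesChecks() ? "ok" : "FAILED");
  return 0;
}
```

    Dropping a replacement allocator into the check before wiring it to the Isolate is the cheap way to catch a zeroing or length bug in native code before it surfaces as a SIGSEGV deep inside a V8 runtime function, as in the traces above.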
  4. Christopher Williams 2016-08-08

    https://github.com/appcelerator/titanium_mobile/pull/8196
  5. Christopher Williams 2016-08-08

    Once the PR is confirmed/merged, it needs to be cherry-picked to master branch.
  6. Lokesh Choudhary 2016-08-23

    Verified the fix. Math.random() does not cause the crash. Closing.
    Environment:
      Appc Studio : 4.7.1.201608190732
      Ti SDK : 6.0.0.v20160822133504
      Ti CLI : 5.0.9
      Alloy : 1.9.1
      MAC El Capitan : 10.11.6
      Appc NPM : 4.2.7
      Appc CLI : 6.0.0-26
      Node: 4.4.4
      Nexus 6 - Android 6.0.1
