phoboslab / javascriptcore-ios Goto Github PK

Hi folks,

Wondering if anyone has experienced crashes on llint_op_call_varargs for certain JS sources. It happens only when running on a device (ARM arch) and not on a simulator.

Here's where it crashes:

ios`llint_op_call_varargs:
0x29beb4:  mov    r0, r7
0x29beb6:  mov    r1, r8
0x29beb8:  bl     0x295960                  ; llint_slow_path_size_and_alloc_frame_for_varargs
0x29bebc:  mov    r8, r0
0x29bebe:  mov    r7, r1
0x29bec0:  ldr    r4, [r7, #0x10]
0x29bec2:  movw   r12, #0x0
0x29bec6:  movt   r12, #0xffff
0x29beca:  ands.w r4, r4, r12
0x29bece:  ldr.w  r4, [r4, #1076]
0x29bed2:  movw   r12, #0x5f28
0x29bed6:  add    r12, r4
0x29bed8:  mvn    r10, #0x5
0x29bedc:  ldr.w  r11, [r12]
0x29bee0:  cmp    r11, r10
0x29bee2:  beq    0x29bee8                  ; llint_op_call_varargs + 52
0x29bee4:  b.w    0x29ab12                  ; llint_throw_from_slow_path_trampoline
0x29bee8:  str.w  r8, [r7, #36]
0x29beec:  mov    r0, r7
0x29beee:  mov    r1, r8
0x29bef0:  bl     0x2959e8                  ; llint_slow_path_call_varargs
0x29bef4:  mov    r7, r1
0x29bef6:  blx    r0
0x29bef8:  ldr.w  r8, [r7, #36]        ; <--------------- Thread 1: EXC_BAD_ACCESS (code=1, address=0x24)
0x29befc:  ldr.w  r2, [r8, #4]
0x29bf00:  add.w  r10, r7, r2, lsl #3
0x29bf04:  str.w  r1, [r10, #4]
0x29bf08:  str.w  r0, [r7, r2, lsl #3]
0x29bf0c:  ldr.w  r4, [r8, #28]
0x29bf10:  str    r1, [r4, #0x10]
0x29bf12:  str    r0, [r4, #0xc]
0x29bf14:  adds.w r8, r8, #0x20
0x29bf18:  ldr.w  r10, [r8]
0x29bf1c:  mov    pc, r10

The JS code is rather long and I can't really share it, since it's not yet in the public domain, but so far I've been able to find two potential causes for the issue:

• At some point we had too many methods attached to an object. When we inlined some of the private methods and thus made the method count lower, it stopped crashing there. This no longer seems to help (or I can't really find the object which has too many methods attached to it).
• Uglifying the code sometimes helps, sometimes doesn't.

I'm wondering if anyone has run into this issue or if they have any idea how this could be resolved.

Thanks a lot!

I was wondering if it was possible to compile with with WebGL support ?

@phoboslab Thanks for answering!!

And how can I enumerate a JSExport object?

See putNonEnumerable

Running on osx with latest xcode. Other times this issue has been seen online it has been mentioned as a 7.1 issue.

$ python make.py
xcodebuild: error: SDK "iphoneos7.0" cannot be located.
Traceback (most recent call last):
  File "make.py", line 60, in <module>
    outdir = build(args.out, args.derived_data)
  File "make.py", line 30, in build
    jsc.build()
  File "/Users/ben/code/JavaScriptCore-iOS/xcodebuild.py", line 145, in build
    self.devicebuildarm64.build()
  File "/Users/ben/code/JavaScriptCore-iOS/xcodebuild.py", line 97, in build
    self._xcodebuild("build")
  File "/Users/ben/code/JavaScriptCore-iOS/xcodebuild.py", line 81, in _xcodebuild
    self.project)
xcodebuild.PebbleXcodeBuildException: Build failed. xcodebuild exitedwith non-zero return code (None)

I think the version of JavaScriptCore has an incomplete implementation for arm64. Running into all kinds of missing pieces when compiling with ARCHS=arm64.

Is there an easy way to pull the source in from a newer version?
What files should be kept?

I have successfully compiled the latest from master branch. My device gives me an error that 'timeout occurred' during the installation.

any idea?

Hi,
With debugger enabled on arm64 build, isSafeToRecurse returns false for specific callFrames. curr pointer is less than limit. I don't know if it's a known issue, or i break something. It works great on armv7.

I want to stop evaluate script when running JSEvaluateScript function,
How can I do this?

"_OBJC_CLASS_$_JSContext", referenced from:

I look at the JSContext.h file there are defined.

How to use the jsc-ios for a project, have it any usage document?

I notice that the typed arrays branch is quite a bit ahead of master . Is this intentional ?

Hi — this isn't really an 'issue', but I was hoping I could pick your brain on a couple of things?

1. ICU (and App Store in general).
   I am slightly confused about your comment in the readme regarding Apple's rejection on the basis of ICU being a private framework; not because they said that (which doesn't surprise me in the least) but for the fact that this seems to imply this is AppStore-approvable otherwise. With regard to ICU, I would think this would be one of the easier issues to work around... one could roll one's own icu4c and link it in statically, or no? But I was under the impression that something like this would get rejected out of hand for a couple of other reasons. First, I thought it was Apple's policy to reject all JavaScript engines except their own (i.e., iOS chromium-based browsers must use JavaScriptCore rather than V8, etc.). Is this not this not the case here? Or is it allowable because it is (a variant of) JavaScriptCore? Second, I thought Apple rejected anything which JIT's its own code. Is JIT disabled here? Or is it allowed, maybe for the same reason as above BTW, I know this project is 'JavaScriptCore-iOS' (and your focus in general is iOS), but if this is indeed allowable in the App Store there, I think this project might be equally relevant in the Mac App Store as well, where I believe the same rules (to some extent at least) are applied...
2. jsc.
   I was hugely disappointed to see that this did not make its way into the version of jsc that ships with 10.9. Is it your sense that this maybe just 'missed the deadline', or was it deliberately left out?
3. I was wondering if by chance you have (or know of) a script or a makefile for building a standalone (statically linked) jsc executable on Darwin, (without using Xcode)?
   This project (JavaScriptCore-iOS, I mean) helps considerably to that end; but it would be really great to be able to do this in a platform-independant Xcode-independant manner, i.e., so that one could compile with one's own clang/LLVM and link in the same libraries as those used in the build toolchain. IMO, it is exceedingly cumbersome/difficult (and confusing to someone not familiar with the WebKit codebase) to compile a standalone jsc from the WebKit trunk since both the autotools scripts and CMakeLists don't target Darwin, and the Xcode projects don't really like to produce anything but system frameworks. I actually tried hacking on this for a while, but gave up... ended up writing this ridiculous script to forcibly extract and bundle up jsc from the nightlies instead...

Thanks!
~G

I'd like to investigate what it would take to use an iOS-8 version of WebKit, in particular what seems to be the version shipping with iOS 8 and 8.1, https://trac.webkit.org/browser/tags/Safari-600.1.4

What would be involved in making that update? We'd be interested in helping with that effort.

When compiling the release version of WTF iOS for iPhone 6.0 Simulator, I get errors in FastMalloc.cpp. Any idea how to fix the errors?

.../XCode Projects/JavaScriptCore-iOS/WTF/wtf/FastMalloc.cpp:2477:8: error: private field 'pad_' is not used [-Werror,-Wunused-private-field]
char pad_[(64 - (sizeof(TCMalloc_Central_FreeList) % 64)) % 64];

.../XCode Projects/JavaScriptCore-iOS/WTF/wtf/FastMalloc.cpp:4544:31: error: private field 'm_reader' is not used [-Werror,-Wunused-private-field]
const RemoteMemoryReader& m_reader;

This is not precisely a bug report but something to wonder about.

I have been experimenting with hijacking the UIWebView's JS context and working in that using the JSC APIs, as described here: http://stackoverflow.com/questions/19664206/access-the-javascriptcore-engine-of-a-uiwebview
Now, this approach works perfectly if I use the built-in JavaScriptCore framework -- the problem is that the typed array functions are not exposed there, which is a showstopper in my project. So I compiled your fork and tried doing the same but it crashes on any object-creation API (JSTypedArrayMake(), among others) with EXC_BAD_ACCESS, either in a Heap::didAllocate or some thread locking code. Needless to say, it works flawlessly in a manually created context.

I should mention that I was able to reproduce a similar crash when running the test against a manually compiled JSC from the original WebKit repo.

Have you perhaps run into this issue and/or know what the reason is?

   The following build commands failed:
    CompileC    /var/folders/bq/wl3n3w1120bgbpw6j_xvd62r0000gn/T/tmpdcsNcY/Build/Intermediates/WTF.build/Production-iphonesimulator/WTF\ iOS.build/Objects-normal/i386/Assertions.o wtf/Assertions.cpp normal i386 c++ com.apple.compilers.llvm.clang.1_0.compiler
       (1 failure)
     Traceback (most recent call last):
     File "make.py", line 60, in <module>
       outdir = build(args.out, args.derived_data)
      File "make.py", line 30, in build
       jsc.build()
       File "/Users/passol/Documents/gitcopy/JavaScriptCore-iOS/xcodebuild.py", line 147, in build
       self.simulatorbuild.build()
       File "/Users/passol/Documents/gitcopy/JavaScriptCore-iOS/xcodebuild.py", line 97, in build
      self._xcodebuild("build")
      File "/Users/passol/Documents/gitcopy/JavaScriptCore-iOS/xcodebuild.py", line 81, in _xcodebuild
      self.project)
   xcodebuild.PebbleXcodeBuildException: Build failed. xcodebuild exitedwith non-zero return code (None)

always build failed when compile simulator

is there any compiled version for simulator, amrv7 and armv7s?

For some reason the 'instanceof' operator does not work for typed arrays. For example:

(new Uint8Array()) instanceof Uint8Array

returns false.

Could it run in Apple Watch?

Hi,

I'm fiddling around with the code and I'm trying to enable the new Objective-C API in the build. As far as I can tell, I need to set JSC_OBJC_API_ENABLED=1 in JavaScriptCore-iOS-Static.xcconfig and replace usages of the NSMapTable C API to their Objective-C equivalents.

However, I noticed that the code relies on private stuff like _Block_has_signature and _protocol_getMethodTypeEncoding. Do you think it'd be safe to build JavaScriptCore with the Objective-C enabled, App Store-wise?

Also, thanks for making your efforts public.

Is there a chance you can refresh this project with a newer version from webkit? I'm running into two WTFCrashes, both of which have been addressed in newer version branches. Thanks so much for making this project happen! I've been using this for the last two years!!

Hi,

I am developing a project for ios. I wanted to ask if the project is still alive.

Thank you.

Currently the final framework generated by make.py creates a fat static library with armv7,armv7s, arm64, and i386 (simulator).

It would be nice to have x86_64 added for use in the 64 bit iPhone Simulator.

Hi @phoboslab ,
Do you have the plan for 64bit JSC ?
Thanks

One place is Library Search Path of the JavaScriptCore project.

Hi!

Now that the webkit shipped with iOS8 supports JIT, can we also use a JIT-enabled version of JavaScriptCore? Do you have an idea if updating jsc to latest will pass Apple review?

I assume another option could be getting a JSContext from WKWebView and working with that (it should be JIT-enabled).

Hello, I ran into a problem using JSTypedArray and was wondering if you could give me some help.

I read through the blog here and figured it out it could not solve my problem, but wondering if you might have ran into the same problem. I used an ArrayBuffer to transfer large amount of data from js to C, but the result is sometimes wrong. When I set a value in js, the underlying memory is untouched. for example

let arr = ... // arr is a Uint8Array
arr[0] = 1;
arr[1] = 2;
arr[2] = 3;
arr[3] = 4;
console.log(arr[0], arr[1], arr[2], arr[3]); // 1 2 3 4
console.log('' + arr); // something other than 1,2,3,4
console.log(arr[0], arr[1], arr[2], arr[3]); // something other than 1 2 3 4

It happens randomly, cannot be reproduced every time. The key is that when I made a native call, such as passing the TypedArray object into a native function, or calling toString of the typed array, the array then acts normally. Even if the native function does nothing with the array (such as JSObjectGetTypedArrayBytesPtr).

I sincerely hope that you could give some guidance about how to avoid this bug, many thanks.

I am able to successfully build JSC library and while trying to use it in my project gives below error

Undefined symbols for architecture armv7:
  "std::__1::__call_once(unsigned long volatile&, void*, void (*)(void*))", referenced from:
      JSC::initializeThreading() in libiOSJavaScriptCore.a(InitializeThreading.o)
      WTF::initializeCompilationThreads() in libiOSJavaScriptCore.a(CompilationThread.o)
  "void std::__1::__sort<std::__1::__less<unsigned long, unsigned long>&, unsigned long*>(unsigned long*, unsigned long*, std::__1::__less<unsigned long, unsigned long>&)", referenced from:
      JSC::DFG::NaturalLoops::compute(JSC::DFG::Graph&) in libiOSJavaScriptCore.a(DFGNaturalLoops.o)
  "void std::__1::__sort<std::__1::__less<unsigned int, unsigned int>&, unsigned int*>(unsigned int*, unsigned int*, std::__1::__less<unsigned int, unsigned int>&)", referenced from:
      JSC::JSObject::getOwnPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode) in libiOSJavaScriptCore.a(JSObject.o)
      JSC::DFG::Graph::dumpBlockHeader(WTF::PrintStream&, char const*, JSC::DFG::BasicBlock*, JSC::DFG::Graph::PhiNodeDumpMode, JSC::DumpContext*) in libiOSJavaScriptCore.a(DFGGraph.o)
      JSC::computePreciseJumpTargets(JSC::CodeBlock*, WTF::Vector<unsigned int, 32ul, WTF::CrashOnOverflow>&) in libiOSJavaScriptCore.a(PreciseJumpTargets.o)
ld: symbol(s) not found for architecture armv7
clang: error: linker command failed with exit code 1 (use -v to see invocation)

I have verified all the required architecture of JSC and my project and it is common. But still while using JSC library I am having above error. Can you please suggest what is problem in above errors?