[SR-8481] Crash in storeEnumTagSinglePayload #51002

Closed
swift-ci opened this issue Aug 7, 2018 · 7 comments

Comments

@swift-ci (Collaborator) commented Aug 7, 2018

Previous ID SR-8481
Radar None
Original Reporter fabb (JIRA User)
Type Bug
Status Resolved
Resolution Duplicate

Attachment: Download

Environment

Swift 4.1.2

Additional Detail from JIRA
Votes 0
Component/s Compiler
Labels Bug, RunTimeCrash, Runtime
Assignee @mikeash
Priority Medium

md5: 257b1885667984f82c4d2cb09ceda5c6

duplicates:

  • SR-7743 JSONDecoder.decode(_:from:) EXC_BAD_ACCESS

relates to:

  • SR-7743 JSONDecoder.decode(_:from:) EXC_BAD_ACCESS

Issue Description:

In production I have quite a few crashes with varying backtraces, but all crashing at this point:

swift::metadataimpl::NonFixedValueWitnesses<swift::metadataimpl::NonFixedOpaqueExistentialBox, true>::storeEnumTagSinglePayload(swift::OpaqueValue*, int, unsigned int, swift::TargetMetadata<swift::InProcess> const*) + 20

I cannot reproduce it locally.
Attached is the code that seems to be affected (it cannot be run by itself). Crashes happen in different UICollectionView delegate/datasource callbacks. All the crashes seem to point to the method WHCollectionViewSectionsModel.sectionModelAtSectionIndex(_ section: Int), even though in different crash reports some of the methods in between do not show up.

Example:

Crashed: com.apple.main-thread
EXC_BAD_ACCESS KERN_INVALID_ADDRESS 0x0000000105174008
specialized WHCollectionViewSectionsModel.dequeueAndConfigureCell(collectionView:indexPath:)
0  libswiftCore.dylib             0x10285e734 swift::metadataimpl::NonFixedValueWitnesses<swift::metadataimpl::NonFixedOpaqueExistentialBox, true>::storeEnumTagSinglePayload(swift::OpaqueValue*, int, unsigned int, swift::TargetMetadata<swift::InProcess> const*) + 20
1  willhaben                      0x1004e2c9c specialized WHCollectionViewSectionsModel.dequeueAndConfigureCell(collectionView:indexPath:) (WHCollectionViewModel.swift:103)
2  willhaben                      0x100376770 @objc CollectionViewFlowLayoutDataSourceAndDelegate.collectionView(_:cellForItemAt:) (CollectionViewFlowLayoutDataSourceAndDelegate.swift)
3  UIKit                          0x19a2e44a8 -[UICollectionView _createPreparedCellForItemAtIndexPath:withLayoutAttributes:applyAttributes:isFocused:notify:] + 448
4  UIKit                          0x199a59b6c -[UICollectionView _updateVisibleCellsNow:] + 3828
5  UIKit                          0x199a545c0 -[UICollectionView layoutSubviews] + 288
@swift-ci (Collaborator, Author) commented Aug 7, 2018

Comment by Fabian Ehrentraud (JIRA)

Maybe the issue somehow stems from the code accessing an array with an element type of two protocols (WHCollectionViewModelInterface & WHCollectionViewSupplementaryModelInterface)? It's just strange that the crash only happens relatively rarely.

@belkadan (Contributor) commented Aug 30, 2018

@jckarter, @slavapestov, do you remember anything like this? Fabian, have you tested with Xcode 10 betas yet?

@jckarter (Member) commented Aug 30, 2018

We had inconclusive anecdata from @mattneub that SR-7743 doesn't appear in Xcode 10 beta 1, but we were never able to narrow down the underlying cause AFAIK. I do recall @mikeash caught and fixed a sporadic out-of-bounds access during value witness table instantiation with types with extra inhabitants, which seems like it could have been one possible underlying cause of these crashes.

@mikeash (Contributor) commented Aug 30, 2018

This and SR-7743 both look exactly like the problem I fixed. The PR for the fix is: #17880

The bug was a read to memory slightly beyond the end of a metadata structure. This happened frequently (any time these functions were called on a metadata structure that's not `ExtraInhabitantsValueWitnessTable`) but the value was never used, so most of the time it was harmless. Every so often, you'd line things up just right where the read spilled over onto the next page and the next page wasn't readable, and you'd crash.

The key indicator is a crash in `storeEnumTagSinglePayload` or a similar function at an address that's either exactly at the start of a page, or 8 (or possibly 16) bytes beyond it. That's exactly what this crash shows.
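
The heuristic in the comment above can be applied mechanically when sorting through a pile of crash reports. The following is an added example, not code from this thread or from the Swift project: it pulls the faulting address out of a Crashlytics-style report, computes its offset from a page boundary for both 4 KiB and 16 KiB pages (arm64 iOS devices use 16 KiB pages; the page sizes and the frame-0 symbol match on `EnumTagSinglePayload` are this example's assumptions, chosen to cover "storeEnumTagSinglePayload or a similar function"), and flags reports where frame 0 is in such a value witness and the address sits at, or 8 or 16 bytes past, a page start. The three sample reports are trimmed copies of the ones quoted in this issue; the control report is constructed for contrast.

```python
"""Triage check for EXC_BAD_ACCESS reports: does the fault address sit at (or 8/16 bytes
past) a page boundary, with frame 0 inside an enum-tag value-witness function?"""
import re
from typing import Dict, Optional

# Page sizes worth checking (assumption of this example): 4 KiB for x86-64 simulator
# builds, 16 KiB for arm64 iOS devices.
PAGE_SIZES = (4096, 16384)

# Offsets from a page start that the fix author names as the signature of the over-read.
SIGNATURE_OFFSETS = (0, 8, 16)

# Fault-address line as printed in the reports quoted in this issue.
FAULT_ADDR_RE = re.compile(r"EXC_BAD_ACCESS\s+KERN_INVALID_ADDRESS\s+0x([0-9a-fA-F]+)")

# Frame 0 of the backtrace: "0  <image>  0x<pc>  <symbol ...>".
FRAME0_RE = re.compile(r"^\s*0\s+\S+\s+0x[0-9a-fA-F]+\s+(.+?)\s*$", re.MULTILINE)


def fault_address(report: str) -> Optional[int]:
    m = FAULT_ADDR_RE.search(report)
    return int(m.group(1), 16) if m else None


def frame0_symbol(report: str) -> Optional[str]:
    m = FRAME0_RE.search(report)
    return m.group(1) if m else None


def page_offsets(addr: int) -> Dict[int, int]:
    """Offset of addr from the start of its page, for each candidate page size."""
    return {size: addr % size for size in PAGE_SIZES}


def matches_overread_signature(addr: int) -> bool:
    """True if addr is exactly at, or 8/16 bytes past, a page boundary for some page size."""
    return any(off in SIGNATURE_OFFSETS for off in page_offsets(addr).values())


def triage(report: str) -> dict:
    addr = fault_address(report)
    sym = frame0_symbol(report) or ""
    page_sig = addr is not None and matches_overread_signature(addr)
    # "storeEnumTagSinglePayload or a similar function": match on the shared suffix
    # (assumption of this example; tighten or widen to taste).
    witness_frame = "EnumTagSinglePayload" in sym
    return {
        "address": addr,
        "offsets": page_offsets(addr) if addr is not None else {},
        "page_signature": page_sig,
        "value_witness_frame0": witness_frame,
        "likely_metadata_overread": page_sig and witness_frame,
    }


# Trimmed copies of the three reports quoted in this issue (fault line plus frames 0 and 1).
REPORTS = [
    """Crashed: com.apple.main-thread
EXC_BAD_ACCESS KERN_INVALID_ADDRESS 0x0000000105174008
0  libswiftCore.dylib             0x10285e734 swift::metadataimpl::NonFixedValueWitnesses<swift::metadataimpl::NonFixedOpaqueExistentialBox, true>::storeEnumTagSinglePayload(swift::OpaqueValue*, int, unsigned int, swift::TargetMetadata<swift::InProcess> const*) + 20
1  willhaben                      0x1004e2c9c specialized WHCollectionViewSectionsModel.dequeueAndConfigureCell(collectionView:indexPath:) (WHCollectionViewModel.swift:103)
""",
    """Crashed: com.apple.main-thread
EXC_BAD_ACCESS KERN_INVALID_ADDRESS 0x000000010b8ac008
0  libswiftCore.dylib             0x107396734 swift::metadataimpl::NonFixedValueWitnesses<swift::metadataimpl::NonFixedOpaqueExistentialBox, true>::storeEnumTagSinglePayload(swift::OpaqueValue*, int, unsigned int, swift::TargetMetadata<swift::InProcess> const*) + 20
1  willhaben                      0x104fb1b0c specialized WHCollectionViewSectionsModel.dequeueAndConfigureSupplementaryView(withKind:collectionView:indexPath:) (WHCollectionViewModel.swift:103)
""",
    """Crashed: com.apple.main-thread
EXC_BAD_ACCESS KERN_INVALID_ADDRESS 0x000000010fae8008
0  libswiftCore.dylib             0x107676734 swift::metadataimpl::NonFixedValueWitnesses<swift::metadataimpl::NonFixedOpaqueExistentialBox, true>::storeEnumTagSinglePayload(swift::OpaqueValue*, int, unsigned int, swift::TargetMetadata<swift::InProcess> const*) + 20
1  willhaben                      0x10525223c @objc FeedViewController.collectionView(_:numberOfItemsInSection:) (WHCollectionViewModel.swift:124)
""",
]

# Constructed control: an unrelated fault address and a frame 0 outside the Swift runtime.
CONTROL_REPORT = """Crashed: com.apple.main-thread
EXC_BAD_ACCESS KERN_INVALID_ADDRESS 0x00000001000001a3
0  libobjc.A.dylib                0x1800f1234 objc_msgSend + 16
"""

if __name__ == "__main__":
    for r in REPORTS + [CONTROL_REPORT]:
        t = triage(r)
        print(hex(t["address"]), t["offsets"], "flagged" if t["likely_metadata_overread"] else "no")
```

All three addresses in this thread end in `...008`, eight bytes past a boundary for both page sizes, which is exactly the pattern described above; the control report is at neither a boundary nor a value-witness frame and is not flagged. The check sorts reports by likelihood, it does not by itself prove the root cause.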

@swift-ci (Collaborator, Author) commented Aug 31, 2018

Comment by Fabian Ehrentraud (JIRA)

Since we cannot reproduce the issue locally, I can only judge by the number of crashes from our live app. Crashes have nearly completely dropped off in iOS 12. Of course, that could also be related to the sporadic nature of this crash and the low iOS 12 beta adoption rate among users of our live app.

Here I have one crash from iOS 12 build 16A5345f:

Crashed: com.apple.main-thread
EXC_BAD_ACCESS KERN_INVALID_ADDRESS 0x000000010b8ac008
0  libswiftCore.dylib             0x107396734 swift::metadataimpl::NonFixedValueWitnesses<swift::metadataimpl::NonFixedOpaqueExistentialBox, true>::storeEnumTagSinglePayload(swift::OpaqueValue*, int, unsigned int, swift::TargetMetadata<swift::InProcess> const*) + 20
1  willhaben                      0x104fb1b0c specialized WHCollectionViewSectionsModel.dequeueAndConfigureSupplementaryView(withKind:collectionView:indexPath:) (WHCollectionViewModel.swift:103)
2  willhaben                      0x104f6a43c @objc FeedViewController.collectionView(_:viewForSupplementaryElementOfKind:at:) (FeedViewController.swift:262)
3  UIKitCore                      0x223b105dc <redacted> + 504
4  UIKitCore                      0x223b13d0c <redacted> + 4072
5  UIKitCore                      0x223b18d88 <redacted> + 324
6  UIKitCore                      0x22411d570 <redacted> + 1380

And here is one from iOS 12 build 16A5327f:

Crashed: com.apple.main-thread
EXC_BAD_ACCESS KERN_INVALID_ADDRESS 0x000000010fae8008
0  libswiftCore.dylib             0x107676734 swift::metadataimpl::NonFixedValueWitnesses<swift::metadataimpl::NonFixedOpaqueExistentialBox, true>::storeEnumTagSinglePayload(swift::OpaqueValue*, int, unsigned int, swift::TargetMetadata<swift::InProcess> const*) + 20
1  willhaben                      0x10525223c @objc FeedViewController.collectionView(_:numberOfItemsInSection:) (WHCollectionViewModel.swift:124)
2  UIKitCore                      0x25ff28dd4 -[UICollectionViewData _updateItemCounts] + 380
3  UIKitCore                      0x25ff2ae38 -[UICollectionViewData numberOfSections] + 28
4  UIKitCore                      0x25ff34ab8 -[UICollectionViewFlowLayout _getSizingInfosWithExistingSizingDictionary:] + 580
5  UIKitCore                      0x25ff36a20 -[UICollectionViewFlowLayout _fetchItemsInfoForRect:] + 260
6  UIKitCore                      0x25ff30874 -[UICollectionViewFlowLayout prepareLayout] + 224
7  UIKitCore                      0x25ff290c4 -[UICollectionViewData _prepareToLoadData] + 228
8  UIKitCore                      0x25ff29904 -[UICollectionViewData validateLayoutInRect:] + 104
9  UIKitCore                      0x25fefaf98 -[UICollectionView layoutSubviews] + 228
10 UIKitCore                      0x2604fd0c0 -[UIView(CALayerDelegate) layoutSublayersOfLayer:] + 1444

@mikeash (Contributor) commented Aug 31, 2018

The bug is/was in the Swift dylibs which get embedded in your app, so an updated OS won't fix it. It's possible that it will cause the crash to happen more or less frequently due to differences in where pages are allocated, but the fundamental problem won't change. So the bad news is that if you use Xcode 9.something, you'll have the bug even on iOS 12. The good news is that once you build with an Xcode that has the fix, the bug will go away even on older versions of iOS.

@swift-ci swift-ci transferred this issue from apple/swift-issues Apr 25, 2022
This issue was closed.