Hello, my application experiences crashes related to JavaScriptCore in iOS 17 and 18. I would like to consult about potential causes, to determine whether it is a bug in JavaScriptCore or an issue with my code implementation.
First, the crash stack always includes the call to JSC::MarkedBlock::aboutToMarkSlow(unsigned int).
In the iOS 17 version, the crash typically occurs at JSC::MarkedBlock::aboutToMarkSlow(unsigned int) + 88.
In iOS 18 and later, the stack crashes at JSC::MarkedBlock::dumpInfoAndCrashForInvalidHandle(WTF::AbstractLocker&, JSC::HeapCell*).
I checked the source code of JavaScriptCore for both iOS 17.6 and iOS 18.2 and observed modifications in the implementation of aboutToMarkSlow.
My question is under what circumstances could this crash occur?
I have attached a crash log encountered in iOS 18, hoping you can provide more effective information for problem diagnosis, especially since there are specific details worth noting near the crash registers.
INVALID HANDLE: MarkedBlock = 0x141158000; heapCell = 0x14115bfa0; type = 0
INVALID HANDLE: found 24 0s at beginning of block
INVALID HANDLE: block in another VM: 1, block in another VM: 1; other VM is 0x1324b6000
Moreover, in iOS 18.4, due to the implementation of dumpInfoAndCrashForInvalidHandleV2, the message has changed to:
INVALID HANDLE 587: markedBlock=0x303518000; heapCell=0x303518fe0; cellFirst8Bytes=0; subspaceHash=0; contiguousZeros=0; totalzeros=0; blockVM=0x0; actualVM=0x0; isBlockVMValid=0; isBlockInSet=0; isBlockInDir=0; foundInBlockVM=0;
INVALID HANDLE 606: markedBlock=0x303518000; heapCell=0x303518fe0; cellFirst8Bytes=0; subspaceHash=0; contiguousZeros=16384; totalZeros=16384; blockVM=0x0; actualVM=0x0; isBlockVMValid=0; isBlockInSet=0; isBlockInDir=0; foundInBlockVM=0;
INVALID HANDLE 615: markedBlock=0x303518000; heapCell=0x303518fe0; cellFirst8Bytes=0; subspaceHash=0; contiguousZeros=16384; totalZeros=16384; blockVM=0x0; actualVM=0x0; isBlockVMValid=0; isBlockInSet=1; isBlockInDir=1; foundInBlockVM=0;
(Further INVALID HANDLE messages follow the same format)
I hope this provides you with more information.
Are you using the JavaScriptCore library directly in your app, or are you using it inside of a web view? If you are using it directly, going by the crash log it appears that JavaScriptCore is trying to recover memory. I would start by reviewing the memory allocation strategies in all of your JavaScriptCore API usage - especially custom objects.
If you're not using JavaScriptCore directly and you're using a web view, please file a bug report, include a small Xcode project and some directions that can be used to reproduce the problem, and post the FB number here once you do. If you post the bug number here I'll check the status next time I do a sweep of forum posts where I've suggested bug reports.
Bug Reporting: How and Why? has tips on creating your bug report.
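As an added illustration of the review the reply suggests (not code from the poster's app or from Apple), here is a hypothetical custom JSExport object that holds a JS callback the way the JavaScriptCore Objective-C API expects: through a JSManagedValue registered with its owner, and only for values from the JSVirtualMachine the object was installed into. The NativeBridge class, its method names and the VM check are assumptions for this example; they are not asserted to be the cause of the crash above, only a pattern worth checking against your own objects, since the log reports a cell whose block belongs to another VM.

```objective-c
#import <Foundation/Foundation.h>
#import <JavaScriptCore/JavaScriptCore.h>

// Hypothetical native object exposed to JS that keeps a JS callback alive
// across calls; this is the kind of custom-object reference to review.
@protocol NativeBridgeExports <JSExport>
- (void)setCallback:(JSValue *)callback;
- (void)fire;
@end

@interface NativeBridge : NSObject <NativeBridgeExports>
- (instancetype)initWithVirtualMachine:(JSVirtualMachine *)vm;
@end

@implementation NativeBridge {
    JSVirtualMachine *_vm;      // the only VM whose values this object may hold
    JSManagedValue *_callback;  // GC-visible handle instead of a hidden strong JSValue
}

- (instancetype)initWithVirtualMachine:(JSVirtualMachine *)vm {
    if ((self = [super init])) _vm = vm;
    return self;
}

- (void)setCallback:(JSValue *)callback {
    // JSValues belong to the VM that created them and must not be stored or
    // used from a context that lives in a different JSVirtualMachine.
    NSAssert(callback.context.virtualMachine == _vm,
             @"JSValue comes from a different JSVirtualMachine");
    if (_callback) [_vm removeManagedReference:_callback withOwner:self];
    // Registering the managed value with this owner lets the collector see the
    // edge, so the callback stays alive only while the bridge is reachable and
    // no native-side strong reference hides a cycle from the GC.
    _callback = [JSManagedValue managedValueWithValue:callback];
    [_vm addManagedReference:_callback withOwner:self];
}

- (void)fire {
    JSValue *cb = _callback.value;  // nil once the collector has reclaimed it
    if (cb && !cb.isUndefined) [cb callWithArguments:@[]];
}

- (void)dealloc {
    if (_callback) [_vm removeManagedReference:_callback withOwner:self];
}
@end

int main(int argc, char *argv[]) {
    @autoreleasepool {
        JSVirtualMachine *vm = [[JSVirtualMachine alloc] init];
        JSContext *ctx = [[JSContext alloc] initWithVirtualMachine:vm];
        ctx[@"log"] = ^(NSString *s) { NSLog(@"%@", s); };
        ctx[@"bridge"] = [[NativeBridge alloc] initWithVirtualMachine:vm];
        [ctx evaluateScript:@"bridge.setCallback(function () { log('fired'); }); bridge.fire();"];
    }
    return 0;
}
```

If several JSContexts are created in the app, giving them separate JSVirtualMachines and then passing a JSValue between them is exactly the situation the assertion above is meant to surface early, before the collector trips over it.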