A question: if a crash is caused by the V8 engine, how do I follow the stack trace to debug it and locate the problem?

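Does it run without upgrading V8? If it does, the demo you provide doesn't need the upgrade, which makes it easier to track down.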

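Without the V8 upgrade this spine-related crash doesn't occur; it only appeared after upgrading. Also, the scene's auto-release-assets option has to be checked for the crash to happen when switching scenes, and judging from the stack it is related to releasing spine resources.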

Give us a demo first; we'll take a look once we can find the issue.

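Demo link: https://github.com/nai6514531/v8-crash-demo
I've uploaded all the build output. For now only local iOS debugging works: after cloning, open V8_SPINE_CRASH.xcodeproj and run it on a connected real device; keep tapping the button to switch scenes and the crash will reproduce.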

Native changes: V8 was upgraded from 8.0.4 to 11.6.189.22; the changes follow the official Cocos 3.8 ones, for details see

The exact crash stack is below; I'd appreciate the official team's help in tracking this down.

Initializing V8, version: 11.6.189.22
libuv version: 1.23.1-dev
Debugger listening…, visit [ devtools://devtools/bundled/js_app.html?v8only=true&ws=0.0.0.0:6086/00010002-0003-4004-8005-000600070008 ] in chrome browser to debug!
For help see https://nodejs.org/en/docs/inspector
JS: Enable batch GL commands optimization!
D/renderer (626): Device caps: maxVextexTextures: 16, maxFragUniforms: 224, maxTextureUints: 16, maxVertexAttributes: 16, maxDrawBuffers: 1, maxColorAttatchments: 1
libpng warning: iCCP: known incorrect sRGB profile
JS: Cocos Creator v2.4.7
JS: LoadScene helloworld2: 31.842999999999847ms
JS: LoadScene helloworld3: 17.128999999999905ms
JS: LoadScene helloworld1: 16.302999999999884ms
JS: LoadScene helloworld2: 16.54399999999987ms
JS: LoadScene helloworld3: 16.248000000000047ms
JS: LoadScene helloworld1: 16.820000000000164ms
JS: LoadScene helloworld2: 33.971000000000004ms

Fatal error in , line 0

Invoke in DisallowJavascriptExecutionScope

#FailureMessage Object: 0x16f473d28
==== C stack trace ===============================

0   V8_SPINE_CRASH-mobile               0x00000001011ebadc v8::base::debug::StackTrace::StackTrace() + 24
1   V8_SPINE_CRASH-mobile               0x00000001011f1260 v8::platform::(anonymous namespace)::PrintStackTrace() + 24
2   V8_SPINE_CRASH-mobile               0x00000001011e1edc V8_Fatal(char const*, ...) + 268
3   V8_SPINE_CRASH-mobile               0x00000001012d66b4 v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) + 3008
4   V8_SPINE_CRASH-mobile               0x00000001012d5ac4 v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) + 124
5   V8_SPINE_CRASH-mobile               0x00000001012025f4 v8::Object::CallAsFunction(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) + 444
6   V8_SPINE_CRASH-mobile               0x0000000101082ef8 se::Object::call(std::__1::vector<se::Value, std::__1::allocator<se::Value>> const&, se::Object*, se::Value*) + 1308
7   V8_SPINE_CRASH-mobile               0x0000000100b62d98 _ZZL52js_cocos2dx_spine_SkeletonDataMgr_setDestroyCallbackRN2se5StateEENK4$_12clEi + 280
8   V8_SPINE_CRASH-mobile               0x0000000100b62c74 _ZNSt3__18__invokeB7v160006IRZL52js_cocos2dx_spine_SkeletonDataMgr_setDestroyCallbackRN2se5StateEE4$_12JiEEEDTclclsr3stdE7declvalIT_EEspclsr3stdE7declvalIT0_EEEEOS6_DpOS7_ + 36
9   V8_SPINE_CRASH-mobile               0x0000000100b62c20 _ZNSt3__128__invoke_void_return_wrapperIvLb1EE6__callIJRZL52js_cocos2dx_spine_SkeletonDataMgr_setDestroyCallbackRN2se5StateEE4$_12iEEEvDpOT_ + 32
10  V8_SPINE_CRASH-mobile               0x0000000100b62bf4 _ZNSt3__110__function12__alloc_funcIZL52js_cocos2dx_spine_SkeletonDataMgr_setDestroyCallbackRN2se5StateEE4$_12NS_9allocatorIS5_EEFviEEclB7v160006EOi + 36
11  V8_SPINE_CRASH-mobile               0x0000000100b619d4 _ZNSt3__110__function6__funcIZL52js_cocos2dx_spine_SkeletonDataMgr_setDestroyCallbackRN2se5StateEE4$_12NS_9allocatorIS5_EEFviEEclEOi + 36
12  V8_SPINE_CRASH-mobile               0x0000000100de383c std::__1::__function::__value_func<void (int)>::operator()[abi:v160006](int&&) const + 76
13  V8_SPINE_CRASH-mobile               0x0000000100de37e4 std::__1::function<void (int)>::operator()(int) const + 36
14  V8_SPINE_CRASH-mobile               0x0000000101035088 spine::SkeletonDataMgr::releaseByUUID(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) + 280
15  V8_SPINE_CRASH-mobile               0x0000000100d035fc spine::SkeletonRenderer::~SkeletonRenderer() + 484
16  V8_SPINE_CRASH-mobile               0x0000000101158f90 spine::SkeletonAnimation::~SkeletonAnimation() + 400
17  V8_SPINE_CRASH-mobile               0x0000000101159008 spine::SkeletonAnimation::~SkeletonAnimation() + 28
18  V8_SPINE_CRASH-mobile               0x0000000101159050 spine::SkeletonAnimation::~SkeletonAnimation() + 28
19  V8_SPINE_CRASH-mobile               0x0000000100c22b34 cocos2d::Ref::release() + 232
20  V8_SPINE_CRASH-mobile               0x0000000100b21ebc js_spine_SkeletonAnimation_finalize(se::State&) + 48
21  V8_SPINE_CRASH-mobile               0x0000000100b218a8 js_spine_SkeletonAnimation_finalizeRegistry(void*) + 88
22  V8_SPINE_CRASH-mobile               0x0000000101080148 se::Object::nativeObjectFinalizeHook(void*) + 148
23  V8_SPINE_CRASH-mobile               0x0000000100f4403c se::ObjectWrap::weakCallback(v8::WeakCallbackInfo<se::ObjectWrap> const&) + 232
24  V8_SPINE_CRASH-mobile               0x0000000101305158 v8::internal::GlobalHandles::InvokeFirstPassWeakCallbacks() + 464
25  V8_SPINE_CRASH-mobile               0x0000000101350e98 v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::internal::GarbageCollectionReason, char const*) + 1356
26  V8_SPINE_CRASH-mobile               0x000000010134e844 v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) + 984
27  V8_SPINE_CRASH-mobile               0x000000010134629c v8::internal::HeapAllocator::AllocateRawWithLightRetrySlowPath(int, v8::internal::AllocationType, v8::internal::AllocationOrigin, v8::internal::AllocationAlignment) + 1880
28  V8_SPINE_CRASH-mobile               0x0000000101346b00 v8::internal::HeapAllocator::AllocateRawWithRetryOrFailSlowPath(int, v8::internal::AllocationType, v8::internal::AllocationOrigin, v8::internal::AllocationAlignment) + 52
29  V8_SPINE_CRASH-mobile               0x00000001013330d4 v8::internal::Factory::NewFillerObject(int, v8::internal::AllocationAlignment, v8::internal::AllocationType, v8::internal::AllocationOrigin) + 744
30  V8_SPINE_CRASH-mobile               0x00000001016863b8 v8::internal::Runtime_AllocateInYoungGeneration(int, unsigned long*, v8::internal::Isolate*) + 96
31  V8_SPINE_CRASH-mobile               0x0000000101831618 Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit + 88
32  V8_SPINE_CRASH-mobile               0x00000001017f5d30 Builtins_StoreIC + 4592
33  V8_SPINE_CRASH-mobile               0x00000001018d99b0 Builtins_SetNamedPropertyHandler + 144
34  V8_SPINE_CRASH-mobile               0x00000001017ac364 Builtins_InterpreterEntryTrampoline + 260
35  V8_SPINE_CRASH-mobile               0x00000001017ac364 Builtins_InterpreterEntryTrampoline + 260
36  V8_SPINE_CRASH-mobile               0x00000001017ac364 Builtins_InterpreterEntryTrampoline + 260
37  V8_SPINE_CRASH-mobile               0x00000001017ac364 Builtins_InterpreterEntryTrampoline + 260
38  V8_SPINE_CRASH-mobile               0x00000001017ac364 Builtins_InterpreterEntryTrampoline + 260
39  V8_SPINE_CRASH-mobile               0x00000001017ac364 Builtins_InterpreterEntryTrampoline + 260
40  V8_SPINE_CRASH-mobile               0x00000001017ac364 Builtins_InterpreterEntryTrampoline + 260
41  V8_SPINE_CRASH-mobile               0x00000001017ac364 Builtins_InterpreterEntryTrampoline + 260
42  V8_SPINE_CRASH-mobile               0x00000001017ac364 Builtins_InterpreterEntryTrampoline + 260
43  V8_SPINE_CRASH-mobile               0x00000001017ac364 Builtins_InterpreterEntryTrampoline + 260
44  V8_SPINE_CRASH-mobile               0x00000001017ac364 Builtins_InterpreterEntryTrampoline + 260
45  V8_SPINE_CRASH-mobile               0x00000001017aa48c Builtins_JSEntryTrampoline + 172
46  V8_SPINE_CRASH-mobile               0x00000001017aa174 Builtins_JSEntry + 148
47  V8_SPINE_CRASH-mobile               0x00000001012d61b8 v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) + 1732
48  V8_SPINE_CRASH-mobile               0x00000001012d5ac4 v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) + 124
49  V8_SPINE_CRASH-mobile               0x00000001012025f4 v8::Object::CallAsFunction(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) + 444
50  V8_SPINE_CRASH-mobile               0x0000000101082ef8 se::Object::call(std::__1::vector<se::Value, std::__1::allocator<se::Value>> const&, se::Object*, se::Value*) + 1308
51  V8_SPINE_CRASH-mobile               0x0000000100e15f5c _ZZZZ21jsb_global_load_imageRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEERKN2se5ValueEENK3$_4clES7_PhiS7_ENUliE_clEiENUlvE_clEv + 2356
52  V8_SPINE_CRASH-mobile               0x0000000100e1561c _ZNSt3__18__invokeB7v160006IRZZZ21jsb_global_load_imageRKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEERKN2se5ValueEENK3$_4clES8_PhiS8_ENUliE_clEiEUlvE_JEEEDTclclsr3stdE7declvalIT_EEspclsr3stdE7declvalIT0_EEEEOSI_DpOSJ_ + 24
53  V8_SPINE_CRASH-mobile               0x0000000100e155d4 _ZNSt3__128__invoke_void_return_wrapperIvLb1EE6__callIJRZZZ21jsb_global_load_imageRKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEERKN2se5ValueEENK3$_4clESA_PhiSA_ENUliE_clEiEUlvE_EEEvDpOT_ + 24
54  V8_SPINE_CRASH-mobile               0x0000000100e155b0 _ZNSt3__110__function12__alloc_funcIZZZ21jsb_global_load_imageRKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEERKN2se5ValueEENK3$_4clES9_PhiS9_ENUliE_clEiEUlvE_NS5_ISH_EEFvvEEclB7v160006Ev + 28
55  V8_SPINE_CRASH-mobile               0x0000000100e1411c _ZNSt3__110__function6__funcIZZZ21jsb_global_load_imageRKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEERKN2se5ValueEENK3$_4clES9_PhiS9_ENUliE_clEiEUlvE_NS5_ISH_EEFvvEEclEv + 28
56  V8_SPINE_CRASH-mobile               0x00000001009db4f8 std::__1::__function::__value_func<void ()>::operator()[abi:v160006]() const + 68
57  V8_SPINE_CRASH-mobile               0x00000001009db484 std::__1::function<void ()>::operator()() const + 24
58  V8_SPINE_CRASH-mobile               0x0000000100d79b3c cocos2d::Scheduler::update(float) + 512
59  V8_SPINE_CRASH-mobile               0x0000000100bb4518 -[MainLoop doCaller:] + 240
60  GPUToolsCore                        0x0000000234a97c68 E798020E-11E3-3866-BC87-53CF886B1528 + 68712
61  QuartzCore                          0x000000018f8b8dc4 AEDC1A56-1731-3315-A87E-C6610024A405 + 859588
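Added example, not part of the original thread: one way to read a trace like the one above is to check whether a JavaScript entry frame (`v8::Object::CallAsFunction`) sits beneath `GlobalHandles::InvokeFirstPassWeakCallbacks`, and to list the native frames in between. The function names `parse_frames` and `js_reentry_during_gc` and the abridged sample are assumptions made for this sketch.

```python
import re

# Frame layout in the traces on this page: index, image, address, "symbol + offset".
FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*?)\s\+\s(\d+)\s*$")
GC_MARKER = "GlobalHandles::InvokeFirstPassWeakCallbacks"
JS_ENTRY = ("v8::Object::CallAsFunction", "v8::internal::Execution::Call")

# Constructed sample: frames taken from the device trace above, with argument
# lists shortened to "(...)" and the remaining frames left out.
SAMPLE_TRACE = """\
2   V8_SPINE_CRASH-mobile  0x00000001011e1edc V8_Fatal(char const*, ...) + 268
5   V8_SPINE_CRASH-mobile  0x00000001012025f4 v8::Object::CallAsFunction(...) + 444
14  V8_SPINE_CRASH-mobile  0x0000000101035088 spine::SkeletonDataMgr::releaseByUUID(...) + 280
15  V8_SPINE_CRASH-mobile  0x0000000100d035fc spine::SkeletonRenderer::~SkeletonRenderer() + 484
20  V8_SPINE_CRASH-mobile  0x0000000100b21ebc js_spine_SkeletonAnimation_finalize(se::State&) + 48
23  V8_SPINE_CRASH-mobile  0x0000000100f4403c se::ObjectWrap::weakCallback(...) + 232
24  V8_SPINE_CRASH-mobile  0x0000000101305158 v8::internal::GlobalHandles::InvokeFirstPassWeakCallbacks() + 464
49  V8_SPINE_CRASH-mobile  0x00000001012025f4 v8::Object::CallAsFunction(...) + 444
"""

def parse_frames(text):
    """Return sorted (index, symbol) pairs; index 0 is the innermost frame."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:  # log lines that are not stack frames are skipped
            frames.append((int(m.group(1)), m.group(4)))
    return sorted(frames)

def js_reentry_during_gc(text):
    """Return the native frames that lead from a first-pass weak callback
    to a JavaScript call, outermost first, or None if there is no such call."""
    frames = parse_frames(text)
    gc = next((i for i, s in frames if GC_MARKER in s), None)
    if gc is None:
        return None
    # Frames with a smaller index were entered while the GC frame was active.
    inner_js = [i for i, s in frames if i < gc and s.startswith(JS_ENTRY)]
    if not inner_js:
        return None
    entry = max(inner_js)  # the JS entry nearest to the GC frame
    return [s for i, s in reversed(frames) if entry < i < gc]

if __name__ == "__main__":
    for symbol in js_reentry_during_gc(SAMPLE_TRACE):
        print(symbol)
```
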

Can it be reproduced on Windows?

Do you want an Android environment for debugging on your side?

@18234101603


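After merging these PRs I don't get the crash; my earlier reply asked you to merge the corresponding code. The demo you gave doesn't have them merged. Did you merge them and verify before?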

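I just merged them and tried; iOS still crashes, but the crash information has changed. There no longer seem to be any spine-related frames in the stack.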

Don't you get this problem on your side when switching scenes quickly?

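No, I verified with the simulator. Can you check whether it reproduces every time?
Try changing jsb_cocos2dx_spine_auto.cpp
SkeletonDataMgr_setDestroyCallback
se::Value jsThis(s.thisObject()); => se::Value jsThis(s.thisObject(), true); From the stack I haven't seen a specific problem so far.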

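With the simulator it indeed doesn't crash for me either, but on a real device it still crashes even after adding se::Value jsThis(s.thisObject(), true). The real device and simulator environments probably still differ; could you try on a real device?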

After upgrading V8 on 2.4.13 I also hit the problem here,
and I tried it: even without upgrading V8, changing WeakCallbackType to kParameter triggers this problem, but the new V8 no longer has kFinalizer
void ObjectWrap::makeWeak() {
persistent().SetWeak(this, weakCallback, v8::WeakCallbackType::kParameter);
}

And I've had this crash on the Mac simulator

Simulator: 18 Simulator 0x0000000000a3fd45 spine::SkeletonAnimation::~SkeletonAnimation() + 21
    19  Simulator                           0x0000000000a3fd89 spine::SkeletonAnimation::~SkeletonAnimation() + 25
    20  Simulator                           0x000000000088a808 cocos2d::Ref::release() + 216
    21  Simulator                           0x0000000000b41c67 js_spine_SkeletonAnimation_finalize(se::State&) + 39
    22  Simulator                           0x0000000000b4162d js_spine_SkeletonAnimation_finalizeRegistry(void*) + 77
    23  Simulator                           0x000000000073741f se::Object::nativeObjectFinalizeHook(void*) + 143
    24  Simulator                           0x0000000000627da0 se::ObjectWrap::weakCallback(v8::WeakCallbackInfo<se::ObjectWrap> const&) + 208
    25  Simulator                           0x0000000000e67b17 v8::internal::GlobalHandles::InvokeFirstPassWeakCallbacks() + 535
    26  Simulator                           0x0000000000ed0b34 v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::internal::GarbageCollectionReason, char const*) + 1604
    27  Simulator                           0x0000000000ecda07 v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) + 1047
    28  Simulator                           0x0000000000ecd5ab v8::internal::Heap::HandleGCRequest() + 203
    29  Simulator                           0x0000000000e5a8df v8::internal::StackGuard::HandleInterrupts(v8::internal::StackGuard::InterruptLevel) + 543
    30  Simulator                           0x000000000132d7bf v8::internal::Runtime_StackGuard(int, unsigned long*, v8::internal::Isolate*) + 319
    31  Simulator                           0x0000000001fa57f6 Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit + 54
    32  Simulator                           0x0000000001f4619f Builtins_ArrayPrototypePush + 2271

You could try not switching scenes, making it a single-scene game, and see whether it still happens

Our project is single-scene, and it crashes all the same

@dumganhar @minggo @song2008_2001 Could the official team help take a look? The demo and the reproduction scenario have both been provided.

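I'm crashing in this assertion: _finalzeCb is a null pointer, its address is 0x0, and commenting out the assertion makes the crash go away. I'm not sure under what circumstances _finalzeCb becomes a null pointer. @song2008_2001 could you help take a look?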

I've sent you a PR:

See my previous reply

Thanks a lot, I've verified it and it's OK