0
代码
代码
Issues
Pull Requests
讨论
Wiki
分析
0
Ggyangedocs(Docs): optimize the docs structure
eec718bb创建于 4月22日历史提交

03-内存异常

本文件汇总该版本中归类为内存异常的历史修复,重点包括 UAF、悬空指针、空指针、野指针、越界访问和对象引用清理异常等问题。

1. 图片回调晚于实例销毁导致悬空 URI 崩溃

  • 修改日期:2026-01-08
  • 版本:0.82.3
  • 问题描述:ImageComponentInstance::onComplete 中的 ON_LOAD 回调直接读取 m_imageSource.uri.c_str()。当主线程已销毁实例、而 JS 线程稍后才执行回调时,会解引用悬空指针并崩溃。
  • 影响模块:ImageComponentInstance
  • 提交 / PR:409e3d355 / !1985
  • 详细修复内容:把 m_imageSource.uri 按值拷贝进 lambda capture,使回调持有自己的字符串副本,不再依赖已经销毁的实例对象内存。

日志

Tid:23245, Name:RNOH_JS
#00 pc 0000000000139950 /system/lib/ld-musl-aarch64.so.1(strlen+16)
#01 pc 0000000000195b68 /data/storage/el1/bundle/libs/arm64/librnoh_core_package.so(facebook::jsi::String::createFromAscii(facebook::jsi::Runtime&, char const*)+48)
#02 pc 00000000001979a8 /data/storage/el1/bundle/libs/arm64/librnoh_core_package.so(facebook::jsi::detail::toValue(facebook::jsi::Runtime&, char const*)+60)
#03 pc 00000000001978fc /data/storage/el1/bundle/libs/arm64/librnoh_core_package.so(void facebook::jsi::Object::setProperty<char const*>(facebook::jsi::Runtime&, facebook::jsi::String const&, char const*&&) const+80)
#04 pc 0000000000197854 /data/storage/el1/bundle/libs/arm64/librnoh_core_package.so(void facebook::jsi::Object::setProperty<char const*>(facebook::jsi::Runtime&, char const*, char const*&&) const+88)
#05 pc 0000000000197698 /data/storage/el1/bundle/libs/arm64/librnoh_core_package.so
#06 pc 00000000001975d0 /data/storage/el1/bundle/libs/arm64/librnoh_core_package.so
#07 pc 000000000019754c /data/storage/el1/bundle/libs/arm64/librnoh_core_package.so
#08 pc 00000000001974d8 /data/storage/el1/bundle/libs/arm64/librnoh_core_package.so
#09 pc 00000000001973cc /data/storage/el1/bundle/libs/arm64/librnoh_core_package.so
#10 pc 000000000047fa60 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#11 pc 000000000047fa18 /data/storage/el1/bundle/libs/arm64/libreactnative.so(std::__n1::function<facebook::jsi::Value (facebook::jsi::Runtime&)>::operator()(facebook::jsi::Runtime&) const+32)
#12 pc 00000000006b98f0 /data/storage/el1/bundle/libs/arm64/libreactnative.so(facebook::react::ValueFactoryEventPayload::asJSIValue(facebook::jsi::Runtime&) const+36)
#13 pc 00000000007e22f4 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#14 pc 00000000007e209c /data/storage/el1/bundle/libs/arm64/libreactnative.so
#15 pc 00000000007589c8 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#16 pc 0000000000758980 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#17 pc 0000000000758954 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#18 pc 0000000000758904 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#19 pc 0000000000758808 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#20 pc 00000000007aca44 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#21 pc 00000000007aca00 /data/storage/el1/bundle/libs/arm64/libreactnative.so(std::__n1::function<void (facebook::react::UIManagerBinding const&)>::operator()(facebook::react::UIManagerBinding const&) const+28)
#22 pc 00000000007ac940 /data/storage/el1/bundle/libs/arm64/libreactnative.so(facebook::react::UIManager::visitBinding(std::__n1::function<void (facebook::react::UIManagerBinding const&)> const&, facebook::jsi::Runtime&) const+88)
#23 pc 0000000000757a9c /data/storage/el1/bundle/libs/arm64/libreactnative.so
#24 pc 0000000000757a08 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#25 pc 00000000007579b4 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#26 pc 0000000000757944 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#27 pc 0000000000757828 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#28 pc 000000000069060c /data/storage/el1/bundle/libs/arm64/libreactnative.so
#29 pc 0000000000690588 /data/storage/el1/bundle/libs/arm64/libreactnative.so
#30 pc 0000000000690300 /data/storage/el1/bundle/libs/arm64/libreactnative.so(facebook::react::EventQueueProcessor::flushEvents(facebook::jsi::Runtime&, std::__n1::vector<facebook::react::RawEvent, std::__n1::allocator<facebook::react::RawEvent>>&&) const+600)
#31 pc 000000000068b314 /data/storage/el1/bundle/libs/arm64/libreactnative.so(facebook::react::EventQueue::flushEvents(facebook::jsi::Runtime&) const+168)
#32 pc 000000000068b16c /data/storage/el1/bundle/libs/arm64/libreactnative.so(facebook::react::EventQueue::onBeat(facebook::jsi::Runtime&) const+44)

2. JSVMPointerValue 克隆与弱引用恢复路径崩溃

  • 修改日期:2026-03-07
  • 版本:0.82.17
  • 问题描述:JSVMPointerValue 的 clone、弱引用恢复和引用链管理逻辑彼此不一致,导致对象在 clone、lockWeakObject 或值转换过程中可能重复构造或错误清理,从而触发崩溃。
  • 影响模块:JSVMRuntime / JSVMPointerValue
  • 提交 / PR:7029f4747 / !2337
  • 详细修复内容:统一通过 JSVMPointerValue::New 创建引用对象,补充 clone() 共享引用计数逻辑,并在 lockWeakObject 时先判断 null 再恢复对象,消除 clone 与弱引用路径上的异常状态。

3. Enumerator 解包 Proxy 路径空指针崩溃

  • 修改日期:2026-03-09
  • 版本:0.82.17
  • 问题描述:引擎在枚举属性时如果把非 wrapped host object 的 thisArg 传给 HostObjectProxy::Enumerator,原实现直接 Unwrap,会在 Proxy/原型链场景中得到空对象并崩溃。
  • 影响模块:HostObjectProxy
  • 提交 / PR:fd6f29ca0 / !2330
  • 详细修复内容:当 Unwrap 失败时沿原型链继续查找有效 HostObject,只有在确实找不到对象时才抛错,避免直接对空指针执行枚举逻辑。

日志

00 pc 00000000000c4944 /data/storage/el1/bundle/libs/arm64/libjsvmtooling.so(std::__n1::shared_ptr<facebook::jsi_newarch::HostObject>::operator->[abi:v15004]() const+52)
01 pc 00000000000c45e8 /data/storage/el1/bundle/libs/arm64/libjsvmtooling.so(jsvm::HostObjectProxy::Enumerator(JSVM_Env__*, JSVM_Value__*, JSVM_Value__*)+364)
02 pc 0000000000043f2c /system/lib64/ndk/libjsvm.so(v8impl::(anonymous namespace)::PropertyCallbackWrapper<v8::Array>::NameEnumeratorInvoke(v8::PropertyCallbackInfo<v8::Array> const&)+176)
03 pc 00000000007f8d34 /system/lib64/libv8_shared.so(v8::internal::PropertyCallbackArguments::CallPropertyEnumerator(v8::internal::Handle<v8::internal::InterceptorInfo>)+324)
04 pc 00000000007f6e3c /system/lib64/libv8_shared.so
05 pc 00000000007f744c /system/lib64/libv8_shared.so(v8::internal::KeyAccumulator::CollectOwnPropertyNames(v8::internal::DirectHandle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSObject>)+724)
06 pc 00000000007f552c /system/lib64/libv8_shared.so(v8::internal::KeyAccumulator::CollectOwnKeys(v8::internal::DirectHandle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSObject>)+260)
07 pc 00000000007f4b64 /system/lib64/libv8_shared.so(v8::internal::KeyAccumulator::CollectKeys(v8::internal::DirectHandle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSReceiver>)+316)
08 pc 00000000007f4218 /system/lib64/libv8_shared.so(v8::internal::FastKeyAccumulator::GetKeys(v8::internal::GetKeysConversion)+220)
09 pc 00000000009084f8 /system/lib64/libv8_shared.so(v8::internal::Runtime_ForInEnumerate(int, unsigned long*, v8::internal::Isolate*)+324)
10 pc 00000000002c2240 /system/lib64/libv8_shared.so(Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit+96)
11 pc 00000000002a02b8 /system/lib64/libv8_shared.so(Builtins_ForInEnumerate+152)
12 pc 000000000ae855e0 [anon:JSVM_JIT_26547]

4. JSVMPointerValue 构造阶段触发 Mapping error82

  • 修改日期:2026-03-10
  • 版本:0.82.17
  • 问题描述:JSVMPointerValue 构造阶段成员初始化顺序不稳,引用对象在早期状态下参与后续链表或引用操作时,可能触发 libjsvm.so Mapping error82
  • 影响模块:JSVMRuntime / JSVMPointerValue
  • 提交 / PR:431297d2e / !2361
  • 详细修复内容:把 reference 提前初始化为空,再初始化 env 和链表节点相关状态,减少构造早期对象被错误消费的机会,稳定 JSVM 引用包装对象的创建流程。

5. JSVM 销毁阶段 UAF 崩溃

  • 修改日期:2026-03-12
  • 版本:0.82.18
  • 问题描述:JSVM 环境销毁期间,JSVMPointerValue 仍尝试删除引用或清理包装对象,导致 OH_JSVM_DestroyEnv 过程中访问已经失效的 C++/JSVM 状态,引发 use-after-free。
  • 影响模块:JSVMRuntime / JSVMPointerValue
  • 提交 / PR:15c664801 / !2387
  • 详细修复内容:销毁阶段不再从 JSVMPointerValue 调用 OH_JSVM_DeleteReference 去触碰正在关闭的 env,同时调整 JSVMRuntime::~JSVMRuntime 的析构顺序,先销毁 JSVM env/VM,再释放指针值链表,避免 teardown 期间的交叉访问。

6. ShadowView 组件名悬空指针风险

  • 修改日期:2026-03-12
  • 版本:0.82.18
  • 问题描述:isCAPIComponentByTag 先从组件实例取出组件名,再把临时字符串的 c_str() 填给 ShadowView.componentName。如果后续调用链延迟消费该字段,就可能读到失效内存。
  • 影响模块:MountingManagerCAPI / ShadowView
  • 提交 / PR:ab62e9d2f / !2384
  • 详细修复内容:改为先校验组件实例是否存在,再把组件名保存到局部 std::string 中,并用该字符串构造 ShadowView。这样 componentNameisCAPIComponent 调用期间保持有效,避免临时对象释放后留下悬空指针。