Bug 138961

The same thing: https://groups.google.com/forum/#!topic/ima-sdk/u9yZWccWe3E

This is one of the possible stacks of where this CAAnimation is created. It points to that it's related to HTML audio element, and MPVolumeView / MPVolumeSlider, which has an animation on it. frame #1: 0x000000018bb4498c QuartzCore`+[CAPropertyAnimation animationWithKeyPath:] + 48 16:25 frame #2: 0x000000018c4ab1c8 UIKit`-[UIViewAnimationState animationForLayer:forKey:forView:] + 628 16:25 frame #3: 0x000000018c221724 UIKit`-[UIViewAnimationState actionForLayer:forKey:forView:] + 44 16:25 frame #4: 0x000000018c1e5f44 UIKit`-[UIView(CALayerDelegate) actionForLayer:forKey:] + 140 16:25 frame #5: 0x000000018bb40e88 QuartzCore`-[CALayer actionForKey:] + 104 16:25 frame #6: 0x000000018bb3686c QuartzCore`actionForKey(CALayer*, CA::Transaction*, NSString*) + 100 16:25 frame #7: 0x000000018bb366d8 QuartzCore`CA::Layer::begin_change(CA::Transaction*, unsigned int, objc_object*&) + 176 16:25 frame #8: 0x000000018bb396a0 QuartzCore`CA::Layer::setter(unsigned int, _CAValueType, void const*) + 156 16:25 frame #9: 0x000000018bb40e14 QuartzCore`-[CALayer setOpacity:] + 48 16:25 frame #10: 0x000000018c1e5a5c UIKit`-[UIView(Rendering) setAlpha:] + 104 16:26 frame #11: 0x0000000189c101dc MediaPlayer`-[MPVolumeSlider _layoutForAvailableRoutes] + 1448 16:26 frame #12: 0x0000000189c0eb68 MediaPlayer`-[MPVolumeSlider layoutSubviews] + 80 16:26 frame #13: 0x000000018c1e9648 UIKit`-[UIView(CALayerDelegate) layoutSublayersOfLayer:] + 572 16:26 frame #14: 0x000000018bb41994 QuartzCore`-[CALayer layoutSublayers] + 168 16:26 frame #15: 0x000000018bb3c564 QuartzCore`CA::Layer::layout_if_needed(CA::Transaction*) + 320 16:26 frame #16: 0x000000018c1fda2c UIKit`-[UIView(Hierarchy) layoutBelowIfNeeded] + 160 16:26 frame #17: 0x000000018c203318 UIKit`-[UISlider setValue:animated:] + 196 16:26 frame #18: 0x0000000189c0f358 MediaPlayer`-[MPVolumeSlider volumeController:volumeValueDidChange:] + 92 16:26 frame #19: 0x0000000189c81fc4 MediaPlayer`-[MPVolumeController updateVolumeValue] + 260 16:26 frame #20: 0x0000000189c0ecb0 MediaPlayer`-[MPVolumeSlider didMoveToSuperview] + 144 16:26 frame #21: 0x000000018c1e81dc UIKit`-[UIView(Hierarchy) _postMovedFromSuperview:] + 484 16:26 frame #22: 0x000000018c1f3cbc UIKit`-[UIView(Internal) _addSubview:positioned:relativeTo:] + 1764 16:26 frame #23: 0x0000000189c11f54 MediaPlayer`-[MPVolumeView _createSubviews] + 264 16:26 frame #24: 0x0000000189c109d4 MediaPlayer`-[MPVolumeView _initWithStyle:] + 240 16:26 frame #25: 0x0000000189c10a60 MediaPlayer`-[MPVolumeView initWithFrame:style:] + 88 16:26 frame #26: 0x0000000195e60684 WebCore`-[WebMediaSessionHelper initWithCallback:] + 132 16:26 frame #27: 0x0000000195e5fdb8 WebCore`WebCore::MediaSessionManageriOS::MediaSessionManageriOS() + 96 16:26 frame #28: 0x0000000195e5fd28 WebCore`WebCore::MediaSessionManager::sharedManager() + 56 16:26 frame #29: 0x0000000195e5e890 WebCore`WebCore::MediaSession::MediaSession(WebCore::MediaSessionClient&) + 44 16:26 frame #30: 0x00000001959a4604 WebCore`WebCore::HTMLMediaSession::create(WebCore::MediaSessionClient&) + 36 16:26 frame #31: 0x000000019598cfb0 WebCore`WebCore::HTMLMediaElement::HTMLMediaElement(WebCore::QualifiedName const&, WebCore::Document&, bool) + 1100 16:26 frame #32: 0x0000000195963fe0 WebCore`WebCore::HTMLAudioElement::create(WebCore::QualifiedName const&, WebCore::Document&, bool) + 64 16:26 frame #33: 0x0000000195978ecc WebCore`WebCore::audioConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) + 92 16:26 frame #34: 0x0000000195978c8c WebCore`WebCore::HTMLElementFactory::createElement(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) + 336 16:26 frame #35: 0x000000019545b51c WebCore`WebCore::HTMLDocument::createElement(WTF::AtomicString const&, int&) + 112 16:26 frame #36: 0x000000019545b418 WebCore`WebCore::jsDocumentPrototypeFunctionCreateElement(JSC::ExecState*) + 364 16:26 frame #37: 0x0000000189226620 JavaScriptCore`llint_entry + 26144 16:26 frame #38: 0x000000018922604c JavaScriptCore`llint_entry + 24652 16:26 frame #39: 0x000000018922604c JavaScriptCore`llint_entry + 24652 16:26 frame #40: 0x000000018922622c JavaScriptCore`llint_entry + 25132 16:27 frame #41: 0x000000018922622c JavaScriptCore`llint_entry + 25132 16:27 frame #42: 0x000000018922604c JavaScriptCore`llint_entry + 24652 16:27 frame #43: 0x000000018921fde4 JavaScriptCore`callToJavaScript + 308 16:27 frame #44: 0x000000018918e448 JavaScriptCore`JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 48 16:27 frame #45: 0x0000000188ef9548 JavaScriptCore`JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 420 16:27 frame #46: 0x0000000189025498 JavaScriptCore`JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 92 16:27 frame #47: 0x0000000195452a4c WebCore`WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 492 16:27 frame #48: 0x00000001954525e0 WebCore`WebCore::ScheduledAction::execute(WebCore::Document*) + 144 16:27 frame #49: 0x0000000195451d84 WebCore`WebCore::DOMTimer::fired() + 508 16:27 frame #50: 0x00000001954517ec WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal() + 148 16:27 frame #51: 0x0000000195451730 WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*) + 36 16:27 frame #52: 0x00000001879f28d8 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 28 16:27 frame #53: 0x00000001879f2588 CoreFoundation`__CFRunLoopDoTimer + 888 16:27 frame #54: 0x00000001879effd4 CoreFoundation`__CFRunLoopRun + 1372 16:27 frame #55: 0x000000018791d0a4 CoreFoundation`CFRunLoopRunSpecific + 396 16:27 frame #56: 0x00000001954d8858 WebCore`RunWebThread(void*) + 468 16:27 frame #57: 0x000000019896be80 libsystem_pthread.dylib`_pthread_body + 164 16:27 frame #58: 0x000000019896bddc libsystem_pthread.dylib`_pthread_start + 160

Moved it to "Platform" category. I think this happens, because iOS-specific WebCore classes (like MediaSessionManageriOS) might be calling UIKit methods from the WebThread, which is not a safe thing to do. In the stack above MediaSessionManageriOS is creating MPVolumeView from the WebThread, which eventually creates some UIView-s. Related code line: https://github.com/WebKit/webkit/blob/master/Source/WebCore/platform/audio/ios/MediaSessionManagerIOS.mm#L239

When fixing this it would be nice to think about how to provide more information in the crash. This is a multithreading issue, and it's very hard to reproduce. Seeing "CAAnimation dealloc" doesn't give a clue. I expect that MediaSessionManageriOS is not the only WebThread UIKit offender, so it would be good to prepare to this happening again.

*** This bug has been marked as a duplicate of bug 138971 ***

(In reply to comment #0) > Crashed: WebThread > EXC_BAD_ACCESS KERN_INVALID_ADDRESS at 0xf000000c > See the stack below. > > This crash existed since 2013, but it increased a lot since iOS 8 release. > 40% of the time it happens on iPhone 5s. > > Stack: > > Thread : Crashed: WebThread (com.apple.root.default-qos.overcommit) > 0 libobjc.A.dylib 0x3a507f46 objc_msgSend + 5 > 1 CoreFoundation 0x2cc2ee5d CFRelease + 600 > 2 QuartzCore 0x2fc0ba65 > CA::release_objects(X::List<void const*>*) + 16 > 3 QuartzCore 0x2fc10dc7 -[CAAnimation dealloc] + 54 > 4 libobjc.A.dylib 0x3a515d5f > objc_object::sidetable_release(bool) + 166 > 5 libobjc.A.dylib 0x3a5161a9 (anonymous > namespace)::AutoreleasePoolPage::pop(void*) + 404 > 6 CoreFoundation 0x2cc39f99 _CFAutoreleasePoolPop + 16 > 7 Foundation 0x2d9780ff -[NSAutoreleasePool drain] + 122 > 8 CFNetwork 0x2c84f9d1 > AutoAutoreleasePool::~AutoAutoreleasePool() + 24 > 9 CFNetwork 0x2c833a43 > ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP > 16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 + 166 > 10 CFNetwork 0x2c78834d > RunloopBlockContext::_invoke_block(void const*, void*) + 60 > 11 CoreFoundation 0x2cc39c7d CFArrayApplyFunction + 36 > 12 CFNetwork 0x2c788207 RunloopBlockContext::perform() > + 182 > 13 CFNetwork 0x2c7880cd MultiplexerSource::perform() + > 216 > 14 CFNetwork 0x2c787f61 > MultiplexerSource::_perform(void*) + 48 > 15 CoreFoundation 0x2ccee377 > __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 14 > 16 CoreFoundation 0x2cced787 __CFRunLoopDoSources0 + 218 > 17 CoreFoundation 0x2ccebded __CFRunLoopRun + 772 > 18 CoreFoundation 0x2cc3a211 CFRunLoopRunSpecific + 476 > 19 CoreFoundation 0x2cc3a023 CFRunLoopRunInMode + 106 > 20 WebCore 0x38061ec3 RunWebThread(void*) + 418 > 21 libsystem_pthread.dylib 0x3abbee93 _pthread_body + 138 > 22 libsystem_pthread.dylib 0x3abbee07 _pthread_start + 118 > > Some related info: > http://stackoverflow.com/questions/26656342/uiwebview-random-crash-at- > uiviewanimationstate-release-message-sent-to-deallo > Sample project: > https://github.com/crarau/WebViewCrash > > Sites that can crash with this: > http://www.amazon.com > http://www.yandex.ru > http://m.vk.com We see this crash very often in our UIWebView-based application (Cordova). I noticed if we reduce size of JS file that we load on the startup, it almost disappears but still exist.

> This crash existed since 2013, but it increased a lot since iOS 8 release. > 40% of the time it happens on iPhone 5s. Reopened because the changes in bug 138971 are to code that was new to iOS 8 (see bug 130855).

Reopened

Hi, friends. This bug occurred since ios8. Today i fixed this bug. @interface H5WebKitBugsManager : NSObject + (void)fixAllBugs; @end #import "H5WebKitBugsManager.h" #import <objc/runtime.h> void H5Swizzle(Class c, SEL orig, SEL new) { Method origMethod = class_getInstanceMethod(c, orig); Method newMethod = class_getInstanceMethod(c, new); if(class_addMethod(c, orig, method_getImplementation(newMethod), method_getTypeEncoding(newMethod))) { class_replaceMethod(c, new, method_getImplementation(origMethod), method_getTypeEncoding(origMethod)); } else { method_exchangeImplementations(origMethod, newMethod); } } @implementation H5WebKitBugsManager + (void)fixAllBugs { [self fixBug_MediaPlayerVolumeView]; } + (void)fixBug_MediaPlayerVolumeView { CGFloat systemVersion = [UIDevice currentDevice].systemVersion.floatValue; if (systemVersion < 8.0f || systemVersion > 9.0) { // 8.0以下没有VolumeView，9.0尚未测试是否由此问题，条件待修改 return; } Class cls = NSClassFromString(@"WebMediaSessionHelper"); NSString *allocateVolumeView = @"allocateVolumeView"; SEL orig = NSSelectorFromString(allocateVolumeView); SEL new = @selector(H5WKBMAllocateVolumeView); Method newMethod = class_getInstanceMethod(self, new); if(class_addMethod(cls, new, method_getImplementation(newMethod), method_getTypeEncoding(newMethod))) { H5Swizzle(cls, orig, new); } } - (void)H5WKBMAllocateVolumeView { // WebKit's MediaSessionManageriOS is a singleton，in MediaSessionManageriOS.m. svn version181,859. static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{ // must be dispatch in background thread [self H5WKBMAllocateVolumeView]; }); }); } @end

tt

<rdar://problem/22758408>

Has anyone observed this crash on iOS9? If so, could you attach a crash log and some information about which app(s) this reproduces on? We think that this might be fixed by http://trac.webkit.org/changeset/182029. Using the websites listed (amazon, m.vk and yandex) as well as the sample app at https://github.com/crarau/WebViewCrash, we haven't been able to reproduce the crash. Thanks!

Found this crash on iOS 9.2.1 Crashed: WebThread EXC_BAD_ACCESS KERN_INVALID_ADDRESS 0x0000000000000010 Thread : Crashed: WebThread 0 libobjc.A.dylib 0x18298dbd0 objc_msgSend + 16 1 UIKit 0x18847cc6c -[UIWebView webView:resource:canAuthenticateAgainstProtectionSpace:forDataSource:] + 92 2 WebKitLegacy 0x187d3991c <redacted> + 76 3 WebKitLegacy 0x187d1dfd0 <redacted> + 184 4 WebCore 0x186e81004 <redacted> + 72 5 WebCore 0x1879037ac <redacted> + 120 6 WebCore 0x187a9f500 <redacted> + 64 7 CFNetwork 0x1838e9bf8 ___ZN27URLConnectionClient_Classic51_delegate_willSendRequestForAuthenticationChallengeEP19_CFURLAuthChallenge_block_invoke + 372 8 CFNetwork 0x1839d0e7c ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 + 108 9 libdispatch.dylib 0x182d615f0 _dispatch_client_callout + 16 10 libdispatch.dylib 0x182d6a92c _dispatch_block_invoke + 540 11 CFNetwork 0x1838cfa88 RunloopBlockContext::_invoke_block(void const*, void*) + 36 12 CoreFoundation 0x1831f10ac CFArrayApplyFunction + 68 13 CFNetwork 0x1838cf96c RunloopBlockContext::perform() + 136 14 CFNetwork 0x1838cf82c MultiplexerSource::perform() + 312 15 CFNetwork 0x1838cf658 MultiplexerSource::_perform(void*) + 68 16 CoreFoundation 0x1832c4efc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24 17 CoreFoundation 0x1832c4990 __CFRunLoopDoSources0 + 540 18 CoreFoundation 0x1832c2690 __CFRunLoopRun + 724 19 CoreFoundation 0x1831f1680 CFRunLoopRunSpecific + 384 20 WebCore 0x186da1998 <redacted> + 456 21 libsystem_pthread.dylib 0x182f77b28 <redacted> + 156 22 libsystem_pthread.dylib 0x182f77a8c _pthread_start + 154 23 libsystem_pthread.dylib 0x182f75028 thread_start + 4

Could you please file a separate bug for that? This doesn't seem related.