Bug 16392

Summary:

Crash on undo after editing text and closing tab

Product:

WebKit

Reporter:

Jeff Johnson <opendarwin>

Component:

HTML Editing

Assignee:

Nobody <webkit-unassigned>

Status:

REOPENED

Severity:

Normal

CC:

justin.garcia, mrowe

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Mac

OS:

OS X 10.4

Attachments:

Description	Flags
Sample Xcode project demonstrating crash	none
Crash log	none

Jeff Johnson

Reported 2007-12-10 20:41:23 PST

Overview Description: If you type in a text field in a WebView, the Edit/Undo menu item becomes enabled. However, if the WebView is the subview of a tab view item, and the tab view item is removed, deallocating the WebView, the Undo menu item still remains enabled. If you then try to undo, the app will crash. Steps to Reproduce: (1) Build and run the attached UndoCrash sample Xcode project. (2) In the text field below the WebView, enter the URL of a page containing a text field, e.g., <http://trac.webkit.org/projects/webkit/changeset/22065>, and press return to load the page. (3) When the page has finished loading, enter some text in the Search text field. (4) Notice that the Edit/Undo menu item is enabled. (5) Press the "Remove Tab" button to remove the tab. (6) Notice that the Edit/Undo menu item is still enabled. (7) Type command-z to undo. Actual Results: The application crashed. The backtrace is below. Expected Results: The Edit/Undo menu item should not be enabled after the tab is removed, and the application should not crash. Build Date & Platform: MacBook Pro Intel Core 2 Duo, Mac OS X 10.4.11. Additional Builds and Platforms: MacBook Pro Intel Core 2 Duo, WebKit revision 28605 (TOT). iBook G4, Mac OS X 10.4.11. Notes: Attached sample Xcode project as UndoCrash.zip. Backtrace of crash: #0 0x90a594c7 in objc_msgSend () #1 0x928aa2e8 in -[_NSUndoLightInvocation invoke] () #2 0x928aa0d3 in -[_NSUndoStack popAndInvoke] () #3 0x928a9f65 in -[NSUndoManager undoNestedGroup] () #4 0x93362dbc in -[NSApplication sendAction:to:from:] () #5 0x93410d0f in -[NSMenu performActionForItemAtIndex:] () #6 0x93410a51 in -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] () #7 0x934106a8 in -[NSMenu performKeyEquivalent:] () #8 0x93410149 in -[NSApplication _handleKeyEquivalent:] () #9 0x93343dbb in -[NSApplication sendEvent:] () #10 0x9326ee1e in -[NSApplication run] () #11 0x93262d4f in NSApplicationMain () #12 0x00001ed8 in main (argc=1, argv=0xbffff99c) at /Users/jeff/Documents/Programming/TestProjects/UndoCrash/main.m:13

Attachments
Sample Xcode project demonstrating crash (18.50 KB, application/octet-stream) 2007-12-10 20:42 PST, Jeff Johnson	no flags	Details
Crash log (14.98 KB, text/plain) 2007-12-10 20:54 PST, Jeff Johnson	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Jeff Johnson

Comment 1 2007-12-10 20:42:22 PST

Created attachment 17834 [details] Sample Xcode project demonstrating crash

Jeff Johnson

Comment 2 2007-12-10 20:46:49 PST

Related bugs: <http://bugs.webkit.org/show_bug.cgi?id=14152>, <http://bugs.webkit.org/show_bug.cgi?id=8095>, <http://bugs.webkit.org/show_bug.cgi?id=8109>.

Jeff Johnson

Comment 3 2007-12-10 20:54:50 PST

Created attachment 17835 [details] Crash log

Mark Rowe (bdash)

Comment 4 2007-12-10 20:58:12 PST

(gdb) set env NSZombieEnabled=YES (gdb) set env NSDeallocateZombies=YES (gdb) r Starting program: /Volumes/Data/Home/Downloads/UndoCrash/build/Debug/UndoCrash.app/Contents/MacOS/UndoCrash 2007-12-11 15:57:14.632 UndoCrash[4627:813] *** -[WebFramePrivate undoEditing:]: message sent to deallocated instance 0x127690 Program received signal SIGTRAP, Trace/breakpoint trap. 0x92769a27 in ___forwarding___ () (gdb) bt #0 0x92769a27 in ___forwarding___ () #1 0x92769b32 in __forwarding_prep_0___ () #2 0x90e666c2 in -[_NSUndoLightInvocation invoke] () #3 0x90e54204 in -[_NSUndoStack popAndInvoke] () #4 0x90e54007 in -[NSUndoManager undoNestedGroup] () #5 0x91f5df94 in -[NSApplication sendAction:to:from:] () #6 0x9200c868 in -[NSMenu performActionForItemAtIndex:] () #7 0x9200c56d in -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] () #8 0x91fe9482 in AppKitMenuEventHandler () #9 0x903c4863 in DispatchEventToHandlers () #10 0x903c3c9d in SendEventToEventTargetInternal () #11 0x903e008e in SendEventToEventTarget () #12 0x90414c9d in SendHICommandEvent () #13 0x9043b377 in SendMenuCommandWithContextAndModifiers () #14 0x9043b334 in SendMenuItemSelectedEvent () #15 0x9043b242 in FinishMenuSelection () #16 0x90417f32 in MenuSelectCore () #17 0x9041791d in _HandleMenuSelection2 () #18 0x90417791 in _HandleMenuSelection () #19 0x91f2639b in _NSHandleCarbonMenuEvent () #20 0x91e8d1f4 in _DPSNextEvent () #21 0x91e8c6a0 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #22 0x91e856d1 in -[NSApplication run] () #23 0x91e529ba in NSApplicationMain () #24 0x00001eec in main (argc=1, argv=0xbffff780) at /Volumes/Data/Home/Downloads/UndoCrash/main.m:13 (gdb)

Mark Rowe (bdash)

Comment 5 2007-12-10 20:59:08 PST

Definitely looks like the WebView isn't cleaning up after itself.

Alexey Proskuryakov

Comment 6 2007-12-10 23:59:33 PST

Reproducible crash -> P1.

Alexey Proskuryakov

Comment 7 2008-07-28 01:43:29 PDT

Still crashes with r35406 under Mac OS X 10.5.4.

Alexey Proskuryakov

Comment 8 2008-07-28 01:44:21 PDT

<rdar://problem/6105521>

Eric Seidel (no email)

Comment 9 2008-11-10 16:32:12 PST

It seems that the WebView just needs to call [NSUndoManager removeAllActionsWithTarget:self] before it dies. http://developer.apple.com/documentation/Cocoa/Reference/Foundation/Classes/NSUndoManager_Class/Reference/Reference.html#//apple_ref/occ/instm/NSUndoManager/removeAllActionsWithTarget:

Eric Seidel (no email)

Comment 10 2008-11-10 16:40:38 PST

Hum... probably not actually quite that simple. See: void WebEditorClient::clearUndoRedoOperations() WebEditorClient.mm:388

Eric Seidel (no email)

Comment 11 2008-11-10 16:44:57 PST

I expect what should happen to fix this, is that we should abstract this workaround into a category method on NSUndoManager (Something like _webkit_removeAllActionsWithTarget:) and then call that method instead from WebEditor client... or find some way for WebView to grab at the WebEditorClient (where would that even be?) during its dealloc. Should be relatively simple to trace through, but I'm going to look at other p1s for the moment.

Justin Garcia

Comment 12 2009-01-29 01:21:29 PST

Cannot reproduce on 10.5.6 w/ WebKit r40304.

Jeff Johnson

Comment 13 2009-01-31 20:42:31 PST

This does not seem to be fixed. I just reproduced the crash on 10.5.6 with r40468.

Note You need to log in before you can comment on or make changes to this bug.