Bug 16392

Summary: Crash on undo after editing text and closing tab
Product: WebKit Reporter: Jeff Johnson <opendarwin>
Component: HTML EditingAssignee: Nobody <webkit-unassigned>
Status: REOPENED ---    
Severity: Normal CC: justin.garcia, mrowe
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Sample Xcode project demonstrating crash
none
Crash log none

Description Jeff Johnson 2007-12-10 20:41:23 PST 
Overview Description:
If you type in a text field in a WebView, the Edit/Undo menu item becomes enabled.  However, if the WebView is the subview of a tab view item, and the tab view item is removed, deallocating the WebView, the Undo menu item still remains enabled.  If you then try to undo, the app will crash.

Steps to Reproduce:
(1) Build and run the attached UndoCrash sample Xcode project.
(2) In the text field below the WebView, enter the URL of a page containing a text field, e.g., <http://trac.webkit.org/projects/webkit/changeset/22065>, and press return to load the page.
(3) When the page has finished loading, enter some text in the Search text field.
(4) Notice that the Edit/Undo menu item is enabled.
(5) Press the "Remove Tab" button to remove the tab.
(6) Notice that the Edit/Undo menu item is still enabled.
(7) Type command-z to undo.

Actual Results:
The application crashed.  The backtrace is below.


Expected Results:
The Edit/Undo menu item should not be enabled after the tab is removed, and the application should not crash.

Build Date & Platform:
MacBook Pro Intel Core 2 Duo, Mac OS X 10.4.11.

Additional Builds and Platforms:
MacBook Pro Intel Core 2 Duo, WebKit revision 28605 (TOT).
iBook G4, Mac OS X 10.4.11.

Notes:
Attached sample Xcode project as UndoCrash.zip.
Backtrace of crash:

#0  0x90a594c7 in objc_msgSend ()
#1  0x928aa2e8 in -[_NSUndoLightInvocation invoke] ()
#2  0x928aa0d3 in -[_NSUndoStack popAndInvoke] ()
#3  0x928a9f65 in -[NSUndoManager undoNestedGroup] ()
#4  0x93362dbc in -[NSApplication sendAction:to:from:] ()
#5  0x93410d0f in -[NSMenu performActionForItemAtIndex:] ()
#6  0x93410a51 in -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] ()
#7  0x934106a8 in -[NSMenu performKeyEquivalent:] ()
#8  0x93410149 in -[NSApplication _handleKeyEquivalent:] ()
#9  0x93343dbb in -[NSApplication sendEvent:] ()
#10 0x9326ee1e in -[NSApplication run] ()
#11 0x93262d4f in NSApplicationMain ()
#12 0x00001ed8 in main (argc=1, argv=0xbffff99c) at /Users/jeff/Documents/Programming/TestProjects/UndoCrash/main.m:13
Comment 1 Jeff Johnson 2007-12-10 20:42:22 PST 
Created attachment 17834 [details]
Sample Xcode project demonstrating crash
Comment 3 Jeff Johnson 2007-12-10 20:54:50 PST 
Created attachment 17835 [details]
Crash log
Comment 4 Mark Rowe (bdash) 2007-12-10 20:58:12 PST 
(gdb) set env NSZombieEnabled=YES
(gdb) set env NSDeallocateZombies=YES
(gdb) r
Starting program: /Volumes/Data/Home/Downloads/UndoCrash/build/Debug/UndoCrash.app/Contents/MacOS/UndoCrash 
2007-12-11 15:57:14.632 UndoCrash[4627:813] *** -[WebFramePrivate undoEditing:]: message sent to deallocated instance 0x127690

Program received signal SIGTRAP, Trace/breakpoint trap.
0x92769a27 in ___forwarding___ ()
(gdb) bt
#0  0x92769a27 in ___forwarding___ ()
#1  0x92769b32 in __forwarding_prep_0___ ()
#2  0x90e666c2 in -[_NSUndoLightInvocation invoke] ()
#3  0x90e54204 in -[_NSUndoStack popAndInvoke] ()
#4  0x90e54007 in -[NSUndoManager undoNestedGroup] ()
#5  0x91f5df94 in -[NSApplication sendAction:to:from:] ()
#6  0x9200c868 in -[NSMenu performActionForItemAtIndex:] ()
#7  0x9200c56d in -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] ()
#8  0x91fe9482 in AppKitMenuEventHandler ()
#9  0x903c4863 in DispatchEventToHandlers ()
#10 0x903c3c9d in SendEventToEventTargetInternal ()
#11 0x903e008e in SendEventToEventTarget ()
#12 0x90414c9d in SendHICommandEvent ()
#13 0x9043b377 in SendMenuCommandWithContextAndModifiers ()
#14 0x9043b334 in SendMenuItemSelectedEvent ()
#15 0x9043b242 in FinishMenuSelection ()
#16 0x90417f32 in MenuSelectCore ()
#17 0x9041791d in _HandleMenuSelection2 ()
#18 0x90417791 in _HandleMenuSelection ()
#19 0x91f2639b in _NSHandleCarbonMenuEvent ()
#20 0x91e8d1f4 in _DPSNextEvent ()
#21 0x91e8c6a0 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#22 0x91e856d1 in -[NSApplication run] ()
#23 0x91e529ba in NSApplicationMain ()
#24 0x00001eec in main (argc=1, argv=0xbffff780) at /Volumes/Data/Home/Downloads/UndoCrash/main.m:13
(gdb)
Comment 5 Mark Rowe (bdash) 2007-12-10 20:59:08 PST 
Definitely looks like the WebView isn't cleaning up after itself.
Comment 6 Alexey Proskuryakov 2007-12-10 23:59:33 PST 
Reproducible crash -> P1.
Comment 7 Alexey Proskuryakov 2008-07-28 01:43:29 PDT 
Still crashes with r35406 under Mac OS X 10.5.4.
Comment 8 Alexey Proskuryakov 2008-07-28 01:44:21 PDT 
<rdar://problem/6105521>
Comment 9 Eric Seidel (no email) 2008-11-10 16:32:12 PST 
It seems that the WebView just needs to call [NSUndoManager removeAllActionsWithTarget:self] before it dies.

http://developer.apple.com/documentation/Cocoa/Reference/Foundation/Classes/NSUndoManager_Class/Reference/Reference.html#//apple_ref/occ/instm/NSUndoManager/removeAllActionsWithTarget:
Comment 10 Eric Seidel (no email) 2008-11-10 16:40:38 PST 
Hum... probably not actually quite that simple.  See:
void WebEditorClient::clearUndoRedoOperations()
WebEditorClient.mm:388
Comment 11 Eric Seidel (no email) 2008-11-10 16:44:57 PST 
I expect what should happen to fix this, is that we should abstract this workaround into a category method on NSUndoManager (Something like _webkit_removeAllActionsWithTarget:) and then call that method instead from WebEditor client... or find some way for WebView to grab at the WebEditorClient (where would that even be?) during its dealloc.  Should be relatively simple to trace through, but I'm going to look at other p1s for the moment.
Comment 12 Justin Garcia 2009-01-29 01:21:29 PST 
Cannot reproduce on 10.5.6 w/ WebKit r40304.
Comment 13 Jeff Johnson 2009-01-31 20:42:31 PST 
This does not seem to be fixed. I just reproduced the crash on 10.5.6 with r40468.