Bug 16392 - Crash on undo after editing text and closing tab
Summary: Crash on undo after editing text and closing tab
Status: REOPENED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: 528+ (Nightly build)
Hardware: Macintosh OS X 10.4
: P1 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2007-12-10 20:41 PST by opendarwin
Modified: 2009-01-31 20:42 PST (History)
2 users (show)

See Also:


Attachments
Sample Xcode project demonstrating crash (18.50 KB, application/octet-stream)
2007-12-10 20:42 PST, opendarwin
no flags Details
Crash log (14.98 KB, text/plain)
2007-12-10 20:54 PST, opendarwin
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description opendarwin 2007-12-10 20:41:23 PST
Overview Description:
If you type in a text field in a WebView, the Edit/Undo menu item becomes enabled.  However, if the WebView is the subview of a tab view item, and the tab view item is removed, deallocating the WebView, the Undo menu item still remains enabled.  If you then try to undo, the app will crash.

Steps to Reproduce:
(1) Build and run the attached UndoCrash sample Xcode project.
(2) In the text field below the WebView, enter the URL of a page containing a text field, e.g., <http://trac.webkit.org/projects/webkit/changeset/22065>, and press return to load the page.
(3) When the page has finished loading, enter some text in the Search text field.
(4) Notice that the Edit/Undo menu item is enabled.
(5) Press the "Remove Tab" button to remove the tab.
(6) Notice that the Edit/Undo menu item is still enabled.
(7) Type command-z to undo.

Actual Results:
The application crashed.  The backtrace is below.


Expected Results:
The Edit/Undo menu item should not be enabled after the tab is removed, and the application should not crash.

Build Date & Platform:
MacBook Pro Intel Core 2 Duo, Mac OS X 10.4.11.

Additional Builds and Platforms:
MacBook Pro Intel Core 2 Duo, WebKit revision 28605 (TOT).
iBook G4, Mac OS X 10.4.11.

Notes:
Attached sample Xcode project as UndoCrash.zip.
Backtrace of crash:

#0  0x90a594c7 in objc_msgSend ()
#1  0x928aa2e8 in -[_NSUndoLightInvocation invoke] ()
#2  0x928aa0d3 in -[_NSUndoStack popAndInvoke] ()
#3  0x928a9f65 in -[NSUndoManager undoNestedGroup] ()
#4  0x93362dbc in -[NSApplication sendAction:to:from:] ()
#5  0x93410d0f in -[NSMenu performActionForItemAtIndex:] ()
#6  0x93410a51 in -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] ()
#7  0x934106a8 in -[NSMenu performKeyEquivalent:] ()
#8  0x93410149 in -[NSApplication _handleKeyEquivalent:] ()
#9  0x93343dbb in -[NSApplication sendEvent:] ()
#10 0x9326ee1e in -[NSApplication run] ()
#11 0x93262d4f in NSApplicationMain ()
#12 0x00001ed8 in main (argc=1, argv=0xbffff99c) at /Users/jeff/Documents/Programming/TestProjects/UndoCrash/main.m:13
Comment 1 opendarwin 2007-12-10 20:42:22 PST
Created attachment 17834 [details]
Sample Xcode project demonstrating crash
Comment 3 opendarwin 2007-12-10 20:54:50 PST
Created attachment 17835 [details]
Crash log
Comment 4 Mark Rowe (bdash) 2007-12-10 20:58:12 PST
(gdb) set env NSZombieEnabled=YES
(gdb) set env NSDeallocateZombies=YES
(gdb) r
Starting program: /Volumes/Data/Home/Downloads/UndoCrash/build/Debug/UndoCrash.app/Contents/MacOS/UndoCrash 
2007-12-11 15:57:14.632 UndoCrash[4627:813] *** -[WebFramePrivate undoEditing:]: message sent to deallocated instance 0x127690

Program received signal SIGTRAP, Trace/breakpoint trap.
0x92769a27 in ___forwarding___ ()
(gdb) bt
#0  0x92769a27 in ___forwarding___ ()
#1  0x92769b32 in __forwarding_prep_0___ ()
#2  0x90e666c2 in -[_NSUndoLightInvocation invoke] ()
#3  0x90e54204 in -[_NSUndoStack popAndInvoke] ()
#4  0x90e54007 in -[NSUndoManager undoNestedGroup] ()
#5  0x91f5df94 in -[NSApplication sendAction:to:from:] ()
#6  0x9200c868 in -[NSMenu performActionForItemAtIndex:] ()
#7  0x9200c56d in -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] ()
#8  0x91fe9482 in AppKitMenuEventHandler ()
#9  0x903c4863 in DispatchEventToHandlers ()
#10 0x903c3c9d in SendEventToEventTargetInternal ()
#11 0x903e008e in SendEventToEventTarget ()
#12 0x90414c9d in SendHICommandEvent ()
#13 0x9043b377 in SendMenuCommandWithContextAndModifiers ()
#14 0x9043b334 in SendMenuItemSelectedEvent ()
#15 0x9043b242 in FinishMenuSelection ()
#16 0x90417f32 in MenuSelectCore ()
#17 0x9041791d in _HandleMenuSelection2 ()
#18 0x90417791 in _HandleMenuSelection ()
#19 0x91f2639b in _NSHandleCarbonMenuEvent ()
#20 0x91e8d1f4 in _DPSNextEvent ()
#21 0x91e8c6a0 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#22 0x91e856d1 in -[NSApplication run] ()
#23 0x91e529ba in NSApplicationMain ()
#24 0x00001eec in main (argc=1, argv=0xbffff780) at /Volumes/Data/Home/Downloads/UndoCrash/main.m:13
(gdb) 

Comment 5 Mark Rowe (bdash) 2007-12-10 20:59:08 PST
Definitely looks like the WebView isn't cleaning up after itself.
Comment 6 Alexey Proskuryakov 2007-12-10 23:59:33 PST
Reproducible crash -> P1.
Comment 7 Alexey Proskuryakov 2008-07-28 01:43:29 PDT
Still crashes with r35406 under Mac OS X 10.5.4.
Comment 8 Alexey Proskuryakov 2008-07-28 01:44:21 PDT
<rdar://problem/6105521>
Comment 9 Eric Seidel (no email) 2008-11-10 16:32:12 PST
It seems that the WebView just needs to call [NSUndoManager removeAllActionsWithTarget:self] before it dies.

http://developer.apple.com/documentation/Cocoa/Reference/Foundation/Classes/NSUndoManager_Class/Reference/Reference.html#//apple_ref/occ/instm/NSUndoManager/removeAllActionsWithTarget:
Comment 10 Eric Seidel (no email) 2008-11-10 16:40:38 PST
Hum... probably not actually quite that simple.  See:
void WebEditorClient::clearUndoRedoOperations()
WebEditorClient.mm:388
Comment 11 Eric Seidel (no email) 2008-11-10 16:44:57 PST
I expect what should happen to fix this, is that we should abstract this workaround into a category method on NSUndoManager (Something like _webkit_removeAllActionsWithTarget:) and then call that method instead from WebEditor client... or find some way for WebView to grab at the WebEditorClient (where would that even be?) during its dealloc.  Should be relatively simple to trace through, but I'm going to look at other p1s for the moment.
Comment 12 Justin Garcia 2009-01-29 01:21:29 PST
Cannot reproduce on 10.5.6 w/ WebKit r40304.
Comment 13 opendarwin 2009-01-31 20:42:31 PST
This does not seem to be fixed. I just reproduced the crash on 10.5.6 with r40468.