This is in Radar as <rdar://problem/8395558>.

The method -[NSArray _web_makePluginViewsPerformSelector:withObject:], which is implemented in WebHTMLView.mm, uses -[NSArray objectEnumerator] to enumerate the receiver array. The two callers to this method both send it to [self subviews]. [NSView subviews] returns the "live" mutable NSArray holding a view's subviews, so if the selector causes the view's subviews to change, the array will be mutated while it's being enumerated, which is an ObjC no-no that causes an NSException to be thrown (and ensuing havoc).
Created attachment 67870: Patch to avoid mutating array while enumerating it.
Comment on attachment 67870: Patch to avoid mutating array while enumerating it.

Historically, objectEnumerator created a copy of the entire array! I'm surprised that it has changed so that it no longer does so. Does this work properly when there are no subviews? Instead of initWithArray: you could have used the copy method. r=me
The fast enumeration introduced with ObjC-2.0 is used with objectEnumerator; that's when the prohibition against mutating a collection while enumerating it began. Other bugs like this have been fixed in WebKit, though maybe the others were all a long time ago (e.g. <http://trac.webkit.org/changeset/24827>). initWithArray: will return an empty array when passed nil, but the documentation is not clear about this. -copy will call -initWithArray:, but I guess it's a little bit better because it's unambiguous about what you'll get with a nil initial array, so I'll switch to using that. Thanks for reviewing!
Fixed in r67691.
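
The failure and the copy-before-enumerating fix discussed in this thread, as an added example that is not the WebKit patch: the category, its two methods and the sample strings are hypothetical, the loop uses for-in fast enumeration rather than -objectEnumerator, and a plain NSMutableArray stands in for the live subviews array.

```objective-c
// Build (assumed toolchain): clang -fobjc-arc example.m -framework Foundation
#import <Foundation/Foundation.h>

// Hypothetical category for illustration; not WebKit's code.
@interface NSArray (ExampleEnumeration)
- (void)example_performLive:(void (^)(id obj))block;
- (void)example_performOnSnapshot:(void (^)(id obj))block;
@end

@implementation NSArray (ExampleEnumeration)

// Pattern from the report: enumerate the receiver itself. If the callback
// mutates the receiver, the runtime's mutation check raises an exception.
- (void)example_performLive:(void (^)(id obj))block {
    for (id obj in self) {
        block(obj);
    }
}

// Pattern from the fix: enumerate an immutable copy, so the callback is free
// to change the receiver. The copy also retains each element for the loop.
- (void)example_performOnSnapshot:(void (^)(id obj))block {
    NSArray *snapshot = [self copy];
    for (id obj in snapshot) {
        block(obj);
    }
}

@end

int main(void) {
    @autoreleasepool {
        // Constructed stand-in for a view's live, mutable subview list.
        NSMutableArray *subviews = [@[@"pluginA", @"pluginB", @"pluginC"] mutableCopy];
        // Callback that changes the list it is being called from.
        void (^removeSelf)(id) = ^(id obj) { [subviews removeObject:obj]; };

        @try {
            [subviews example_performLive:removeSelf];
        } @catch (NSException *e) {
            NSLog(@"live enumeration raised %@: %@", e.name, e.reason);
        }

        [subviews setArray:@[@"pluginA", @"pluginB", @"pluginC"]];
        [subviews example_performOnSnapshot:removeSelf];
        NSLog(@"after snapshot pass: %lu left", (unsigned long)subviews.count);
    }
    return 0;
}
```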