[Chrome] -[NSTextView mouseDown:] zombie accesses NSEvents it just autoreleased

Originator: motownavi
Number: rdar://43338442
Date Originated: August 15 2018
Status: Open
Resolved:
Product: macOS + SDK
Product Version: Mojave
Classification: Crash
Reproducible:

This is a Mojave crash we see in our crash reports. It is new in 10.14.0 18A353d and 18A347e.

In Chromium we have a zombie treadmill. Essentially we run with NSZombiesEnabled in production Chromes we ship to users. This allows us to debug our zombie issues. We seem to have caught a Mojave zombie issue.

The msgsend to the zombie is:

0x000000010a49cdac (Google Chrome Framework - objc_zombie.mm: 234)	(anonymous namespace)::ZombieObjectCrash(objc_object*, objc_selector*, objc_selector*)
0x000000010a49cc00 (Google Chrome Framework - objc_zombie.mm: 269)	-[CrZombie forwardingTargetForSelector:]
0x00007fff52700519 (CoreFoundation + 0x00067519)	___forwarding___
0x00007fff527003b7 (CoreFoundation + 0x000673b7)	__forwarding_prep_0___
0x00007fff503b4230 (AppKit + 0x0078f230)	-[NSApplication(NSEvent) discardEventsMatchingMask:beforeEvent:]
0x00007fff5043b019 (AppKit + 0x00816019)	-[NSTextView _consumeMouseEventsUntilMouseUpStartingWithEvent:]
0x00007fff4ffb9912 (AppKit + 0x00394912)	-[NSTextView mouseDown:]

This message was attempting to send the -_cgsEventTime message to a deallocated NSEvent. What is interesting is that the NSEvent was deallocated at:

0x03977312 [Google Chrome Framework - objc_zombie.mm:134] (anonymous namespace)::ZombieDealloc(objc_object*, objc_selector*)
0x0015da3c [AppKit + 0x15da3c] -[NSEvent dealloc]
0x0000ac8c [libobjc.A.dylib + 0xac8c] (anonymous namespace)::AutoreleasePoolPage::pop(void*)
0x0092a2e0 [AppKit + 0x92a2e0] -[NSWindow(NSEventRouting) trackEventsMatchingMask:timeout:mode:handler:]
0x00815fef [AppKit + 0x815fef] -[NSTextView _consumeMouseEventsUntilMouseUpStartingWithEvent:]
0x00394913 [AppKit + 0x394913] -[NSTextView mouseDown:]

What appears to be happening is that -[NSTextView _consumeMouseEventsUntilMouseUpStartingWithEvent:] is

1. calling -[NSWindow(NSEventRouting) trackEventsMatchingMask:timeout:mode:handler:], which uses an @autoreleasepool {} block to dispose of events
2. calling -[NSApplication(NSEvent) discardEventsMatchingMask:beforeEvent:], which queries the event times of NSEvents that were already released and deallocated in step 1
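The two-step failure above, reduced to a stand-alone reproduction (an added example, not Chromium's or AppKit's code): a hypothetical TrackedEvent stands in for NSEvent, consumeEventsBuggy models the report's reading of trackEventsMatchingMask:timeout:mode:handler: handing back an event that its inner pool has already drained, and consumeEventsFixed shows the ownership that keeps the event alive across the pool pop.

```objc
#import <Foundation/Foundation.h>

// Hypothetical stand-in for NSEvent; logs its dealloc so pool pops are visible.
@interface TrackedEvent : NSObject
@property (nonatomic, assign) NSTimeInterval timestamp;
@end
@implementation TrackedEvent
- (void)dealloc { NSLog(@"dealloc %p", self); [super dealloc]; }
@end

// Buggy: events are created autoreleased inside a local pool and the last one
// is returned as a bare pointer. The pool pop at the closing brace releases
// it, so the caller gets a dangling pointer (a zombie under NSZombieEnabled).
static TrackedEvent *consumeEventsBuggy(void) {
    TrackedEvent *last = nil;
    @autoreleasepool {
        for (int i = 0; i < 3; i++) {
            last = [[[TrackedEvent alloc] init] autorelease];
            last.timestamp = i;
        }
    }                 // inner pool pops here: every event is deallocated
    return last;      // any use of this pointer is a use-after-free
}

// Fixed: the object that must outlive the inner pool is owned (+1) across
// the pop and handed to the caller's pool only after it.
static TrackedEvent *consumeEventsFixed(void) {
    TrackedEvent *last = nil;
    @autoreleasepool {
        for (int i = 0; i < 3; i++) {
            [last release];                       // drop the previous event
            last = [[TrackedEvent alloc] init];   // +1, survives the pop
            last.timestamp = i;
        }
    }
    return [last autorelease];                    // now owned by the outer pool
}

int main(void) {
    @autoreleasepool {
        TrackedEvent *ok = consumeEventsFixed();
        NSLog(@"fixed: timestamp %.0f", ok.timestamp);
        TrackedEvent *bad = consumeEventsBuggy();
        NSLog(@"buggy: timestamp %.0f", bad.timestamp); // crashes with zombies on
    }
    return 0;
}
```

Build with manual retain/release so the pool semantics are explicit (clang -fno-objc-arc -framework Foundation); running with NSZombieEnabled=YES turns the final read into a zombie crash like the report's trace instead of a silent read of freed memory.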

Again, this appears to be new in Mojave. We hope that, given this information and these stack traces, you can track down the issue.

Thank you! Please let us know if we can help.

This is accessible in the Chromium bug tracker as crbug.com/873933
