Chrome_Mac: Crash Report - [Cocoa Zombie] -[NSEvent _cgsEventTime]
Issue description
reporter: pnangunoori@google.com
Magic Signature: [Cocoa Zombie] -[NSEvent _cgsEventTime]
Crash link: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Mac%27+AND+expanded_custom_data.ChromeCrashProto.channel%3D%27beta%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27browser%27+AND+expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BCocoa+Zombie%5D+-%5BNSEvent+_cgsEventTime%5D%27&engine=dremel&stbtiq=&reportid=&index=0

-------------------------------------------------------------------------------
Sample Report
-------------------------------------------------------------------------------
Product name: Chrome_Mac
Magic Signature : [Cocoa Zombie] -[NSEvent _cgsEventTime]
Product Version: 69.0.3497.32
Process type: browser
Report ID: c3153795a6cf8a6c
Report Url: https://crash.corp.google.com/c3153795a6cf8a6c
Report Time: 2018-08-13T10:56:25-07:00
Upload Time: 2018-08-13T10:56:28.963-07:00
Uptime: 6864000 ms
OS Name: Mac OS X
OS Version: 10.14.0 18A353d
CPU Architecture: amd64
CPU Info: family 6 model 70 stepping 1

-------------------------------------------------------------------------------
Crashing thread: Thread index: 0. Stack Quality: 86%. Thread id: 1428695.
-------------------------------------------------------------------------------
0x000000010a49cdac (Google Chrome Framework - objc_zombie.mm: 234) (anonymous namespace)::ZombieObjectCrash(objc_object*, objc_selector*, objc_selector*)
0x000000010a49cc00 (Google Chrome Framework - objc_zombie.mm: 269) -[CrZombie forwardingTargetForSelector:]
0x00007fff52700519 (CoreFoundation + 0x00067519) ___forwarding___
0x00007fff527003b7 (CoreFoundation + 0x000673b7) __forwarding_prep_0___
0x00007fff503b4230 (AppKit + 0x0078f230) -[NSApplication(NSEvent) discardEventsMatchingMask:beforeEvent:]
0x00007fff5043b019 (AppKit + 0x00816019) -[NSTextView _consumeMouseEventsUntilMouseUpStartingWithEvent:]
0x00007fff4ffb9912 (AppKit + 0x00394912) -[NSTextView mouseDown:]
0x000000010b6e3928 (Google Chrome Framework - autocomplete_text_field_editor.mm: 366) -[AutocompleteTextFieldEditor mouseDown:]
0x00007fff4fed5cd4 (AppKit + 0x002b0cd4) -[NSTextField mouseDown:]
0x000000010b6def0b (Google Chrome Framework - autocomplete_text_field.mm: 156) -[AutocompleteTextField mouseDown:]
0x00007fff505536ae (AppKit + 0x0092e6ae) -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:]
0x00007fff50550482 (AppKit + 0x0092b482) -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:]
0x00007fff5054f744 (AppKit + 0x0092a744) -[NSWindow(NSEventRouting) sendEvent:]
0x000000010b6a0e9e (Google Chrome Framework - chrome_event_processing_window.mm: 73) -[ChromeEventProcessingWindow sendEvent:]
0x00007fff503b289b (AppKit + 0x0078d89b) -[NSApplication(NSEvent) sendEvent:]
0x0000000108a78dfb (Google Chrome Framework - chrome_browser_application_mac.mm: 328) __34-[BrowserCrApplication sendEvent:]_block_invoke
0x0000000108e50329 (Google Chrome Framework + 0x0232a329) base::mac::CallWithEHFrame(void () block_pointer)
0x0000000108a78aa6 (Google Chrome Framework - chrome_browser_application_mac.mm: 311) -[BrowserCrApplication sendEvent:]
0x00007fff4fc5a8cc (AppKit + 0x000358cc) -[NSApplication run]
0x0000000108e606ab (Google Chrome Framework - message_pump_mac.mm: 808) base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
0x0000000108e5f22d (Google Chrome Framework - message_pump_mac.mm: 184) base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x0000000108e81d64 (Google Chrome Framework - run_loop.cc: 102) <name omitted>
0x0000000108a7ec0a (Google Chrome Framework - chrome_browser_main.cc: 2092) ChromeBrowserMainParts::MainMessageLoopRun(int*)
0x0000000107665113 (Google Chrome Framework - browser_main_loop.cc: 1034) content::BrowserMainLoop::RunMainMessageLoopParts()
0x0000000107667861 (Google Chrome Framework - browser_main_runner_impl.cc: 162) content::BrowserMainRunnerImpl::Run()
0x0000000107661bca (Google Chrome Framework - browser_main.cc: 47) content::BrowserMain(content::MainFunctionParams const&)
0x0000000108a32817 (Google Chrome Framework - content_main_runner_impl.cc: 596) content::ContentMainRunnerImpl::Run(bool)
0x000000010a37a53c (Google Chrome Framework - main.cc: 472) service_manager::Main(service_manager::MainParams const&)
0x0000000108a318c3 (Google Chrome Framework - content_main.cc: 19) content::ContentMain(content::ContentMainParams const&)
0x0000000106b2a1f2 (Google Chrome Framework - chrome_main.cc: 101) ChromeMain
0x00000001059a1dd0 (Google Chrome - chrome_exe_main_mac.cc: 101) main
0x00007fff7f710ea8 (libdyld.dylib + 0x00000ea8) start
0x00007fff7f710ea8 (libdyld.dylib + 0x00000ea8) start

-------------------------------------------------------------------------------
Manual regression range finder link
-------------------------------------------------------------------------------
https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BCocoa+Zombie%5D+-%5BNSEvent+_cgsEventTime%5D%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27browser%27&engine=dremel#-property-selector,-samplereports,+productname,+productversion:1000,+directory,-clientid,+operatingsystem,+url,+simplifiedurl,+extensions
Aug 14

It looks like [NSApplication(NSEvent) discardEventsMatchingMask:beforeEvent:] is draining an autorelease pool (!), thus causing the event it's waiting for to be autoreleased (!!). This crash is seen only on 10.14.0 18A353d and 18A347e, not on any other macOS release. I strongly suspect this is an AppKit bug on 10.14 and not a Chrome bug. I'm assigning this to avi@ - please file a radar about this :)

Zombie stack:
0x03977312 [Google Chrome Framework - objc_zombie.mm:134] (anonymous namespace)::ZombieDealloc(objc_object*, objc_selector*)
0x0015da3c [AppKit + 0x15da3c] -[NSEvent dealloc]
0x0000ac8c [libobjc.A.dylib + 0xac8c] (anonymous namespace)::AutoreleasePoolPage::pop(void*)
0x0092a2e0 [AppKit + 0x92a2e0] -[NSWindow(NSEventRouting) trackEventsMatchingMask:timeout:mode:handler:]
0x00815fef [AppKit + 0x815fef] -[NSTextView _consumeMouseEventsUntilMouseUpStartingWithEvent:]
0x00394913 [AppKit + 0x394913] -[NSTextView mouseDown:]
0x04bbd929 [Google Chrome Framework - autocomplete_text_field_editor.mm:367] -[AutocompleteTextFieldEditor mouseDown:]
0x002b0cd5 [AppKit + 0x2b0cd5] -[NSTextField mouseDown:]
0x04bb8f0c [Google Chrome Framework - autocomplete_text_field.mm:166] -[AutocompleteTextField mouseDown:]
0x0092e6af [AppKit + 0x92e6af] -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:]
0x0092b483 [AppKit + 0x92b483] -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:]
0x0092a745 [AppKit + 0x92a745] -[NSWindow(NSEventRouting) sendEvent:]
0x04b7ae9f [Google Chrome Framework - chrome_event_processing_window.mm:74] -[ChromeEventProcessingWindow sendEvent:]
0x0078d89c [AppKit + 0x78d89c] -[NSApplication(NSEvent) sendEvent:]
0x01f52dfc [Google Chrome Framework - chrome_browser_application_mac.mm:0] __34-[BrowserCrApplication sendEvent:]_block_invoke
0x0232a32a [Google Chrome Framework + 0x232a32a] base::mac::CallWithEHFrame(void () block_pointer)
0x01f52aa7 [Google Chrome Framework - crash_key.h:187] -[BrowserCrApplication sendEvent:]
0x000358cd [AppKit + 0x358cd] -[NSApplication run]
0x0233a6ac [Google Chrome Framework - message_pump_mac.mm:824] base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
0x0233922e [Google Chrome Framework - message_pump_mac.mm:306] base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
Aug 14

The implementation of discardEventsMatchingMask:beforeEvent: hasn't really changed from 10.13 to 10.14 at first glance. I'll keep looking at it.
Aug 14

--Stability-Sheriff-Desktop - please re-add if this needs any further attention from stability sheriffs!
Aug 15

The key lines seem to be

0x0000ac8c (anonymous namespace)::AutoreleasePoolPage::pop(void*)
0x0092a2e0 -[NSWindow(NSEventRouting) trackEventsMatchingMask:timeout:mode:handler:]

loc_92a2a5:
    r13 = objc_autoreleasePoolPush();
    rax = [var_68 nextEventMatchingMask:var_70 untilDate:rax inMode:var_80 dequeue:0x1];
    rax = (*(rbx + 0x10))(rbx, rax, &var_29);
    objc_autoreleasePoolPop(r13);
    if (var_29 == 0x0) goto loc_92a26e;

It's not clear to me why they're using @autoreleasepool {} around -[NSWindow nextEventMatchingMask:untilDate:inMode:dequeue:], but that didn't change between 10.13 and 10.14.
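The pattern the two comments above describe (an autoreleased object fetched inside a pool that is popped before the caller is done with it, then a message sent to the freed object) can be reproduced outside AppKit. The program below is an added illustration, not code from Chromium or from AppKit; NextEvent, BuggyTrackLoop and FixedTrackLoop are hypothetical names standing in for -[NSWindow nextEventMatchingMask:untilDate:inMode:dequeue:], the tracking loop in the disassembly, and its corrected form. It is written with manual reference counting so the autorelease semantics are visible, and it relies on Foundation's own NSZombieEnabled detector, which plays the role Chromium's CrZombie (objc_zombie.mm in the crash stack) plays in shipping builds.

```objc
// zombie_pool.m -- added illustration of the autorelease-pool hazard; not
// Chromium or AppKit code.  Build without ARC so retain/release are explicit:
//   clang -fno-objc-arc -framework Foundation zombie_pool.m -o zombie_pool
// Run with the system zombie detector so the use-after-free is reported
// instead of silently reading freed memory:
//   NSZombieEnabled=YES ./zombie_pool
#import <Foundation/Foundation.h>

// Hypothetical stand-in for -nextEventMatchingMask:untilDate:inMode:dequeue:.
// Like most Cocoa "get" methods it returns a +0 (autoreleased) object whose
// only owner is the innermost autorelease pool at the time of the call.
static id NextEvent(void) {
  return [[[NSObject alloc] init] autorelease];
}

// Same shape as the disassembled tracking loop: push a pool, fetch the event,
// pop the pool, and keep using the event afterwards.  Nothing retained the
// event across the pop, so the pop deallocates it and `ev` dangles.
static void BuggyTrackLoop(void) {
  id ev;
  @autoreleasepool {
    ev = NextEvent();
  }  // pool popped here: -dealloc runs on `ev`
  // Message to a deallocated instance.  With NSZombieEnabled=YES Foundation
  // reports "message sent to deallocated instance" and stops the process;
  // without it the read may succeed, return garbage, or crash later.
  NSLog(@"buggy: %@", [ev description]);
}

// Corrected form: take ownership before the pool goes away and give it back
// when finished.  Widening the pool to cover the use would work as well.
static void FixedTrackLoop(void) {
  id ev;
  @autoreleasepool {
    ev = [NextEvent() retain];  // +1 reference survives the pop
  }
  NSLog(@"fixed: %@", [ev description]);
  [ev release];
}

int main(int argc, char **argv) {
  @autoreleasepool {
    FixedTrackLoop();
    BuggyTrackLoop();  // terminates here when NSZombieEnabled=YES
  }
  return 0;
}
```

Run it once with and once without NSZombieEnabled=YES: the zombie run fails deterministically at the first message to the freed object, which is the same detection point as the ZombieObjectCrash frame at the top of the crashing thread, whereas the plain run is at the mercy of the allocator. That difference is why a crash of this kind shows up only as a [Cocoa Zombie] signature and never as a plain segfault in the same place.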
Aug 15

Will file a radar.
Aug 15

rdar://43338442
Sep 7

Closed as a dup of rdar://42872487
Comment 1 by pnangunoori@chromium.org, Aug 14
Components: Internals
Labels: -Type-Bug -Pri-2 RegressedIn-69 Stability-Sheriff-Desktop TE-CrashTriage M-69 Proj-MacMojave Target-69 FoundIn-69 Pri-1 Type-Bug-Regression