Tk Source Code

View Ticket
Ticket UUID: fc5073a451c4cc95d0bebe963d9c440ab3b31481
Title: macOS Aqua : Tk crash
Type: Bug
Version: trunk
Submitter: nab
Created on: 2022-02-04 12:38:37
Subsystem: 11. Aqua Menus
Assigned To: nobody
Priority: 5 Medium
Severity: Minor
Status: Closed
Last Modified: 2023-07-03 02:57:19
Resolution: Fixed
Closed By: chrstphrchvz
Closed on: 2023-07-03 02:57:19
Description:
Hi Marc,

please consider attached script.
it involves baltip (a tooltip extension) but it's the easiest way to trigger it:
https://github.com/aplsimple/baltip

nothing urgent as Wish does not crash when filedialog proc is not coming from a bind...

so to trigger the crash:
-launch the script
-put the mouse over the 'Browse' button
-while 'Import file' tool tip is displayed click on the 'Browse' button
-on the FileDialog window click on 'options' buttons in order to display file filters
-click on the file filter menubutton in order to display available filters and wait

++
User Comments: chrstphrchvz added on 2023-07-03 02:57:19: (text/x-fossil-wiki)
In response to Marc’s comment dated 2022-02-07 14:08:13: my comment on [bb7f5785a5] dated 2023-07-03 02:11:40 tries to explain the crashes in these tickets as well as a more general problem which may still exist.

chrstphrchvz added on 2022-04-10 19:24:10: (text/x-fossil-wiki)
The fix for this issue appears to also resolve another error I’ve encountered (and seen other reports of):

<pre>
objc[19074]: Invalid or prematurely-freed autorelease pool 0x7f8c0789dd40.
</pre>

One trigger for this other error is to destroy the root window immediately after loading Tk but before entering any idle event loops, as done by some Tcl::pTk tests, but also by this example:

<pre>package require Tk
after idle {destroy .}</pre>

For the examples I tried, I notice that the idle task gets handled during <tt>generateExposeEvents:</tt>.

kevin_walzer added on 2022-02-12 16:31:31:
As this fix has been tested with no apparent regressions, I have committed it to core-8-6-branch and trunk.

nab added on 2022-02-09 09:27:30:
after more digging it appears that my winfo exists issue is due to baltip...
so I'm good with Kevin's fix

++

chrstphrchvz added on 2022-02-09 00:27:45: (text/x-fossil-wiki)
Using core-8-6-branch, I do not observe the autorelease corruption issue once the proposed fix is applied. The use-after-free I mentioned seems to occur for any file selection dialog, so I opened a separate issue: [88cfdcb304]

nab added on 2022-02-08 15:51:13:
so,
after 2 days of testing mac_styles_87 branch with Kevin fix I only saw one weird thing.
winfo exists has reported that a toplevel exists but it wasn't displayed.
I use to create toplevel with withdraw/deiconify sequence.

I need more time though in order to see if it happens again with/without the fix.

but provided script does not crash anymore.
thanks,
++

kevin_walzer added on 2022-02-07 14:31:51:
The crash does not occur if the window is destroyed after the menu posts, only before. My theory is that the presence of the menu may cause the re-set of the autorelease pool to be premature - the menu may be trying to access memory that has been released. 

I don't know of any additional tests that can be conducted other than the test suite, which passed with no issues.

marc_culler (claiming to be Marc Culler) added on 2022-02-07 14:08:13:
Indeed, this must be tested very, very thoroughly.  This is definitely the
sort of thin ice situation where one fix can cause many breakages.

The purpose of _resetAutoreleasePool method is to replicate an undocumented
component of Apple's event loop which Tk must replace in order to work.
Apple does say that each cycle of Apple's event loop creates a new outermost
autorelease pool, but they provide no details.  The main call to that function
in Tk occurs in TkMacOSXNotify.c and that one seems more or less comparable to what Apple describes.

It is possible that calling that method when a window is destroyed is wrong.
There are definitely situations when the method must not be called and some
work is done to prevent those (nested) calls which are known to lead to
crashes.  (Please read the discussion in macOS/README.)  I am not able to
provide an explanation for why it was being called in TkDeadWindow, so that
may have been a workaround which was wrong at the time it was added.  But I
would feel much better about the change if someone could provide an
explanation for why it leads to a crash in this situation.

kevin_walzer added on 2022-02-07 03:08:24:
I have committed a possible fix for this crash in the autorelease_pool_corrupted branch. The fix is simple - I am disabling a re-set of an autorelease pool. The crash error suggests memory corruption. I believe this code was put in place by Marc and I'm not sure of all of its use cases - please test carefully and see if you discover any side effects. The test suite passes without issue with this fix.

nab added on 2022-02-05 17:01:29:
@Kevin,
the crash seems to occur when destroying a toplevel while a menu is posted.
In the attached script baltip (a great extension by the way which provides a method to hide a displayed tip (that's what I use in real life...)) is destroying its toplevel after a certain amount of time (-per10 1000 option) and it seems that's the cause of the crash.

for example you'll find attached another script without baltip which triggers the same crash

++

kevin_walzer added on 2022-02-05 15:00:11:
As an additional note, I am unable to reproduce the crash using the tooltip package from Tklib.

kevin_walzer added on 2022-02-05 14:45:31:
I see the crash. I suspect it's caused somehow by the integration between the tooltip window and the native file dialog - something may be overloading Tk there.  But my initial question is why isn't the tooltip window being destroyed when the "Browse" button is  pushed - that's terrible UI design. The design of that baltip package doesn't provide an easy way to get at the actual tooltip window to configure it to be destroyed via a <Button-1> event, so this is difficult to address at the script level. But while I also understand crashes should not happen, crashes that are triggered by bad behavior from an extension package are not necessarily a priority for core maintainers. Have you filed a bug with the baltip maintainer?

nab added on 2022-02-05 11:23:42:
Hi Christopher,
here's mine:
Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace OBJC, Code 1 

Application Specific Information:
autorelease pool page 0x7fb69c03e000 corrupted
magic     0x00000000 0x00000000 0x00000000 0x00000000
should be 0xa1a1a1a1 0x4f545541 0x454c4552 0x21455341
pthread   0x10782d600
should be 0x10782d600


Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	    0x7ff81ade4dfe __abort_with_payload + 10
1   libsystem_kernel.dylib        	    0x7ff81ade6893 abort_with_payload_wrapper_internal + 80
2   libsystem_kernel.dylib        	    0x7ff81ade6843 abort_with_reason + 19
3   libobjc.A.dylib               	    0x7ff81acb2bce _objc_fatalv(unsigned long long, unsigned long long, char const*, __va_list_tag*) + 114
4   libobjc.A.dylib               	    0x7ff81acb2b5c _objc_fatal(char const*, ...) + 135
5   libobjc.A.dylib               	    0x7ff81acb1fe6 void AutoreleasePoolPage::busted<void (*)(char const*, ...)>(void (*)(char const*, ...)) const + 120
6   libobjc.A.dylib               	    0x7ff81acb38a1 AutoreleasePoolPage::busted_die() const + 9
7   libobjc.A.dylib               	    0x7ff81ac960e8 objc_autoreleasePoolPop + 41
8   CoreFoundation                	    0x7ff81ae8702c _CFAutoreleasePoolPop + 22
9   Foundation                    	    0x7ff81bd4bb29 __NSThreadPerformPerform + 217
10  CoreFoundation                	    0x7ff81aec58fd __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
11  CoreFoundation                	    0x7ff81aec5865 __CFRunLoopDoSource0 + 180
12  CoreFoundation                	    0x7ff81aec55e4 __CFRunLoopDoSources0 + 242
13  CoreFoundation                	    0x7ff81aec401b __CFRunLoopRun + 893
14  CoreFoundation                	    0x7ff81aec35dd CFRunLoopRunSpecific + 563
15  HIToolbox                     	    0x7ff823b004f1 RunCurrentEventLoopInMode + 292
16  HIToolbox                     	    0x7ff823b00247 ReceiveNextEventCommon + 587
17  HIToolbox                     	    0x7ff823afffe5 _BlockUntilNextEventMatchingListInModeWithFilter + 70
18  AppKit                        	    0x7ff81d8f2d88 _DPSNextEvent + 886
19  AppKit                        	    0x7ff81d8f13f4 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1411
20  AppKit                        	    0x7ff81e04a747 _NSHLTBMenuEventProc + 213
21  HIToolbox                     	    0x7ff823b66add IsUserStillTracking(MenuSelectData*, unsigned char*) + 198
22  HIToolbox                     	    0x7ff823c844aa TrackMenuCommon(MenuSelectData&, unsigned char*, SelectionData*, MenuResult*, MenuResult*) + 1605
23  HIToolbox                     	    0x7ff823c8089a PopUpMenuSelectCore(MenuData*, Point, double, Point, unsigned short, unsigned int, unsigned int, Rect const*, unsigned short, unsigned int, Rect const*, Rect const*, __CFDictionary const*, __CFString const*, OpaqueMenuRef**, unsigned short*) + 1932
24  HIToolbox                     	    0x7ff823c7fc2c _HandlePopUpMenuSelection8(OpaqueMenuRef*, OpaqueEventRef*, unsigned int, Point, unsigned short, unsigned int, unsigned int, Rect const*, unsigned short, Rect const*, Rect const*, __CFDictionary const*, __CFString const*, OpaqueMenuRef**, unsigned short*) + 410
25  HIToolbox                     	    0x7ff823b53f19 _HandlePopUpMenuSelectionWithDictionary + 329
26  AppKit                        	    0x7ff81dd8b874 SLMPerformPopUpCarbonMenu + 2232
27  AppKit                        	    0x7ff81dc30c81 _NSSLMPopUpCarbonMenu3 + 1125
28  AppKit                        	    0x7ff81dc30776 -[NSCarbonMenuImpl popUpMenu:atLocation:width:forView:withSelectedItem:withFont:withFlags:withOptions:] + 462
29  AppKit                        	    0x7ff81dc651b2 -[NSPopUpButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 562
30  AppKit                        	    0x7ff81daf2f78 -[NSControl mouseDown:] + 678
31  AppKit                        	    0x7ff81daf1457 -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4949
32  AppKit                        	    0x7ff81da65390 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 2582
33  AppKit                        	    0x7ff81da6475a -[NSWindow(NSEventRouting) sendEvent:] + 352
34  AppKit                        	    0x7ff81da62b28 -[NSApplication(NSEvent) sendEvent:] + 352
35  Tk                            	       0x103186d9d -[TKApplication(TKNotify) sendEvent:] + 125 (tkMacOSXNotify.c:207)
36  AppKit                        	    0x7ff81dba51df -[NSApplication _doModalLoop:peek:] + 364
37  AppKit                        	    0x7ff81dba3cc3 __35-[NSApplication runModalForWindow:]_block_invoke_2 + 64
38  AppKit                        	    0x7ff81dba3c70 __35-[NSApplication runModalForWindow:]_block_invoke + 78
39  AppKit                        	    0x7ff81dba3512 _NSTryRunModal + 100
40  AppKit                        	    0x7ff81dba33f9 -[NSApplication runModalForWindow:] + 128
41  AppKit                        	    0x7ff81e303429 -[NSSavePanel runModal] + 451
42  Tk                            	       0x103172b29 showOpenSavePanel + 409 (tkMacOSXDialog.c:378)
43  Tk                            	       0x10317229a Tk_GetOpenFileObjCmd + 2074 (tkMacOSXDialog.c:852)
44  Tcl                           	       0x1032b13a4 0x10328f000 + 140196
45  Tcl                           	       0x1032ad4eb Tcl_EvalObjv + 363
46  Tcl                           	       0x1032aed8d 0x10328f000 + 130445
47  Tcl                           	       0x1032ae29a Tcl_EvalEx + 26
48  Tk                            	       0x1030aac73 Tk_BindEvent + 3059 (tkBind.c:2631)
49  Tk                            	       0x1030b308f TkBindEventProc + 383 (tkCmds.c:319)
50  Tk                            	       0x1030bab58 Tk_HandleEvent + 456 (tkEvent.c:1307)
51  Tk                            	       0x1030bb500 WindowEventProc + 96 (tkEvent.c:1738)
52  Tcl                           	       0x1033712cc Tcl_ServiceEvent + 156
53  Tcl                           	       0x1033715c8 Tcl_DoOneEvent + 376
54  Tk                            	       0x1030bb9db Tk_MainLoop + 43 (tkEvent.c:2124)
55  Tk                            	       0x1030c9b52 Tk_MainEx + 1218 (tkMain.c:377)
56  Wish                          	       0x102da1de9 main + 73 (tkAppInit.c:96)
57  dyld                          	       0x1077b24fe start + 462


so yes, it seems to be the same
I've seen many autorelease pool corruption issues with Tk8.7 on macOS and I've addressed many of them by after 1 [list ...]
but not this one :)

++

chrstphrchvz added on 2022-02-05 06:03:35: (text/x-fossil-wiki)
From looking online for any similar issues, I notice an autorelease pool corruption issue seen in gitk in the past year. Users and downstream packagers have not figured out a cause or actual fix for it (there is a workaround of changing/removing a configuration file). I don’t know if it’s related to this ticket, but it could probably use Tk Aqua developers’ help investigating: [https://stackoverflow.com/q/65938739], [https://github.com/Homebrew/discussions/discussions/705]

chrstphrchvz added on 2022-02-05 06:01:20: (text/x-fossil-wiki)
I may have reproduced the issue; does this error and backtrace match what Nicolas sees?

<pre>
objc[7822]: autorelease pool page 0x6250005a6000 corrupted
  magic     0x5a800219 0x00000000 0x00000000 0x00000000
  should be 0xa1a1a1a1 0x4f545541 0x454c4552 0x21455341
  pthread   0x100094600
  should be 0x100094600

* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x00007ff818ad0dfe libsystem_kernel.dylib`__abort_with_payload + 10
    frame #1: 0x00007ff818ad2893 libsystem_kernel.dylib`abort_with_payload_wrapper_internal + 80
    frame #2: 0x00007ff818ad2843 libsystem_kernel.dylib`abort_with_reason + 19
    frame #3: 0x00007ff81899ebce libobjc.A.dylib`_objc_fatalv(unsigned long long, unsigned long long, char const*, __va_list_tag*) + 114
    frame #4: 0x00007ff81899eb5c libobjc.A.dylib`_objc_fatal(char const*, ...) + 135
    frame #5: 0x00007ff81899dfe6 libobjc.A.dylib`void AutoreleasePoolPage::busted<void (*)(char const*, ...)>(void (*)(char const*, ...)) const + 120
    frame #6: 0x00007ff81899f8a1 libobjc.A.dylib`AutoreleasePoolPage::busted_die() const + 9
    frame #7: 0x00007ff8189820e8 libobjc.A.dylib`objc_autoreleasePoolPop + 41
    frame #8: 0x00007ff818b7302c CoreFoundation`_CFAutoreleasePoolPop + 22
    frame #9: 0x00007ff819a37b29 Foundation`__NSThreadPerformPerform + 217
    frame #10: 0x00007ff818bb18fd CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #11: 0x00007ff818bb1865 CoreFoundation`__CFRunLoopDoSource0 + 180
    frame #12: 0x00007ff818bb15e4 CoreFoundation`__CFRunLoopDoSources0 + 242
    frame #13: 0x00007ff818bb001b CoreFoundation`__CFRunLoopRun + 893
    frame #14: 0x00007ff818baf5dd CoreFoundation`CFRunLoopRunSpecific + 563
    frame #15: 0x00007ff8217ec4f1 HIToolbox`RunCurrentEventLoopInMode + 292
    frame #16: 0x00007ff8217ec247 HIToolbox`ReceiveNextEventCommon + 587
    frame #17: 0x00007ff8217ebfe5 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 70
    frame #18: 0x00007ff81b5ded88 AppKit`_DPSNextEvent + 886
    frame #19: 0x00007ff81b5dd3f4 AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1411
    frame #20: 0x00007ff81bd36747 AppKit`_NSHLTBMenuEventProc + 213
    frame #21: 0x00007ff821852add HIToolbox`IsUserStillTracking(MenuSelectData*, unsigned char*) + 198
    frame #22: 0x00007ff8219704aa HIToolbox`TrackMenuCommon(MenuSelectData&, unsigned char*, SelectionData*, MenuResult*, MenuResult*) + 1605
    frame #23: 0x00007ff82196c89a HIToolbox`PopUpMenuSelectCore(MenuData*, Point, double, Point, unsigned short, unsigned int, unsigned int, Rect const*, unsigned short, unsigned int, Rect const*, Rect const*, __CFDictionary const*, __CFString const*, OpaqueMenuRef**, unsigned short*) + 1932
    frame #24: 0x00007ff82196bc2c HIToolbox`_HandlePopUpMenuSelection8(OpaqueMenuRef*, OpaqueEventRef*, unsigned int, Point, unsigned short, unsigned int, unsigned int, Rect const*, unsigned short, Rect const*, Rect const*, __CFDictionary const*, __CFString const*, OpaqueMenuRef**, unsigned short*) + 410
    frame #25: 0x00007ff82183ff19 HIToolbox`_HandlePopUpMenuSelectionWithDictionary + 329
    frame #26: 0x00007ff81ba77874 AppKit`SLMPerformPopUpCarbonMenu + 2232
    frame #27: 0x00007ff81b91cc81 AppKit`_NSSLMPopUpCarbonMenu3 + 1125
    frame #28: 0x00007ff81b91c776 AppKit`-[NSCarbonMenuImpl popUpMenu:atLocation:width:forView:withSelectedItem:withFont:withFlags:withOptions:] + 462
    frame #29: 0x00007ff81b9511b2 AppKit`-[NSPopUpButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 562
    frame #30: 0x00007ff81b7def78 AppKit`-[NSControl mouseDown:] + 678
    frame #31: 0x00007ff81b7dd457 AppKit`-[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4949
    frame #32: 0x00007ff81b751390 AppKit`-[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 2582
    frame #33: 0x00007ff81b75075a AppKit`-[NSWindow(NSEventRouting) sendEvent:] + 352
    frame #34: 0x00007ff81b74eb28 AppKit`-[NSApplication(NSEvent) sendEvent:] + 352
    frame #35: 0x00000001021a409e libtk8.6.dylib`-[TKApplication(self=0x0000614000012040, _cmd="sendEvent:", theEvent=0x00006100000a2940) sendEvent:] at tkMacOSXNotify.c:205:5
    frame #36: 0x00007ff81b8911df AppKit`-[NSApplication _doModalLoop:peek:] + 364
    frame #37: 0x00007ff81b88fcc3 AppKit`__35-[NSApplication runModalForWindow:]_block_invoke_2 + 64
    frame #38: 0x00007ff81b88fc70 AppKit`__35-[NSApplication runModalForWindow:]_block_invoke + 78
    frame #39: 0x00007ff81b88f512 AppKit`_NSTryRunModal + 100
    frame #40: 0x00007ff81b88f3f9 AppKit`-[NSApplication runModalForWindow:] + 128
    frame #41: 0x00007ff81bfef429 AppKit`-[NSSavePanel runModal] + 451
    frame #42: 0x00000001020ed8c5 libtk8.6.dylib`showOpenSavePanel(panel=0x00006160007e0080, parent=0x000061400001c040, callbackInfo=0x000060300038fef0) at tkMacOSXDialog.c:378:24
    frame #43: 0x00000001020ea775 libtk8.6.dylib`Tk_GetOpenFileObjCmd(clientData=0x0000614000008a40, interp=0x000061a000000080, objc=5, objv=0x0000611000273520) at tkMacOSXDialog.c:852:23
    frame #44: 0x00000001043aed22 libtcl8.6.dylib`Dispatch(data=0x0000604000ac7e58, interp=0x000061a000000080, result=0) at tclBasic.c:4468:12
    frame #45: 0x000000010438f85f libtcl8.6.dylib`TclNRRunCallbacks(interp=0x000061a000000080, result=0, rootPtr=0x0000000000000000) at tclBasic.c:4504:11
    frame #46: 0x000000010438dbdc libtcl8.6.dylib`Tcl_EvalObjv(interp=0x000061a000000080, objc=2, objv=0x0000611000273230, flags=2097168) at tclBasic.c:4226:12
    frame #47: 0x000000010439b1d4 libtcl8.6.dylib`TclEvalEx(interp=0x000061a000000080, script="\n    fileDialog .f.but\n", numBytes=23, flags=131072, line=2, clNextOuter=0x0000000000000000, outerScript="\n    fileDialog .f.but\n") at tclBasic.c:5373:13
    frame #48: 0x000000010439469a libtcl8.6.dylib`Tcl_EvalEx(interp=0x000061a000000080, script="\n    fileDialog .f.but\n", numBytes=23, flags=131072) at tclBasic.c:5038:12
    frame #49: 0x000000010162fdc4 libtk8.6.dylib`Tk_BindEvent(bindPtr=0x0000625000075900, eventPtr=0x0000611000272e50, tkwin=0x0000614000046840, numObjects=5, objArr=0x00007ff7bfefe140) at tkBind.c:2602:9
    frame #50: 0x000000010169066c libtk8.6.dylib`TkBindEventProc(winPtr=0x0000614000046840, eventPtr=0x0000611000272e50) at tkCmds.c:319:5
    frame #51: 0x0000000101700335 libtk8.6.dylib`Tk_HandleEvent(eventPtr=0x0000611000272e50) at tkEvent.c:1292:6
    frame #52: 0x0000000101707cc1 libtk8.6.dylib`WindowEventProc(evPtr=0x0000611000272e40, flags=-3) at tkEvent.c:1723:5
    frame #53: 0x0000000104ff8fe9 libtcl8.6.dylib`Tcl_ServiceEvent(flags=-3) at tclNotify.c:670:11
    frame #54: 0x0000000104ffbb22 libtcl8.6.dylib`Tcl_DoOneEvent(flags=-3) at tclNotify.c:967:6
    frame #55: 0x000000010170b8b0 libtk8.6.dylib`Tk_MainLoop at tkEvent.c:2109:2
    frame #56: 0x00000001017da5e5 libtk8.6.dylib`Tk_MainEx(argc=-1, argv=0x00007ff7bfeff9d8, appInitProc=(wish8.6`Tcl_AppInit at tkAppInit.c:119), interp=0x000061a000000080) at tkMain.c:377:5
    frame #57: 0x0000000100006c5f wish8.6`main(argc=2, argv=0x00007ff7bfeff9c8) at tkAppInit.c:93:5
    frame #58: 0x00000001000194fe dyld`start + 462
</pre>

This is likely not an area of Tk Aqua I’m familiar with enough to suggest a fix for. Something strange I notice is that when LLDB is attached to Tk, once the crash happens, the keyboard stops working in other programs until I force quit the LLDB process. I wonder if there is a special environment variable or similar to help debug the Objective-C runtime abort.


I do not always get a crash after clicking the filter menubutton, but AddressSanitizer (<tt>-fsanitize=address -DPURIFY</tt>) does report a use-after-free if I dismiss the dialog:

<pre>
=================================================================
==7704==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300037d3e8 at pc 0x0001020edb72 bp 0x7ff7bfefa690 sp 0x7ff7bfefa688
READ of size 8 at 0x60300037d3e8 thread T0
    #0 0x1020edb71 in showOpenSavePanel tkMacOSXDialog.c:390
    #1 0x1020ea774 in Tk_GetOpenFileObjCmd tkMacOSXDialog.c:852
    #2 0x1043aed21 in Dispatch tclBasic.c:4468
    #3 0x10438f85e in TclNRRunCallbacks tclBasic.c:4504
    #4 0x10438dbdb in Tcl_EvalObjv tclBasic.c:4226
    #5 0x10439b1d3 in TclEvalEx tclBasic.c:5373
    #6 0x104394699 in Tcl_EvalEx tclBasic.c:5038
    #7 0x10162fdc3 in Tk_BindEvent tkBind.c:2602
    #8 0x10169066b in TkBindEventProc tkCmds.c:319
    #9 0x101700334 in Tk_HandleEvent tkEvent.c:1292
    #10 0x101707cc0 in WindowEventProc tkEvent.c:1723
    #11 0x104ff8fe8 in Tcl_ServiceEvent tclNotify.c:670
    #12 0x104ffbb21 in Tcl_DoOneEvent tclNotify.c:967
    #13 0x10170b8af in Tk_MainLoop tkEvent.c:2109
    #14 0x1017da5e4 in Tk_MainEx tkMain.c:377
    #15 0x100006c5e in main tkAppInit.c:93
    #16 0x1000194fd in start+0x1cd (dyld:x86_64+0x54fd)

0x60300037d3e8 is located 8 bytes inside of 24-byte region [0x60300037d3e0,0x60300037d3f8)
freed by thread T0 here:
    #0 0x10051f829 in wrap_free+0xa9 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x47829)
    #1 0x104325cc4 in TclpFree tclAlloc.c:722
    #2 0x104405324 in Tcl_Free tclCkalloc.c:1226
    #3 0x1020e297e in -[TKApplication(TKDialog) tkFilePanelDidEnd:returnCode:contextInfo:] tkMacOSXDialog.c:261
    #4 0x1020ed97b in showOpenSavePanel tkMacOSXDialog.c:379
    #5 0x1020ea774 in Tk_GetOpenFileObjCmd tkMacOSXDialog.c:852
    #6 0x1043aed21 in Dispatch tclBasic.c:4468
    #7 0x10438f85e in TclNRRunCallbacks tclBasic.c:4504
    #8 0x10438dbdb in Tcl_EvalObjv tclBasic.c:4226
    #9 0x10439b1d3 in TclEvalEx tclBasic.c:5373
    #10 0x104394699 in Tcl_EvalEx tclBasic.c:5038
    #11 0x10162fdc3 in Tk_BindEvent tkBind.c:2602
    #12 0x10169066b in TkBindEventProc tkCmds.c:319
    #13 0x101700334 in Tk_HandleEvent tkEvent.c:1292
    #14 0x101707cc0 in WindowEventProc tkEvent.c:1723
    #15 0x104ff8fe8 in Tcl_ServiceEvent tclNotify.c:670
    #16 0x104ffbb21 in Tcl_DoOneEvent tclNotify.c:967
    #17 0x10170b8af in Tk_MainLoop tkEvent.c:2109
    #18 0x1017da5e4 in Tk_MainEx tkMain.c:377
    #19 0x100006c5e in main tkAppInit.c:93
    #20 0x1000194fd in start+0x1cd (dyld:x86_64+0x54fd)

previously allocated by thread T0 here:
    #0 0x10051f6e0 in wrap_malloc+0xa0 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x476e0)
    #1 0x104325ca4 in TclpAlloc tclAlloc.c:699
    #2 0x104404fd2 in Tcl_Alloc tclCkalloc.c:1059
    #3 0x1020ea27a in Tk_GetOpenFileObjCmd tkMacOSXDialog.c:836
    #4 0x1043aed21 in Dispatch tclBasic.c:4468
    #5 0x10438f85e in TclNRRunCallbacks tclBasic.c:4504
    #6 0x10438dbdb in Tcl_EvalObjv tclBasic.c:4226
    #7 0x10439b1d3 in TclEvalEx tclBasic.c:5373
    #8 0x104394699 in Tcl_EvalEx tclBasic.c:5038
    #9 0x10162fdc3 in Tk_BindEvent tkBind.c:2602
    #10 0x10169066b in TkBindEventProc tkCmds.c:319
    #11 0x101700334 in Tk_HandleEvent tkEvent.c:1292
    #12 0x101707cc0 in WindowEventProc tkEvent.c:1723
    #13 0x104ff8fe8 in Tcl_ServiceEvent tclNotify.c:670
    #14 0x104ffbb21 in Tcl_DoOneEvent tclNotify.c:967
    #15 0x10170b8af in Tk_MainLoop tkEvent.c:2109
    #16 0x1017da5e4 in Tk_MainEx tkMain.c:377
    #17 0x100006c5e in main tkAppInit.c:93
    #18 0x1000194fd in start+0x1cd (dyld:x86_64+0x54fd)

SUMMARY: AddressSanitizer: heap-use-after-free tkMacOSXDialog.c:390 in showOpenSavePanel
Shadow bytes around the buggy address:
  0x1c060006fa20: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x1c060006fa30: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x1c060006fa40: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x1c060006fa50: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x1c060006fa60: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
=>0x1c060006fa70: 00 00 00 00 fa fa 00 00 00 00 fa fa fd[fd]fd fa
  0x1c060006fa80: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa 00 00
  0x1c060006fa90: 00 00 fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x1c060006faa0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x1c060006fab0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x1c060006fac0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
…
  Heap left redzone:       fa
  Freed heap region:       fd
…
==7704==ABORTING
</pre>
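
The AddressSanitizer report above can be triaged mechanically. The following is an added example, not part of the ticket or of Tk: it parses an excerpt of that report (frames trimmed) and shows that the block was freed inside a call made from the same function that later reads it. The `triage` helper and the allocator-wrapper list are assumptions made for this illustration.

```python
import re
from collections import namedtuple

Frame = namedtuple("Frame", "function location")

# Excerpt of the AddressSanitizer report quoted in the ticket, lower frames trimmed.
REPORT = """\
==7704==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300037d3e8 at pc 0x0001020edb72 bp 0x7ff7bfefa690 sp 0x7ff7bfefa688
READ of size 8 at 0x60300037d3e8 thread T0
    #0 0x1020edb71 in showOpenSavePanel tkMacOSXDialog.c:390
    #1 0x1020ea774 in Tk_GetOpenFileObjCmd tkMacOSXDialog.c:852
    #2 0x1043aed21 in Dispatch tclBasic.c:4468

0x60300037d3e8 is located 8 bytes inside of 24-byte region [0x60300037d3e0,0x60300037d3f8)
freed by thread T0 here:
    #0 0x10051f829 in wrap_free+0xa9 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x47829)
    #1 0x104325cc4 in TclpFree tclAlloc.c:722
    #2 0x104405324 in Tcl_Free tclCkalloc.c:1226
    #3 0x1020e297e in -[TKApplication(TKDialog) tkFilePanelDidEnd:returnCode:contextInfo:] tkMacOSXDialog.c:261
    #4 0x1020ed97b in showOpenSavePanel tkMacOSXDialog.c:379
    #5 0x1020ea774 in Tk_GetOpenFileObjCmd tkMacOSXDialog.c:852

previously allocated by thread T0 here:
    #0 0x10051f6e0 in wrap_malloc+0xa0 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x476e0)
    #1 0x104325ca4 in TclpAlloc tclAlloc.c:699
    #2 0x104404fd2 in Tcl_Alloc tclCkalloc.c:1059
    #3 0x1020ea27a in Tk_GetOpenFileObjCmd tkMacOSXDialog.c:836
    #4 0x1043aed21 in Dispatch tclBasic.c:4468
"""

# "#N 0xPC in <function> <file:line | (module+offset)>"; the function part may
# contain spaces and colons (Objective-C selectors), so it is matched lazily.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+:\d+|\(.+\))\s*$")
KIND_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
SECTIONS = (
    (re.compile(r"^(READ|WRITE) of size \d+"), "access"),
    (re.compile(r"^freed by thread"), "free"),
    (re.compile(r"^previously allocated by thread"), "alloc"),
)
# Assumption for this illustration: these Tcl allocator entry points are
# plumbing, so the interesting frame is the first one below them.
ALLOCATOR_WRAPPERS = {"TclpFree", "Tcl_Free", "TclpAlloc", "Tcl_Alloc"}


def parse(report):
    """Split a report into its access / free / alloc stacks plus region info."""
    info = {"kind": None, "offset": None, "size": None,
            "stacks": {"access": [], "free": [], "alloc": []}}
    current = None
    for line in report.splitlines():
        m = KIND_RE.search(line)
        if m:
            info["kind"] = m.group(1)
            continue
        m = REGION_RE.search(line)
        if m:
            info["offset"], info["size"] = int(m.group(1)), int(m.group(2))
            continue
        for pattern, name in SECTIONS:
            if pattern.match(line):
                current = name
                break
        else:
            m = FRAME_RE.match(line)
            if m and current:
                info["stacks"][current].append(Frame(m.group(1), m.group(2)))
            elif not line.strip():
                current = None      # a blank line ends the current stack
    return info


def first_project_frame(stack):
    """First frame that is neither sanitizer runtime nor an allocator wrapper."""
    for frame in stack:
        if frame.location.startswith("(") or frame.function in ALLOCATOR_WRAPPERS:
            continue
        return frame
    return None


def triage(report):
    info = parse(report)
    stacks = info["stacks"]
    access = first_project_frame(stacks["access"])
    # If the function that performs the bad access also appears in the free
    # stack, the block was released by something that function itself called.
    freed_under = next((f for f in stacks["free"]
                        if access and f.function == access.function), None)
    return {"kind": info["kind"], "offset": info["offset"], "size": info["size"],
            "access": access, "free": first_project_frame(stacks["free"]),
            "alloc": first_project_frame(stacks["alloc"]),
            "freed_under": freed_under}


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key:12} {value}")
```
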

Attachments: