UIGestureRecognizerFailureMap crash (failure map messaging zombies?)

Originator:golden
Number:rdar://15827524 Date Originated:15-Jan-2014 12:27 PM
Status:Open Resolved:
Product:iOS Product Version:5.1.1
Classification:Crash Reproducible:Sometimes
 
App crashes with a variety of stacks which all include "-[_UIGestureRecognizerFailureMap _queueRecognizersForResetIfFinished]".  In every case it looks like this method is trying to message deallocated objects.

Steps to Reproduce:
It's unclear exactly how to reproduce the issue, but we've seen it a few times, always on first generation iPads, always around the time that view controllers managing UIWebViews were being deallocated.

Expected Results:
No crashes.

Actual Results:
Some crashes.

Version:
iOS 5.1.1

Configuration:
I've seen the crash once and another developer on my team has seen it three times, always on a first generation iPad running iOS 5.1 and around the time that view controllers managing UIWebViews were being deallocated (and new ones were being allocated).

Comments

Crash circumstances

Context: I work with golden. This crash appears to be caused by a failure of the gesture recognition runtime to immediately update the dependency map when gesture recognizers drop out of scope.

In our app, a gesture recognizer owned by a container view controller is dependent on gesture recognizers owned by a series of child view controllers. As child view controllers are removed from the container, their gesture recognizers are freed, while the container's recognizer remains alive. The gesture recognition runtime removes the invalid references from the dependency map--but not immediately. If the user touches upon the container view soon after a child view controller is unloaded, the runtime may try to message what are now dangling references to the child recognizers, causing the segfaults seen above.

This issue could be resolved by: having the gesture recognition dependency map update immediately after gesture recognizers are removed from their views; having the gesture recognition map use weak references to the gesture recognizers; or giving developers an API to remove dependencies registered using -requireGestureRecognizerToFail:.

By jeff at Jan. 22, 2014, 2:06 a.m. (reply...)

Crash 3

Date/Time:       2014-01-08 19:51:13.562 -0800
OS Version:      iPhone OS 5.1.1 (9B206)
Report Version:  104

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x414604b0
Crashed Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib               	0x33712f7e objc_msgSend + 22
1   CoreFoundation                	0x35a5445a -[NSArray makeObjectsPerformSelector:] + 146
2   UIKit                         	0x3328495c -[_UIGestureRecognizerFailureMap _queueRecognizersForResetIfFinished] + 68
3   UIKit                         	0x3328758e -[UIGestureRecognizer _updateGestureWithEvent:] + 2394
4   UIKit                         	0x334b7472 ___UIGestureRecognizerUpdate_block_invoke_0541 + 42
5   UIKit                         	0x33202f4e _UIGestureRecognizerApplyBlocksToArray + 170
6   UIKit                         	0x33201a9c _UIGestureRecognizerUpdate + 892
7   UIKit                         	0x3320e7e2 _UIGestureRecognizerUpdateGesturesFromSendEvent + 22
8   UIKit                         	0x3320e620 -[UIWindow _sendGesturesForEvent:] + 768
9   UIKit                         	0x3320e1ee -[UIWindow sendEvent:] + 82
10  UIKit                         	0x331f468e -[UIApplication sendEvent:] + 350
11  UIKit                         	0x331f3f34 _UIApplicationHandleEvent + 5820
12  GraphicsServices              	0x337e6224 PurpleEventCallback + 876
13  CoreFoundation                	0x35ac8acc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 8
14  CoreFoundation                	0x35ac8298 __CFRunLoopDoSources0 + 208
15  CoreFoundation                	0x35ac703e __CFRunLoopRun + 646
16  CoreFoundation                	0x35a4a49e CFRunLoopRunSpecific + 294
17  CoreFoundation                	0x35a4a366 CFRunLoopRunInMode + 98
18  GraphicsServices              	0x337e5432 GSEventRunModal + 130
19  UIKit                         	0x33222cce UIApplicationMain + 1074
By golden at Jan. 17, 2014, 10:47 p.m. (reply...)

Crash 2

Date/Time:       2014-01-08 19:53:33.069 -0800
OS Version:      iPhone OS 5.1.1 (9B206)
Report Version:  104

Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x00000000, 0x00000000
Crashed Thread:  0

Last Exception Backtrace:
0   CoreFoundation                	0x35af488f __exceptionPreprocess + 163
1   libobjc.A.dylib               	0x33718259 objc_exception_throw + 32
2   CoreFoundation                	0x35af7a9b -[NSObject doesNotRecognizeSelector:] + 174
3   CoreFoundation                	0x35af6915 ___forwarding___ + 300
4   CoreFoundation                	0x35a51650 _CF_forwarding_prep_0 + 48
5   CoreFoundation                	0x35a537d3 -[NSObject performSelector:] + 38
6   CoreFoundation                	0x35a54461 -[NSArray makeObjectsPerformSelector:] + 152
7   UIKit                         	0x33284963 -[_UIGestureRecognizerFailureMap _queueRecognizersForResetIfFinished] + 74
8   UIKit                         	0x33287595 -[UIGestureRecognizer _updateGestureWithEvent:] + 2400
9   UIKit                         	0x334b7479 ___UIGestureRecognizerUpdate_block_invoke_0541 + 48
10  UIKit                         	0x33202f55 _UIGestureRecognizerApplyBlocksToArray + 176
11  UIKit                         	0x33201aa3 _UIGestureRecognizerUpdate + 898
12  UIKit                         	0x3320e7e9 _UIGestureRecognizerUpdateGesturesFromSendEvent + 28
13  UIKit                         	0x3320e627 -[UIWindow _sendGesturesForEvent:] + 774
14  UIKit                         	0x3320e1f5 -[UIWindow sendEvent:] + 88
15  UIKit                         	0x331f4695 -[UIApplication sendEvent:] + 356
16  UIKit                         	0x331f3f3b _UIApplicationHandleEvent + 5826
17  GraphicsServices              	0x337e622b PurpleEventCallback + 882
18  CoreFoundation                	0x35ac8ad3 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 14
19  CoreFoundation                	0x35ac829f __CFRunLoopDoSources0 + 214
20  CoreFoundation                	0x35ac7045 __CFRunLoopRun + 652
21  CoreFoundation                	0x35a4a4a5 CFRunLoopRunSpecific + 300
22  CoreFoundation                	0x35a4a36d CFRunLoopRunInMode + 104
23  GraphicsServices              	0x337e5439 GSEventRunModal + 136
24  UIKit                         	0x33222cd5 UIApplicationMain + 1080
By golden at Jan. 17, 2014, 10:46 p.m. (reply...)

Crash 1

Date/Time:       2014-01-08 19:49:20.650 -0800
OS Version:      iPhone OS 5.1.1 (9B206)
Report Version:  104

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0xd16303a8
Crashed Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib               	0x33712f78 objc_msgSend + 16
1   CoreFoundation                	0x35a5445a -[NSArray makeObjectsPerformSelector:] + 146
2   UIKit                         	0x3328495c -[_UIGestureRecognizerFailureMap _queueRecognizersForResetIfFinished] + 68
3   UIKit                         	0x3323b996 -[UIGestureRecognizer setView:] + 134
4   UIKit                         	0x33240b98 -[UILongPressGestureRecognizer setView:] + 60
5   UIKit                         	0x3323c026 -[UIView(UIViewGestures) removeGestureRecognizer:] + 46
6   UIKit                         	0x3339e3e6 -[UIWebSelectionAssistant dealloc] + 78
7   libobjc.A.dylib               	0x3371416e _objc_rootRelease + 30
8   UIKit                         	0x3335631e -[UIWebDocumentView dealloc] + 462
9   UIKit                         	0x3339e29e -[UIWebBrowserView dealloc] + 354
10  libdispatch.dylib             	0x33e8ce8a _dispatch_main_queue_callback_4CF$VARIANT$up + 190
11  CoreFoundation                	0x35ac72a6 __CFRunLoopRun + 1262
12  CoreFoundation                	0x35a4a49e CFRunLoopRunSpecific + 294
13  CoreFoundation                	0x35a4a366 CFRunLoopRunInMode + 98
14  GraphicsServices              	0x337e5432 GSEventRunModal + 130
15  UIKit                         	0x33222cce UIApplicationMain + 1074
By golden at Jan. 17, 2014, 10:46 p.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!