w0lfschild / F-Script

🛠 Tool for dynamic introspection, manipulation and scripting of Cocoa objects on macOS

Occasional crash in [FSObjectBrowserSearchField filterAction] #3

Open krackers opened 7 months ago

krackers commented 7 months ago

I occasionally see crashes for the release inside setClassLabel or setLabel within FSObjectBrowserCell when called as part of filterAction:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000019

VM Regions Near 0x19:
--> 
    __TEXT                 0000000103207000-0000000103222000 [  108K] r-x/rwx SM=COW  /Applications/TextEdit.app/Contents/MacOS/TextEdit

Application Specific Information:
objc_msgSend() selector name: release
Performing @selector(filterAction:) from sender FSObjectBrowserSearchField 0x6000003a2920

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libobjc.A.dylib                 0x00007fff85761097 objc_msgSend + 23
1   org.fscript.fscriptframework    0x0000000109efbdb9 -[FSObjectBrowserCell setLabel:] + 73 (FSObjectBrowserCell.m:88)
2   org.fscript.fscriptframework    0x0000000109f53ef0 addRowToMatrix + 272 (FSObjectBrowserView.m:1619)
3   org.fscript.fscriptframework    0x0000000109f55367 -[FSObjectBrowserView addObject:toMatrix:label:classLabel:indentationLevel:leaf:] + 71 (FSObjectBrowserView.m:511)
4   org.fscript.fscriptframework    0x0000000109f55bca -[FSObjectBrowserView addObject:withLabel:toMatrix:leaf:classLabel:selectedClassLabel:selectedLabel:selectedObject:indentationLevel:] + 490 (FSObjectBrowserView.m:577)
5   org.fscript.fscriptframework    0x0000000109f55cfc -[FSObjectBrowserView addObject:withLabel:toMatrix:classLabel:selectedClassLabel:selectedLabel:selectedObject:] + 188 (FSObjectBrowserView.m:592)
6   org.fscript.fscriptframework    0x0000000109f6c9ec -[FSObjectBrowserViewObjectHelper addObject:valueType:getter:setter:withLabel:enumBiDict:mask:valueClass:notNil:] + 236 (FSObjectBrowserViewObjectInfo.m:149)
7   org.fscript.fscriptframework    0x000000010a00de0c -[FSObjectBrowserViewObjectHelper processNSView:] + 19484 (FSObjectBrowserViewObjectInfo.m:2415)
8   org.fscript.fscriptframework    0x0000000109fecc5f -[FSObjectBrowserViewObjectHelper addNSResponder:] + 16351 (FSObjectBrowserViewObjectInfo.m:2038)
9   org.fscript.fscriptframework    0x0000000109f72077 -[FSObjectBrowserViewObjectHelper populateModelWithObject:] + 967 (FSObjectBrowserViewObjectInfo.m:655)
10  org.fscript.fscriptframework    0x0000000109f715be -[FSObjectBrowserViewObjectHelper fillMatrix:withObject:] + 17838 (FSObjectBrowserViewObjectInfo.m:629)
11  org.fscript.fscriptframework    0x0000000109f6c634 -[FSObjectBrowserView(FSObjectBrowserViewObjectInfo) fillMatrix:column:withObject:] + 100 (FSObjectBrowserViewObjectInfo.m:90)
12  org.fscript.fscriptframework    0x0000000109f5a025 -[FSObjectBrowserView filter] + 965 (FSObjectBrowserView.m:1075)
13  org.fscript.fscriptframework    0x0000000109f5a4e5 -[FSObjectBrowserView filterAction:] + 85 (FSObjectBrowserView.m:1129)
14  com.apple.AppKit                0x00007fff83753260 -[NSApplication sendAction:to:from:] + 327
15  com.apple.AppKit                0x00007fff837530de -[NSControl sendAction:to:] + 86
16  com.apple.AppKit                0x00007fff8379fc4d -[NSCell _sendActionFrom:] + 128
17  com.apple.AppKit                0x00007fff83b74329 -[NSSearchFieldCell(NSSearchFieldCell_Local) _sendPartialString] + 161
18  com.apple.Foundation            0x00007fff88eb0714 __NSFireTimer + 96
19  com.apple.CoreFoundation        0x00007fff833c93e4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
20  com.apple.CoreFoundation        0x00007fff833c8f1f __CFRunLoopDoTimer + 1151
21  com.apple.CoreFoundation        0x00007fff8343a5aa __CFRunLoopDoTimers + 298
22  com.apple.CoreFoundation        0x00007fff833846a5 __CFRunLoopRun + 1525
23  com.apple.CoreFoundation        0x00007fff83383e75 CFRunLoopRunSpecific + 309
24  com.apple.HIToolbox             0x00007fff8ad8da0d RunCurrentEventLoopInMode + 226
25  com.apple.HIToolbox             0x00007fff8ad8d685 ReceiveNextEventCommon + 173
26  com.apple.HIToolbox             0x00007fff8ad8d5bc _BlockUntilNextEventMatchingListInModeWithFilter + 65
27  com.apple.AppKit                0x00007fff8353524e _DPSNextEvent + 1434
28  com.apple.AppKit                0x00007fff8353489b -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
29  com.apple.AppKit                0x00007fff8352899c -[NSApplication run] + 553
30  com.apple.AppKit                0x00007fff83513783 NSApplicationMain + 940
31  libdyld.dylib                   0x00007fff8972a5fd start + 1

It happens rarely enough that I cannot reproduce it on demand. I'm guessing this is some use-after-free thing, but I tried skimming the code and the callers of this seem OK to me. Was wondering if anyone else has experienced this?
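For readers unfamiliar with why a crash lands inside objc_msgSend(release) in a plain setter, the following is an added illustration (not F-Script's code, and not a claim about what FSObjectBrowserCell actually does): under manual retain/release, the order of the retain and release in a setter decides whether assigning a value the object already owns is safe. DemoCell, setLabelUnsafe: and the sample strings are hypothetical; build with clang -fno-objc-arc -framework Foundation.

```objc
// Added example, not from the F-Script project: MRC setter ordering and the
// resulting over-release. DemoCell is a hypothetical stand-in class.
#import <Foundation/Foundation.h>

@interface DemoCell : NSObject
{
    NSString *label;   // owned (retained) by the cell
}
- (void)setLabelUnsafe:(NSString *)newLabel;
- (void)setLabel:(NSString *)newLabel;
- (NSString *)label;
@end

@implementation DemoCell

// Unsafe ordering: when newLabel is the very object the cell already holds and
// the cell owns the last reference, the release frees it and the retain that
// follows is sent to a dangling pointer, which is what an
// "objc_msgSend() selector name: release/retain" crash looks like.
- (void)setLabelUnsafe:(NSString *)newLabel
{
    [label release];
    label = [newLabel retain];
}

// Safe ordering: retain the incoming value before releasing the old one.
// The identity check also avoids pointless retain/release traffic.
- (void)setLabel:(NSString *)newLabel
{
    if (label != newLabel) {
        [newLabel retain];
        [label release];
        label = newLabel;
    }
}

- (NSString *)label { return label; }

- (void)dealloc
{
    [label release];
    [super dealloc];
}
@end

int main(void)
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    DemoCell *cell = [[DemoCell alloc] init];

    // A heap-allocated string: constant @"" strings are immortal and very short
    // strings may be tagged pointers, neither of which can be over-released, so
    // the string has to be long enough to live on the heap.
    NSString *s = [[NSString alloc] initWithFormat:@"constructed label for row %d", 1];
    [cell setLabel:s];
    [s release];               // the cell is now the sole owner

    // Re-assigning the cell's own label is harmless with the safe setter...
    [cell setLabel:[cell label]];
    NSLog(@"label still valid: %@", [cell label]);

    // ...but with the unsafe ordering the release frees the string and the
    // following retain touches freed memory (uncomment to observe):
    // [cell setLabelUnsafe:[cell label]];

    [cell release];
    [pool drain];
    return 0;
}
```

Running the crashing variant with the environment variable NSZombieEnabled=YES turns the silent use of freed memory into a logged message naming the deallocated class and the selector sent to it, which is usually the quickest way to tell a setter-ordering bug apart from a caller that released the object before passing it in.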

krackers commented 7 months ago

Here's another such example:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: EXC_I386_GPFLT

Application Specific Information:
objc_msgSend() selector name: release
Performing @selector(filterAction:) from sender FSObjectBrowserSearchField 0x6100003a0fc0

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libobjc.A.dylib                 0x00007fff85761097 objc_msgSend + 23
1   org.fscript.fscriptframework    0x000000010f5afd49 -[FSObjectBrowserCell setClassLabel:] + 73 (FSObjectBrowserCell.m:79)
2   org.fscript.fscriptframework    0x000000010f607ed9 addRowToMatrix + 249 (FSObjectBrowserView.m:1618)
3   org.fscript.fscriptframework    0x000000010f60916f -[FSObjectBrowserView addLabel:toMatrix:indentationLevel:] + 63 (FSObjectBrowserView.m:479)
4   org.fscript.fscriptframework    0x000000010f609b6d -[FSObjectBrowserView addObject:withLabel:toMatrix:leaf:classLabel:selectedClassLabel:selectedLabel:selectedObject:indentationLevel:] + 397 (FSObjectBrowserView.m:576)
5   org.fscript.fscriptframework    0x000000010f609cfc -[FSObjectBrowserView addObject:withLabel:toMatrix:classLabel:selectedClassLabel:selectedLabel:selectedObject:] + 188 (FSObjectBrowserView.m:592)
6   org.fscript.fscriptframework    0x000000010f6209ec -[FSObjectBrowserViewObjectHelper addObject:valueType:getter:setter:withLabel:enumBiDict:mask:valueClass:notNil:] + 236 (FSObjectBrowserViewObjectInfo.m:149)
7   org.fscript.fscriptframework    0x000000010f6c6945 -[FSObjectBrowserViewObjectHelper processNSView:] + 38741 (FSObjectBrowserViewObjectInfo.m:2486)
8   org.fscript.fscriptframework    0x000000010f6a0c5f -[FSObjectBrowserViewObjectHelper addNSResponder:] + 16351 (FSObjectBrowserViewObjectInfo.m:2038)
9   org.fscript.fscriptframework    0x000000010f626077 -[FSObjectBrowserViewObjectHelper populateModelWithObject:] + 967 (FSObjectBrowserViewObjectInfo.m:655)
10  org.fscript.fscriptframework    0x000000010f6255be -[FSObjectBrowserViewObjectHelper fillMatrix:withObject:] + 17838 (FSObjectBrowserViewObjectInfo.m:629)
11  org.fscript.fscriptframework    0x000000010f620634 -[FSObjectBrowserView(FSObjectBrowserViewObjectInfo) fillMatrix:column:withObject:] + 100 (FSObjectBrowserViewObjectInfo.m:90)
12  org.fscript.fscriptframework    0x000000010f60e025 -[FSObjectBrowserView filter] + 965 (FSObjectBrowserView.m:1075)
13  org.fscript.fscriptframework    0x000000010f60e4e5 -[FSObjectBrowserView filterAction:] + 85 (FSObjectBrowserView.m:1129)
14  com.apple.AppKit                0x00007fff83753260 -[NSApplication sendAction:to:from:] + 327
15  com.apple.AppKit                0x00007fff837530de -[NSControl sendAction:to:] + 86
16  com.apple.AppKit                0x00007fff8379fc4d -[NSCell _sendActionFrom:] + 128
17  com.apple.AppKit                0x00007fff8389501d -[NSSearchFieldCell textDidChange:] + 602
18  com.apple.AppKit                0x00007fff837927df -[NSTextField textDidChange:] + 209
19  com.apple.CoreFoundation        0x00007fff83430e0c __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 12
20  com.apple.CoreFoundation        0x00007fff8332482d _CFXNotificationPost + 2893
21  com.apple.Foundation            0x00007fff88e4edda -[NSNotificationCenter postNotificationName:object:userInfo:] + 68
22  com.apple.AppKit                0x00007fff837921b4 -[NSTextView(NSSharing) didChangeText] + 345
23  com.apple.AppKit                0x00007fff837e72a1 _NSDoUserReplaceForCharRange + 466
24  com.apple.AppKit                0x00007fff837e70c2 _NSDoUserDeleteForCharRange + 38
25  com.apple.AppKit                0x00007fff83c0f31e -[NSTextView delete:] + 337
26  com.apple.AppKit                0x00007fff83753260 -[NSApplication sendAction:to:from:] + 327
27  com.apple.AppKit                0x00007fff837530de -[NSControl sendAction:to:] + 86
28  com.apple.AppKit                0x00007fff8379fc4d -[NSCell _sendActionFrom:] + 128
29  com.apple.AppKit                0x00007fff837b9655 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 2316
30  com.apple.AppKit                0x00007fff837b8a27 -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 487
31  com.apple.AppKit                0x00007fff83b746cb -[NSSearchFieldCell(NSSearchFieldCell_Local) _trackButton:forEvent:inRect:ofView:] + 548
32  com.apple.AppKit                0x00007fff83b7380f -[NSSearchFieldCell trackMouse:inRect:ofView:untilMouseUp:] + 678
33  com.apple.AppKit                0x00007fff837fa357 -[NSTextField mouseDown:] + 760
34  com.apple.AppKit                0x00007fff83739a58 -[NSWindow sendEvent:] + 11296
35  org.fscript.fscriptframework    0x000000010f5af83a -[FSObjectBrowser sendEvent:] + 314 (FSObjectBrowser.m:92)
36  com.apple.AppKit                0x00007fff836d85d4 -[NSApplication sendEvent:] + 2021
37  net.infinite-labs.Afloat        0x000000010f5450b5 -[NSApplication(Afloat) afloat_sendEvent:] + 729 (Afloat.m:674)
38  com.apple.AppKit                0x00007fff835289f9 -[NSApplication run] + 646
39  com.apple.AppKit                0x00007fff83513783 NSApplicationMain + 940
40  libdyld.dylib                   0x00007fff8972a5fd start + 1

krackers commented 7 months ago

One more: this one seems to clearly show that the corruption likely happens before it's even assigned:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: EXC_I386_GPFLT

Application Specific Information:
objc_msgSend() selector name: class
Performing @selector(filterAction:) from sender FSObjectBrowserSearchField 0x6000001b9b40

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libobjc.A.dylib                 0x00007fff85761097 objc_msgSend + 23
1   com.apple.CoreFoundation        0x00007fff8334bafa -[__NSCFString isEqualToString:] + 58
2   org.fscript.fscriptframework    0x000000010f7afd33 -[FSObjectBrowserView addObject:withLabel:toMatrix:leaf:classLabel:selectedClassLabel:selectedLabel:selectedObject:indentationLevel:] + 179 (FSObjectBrowserView.m:613)
3   org.fscript.fscriptframework    0x000000010f7aff9c -[FSObjectBrowserView addObject:withLabel:toMatrix:classLabel:selectedClassLabel:selectedLabel:selectedObject:] + 188 (FSObjectBrowserView.m:634)
4   org.fscript.fscriptframework    0x000000010f7c6c8c -[FSObjectBrowserViewObjectHelper addObject:valueType:getter:setter:withLabel:enumBiDict:mask:valueClass:notNil:] + 236 (FSObjectBrowserViewObjectInfo.m:149)
5   org.fscript.fscriptframework    0x000000010f8bf739 -[FSObjectBrowserViewObjectHelper processNSWindow:] + 35961 (FSObjectBrowserViewObjectInfo.m:3295)
6   org.fscript.fscriptframework    0x000000010f8479fd -[FSObjectBrowserViewObjectHelper addNSResponder:] + 19165 (FSObjectBrowserViewObjectInfo.m:2057)
7   org.fscript.fscriptframework    0x000000010f7cc317 -[FSObjectBrowserViewObjectHelper populateModelWithObject:] + 967 (FSObjectBrowserViewObjectInfo.m:655)
8   org.fscript.fscriptframework    0x000000010f7cb85d -[FSObjectBrowserViewObjectHelper fillMatrix:withObject:] + 17837 (FSObjectBrowserViewObjectInfo.m:629)
9   org.fscript.fscriptframework    0x000000010f7c68d4 -[FSObjectBrowserView(FSObjectBrowserViewObjectInfo) fillMatrix:column:withObject:] + 100 (FSObjectBrowserViewObjectInfo.m:90)
10  org.fscript.fscriptframework    0x000000010f7b42c5 -[FSObjectBrowserView filter] + 965 (FSObjectBrowserView.m:1117)
11  org.fscript.fscriptframework    0x000000010f7b4785 -[FSObjectBrowserView filterAction:] + 85 (FSObjectBrowserView.m:1171)

(Note: I built at commit 3825a44a, so line numbers won't match HEAD.)