(Following up comment #25) Oops, I got my previous analysis badly wrong. I'll try again: For what it's worth, these crashes happen when `-[NSView(NSTrackingArea) trackingAreas]` is called on a deleted `NSView` object. I found this out by looking at the AppKit framework's `-[_NSTrackingAreaAKManager _updateActiveTrackingAreasForWindowLocation:modifierFlags:]` in a disassembler. In `objc_msgSend()` the `self` argument (`arg0`) isn't invalid. But since it now points to a block of poisoned memory, `self->isa` *is* invalid (`== 0xe5e5e5e5e5e5e5e5`).
Bug 1880582 Comment 27 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(Following up comment #25) Oops, I got my previous analysis badly wrong. I'll try again: For what it's worth, these crashes happen when `-[NSView(NSTrackingArea) trackingAreas]` is called on a deleted `NSView` object. I found this out by looking at the AppKit framework's `-[_NSTrackingAreaAKManager _updateActiveTrackingAreasForWindowLocation:modifierFlags:]` in a disassembler. In `objc_msgSend()` the `self` argument (`arg0`) isn't invalid. But since it now points to a block of poisoned memory, `self->isa` (`r10`) *is* invalid (`== 0xe5e5e5e5e5e5e5e5`).
(Following up comment #25) Oops, I got my previous analysis badly wrong. I'll try again: For what it's worth, these crashes happen when `-[NSView(NSTrackingArea) trackingAreas]` is called on a deleted `NSView` object. I found this out by looking at the AppKit framework's `-[_NSTrackingAreaAKManager _updateActiveTrackingAreasForWindowLocation:modifierFlags:]` in a disassembler. In `objc_msgSend()` the `self` argument (`arg0`) isn't invalid. But since it now points to a block of poisoned memory, `self->isa` (`r10`) *is* invalid (`== 0x000065e5e5e5e5e0`).
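Added example, not part of the bug comment above and not Firefox or AppKit code: a small C model of what the comment describes. A freed block that the allocator has filled with 0xe5 (the mozjemalloc free-poison byte) still has a valid address, so `self` passes any null check, but the first word `objc_msgSend` loads from it, `self->isa`, is now the fill pattern. The two values quoted in the comment's revisions are the same poison seen at two points: `0xe5e5e5e5e5e5e5e5` is the raw word, and `0x000065e5e5e5e5e0` is that word after the non-pointer isa mask the runtime applies before using it as a class pointer. The mask value below is the x86_64 `ISA_MASK` from the public objc4 sources (assumed to apply since the comment names `r10`); `FakeObject`, `poison_free` and the fake class pointer are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* mozjemalloc overwrites freed blocks with this byte. */
#define ALLOC_POISON 0xe5

/* Non-pointer isa mask for the x86_64 Objective-C runtime (objc4 isa.h).
 * Assumption: the crash is on an x86_64 build, as the `r10` register suggests. */
#define ISA_MASK 0x00007ffffffffff8ULL

/* Constructed stand-in for an Objective-C object: the first word is isa. */
typedef struct {
    uint64_t isa_bits;
    uint64_t payload[4];
} FakeObject;

/* Simulated free() under a poisoning allocator. The block is overwritten but
 * kept mapped, so a dangling read returns poison instead of faulting. */
static void poison_free(FakeObject *obj) {
    memset(obj, ALLOC_POISON, sizeof *obj);
}

/* The first thing objc_msgSend does with `self`: load the raw isa word. */
static uint64_t raw_isa(const FakeObject *self) {
    return self->isa_bits;
}

/* Turn the raw isa word into a class pointer, as the runtime does. */
static uint64_t class_from_isa(uint64_t isa_bits) {
    return isa_bits & ISA_MASK;
}

/* Crash-triage check: does a register value look like an 8-byte poison fill,
 * either raw or after isa masking? Both forms appear in real crash reports. */
static int looks_poisoned(uint64_t value) {
    uint64_t fill = 0;
    memset(&fill, ALLOC_POISON, sizeof fill);
    return value == fill || value == (fill & ISA_MASK);
}

/* Whole scenario: allocate, "delete" the object, then message it through a
 * stale pointer. Returns the class pointer the runtime would try to use. */
static uint64_t dangling_class_pointer(void) {
    FakeObject *view = calloc(1, sizeof *view);
    if (!view) return 0;
    view->isa_bits = 0x00007f00deadbee8ULL; /* constructed fake class address */
    poison_free(view);                       /* object deleted; caller keeps `view` */
    uint64_t cls = class_from_isa(raw_isa(view)); /* self is non-null, isa is poison */
    free(view);
    return cls;
}

int main(void) {
    uint64_t raw = 0;
    memset(&raw, ALLOC_POISON, sizeof raw);
    uint64_t cls = dangling_class_pointer();
    printf("raw isa      = 0x%016llx (poisoned: %d)\n",
           (unsigned long long)raw, looks_poisoned(raw));
    printf("masked class = 0x%016llx (poisoned: %d)\n",
           (unsigned long long)cls, looks_poisoned(cls));
    return 0;
}
```

The practical use of `looks_poisoned` is in triage: a fault address or register holding `0xe5e5...` or its masked form `0x000065e5e5e5e5e0` means the object was freed before the call, so the bug is in the lifetime of the view (who released it, and who still held it), not in the AppKit frame where the crash lands.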