236615 2022-02-14 15:41:30 -0800 REGRESSION(r289216): Crash in DocumentTimeline::animationCanBeRemoved 2022-02-15 06:23:43 -0800 1 1 1 Unclassified WebKit Animations WebKit Nightly Build PC Linux RESOLVED FIXED InRadar P2 Normal --- 1 mcatanzaro graouts dino graouts graouts mcatanzaro webkit-bug-importer oldest_to_newest 1841441 0 mcatanzaro 2022-02-14 15:41:30 -0800 I'm seeing a crash when scrolling a Glint survey. Turns out it was introduced in r289216 "[css-logical] [web-animations] Add support for logical properties in JS-originated animations". The backtrace looks like this: (gdb) bt #0 WebCore::RenderStyle::direction (this=<optimized out>) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/rendering/style/RenderStyle.h:398 #1 WebCore::DocumentTimeline::animationCanBeRemoved (this=<optimized out>, animation=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/DocumentTimeline.cpp:243 #2 0x00007efc7895916a in WebCore::DocumentTimeline::animationCanBeRemoved (animation=..., this=0x7efb2c4fcf18) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/WebAnimation.h:90 #3 WebCore::DocumentTimeline::removeReplacedAnimations (this=0x7efb2c4fcf18) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/DocumentTimeline.cpp:282 #4 0x00007efc78959855 in WebCore::DocumentTimelinesController::updateAnimationsAndSendEvents (this=<optimized out>, timestamp=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/DocumentTimelinesController.cpp:133 #5 0x00007efc7921c8d8 in WTF::Function<void (WebCore::Document&)>::operator()(WebCore::Document&) const (in#0=..., this=0x7fffeb080ab0) at /home/mcatanzaro/Projects/WebKit/WebKitBuild/GNOME/WTF/Headers/wtf/Function.h:82 #6 WebCore::Page::forEachDocumentFromMainFrame(WebCore::Frame const&, WTF::Function<void (WebCore::Document&)> const&) (mainFrame=..., functor=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:3433 #7 0x00007efc7921c989 in WebCore::Page::forEachDocument(WTF::Function<void (WebCore::Document&)> const&) const ( this=<optimized out>, functor=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:3438 #8 0x00007efc7922d956 in operator() (perDocumentFunction=..., step=WebCore::RenderingUpdateStep::Animations, __closure=<synthetic pointer>) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:1597 #9 WebCore::Page::updateRendering (this=0x7efc60f81000) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:1617 #10 0x00007efc77fc85d9 in WebKit::WebPage::updateRendering (this=<optimized out>) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/WebPage.cpp:4275 #11 0x00007efc77ff9e0c in WebKit::CompositingCoordinator::flushPendingLayerChanges (this=this@entry=0x7efc60f44108, flags=...) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:124 #12 0x00007efc77fffa16 in WebKit::LayerTreeHost::layerFlushTimerFired (this=0x7efc60f44000) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:157 #13 WebKit::LayerTreeHost::layerFlushTimerFired (this=0x7efc60f44000) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:136 #14 0x00007efc75f9ec95 in operator() (__closure=0x0, userData=userData@entry=0x7efc60f440d8) at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:177 #15 _FUN () at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:181 #16 0x00007efc75f9f0df in operator() (__closure=0x0, userData=0x7efc60f440d8, callback=0x7efc75f9ec20 <_FUN(gpointer)>, source=0xb7c190) at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:53 #17 _FUN () at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:56 #18 0x00007efc728ae26d in g_main_dispatch (context=0x797b80) at ../../../../Projects/glib/glib/gmain.c:3413 #19 0x00007efc728af1c0 in g_main_context_dispatch (context=0x797b80) at ../../../../Projects/glib/glib/gmain.c:4131 #20 0x00007efc728af3ac in g_main_context_iterate (context=0x797b80, block=1, dispatch=1, self=0x77b350) at ../../../../Projects/glib/glib/gmain.c:4207 #21 0x00007efc728af849 in g_main_loop_run (loop=0x7b4d60) at ../../../../Projects/glib/glib/gmain.c:4405 #22 0x00007efc75f9f200 in WTF::RunLoop::run () at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:108 #23 0x00007efc7800ca1f in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run (argc=3, argv=0x7fffeb080f68, this=0x7fffeb080dc0) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:70 #24 WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run (argv=0x7fffeb080f68, argc=3, this=0x7fffeb080dc0) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:57 #25 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk> (argc=3, argv=0x7fffeb080f68) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:96 #26 0x00007efc72286560 in __libc_start_call_main (main=main@entry=0x401040 <main(int, char**)>, argc=argc@entry=3, argv=argv@entry=0x7fffeb080f68) at ../sysdeps/nptl/libc_start_call_main.h:58 #27 0x00007efc7228660c in __libc_start_main_impl (main=0x401040 <main(int, char**)>, argc=3, argv=0x7fffeb080f68, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffeb080f58) at ../csu/libc-start.c:409 #28 0x0000000000401075 in _start () Poking at it, the problem is that target->render() is nullptr. The ASSERT(target->renderer()) would be failing in a debug build. The complication here is that the web content I have that triggers this crash cannot be made public, and I have no experience with trying to build minimal reproducers. I'm just gonna hope that this is enough info to solve the problem. If you need more, I'm happy to test changes. 1841542 1 webkit-bug-importer 2022-02-14 19:43:21 -0800 <rdar://problem/88943156> 1841611 2 452001 graouts 2022-02-15 00:56:05 -0800 Created attachment 452001 Patch 1841676 3 ews-feeder 2022-02-15 06:23:39 -0800 Committed r289806 (247270@main): <https://commits.webkit.org/247270@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 452001. 452001 2022-02-15 00:56:05 -0800 2022-02-15 06:23:41 -0800 Patch bug-236615-20220215095603.patch text/plain 1692 graouts U3VidmVyc2lvbiBSZXZpc2lvbjogMjg5NzI3CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggODRmMzQ5MmE0N2VmYjY2 NDI1NGFhMWZjMWZhZjVhYWU2NzNkZjQ4OC4uZWNjNzM2YzY2OTFhMGMzOGZhMzhkZjM1NGU2ZjEw MmUwN2NhYThiYiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDIyLTAyLTE1ICBBbnRv aW5lIFF1aW50ICA8Z3Jhb3V0c0B3ZWJraXQub3JnPgorCisgICAgICAgIFJFR1JFU1NJT04ocjI4 OTIxNik6IENyYXNoIGluIERvY3VtZW50VGltZWxpbmU6OmFuaW1hdGlvbkNhbkJlUmVtb3ZlZAor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjM2NjE1Cisg ICAgICAgIDxyZGFyOi8vcHJvYmxlbS84ODk0MzE1Nj4KKworICAgICAgICBSZXZpZXdlZCBieSBO T0JPRFkgKE9PUFMhKS4KKworICAgICAgICBVc2UgdGhlIGRlZmF1bHQgc3R5bGUgaWYgd2UgY2Fu J3Qgb2J0YWluIG9uZSBmcm9tIHRoZSB0YXJnZXQncyByZW5kZXJlci4KKworICAgICAgICAqIGFu aW1hdGlvbi9Eb2N1bWVudFRpbWVsaW5lLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkRvY3VtZW50 VGltZWxpbmU6OmFuaW1hdGlvbkNhbkJlUmVtb3ZlZCk6CisKIDIwMjItMDItMTMgIExhdXJvIE1v dXJhICA8bG1vdXJhQGlnYWxpYS5jb20+CiAKICAgICAgICAgVW5yZXZpZXdlZCwgbm9uLXVuaWZp ZWQgYnVpbGQgZml4ZXMKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2FuaW1hdGlvbi9Eb2N1 bWVudFRpbWVsaW5lLmNwcCBiL1NvdXJjZS9XZWJDb3JlL2FuaW1hdGlvbi9Eb2N1bWVudFRpbWVs aW5lLmNwcAppbmRleCA5ODgwNGMzYTgyMDRhMjM0MzJlZWE3MDliZTE3M2NhNDBjYzgxYWE5Li45 MzQ0YzRiMDEwM2ZhMTE4OTE2NzFjMzQyNDUwMDc3ZTRlOWQ0NTBiIDEwMDY0NAotLS0gYS9Tb3Vy Y2UvV2ViQ29yZS9hbmltYXRpb24vRG9jdW1lbnRUaW1lbGluZS5jcHAKKysrIGIvU291cmNlL1dl YkNvcmUvYW5pbWF0aW9uL0RvY3VtZW50VGltZWxpbmUuY3BwCkBAIC0yMzUsOCArMjM1LDExIEBA IGJvb2wgRG9jdW1lbnRUaW1lbGluZTo6YW5pbWF0aW9uQ2FuQmVSZW1vdmVkKFdlYkFuaW1hdGlv biYgYW5pbWF0aW9uKQogICAgIGlmICghdGFyZ2V0IHx8ICF0YXJnZXQtPmVsZW1lbnQuaXNEZXNj ZW5kYW50T2YoKm1fZG9jdW1lbnQpKQogICAgICAgICByZXR1cm4gZmFsc2U7CiAKLSAgICBBU1NF UlQodGFyZ2V0LT5yZW5kZXJlcigpKTsKLSAgICBhdXRvJiBzdHlsZSA9IHRhcmdldC0+cmVuZGVy ZXIoKS0+c3R5bGUoKTsKKyAgICBhdXRvJiBzdHlsZSA9IFsmXSgpIC0+IGNvbnN0IFJlbmRlclN0 eWxlJiB7CisgICAgICAgIGlmIChhdXRvKiByZW5kZXJlciA9IHRhcmdldC0+cmVuZGVyZXIoKSkK KyAgICAgICAgICAgIHJldHVybiByZW5kZXJlci0+c3R5bGUoKTsKKyAgICAgICAgcmV0dXJuIFJl bmRlclN0eWxlOjpkZWZhdWx0U3R5bGUoKTsKKyAgICB9KCk7CiAKICAgICBIYXNoU2V0PENTU1By b3BlcnR5SUQ+IHByb3BlcnRpZXNUb01hdGNoOwogICAgIGZvciAoYXV0byBjc3NQcm9wZXJ0eSA6 IGtleWZyYW1lRWZmZWN0LT5hbmltYXRlZFByb3BlcnRpZXMoKSkK