243949 2022-08-15 12:41:13 -0700 iOS 15.6 compositing with z-index causes crash 2023-02-24 11:52:53 -0800 1 1 1 Unclassified WebKit Compositing Safari 15 Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=244543 InRadar P2 Normal --- 1 ldebeasi webkit-unassigned ahmad.saleem792 ap bfulgham hanskrywaa jameson lollollipop878 majainle mattwoodrow rniwa simon.fraser webkit-bug-importer zalan oldest_to_newest 1891412 0 461639 ldebeasi 2022-08-15 12:41:13 -0700 Created attachment 461639 Code reproduction When compositing a large number of elements that have z-index, WebKit will crash. This behavior first appeared on iOS 15.6. Steps to reproduce: 1. Open the code reproduction on a device running iOS 15.6. 2. Inspect the page and open the "Layers" tab in dev tools. 3. Tap the "Crash" button. 4. Observe that memory usage spikes and Safari reloads the page. Other Information: - I tested this on an iPhone 11 running iOS 15.6. In my tests, the memory usage spiked to over 1GB. - This code reproduction does use a large number of elements. While using a smaller number of elements (such as 100) won't crash the browser, it will still cause the memory usage to spike. - This issue can also been seen on Safari for macOS. On Safari 15.5, clicking the "Crash" button brings the memory usage up to 40mb. On STP 151, clicking the "Crash" button brings the memory usage up to over 700mb. (Tested on a 2021 MacBook Pro with M1 Pro) - This issue also happens on WKWebView. 1891426 1 simon.fraser 2022-08-15 13:41:55 -0700 The testcase triggers backing store allocation on all the `div.native` but I'm not sure why the ones outside the viewport have backing store. 1891428 2 webkit-bug-importer 2022-08-15 13:42:48 -0700 <rdar://problem/98686446> 1891572 3 461661 simon.fraser 2022-08-15 21:27:25 -0700 Created attachment 461661 Static testcase We make backing store for all the layers because they are inside a large, animated element ("container") so we keep all their backing stores alive. There are several issues here: 1. The animation is a no-op, so we shouldn't consider it as something that extends backing store 2. z-index:-1 should not trigger backing store (`.native`) is a stacking context 3. Only `.container` should have backing while animating, because it's a stacking context. 1897939 4 hanskrywaa 2022-09-12 11:10:39 -0700 Still an issue with iOS 16, please fix as this is highly affecting users in one of our apps 😕 1898205 5 jameson 2022-09-13 06:14:02 -0700 This issue is also severely affecting our application and in some cases rendering it almost un-usable. 1898228 6 jameson 2022-09-13 07:05:31 -0700 Looks like this is still an issue in iOS 15.7 as well. 1898352 7 simon.fraser 2022-09-13 15:27:25 -0700 I think the fix for https://bugs.webkit.org/show_bug.cgi?id=244543 will fix this. 1901483 8 majainle 2022-09-27 06:50:19 -0700 I can confirm that I can reproduce this with 15.7 as well. Since our app is based on pinch zoom it makes it not usable at all. Would be nice if we can get this fixed soon. 1901576 9 ap 2022-09-27 11:00:50 -0700 > I think the fix for https://bugs.webkit.org/show_bug.cgi?id=244543 will fix this. Simon or Matt, would you mind confirming that it did? 1911063 10 ldebeasi 2022-11-08 12:30:54 -0800 The issue seems to be resolved on STP 156 on macOS. However, the issue persists on iOS 16.2 beta 2. The memory usage spikes to over 2GB when following the original steps to reproduce on an iPhone 13. 1927852 11 lollollipop878 2023-01-24 10:16:27 -0800 I experience the same issue with cordova on 16.2 1936611 12 ldebeasi 2023-02-24 11:52:53 -0800 This no longer reproduces on iOS 16.3. 461639 2022-08-15 12:41:13 -0700 2022-08-15 12:41:13 -0700 Code reproduction index.html text/html 1341 ldebeasi PCFET0NUWVBFIGh0bWw+CjxodG1sPgogIDxoZWFkPgogICAgPG1ldGEgY2hhcnNldD0iVVRGLTgi IC8+CiAgICA8dGl0bGU+ei1pbmRleCBjcmFzaDwvdGl0bGU+CiAgICA8bWV0YQogICAgICBuYW1l PSJ2aWV3cG9ydCIKICAgICAgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNj YWxlPTEuMCwgbWluaW11bS1zY2FsZT0xLjAiCiAgICAvPgogICAgPHN0eWxlPgogICAgICAuaXRl bSAubmF0aXZlIHsKICAgICAgICBwb3NpdGlvbjogcmVsYXRpdmU7CiAgICAgICAgei1pbmRleDog MTsKICAgICAgfQogICAgICAgIAogICAgICAuaXRlbSAubmF0aXZlOjphZnRlciB7CiAgICAgICAg cG9zaXRpb246IHJlbGF0aXZlOwogICAgICAgIGNvbnRlbnQ6ICIiOwogICAgICAgIHotaW5kZXg6 IC0xOwogICAgICB9CiAgICA8L3N0eWxlPgogIDwvaGVhZD4KCgogIDxib2R5PgogICAgPGJ1dHRv biBvbmNsaWNrPSJjcmFzaCgpIj5DcmFzaDwvYnV0dG9uPgogICAgPGRpdiBjbGFzcz0iY29udGFp bmVyIj4KICAgICAgPGRpdiBjbGFzcz0iaXRlbSI+CiAgICAgICAgPGRpdiBjbGFzcz0ibmF0aXZl Ij4KICAgICAgICAgIDxkaXYgY2xhc3M9ImlubmVyIj4KICAgICAgICAgICAgPGltZyBzcmM9Imh0 dHBzOi8vcGljc3VtLnBob3Rvcy8yMDAvMzAwIiAvPgogICAgICAgICAgPC9kaXY+CiAgICAgICAg PC9kaXY+CiAgICAgIDwvZGl2PgogICAgPC9kaXY+CiAgPC9ib2R5PgogIAogIDxzY3JpcHQ+CiAg ICBjb25zdCBjb250YWluZXIgPSBkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCcuY29udGFpbmVyJyk7 CiAgICAKICAgIGxldCB0ZW1wbGF0ZSA9ICcnOwogICAgCiAgICBmb3IgKGxldCBpID0gMDsgaSA8 IDUwMDsgaSsrKSB7CiAgICAgIHRlbXBsYXRlICs9IGAKICAgICAgICA8ZGl2IGNsYXNzPSJpdGVt Ij4KICAgICAgICAgIDxkaXYgY2xhc3M9Im5hdGl2ZSI+CiAgICAgICAgICAgIDxkaXY+CiAgICAg ICAgICAgICAgPGltZyBzcmM9Imh0dHBzOi8vcGljc3VtLnBob3Rvcy8yMDAvMzAwIiAvPgogICAg ICAgICAgICA8L2Rpdj4KICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZGl2PgogICAgICBgCiAg ICB9CiAgICAKICAgIGNvbnRhaW5lci5pbm5lckhUTUwgPSB0ZW1wbGF0ZTsKICAgIAogICAgY29u c3QgY3Jhc2ggPSAoKSA9PiB7CiAgICAgIGNvbnRhaW5lci5hbmltYXRlKFsKICAgICAgICB7IG9m ZnNldDogMCwgdHJhbnNmb3JtOiAndHJhbnNsYXRlM2QoMCwgMCwgMCknIH0sCiAgICAgICAgeyBv ZmZzZXQ6IDEsIHRyYW5zZm9ybTogJ3RyYW5zbGF0ZTNkKDAsIDAsIDApJyB9CiAgICAgIF0sIDUw MCk7CiAgICB9CiAgPC9zY3JpcHQ+CjwvaHRtbD4K 461661 2022-08-15 21:27:25 -0700 2022-08-15 21:27:25 -0700 Static testcase many-negative-z-pseudos.html text/html 1176 simon.fraser PCFET0NUWVBFIGh0bWw+CjxodG1sPgogIDxoZWFkPgogICAgPG1ldGEgY2hhcnNldD0iVVRGLTgi IC8+CiAgICA8dGl0bGU+ei1pbmRleCBjcmFzaDwvdGl0bGU+CiAgICA8bWV0YQogICAgICBuYW1l PSJ2aWV3cG9ydCIKICAgICAgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNj YWxlPTEuMCwgbWluaW11bS1zY2FsZT0xLjAiCiAgICAvPgogICAgPHN0eWxlPgogICAgICAgIC5j b250YWluZXIgewogICAgICAgICAgICB0cmFuc2Zvcm06IHRyYW5zbGF0ZTNkKDAsIDAsIDApOwog ICAgICAgIH0KICAgICAgLml0ZW0gLm5hdGl2ZSB7CiAgICAgICAgcG9zaXRpb246IHJlbGF0aXZl OwogICAgICAgIHotaW5kZXg6IDE7CiAgICAgIH0KICAgICAgICAKICAgICAgLml0ZW0gLm5hdGl2 ZTo6YWZ0ZXIgewogICAgICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsKICAgICAgICBjb250ZW50OiAi IjsKICAgICAgICB6LWluZGV4OiAtMTsKICAgICAgfQogICAgPC9zdHlsZT4KICA8L2hlYWQ+CiAg PGJvZHk+CiAgICA8ZGl2IGNsYXNzPSJjb250YWluZXIiPgogICAgICA8ZGl2IGNsYXNzPSJpdGVt Ij4KICAgICAgICA8ZGl2IGNsYXNzPSJuYXRpdmUiPgogICAgICAgICAgPGRpdiBjbGFzcz0iaW5u ZXIiPgogICAgICAgICAgICA8aW1nIHNyYz0iaHR0cHM6Ly9waWNzdW0ucGhvdG9zLzIwMC8zMDAi IC8+CiAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Rpdj4KICAgICAgPC9kaXY+CiAgICA8L2Rp dj4KICA8L2JvZHk+CiAgCiAgPHNjcmlwdD4KICAgIGNvbnN0IGNvbnRhaW5lciA9IGRvY3VtZW50 LnF1ZXJ5U2VsZWN0b3IoJy5jb250YWluZXInKTsKICAgIAogICAgbGV0IHRlbXBsYXRlID0gJyc7 CiAgICAKICAgIGZvciAobGV0IGkgPSAwOyBpIDwgMjA7IGkrKykgewogICAgICB0ZW1wbGF0ZSAr PSBgCiAgICAgICAgPGRpdiBjbGFzcz0iaXRlbSI+CiAgICAgICAgICA8ZGl2IGNsYXNzPSJuYXRp dmUiPgogICAgICAgICAgICA8ZGl2PgogICAgICAgICAgICAgIDxpbWcgc3JjPSJodHRwczovL3Bp Y3N1bS5waG90b3MvMjAwLzMwMCIgLz4KICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICA8L2Rp dj4KICAgICAgICA8L2Rpdj4KICAgICAgYAogICAgfQogICAgCiAgICBjb250YWluZXIuaW5uZXJI VE1MID0gdGVtcGxhdGU7CiAgPC9zY3JpcHQ+CjwvaHRtbD4K