263783 2023-10-27 08:30:53 -0700 REGRESSION (Sonoma): ASSERT(m_scrollingStateTree) on fast/scrolling/scroll-snap-crash.html 2023-11-08 09:33:51 -0800 1 1 1 Unclassified WebKit WebKit2 WebKit Nightly Build Unspecified Unspecified NEW https://bugs.webkit.org/show_bug.cgi?id=264419 InRadar P2 Normal --- 1 cdumez nmouchtaris ap ben_schwartz kkinnunen simon.fraser webkit-bug-importer wenson_hsieh oldest_to_newest 1988013 0 cdumez 2023-10-27 08:30:53 -0700 fast/scrolling/scroll-snap-crash.html is crashing consistently on my machine with a debug build like so: run-webkit-tests --debug --no-build --repeat-each=3 fast/scrolling/scroll-snap-crash.html Crash: ``` Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 JavaScriptCore 0x10bd37c44 WTFCrash + 24 (Assertions.cpp:333) 1 WebCore 0x282d67ccc WTFCrashWithInfo(int, char const*, char const*, int) + 36 (Assertions.h:778) 2 WebCore 0x284e407e0 WebCore::ScrollingStateNode::scrollingStateTree() const + 124 (ScrollingStateNode.h:305) 3 WebCore 0x284e4a728 WebCore::ScrollingStateScrollingNode::~ScrollingStateScrollingNode() + 64 (ScrollingStateScrollingNode.cpp:89) 4 WebCore 0x284e3ef44 WebCore::ScrollingStateFrameScrollingNode::~ScrollingStateFrameScrollingNode() + 116 (ScrollingStateFrameScrollingNode.cpp:96) 5 WebCore 0x284e3ef74 WebCore::ScrollingStateFrameScrollingNode::~ScrollingStateFrameScrollingNode() + 32 (ScrollingStateFrameScrollingNode.cpp:96) 6 WebCore 0x284e3efa4 WebCore::ScrollingStateFrameScrollingNode::~ScrollingStateFrameScrollingNode() + 32 (ScrollingStateFrameScrollingNode.cpp:96) 7 WebKit 0x12c5b7210 void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::ScrollingStateNode, (WTF::DestructionThread)0>() const::'lambda'()::operator()() const + 104 (ThreadSafeWeakPtr.h:101) 8 WebKit 0x12c5b7190 void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::ScrollingStateNode, (WTF::DestructionThread)0>() const + 328 (ThreadSafeWeakPtr.h:107) 9 WebKit 0x12c5b703c WTF::ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr<WebCore::ScrollingStateNode, (WTF::DestructionThread)0>::deref() const + 32 (ThreadSafeWeakPtr.h:170) 10 WebKit 0x12c5b7008 WTF::Ref<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>>::~Ref() + 80 (Ref.h:61) 11 WebKit 0x12c5b6fa8 WTF::Ref<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>>::~Ref() + 32 (Ref.h:55) 12 WebKit 0x12dd7ebcc IPC::ArgumentCoder<WebCore::ScrollingStateFrameScrollingNode, void>::decode(IPC::Decoder&) + 2520 (RemoteScrollingCoordinatorTransaction.cpp:367) 13 WebKit 0x12c79f75c std::__1::optional<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>> IPC::ArgumentCoder<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>, void>::decode<IPC::Decoder, WebCore::ScrollingStateFrameScrollingNode>(IPC::Decoder&) + 172 (ArgumentCoders.h:294) 14 WebKit 0x12c4bd240 std::__1::optional<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>> IPC::Decoder::decode<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>>() + 60 (Decoder.h:137) 15 WebKit 0x12c4bd14c IPC::ArgumentCoder<WebCore::ScrollingStateTree, void>::decode(IPC::Decoder&) + 64 (GeneratedSerializers.mm:41721) 16 WebKit 0x12c79e808 std::__1::optional<WebCore::ScrollingStateTree> IPC::Decoder::decode<WebCore::ScrollingStateTree>() + 60 (Decoder.h:137) 17 WebKit 0x12c79e6b4 std::__1::optional<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>> IPC::ArgumentCoder<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>, void>::decode<IPC::Decoder>(IPC::Decoder&) + 128 (ArgumentCoders.h:336) 18 WebKit 0x12c4bce18 std::__1::optional<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>> IPC::Decoder::decode<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>>() + 60 (Decoder.h:137) 19 WebKit 0x12c4bccec IPC::ArgumentCoder<WebKit::RemoteScrollingCoordinatorTransaction, void>::decode(IPC::Decoder&) + 40 (GeneratedSerializers.mm:41694) 20 WebKit 0x12cc2dd34 std::__1::optional<WebKit::RemoteScrollingCoordinatorTransaction> IPC::Decoder::decode<WebKit::RemoteScrollingCoordinatorTransaction>() + 60 (Decoder.h:137) ``` 1988014 1 cdumez 2023-10-27 08:32:23 -0700 ``` CheckedPtr<ScrollingStateTree> m_scrollingStateTree; // Only null between deserialization and attachAfterDeserialization. ``` We crash during destruction because m_scrollingStateTree is null. The crash does occur during IPC deserialization so it seems it is expected for `m_scrollingStateTree` to be null. Seems like there may be 2 bugs: 1. IPC deserialization fails 2. The ScrollingStateScrollingNode doesn't support getting destroyed during IPC deserialization and crashes 1988015 2 cdumez 2023-10-27 08:40:45 -0700 For me, it looks like it fails IPC decoding for ScrollingStateNodeProperty::SnapOffsetsInfo 1988016 3 cdumez 2023-10-27 08:46:07 -0700 (In reply to Chris Dumez from comment #2) > For me, it looks like it fails IPC decoding for > ScrollingStateNodeProperty::SnapOffsetsInfo In particular, horizontalSnapOffsets inside FloatScrollSnapOffsetsInfo. 1988017 4 cdumez 2023-10-27 08:50:07 -0700 (In reply to Chris Dumez from comment #3) > (In reply to Chris Dumez from comment #2) > > For me, it looks like it fails IPC decoding for > > ScrollingStateNodeProperty::SnapOffsetsInfo > > In particular, horizontalSnapOffsets inside FloatScrollSnapOffsetsInfo. In particular, the snapTargetID of FloatSnapOffset fails decoding. 1988632 5 ap 2023-10-30 13:29:01 -0700 Also frequently crashes on macOS Sonoma bots, but not on older OS versions. 1988634 6 webkit-bug-importer 2023-10-30 13:29:33 -0700 <rdar://problem/117702748> 1990873 7 ben_schwartz 2023-11-08 09:33:51 -0800 I have related this bug to bug #264419, which is an umbrella bug tracking layout test regressions in macOS Sonoma 14.1.