286356 2025-01-22 06:35:56 -0800 REGRESSION (iPadOS 18): RemoteScrollingCoordinatorProxyIOS Invalid message dispatched virtual void WebKit::RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations 2025-02-12 03:49:59 -0800 1 1 1 Unclassified WebKit Compositing Safari 18 iPhone / iPad iOS 18 RESOLVED FIXED InRadar P2 Normal --- 1 adam mattwoodrow mattwoodrow simon.fraser webkit-bug-importer oldest_to_newest 2088968 0 adam 2025-01-22 06:35:56 -0800 After upgrade to iPAD OS 18 and all subsequent versions (18.1 - 18.3) there seems to be a quite specific bug that crashes the Safari browser (does not happen within Chrome on same device) and in-app webkit instance, seems to be only affecting iPAD OS devices. Bug reproduced on devices: M1 iPad Air 5th GEN (MM9E3FD/A) - iOS 18.3 (22D5040d) / iOS 18.3 (22D60) [Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Safari/605.1.15] The error message printed in the Xcode console: ``` Library/Caches/com.apple.xbs/Sources/WebKit_Sim/Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteScrollingCoordinatorProxyIOS.mm 272: Invalid message dispatched virtual void WebKit::RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations(const RemoteLayerTreeHost &)

Received an invalid message 'RemoteLayerTreeDrawingAreaProxy_CommitLayerTree' from the WebContent process with PID 22404 ``` HTML that reproduces the crash: ``` <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Crash iOS</title> <style> .element { position: relative; } .container { width: 0; } .container-2 { overflow-y: auto; transition: 0.3s; } .container-3 { overflow-y: auto; } .container-4 { position: relative; } </style> </head> <body> <button id="aa_click" style="margin-top: 200px;">click123</button> <div id="test" class="container"> <div class="container-4"> <div class="container-3"> <div class="container-2"> <div class="element"> test </div> </div> </div> </div> </div> <script> document.getElementById("aa_click").onclick = function () { let a = document.getElementById("test"); let b = a.style.visibility if (b == 'hidden') { a.style.visibility = "visible"; } else { a.style.visibility = "hidden"; } }; </script> </body> ``` How to reproduce: 1. Create webpage with HTML posted above and visit it via Safari. 2. Click the button 2-3 times. 3. Safari / Webkit should crash. 2089121 1 webkit-bug-importer 2025-01-22 16:37:16 -0800 <rdar://problem/143435840> 2089439 2 473996 mattwoodrow 2025-01-23 22:18:38 -0800 Created attachment 473996 Testcase 2089453 3 mattwoodrow 2025-01-23 23:12:03 -0800 Just to clarify, is this crashing Safari itself, or crashing the contents of the tab? 2089458 4 adam 2025-01-23 23:39:26 -0800 It crashes the tab only. 2089787 5 mattwoodrow 2025-01-25 16:28:35 -0800 Great, thanks for confirming, I can reproduce. Thanks for the reduced test case! 2089788 6 mattwoodrow 2025-01-25 16:35:04 -0800 Pull request: https://github.com/WebKit/WebKit/pull/39563 2090575 7 ews-feeder 2025-01-29 15:46:20 -0800 Committed 289527@main (79c73a5e0996): <https://commits.webkit.org/289527@main> Reviewed commits have been landed. Closing PR #39563 and removing active labels. 2094112 8 adam 2025-02-12 03:49:59 -0800 Any updates when the fix will be released? It's still breaking in 18.3.1 473996 2025-01-23 22:18:38 -0800 2025-01-23 22:18:38 -0800 Testcase hi.html text/html 1231 mattwoodrow PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0 PSJVVEYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNl LXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+CiAgICA8dGl0bGU+Q3Jhc2ggaU9TPC90aXRsZT4K ICAgIDxzdHlsZT4KICAgICAgICAuZWxlbWVudCB7CiAgICAgICAgICAgIHBvc2l0aW9uOiByZWxh dGl2ZTsKICAgICAgICB9CgogICAgICAgIC5jb250YWluZXIgewogICAgICAgICAgICB3aWR0aDog MDsKICAgICAgICB9CgogICAgICAgIC5jb250YWluZXItMiB7CiAgICAgICAgICAgICAgICBvdmVy Zmxvdy15OiBhdXRvOwogICAgICAgICAgICAgICAgdHJhbnNpdGlvbjogMC4zczsKICAgICAgICB9 CgogICAgICAgIC5jb250YWluZXItMyB7CiAgICAgICAgICAgIG92ZXJmbG93LXk6IGF1dG87CiAg ICAgICAgfQoKICAgICAgICAuY29udGFpbmVyLTQgewogICAgICAgICAgICBwb3NpdGlvbjogcmVs YXRpdmU7CiAgICAgICAgfQoKICAgIDwvc3R5bGU+Cgo8L2hlYWQ+Cgo8Ym9keT4KCjxidXR0b24g aWQ9ImFhX2NsaWNrIiBzdHlsZT0ibWFyZ2luLXRvcDogMjAwcHg7Ij5jbGljazEyMzwvYnV0dG9u PgoKPGRpdiBpZD0idGVzdCIgY2xhc3M9ImNvbnRhaW5lciI+CiAgICA8ZGl2IGNsYXNzPSJjb250 YWluZXItNCI+CiAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyLTMiPgogICAgICAgICAgICA8 ZGl2IGNsYXNzPSJjb250YWluZXItMiI+CiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJlbGVt ZW50Ij4KICAgICAgICAgICAgICAgICAgICB0ZXN0CiAgICAgICAgICAgICAgICA8L2Rpdj4KICAg ICAgICAgICAgPC9kaXY+CiAgICAgICAgPC9kaXY+CiAgICA8L2Rpdj4KPC9kaXY+Cgo8c2NyaXB0 PgogICAgZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoImFhX2NsaWNrIikub25jbGljayA9IGZ1bmN0 aW9uICgpIHsKICAgICAgICBsZXQgYSA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJ0ZXN0Iik7 CiAgICAgICAgbGV0IGIgPSBhLnN0eWxlLnZpc2liaWxpdHkKICAgICAgICBpZiAoYiA9PSAnaGlk ZGVuJykgewogICAgICAgICAgICBhLnN0eWxlLnZpc2liaWxpdHkgPSAidmlzaWJsZSI7CiAgICAg ICAgfSBlbHNlIHsKICAgICAgICAgICAgYS5zdHlsZS52aXNpYmlsaXR5ID0gImhpZGRlbiI7CiAg ICAgICAgfQogICAgfTsKCjwvc2NyaXB0Pgo8L2JvZHk+Cg==