Bug 190804

Summary: REGRESSION (r237257): [iOS] Crashes in com.apple.WebKit: WebKit::RemoteScrollingCoordinator::scheduleTreeStateCommit
Product: WebKit Reporter: Ryan Haddad <ryanhaddad>
Component: New Bugs
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, cdumez, ggaren, jlewis3, koivisto, realdawei, tsavell, webkit-bug-importer
Priority: P2    
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=190688
Attachments:
Description    Flags
Crash log      none
Patch          none

Description Ryan Haddad 2018-10-22 13:56:09 PDT
Created attachment 352907 [details]
Crash log

The following crash is seen multiple times in the "Other crashes" section on iOS Simulator layout test results:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebKit              	0x000000010462d9af WebKit::RemoteScrollingCoordinator::scheduleTreeStateCommit() + 15 (RemoteScrollingCoordinator.mm:64)
1   com.apple.WebCore             	0x00000006812cd139 WebCore::ScrollingStateTree::recursiveNodeWillBeRemoved(WebCore::ScrollingStateNode*, WebCore::ScrollingStateTree::SubframeNodeRemoval) + 169 (ScrollingStateTree.cpp:233)
2   com.apple.WebCore             	0x00000006812cc8f9 WebCore::ScrollingStateTree::removeNodeAndAllDescendants(WebCore::ScrollingStateNode*, WebCore::ScrollingStateTree::SubframeNodeRemoval) + 25 (ScrollingStateTree.cpp:210)
3   com.apple.WebCore             	0x00000006812ccc74 WebCore::ScrollingStateTree::detachNode(unsigned long long) + 52 (ScrollingStateTree.cpp:158)
4   com.apple.WebCore             	0x00000006815bad03 WebCore::RenderLayerBacking::~RenderLayerBacking() + 467 (RenderLayerBacking.cpp:247)
5   com.apple.WebCore             	0x00000006815bd4ce WebCore::RenderLayerBacking::~RenderLayerBacking() + 14 (RenderLayerBacking.cpp:238)
6   com.apple.WebCore             	0x000000068159b6ab WebCore::RenderLayer::~RenderLayer() + 859 (RenderLayer.cpp:374)
7   com.apple.WebCore             	0x000000068159ba8e WebCore::RenderLayer::~RenderLayer() + 14 (RenderLayer.cpp:339)
8   com.apple.WebCore             	0x00000006815d16c7 WebCore::RenderLayerModelObject::willBeDestroyed() + 167 (RenderLayerModelObject.cpp:80)
9   com.apple.WebCore             	0x0000000681519bc3 WebCore::RenderBoxModelObject::willBeDestroyed() + 115 (RenderBoxModelObject.cpp:248)
10  com.apple.WebCore             	0x0000000681519896 WebCore::RenderBox::willBeDestroyed() + 662 (RenderBox.cpp:169)
11  com.apple.WebCore             	0x00000006815f27a8 WebCore::RenderObject::destroy() + 88 (RenderObject.cpp:1510)
12  com.apple.WebCore             	0x0000000680d802fd WebCore::Document::destroyRenderTree() + 301 (Document.cpp:2405)
13  com.apple.WebCore             	0x0000000680d80658 WebCore::Document::prepareForDestruction() + 680 (Document.cpp:2465)
14  com.apple.WebCore             	0x000000068122c0f9 WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView, WTF::DumbPtrTraits<WebCore::FrameView> >&&) + 249 (RefPtr.h:87)
15  com.apple.WebCore             	0x0000000681165e02 WebCore::FrameLoader::detachFromParent() + 498 (RefPtr.h:69)
16  com.apple.WebKit              	0x000000010471a24a WebKit::WebPage::close() + 902 (WebPage.cpp:1245)
17  com.apple.WebKit              	0x00000001043bca79 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 127 (MessageReceiverMap.cpp:123)
18  com.apple.WebKit              	0x000000010466f672 WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 28 (WebProcess.cpp:656)
19  com.apple.WebKit              	0x00000001043afa92 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 108 (Connection.cpp:1007)
20  com.apple.WebKit              	0x00000001043b2ef4 IPC::Connection::dispatchOneIncomingMessage() + 180 (Connection.cpp:1074)
21  JavaScriptCore                	0x000000010a5f3667 WTF::RunLoop::performWork() + 231 (RunLoop.cpp:106)
22  JavaScriptCore                	0x000000010a5f38f2 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
23  com.apple.CoreFoundation      	0x0000000105d43b31 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
24  com.apple.CoreFoundation      	0x0000000105d433a3 __CFRunLoopDoSources0 + 243
25  com.apple.CoreFoundation      	0x0000000105d3da4f __CFRunLoopRun + 1263
26  com.apple.CoreFoundation      	0x0000000105d3d221 CFRunLoopRunSpecific + 625
27  com.apple.Foundation          	0x0000000103e2a522 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 277
28  com.apple.Foundation          	0x0000000103e2a692 -[NSRunLoop(NSRunLoop) run] + 76
29  libxpc.dylib                  	0x00000001079ee812 _xpc_objc_main + 460
30  libxpc.dylib                  	0x00000001079f0cbd xpc_main + 143
31  com.apple.WebKit.WebContent   	0x0000000103d72248 WebKit::XPCServiceMain(int, char const**) + 403
32  com.apple.WebKit.WebContent   	0x0000000103d723e9 main + 9
33  libdyld.dylib                 	0x00000001076de551 start + 1

https://build.webkit.org/results/Apple%20iOS%2012%20Simulator%20Release%20WK2%20(Tests)/r237326%20(487)/results.html
Comment 1 Ryan Haddad 2018-10-22 14:02:48 PDT
From the crash logs:

CRASHING TEST: /security/cors-post-redirect-301.html
CRASHING TEST: /cookies/same-site/fetch-after-navigating-iframe-in-cross-origin-page.html
CRASHING TEST: /cache/partitioned-cache-iframe.html
CRASHING TEST: /cache/partitioned-cache.html
CRASHING TEST: /cookies/same-site/fetch-after-top-level-navigation-initiated-from-iframe-in-cross-origin-page.html
CRASHING TEST: /cookies/same-site/fetch-in-cross-origin-page.html
CRASHING TEST: /cookies/same-site/fetch-in-cross-origin-service-worker.html
CRASHING TEST: /cookies/same-site/fetch-in-cross-origin-worker.html
CRASHING TEST: /security/cross-origin-local-storage-allowed.html
CRASHING TEST: /websocket/tests/hybi/websocket-allowed-setting-cookie-as-third-party.html
CRASHING TEST: /websocket/tests/hybi/websocket-cookie-overwrite-behavior.html
Comment 3 Chris Dumez 2018-10-23 14:22:45 PDT
Odd, but will take a look soon.
Comment 4 Chris Dumez 2018-10-23 15:55:51 PDT
Created attachment 352998 [details]
Patch
Comment 5 Chris Dumez 2018-10-24 08:38:31 PDT
Comment on attachment 352998 [details]
Patch

Clearing flags on attachment: 352998

Committed r237384: <https://trac.webkit.org/changeset/237384>
Comment 6 Chris Dumez 2018-10-24 08:38:33 PDT
All reviewed patches have been landed. Closing bug.