Bug 190804

Summary:

REGRESSION (r237257): [iOS] Crashes in com.apple.WebKit: WebKit::RemoteScrollingCoordinator::scheduleTreeStateCommit

Product:

WebKit

Reporter:

Ryan Haddad <ryanhaddad>

Component:

New Bugs

Assignee:

Chris Dumez <cdumez>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

achristensen, cdumez, ggaren, jlewis3, koivisto, realdawei, tsavell, webkit-bug-importer

Priority:

Version:

Other

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=190688

Attachments:

Description	Flags
Crash log	none
Patch	none

Ryan Haddad

Reported 2018-10-22 13:56:09 PDT

Created attachment 352907 [details] Crash log The following crash is seen multiple times in the "Other crashes" section on iOS Simulator layout test results: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebKit 0x000000010462d9af WebKit::RemoteScrollingCoordinator::scheduleTreeStateCommit() + 15 (RemoteScrollingCoordinator.mm:64) 1 com.apple.WebCore 0x00000006812cd139 WebCore::ScrollingStateTree::recursiveNodeWillBeRemoved(WebCore::ScrollingStateNode*, WebCore::ScrollingStateTree::SubframeNodeRemoval) + 169 (ScrollingStateTree.cpp:233) 2 com.apple.WebCore 0x00000006812cc8f9 WebCore::ScrollingStateTree::removeNodeAndAllDescendants(WebCore::ScrollingStateNode*, WebCore::ScrollingStateTree::SubframeNodeRemoval) + 25 (ScrollingStateTree.cpp:210) 3 com.apple.WebCore 0x00000006812ccc74 WebCore::ScrollingStateTree::detachNode(unsigned long long) + 52 (ScrollingStateTree.cpp:158) 4 com.apple.WebCore 0x00000006815bad03 WebCore::RenderLayerBacking::~RenderLayerBacking() + 467 (RenderLayerBacking.cpp:247) 5 com.apple.WebCore 0x00000006815bd4ce WebCore::RenderLayerBacking::~RenderLayerBacking() + 14 (RenderLayerBacking.cpp:238) 6 com.apple.WebCore 0x000000068159b6ab WebCore::RenderLayer::~RenderLayer() + 859 (RenderLayer.cpp:374) 7 com.apple.WebCore 0x000000068159ba8e WebCore::RenderLayer::~RenderLayer() + 14 (RenderLayer.cpp:339) 8 com.apple.WebCore 0x00000006815d16c7 WebCore::RenderLayerModelObject::willBeDestroyed() + 167 (RenderLayerModelObject.cpp:80) 9 com.apple.WebCore 0x0000000681519bc3 WebCore::RenderBoxModelObject::willBeDestroyed() + 115 (RenderBoxModelObject.cpp:248) 10 com.apple.WebCore 0x0000000681519896 WebCore::RenderBox::willBeDestroyed() + 662 (RenderBox.cpp:169) 11 com.apple.WebCore 0x00000006815f27a8 WebCore::RenderObject::destroy() + 88 (RenderObject.cpp:1510) 12 com.apple.WebCore 0x0000000680d802fd WebCore::Document::destroyRenderTree() + 301 (Document.cpp:2405) 13 com.apple.WebCore 0x0000000680d80658 WebCore::Document::prepareForDestruction() + 680 (Document.cpp:2465) 14 com.apple.WebCore 0x000000068122c0f9 WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView, WTF::DumbPtrTraits<WebCore::FrameView> >&&) + 249 (RefPtr.h:87) 15 com.apple.WebCore 0x0000000681165e02 WebCore::FrameLoader::detachFromParent() + 498 (RefPtr.h:69) 16 com.apple.WebKit 0x000000010471a24a WebKit::WebPage::close() + 902 (WebPage.cpp:1245) 17 com.apple.WebKit 0x00000001043bca79 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 127 (MessageReceiverMap.cpp:123) 18 com.apple.WebKit 0x000000010466f672 WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 28 (WebProcess.cpp:656) 19 com.apple.WebKit 0x00000001043afa92 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 108 (Connection.cpp:1007) 20 com.apple.WebKit 0x00000001043b2ef4 IPC::Connection::dispatchOneIncomingMessage() + 180 (Connection.cpp:1074) 21 JavaScriptCore 0x000000010a5f3667 WTF::RunLoop::performWork() + 231 (RunLoop.cpp:106) 22 JavaScriptCore 0x000000010a5f38f2 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39) 23 com.apple.CoreFoundation 0x0000000105d43b31 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 24 com.apple.CoreFoundation 0x0000000105d433a3 __CFRunLoopDoSources0 + 243 25 com.apple.CoreFoundation 0x0000000105d3da4f __CFRunLoopRun + 1263 26 com.apple.CoreFoundation 0x0000000105d3d221 CFRunLoopRunSpecific + 625 27 com.apple.Foundation 0x0000000103e2a522 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 277 28 com.apple.Foundation 0x0000000103e2a692 -[NSRunLoop(NSRunLoop) run] + 76 29 libxpc.dylib 0x00000001079ee812 _xpc_objc_main + 460 30 libxpc.dylib 0x00000001079f0cbd xpc_main + 143 31 com.apple.WebKit.WebContent 0x0000000103d72248 WebKit::XPCServiceMain(int, char const**) + 403 32 com.apple.WebKit.WebContent 0x0000000103d723e9 main + 9 33 libdyld.dylib 0x00000001076de551 start + 1 https://build.webkit.org/results/Apple%20iOS%2012%20Simulator%20Release%20WK2%20(Tests)/r237326%20(487)/results.html

Attachments
Crash log (87.67 KB, text/plain) 2018-10-22 13:56 PDT, Ryan Haddad	no flags	Details
Patch (1.80 KB, patch) 2018-10-23 15:55 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Ryan Haddad

Comment 1 2018-10-22 14:02:48 PDT

From the crashlogs: CRASHING TEST: /security/cors-post-redirect-301.html CRASHING TEST: /cookies/same-site/fetch-after-navigating-iframe-in-cross-origin-page.html CRASHING TEST: /cache/partitioned-cache-iframe.html CRASHING TEST: /cache/partitioned-cache.html CRASHING TEST: /cookies/same-site/fetch-after-top-level-navigation-initiated-from-iframe-in-cross-origin-page.html CRASHING TEST: /cookies/same-site/fetch-in-cross-origin-page.html CRASHING TEST: /cookies/same-site/fetch-in-cross-origin-service-worker.html CRASHING TEST: /cookies/same-site/fetch-in-cross-origin-worker.html CRASHING TEST: /security/cross-origin-local-storage-allowed.html CRASHING TEST: /websocket/tests/hybi/websocket-allowed-setting-cookie-as-third-party.html CRASHING TEST: /websocket/tests/hybi/websocket-cookie-overwrite-behavior.html

Ryan Haddad

Comment 2 2018-10-22 14:08:26 PDT

The crashes don't appear on this run @ r237255: https://build.webkit.org/builders/Apple%20iOS%2012%20Simulator%20Debug%20WK2%20%28Tests%29/builds/366 They do appear on this run @ r237257: https://build.webkit.org/builders/Apple%20iOS%2012%20Simulator%20Debug%20WK2%20%28Tests%29/builds/367 I guess this regressed with https://trac.webkit.org/changeset/237257/webkit

Chris Dumez

Comment 3 2018-10-23 14:22:45 PDT

Odd but will take a look soon.

Chris Dumez

Comment 4 2018-10-23 15:55:51 PDT

Created attachment 352998 [details] Patch

Chris Dumez

Comment 5 2018-10-24 08:38:31 PDT

Comment on attachment 352998 [details] Patch Clearing flags on attachment: 352998 Committed r237384: <https://trac.webkit.org/changeset/237384>

Chris Dumez

Comment 6 2018-10-24 08:38:33 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.