Bug 195629

Summary: Crash when reloading test with async overflow scrolling
Product: WebKit Reporter: Simon Fraser (smfr) <simon.fraser>
Component: ScrollingAssignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED    
Severity: Normal CC: graouts, simon.fraser, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Testcase
none
Patch graouts: review+

Simon Fraser (smfr)
Reported 2019-03-12 10:52:27 PDT
Created attachment 364406 [details] Testcase Attached testcase can crash in the simulator on reload, accessing a deleted layer: * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT) frame #0: 0x00000001ac8a5f6c WebCore`WebCore::RenderLayer::isStackingContext(this=0xfbf95304000004f9) const at RenderLayer.h:167:45 frame #1: 0x00000001ac8a5eb4 WebCore`WebCore::RenderLayer::stackingContext(this=0x00000001c8a98690) const at RenderLayer.cpp:614:29 frame #2: 0x00000001ac8a6a92 WebCore`WebCore::RenderLayer::paintOrderParent(this=0x00000001c8a98690) const at RenderLayer.h:1313:44 frame #3: 0x00000001ac8a4ba8 WebCore`WebCore::RenderLayer::setAncestorsHaveCompositingDirtyFlag(this=0x00000001c8a98690, flag=HasDescendantNeedingBackingOrHierarchyTraversal) at RenderLayer.cpp:739:24 frame #4: 0x00000001ac8f650a WebCore`void WebCore::RenderLayer::setBackingAndHierarchyTraversalDirtyBit<(WebCore::RenderLayer::Compositing)256>(this=0x00000001c8a98690) at RenderLayer.h:269:9 frame #5: 0x00000001ac8e0445 WebCore`WebCore::RenderLayer::setNeedsScrollingTreeUpdate(this=0x00000001c8a98690) at RenderLayer.h:275:42 * frame #6: 0x00000001ac8eb658 WebCore`WebCore::RenderLayerCompositor::detachScrollCoordinatedLayerWithRole(this=0x00000001c8a77000, layer=0x00000001c8a98540, scrollingCoordinator=0x00000001c8a9b160, role=Scrolling) at RenderLayerCompositor.cpp:3872:20 frame #7: 0x00000001ac8ea856 WebCore`WebCore::RenderLayerCompositor::detachScrollCoordinatedLayer(this=0x00000001c8a77000, layer=0x00000001c8a98540, roles={ size = 0 }) at RenderLayerCompositor.cpp:3887:9 frame #8: 0x00000001ac8cf0f1 WebCore`WebCore::RenderLayerCompositor::removeFromScrollCoordinatedLayers(this=0x00000001c8a77000, layer=0x00000001c8a98540) at RenderLayerCompositor.cpp:3740:5 frame #9: 0x00000001ac8c7542 WebCore`WebCore::RenderLayerBacking::willBeDestroyed(this=0x00000001c8add3e8) at RenderLayerBacking.cpp:259:18 frame #10: 0x00000001ac8a3e73 WebCore`WebCore::RenderLayer::clearBacking(this=0x00000001c8a98540, layerBeingDestroyed=true) at RenderLayer.cpp:5932:16 frame #11: 0x00000001ac8a38e1 WebCore`WebCore::RenderLayer::~RenderLayer(this=0x00000001c8a98540) at RenderLayer.cpp:371:5 frame #12: 0x00000001ac8a3fa5 WebCore`WebCore::RenderLayer::~RenderLayer(this=0x00000001c8a98540) at RenderLayer.cpp:339:1 frame #13: 0x00000001ac8a3fc9 WebCore`WebCore::RenderLayer::~RenderLayer(this=0x00000001c8a98540) at RenderLayer.cpp:339:1 Deleted layers are being left in m_scrollingNodeToLayerMap.
Attachments
Testcase (2.27 KB, text/html)
2019-03-12 10:52 PDT, Simon Fraser (smfr) 		no flags
Details
Patch (2.73 KB, patch)
2019-03-18 17:08 PDT, Simon Fraser (smfr) 		graouts: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2019-03-12 10:52:46 PDT
<rdar://problem/48814045>
Simon Fraser (smfr)
Comment 2 2019-03-18 13:35:18 PDT
Seems to affect these tests: compositing/clipping/border-radius-async-overflow-non-stacking.html scrollingcoordinator/scrolling-tree/remove-coordinated-frame.html
Simon Fraser (smfr)
Comment 3 2019-03-18 17:08:51 PDT
Created attachment 365093 [details] Patch
Simon Fraser (smfr)
Comment 4 2019-03-18 17:33:45 PDT
https://trac.webkit.org/changeset/243120/webkit
Note You need to log in before you can comment on or make changes to this bug.