RenderBox::clippedOverflowRectForRepaint() calls enclosingLayer()->hasVisibleContent(), but hasVisibleContent() relies on an up-to-date RenderLayer tree with updated z-order lists, which we can't guarantee at the time when clippedOverflowRectForRepaint() is called (i.e. during layout). Here's an example of a bad stack: 2 com.apple.WebCore 0x000000076b2537aa WebCore::RenderLayer::hasVisibleContent() const + 122 (RenderLayer.cpp:956) 3 com.apple.WebCore 0x000000076b14a754 WebCore::RenderBox::clippedOverflowRectForRepaint(WebCore::RenderLayerModelObject const*) const + 68 (RenderBox.cpp:2120) 4 com.apple.WebCore 0x000000076b372946 WebCore::RenderText::clippedOverflowRectForRepaint(WebCore::RenderLayerModelObject const*) const + 214 (RenderText.cpp:1399) 5 com.apple.WebCore 0x000000076b2eb4b5 WebCore::RenderObject::repaint() const + 133 (RenderObject.cpp:900) 6 com.apple.WebCore 0x000000076b55ad12 WebCore::RenderTreeBuilder::detachFromRenderElement(WebCore::RenderElement&, WebCore::RenderObject&) + 578 (RenderTreeBuilder.cpp:795) 7 com.apple.WebCore 0x000000076b570f14 WebCore::RenderTreeBuilder::Inline::splitInlines(WebCore::RenderInline&, WebCore::RenderBlock*, WebCore::RenderBlock*, WebCore::RenderBlock*, WebCore::RenderObject*, WebCore::RenderBoxModelObject*) + 4084 8 com.apple.WebCore 0x000000076b56fa3f WebCore::RenderTreeBuilder::Inline::splitFlow(WebCore::RenderInline&, WebCore::RenderObject*, std::__1::unique_ptr<WebCore::RenderBlock, WebCore::RenderObjectDeleter>, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderBoxModelObject*) + 4655 (RenderTreeBuilderInline.cpp:246) 9 com.apple.WebCore 0x000000076b56debf WebCore::RenderTreeBuilder::Inline::attachIgnoringContinuation(WebCore::RenderInline&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 1551 (RenderTreeBuilderInline.cpp:188) 10 com.apple.WebCore 0x000000076b56c662 WebCore::RenderTreeBuilder::Inline::attach(WebCore::RenderInline&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 1282 (RenderTreeBuilderInline.cpp:116) 11 com.apple.WebCore 0x000000076b558611 WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 12049 (RenderTreeBuilder.cpp:298) 12 com.apple.WebCore 0x000000076b55b254 WebCore::RenderTreeBuilder::attach(WebCore::RenderTreePosition&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>) + 516 (RenderTreeBuilder.cpp:363) 13 com.apple.WebCore 0x000000076b5870a5 WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) + 2517 (RenderTreeUpdater.cpp:397) 14 com.apple.WebCore 0x000000076b58521a WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) + 970 (RenderTreeUpdater.cpp:338) 15 com.apple.WebCore 0x000000076b584752 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 1138 (RenderTreeUpdater.cpp:204) 16 com.apple.WebCore 0x000000076b583fcd WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 1005 17 com.apple.WebCore 0x000000076a01abe8 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 2072 (Document.cpp:1916) 18 com.apple.WebCore 0x000000076a01c3dd WebCore::Document::updateStyleIfNeeded() + 493 (Document.cpp:2024) 19 com.apple.WebCore 0x000000076a034f43 WebCore::Document::finishedParsing() + 595 (Document.cpp:5524) 20 com.apple.WebCore 0x000000076a5c7cb8 WebCore::HTMLConstructionSite::finishedParsing() + 24 (HTMLConstructionSite.cpp:420)