Bug 193955 - REGRESSION (r240553): Crash in WebCore::ScrollingTree::updateTreeFromStateNode
Status: RESOLVED DUPLICATE of bug 193907
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-01-28 21:52 PST by Ryan Haddad
Modified: 2019-01-28 23:36 PST

Attachments
Crash log (88.41 KB, text/plain)
2019-01-28 21:52 PST, Ryan Haddad

Description Ryan Haddad 2019-01-28 21:52:20 PST
Created attachment 360440
Crash log

After https://trac.webkit.org/changeset/240553/webkit, layout test compositing/iframes/remove-reinsert-webview-with-iframe.html is consistently crashing on iOS simulator bots.

https://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=compositing%2Fiframes%2Fremove-reinsert-webview-with-iframe.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	0x000000010a546b66 __pthread_kill + 10
1   libsystem_pthread.dylib       	0x000000010a580080 pthread_kill + 333
2   libsystem_c.dylib             	0x000000010a2f3c45 abort + 127
3   libc++abi.dylib               	0x000000010728e5b1 abort_message + 231
4   libc++abi.dylib               	0x000000010729b7a2 __cxa_pure_virtual + 18
5   com.apple.WebCore             	0x000000010bc19aa2 WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&) + 1026 (ScrollingTree.cpp:184)
6   com.apple.WebCore             	0x000000010bc19bde WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&) + 1342 (ScrollingTree.cpp:197)
7   com.apple.WebCore             	0x000000010bc19bde WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&) + 1342 (ScrollingTree.cpp:197)
8   com.apple.WebCore             	0x000000010bc194dc WebCore::ScrollingTree::commitTreeState(std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree> >) + 444 (ScrollingTree.cpp:145)
9   com.apple.WebKit              	0x0000000104d90927 WebKit::RemoteScrollingCoordinatorProxy::commitScrollingTreeState(WebKit::RemoteScrollingCoordinatorTransaction const&, WebKit::RemoteScrollingCoordinatorProxy::RequestedScrollInfo&) + 111 (RemoteScrollingCoordinatorProxy.cpp:92)
10  com.apple.WebKit              	0x0000000104c9dedf WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&) + 239 (RemoteLayerTreeDrawingAreaProxy.mm:217)
11  com.apple.WebKit              	0x0000000104b31645 void IPC::handleMessage<Messages::RemoteLayerTreeDrawingAreaProxy::CommitLayerTree, WebKit::RemoteLayerTreeDrawingAreaProxy, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)>(IPC::Decoder&, WebKit::RemoteLayerTreeDrawingAreaProxy*, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)) + 126 (HandleMessage.h:134)
12  com.apple.WebKit              	0x0000000104b104c3 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 127 (MessageReceiverMap.cpp:123)
13  com.apple.WebKit              	0x0000000104ceea70 WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 24 (WebProcessProxy.cpp:532)
14  com.apple.WebKit              	0x0000000104c9ef1b bool IPC::Connection::waitForAndDispatchImmediately<Messages::RemoteLayerTreeDrawingAreaProxy::CommitLayerTree>(unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::WaitForOption>) + 83 (Connection.h:490)
15  com.apple.WebKit              	0x0000000104c9ee4b WebKit::RemoteLayerTreeDrawingAreaProxy::waitForDidUpdateActivityState(unsigned long long) + 117 (RemoteLayerTreeDrawingAreaProxy.mm:461)
16  com.apple.WebKit              	0x0000000104cafdd0 WebKit::WebPageProxy::dispatchActivityStateChange() + 590 (WebPageProxy.cpp:1769)
17  com.apple.UIKitCore           	0x0000000113999e05 -[UIView(Internal) _didMoveFromWindow:toWindow:] + 1820
18  com.apple.UIKitCore           	0x000000011398c091 __45-[UIView(Hierarchy) _postMovedFromSuperview:]_block_invoke + 151
19  com.apple.UIKitCore           	0x000000011398bf70 -[UIView(Hierarchy) _postMovedFromSuperview:] + 804
20  com.apple.UIKitCore           	0x000000011399c9a5 -[UIView(Internal) _addSubview:positioned:relativeTo:] + 1951
21  org.webkit.WebKitTestRunnerApp	0x0000000102515abd WTR::JSUIScriptController::addViewToWindow(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) + 65
22  JavaScriptCore                	0x0000000102a06f2f long long JSC::APICallbackFunction::call<JSC::JSCallbackFunction>(JSC::ExecState*) + 495 (APICallbackFunction.h:63)
23  ???                           	0x0000073a3253c02d 0 + 7946533847085
24  JavaScriptCore                	0x00000001029dc271 llint_entry + 61758
25  JavaScriptCore                	0x00000001029dc271 llint_entry + 61758
Comment 1 Radar WebKit Bug Importer 2019-01-28 21:52:49 PST
<rdar://problem/47622864>
Comment 2 Ryan Haddad 2019-01-28 21:56:20 PST
I can't roll out r240553 cleanly, as Source/WebCore/rendering/RenderLayerCompositor.cpp has been modified multiple times since then.
Comment 3 Ryan Haddad 2019-01-28 22:02:45 PST
Skipped test in https://trac.webkit.org/r240642 so iOS-sim EWS will stop bleeding.

Simon, would you please take a look at this?
Comment 4 Wenson Hsieh 2019-01-28 22:20:51 PST
I think this is a dupe of <https://bugs.webkit.org/show_bug.cgi?id=193907>.
Comment 5 Wenson Hsieh 2019-01-28 23:36:02 PST

*** This bug has been marked as a duplicate of bug 193907 ***