Bug 222021 - REGRESSION(r274025-r273811): Crash under RenderLayerBacking::updateGeometry()
Summary: REGRESSION(r274025-r273811): Crash under RenderLayerBacking::updateGeometry()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Compositing (show other bugs)
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Simon Fraser (smfr)
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-02-16 19:53 PST by Simon Fraser (smfr)
Modified: 2021-03-08 21:58 PST (History)
12 users (show)

See Also:

Attachments
Test case (needs HTTP server; load it dozen times) (832 bytes, text/html)
2021-03-05 19:57 PST, Ryosuke Niwa 		no flags Details
Patch (6.21 KB, patch)
2021-03-08 16:34 PST, Simon Fraser (smfr) 		zalan: review+
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (6.46 KB, patch)
2021-03-08 17:34 PST, Simon Fraser (smfr) 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Simon Fraser (smfr) 2021-02-16 19:53:10 PST 
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [6031]

Getting symbols for 3C6465D7-E536-34D1-87CE-D9AE5FF42453 /Applications/Safari Technology Preview.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore... ok
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000000)
[  0] 0x00000006d31d2c32 WebCore`WebCore::RenderLayerBacking::updateGeometry(WebCore::RenderLayer const*) [inlined] WebCore::ScrollableArea::scrollOffset() const at ScrollableArea.cpp:671:37
       667 	}
       668 	
       669 	ScrollOffset ScrollableArea::scrollOffset() const
       670 	{
    -> 671 	    return scrollOffsetFromPosition(scrollPosition());
       672 	}
       673 	
       674 	ScrollPosition ScrollableArea::minimumScrollPosition() const
       675 	{
    

     0x00000006d31d2c1a:     leaq -0x190(%rbp), %rsi
     0x00000006d31d2c21:    callq *0xa0(%rax)
     0x00000006d31d2c27:     movq 0x10(%r15), %rax
     0x00000006d31d2c2b:     movq 0xe0(%rax), %r12
 ->  0x00000006d31d2c32:     movq (%r12), %rax
     0x00000006d31d2c36:     movq %r12, %rdi
     0x00000006d31d2c39:    callq *0x100(%rax)
     0x00000006d31d2c3f:     movl 0x28(%r12), %edx
     0x00000006d31d2c44:     movl 0x2c(%r12), %ecx

[  0] 0x00000006d31d2c32 WebCore`WebCore::RenderLayerBacking::updateGeometry(WebCore::RenderLayer const*) + 8066 at RenderLayerBacking.cpp:1379
       1375	
       1376	        auto* scrollableArea = m_owningLayer.scrollableArea();
       1377	        ASSERT(scrollableArea);
       1378	
    -> 1379	        ScrollOffset scrollOffset = scrollableArea->scrollOffset();
       1380	        updateScrollOffset(scrollOffset);
       1381	
       1382	        FloatSize oldScrollingLayerOffset = m_scrollContainerLayer->offsetFromRenderer();
       1383	        m_scrollContainerLayer->setOffsetFromRenderer(toFloatSize(scrollContainerBox.location()));
    
[  1] 0x00000006d31ddd64 WebCore`WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) + 772 at RenderLayerCompositor.cpp:1302:27
       1298	        }
       1299	        
       1300	        OptionSet<ScrollingNodeChangeFlags> scrollingNodeChanges = { ScrollingNodeChangeFlags::Layer };
       1301	        if (layerNeedsUpdate || layer.needsCompositingGeometryUpdate()) {
    -> 1302	            layerBacking->updateGeometry(traversalState.compositingAncestor);
       1303	            scrollingNodeChanges.add(ScrollingNodeChangeFlags::LayerGeometry);
       1304	        } else if (layer.needsScrollingTreeUpdate())
       1305	            scrollingNodeChanges.add(ScrollingNodeChangeFlags::LayerGeometry);
       1306	
    
[  2] 0x00000006d31df30c WebCore`WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) + 6316 at RenderLayerCompositor.cpp:1367:13
       1363	        for (auto* renderLayer : layer.normalFlowLayers())
       1364	            updateBackingAndHierarchy(*renderLayer, childList, traversalStateForDescendants, scrollingStateForDescendants, updateLevel);
       1365	        
       1366	        for (auto* renderLayer : layer.positiveZOrderLayers())
    -> 1367	            updateBackingAndHierarchy(*renderLayer, childList, traversalStateForDescendants, scrollingStateForDescendants, updateLevel);
       1368	
       1369	        // Pass needSynchronousScrollingReasonsUpdate back up.
       1370	        scrollingTreeState.needSynchronousScrollingReasonsUpdate |= scrollingStateForDescendants.needSynchronousScrollingReasonsUpdate;
       1371	        if (scrollingTreeState.parentNodeID == scrollingStateForDescendants.parentNodeID)
    
[  3] 0x00000006d31df30c WebCore`WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) + 6316 at RenderLayerCompositor.cpp:1367:13
[  4] 0x00000006d133028d WebCore`WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*) + 2317 at RenderLayerCompositor.cpp:867:9
Comment 1 Simon Fraser (smfr) 2021-02-16 19:53:31 PST 
Looks like the RenderLayer/scrollable area split.
Comment 2 Nikolas Zimmermann 2021-02-17 22:43:41 PST 
Thanks, I will have a look.
Comment 3 Nikolas Zimmermann 2021-02-22 04:47:31 PST 
Do we have any testcase for this? How was this backtrace obtained? (I suspect Apple crash reports for the STP builds?)

If I read the backtrace correctly, m_scrollableArea is null in line 1376, and we see a nullptr crash in a release build.

However I fail to see how it can be null:

According to the backtrace RenderLayerBacking::updateGeometry() is called for a RenderLayerBacking object that has a non-zero m_scrollContainerLayer. A m_scrollContainerLayer is only created if the associated RenderLayer (m_owningLayer) is using composited scrolling (that is checked via the RenderLayer::hasCompositedScrollableOverflow() condition).

However RenderLayer::hasCompositedScrollableOverflow() only returns true if the RenderLayer has an associated RenderLayerScrollableArea, which in turn means the crash shouldn't be there ;-)

I probably fail to understand something, hence a bug in the current code and thus the crash....
Comment 4 Radar WebKit Bug Importer 2021-02-23 19:54:13 PST 
<rdar://problem/74675337>
Comment 6 Ryosuke Niwa 2021-03-05 20:05:43 PST 
This is a regression between r273811 and r274025.
Comment 7 Simon Fraser (smfr) 2021-03-08 16:14:39 PST 
RenderLayer 0x5f5c5c630 ensureLayerScrollableArea() made scrollableArea 0x5f5c9aaa0
RenderLayerBacking (layer 0x5f5c5c630) updateConfiguration - usesCompositedScrolling 0
RenderLayer 0x5f5c5c738 ensureLayerScrollableArea() made scrollableArea 0x5f5cc48c0
RenderLayer 0x5f5c5c840 ensureLayerScrollableArea() made scrollableArea 0x5f5cc4b40
RenderLayerBacking (layer 0x5f5c5c630) updateConfiguration - usesCompositedScrolling 0
RenderLayerBacking (layer 0x5f5c5c840) updateConfiguration - usesCompositedScrolling 1
file:///Volumes/Data/Radar%20Attachments/Problem/74414963/repro_535.html:29:20: CONSOLE LOG first offsettop;
RenderLayer 0x5f5c5c840 clearLayerScrollableArea() 0x5f5cc4b40
RenderLayer 0x5f5c5c948 ensureLayerScrollableArea() made scrollableArea 0x5f5cc4e60
RenderLayerBacking (layer 0x5f5c5c948) updateConfiguration - usesCompositedScrolling 1
file:///Volumes/Data/Radar%20Attachments/Problem/74414963/repro_535.html:31:20: CONSOLE LOG designMode on;
file:///Volumes/Data/Radar%20Attachments/Problem/74414963/repro_535.html:33:20: CONSOLE LOG appendChild;
file:///Volumes/Data/Radar%20Attachments/Problem/74414963/repro_535.html:35:20: CONSOLE LOG second offsettop;
RenderLayer 0x5f5c5ca50 ensureLayerScrollableArea() made scrollableArea 0x5f64c70a0
RenderLayerBacking (layer 0x5f5c5ca50) updateConfiguration - usesCompositedScrolling 1
RenderLayerBacking (layer 0x5f5c5c948) updateConfiguration - usesCompositedScrolling 1
file:///Volumes/Data/Radar%20Attachments/Problem/74414963/repro_535.html:37:20: CONSOLE LOG designMode off;
RenderLayer 0x5f5c5c948 clearLayerScrollableArea() 0x5f5cc4e60
ASSERTION FAILED: scrollableArea
./rendering/RenderLayerBacking.cpp(1395) : void WebCore::RenderLayerBacking::updateGeometry(const WebCore::RenderLayer *)
1   0x5ee393549 WTFCrash
Comment 8 Simon Fraser (smfr) 2021-03-08 16:20:05 PST 
We've cleared the scrollable area, but the layer is not marked as needing a config update:

RenderLayer 0x69dc62948 clearLayerScrollableArea() 0x69dcd0e60

(S)tacking Context/(F)orced SC/O(P)portunistic SC, (N)ormal flow only, (O)verflow clip, (A)lpha (opacity or mask), has (B)lend mode, (I)solates blending, (T)ransform-ish, (F)ilter, Fi(X)ed position, Behaves as fi(x)ed, (C)omposited, (P)rovides backing/uses (p)rovided backing/paints to (a)ncestor, (c)omposited descendant, (s)scrolling ancestor, (t)transformed ancestor
Dirty (z)-lists, Dirty (n)ormal flow lists
Traversal needs: requirements (t)raversal on descendants, (b)acking or hierarchy traversal on descendants, (r)equirements traversal on all descendants, requirements traversal on all (s)ubsequent layers, (h)ierarchy traversal on all descendants, update of paint (o)rder children
Update needs:    post-(l)ayout requirements, (g)eometry, (k)ids geometry, (c)onfig, layer conne(x)ion, (s)crolling tree
Scrolling scope: box contents

S---------C-c-- -- tb---- ------ 3 3 0x69dc62630 (0,0) width=980 height=876 [SA 0x69dca1aa0] (layerID 31) {sc 3} RenderView 0x6a15492b0
S-----------c-- -- tb---- ------ 3 3   + 0x69dc62738 (0,0) width=980 height=0 [SA 0x69dcd08c0] RenderBlock 0x6a1549760 HTML 0x6a15495b0
-NO-------C---- -- ------ lg---- 3 6     n 0x69dc62a50 (949,8) width=1 height=0 [SA 0x69e4be0a0] (layerID 46) {sc 6} RenderBlock 0x6a0068010 DIV 0x6a154bed0
S-----T---C---- -- ------ -g---- 3 5     + 0x69dc62948 (966,8) width=0 height=0 (layerID 41) stacking {sc 5} RenderBlock 0x6a154bda0 FORM 0x6a154bb30
Comment 9 Simon Fraser (smfr) 2021-03-08 16:34:41 PST 
Created attachment 422635 [details]
Patch
Comment 10 Simon Fraser (smfr) 2021-03-08 17:34:48 PST 
Created attachment 422644 [details]
Patch
Comment 11 EWS 2021-03-08 21:22:07 PST 
commit-queue failed to commit attachment 422644 [details] to WebKit repository. To retry, please set cq+ flag again.
Comment 12 EWS 2021-03-08 21:58:04 PST 
Committed r274137: <https://commits.webkit.org/r274137>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 422644 [details].