RESOLVED FIXED 222021
REGRESSION(r274025-r273811): Crash under RenderLayerBacking::updateGeometry() 
https://bugs.webkit.org/show_bug.cgi?id=222021
Summary REGRESSION(r274025-r273811): Crash under RenderLayerBacking::updateGeometry()
Simon Fraser (smfr)
Reported 2021-02-16 19:53:10 PST
Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [6031] Getting symbols for 3C6465D7-E536-34D1-87CE-D9AE5FF42453 /Applications/Safari Technology Preview.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore... ok Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000000) [ 0] 0x00000006d31d2c32 WebCore`WebCore::RenderLayerBacking::updateGeometry(WebCore::RenderLayer const*) [inlined] WebCore::ScrollableArea::scrollOffset() const at ScrollableArea.cpp:671:37 667 } 668 669 ScrollOffset ScrollableArea::scrollOffset() const 670 { -> 671 return scrollOffsetFromPosition(scrollPosition()); 672 } 673 674 ScrollPosition ScrollableArea::minimumScrollPosition() const 675 { 0x00000006d31d2c1a: leaq -0x190(%rbp), %rsi 0x00000006d31d2c21: callq *0xa0(%rax) 0x00000006d31d2c27: movq 0x10(%r15), %rax 0x00000006d31d2c2b: movq 0xe0(%rax), %r12 -> 0x00000006d31d2c32: movq (%r12), %rax 0x00000006d31d2c36: movq %r12, %rdi 0x00000006d31d2c39: callq *0x100(%rax) 0x00000006d31d2c3f: movl 0x28(%r12), %edx 0x00000006d31d2c44: movl 0x2c(%r12), %ecx [ 0] 0x00000006d31d2c32 WebCore`WebCore::RenderLayerBacking::updateGeometry(WebCore::RenderLayer const*) + 8066 at RenderLayerBacking.cpp:1379 1375 1376 auto* scrollableArea = m_owningLayer.scrollableArea(); 1377 ASSERT(scrollableArea); 1378 -> 1379 ScrollOffset scrollOffset = scrollableArea->scrollOffset(); 1380 updateScrollOffset(scrollOffset); 1381 1382 FloatSize oldScrollingLayerOffset = m_scrollContainerLayer->offsetFromRenderer(); 1383 m_scrollContainerLayer->setOffsetFromRenderer(toFloatSize(scrollContainerBox.location())); [ 1] 0x00000006d31ddd64 WebCore`WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) + 772 at RenderLayerCompositor.cpp:1302:27 1298 } 1299 1300 OptionSet<ScrollingNodeChangeFlags> scrollingNodeChanges = { ScrollingNodeChangeFlags::Layer }; 1301 if (layerNeedsUpdate || layer.needsCompositingGeometryUpdate()) { -> 1302 layerBacking->updateGeometry(traversalState.compositingAncestor); 1303 scrollingNodeChanges.add(ScrollingNodeChangeFlags::LayerGeometry); 1304 } else if (layer.needsScrollingTreeUpdate()) 1305 scrollingNodeChanges.add(ScrollingNodeChangeFlags::LayerGeometry); 1306 [ 2] 0x00000006d31df30c WebCore`WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) + 6316 at RenderLayerCompositor.cpp:1367:13 1363 for (auto* renderLayer : layer.normalFlowLayers()) 1364 updateBackingAndHierarchy(*renderLayer, childList, traversalStateForDescendants, scrollingStateForDescendants, updateLevel); 1365 1366 for (auto* renderLayer : layer.positiveZOrderLayers()) -> 1367 updateBackingAndHierarchy(*renderLayer, childList, traversalStateForDescendants, scrollingStateForDescendants, updateLevel); 1368 1369 // Pass needSynchronousScrollingReasonsUpdate back up. 1370 scrollingTreeState.needSynchronousScrollingReasonsUpdate |= scrollingStateForDescendants.needSynchronousScrollingReasonsUpdate; 1371 if (scrollingTreeState.parentNodeID == scrollingStateForDescendants.parentNodeID) [ 3] 0x00000006d31df30c WebCore`WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) + 6316 at RenderLayerCompositor.cpp:1367:13 [ 4] 0x00000006d133028d WebCore`WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*) + 2317 at RenderLayerCompositor.cpp:867:9
Attachments
Test case (needs HTTP server; load it dozen times) (832 bytes, text/html)
2021-03-05 19:57 PST, Ryosuke Niwa 		no flags
Details
Patch (6.21 KB, patch)
2021-03-08 16:34 PST, Simon Fraser (smfr) 		zalan: review+
ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (6.46 KB, patch)
2021-03-08 17:34 PST, Simon Fraser (smfr) 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Simon Fraser (smfr)
Comment 1 2021-02-16 19:53:31 PST
Looks like the RenderLayer/scrollable area split.
Nikolas Zimmermann
Comment 2 2021-02-17 22:43:41 PST
Thanks, I will have a look.
Nikolas Zimmermann
Comment 3 2021-02-22 04:47:31 PST
Do we have any testcase for this? How was this backtrace obtained? (I suspect Apple crash reports for the STP builds?) If I read the backtrace correctly, m_scrollableArea is null in line 1376, and we see a nullptr crash in a release build. However I fail to see how it can be null: According to the backtrace RenderLayerBacking::updateGeometry() is called for a RenderLayerBacking object that has a non-zero m_scrollContainerLayer. A m_scrollContainerLayer is only created if the associated RenderLayer (m_owningLayer) is using composited scrolling (that is checked via the RenderLayer::hasCompositedScrollableOverflow() condition). However RenderLayer::hasCompositedScrollableOverflow() only returns true if the RenderLayer has an associated RenderLayerScrollableArea, which in turn means the crash shouldn't be there ;-) I probably fail to understand something, hence a bug in the current code and thus the crash....
Radar WebKit Bug Importer
Comment 4 2021-02-23 19:54:13 PST
<rdar://problem/74675337>
Ryosuke Niwa
Comment 6 2021-03-05 20:05:43 PST
This is a regression between r273811 and r274025.
Simon Fraser (smfr)
Comment 7 2021-03-08 16:14:39 PST
RenderLayer 0x5f5c5c630 ensureLayerScrollableArea() made scrollableArea 0x5f5c9aaa0 RenderLayerBacking (layer 0x5f5c5c630) updateConfiguration - usesCompositedScrolling 0 RenderLayer 0x5f5c5c738 ensureLayerScrollableArea() made scrollableArea 0x5f5cc48c0 RenderLayer 0x5f5c5c840 ensureLayerScrollableArea() made scrollableArea 0x5f5cc4b40 RenderLayerBacking (layer 0x5f5c5c630) updateConfiguration - usesCompositedScrolling 0 RenderLayerBacking (layer 0x5f5c5c840) updateConfiguration - usesCompositedScrolling 1 file:///Volumes/Data/Radar%20Attachments/Problem/74414963/repro_535.html:29:20: CONSOLE LOG first offsettop; RenderLayer 0x5f5c5c840 clearLayerScrollableArea() 0x5f5cc4b40 RenderLayer 0x5f5c5c948 ensureLayerScrollableArea() made scrollableArea 0x5f5cc4e60 RenderLayerBacking (layer 0x5f5c5c948) updateConfiguration - usesCompositedScrolling 1 file:///Volumes/Data/Radar%20Attachments/Problem/74414963/repro_535.html:31:20: CONSOLE LOG designMode on; file:///Volumes/Data/Radar%20Attachments/Problem/74414963/repro_535.html:33:20: CONSOLE LOG appendChild; file:///Volumes/Data/Radar%20Attachments/Problem/74414963/repro_535.html:35:20: CONSOLE LOG second offsettop; RenderLayer 0x5f5c5ca50 ensureLayerScrollableArea() made scrollableArea 0x5f64c70a0 RenderLayerBacking (layer 0x5f5c5ca50) updateConfiguration - usesCompositedScrolling 1 RenderLayerBacking (layer 0x5f5c5c948) updateConfiguration - usesCompositedScrolling 1 file:///Volumes/Data/Radar%20Attachments/Problem/74414963/repro_535.html:37:20: CONSOLE LOG designMode off; RenderLayer 0x5f5c5c948 clearLayerScrollableArea() 0x5f5cc4e60 ASSERTION FAILED: scrollableArea ./rendering/RenderLayerBacking.cpp(1395) : void WebCore::RenderLayerBacking::updateGeometry(const WebCore::RenderLayer *) 1 0x5ee393549 WTFCrash
Simon Fraser (smfr)
Comment 8 2021-03-08 16:20:05 PST
We've cleared the scrollable area, but the layer is not marked as needing a config update: RenderLayer 0x69dc62948 clearLayerScrollableArea() 0x69dcd0e60 (S)tacking Context/(F)orced SC/O(P)portunistic SC, (N)ormal flow only, (O)verflow clip, (A)lpha (opacity or mask), has (B)lend mode, (I)solates blending, (T)ransform-ish, (F)ilter, Fi(X)ed position, Behaves as fi(x)ed, (C)omposited, (P)rovides backing/uses (p)rovided backing/paints to (a)ncestor, (c)omposited descendant, (s)scrolling ancestor, (t)transformed ancestor Dirty (z)-lists, Dirty (n)ormal flow lists Traversal needs: requirements (t)raversal on descendants, (b)acking or hierarchy traversal on descendants, (r)equirements traversal on all descendants, requirements traversal on all (s)ubsequent layers, (h)ierarchy traversal on all descendants, update of paint (o)rder children Update needs: post-(l)ayout requirements, (g)eometry, (k)ids geometry, (c)onfig, layer conne(x)ion, (s)crolling tree Scrolling scope: box contents S---------C-c-- -- tb---- ------ 3 3 0x69dc62630 (0,0) width=980 height=876 [SA 0x69dca1aa0] (layerID 31) {sc 3} RenderView 0x6a15492b0 S-----------c-- -- tb---- ------ 3 3 + 0x69dc62738 (0,0) width=980 height=0 [SA 0x69dcd08c0] RenderBlock 0x6a1549760 HTML 0x6a15495b0 -NO-------C---- -- ------ lg---- 3 6 n 0x69dc62a50 (949,8) width=1 height=0 [SA 0x69e4be0a0] (layerID 46) {sc 6} RenderBlock 0x6a0068010 DIV 0x6a154bed0 S-----T---C---- -- ------ -g---- 3 5 + 0x69dc62948 (966,8) width=0 height=0 (layerID 41) stacking {sc 5} RenderBlock 0x6a154bda0 FORM 0x6a154bb30
Simon Fraser (smfr)
Comment 9 2021-03-08 16:34:41 PST
Created attachment 422635 [details] Patch
Simon Fraser (smfr)
Comment 10 2021-03-08 17:34:48 PST
Created attachment 422644 [details] Patch
EWS
Comment 11 2021-03-08 21:22:07 PST
commit-queue failed to commit attachment 422644 [details] to WebKit repository. To retry, please set cq+ flag again.
EWS
Comment 12 2021-03-08 21:58:04 PST
Committed r274137: <https://commits.webkit.org/r274137> All reviewed patches have been landed. Closing bug and clearing flags on attachment 422644 [details].
Note You need to log in before you can comment on or make changes to this bug.