Created attachment 449909 [details] the html can make crash 1. build a debug webkit 2. open the html 3. crash ASSERTION FAILED: m_repaintRectsValid => m_repaintRects.outlineBoundsRect == renderer().outlineBoundsForRepaint(renderer().containerForRepaint()) ../../Source/WebCore/rendering/RenderLayer.cpp(1172) : void WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>) 1 0x7f944677c964 WTFReportBacktrace 2 0x7f944677cc01 WTFCrash 3 0x7f9469cbbaaf WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>) 4 0x7f9469cbbaee WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>) 5 0x7f9469cbbaee WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>) 6 0x7f9469cbbaee WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>) 7 0x7f9469de679f WebCore::RenderLayerScrollableArea::updateLayerPositionsAfterDocumentScroll() 8 0x7f9468a5a9f2 WebCore::FrameView::updateLayerPositionsAfterScrolling() 9 0x7f9468ec06fc WebCore::ScrollView::completeUpdatesAfterScrollTo(WebCore::IntSize const&) 10 0x7f9468ebfcf6 WebCore::ScrollView::handleDeferredScrollUpdateAfterContentSizeChange() 11 0x7f9468a482b2 WebCore::FrameView::didLayout(WTF::WeakPtr<WebCore::RenderElement, WTF::EmptyCounter>) 12 0x7f9468a7ce21 WebCore::FrameViewLayoutContext::layout() 13 0x7f9468a7e458 WebCore::FrameViewLayoutContext::layoutTimerFired() 14 0x7f9468ade7d8 void std::__invoke_impl<void, void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&>(std::__invoke_memfun_deref, void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&) 15 0x7f9468ade4ab std::__invoke_result<void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&>::type std::__invoke<void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&>(void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&) 16 0x7f9468adcd0d void std::_Bind<void (WebCore::FrameViewLayoutContext::*(WebCore::FrameViewLayoutContext*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) 17 0x7f9468adb944 void std::_Bind<void (WebCore::FrameViewLayoutContext::*(WebCore::FrameViewLayoutContext*))()>::operator()<, void>() 18 0x7f9468ada50c WTF::Detail::CallableWrapper<std::_Bind<void (WebCore::FrameViewLayoutContext::*(WebCore::FrameViewLayoutContext*))()>, void>::call() 19 0x7f946036ce95 WTF::Function<void ()>::operator()() const 20 0x7f946131201e WebCore::Timer::fired() 21 0x7f9468f100d4 WebCore::ThreadTimers::sharedTimerFiredInternal() 22 0x7f9468f0efdd /home/lxc/fuzz/webkit/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x1d2fdfdd) [0x7f9468f0efdd] 23 0x7f9468f15800 /home/lxc/fuzz/webkit/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x1d304800) [0x7f9468f15800] 24 0x7f946036ce95 WTF::Function<void ()>::operator()() const 25 0x7f9468e79457 WebCore::MainThreadSharedTimer::fired() 26 0x7f9468e93ef6 void std::__invoke_impl<void, void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&>(std::__invoke_memfun_deref, void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&) 27 0x7f9468e93d73 std::__invoke_result<void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&>::type std::__invoke<void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&>(void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&) 28 0x7f9468e93c9f void std::_Bind<void (WebCore::MainThreadSharedTimer::*(WebCore::MainThreadSharedTimer*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) 29 0x7f9468e93b72 void std::_Bind<void (WebCore::MainThreadSharedTimer::*(WebCore::MainThreadSharedTimer*))()>::operator()<, void>() 30 0x7f9468e93aa0 WTF::Detail::CallableWrapper<std::_Bind<void (WebCore::MainThreadSharedTimer::*(WebCore::MainThreadSharedTimer*))()>, void>::call() 31 0x7f946036ce95 WTF::Function<void ()>::operator()() const ** (MiniBrowser:917450): WARNING **: 17:21:37.584: WebProcess CRASHED
<rdar://problem/88321915>
Created attachment 463218 [details] Minimized testcase Attached is a minimized testcase obtained from the original one of bug 244580 (which apparently is generated by the same fuzzing framework). Reproduced at https://commits.webkit.org/255418@main with gtk debug build. Cannot reproduce with macos.
It is reproducible on macOS WebKit TOT (debug build - 267826@main) and also on 'ProPakistani.pk' website.