RESOLVED FIXED 246890
Fix assertion failure due to viewport anchor layer not being updated when updating style 
https://bugs.webkit.org/show_bug.cgi?id=246890
Summary Fix assertion failure due to viewport anchor layer not being updated when upd...
Arunsundar Kannan
Reported 2022-10-21 16:03:14 PDT
Test case: <!DOCTYPE html> <style> body { rotate: y 1turn; } </style> <script> onload = () => { document.body.offsetTop; document.body.style.position = 'sticky'; scrollBy(0, 0); }; </script> ASSERTION FAILED: layer.backing()->viewportAnchorLayer() rendering/RenderLayerCompositor.cpp(4770) : WebCore::ScrollingNodeID WebCore::RenderLayerCompositor::updateScrollingNodeForViewportConstrainedRole(WebCore::RenderLayer &, WebCore::ScrollingTreeState &, OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>) 1 0x280007be0 WTFCrash 2 0x2b7e5d668 WebCore::JSANGLEInstancedArrays::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) 3 0x2c45ce860 WebCore::RenderLayerCompositor::updateScrollingNodeForViewportConstrainedRole(WebCore::RenderLayer&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>) 4 0x2c45ac2f4 WebCore::RenderLayerCompositor::updateScrollCoordinationForLayer(WebCore::RenderLayer&, WebCore::RenderLayer const*, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>) 5 0x2c45a0ca4 WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) 6 0x2c45a15d4 WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) 7 0x2c45a15d4 WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) 8 0x2c459844c WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*) 9 0x2c266e998 WebCore::FrameView::updateCompositingLayersAfterLayout() 10 0x2c2679628 WebCore::FrameView::didLayout(WTF::WeakPtr<WebCore::RenderElement, WTF::DefaultWeakPtrImpl>) 11 0x2c272483c WebCore::FrameViewLayoutContext::performLayout() 12 0x2c27235b0 WebCore::FrameViewLayoutContext::layout() 13 0x2c0367c90 WebCore::Document::updateLayout() 14 0x2c036b810 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) 15 0x2c253921c WebCore::DOMWindow::scrollBy(WebCore::ScrollToOptions const&) const 16 0x2c2538fa4 WebCore::DOMWindow::scrollBy(double, double) const 17 0x2b8bee430 WebCore::jsDOMWindowInstanceFunction_scrollBy2Body(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*)::'lambda'()::operator()() const 18 0x2b8bee200 JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsDOMWindowInstanceFunction_scrollBy2Body(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsDOMWindowInstanceFunction_scrollBy2Body(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*)::'lambda'()&&) 19 0x2b8bedc2c WebCore::jsDOMWindowInstanceFunction_scrollBy2Body(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*) 20 0x2b8becc24 WebCore::jsDOMWindowInstanceFunction_scrollByOverloadDispatcher(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*) 21 0x2b8bec6a0 long long WebCore::IDLOperation<WebCore::JSDOMWindow>::call<&(WebCore::jsDOMWindowInstanceFunction_scrollByOverloadDispatcher(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) 22 0x2b8bc0018 WebCore::jsDOMWindowInstanceFunction_scrollBy(JSC::JSGlobalObject*, JSC::CallFrame*) 23 0x13cf78044 (null) 24 0x13cf68248 (null) 25 0x13cf68848 (null) 26 0x288e9f154 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 27 0x2876d348c JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 28 0x288229dc4 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 29 0x28822a27c JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) 30 0x28822ad50 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) 31 0x2bee0fb00 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
Attachments
Add attachment proposed patch, testcase, etc.
Arunsundar Kannan
Comment 1 2022-10-21 16:09:34 PDT
<rdar://problem/99568474>
Arunsundar Kannan
Comment 2 2022-10-21 16:09:51 PDT
Pull request: https://github.com/WebKit/WebKit/pull/5658
EWS
Comment 3 2022-10-26 10:24:43 PDT
Committed 256025@main (67c0ccbbabbd): <https://commits.webkit.org/256025@main> Reviewed commits have been landed. Closing PR #5658 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.