NEW 259723
After iOS 15.4, setting the overflow property to scroll or auto and quickly creating and releasing webviews can cause crashes.
https://bugs.webkit.org/show_bug.cgi?id=259723
CassielX
Reported 2023-08-01 23:29:26 PDT
After iOS 15.4, I found that when using the CSS overflow:scroll property, there would be a crash when quickly creating and destroying webviews. Recently, this issue has occurred on iOS 16.4, iOS 16.4.1, iOS 16.5, iOS 16.5.1, and iOS 16.6. The crash stack trace is as follows:

----------------------------------------------------------------------------
WebCore/WebCore::ScrollingTreeScrollingNode::wasScrolledByDelegatedScrolling(WebCore::FloatPoint const&, std::__1::optional<WebCore::FloatRect>, WebCore::ScrollingLayerPositionAction) + 328

OS Version: iOS 16.6 (20G75)
Report Version: 104
Monitor Type: Mach Exception
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Crashed Thread: 0
Pthread id: 2934709

Thread 0 Crashed:
0 WebKit WebKit::RemoteScrollingTree::scrollingTreeNodeDidScroll(WebCore::ScrollingTreeScrollingNode&, WebCore::ScrollingLayerPositionAction) + 180
1 WebKit WebKit::RemoteScrollingTree::scrollingTreeNodeDidScroll(WebCore::ScrollingTreeScrollingNode&, WebCore::ScrollingLayerPositionAction) + 140
2 WebCore WebCore::ScrollingTreeScrollingNode::wasScrolledByDelegatedScrolling(WebCore::FloatPoint const&, std::__1::optional<WebCore::FloatRect>, WebCore::ScrollingLayerPositionAction) + 328
3 WebKit WebKit::ScrollingTreeScrollingNodeDelegateIOS::scrollViewDidScroll(WebCore::FloatPoint const&, bool) + 112
4 WebKit -[WKScrollingNodeScrollViewDelegate scrollViewDidScroll:] + 68
5 UIKitCore -[UIScrollView _notifyDidScroll] + 72
6 UIKitCore -[UIScrollView setContentOffset:] + 1032
7 UIKitCore -[UIScrollViewScrollAnimation setProgress:] + 276
8 UIKitCore -[UIAnimator _advanceAnimationsOnScreenWithIdentifier:withTimestamp:] + 184
9 UIKitCore _UIUpdateSequenceRun + 84
10 UIKitCore schedulerStepScheduledMainSection + 144
11 UIKitCore runloopSourceCallback + 92
12 CoreFoundation __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28
13 CoreFoundation __CFRunLoopDoSource0 + 176
14 CoreFoundation __CFRunLoopDoSources0 + 244
15 CoreFoundation __CFRunLoopRun + 828
16 CoreFoundation CFRunLoopRunSpecific + 612
17 GraphicsServices GSEventRunModal + 164
18 UIKitCore -[UIApplication _run] + 888
19 UIKitCore UIApplicationMain + 340
20 imeituan main (main.m:41)
21 (null) 0x00000001e7718dec 0x0 + 8177946092
----------------------------------------------------------------------------

On iOS 15.4 and iOS 15.4.1, the crash stack trace is as follows:

----------------------------------------------------------------------------
WebCore/WebCore::ScrollingTreeScrollingNode::wasScrolledByDelegatedScrolling(WebCore::FloatPoint const&, std::__1::optional<WebCore::FloatRect>, WebCore::ScrollingLayerPositionAction) + 308

OS Version: iOS 15.4.1 (19E258)
Report Version: 104
Monitor Type: Mach Exception
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Crashed Thread: 0
Pthread id: 3104660

Thread 0 Crashed:
0 WebKit WebKit::RemoteScrollingTree::scrollingTreeNodeDidScroll(WebCore::ScrollingTreeScrollingNode&, WebCore::ScrollingLayerPositionAction) + 104
1 WebCore WebCore::ScrollingTreeScrollingNode::wasScrolledByDelegatedScrolling(WebCore::FloatPoint const&, std::__1::optional<WebCore::FloatRect>, WebCore::ScrollingLayerPositionAction) + 308
2 WebCore WebCore::ScrollingTreeScrollingNode::wasScrolledByDelegatedScrolling(WebCore::FloatPoint const&, std::__1::optional<WebCore::FloatRect>, WebCore::ScrollingLayerPositionAction) + 308
3 WebKit WebKit::ScrollingTreeScrollingNodeDelegateIOS::scrollViewDidScroll(WebCore::FloatPoint const&, bool) + 112
4 WebKit -[WKScrollingNodeScrollViewDelegate scrollViewDidScroll:] + 76
5 UIKitCore -[UIScrollView _notifyDidScroll] + 80
6 UIKitCore -[UIScrollView setContentOffset:] + 1224
7 UIKitCore -[UIScrollViewScrollAnimation setProgress:] + 320
8 UIKitCore -[UIAnimator _advanceAnimationsOfType:withTimestamp:] + 280
9 QuartzCore CA::Display::DisplayLink::dispatch_items(unsigned long long, unsigned long long, unsigned long long) + 748
10 QuartzCore display_timer_callback(__CFMachPort*, void*, long, void*) + 372
11 CoreFoundation __CFMachPortPerform + 176
12 CoreFoundation __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ + 60
13 CoreFoundation __CFRunLoopDoSource1 + 604
14 CoreFoundation __CFRunLoopRun + 2372
15 CoreFoundation CFRunLoopRunSpecific + 600
16 GraphicsServices GSEventRunModal + 164
17 UIKitCore -[UIApplication _run] + 1100
18 UIKitCore UIApplicationMain + 364
19 imeituan main (main.m:41)
20 (null) 0x000000010ace9ce4 0x0 + 4476280036
----------------------------------------------------------------------------

I'm having trouble reproducing the issue myself, but there are related crashes happening in the production environment. Could you please take a look at the stack trace and see if there is any relevant information? The issue seems to occur when the overflow property is set to scroll or auto.
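The two reports quoted above are raw production crash logs. As an added example that is not part of this bug report or of WebKit, the following Python triage helper parses a log in that layout, pulls out the exception fields and the crashed thread's frames, builds a dedup signature from the first WebKit/WebCore frames, and flags the KERN_INVALID_ADDRESS at 0x0 case as a null dereference. The sample input is a constructed, abridged copy of the first report on this page; the 16 KiB page-size threshold used for the null-dereference heuristic is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the iOS 16.6 report quoted in the bug.
SAMPLE_REPORT = """\
OS Version: iOS 16.6 (20G75)
Report Version: 104
Monitor Type: Mach Exception
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Crashed Thread: 0
Pthread id: 2934709

Thread 0 Crashed:
0 WebKit WebKit::RemoteScrollingTree::scrollingTreeNodeDidScroll(WebCore::ScrollingTreeScrollingNode&, WebCore::ScrollingLayerPositionAction) + 180
1 WebKit WebKit::RemoteScrollingTree::scrollingTreeNodeDidScroll(WebCore::ScrollingTreeScrollingNode&, WebCore::ScrollingLayerPositionAction) + 140
2 WebCore WebCore::ScrollingTreeScrollingNode::wasScrolledByDelegatedScrolling(WebCore::FloatPoint const&, std::__1::optional<WebCore::FloatRect>, WebCore::ScrollingLayerPositionAction) + 328
3 WebKit WebKit::ScrollingTreeScrollingNodeDelegateIOS::scrollViewDidScroll(WebCore::FloatPoint const&, bool) + 112
4 WebKit -[WKScrollingNodeScrollViewDelegate scrollViewDidScroll:] + 68
5 UIKitCore -[UIScrollView _notifyDidScroll] + 72
"""

# "<index> <image> <symbol> + <offset>"; the lazy group stops at the final "+ N".
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.+?)\s+\+\s+(\d+)$")
# "Key Words: value" header lines that precede the thread dump.
HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


@dataclass
class Frame:
    index: int
    image: str
    symbol: str
    offset: int


@dataclass
class CrashReport:
    headers: dict = field(default_factory=dict)
    frames: list = field(default_factory=list)

    @property
    def fault_address(self):
        """Faulting address from 'Exception Codes', or None if not present."""
        m = re.search(r"at 0x([0-9a-fA-F]+)", self.headers.get("Exception Codes", ""))
        return int(m.group(1), 16) if m else None

    def is_null_dereference(self, page_size=0x4000):
        # Assumption: page 0 is never mapped, so a bad access below one page
        # (16 KiB on arm64 iOS) is a null pointer plus a small field offset.
        addr = self.fault_address
        return (addr is not None and addr < page_size
                and "EXC_BAD_ACCESS" in self.headers.get("Exception Type", ""))

    def signature(self, depth=3, images=("WebKit", "WebCore")):
        """Dedup key: the first `depth` frames inside the images of interest,
        with argument lists stripped so ABI/template noise does not split buckets."""
        names = []
        for f in self.frames:
            if f.image in images:
                names.append(f.symbol.split("(")[0])
            if len(names) == depth:
                break
        return " <- ".join(names)


def parse_crash_report(text):
    report = CrashReport()
    in_thread = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Thread") and line.endswith("Crashed:"):
            in_thread = True
            continue
        if in_thread:
            m = FRAME_RE.match(line)
            if m:
                report.frames.append(Frame(int(m.group(1)), m.group(2),
                                           m.group(3), int(m.group(4))))
            continue
        m = HEADER_RE.match(line)
        if m:
            report.headers[m.group(1).strip()] = m.group(2).strip()
    return report


if __name__ == "__main__":
    r = parse_crash_report(SAMPLE_REPORT)
    print("exception:", r.headers["Exception Type"])
    print("null deref:", r.is_null_dereference())
    print("signature:", r.signature())
```

Bucketing production crashes by the signature rather than by the full symbol text (whose offsets shift between iOS builds, as the "+ 328" versus "+ 308" frames above show) is what lets a triage pipeline tell that the iOS 15.4.1 and iOS 16.6 reports are the same crash.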
Radar WebKit Bug Importer
Comment 1 2023-08-02 08:29:18 PDT
Simon Fraser (smfr)
Comment 2 2024-09-25 13:50:15 PDT
Does this still reproduce in iOS 18?