WebKit Bugzilla
Bug 263783 (NEW): REGRESSION (Sonoma): ASSERT(m_scrollingStateTree) on fast/scrolling/scroll-snap-crash.html
https://bugs.webkit.org/show_bug.cgi?id=263783
Chris Dumez
Reported
2023-10-27 08:30:53 PDT
fast/scrolling/scroll-snap-crash.html is crashing consistently on my machine with a debug build like so:

run-webkit-tests --debug --no-build --repeat-each=3 fast/scrolling/scroll-snap-crash.html

Crash:
```
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   JavaScriptCore   0x10bd37c44 WTFCrash + 24 (Assertions.cpp:333)
1   WebCore          0x282d67ccc WTFCrashWithInfo(int, char const*, char const*, int) + 36 (Assertions.h:778)
2   WebCore          0x284e407e0 WebCore::ScrollingStateNode::scrollingStateTree() const + 124 (ScrollingStateNode.h:305)
3   WebCore          0x284e4a728 WebCore::ScrollingStateScrollingNode::~ScrollingStateScrollingNode() + 64 (ScrollingStateScrollingNode.cpp:89)
4   WebCore          0x284e3ef44 WebCore::ScrollingStateFrameScrollingNode::~ScrollingStateFrameScrollingNode() + 116 (ScrollingStateFrameScrollingNode.cpp:96)
5   WebCore          0x284e3ef74 WebCore::ScrollingStateFrameScrollingNode::~ScrollingStateFrameScrollingNode() + 32 (ScrollingStateFrameScrollingNode.cpp:96)
6   WebCore          0x284e3efa4 WebCore::ScrollingStateFrameScrollingNode::~ScrollingStateFrameScrollingNode() + 32 (ScrollingStateFrameScrollingNode.cpp:96)
7   WebKit           0x12c5b7210 void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::ScrollingStateNode, (WTF::DestructionThread)0>() const::'lambda'()::operator()() const + 104 (ThreadSafeWeakPtr.h:101)
8   WebKit           0x12c5b7190 void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::ScrollingStateNode, (WTF::DestructionThread)0>() const + 328 (ThreadSafeWeakPtr.h:107)
9   WebKit           0x12c5b703c WTF::ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr<WebCore::ScrollingStateNode, (WTF::DestructionThread)0>::deref() const + 32 (ThreadSafeWeakPtr.h:170)
10  WebKit           0x12c5b7008 WTF::Ref<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>>::~Ref() + 80 (Ref.h:61)
11  WebKit           0x12c5b6fa8 WTF::Ref<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>>::~Ref() + 32 (Ref.h:55)
12  WebKit           0x12dd7ebcc IPC::ArgumentCoder<WebCore::ScrollingStateFrameScrollingNode, void>::decode(IPC::Decoder&) + 2520 (RemoteScrollingCoordinatorTransaction.cpp:367)
13  WebKit           0x12c79f75c std::__1::optional<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>> IPC::ArgumentCoder<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>, void>::decode<IPC::Decoder, WebCore::ScrollingStateFrameScrollingNode>(IPC::Decoder&) + 172 (ArgumentCoders.h:294)
14  WebKit           0x12c4bd240 std::__1::optional<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>> IPC::Decoder::decode<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>>() + 60 (Decoder.h:137)
15  WebKit           0x12c4bd14c IPC::ArgumentCoder<WebCore::ScrollingStateTree, void>::decode(IPC::Decoder&) + 64 (GeneratedSerializers.mm:41721)
16  WebKit           0x12c79e808 std::__1::optional<WebCore::ScrollingStateTree> IPC::Decoder::decode<WebCore::ScrollingStateTree>() + 60 (Decoder.h:137)
17  WebKit           0x12c79e6b4 std::__1::optional<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>> IPC::ArgumentCoder<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>, void>::decode<IPC::Decoder>(IPC::Decoder&) + 128 (ArgumentCoders.h:336)
18  WebKit           0x12c4bce18 std::__1::optional<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>> IPC::Decoder::decode<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>>() + 60 (Decoder.h:137)
19  WebKit           0x12c4bccec IPC::ArgumentCoder<WebKit::RemoteScrollingCoordinatorTransaction, void>::decode(IPC::Decoder&) + 40 (GeneratedSerializers.mm:41694)
20  WebKit           0x12cc2dd34 std::__1::optional<WebKit::RemoteScrollingCoordinatorTransaction> IPC::Decoder::decode<WebKit::RemoteScrollingCoordinatorTransaction>() + 60 (Decoder.h:137)
```
Attachments
Add attachment
proposed patch, testcase, etc.
Chris Dumez
Comment 1
2023-10-27 08:32:23 PDT
```
CheckedPtr<ScrollingStateTree> m_scrollingStateTree; // Only null between deserialization and attachAfterDeserialization.
```
We crash during destruction because m_scrollingStateTree is null. The crash does occur during IPC deserialization so it seems it is expected for `m_scrollingStateTree` to be null.

Seems like there may be 2 bugs:
1. IPC deserialization fails
2. The ScrollingStateScrollingNode doesn't support getting destroyed during IPC deserialization and crashes
Chris Dumez
Comment 2
2023-10-27 08:40:45 PDT
For me, it looks like it fails IPC decoding for ScrollingStateNodeProperty::SnapOffsetsInfo
Chris Dumez
Comment 3
2023-10-27 08:46:07 PDT
(In reply to Chris Dumez from comment #2)
> For me, it looks like it fails IPC decoding for
> ScrollingStateNodeProperty::SnapOffsetsInfo

In particular, horizontalSnapOffsets inside FloatScrollSnapOffsetsInfo.
Chris Dumez
Comment 4
2023-10-27 08:50:07 PDT
(In reply to Chris Dumez from comment #3)
> (In reply to Chris Dumez from comment #2)
> > For me, it looks like it fails IPC decoding for
> > ScrollingStateNodeProperty::SnapOffsetsInfo
>
> In particular, horizontalSnapOffsets inside FloatScrollSnapOffsetsInfo.

In particular, the snapTargetID of FloatSnapOffset fails decoding.
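The failure mode described in comment 1 (a node whose tree pointer is legitimately null between deserialization and attachAfterDeserialization, destroyed on the decode-failure path) and the trigger narrowed down in comments 2 through 4 (decoding of a trailing field, snapTargetID, fails) can be modelled in a few dozen lines. The following is an added example written for this page; it is not WebKit code, and `Tree`, `Node`, `Decoder`, `decodeNode`, `roundTrip` and `g_assertionFailures` are hypothetical names. The `TolerateDetached` template flag switches between the destructor shape from the crash and a destructor that treats "never attached" as a valid state, and a debug ASSERT is modelled as a counter so both variants can run in one process:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <optional>
#include <vector>

// Added model of the lifecycle described in comment 1; it is not WebKit code.
// Tree, Node, Decoder, decodeNode, roundTrip and g_assertionFailures are
// hypothetical names chosen for this example.

// Stand-in for a debug ASSERT that records the failure instead of aborting,
// so the crashing and the tolerant variant can both be exercised in one run.
static int g_assertionFailures = 0;
#define MODEL_ASSERT(cond) do { if (!(cond)) ++g_assertionFailures; } while (0)

struct Tree {
    int nodesRemoved = 0;
    void willRemoveNode() { ++nodesRemoved; }
};

// TolerateDetached selects the destructor shape. false mirrors the report:
// the destructor assumes the tree pointer is set, although it is legitimately
// null between deserialization and attachAfterDeserialization().
template <bool TolerateDetached>
struct Node {
    Tree* tree = nullptr; // only null between deserialization and attach
    std::vector<int32_t> horizontalSnapOffsets;
    std::optional<uint64_t> snapTargetID;

    void attachAfterDeserialization(Tree& t) { tree = &t; }

    ~Node() {
        if constexpr (!TolerateDetached)
            MODEL_ASSERT(tree); // plays the role of ASSERT(m_scrollingStateTree)
        if (tree)
            tree->willRemoveNode(); // a node that never attached has nothing to undo
    }
};

// Minimal little-endian decoder: returns nullopt on truncated input, which is
// how a decode failure on a trailing field (snapTargetID) is modelled here.
struct Decoder {
    const std::vector<uint8_t>& bytes;
    size_t pos = 0;

    template <typename T> std::optional<T> decode() {
        if (bytes.size() - pos < sizeof(T))
            return std::nullopt;
        T v;
        std::memcpy(&v, bytes.data() + pos, sizeof(T));
        pos += sizeof(T);
        return v;
    }
};

// Decodes count, `count` offsets, then snapTargetID. Any failure returns
// nullptr, which destroys the partially built node before it was attached.
template <bool Tolerant>
std::unique_ptr<Node<Tolerant>> decodeNode(Decoder& d) {
    auto node = std::make_unique<Node<Tolerant>>();
    auto count = d.decode<uint32_t>();
    if (!count)
        return nullptr;
    for (uint32_t i = 0; i < *count; ++i) {
        auto offset = d.decode<int32_t>();
        if (!offset)
            return nullptr;
        node->horizontalSnapOffsets.push_back(*offset);
    }
    auto id = d.decode<uint64_t>();
    if (!id)
        return nullptr; // trailing field missing: node destroyed while detached
    node->snapTargetID = *id;
    return node;
}

struct RoundTrip { bool decoded; int assertions; int nodesRemoved; };

// Decodes `bytes`, attaches on success, lets the node go out of scope and
// reports whether decoding succeeded and how many modelled assertions fired.
template <bool Tolerant>
RoundTrip roundTrip(const std::vector<uint8_t>& bytes) {
    g_assertionFailures = 0;
    Tree tree;
    bool decoded = false;
    {
        Decoder d{bytes};
        auto node = decodeNode<Tolerant>(d);
        if (node) {
            node->attachAfterDeserialization(tree);
            decoded = true;
        }
    } // node destroyed here: attached on success, already gone on failure
    return {decoded, g_assertionFailures, tree.nodesRemoved};
}

// Constructed sample payloads: one complete encoding and one cut off before
// snapTargetID, the field comment 4 reports as failing to decode.
static const std::vector<uint8_t> kCompleteMessage = {
    1, 0, 0, 0,                // count = 1
    0x10, 0, 0, 0,             // horizontalSnapOffsets[0] = 16
    0x2a, 0, 0, 0, 0, 0, 0, 0, // snapTargetID = 42
};
static const std::vector<uint8_t> kTruncatedMessage(
    kCompleteMessage.begin(), kCompleteMessage.begin() + 8);

int main() {
    RoundTrip crashing = roundTrip<false>(kTruncatedMessage);
    RoundTrip tolerant = roundTrip<true>(kTruncatedMessage);
    std::printf("truncated input, crashing destructor: assertions=%d\n", crashing.assertions);
    std::printf("truncated input, tolerant destructor: assertions=%d\n", tolerant.assertions);
    return 0;
}
```

The point the model makes is the one comment 1 separates into two bugs: the decoder rejecting the message is the intended outcome for malformed input, so the object lifecycle has to be safe along that rejection path as well; only the destructor change removes the assertion, while the decode failure itself is reported in both variants.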
Alexey Proskuryakov
Comment 5
2023-10-30 13:29:01 PDT
Also frequently crashes on macOS Sonoma bots, but not on older OS versions.
Radar WebKit Bug Importer
Comment 6
2023-10-30 13:29:33 PDT
<rdar://problem/117702748>
Ben Schwartz
Comment 7
2023-11-08 09:33:51 PST
I have related this bug to bug #264419, which is an umbrella bug tracking layout test regressions in macOS Sonoma 14.1.