Bug 282945 - REGRESSION(iOS 18.2 beta): Crash in RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations
Status: RESOLVED CONFIGURATION CHANGED
https://bugs.webkit.org/show_bug.cgi?id=282945
Ali Juma
Reported 2024-11-11 11:20:09 PST
Created attachment 473194: Crash log

Chrome on iOS is getting a large number of reports of a new crash in iOS 18.2 beta, in RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations. For context, this is Chrome's #4 top crash on 18.2. I've attached a crash log. Here's the crash stack:

Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001b6058a74
Termination Reason: SIGNAL 5 Trace/BPT trap: 5
Terminating Process: exc handler [30669]
Triggered by Thread: 0

Thread 0 Crashed:
0 WebKit 0x00000001b6058a74 WebKit::RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations(WebKit::RemoteLayerTreeHost const&) + 1472 (RemoteScrollingCoordinatorProxyIOS.mm:259)
1 WebKit 0x00000001b6058354 WebKit::RemoteScrollingCoordinatorProxy::commitScrollingTreeState(IPC::Connection&, WebKit::RemoteScrollingCoordinatorTransaction const&, std::__1::optional<WTF::ObjectIdentifierGeneric<WebCore::La... + 344 (RemoteScrollingCoordinatorProxy.cpp:112)
2 WebKit 0x00000001b6057bb4 WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(IPC::Connection&, WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::C... + 1788 (RemoteLayerTreeDrawingAreaProxy.mm:231)
3 WebKit 0x00000001b60548f4 WebKit::RemoteLayerTreeDrawingAreaProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 2324 (RemoteLayerTreeDrawingAreaProxyMessageReceiver.cpp:61)
4 WebKit 0x00000001b601d874 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 272 (MessageReceiverMap.cpp:129)
5 WebKit 0x00000001b601db08 WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 44 (WebProcessProxy.cpp:1202)
6 WebKit 0x00000001b601cc34 IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) + 252 (Connection.cpp:1451)
7 WebKit 0x00000001b601c7a4 IPC::Connection::dispatchIncomingMessages() + 580 (Connection.cpp:1563)
8 JavaScriptCore 0x00000001b736805c WTF::RunLoop::performWork() + 204 (RunLoop.cpp:147)
9 JavaScriptCore 0x00000001b7367f70 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:46)
10 CoreFoundation 0x000000019fb2a36c __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28 (CFRunLoop.c:1970)
11 CoreFoundation 0x000000019fb2a300 __CFRunLoopDoSource0 + 176 (CFRunLoop.c:2014)
12 CoreFoundation 0x000000019fb2cf60 __CFRunLoopDoSources0 + 244 (CFRunLoop.c:2051)
13 CoreFoundation 0x000000019fb2c15c __CFRunLoopRun + 840 (CFRunLoop.c:2969)
14 CoreFoundation 0x000000019fb7e664 CFRunLoopRunSpecific + 588 (CFRunLoop.c:3434)
15 GraphicsServices 0x00000001eda014c0 GSEventRunModal + 164 (GSEvent.c:2196)
16 UIKitCore 0x00000001a26cb7a0 0x1a22dc000 + 4126624 (UIApplication.m:3853)
17 UIKitCore 0x00000001a22f16a4 UIApplicationMain + 340 (UIApplication.m:5510)
18 Chrome 0x00000001024e0260 0x1024dc000 + 16992
19 dyld 0x00000001c6a5ede8 start + 2724 (dyldMain.cpp:1338)
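A small triage helper, added here as an example and not code from the report or from WebKit: it parses the crashing thread's frames (a constructed, abbreviated copy of the stack above), reads the crash site, and locates the IPC message handler that was running when the trap fired, which is what tells a reader that the UI process asserted while processing input sent by the web content process.

```python
import re

# Constructed sample: the exception line and the inner frames of the crashing
# thread from the report above, with long parameter lists abbreviated to "...".
CRASH_LOG = """\
Exception Type: EXC_BREAKPOINT (SIGTRAP)
0 WebKit 0x00000001b6058a74 WebKit::RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations(WebKit::RemoteLayerTreeHost const&) + 1472 (RemoteScrollingCoordinatorProxyIOS.mm:259)
1 WebKit 0x00000001b6058354 WebKit::RemoteScrollingCoordinatorProxy::commitScrollingTreeState(IPC::Connection&, ...) + 344 (RemoteScrollingCoordinatorProxy.cpp:112)
2 WebKit 0x00000001b6057bb4 WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(IPC::Connection&, ...) + 1788 (RemoteLayerTreeDrawingAreaProxy.mm:231)
3 WebKit 0x00000001b60548f4 WebKit::RemoteLayerTreeDrawingAreaProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 2324 (RemoteLayerTreeDrawingAreaProxyMessageReceiver.cpp:61)
4 WebKit 0x00000001b601d874 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 272 (MessageReceiverMap.cpp:129)
5 WebKit 0x00000001b601db08 WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 44 (WebProcessProxy.cpp:1202)
"""

# One frame: "<idx> <image> <addr> <symbol> + <offset> (<file>:<line>)"; the source location is optional (unsymbolicated frames lack it).
FRAME_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s+\+\s+(\d+)"
    r"(?:\s+\(([^:()]+):(\d+)\))?\s*$", re.M)

def parse_frames(text):
    """Frame lines of the crashing thread as dicts, innermost first."""
    return [{"index": int(m[1]), "image": m[2], "address": m[3], "symbol": m[4],
             "offset": int(m[5]), "file": m[6], "line": int(m[7]) if m[7] else None}
            for m in FRAME_RE.finditer(text)]

def ipc_handler_frame(frames):
    """The frame just inside the innermost IPC:: dispatch frame, i.e. the message
    handler that was running when the crash hit; None if no IPC dispatch is on the stack."""
    for i, f in enumerate(frames):
        if f["symbol"].startswith("IPC::") and i > 0:
            return frames[i - 1]
    return None

def triage(text):
    """What a UI-process crash report tells a triager at a glance."""
    frames = parse_frames(text)
    m = re.search(r"^Exception Type:\s+(\S+)", text, re.M)
    exc, top, handler = (m[1] if m else None), (frames[0] if frames else None), ipc_handler_frame(frames)
    return {
        "exception": exc,
        # EXC_BREAKPOINT/SIGTRAP on arm64 is a trap instruction, which is what a
        # deliberate RELEASE_ASSERT/CRASH() produces, not a bad memory access.
        "trap_like": exc == "EXC_BREAKPOINT",
        "crash_frame": top["symbol"] if top else None,
        "crash_site": f"{top['file']}:{top['line']}" if top and top["file"] else None,
        # A handler here means the crash was reached while processing a message
        # from another process: the triggering input crossed a trust boundary.
        "ipc_handler": handler["symbol"] if handler else None,
    }
```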
Attachments: Crash log (33.28 KB, text/plain), 2024-11-11 11:20 PST, Ali Juma, no flags
Radar WebKit Bug Importer
Comment 1
2024-11-11 13:42:32 PST
<rdar://problem/139671603>
Matt Woodrow
Comment 2
2025-01-09 13:43:15 PST
Do you have a test case that reproduces this, or any further information that would help narrow this down?
michaeldo
Comment 3
2025-01-30 20:46:09 PST
Hi Matt, unfortunately we don't have a test case or any further info. However, this continues to be a top crasher for users on iOS 18.2.
Rick Byers
Comment 4
2025-04-15 11:32:10 PDT
Note that this has grown to be our top crash issue, accounting for nearly half of all crashes in Chrome on iOS. Normally for Chrome (e.g. on Android) this level of crash would be an emergency for which we would aim to push out a revert within 24 hours (e.g. by identifying any CL in the regressing version which touched the relevant code and speculatively reverting it). Luckily it looks like this is not occurring in iOS 18.4, so we believe the problem to have been eventually fixed. Is there anything you can share about what you have learned? Normally I would initiate a thorough post-mortem review for an incident of this scale in Chrome, but lacking visibility into WebKit I'm not sure that is possible here? Searching, I see there has been some work related to this crash in other bugs, e.g. bug 286459.
Simon Fraser (smfr)
Comment 5
2025-04-15 13:13:29 PDT
https://bugs.webkit.org/show_bug.cgi?id=286459 fixed one aspect of this (it should no longer crash the main process), and is in 18.4, so it appears to have fixed this. We never found a way to reproduce this; it would have been helpful to know about which sites triggered it.
Rick Byers
Comment 6
2025-04-15 13:48:18 PDT
Thanks Simon! Yeah, we also struggled with not being able to get a reproduction for this issue. To me the crashes look fairly well distributed across websites by popularity, with the top hit being on about://newtab/, and other top hits being on the most popular sites (e.g. google.com), but with a long tail of hits on a wide variety of websites. So perhaps the most telling thing there is that it occurs on about://newtab, meaning it's really not dependent on the site content at all? It definitely looks new (or much worse) in 18.2 though, with effectively zero crash reports from 18.1. Does that help at all? Were there a lot of changes related to this code between 18.1 and 18.2? Did you get reports of crashes in other WebKit products too, or was this crash specific to Chrome?
Simon Fraser (smfr)
Comment 7
2025-04-15 13:53:09 PDT
We did get a crash signal here too, but it seemed to be lower frequency than in Chrome.