Bug 286356: RESOLVED FIXED
REGRESSION (iPadOS 18): RemoteScrollingCoordinatorProxyIOS Invalid message dispatched virtual void WebKit::RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations
https://bugs.webkit.org/show_bug.cgi?id=286356
Adam
Reported 2025-01-22 06:35:56 PST
After upgrade to iPadOS 18 and all subsequent versions (18.1 - 18.3) there seems to be a quite specific bug that crashes the Safari browser (does not happen within Chrome on the same device) and in-app WebKit instances; it seems to affect only iPadOS devices.

Bug reproduced on devices:

M1 iPad Air 5th GEN (MM9E3FD/A) - iOS 18.3 (22D5040d) / iOS 18.3 (22D60)
[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Safari/605.1.15]

The error message printed in the Xcode console:

```
Library/Caches/com.apple.xbs/Sources/WebKit_Sim/Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteScrollingCoordinatorProxyIOS.mm 272: Invalid message dispatched virtual void WebKit::RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations(const RemoteLayerTreeHost &)

Received an invalid message 'RemoteLayerTreeDrawingAreaProxy_CommitLayerTree' from the WebContent process with PID 22404
```

HTML that reproduces the crash:

```
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Crash iOS</title>
    <style>
        .element { position: relative; }
        .container { width: 0; }
        .container-2 { overflow-y: auto; transition: 0.3s; }
        .container-3 { overflow-y: auto; }
        .container-4 { position: relative; }
    </style>
</head>
<body>
    <button id="aa_click" style="margin-top: 200px;">click123</button>
    <div id="test" class="container">
        <div class="container-4">
            <div class="container-3">
                <div class="container-2">
                    <div class="element"> test </div>
                </div>
            </div>
        </div>
    </div>
    <script>
        // Toggle the visibility of the outer container on each click.
        document.getElementById("aa_click").onclick = function () {
            let a = document.getElementById("test");
            let b = a.style.visibility
            if (b == 'hidden') {
                a.style.visibility = "visible";
            } else {
                a.style.visibility = "hidden";
            }
        };
    </script>
</body>
```

How to reproduce:

1. Create a webpage with the HTML posted above and visit it via Safari.
2. Click the button 2-3 times.
3. Safari / WebKit should crash.
Attachments
Testcase (1.20 KB, text/html)
2025-01-23 22:18 PST, Matt Woodrow
no flags
Radar WebKit Bug Importer
Comment 1 2025-01-22 16:37:16 PST
Matt Woodrow
Comment 2 2025-01-23 22:18:38 PST
Created attachment 473996 [details] Testcase
Matt Woodrow
Comment 3 2025-01-23 23:12:03 PST
Just to clarify, is this crashing Safari itself, or crashing the contents of the tab?
Adam
Comment 4 2025-01-23 23:39:26 PST
It crashes the tab only.
Matt Woodrow
Comment 5 2025-01-25 16:28:35 PST
Great, thanks for confirming, I can reproduce. Thanks for the reduced test case!
Matt Woodrow
Comment 6 2025-01-25 16:35:04 PST
EWS
Comment 7 2025-01-29 15:46:20 PST
Committed 289527@main (79c73a5e0996): <https://commits.webkit.org/289527@main>

Reviewed commits have been landed. Closing PR #39563 and removing active labels.
Adam
Comment 8 2025-02-12 03:49:59 PST
Any updates on when the fix will be released? It's still breaking in 18.3.1.