294855 – Crash under RenderLayerCompositor::updateSynchronousScrollingNodes()

RESOLVED FIXED294855

Crash under RenderLayerCompositor::updateSynchronousScrollingNodes()

https://bugs.webkit.org/show_bug.cgi?id=294855

Summary Crash under RenderLayerCompositor::updateSynchronousScrollingNodes()

Simon Fraser (smfr)

Reported 2025-06-23 10:55:11 PDT

Crash data suggest an unset std::optional deref here: Thread 0 Crashed:: : 0 com.apple.WebCore 0x1afe0f24c __clang_trap_msg$libc++$Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX16.0.Internal.sdk/usr/include/c++/v1/optional:813: assertion this->has_value() failed: optional operator* called on a disengaged value + 0 (Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX16.0.Internal.sdk/usr/include/c++/v1/optional:0) [inlined] 1 com.apple.WebCore 0x1afe0f24c std::__1::optional<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::ScrollingNodeIDType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>>::operator*[abi:sn200100]() & + 0 (Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX16.0.Internal.sdk/usr/include/c++/v1/optional:813) [inlined] 2 com.apple.WebCore 0x1afe0f24c WebCore::RenderLayerCompositor::updateSynchronousScrollingNodes()::$_2::operator()(bool) const + 0 (Sources/WebCore/Source/WebCore/rendering/RenderLayerCompositor.cpp:0) [inlined] 3 com.apple.WebCore 0x1afe0f24c WebCore::RenderLayerCompositor::updateSynchronousScrollingNodes() + 0 (Sources/WebCore/Source/WebCore/rendering/RenderLayerCompositor.cpp:5913) [inlined] 4 com.apple.WebCore 0x1afe0f24c WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*) + 5064 (Sources/WebCore/Source/WebCore/rendering/RenderLayerCompositor.cpp:1155) 5 com.apple.WebCore 0x1b2421708 WebCore::LocalFrameViewLayoutContext::updateCompositingLayersAfterLayout() + 80 (Sources/WebCore/Source/WebCore/page/LocalFrameViewLayoutContext.cpp:398) [inlined]

Attachments
Add attachment proposed patch, testcase, etc.

Simon Fraser (smfr)

Comment 1 2025-06-23 10:55:25 PDT

<rdar://75139287>

Simon Fraser (smfr)

Comment 2 2025-06-23 10:58:15 PDT

Pull request: https://github.com/WebKit/WebKit/pull/47075

EWS

Comment 3 2025-06-24 09:45:24 PDT

Committed 296573@main (1e994c6cdd3c): <https://commits.webkit.org/296573@main> Reviewed commits have been landed. Closing PR #47075 and removing active labels.

EWS

Comment 4 2025-06-24 23:48:02 PDT

Committed 289651.584@safari-7621-branch (662b30d9453f): <https://commits.webkit.org/289651.584@safari-7621-branch> Reviewed commits have been landed. Closing PR #3176 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Scrolling

Assignee

Simon Fraser (smfr)

Reported

2025-06-23 10:55 PDT

Modified

2025-06-24 23:48 PDT History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks