[Webkit-unassigned] [Bug 195629] New: Crash when reloading test with async overflow scrolling

Tue Mar 12 10:52:27 PDT 2019

https://bugs.webkit.org/show_bug.cgi?id=195629

            Bug ID: 195629
           Summary: Crash when reloading test with async overflow
                    scrolling
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Scrolling
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: simon.fraser at apple.com

Created attachment 364406

  --> https://bugs.webkit.org/attachment.cgi?id=364406&action=review

Testcase

Attached testcase can crash in the simulator on reload, accessing a deleted layer:

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x00000001ac8a5f6c WebCore`WebCore::RenderLayer::isStackingContext(this=0xfbf95304000004f9) const at RenderLayer.h:167:45
    frame #1: 0x00000001ac8a5eb4 WebCore`WebCore::RenderLayer::stackingContext(this=0x00000001c8a98690) const at RenderLayer.cpp:614:29
    frame #2: 0x00000001ac8a6a92 WebCore`WebCore::RenderLayer::paintOrderParent(this=0x00000001c8a98690) const at RenderLayer.h:1313:44
    frame #3: 0x00000001ac8a4ba8 WebCore`WebCore::RenderLayer::setAncestorsHaveCompositingDirtyFlag(this=0x00000001c8a98690, flag=HasDescendantNeedingBackingOrHierarchyTraversal) at RenderLayer.cpp:739:24
    frame #4: 0x00000001ac8f650a WebCore`void WebCore::RenderLayer::setBackingAndHierarchyTraversalDirtyBit<(WebCore::RenderLayer::Compositing)256>(this=0x00000001c8a98690) at RenderLayer.h:269:9
    frame #5: 0x00000001ac8e0445 WebCore`WebCore::RenderLayer::setNeedsScrollingTreeUpdate(this=0x00000001c8a98690) at RenderLayer.h:275:42
  * frame #6: 0x00000001ac8eb658 WebCore`WebCore::RenderLayerCompositor::detachScrollCoordinatedLayerWithRole(this=0x00000001c8a77000, layer=0x00000001c8a98540, scrollingCoordinator=0x00000001c8a9b160, role=Scrolling) at RenderLayerCompositor.cpp:3872:20
    frame #7: 0x00000001ac8ea856 WebCore`WebCore::RenderLayerCompositor::detachScrollCoordinatedLayer(this=0x00000001c8a77000, layer=0x00000001c8a98540, roles={ size = 0 }) at RenderLayerCompositor.cpp:3887:9
    frame #8: 0x00000001ac8cf0f1 WebCore`WebCore::RenderLayerCompositor::removeFromScrollCoordinatedLayers(this=0x00000001c8a77000, layer=0x00000001c8a98540) at RenderLayerCompositor.cpp:3740:5
    frame #9: 0x00000001ac8c7542 WebCore`WebCore::RenderLayerBacking::willBeDestroyed(this=0x00000001c8add3e8) at RenderLayerBacking.cpp:259:18
    frame #10: 0x00000001ac8a3e73 WebCore`WebCore::RenderLayer::clearBacking(this=0x00000001c8a98540, layerBeingDestroyed=true) at RenderLayer.cpp:5932:16
    frame #11: 0x00000001ac8a38e1 WebCore`WebCore::RenderLayer::~RenderLayer(this=0x00000001c8a98540) at RenderLayer.cpp:371:5
    frame #12: 0x00000001ac8a3fa5 WebCore`WebCore::RenderLayer::~RenderLayer(this=0x00000001c8a98540) at RenderLayer.cpp:339:1
    frame #13: 0x00000001ac8a3fc9 WebCore`WebCore::RenderLayer::~RenderLayer(this=0x00000001c8a98540) at RenderLayer.cpp:339:1

Deleted layers are being left in m_scrollingNodeToLayerMap.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190312/fb7fe40f/attachment-0001.html>