[Webkit-unassigned] [Bug 210270] New: Crash in RemoteLayerTreePropertyApplier::updateChildren
bugzilla-daemon at webkit.org
Thu Apr 9 06:36:19 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=210270
Bug ID: 210270
Summary: Crash in RemoteLayerTreePropertyApplier::updateChildren
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Layout and Rendering
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ajuma at chromium.org
CC: bfulgham at webkit.org, koivisto at iki.fi, simon.fraser at apple.com, thorton at apple.com, zalan at apple.com
Chrome for iOS is getting a large number of crash reports on https://www.tgju.org/currency and on https://www.craftpassion.com/face-mask-sewing-pattern/, in RemoteLayerTreePropertyApplier::updateChildren. The crashes affect multiple versions of iOS, including 13.4 but also going all the way back to 12.0.
We haven't yet found steps to reproduce.
The crash stack is:
(CoreFoundation + 0x00003150 ) -[__NSArrayM insertObject:atIndex:]
(UIKitCore + 0x00f21254 ) -[UIView(Hierarchy) subviews]
(WebKit + 0x0000bfc8 ) -[UIView(WKUIViewUtilities) _web_setSubviews:]
(WebKit + 0x001a347c ) WebKit::RemoteLayerTreePropertyApplier::updateChildren(WebKit::RemoteLayerTreeNode&, WebKit::RemoteLayerTreeTransaction::LayerProperties const&, WTF::HashMap<unsigned long long, std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> > > > const&)
(WebKit + 0x001a32f4 ) WebKit::RemoteLayerTreePropertyApplier::applyProperties(WebKit::RemoteLayerTreeNode&, WebKit::RemoteLayerTreeHost*, WebKit::RemoteLayerTreeTransaction::LayerProperties const&, WTF::HashMap<unsigned long long, std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> > > > const&, WebKit::RemoteLayerBackingStore::LayerContentsType)
(WebKit + 0x002ffd74 ) WebKit::RemoteLayerTreeHost::updateLayerTree(WebKit::RemoteLayerTreeTransaction const&, float)
(WebKit + 0x002ff7d4 ) WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)
(WebKit + 0x0008d2d0 ) void IPC::handleMessage<Messages::RemoteLayerTreeDrawingAreaProxy::CommitLayerTree, WebKit::RemoteLayerTreeDrawingAreaProxy, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)>(IPC::Decoder&, WebKit::RemoteLayerTreeDrawingAreaProxy*, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&))
(WebKit + 0x00045d34 ) IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)
(WebKit + 0x002ea2b0 ) WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
(WebKit + 0x00032778 ) IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)
(WebKit + 0x00031da4 ) IPC::Connection::dispatchIncomingMessages()
(JavaScriptCore + 0x0003a3b4 ) WTF::RunLoop::performWork()
Bug 193897 looks similar, but was fixed a year ago.