[Webkit-unassigned] [Bug 222021] New: Crash under RenderLayerBacking::updateGeometry()
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Feb 16 19:53:10 PST 2021
https://bugs.webkit.org/show_bug.cgi?id=222021
Bug ID: 222021
Summary: Crash under RenderLayerBacking::updateGeometry()
Product: WebKit
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Compositing
Assignee: webkit-unassigned at lists.webkit.org
Reporter: simon.fraser at apple.com
CC: simon.fraser at apple.com
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [6031]
Getting symbols for 3C6465D7-E536-34D1-87CE-D9AE5FF42453 /Applications/Safari Technology Preview.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore... ok
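Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000000)
[Note: a fault address of 0x0 at the marked load through %r12 in frame 0 is consistent with a null scrollableArea being dereferenced at RenderLayerBacking.cpp:1379. The ASSERT(scrollableArea) on line 1377 is a debug-only check, so a release build such as Safari Technology Preview reaches the dereference unchecked.]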
[ 0] 0x00000006d31d2c32 WebCore`WebCore::RenderLayerBacking::updateGeometry(WebCore::RenderLayer const*) [inlined] WebCore::ScrollableArea::scrollOffset() const at ScrollableArea.cpp:671:37
667 }
668
669 ScrollOffset ScrollableArea::scrollOffset() const
670 {
-> 671 return scrollOffsetFromPosition(scrollPosition());
672 }
673
674 ScrollPosition ScrollableArea::minimumScrollPosition() const
675 {
0x00000006d31d2c1a: leaq -0x190(%rbp), %rsi
0x00000006d31d2c21: callq *0xa0(%rax)
0x00000006d31d2c27: movq 0x10(%r15), %rax
0x00000006d31d2c2b: movq 0xe0(%rax), %r12
-> 0x00000006d31d2c32: movq (%r12), %rax
0x00000006d31d2c36: movq %r12, %rdi
0x00000006d31d2c39: callq *0x100(%rax)
0x00000006d31d2c3f: movl 0x28(%r12), %edx
0x00000006d31d2c44: movl 0x2c(%r12), %ecx
[ 0] 0x00000006d31d2c32 WebCore`WebCore::RenderLayerBacking::updateGeometry(WebCore::RenderLayer const*) + 8066 at RenderLayerBacking.cpp:1379
1375
1376 auto* scrollableArea = m_owningLayer.scrollableArea();
1377 ASSERT(scrollableArea);
1378
-> 1379 ScrollOffset scrollOffset = scrollableArea->scrollOffset();
1380 updateScrollOffset(scrollOffset);
1381
1382 FloatSize oldScrollingLayerOffset = m_scrollContainerLayer->offsetFromRenderer();
1383 m_scrollContainerLayer->setOffsetFromRenderer(toFloatSize(scrollContainerBox.location()));
[ 1] 0x00000006d31ddd64 WebCore`WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) + 772 at RenderLayerCompositor.cpp:1302:27
1298 }
1299
1300 OptionSet<ScrollingNodeChangeFlags> scrollingNodeChanges = { ScrollingNodeChangeFlags::Layer };
1301 if (layerNeedsUpdate || layer.needsCompositingGeometryUpdate()) {
-> 1302 layerBacking->updateGeometry(traversalState.compositingAncestor);
1303 scrollingNodeChanges.add(ScrollingNodeChangeFlags::LayerGeometry);
1304 } else if (layer.needsScrollingTreeUpdate())
1305 scrollingNodeChanges.add(ScrollingNodeChangeFlags::LayerGeometry);
1306
[ 2] 0x00000006d31df30c WebCore`WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) + 6316 at RenderLayerCompositor.cpp:1367:13
1363 for (auto* renderLayer : layer.normalFlowLayers())
1364 updateBackingAndHierarchy(*renderLayer, childList, traversalStateForDescendants, scrollingStateForDescendants, updateLevel);
1365
1366 for (auto* renderLayer : layer.positiveZOrderLayers())
-> 1367 updateBackingAndHierarchy(*renderLayer, childList, traversalStateForDescendants, scrollingStateForDescendants, updateLevel);
1368
1369 // Pass needSynchronousScrollingReasonsUpdate back up.
1370 scrollingTreeState.needSynchronousScrollingReasonsUpdate |= scrollingStateForDescendants.needSynchronousScrollingReasonsUpdate;
1371 if (scrollingTreeState.parentNodeID == scrollingStateForDescendants.parentNodeID)
[ 3] 0x00000006d31df30c WebCore`WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>) + 6316 at RenderLayerCompositor.cpp:1367:13
[ 4] 0x00000006d133028d WebCore`WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*) + 2317 at RenderLayerCompositor.cpp:867:9