[Webkit-unassigned] [Bug 236615] New: REGRESSION(r289216): Crash in DocumentTimeline::animationCanBeRemoved

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 14 15:41:30 PST 2022 

https://bugs.webkit.org/show_bug.cgi?id=236615

            Bug ID: 236615
           Summary: REGRESSION(r289216): Crash in
                    DocumentTimeline::animationCanBeRemoved
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Animations
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: dino at apple.com, graouts at apple.com

I'm seeing a crash when scrolling a Glint survey. Turns out it was introduced in r289216 "[css-logical] [web-animations] Add support for logical properties in JS-originated animations".

The backtrace looks like this:

(gdb) bt
#0  WebCore::RenderStyle::direction (this=<optimized out>)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/rendering/style/RenderStyle.h:398
#1  WebCore::DocumentTimeline::animationCanBeRemoved (this=<optimized out>, animation=...)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/DocumentTimeline.cpp:243
#2  0x00007efc7895916a in WebCore::DocumentTimeline::animationCanBeRemoved (animation=..., this=0x7efb2c4fcf18)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/WebAnimation.h:90
#3  WebCore::DocumentTimeline::removeReplacedAnimations (this=0x7efb2c4fcf18)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/DocumentTimeline.cpp:282
#4  0x00007efc78959855 in WebCore::DocumentTimelinesController::updateAnimationsAndSendEvents (this=<optimized out>, 
    timestamp=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/DocumentTimelinesController.cpp:133
#5  0x00007efc7921c8d8 in WTF::Function<void (WebCore::Document&)>::operator()(WebCore::Document&) const (in#0=..., 
    this=0x7fffeb080ab0) at /home/mcatanzaro/Projects/WebKit/WebKitBuild/GNOME/WTF/Headers/wtf/Function.h:82
#6  WebCore::Page::forEachDocumentFromMainFrame(WebCore::Frame const&, WTF::Function<void (WebCore::Document&)> const&) (mainFrame=..., functor=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:3433
#7  0x00007efc7921c989 in WebCore::Page::forEachDocument(WTF::Function<void (WebCore::Document&)> const&) const (
    this=<optimized out>, functor=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:3438
#8  0x00007efc7922d956 in operator() (perDocumentFunction=..., step=WebCore::RenderingUpdateStep::Animations, 
    __closure=<synthetic pointer>) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:1597
#9  WebCore::Page::updateRendering (this=0x7efc60f81000)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:1617
#10 0x00007efc77fc85d9 in WebKit::WebPage::updateRendering (this=<optimized out>)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/WebPage.cpp:4275
#11 0x00007efc77ff9e0c in WebKit::CompositingCoordinator::flushPendingLayerChanges (this=this at entry=0x7efc60f44108, 
    flags=...)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:124
#12 0x00007efc77fffa16 in WebKit::LayerTreeHost::layerFlushTimerFired (this=0x7efc60f44000)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:157
#13 WebKit::LayerTreeHost::layerFlushTimerFired (this=0x7efc60f44000)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:136
#14 0x00007efc75f9ec95 in operator() (__closure=0x0, userData=userData at entry=0x7efc60f440d8)
    at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:177
#15 _FUN () at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:181
#16 0x00007efc75f9f0df in operator() (__closure=0x0, userData=0x7efc60f440d8, 
    callback=0x7efc75f9ec20 <_FUN(gpointer)>, source=0xb7c190)
    at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#17 _FUN () at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#18 0x00007efc728ae26d in g_main_dispatch (context=0x797b80) at ../../../../Projects/glib/glib/gmain.c:3413
#19 0x00007efc728af1c0 in g_main_context_dispatch (context=0x797b80) at ../../../../Projects/glib/glib/gmain.c:4131
#20 0x00007efc728af3ac in g_main_context_iterate (context=0x797b80, block=1, dispatch=1, self=0x77b350)
    at ../../../../Projects/glib/glib/gmain.c:4207
#21 0x00007efc728af849 in g_main_loop_run (loop=0x7b4d60) at ../../../../Projects/glib/glib/gmain.c:4405
#22 0x00007efc75f9f200 in WTF::RunLoop::run ()
    at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#23 0x00007efc7800ca1f in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run (argc=3, 
    argv=0x7fffeb080f68, this=0x7fffeb080dc0)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:70
#24 WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run (argv=0x7fffeb080f68, argc=3, this=0x7fffeb080dc0)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:57
#25 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk> (argc=3, argv=0x7fffeb080f68)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:96
#26 0x00007efc72286560 in __libc_start_call_main (main=main at entry=0x401040 <main(int, char**)>, argc=argc at entry=3, 
    argv=argv at entry=0x7fffeb080f68) at ../sysdeps/nptl/libc_start_call_main.h:58
#27 0x00007efc7228660c in __libc_start_main_impl (main=0x401040 <main(int, char**)>, argc=3, argv=0x7fffeb080f68, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffeb080f58) at ../csu/libc-start.c:409
#28 0x0000000000401075 in _start ()

Poking at it, the problem is that target->render() is nullptr. The ASSERT(target->renderer()) would be failing in a debug build.

The complication here is that the web content I have that triggers this crash cannot be made public, and I have no experience with trying to build minimal reproducers. I'm just gonna hope that this is enough info to solve the problem. If you need more, I'm happy to test changes.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220214/c1ed175d/attachment-0001.htm>

More information about the webkit-unassigned mailing list