[Webkit-unassigned] [Bug 238568] New: [iOS 15] Crash in WKChildScrollView's gesture recognizer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 30 12:17:53 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=238568

            Bug ID: 238568
           Summary: [iOS 15] Crash in WKChildScrollView's gesture
                    recognizer
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ajuma at chromium.org
                CC: bfulgham at webkit.org, graouts at webkit.org,
                    simon.fraser at apple.com, zalan at apple.com

Chrome for iOS is getting crashes in WKChildScrollView's gesture recognizer.

The crash is an exception: CALayer bounds contains NaN: [#.# #.#; #.# #.#]. Layer: <CALayer:0x#; name = "scroll container"; position = CGPoint (# #); bounds = CGRect (# #; # #); delegate = <WKChildScrollView: 0x#; baseClass = UIScrollView

We don't have steps to reproduce, but more than 1/3 of these crashes are on sniffies.com profile pages, and this is only happening on iOS 15+ (including 15.4).

The call stack is:

0x0000000180da305c (CoreFoundation + 0x0009905c)        __exceptionPreprocess
0x00000001992bdf50 (libobjc.A.dylib + 0x00015f50)       objc_exception_throw
0x0000000180dfa18c (CoreFoundation + 0x000f018c)        +[NSException raise:format:]
0x0000000184a7eb38 (QuartzCore + 0x00022b38)    CA::Layer::set_bounds(CA::Rect const&, bool)
0x0000000184b226c0 (QuartzCore + 0x000c66c0)    -[CALayer setBounds:]
0x000000018332179c (UIKitCore + 0x0016d79c)     -[UIView(Geometry) setBounds:]
0x000000018332e5bc (UIKitCore + 0x0017a5bc)     -[UIScrollView setBounds:]
0x0000000183332550 (UIKitCore + 0x0017e550)     -[UIScrollView setContentOffset:]
0x00000001833aba9c (UIKitCore + 0x001f7a9c)     -[UIScrollView _updatePanGesture]
0x0000000183394524 (UIKitCore + 0x001e0524)     -[UIGestureRecognizerTarget _sendActionWithGestureRecognizer:]
0x000000018335d170 (UIKitCore + 0x001a9170)     _UIGestureRecognizerSendTargetActions
0x0000000183325ffc (UIKitCore + 0x00171ffc)     _UIGestureRecognizerSendActions
0x000000018335f4e8 (UIKitCore + 0x001ab4e8)     -[UIGestureRecognizer _updateGestureForActiveEvents]
0x000000018331769c (UIKitCore + 0x0016369c)     _UIGestureEnvironmentUpdate
0x000000018334b658 (UIKitCore + 0x00197658)     -[UIGestureEnvironment _updateForEvent:window:]
0x0000000183358678 (UIKitCore + 0x001a4678)     -[UIWindow sendEvent:]
0x0000000183509404 (UIKitCore + 0x00355404)     -[UIApplication sendEvent:]
0x000000018332b9cc (UIKitCore + 0x001779cc)     __dispatchPreprocessedEventFromEventQueue
0x0000000183320608 (UIKitCore + 0x0016c608)     __processEventQueue
0x0000000183325c64 (UIKitCore + 0x00171c64)     __eventFetcherSourceCallback
0x0000000180dc502c (CoreFoundation + 0x000bb02c)        __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x0000000180dd5cec (CoreFoundation + 0x000cbcec)        __CFRunLoopDoSource0
0x0000000180d0fff4 (CoreFoundation + 0x00005ff4)        __CFRunLoopDoSources0
0x0000000180d15800 (CoreFoundation + 0x0000b800)        __CFRunLoopRun
0x0000000180d293c4 (CoreFoundation + 0x0001f3c4)        CFRunLoopRunSpecific
0x000000019c53a388 (GraphicsServices + 0x00001388)      GSEventRunModal
0x00000001836cf05c (UIKitCore + 0x0051b05c)     -[UIApplication _run]
0x000000018344cb88 (UIKitCore + 0x00298b88)     UIApplicationMain
0x0000000102d8826c (Chrome - chrome_exe_main.mm: 65)    main

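The exception in the report is QuartzCore refusing a bounds rect with a NaN component, reached from -[UIScrollView setContentOffset:] inside the pan-gesture handler. The following is an added example, not WebKit's or Chrome's code: it models that path with plain C stand-ins for CGPoint/CGSize/CGRect (an assumption about layout, not the real CoreGraphics types) and shows the two checks a defender would want in front of such a call: a finiteness test equivalent to the one that throws, and an offset clamp that maps NaN to 0 and bounds the value to the scrollable range so a degenerate content size can never turn into a NaN bounds rect.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for CGPoint/CGSize/CGRect so this compiles without CoreGraphics
   (assumption: the real types carry the same four floating-point fields). */
typedef struct { double x, y; } Point;
typedef struct { double width, height; } Size;
typedef struct { Point origin; Size size; } Rect;

/* Produces a NaN at run time (constructed input; avoids a compile-time 0/0). */
double constructed_nan(void) {
    volatile double z = 0.0;
    return z / z;
}

/* True only if every component is finite; NaN and +/-inf fail. This is the
   condition CA::Layer::set_bounds enforces by raising NSException. */
bool rect_is_finite(Rect r) {
    return isfinite(r.origin.x) && isfinite(r.origin.y) &&
           isfinite(r.size.width) && isfinite(r.size.height);
}

/* Clamp without libm; callers must strip NaN first (NaN compares false). */
static double clampd(double v, double lo, double hi) {
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}

/* Bring a content offset back into [0, content - visible]. Non-finite
   components become 0 instead of being propagated, and a NaN or negative
   scrollable range collapses to 0, so the result is always finite. */
Point clamp_content_offset(Point offset, Size content, Size visible) {
    double max_x = content.width - visible.width;
    double max_y = content.height - visible.height;
    if (!(max_x > 0.0)) max_x = 0.0;   /* also catches NaN */
    if (!(max_y > 0.0)) max_y = 0.0;
    double x = isfinite(offset.x) ? offset.x : 0.0;
    double y = isfinite(offset.y) ? offset.y : 0.0;
    Point p = { clampd(x, 0.0, max_x), clampd(y, 0.0, max_y) };
    return p;
}

/* Mirrors what -[UIScrollView setContentOffset:] does to the view's bounds:
   the origin becomes the offset, the size stays the visible size. */
Rect bounds_from_offset(Point offset, Size visible) {
    Rect r = { offset, visible };
    return r;
}

/* Scroll horizontally to a fraction of the scrollable extent. Returns false
   (and leaves *out for inspection) instead of handing a NaN rect onward. */
bool scroll_to_fraction(double fraction, Size content, Size visible, Rect *out) {
    double range_x = content.width - visible.width;
    Point raw = { fraction * range_x, 0.0 };   /* NaN if any input is NaN */
    Point safe = clamp_content_offset(raw, content, visible);
    *out = bounds_from_offset(safe, visible);
    return rect_is_finite(*out);
}

int main(void) {
    Size visible = { 390.0, 844.0 };           /* constructed: phone viewport */
    Size content = { 1000.0, 3000.0 };         /* constructed: page content */
    Rect r;

    /* Unchecked path: a NaN offset yields exactly the rect QuartzCore rejects. */
    Rect bad = bounds_from_offset((Point){ constructed_nan(), 0.0 }, visible);
    printf("unchecked bounds finite: %s\n", rect_is_finite(bad) ? "yes" : "no");

    /* Guarded path: NaN is neutralised before it reaches the bounds setter. */
    bool ok = scroll_to_fraction(constructed_nan(), content, visible, &r);
    printf("guarded scroll ok: %s, origin = (%.1f, %.1f)\n",
           ok ? "yes" : "no", r.origin.x, r.origin.y);
    return 0;
}
```

The guard belongs at the point where a computed offset is applied, not in the gesture recognizer: any caller that derives an offset from a ratio of sizes (which is where 0/0 and NaN typically originate) should pass it through a clamp like this before touching bounds or contentOffset.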