[Webkit-unassigned] [Bug 246890] New: ASAN_SEGV | WebCore::RenderLayerCompositor::updateScrollingNodeForViewportConstrainedRole; WebCore::RenderLayerCompositor::updateScrollCoordinationForLayer; WebCore::RenderLayerCompositor::updateBackingAndHierarchy

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 21 16:03:14 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=246890

            Bug ID: 246890
           Summary: ASAN_SEGV |
                    WebCore::RenderLayerCompositor::updateScrollingNodeForViewportConstrainedRole;
                    WebCore::RenderLayerCompositor::updateScrollCoordinationForLayer;
                    WebCore::RenderLayerCompositor::updateBackingAndHierarchy
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: arunsundar_kannan at apple.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

Test case: 

<!DOCTYPE html>
<!-- Reduced test case for the assertion in RenderLayerCompositor::updateScrollingNodeForViewportConstrainedRole:
     <body> is laid out once with a 3D rotate, then switched to position:sticky before a second layout. -->
<style>
  body {
    /* Individual transform property: rotation about the y axis.
       NOTE(review): presumably what makes <body> a composited layer — confirm. */
    rotate: y 1turn;
  }
</style>
<script>
  onload = () => {
    // Reading offsetTop forces a synchronous layout while <body> is still non-sticky.
    document.body.offsetTop;
    // Style change after that first layout; nothing has re-laid-out yet.
    document.body.style.position = 'sticky';
    // Per the stack trace, scrollBy() runs Document::updateLayoutIgnorePendingStylesheets(),
    // and the assertion fires in the compositing update that follows that layout.
    scrollBy(0, 0);
  };
</script> 



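Debug-build output. The failed assertion checks layer.backing()->viewportAnchorLayer(); the ASAN_SEGV in the summary is presumably the same missing anchor layer being used in a build where assertions are compiled out (that build's log is not shown here):

ASSERTION FAILED: layer.backing()->viewportAnchorLayer()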
rendering/RenderLayerCompositor.cpp(4770) : WebCore::ScrollingNodeID WebCore::RenderLayerCompositor::updateScrollingNodeForViewportConstrainedRole(WebCore::RenderLayer &, WebCore::ScrollingTreeState &, OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>)
1   0x280007be0 WTFCrash
2   0x2b7e5d668 WebCore::JSANGLEInstancedArrays::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&)
3   0x2c45ce860 WebCore::RenderLayerCompositor::updateScrollingNodeForViewportConstrainedRole(WebCore::RenderLayer&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>)
4   0x2c45ac2f4 WebCore::RenderLayerCompositor::updateScrollCoordinationForLayer(WebCore::RenderLayer&, WebCore::RenderLayer const*, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>)
5   0x2c45a0ca4 WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)
6   0x2c45a15d4 WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)
7   0x2c45a15d4 WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)
8   0x2c459844c WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*)
9   0x2c266e998 WebCore::FrameView::updateCompositingLayersAfterLayout()
10  0x2c2679628 WebCore::FrameView::didLayout(WTF::WeakPtr<WebCore::RenderElement, WTF::DefaultWeakPtrImpl>)
11  0x2c272483c WebCore::FrameViewLayoutContext::performLayout()
12  0x2c27235b0 WebCore::FrameViewLayoutContext::layout()
13  0x2c0367c90 WebCore::Document::updateLayout()
14  0x2c036b810 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)
15  0x2c253921c WebCore::DOMWindow::scrollBy(WebCore::ScrollToOptions const&) const
16  0x2c2538fa4 WebCore::DOMWindow::scrollBy(double, double) const
17  0x2b8bee430 WebCore::jsDOMWindowInstanceFunction_scrollBy2Body(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*)::'lambda'()::operator()() const
18  0x2b8bee200 JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsDOMWindowInstanceFunction_scrollBy2Body(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsDOMWindowInstanceFunction_scrollBy2Body(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*)::'lambda'()&&)
19  0x2b8bedc2c WebCore::jsDOMWindowInstanceFunction_scrollBy2Body(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*)
20  0x2b8becc24 WebCore::jsDOMWindowInstanceFunction_scrollByOverloadDispatcher(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*)
21  0x2b8bec6a0 long long WebCore::IDLOperation<WebCore::JSDOMWindow>::call<&(WebCore::jsDOMWindowInstanceFunction_scrollByOverloadDispatcher(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
22  0x2b8bc0018 WebCore::jsDOMWindowInstanceFunction_scrollBy(JSC::JSGlobalObject*, JSC::CallFrame*)
23  0x13cf78044 (null)
24  0x13cf68248 (null)
25  0x13cf68848 (null)
26  0x288e9f154 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
27  0x2876d348c JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
28  0x288229dc4 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
29  0x28822a27c JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
30  0x28822ad50 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
31  0x2bee0fb00 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
