Bug 210270

Summary: Crash in RemoteLayerTreePropertyApplier::updateChildren
Product: WebKit
Reporter: Ali Juma <ajuma>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: bfulgham, koivisto, simon.fraser, thorton, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Ali Juma
Reported 2020-04-09 06:36:19 PDT
Chrome for iOS is getting a large number of crash reports on https://www.tgju.org/currency and on https://www.craftpassion.com/face-mask-sewing-pattern/, in RemoteLayerTreePropertyApplier::updateChildren. The crashes affect multiple versions of iOS, including 13.4 but also going all the way back to 12.0. We haven't yet found steps to reproduce.

The crash stack is:

  (CoreFoundation + 0x00003150 ) -[__NSArrayM insertObject:atIndex:]
  (UIKitCore + 0x00f21254 ) -[UIView(Hierarchy) subviews]
  (WebKit + 0x0000bfc8 ) -[UIView(WKUIViewUtilities) _web_setSubviews:]
  (WebKit + 0x001a347c ) WebKit::RemoteLayerTreePropertyApplier::updateChildren(WebKit::RemoteLayerTreeNode&, WebKit::RemoteLayerTreeTransaction::LayerProperties const&, WTF::HashMap<unsigned long long, std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> > > > const&)
  (WebKit + 0x001a32f4 ) WebKit::RemoteLayerTreePropertyApplier::applyProperties(WebKit::RemoteLayerTreeNode&, WebKit::RemoteLayerTreeHost*, WebKit::RemoteLayerTreeTransaction::LayerProperties const&, WTF::HashMap<unsigned long long, std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> > > > const&, WebKit::RemoteLayerBackingStore::LayerContentsType)
  (WebKit + 0x002ffd74 ) WebKit::RemoteLayerTreeHost::updateLayerTree(WebKit::RemoteLayerTreeTransaction const&, float)
  (WebKit + 0x002ff7d4 ) WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)
  (WebKit + 0x0008d2d0 ) void IPC::handleMessage<Messages::RemoteLayerTreeDrawingAreaProxy::CommitLayerTree, WebKit::RemoteLayerTreeDrawingAreaProxy, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)>(IPC::Decoder&, WebKit::RemoteLayerTreeDrawingAreaProxy*, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&))
  (WebKit + 0x00045d34 ) IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)
  (WebKit + 0x002ea2b0 ) WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
  (WebKit + 0x00032778 ) IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)
  (WebKit + 0x00031da4 ) IPC::Connection::dispatchIncomingMessages()
  (JavaScriptCore + 0x0003a3b4 ) WTF::RunLoop::performWork()

Bug 193897 looks similar, but was fixed a year ago.
Tim Horton
Comment 1 2020-04-09 11:49:18 PDT
What are the crash/exception details?
Ali Juma
Comment 2 2020-04-09 12:13:22 PDT
(In reply to Tim Horton from comment #1)
> What are the crash/exception details?

It's EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x001a0410
Simon Fraser (smfr)
Comment 3 2020-04-09 15:55:21 PDT
Please attach a full crash log.
Radar WebKit Bug Importer
Comment 4 2020-04-09 15:55:43 PDT
Simon Fraser (smfr)
Comment 5 2020-06-01 14:25:21 PDT
Ali, do you have any more data that might help us track this down?
Ali Juma
Comment 6 2020-06-02 11:47:07 PDT
We're seeing another big spike in hang reports with this stack over the past couple days, coming mostly from https://www.forbes.com/sites/jasonbrett/2020/05/30/second-round-of-stimulus-checks-would-be-paper-or-direct-deposit-again/amp/

I can reliably reproduce a hang on that page in Safari as well (on an iPhone XS running iOS 13.5):

1) Load that URL
2) Start scrolling down quickly as the page loads

The browser then hangs for several seconds before scrolling reaches the bottom, and sometimes eventually crashes.
Simon Fraser (smfr)
Comment 7 2020-06-03 20:11:52 PDT
The <iframe src="https://drive.google.com/viewerng/viewer?url=https%3A//www.congress.gov/116/bills/hr6800/BILLS-116hr6800eh.pdf&embedded=true"> on that page triggers some pathological compositing creating 1860 composited elements and about twice that many CALayers because of "clip for scroller" layers.
Simon Fraser (smfr)
Comment 8 2020-06-03 20:22:49 PDT