Bug 210270

Summary: Crash in RemoteLayerTreePropertyApplier::updateChildren
Product: WebKit Reporter: Ali Juma <ajuma>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: bfulgham, koivisto, simon.fraser, thorton, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description Ali Juma 2020-04-09 06:36:19 PDT 
Chrome for iOS is getting a large number of crash reports on https://www.tgju.org/currency and on https://www.craftpassion.com/face-mask-sewing-pattern/, in RemoteLayerTreePropertyApplier::updateChildren. The crashes affect multiple versions of iOS, including 13.4 but also going all the way back to 12.0.

We haven't yet found steps to reproduce.

The crash stack is:
(CoreFoundation + 0x00003150 )	-[__NSArrayM insertObject:atIndex:]
=(UIKitCore + 0x00f21254 )	-[UIView(Hierarchy) subviews]
(WebKit + 0x0000bfc8 )		-[UIView(WKUIViewUtilities) _web_setSubviews:]
(WebKit + 0x001a347c )		WebKit::RemoteLayerTreePropertyApplier::updateChildren(WebKit::RemoteLayerTreeNode&, WebKit::RemoteLayerTreeTransaction::LayerProperties const&, WTF::HashMap<unsigned long long, std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> > > > const&)
(WebKit + 0x001a32f4 )		WebKit::RemoteLayerTreePropertyApplier::applyProperties(WebKit::RemoteLayerTreeNode&, WebKit::RemoteLayerTreeHost*, WebKit::RemoteLayerTreeTransaction::LayerProperties const&, WTF::HashMap<unsigned long long, std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> > > > const&, WebKit::RemoteLayerBackingStore::LayerContentsType)
(WebKit + 0x002ffd74 )		WebKit::RemoteLayerTreeHost::updateLayerTree(WebKit::RemoteLayerTreeTransaction const&, float)
(WebKit + 0x002ff7d4 )		WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)
(WebKit + 0x0008d2d0 )		void IPC::handleMessage<Messages::RemoteLayerTreeDrawingAreaProxy::CommitLayerTree, WebKit::RemoteLayerTreeDrawingAreaProxy, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)>(IPC::Decoder&, WebKit::RemoteLayerTreeDrawingAreaProxy*, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&))
(WebKit + 0x00045d34 )		IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)
(WebKit + 0x002ea2b0 )		WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
(WebKit + 0x00032778 )		IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)
(WebKit + 0x00031da4 )		IPC::Connection::dispatchIncomingMessages()
(JavaScriptCore + 0x0003a3b4 )	WTF::RunLoop::performWork()

Bug 193897 looks similar, but was fixed a year ago.
Comment 1 Tim Horton 2020-04-09 11:49:18 PDT 
What are the crash/exception details?
Comment 2 Ali Juma 2020-04-09 12:13:22 PDT 
(In reply to Tim Horton from comment #1)
> What are the crash/exception details?

It's EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x001a0410
Comment 3 Simon Fraser (smfr) 2020-04-09 15:55:21 PDT 
Please attach a full crash log.
Comment 4 Radar WebKit Bug Importer 2020-04-09 15:55:43 PDT 
<rdar://problem/61546405>
Comment 5 Simon Fraser (smfr) 2020-06-01 14:25:21 PDT 
Ali, do you have any more data that might help us track this down?
Comment 6 Ali Juma 2020-06-02 11:47:07 PDT 
We're seeing another big spike in hang reports with this stack over the past couple days, coming mostly from
https://www.forbes.com/sites/jasonbrett/2020/05/30/second-round-of-stimulus-checks-would-be-paper-or-direct-deposit-again/amp/

I can reliably reproduce a hang on that page in Safari as well (on an iPhone XS running iOS 13.5):
1) Load that URL
2) Start scrolling down quickly as the page loads

The browser then hangs for several seconds before scrolling reaches the bottom, and sometimes eventually crashes.
Comment 7 Simon Fraser (smfr) 2020-06-03 20:11:52 PDT 
The <iframe src="https://drive.google.com/viewerng/viewer?url=https%3A//www.congress.gov/116/bills/hr6800/BILLS-116hr6800eh.pdf&embedded=true"> on that page triggers some pathological compositing creating 1860 composited elements and about twice that many CALayers because of "clip for scroller" layers.
Comment 8 Simon Fraser (smfr) 2020-06-03 20:22:49 PDT 
https://www.craftpassion.com/face-mask-sewing-pattern/ has high layer count (~800) too.