Bug 210270 - Crash in RemoteLayerTreePropertyApplier::updateChildren
Summary: Crash in RemoteLayerTreePropertyApplier::updateChildren
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-04-09 06:36 PDT by Ali Juma
Modified: 2020-06-03 20:22 PDT
Description Ali Juma 2020-04-09 06:36:19 PDT
Chrome for iOS is getting a large number of crash reports on https://www.tgju.org/currency and on https://www.craftpassion.com/face-mask-sewing-pattern/, in RemoteLayerTreePropertyApplier::updateChildren. The crashes affect multiple versions of iOS, including 13.4 but also going all the way back to 12.0.

We haven't yet found steps to reproduce.

The crash stack is:
(CoreFoundation + 0x00003150 )  -[__NSArrayM insertObject:atIndex:]
(UIKitCore + 0x00f21254 )  -[UIView(Hierarchy) subviews]
(WebKit + 0x0000bfc8 )  -[UIView(WKUIViewUtilities) _web_setSubviews:]
(WebKit + 0x001a347c )  WebKit::RemoteLayerTreePropertyApplier::updateChildren(WebKit::RemoteLayerTreeNode&, WebKit::RemoteLayerTreeTransaction::LayerProperties const&, WTF::HashMap<unsigned long long, std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> > > > const&)
(WebKit + 0x001a32f4 )  WebKit::RemoteLayerTreePropertyApplier::applyProperties(WebKit::RemoteLayerTreeNode&, WebKit::RemoteLayerTreeHost*, WebKit::RemoteLayerTreeTransaction::LayerProperties const&, WTF::HashMap<unsigned long long, std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<std::__1::unique_ptr<WebKit::RemoteLayerTreeNode, std::__1::default_delete<WebKit::RemoteLayerTreeNode> > > > const&, WebKit::RemoteLayerBackingStore::LayerContentsType)
(WebKit + 0x002ffd74 )  WebKit::RemoteLayerTreeHost::updateLayerTree(WebKit::RemoteLayerTreeTransaction const&, float)
(WebKit + 0x002ff7d4 )  WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)
(WebKit + 0x0008d2d0 )  void IPC::handleMessage<Messages::RemoteLayerTreeDrawingAreaProxy::CommitLayerTree, WebKit::RemoteLayerTreeDrawingAreaProxy, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)>(IPC::Decoder&, WebKit::RemoteLayerTreeDrawingAreaProxy*, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&))
(WebKit + 0x00045d34 )  IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)
(WebKit + 0x002ea2b0 )  WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
(WebKit + 0x00032778 )  IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)
(WebKit + 0x00031da4 )  IPC::Connection::dispatchIncomingMessages()
(JavaScriptCore + 0x0003a3b4 )  WTF::RunLoop::performWork()

Bug 193897 looks similar, but was fixed a year ago.
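Added triage helper, not code from this bug or from WebKit: it parses a crash stack in the "(Module + 0xOFFSET ) Symbol" form pasted above, reports where the crash path first enters a given binary image, and names the IPC message whose handler is on the stack. The sample input is a constructed subset of the frames above (the two longest omitted); the function names are this example's own.

```python
from __future__ import annotations
import re
from typing import NamedTuple
# One frame per line, as pasted in the bug: "(Module + 0xOFFSET )  Symbol".
# The optional leading "=" absorbs the stray character on the UIKitCore line.
FRAME_RE = re.compile(r"^=?\(\s*(?P<module>[^\s+]+)\s*\+\s*(?P<offset>0x[0-9a-fA-F]+)\s*\)\s+(?P<symbol>.+?)\s*$")
IPC_RE = re.compile(r"IPC::handleMessage<(?P<message>Messages::[\w:]+)")

class Frame(NamedTuple):
    module: str   # binary image, e.g. "WebKit"
    offset: int   # unslid offset within that image, what symbolication needs
    symbol: str

def parse_stack(text: str) -> list[Frame]:
    """Parse frames innermost-first; reject any non-empty line that is not a frame."""
    frames: list[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised frame line: {line!r}")
        frames.append(Frame(m["module"], int(m["offset"], 16), m["symbol"]))
    return frames

def first_frame_in(frames: list[Frame], module: str) -> tuple[int, Frame] | None:
    """Innermost frame inside `module` and its depth: where the crash path leaves system code."""
    return next(((i, f) for i, f in enumerate(frames) if f.module == module), None)

def ipc_message(frames: list[Frame]) -> str | None:
    """Name of the IPC message whose handler is on the stack, if any."""
    for f in frames:
        m = IPC_RE.search(f.symbol)
        if m:
            return m["message"]
    return None

# Constructed sample: a subset of the frames from the bug's stack (the longest ones omitted).
SAMPLE_STACK = "\n".join([
    "(CoreFoundation + 0x00003150 )  -[__NSArrayM insertObject:atIndex:]",
    "=(UIKitCore + 0x00f21254 )  -[UIView(Hierarchy) subviews]",
    "(WebKit + 0x0000bfc8 )  -[UIView(WKUIViewUtilities) _web_setSubviews:]",
    "(WebKit + 0x002ffd74 )  WebKit::RemoteLayerTreeHost::updateLayerTree(WebKit::RemoteLayerTreeTransaction const&, float)",
    "(WebKit + 0x0008d2d0 )  void IPC::handleMessage<Messages::RemoteLayerTreeDrawingAreaProxy::CommitLayerTree, WebKit::RemoteLayerTreeDrawingAreaProxy, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&)>(IPC::Decoder&, WebKit::RemoteLayerTreeDrawingAreaProxy*, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&))",
    "(WebKit + 0x00031da4 )  IPC::Connection::dispatchIncomingMessages()",
    "(JavaScriptCore + 0x0003a3b4 )  WTF::RunLoop::performWork()",
])
```

The depth returned by `first_frame_in` is the frame index counted from the crashing frame, so a depth of 2 for WebKit means two system frames sit above the first WebKit code.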
Comment 1 Tim Horton 2020-04-09 11:49:18 PDT
What are the crash/exception details?
Comment 2 Ali Juma 2020-04-09 12:13:22 PDT
(In reply to Tim Horton from comment #1)
> What are the crash/exception details?

It's EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x001a0410
Comment 3 Simon Fraser (smfr) 2020-04-09 15:55:21 PDT
Please attach a full crash log.
Comment 4 Radar WebKit Bug Importer 2020-04-09 15:55:43 PDT
<rdar://problem/61546405>
Comment 5 Simon Fraser (smfr) 2020-06-01 14:25:21 PDT
Ali, do you have any more data that might help us track this down?
Comment 6 Ali Juma 2020-06-02 11:47:07 PDT
We're seeing another big spike in hang reports with this stack over the past couple days, coming mostly from
https://www.forbes.com/sites/jasonbrett/2020/05/30/second-round-of-stimulus-checks-would-be-paper-or-direct-deposit-again/amp/

I can reliably reproduce a hang on that page in Safari as well (on an iPhone XS running iOS 13.5):
1) Load that URL
2) Start scrolling down quickly as the page loads

The browser then hangs for several seconds before scrolling reaches the bottom, and sometimes eventually crashes.
Comment 7 Simon Fraser (smfr) 2020-06-03 20:11:52 PDT
The <iframe src="https://drive.google.com/viewerng/viewer?url=https%3A//www.congress.gov/116/bills/hr6800/BILLS-116hr6800eh.pdf&embedded=true"> on that page triggers some pathological compositing creating 1860 composited elements and about twice that many CALayers because of "clip for scroller" layers.
Comment 8 Simon Fraser (smfr) 2020-06-03 20:22:49 PDT
https://www.craftpassion.com/face-mask-sewing-pattern/ has high layer count (~800) too.