Bug 263783

Summary: REGRESSION (Sonoma): ASSERT(m_scrollingStateTree) on fast/scrolling/scroll-snap-crash.html
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: WebKit2Assignee: Nikos Mouchtaris <nmouchtaris>
Status: NEW ---    
Severity: Normal CC: ap, ben_schwartz, kkinnunen, simon.fraser, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=264419

Description Chris Dumez 2023-10-27 08:30:53 PDT 
fast/scrolling/scroll-snap-crash.html is crashing consistently on my machine with a debug build like so:
run-webkit-tests --debug --no-build --repeat-each=3 fast/scrolling/scroll-snap-crash.html

Crash:
```
Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   JavaScriptCore                	       0x10bd37c44 WTFCrash + 24 (Assertions.cpp:333)
1   WebCore                       	       0x282d67ccc WTFCrashWithInfo(int, char const*, char const*, int) + 36 (Assertions.h:778)
2   WebCore                       	       0x284e407e0 WebCore::ScrollingStateNode::scrollingStateTree() const + 124 (ScrollingStateNode.h:305)
3   WebCore                       	       0x284e4a728 WebCore::ScrollingStateScrollingNode::~ScrollingStateScrollingNode() + 64 (ScrollingStateScrollingNode.cpp:89)
4   WebCore                       	       0x284e3ef44 WebCore::ScrollingStateFrameScrollingNode::~ScrollingStateFrameScrollingNode() + 116 (ScrollingStateFrameScrollingNode.cpp:96)
5   WebCore                       	       0x284e3ef74 WebCore::ScrollingStateFrameScrollingNode::~ScrollingStateFrameScrollingNode() + 32 (ScrollingStateFrameScrollingNode.cpp:96)
6   WebCore                       	       0x284e3efa4 WebCore::ScrollingStateFrameScrollingNode::~ScrollingStateFrameScrollingNode() + 32 (ScrollingStateFrameScrollingNode.cpp:96)
7   WebKit                        	       0x12c5b7210 void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::ScrollingStateNode, (WTF::DestructionThread)0>() const::'lambda'()::operator()() const + 104 (ThreadSafeWeakPtr.h:101)
8   WebKit                        	       0x12c5b7190 void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::ScrollingStateNode, (WTF::DestructionThread)0>() const + 328 (ThreadSafeWeakPtr.h:107)
9   WebKit                        	       0x12c5b703c WTF::ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr<WebCore::ScrollingStateNode, (WTF::DestructionThread)0>::deref() const + 32 (ThreadSafeWeakPtr.h:170)
10  WebKit                        	       0x12c5b7008 WTF::Ref<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>>::~Ref() + 80 (Ref.h:61)
11  WebKit                        	       0x12c5b6fa8 WTF::Ref<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>>::~Ref() + 32 (Ref.h:55)
12  WebKit                        	       0x12dd7ebcc IPC::ArgumentCoder<WebCore::ScrollingStateFrameScrollingNode, void>::decode(IPC::Decoder&) + 2520 (RemoteScrollingCoordinatorTransaction.cpp:367)
13  WebKit                        	       0x12c79f75c std::__1::optional<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>> IPC::ArgumentCoder<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>, void>::decode<IPC::Decoder, WebCore::ScrollingStateFrameScrollingNode>(IPC::Decoder&) + 172 (ArgumentCoders.h:294)
14  WebKit                        	       0x12c4bd240 std::__1::optional<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>> IPC::Decoder::decode<WTF::RefPtr<WebCore::ScrollingStateFrameScrollingNode, WTF::RawPtrTraits<WebCore::ScrollingStateFrameScrollingNode>, WTF::DefaultRefDerefTraits<WebCore::ScrollingStateFrameScrollingNode>>>() + 60 (Decoder.h:137)
15  WebKit                        	       0x12c4bd14c IPC::ArgumentCoder<WebCore::ScrollingStateTree, void>::decode(IPC::Decoder&) + 64 (GeneratedSerializers.mm:41721)
16  WebKit                        	       0x12c79e808 std::__1::optional<WebCore::ScrollingStateTree> IPC::Decoder::decode<WebCore::ScrollingStateTree>() + 60 (Decoder.h:137)
17  WebKit                        	       0x12c79e6b4 std::__1::optional<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>> IPC::ArgumentCoder<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>, void>::decode<IPC::Decoder>(IPC::Decoder&) + 128 (ArgumentCoders.h:336)
18  WebKit                        	       0x12c4bce18 std::__1::optional<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>> IPC::Decoder::decode<std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree>>>() + 60 (Decoder.h:137)
19  WebKit                        	       0x12c4bccec IPC::ArgumentCoder<WebKit::RemoteScrollingCoordinatorTransaction, void>::decode(IPC::Decoder&) + 40 (GeneratedSerializers.mm:41694)
20  WebKit                        	       0x12cc2dd34 std::__1::optional<WebKit::RemoteScrollingCoordinatorTransaction> IPC::Decoder::decode<WebKit::RemoteScrollingCoordinatorTransaction>() + 60 (Decoder.h:137)

```
Comment 1 Chris Dumez 2023-10-27 08:32:23 PDT 
```
CheckedPtr<ScrollingStateTree> m_scrollingStateTree; // Only null between deserialization and attachAfterDeserialization.
```

We crash during destruction because m_scrollingStateTree is null.

The crash does occur during IPC deserialization so it seems it is expected for `m_scrollingStateTree` to be null.

Seems like there may be 2 bugs:
1. IPC deserialization fails
2. The ScrollingStateScrollingNode doesn't support getting destroyed during IPC deserialization and crashes
Comment 2 Chris Dumez 2023-10-27 08:40:45 PDT 
For me, it looks like it fails IPC decoding for ScrollingStateNodeProperty::SnapOffsetsInfo
Comment 3 Chris Dumez 2023-10-27 08:46:07 PDT 
(In reply to Chris Dumez from comment #2)
> For me, it looks like it fails IPC decoding for
> ScrollingStateNodeProperty::SnapOffsetsInfo

In particular, horizontalSnapOffsets inside FloatScrollSnapOffsetsInfo.
Comment 4 Chris Dumez 2023-10-27 08:50:07 PDT 
(In reply to Chris Dumez from comment #3)
> (In reply to Chris Dumez from comment #2)
> > For me, it looks like it fails IPC decoding for
> > ScrollingStateNodeProperty::SnapOffsetsInfo
> 
> In particular, horizontalSnapOffsets inside FloatScrollSnapOffsetsInfo.

In particular, the snapTargetID of FloatSnapOffset fails decoding.
Comment 5 Alexey Proskuryakov 2023-10-30 13:29:01 PDT 
Also frequently crashes on macOS Sonoma bots, but not on older OS versions.
Comment 6 Radar WebKit Bug Importer 2023-10-30 13:29:33 PDT 
<rdar://problem/117702748>
Comment 7 Ben Schwartz 2023-11-08 09:33:51 PST 
I have related this bug to bug #264419, which is an umbrella bug tracking layout test regressions in macOS Sonoma 14.1.