Bug 224388

Summary: UI process can assert in DisplayLink::decrementFullSpeedRequestClientCount()
Product: WebKit Reporter: Simon Fraser (smfr) <simon.fraser>
Component: WebKit2Assignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED    
Severity: Normal CC: kkinnunen, simon.fraser, thorton, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari Technology Preview   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Simon Fraser (smfr)
Reported 2021-04-09 13:38:00 PDT
This can happen when we have a process swap between m_wheelEventActivityHysteresis start and stop. To reproduce: 1. Load a page 2. Scroll 3. Load another page that immediately triggers a rendering update 4. Wait a few seconds. 0 com.apple.JavaScriptCore 0x0000000143c9d1be WTFCrash + 14 (Assertions.cpp:305) 1 com.apple.WebKit 0x000000011a5f681b WTFCrashWithInfo(int, char const*, char const*, int) + 27 (Assertions.h:671) 2 com.apple.WebKit 0x000000011c0dbb52 WebKit::DisplayLink::decrementFullSpeedRequestClientCount(IPC::Connection&) + 290 (DisplayLink.cpp:177) 3 com.apple.WebKit 0x000000011b92894a WebKit::WebProcessPool::setDisplayLinkForDisplayWantsFullSpeedUpdates(IPC::Connection&, unsigned int, bool) + 170 (WebProcessPoolCocoa.mm:831) 4 com.apple.WebKit 0x000000011bb63c36 WebKit::WebPageProxy::wheelEventHysteresisUpdated(PAL::HysteresisState) + 214 (WebPageProxy.cpp:2712) 5 com.apple.WebKit 0x000000011bbc238e WebKit::WebPageProxy::WebPageProxy(WebKit::PageClient&, WebKit::WebProcessProxy&, WTF::Ref<API::PageConfiguration, WTF::RawPtrTraits<API::PageConfiguration> >&&)::$_6::operator()(PAL::HysteresisState) const + 30 (WebPageProxy.cpp:486) 6 com.apple.WebKit 0x000000011bbc2321 WTF::Detail::CallableWrapper<WebKit::WebPageProxy::WebPageProxy(WebKit::PageClient&, WebKit::WebProcessProxy&, WTF::Ref<API::PageConfiguration, WTF::RawPtrTraits<API::PageConfiguration> >&&)::$_6, void, PAL::HysteresisState>::call(PAL::HysteresisState) + 49 (Function.h:52) 7 com.apple.WebKit 0x000000011a5fc9c8 WTF::Function<void (PAL::HysteresisState)>::operator()(PAL::HysteresisState) const + 152 (Function.h:83) 8 com.apple.WebKit 0x000000011b6273a4 PAL::HysteresisActivity::hysteresisTimerFired() + 52 (HysteresisActivity.h:88) 9 com.apple.WebKit 0x000000011b627d37 decltype(*(std::__1::forward<PAL::HysteresisActivity*&>(fp0)).*fp()) std::__1::__invoke<void (PAL::HysteresisActivity::*&)(), PAL::HysteresisActivity*&, void>(void (PAL::HysteresisActivity::*&)(), PAL::HysteresisActivity*&) + 119 (type_traits:3688) 10 com.apple.WebKit 0x000000011b627cb0 std::__1::__bind_return<void (PAL::HysteresisActivity::*)(), std::__1::tuple<PAL::HysteresisActivity*>, std::__1::tuple<>, __is_valid_bind_return<void (PAL::HysteresisActivity::*)(), std::__1::tuple<PAL::HysteresisActivity*>, std::__1::tuple<> >::value>::type std::__1::__apply_functor<void (PAL::HysteresisActivity::*)(), std::__1::tuple<PAL::HysteresisActivity*>, 0ul, std::__1::tuple<> >(void (PAL::HysteresisActivity::*&)(), std::__1::tuple<PAL::HysteresisActivity*>&, std::__1::__tuple_indices<0ul>, std::__1::tuple<>&&) + 64 (functional:2852) 11 com.apple.WebKit 0x000000011b627c69 std::__1::__bind_return<void (PAL::HysteresisActivity::*)(), std::__1::tuple<PAL::HysteresisActivity*>, std::__1::tuple<>, __is_valid_bind_return<void (PAL::HysteresisActivity::*)(), std::__1::tuple<PAL::HysteresisActivity*>, std::__1::tuple<> >::value>::type std::__1::__bind<void (PAL::HysteresisActivity::*&)(), PAL::HysteresisActivity*&>::operator()<>() + 41 (functional:2885) 12 com.apple.WebKit 0x000000011b627bee WTF::Detail::CallableWrapper<std::__1::__bind<void (PAL::HysteresisActivity::*&)(), PAL::HysteresisActivity*&>, void>::call() + 30 (Function.h:52) 13 com.apple.WebKit 0x000000011a63dc32 WTF::Function<void ()>::operator()() const + 130 (Function.h:83) 14 com.apple.WebKit 0x000000011a63db7e WTF::RunLoop::Timer<PAL::HysteresisActivity>::fired() + 30 (RunLoop.h:187) 15 com.apple.JavaScriptCore 0x0000000143d5442c WTF::RunLoop::TimerBase::start(WTF::Seconds, bool)::$_1::operator()(__CFRunLoopTimer*, void*) const + 76 (RunLoopCF.cpp:126) 16 com.apple.JavaScriptCore 0x0000000143d543cd WTF::RunLoop::TimerBase::start(WTF::Seconds, bool)::$_1::__invoke(__CFRunLoopTimer*, void*) + 29 (RunLoopCF.cpp:119) 17 com.apple.CoreFoundation 0x00007fff204813c9 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
Attachments
Patch (4.70 KB, patch)
2021-04-09 14:00 PDT, Simon Fraser (smfr) 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Simon Fraser (smfr)
Comment 1 2021-04-09 14:00:19 PDT
Created attachment 425648 [details] Patch
EWS
Comment 2 2021-04-15 11:37:10 PDT
Committed r276036 (236580@main): <https://commits.webkit.org/236580@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 425648 [details].
Radar WebKit Bug Importer
Comment 3 2021-04-15 11:38:14 PDT
<rdar://problem/76714742>
Note You need to log in before you can comment on or make changes to this bug.