Bug 301333

Summary:	REGRESSION(296781@main) Crash under RemoteLayerTreeDrawingAreaProxy::commitLayerTree()
Product:	WebKit	Reporter:	Chris Dumez <cdumez>
Component:	WebKit2	Assignee:	Chris Dumez <cdumez>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	kkinnunen, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Chris Dumez

Reported 2025-10-23 02:23:58 PDT

Crash under RemoteLayerTreeDrawingAreaProxy::commitLayerTree() due to CheckedPtr adoption: ``` Thread 0 Crashed:: Dispatch queue: com.apple.main-thread: 0 com.apple.WebKit 0x1bb144ce4 WTFCrashWithInfo(int, char const*, char const*, int) + 24 1 com.apple.WebKit 0x1bb144ce4 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::decrementCheckedPtrCount() const + 24 2 com.apple.WebKit 0x1bb144ce4 WTF::CheckedRef<WebKit::RemoteScrollingCoordinatorProxy, WTF::RawPtrTraits<WebKit::RemoteScrollingCoordinatorProxy>>::~CheckedRef() + 24 3 com.apple.WebKit 0x1bb144ce4 WTF::CheckedRef<WebKit::RemoteScrollingCoordinatorProxy, WTF::RawPtrTraits<WebKit::RemoteScrollingCoordinatorProxy>>::~CheckedRef() + 24 4 com.apple.WebKit 0x1bb144ce4 WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTreeTransaction(IPC::Connection&, WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&) + 24 5 com.apple.WebKit 0x1bb144ce4 WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(IPC::Connection&, WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>&&) + 4136 (/AppleInternal/Library/BuildRoots/4~CAXSugAE-UsELDDEuozmTyYy4wlt8GQEFnn_NLI/Library/Caches/com.apple.xbs/Sources/WebKit/Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm:315) 6 com.apple.WebKit 0x1bb1446ec WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTreeTransaction(IPC::Connection&, WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&) + 176 7 com.apple.WebKit 0x1bb1446ec WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(IPC::Connection&, WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>&&) + 2608 8 com.apple.WebKit 0x1bad94040 auto void IPC::callMemberFunction<WebKit::RemoteLayerTreeDrawingAreaProxy, WebKit::RemoteLayerTreeDrawingAreaProxy, void (IPC::Connection&, WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>&&), std::__1::tuple<WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>>>(WebKit::RemoteLayerTreeDrawingAreaProxy*, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(IPC::Connection&, WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>&&), IPC::Connection&, std::__1::tuple<WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHa + 12 ```

Attachments
Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2025-10-23 02:24:11 PDT

<rdar://163116334>

Chris Dumez

Comment 2 2025-10-23 02:27:02 PDT

Pull request: https://github.com/WebKit/WebKit/pull/52870

EWS

Comment 3 2025-10-23 04:52:18 PDT

Committed 302020@main (4570314ba9fe): <https://commits.webkit.org/302020@main> Reviewed commits have been landed. Closing PR #52870 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.