If the GPU Process is terminated while the Web Process is still alive, the destructor of RemoteImageBufferProxy will fail to flushDrawingContext() because m_remoteRenderingBackendProxy will be nullptr. So when the destructor of the base class DisplayList::ImageBuffer is called, the m_drawingContext.m_displayList will have elements. DisplayList::DrawingContext::replayDisplayList() will be called to replay these items. This may also lead to the following crash if any of these DisplayList items were encoded for GPU Process.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.CoreFoundation    0x0000000195832744 CFGetTypeID + 92
1   com.apple.CoreGraphics      0x000000019aa38fa0 CGPathIsEmpty + 28
2   com.apple.WebCore           0x000000010d49dfc8 WebCore::GraphicsContext::drawPath(WebCore::Path const&) + 64
3   com.apple.WebCore           0x000000010f1808a0 WebCore::DisplayList::Replayer::replay(WebCore::FloatRect const&, bool) + 5584
4   com.apple.WebCore           0x000000010f16f230 WebCore::DisplayList::DrawingContext::replayDisplayList(WebCore::GraphicsContext&) + 176
5   com.apple.WebKit            0x0000000105a5053c WebCore::DisplayList::ImageBuffer<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~ImageBuffer() + 60
6   com.apple.WebKit            0x0000000105a4f5c8 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 16
7   com.apple.WebCore           0x000000010d555c8c WebCore::HTMLCanvasElement::~HTMLCanvasElement() + 912
8   com.apple.WebCore           0x000000010d5558e4 WebCore::HTMLCanvasElement::~HTMLCanvasElement() + 16
9   com.apple.JavaScriptCore    0x000000010454b1c4 JSC::PreciseAllocation::sweep() + 76
10  com.apple.JavaScriptCore    0x00000001045433b8 JSC::MarkedSpace::sweepPreciseAllocations() + 104
11  com.apple.JavaScriptCore    0x0000000104522194 JSC::Heap::finalize() + 104
<rdar://75852494>
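The following is an added, deliberately simplified C++ model of the destructor-ordering hazard the report describes; it is not WebKit code and the "hardened" branch is only one illustrative mitigation, not the change that landed in r275157. The class and member names (ImageBufferBase, RemoteImageBufferProxy, m_displayList, flushDrawingContext) mirror the report but the bodies are hypothetical. It shows why a derived destructor that silently gives up on flushing leaves work for the base destructor to replay with a decoder that cannot handle it: the base class destructor always runs after the derived one, and by then the remote backend the derived class depended on may already be gone.

```cpp
#include <cassert>
#include <vector>

// Hypothetical model, not WebKit code: one recorded drawing command.
// gpuEncoded marks an item that only the GPU Process side can replay.
struct DisplayItem {
    bool gpuEncoded;
};

// Stand-in for the rendering backend that lives in the GPU Process.
struct RemoteRenderingBackend {
    int flushedItems = 0;
};

// Counts GPU-encoded items that reached the local replayer. In the real
// crash this corresponds to the bad path object reaching CGPathIsEmpty().
static int g_gpuItemsReplayedLocally = 0;

// Base class: owns the recorded display list and replays whatever is left
// in it when destroyed (plays the role of DisplayList::ImageBuffer).
class ImageBufferBase {
public:
    virtual ~ImageBufferBase() { replayDisplayList(); }
    void record(DisplayItem item) { m_displayList.push_back(item); }
protected:
    std::vector<DisplayItem> m_displayList;
private:
    void replayDisplayList() {
        for (const DisplayItem& item : m_displayList)
            if (item.gpuEncoded)
                ++g_gpuItemsReplayedLocally;   // local replay of a GPU-only item
        m_displayList.clear();
    }
};

// Derived class: normally hands the list to the remote backend before the
// base destructor runs. `hardened` selects the defensive variant that
// discards an unflushable list when the backend is already gone.
class RemoteImageBufferProxy : public ImageBufferBase {
public:
    RemoteImageBufferProxy(RemoteRenderingBackend* backend, bool hardened)
        : m_backend(backend), m_hardened(hardened) {}
    ~RemoteImageBufferProxy() override {
        flushDrawingContext();
        // Anything still queued here is replayed by ~ImageBufferBase().
    }
private:
    void flushDrawingContext() {
        if (!m_backend) {
            // GPU Process terminated: nothing can consume GPU-encoded items.
            if (m_hardened)
                m_displayList.clear();
            return;
        }
        m_backend->flushedItems += static_cast<int>(m_displayList.size());
        m_displayList.clear();
    }
    RemoteRenderingBackend* m_backend;
    bool m_hardened;
};

// Tears down one proxy and returns how many GPU-encoded items were handed
// to the local replayer (non-zero means the crash scenario was reached).
int simulateTeardown(bool gpuProcessAlive, bool hardened) {
    g_gpuItemsReplayedLocally = 0;
    RemoteRenderingBackend backend;
    {
        RemoteImageBufferProxy proxy(gpuProcessAlive ? &backend : nullptr, hardened);
        proxy.record({ /*gpuEncoded*/ true });   // constructed sample items
        proxy.record({ /*gpuEncoded*/ false });
    } // ~RemoteImageBufferProxy runs first, then ~ImageBufferBase
    return g_gpuItemsReplayedLocally;
}

int main() {
    assert(simulateTeardown(true, false) == 0);   // backend alive: items flushed remotely
    assert(simulateTeardown(false, false) == 1);  // backend gone: GPU item replayed locally
    assert(simulateTeardown(false, true) == 0);   // hardened: stale list discarded
    return 0;
}
```

The second call is the situation in the backtrace: the derived destructor cannot flush, returns without touching the list, and the base destructor replays an item that was never meant for the in-process GraphicsContext. Whatever the real fix does, the invariant to check is that m_displayList is empty (or only contains locally replayable items) by the time the base class destructor runs.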
Created attachment 424318 [details] Patch
Committed r275157: <https://commits.webkit.org/r275157>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 424318 [details].