Bug 224388 - UI process can assert in DisplayLink::decrementFullSpeedRequestClientCount()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Simon Fraser (smfr)
Keywords: InRadar
Reported: 2021-04-09 13:38 PDT by Simon Fraser (smfr)
Modified: 2021-04-15 11:38 PDT

Attachments
Patch (4.70 KB, patch)
2021-04-09 14:00 PDT, Simon Fraser (smfr)

Description Simon Fraser (smfr) 2021-04-09 13:38:00 PDT
This can happen when we have a process swap between m_wheelEventActivityHysteresis start and stop. To reproduce:

1. Load a page
2. Scroll
3. Load another page that immediately triggers a rendering update
4. Wait a few seconds.

0   com.apple.JavaScriptCore      	0x0000000143c9d1be WTFCrash + 14 (Assertions.cpp:305)
1   com.apple.WebKit              	0x000000011a5f681b WTFCrashWithInfo(int, char const*, char const*, int) + 27 (Assertions.h:671)
2   com.apple.WebKit              	0x000000011c0dbb52 WebKit::DisplayLink::decrementFullSpeedRequestClientCount(IPC::Connection&) + 290 (DisplayLink.cpp:177)
3   com.apple.WebKit              	0x000000011b92894a WebKit::WebProcessPool::setDisplayLinkForDisplayWantsFullSpeedUpdates(IPC::Connection&, unsigned int, bool) + 170 (WebProcessPoolCocoa.mm:831)
4   com.apple.WebKit              	0x000000011bb63c36 WebKit::WebPageProxy::wheelEventHysteresisUpdated(PAL::HysteresisState) + 214 (WebPageProxy.cpp:2712)
5   com.apple.WebKit              	0x000000011bbc238e WebKit::WebPageProxy::WebPageProxy(WebKit::PageClient&, WebKit::WebProcessProxy&, WTF::Ref<API::PageConfiguration, WTF::RawPtrTraits<API::PageConfiguration> >&&)::$_6::operator()(PAL::HysteresisState) const + 30 (WebPageProxy.cpp:486)
6   com.apple.WebKit              	0x000000011bbc2321 WTF::Detail::CallableWrapper<WebKit::WebPageProxy::WebPageProxy(WebKit::PageClient&, WebKit::WebProcessProxy&, WTF::Ref<API::PageConfiguration, WTF::RawPtrTraits<API::PageConfiguration> >&&)::$_6, void, PAL::HysteresisState>::call(PAL::HysteresisState) + 49 (Function.h:52)
7   com.apple.WebKit              	0x000000011a5fc9c8 WTF::Function<void (PAL::HysteresisState)>::operator()(PAL::HysteresisState) const + 152 (Function.h:83)
8   com.apple.WebKit              	0x000000011b6273a4 PAL::HysteresisActivity::hysteresisTimerFired() + 52 (HysteresisActivity.h:88)
9   com.apple.WebKit              	0x000000011b627d37 decltype(*(std::__1::forward<PAL::HysteresisActivity*&>(fp0)).*fp()) std::__1::__invoke<void (PAL::HysteresisActivity::*&)(), PAL::HysteresisActivity*&, void>(void (PAL::HysteresisActivity::*&)(), PAL::HysteresisActivity*&) + 119 (type_traits:3688)
10  com.apple.WebKit              	0x000000011b627cb0 std::__1::__bind_return<void (PAL::HysteresisActivity::*)(), std::__1::tuple<PAL::HysteresisActivity*>, std::__1::tuple<>, __is_valid_bind_return<void (PAL::HysteresisActivity::*)(), std::__1::tuple<PAL::HysteresisActivity*>, std::__1::tuple<> >::value>::type std::__1::__apply_functor<void (PAL::HysteresisActivity::*)(), std::__1::tuple<PAL::HysteresisActivity*>, 0ul, std::__1::tuple<> >(void (PAL::HysteresisActivity::*&)(), std::__1::tuple<PAL::HysteresisActivity*>&, std::__1::__tuple_indices<0ul>, std::__1::tuple<>&&) + 64 (functional:2852)
11  com.apple.WebKit              	0x000000011b627c69 std::__1::__bind_return<void (PAL::HysteresisActivity::*)(), std::__1::tuple<PAL::HysteresisActivity*>, std::__1::tuple<>, __is_valid_bind_return<void (PAL::HysteresisActivity::*)(), std::__1::tuple<PAL::HysteresisActivity*>, std::__1::tuple<> >::value>::type std::__1::__bind<void (PAL::HysteresisActivity::*&)(), PAL::HysteresisActivity*&>::operator()<>() + 41 (functional:2885)
12  com.apple.WebKit              	0x000000011b627bee WTF::Detail::CallableWrapper<std::__1::__bind<void (PAL::HysteresisActivity::*&)(), PAL::HysteresisActivity*&>, void>::call() + 30 (Function.h:52)
13  com.apple.WebKit              	0x000000011a63dc32 WTF::Function<void ()>::operator()() const + 130 (Function.h:83)
14  com.apple.WebKit              	0x000000011a63db7e WTF::RunLoop::Timer<PAL::HysteresisActivity>::fired() + 30 (RunLoop.h:187)
15  com.apple.JavaScriptCore      	0x0000000143d5442c WTF::RunLoop::TimerBase::start(WTF::Seconds, bool)::$_1::operator()(__CFRunLoopTimer*, void*) const + 76 (RunLoopCF.cpp:126)
16  com.apple.JavaScriptCore      	0x0000000143d543cd WTF::RunLoop::TimerBase::start(WTF::Seconds, bool)::$_1::__invoke(__CFRunLoopTimer*, void*) + 29 (RunLoopCF.cpp:119)
17  com.apple.CoreFoundation      	0x00007fff204813c9 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
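
The sequence in the description above, as an added example that is not WebKit source and not the attached patch: a simplified model that assumes the full-speed request count is tracked per connection (inferred from the `IPC::Connection&` parameter in frames 2 and 3). `DisplayLinkModel`, `runScenario` and `rememberConnection` are hypothetical names, and remembering the connection is only one way to keep the pair balanced; the landed change may differ.

```cpp
// Simplified model of the start/stop imbalance (added example, not WebKit code).
#include <cstdio>
#include <map>

using ConnectionID = int; // stands in for IPC::Connection& (assumption)

class DisplayLinkModel {
public:
    void increment(ConnectionID c) { ++m_counts[c]; }
    // Returns false where a debug build would assert: no outstanding
    // full-speed request is recorded for this connection.
    bool decrement(ConnectionID c) {
        auto it = m_counts.find(c);
        if (it == m_counts.end())
            return false;
        if (!--it->second)
            m_counts.erase(it);
        return true;
    }
    unsigned outstanding() const {
        unsigned n = 0;
        for (const auto& entry : m_counts)
            n += entry.second;
        return n;
    }
private:
    std::map<ConnectionID, unsigned> m_counts;
};

struct Result { bool decrementOK; unsigned leaked; };

// Steps 1-4 of the report: scroll (start), process swap, timer fires (stop).
Result runScenario(bool rememberConnection) {
    DisplayLinkModel link;
    ConnectionID current = 1;           // process serving the first page
    link.increment(current);            // hysteresis started by the scroll
    ConnectionID requestedOn = current; // connection that holds the request
    current = 2;                        // navigation swaps the web process
    // Hysteresis timer fires a few seconds later and reports "stopped".
    ConnectionID target = rememberConnection ? requestedOn : current;
    bool ok = link.decrement(target);
    return { ok, link.outstanding() };
}

int main() {
    Result a = runScenario(false), b = runScenario(true);
    std::printf("stop on current connection:  ok=%d leaked=%u\n", a.decrementOK, a.leaked);
    std::printf("stop on original connection: ok=%d leaked=%u\n", b.decrementOK, b.leaked);
}
```

In the unbalanced run the decrement fails and the request taken on the old connection is never released, which matches an assertion that only fires once the hysteresis timer expires.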
Comment 1 Simon Fraser (smfr) 2021-04-09 14:00:19 PDT
Created attachment 425648
Patch
Comment 2 EWS 2021-04-15 11:37:10 PDT
Committed r276036 (236580@main): <https://commits.webkit.org/236580@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 425648.
Comment 3 Radar WebKit Bug Importer 2021-04-15 11:38:14 PDT
<rdar://problem/76714742>