The crash may happen when creating many ImageBuffers consecutively. So WebProcess sends many RemoteRenderingBackend::CreateImageBuffer messages to WebProcess. While the GPUProcess is busy creating the backends and sending the messages RemoteRenderingBackendProxy::DidCreateImageBufferBackend back to WebProcess, the WebProcess is busy drawing to the new ImageBuffers by appending DisplayList items to their DrawingContexts.

RemoteRenderingBackendProxy::didAppendData() is called back with every DisplayList item appended to any ImageBuffer DisplayList. The problem happens when appending DisplayList item to a backend-less RemoteImageBufferProxy. Here is an example which may cause this crash:

WebProcess:

1. RemoteRenderingBackend::CreateImageBuffer is sent for RemoteImageBufferProxy 'A'.
2. RemoteRenderingBackend::DidCreateImageBufferBackend is received for RemoteImageBufferProxy 'A'.
3. DisplayList items are appended to the context of a RemoteImageBufferProxy 'A'.
4. RemoteRenderingBackend::CreateImageBuffer is sent for RemoteImageBufferProxy 'B'.
5. DisplayList items are appended to the context of a backend-less RemoteImageBufferProxy 'B'.
6. RemoteRenderingBackendProxy::didAppendData() sends RemoteRenderingBackend::WakeUpAndApplyDisplayList message = { 'A', GPUProcessWakeupReason::ItemCountHysteresisExceeded, ... }
7. RemoteRenderingBackend::CreateImageBuffer is sent for RemoteImageBufferProxy 'C'.
8. DisplayList items are appended to the context of a backend-less RemoteImageBufferProxy 'C'.
9. m_parameters.resumeDisplayListSemaphore is signaled with resumeReadingInfo { 'C', ... }

GPUProcess:

1. RemoteRenderingBackend::nextDestinationImageBufferAfterApplyingDisplayLists() replays the DisplayList items to the backend of 'A'
2. RemoteRenderingBackend::nextDestinationImageBufferAfterApplyingDisplayLists() sets m_pendingWakeupInfo to { 'B', GPUProcessWakeupReason::ItemCountHysteresisExceeded }
3. RemoteRenderingBackend::createImageBuffer() is called to create the RemoteImageBuffer 'B'.
4. RemoteRenderingBackend::createImageBuffer() voluntarily calls wakeUpAndApplyDisplayList() because m_pendingWakeupInfo matches 'B'
5. RemoteRenderingBackend::nextDestinationImageBufferAfterApplyingDisplayLists() replays the DisplayList items to the backend of 'B'
6. Trying to find the next ImageBuffer, nextDestinationImageBufferAfterApplyingDisplayLists sees the reason = GPUProcessWakeupReason::ItemCountHysteresisExceeded so it looks at the resumeReadingInfo
7. It finds the resumeReadingInfo->destination = 'C' but it does not find in its cache because it has not been created yet.

Here is the call stack:


Requesting termination of web process 23 for reason: "Missing image buffer destination when resuming display list processing"

Thread 2 Crashed::  
WebKit::RemoteRenderingBackend::nextDestinationImageBufferAfterApplyingDisplayLists(WebCore::ImageBuffer&, unsigned long, WebKit::DisplayListReaderHandle&, WebKit::GPUProcessWakeupReason) + 2364
WebKit::RemoteRenderingBackend::wakeUpAndApplyDisplayList(WebKit::GPUProcessWakeupMessageArguments const&) + 180
WebKit::RemoteRenderingBackend::createImageBuffer(WebCore::FloatSize const&, WebCore::RenderingMode, float, WebCore::DestinationColorSpace const&, WebCore::PixelFormat, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>) + 1352 
WebKit::RemoteRenderingBackend::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 2044
WTF::dispatchWorkItem<WTF::(anonymous namespace)::DispatchWorkItem>(void*) + 60