The crash may happen when creating many ImageBuffers consecutively. So WebProcess sends many RemoteRenderingBackend::CreateImageBuffer messages to WebProcess. While the GPUProcess is busy creating the backends and sending the messages RemoteRenderingBackendProxy::DidCreateImageBufferBackend back to WebProcess, the WebProcess is busy drawing to the new ImageBuffers by appending DisplayList items to their DrawingContexts. RemoteRenderingBackendProxy::didAppendData() is called back with every DisplayList item appended to any ImageBuffer DisplayList. The problem happens when appending DisplayList item to a backend-less RemoteImageBufferProxy. Here is an example which may cause this crash: WebProcess: 1. RemoteRenderingBackend::CreateImageBuffer is sent for RemoteImageBufferProxy 'A'. 2. RemoteRenderingBackend::DidCreateImageBufferBackend is received for RemoteImageBufferProxy 'A'. 3. DisplayList items are appended to the context of a RemoteImageBufferProxy 'A'. 4. RemoteRenderingBackend::CreateImageBuffer is sent for RemoteImageBufferProxy 'B'. 5. DisplayList items are appended to the context of a backend-less RemoteImageBufferProxy 'B'. 6. RemoteRenderingBackendProxy::didAppendData() sends RemoteRenderingBackend::WakeUpAndApplyDisplayList message = { 'A', GPUProcessWakeupReason::ItemCountHysteresisExceeded, ... } 7. RemoteRenderingBackend::CreateImageBuffer is sent for RemoteImageBufferProxy 'C'. 8. DisplayList items are appended to the context of a backend-less RemoteImageBufferProxy 'C'. 9. m_parameters.resumeDisplayListSemaphore is signaled with resumeReadingInfo { 'C', ... } GPUProcess: 1. RemoteRenderingBackend::nextDestinationImageBufferAfterApplyingDisplayLists() replays the DisplayList items to the backend of 'A' 2. RemoteRenderingBackend::nextDestinationImageBufferAfterApplyingDisplayLists() sets m_pendingWakeupInfo to { 'B', GPUProcessWakeupReason::ItemCountHysteresisExceeded } 3. RemoteRenderingBackend::createImageBuffer() is called to create the RemoteImageBuffer 'B'. 4. RemoteRenderingBackend::createImageBuffer() voluntarily calls wakeUpAndApplyDisplayList() because m_pendingWakeupInfo matches 'B' 5. RemoteRenderingBackend::nextDestinationImageBufferAfterApplyingDisplayLists() replays the DisplayList items to the backend of 'B' 6. Trying to find the next ImageBuffer, nextDestinationImageBufferAfterApplyingDisplayLists sees the reason = GPUProcessWakeupReason::ItemCountHysteresisExceeded so it looks at the resumeReadingInfo 7. It finds the resumeReadingInfo->destination = 'C' but it does not find in its cache because it has not been created yet. Here is the call stack: Requesting termination of web process 23 for reason: "Missing image buffer destination when resuming display list processing" Thread 2 Crashed:: WebKit::RemoteRenderingBackend::nextDestinationImageBufferAfterApplyingDisplayLists(WebCore::ImageBuffer&, unsigned long, WebKit::DisplayListReaderHandle&, WebKit::GPUProcessWakeupReason) + 2364 WebKit::RemoteRenderingBackend::wakeUpAndApplyDisplayList(WebKit::GPUProcessWakeupMessageArguments const&) + 180 WebKit::RemoteRenderingBackend::createImageBuffer(WebCore::FloatSize const&, WebCore::RenderingMode, float, WebCore::DestinationColorSpace const&, WebCore::PixelFormat, WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>) + 1352 WebKit::RemoteRenderingBackend::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 2044 WTF::dispatchWorkItem<WTF::(anonymous namespace)::DispatchWorkItem>(void*) + 60