RESOLVED FIXED253543
[UI-side compositing] Crash in displaylink::addObserver() 
https://bugs.webkit.org/show_bug.cgi?id=253543
Summary [UI-side compositing] Crash in displaylink::addObserver()
Simon Fraser (smfr)
Reported 2023-03-07 16:34:12 PST
If you close a window soon after a scroll gesture, you can hit this crash: #0 0x0000000115512f84 in unsigned int std::__1::__cxx_atomic_fetch_add[abi:v15006]<unsigned int>(std::__1::__cxx_atomic_base_impl<unsigned int>*, unsigned int, std::__1::memory_order) at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/atomic:1009 #1 0x00000001154c5bec in std::__1::__atomic_base<unsigned int, true>::fetch_add[abi:v15006](unsigned int, std::__1::memory_order) at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/atomic:1659 #2 0x0000000115a41774 in std::__1::__atomic_base<unsigned int, true>::operator++[abi:v15006]() at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/atomic:1696 #3 0x0000000116eea7f0 in WTF::CanMakeCheckedPtrBase<std::__1::atomic<unsigned int>, unsigned int>::incrementPtrCount() const at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/CheckedRef.h:233 #4 0x0000000116eea7c4 in WTF::CheckedRef<WebKit::DisplayLink::Client, WTF::RawPtrTraits<WebKit::DisplayLink::Client> >::CheckedRef(WebKit::DisplayLink::Client&) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/CheckedRef.h:54 #5 0x0000000116e91dd0 in WTF::CheckedRef<WebKit::DisplayLink::Client, WTF::RawPtrTraits<WebKit::DisplayLink::Client> >::CheckedRef(WebKit::DisplayLink::Client&) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/CheckedRef.h:53 #6 0x0000000116e91b20 in WebKit::DisplayLink::addObserver(WebKit::DisplayLink::Client&, WTF::ObjectIdentifier<WebKit::DisplayLinkObserverIDType>, unsigned int) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/mac/DisplayLink.cpp:97 #7 0x0000000116e2b79c in WebKit::RemoteLayerTreeEventDispatcher::startDisplayLinkObserver() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:310 #8 0x0000000116e2b4c0 in WebKit::RemoteLayerTreeEventDispatcher::startOrStopDisplayLinkOnMainThread() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:292 #9 0x0000000116e2a358 in WebKit::RemoteLayerTreeEventDispatcher::startOrStopDisplayLink() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:266 #10 0x0000000116e2bc20 in WebKit::RemoteLayerTreeEventDispatcher::stopDisplayDidRefreshCallbacks(unsigned int) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:383 #11 0x00000001174f6fd0 in WebKit::MomentumEventDispatcher::stopDisplayLink() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/MomentumEventDispatcher.cpp:306 #12 0x00000001174f6e48 in WebKit::MomentumEventDispatcher::~MomentumEventDispatcher() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/MomentumEventDispatcher.cpp:49 #13 0x00000001174f70e4 in WebKit::MomentumEventDispatcher::~MomentumEventDispatcher() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/MomentumEventDispatcher.cpp:48 #14 0x0000000116e4114c in std::__1::default_delete<WebKit::MomentumEventDispatcher>::operator()[abi:v15006](WebKit::MomentumEventDispatcher*) const at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:48 #15 0x0000000116e410b4 in std::__1::unique_ptr<WebKit::MomentumEventDispatcher, std::__1::default_delete<WebKit::MomentumEventDispatcher> >::reset[abi:v15006](WebKit::MomentumEventDispatcher*) at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:305 #16 0x0000000116e41038 in std::__1::unique_ptr<WebKit::MomentumEventDispatcher, std::__1::default_delete<WebKit::MomentumEventDispatcher> >::~unique_ptr[abi:v15006]() at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:259 #17 0x0000000116e29ccc in std::__1::unique_ptr<WebKit::MomentumEventDispatcher, std::__1::default_delete<WebKit::MomentumEventDispatcher> >::~unique_ptr[abi:v15006]() at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:259 #18 0x0000000116e29c40 in WebKit::RemoteLayerTreeEventDispatcher::~RemoteLayerTreeEventDispatcher() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:104 #19 0x0000000116e29e00 in WebKit::RemoteLayerTreeEventDispatcher::~RemoteLayerTreeEventDispatcher() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:104 #20 0x0000000116e29e30 in WebKit::RemoteLayerTreeEventDispatcher::~RemoteLayerTreeEventDispatcher() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:104 #21 0x0000000116698514 in WTF::ThreadSafeRefCounted<WebKit::RemoteLayerTreeEventDispatcher, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/ThreadSafeRefCounted.h:115 #22 0x0000000116698470 in WTF::ThreadSafeRefCounted<WebKit::RemoteLayerTreeEventDispatcher, (WTF::DestructionThread)0>::deref() const at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/ThreadSafeRefCounted.h:127 #23 0x000000011669867c in WTF::DefaultRefDerefTraits<WebKit::RemoteLayerTreeEventDispatcher>::derefIfNotNull(WebKit::RemoteLayerTreeEventDispatcher*) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/RefPtr.h:42 #24 0x0000000116698638 in WTF::RefPtr<WebKit::RemoteLayerTreeEventDispatcher, WTF::RawPtrTraits<WebKit::RemoteLayerTreeEventDispatcher>, WTF::DefaultRefDerefTraits<WebKit::RemoteLayerTreeEventDispatcher> >::~RefPtr() at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/RefPtr.h:74 #25 0x000000011667d52c in WTF::RefPtr<WebKit::RemoteLayerTreeEventDispatcher, WTF::RawPtrTraits<WebKit::RemoteLayerTreeEventDispatcher>, WTF::DefaultRefDerefTraits<WebKit::RemoteLayerTreeEventDispatcher> >::~RefPtr() at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/RefPtr.h:74 #26 0x000000011667d5b8 in WebKit::RemoteScrollingCoordinatorProxyMac::~RemoteScrollingCoordinatorProxyMac() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteScrollingCoordinatorProxyMac.mm:62 #27 0x000000011667d61c in WebKit::RemoteScrollingCoordinatorProxyMac::~RemoteScrollingCoordinatorProxyMac() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteScrollingCoordinatorProxyMac.mm:58 #28 0x000000011667d64c in WebKit::RemoteScrollingCoordinatorProxyMac::~RemoteScrollingCoordinatorProxyMac() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteScrollingCoordinatorProxyMac.mm:58 #29 0x0000000116b27d1c in std::__1::default_delete<WebKit::RemoteScrollingCoordinatorProxy>::operator()[abi:v15006](WebKit::RemoteScrollingCoordinatorProxy*) const at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:48 #30 0x0000000116b27c60 in std::__1::unique_ptr<WebKit::RemoteScrollingCoordinatorProxy, std::__1::default_delete<WebKit::RemoteScrollingCoordinatorProxy> >::reset[abi:v15006](WebKit::RemoteScrollingCoordinatorProxy*) at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:305 #31 0x0000000116aa8944 in std::__1::unique_ptr<WebKit::RemoteScrollingCoordinatorProxy, std::__1::default_delete<WebKit::RemoteScrollingCoordinatorProxy> >::operator=[abi:v15006](std::nullptr_t) at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:263 #32 0x0000000116aa7518 in WebKit::WebPageProxy::setDrawingArea(std::__1::unique_ptr<WebKit::DrawingAreaProxy, std::__1::default_delete<WebKit::DrawingAreaProxy> >&&) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/WebPageProxy.cpp:1148 #33 0x0000000116aaa408 in WebKit::WebPageProxy::resetState(WebKit::WebPageProxy::ResetStateReason) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/WebPageProxy.cpp:8392 #34 0x0000000116aa2798 in WebKit::WebPageProxy::close() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/WebPageProxy.cpp:1257 #35 0x000000011605038c in -[WKWebView dealloc] at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:663
Attachments
Add attachment proposed patch, testcase, etc.
Simon Fraser (smfr)
Comment 1 2023-03-07 16:34:31 PST
<rdar://59960084>
Simon Fraser (smfr)
Comment 2 2023-03-07 16:47:30 PST
Pull request: https://github.com/WebKit/WebKit/pull/11202
EWS
Comment 3 2023-03-08 22:19:42 PST
Committed 261404@main (355ad2b87eea): <https://commits.webkit.org/261404@main> Reviewed commits have been landed. Closing PR #11202 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.