301333 – REGRESSION(296781@main) Crash under RemoteLayerTreeDrawingAreaProxy::commitLayerTree()

RESOLVED FIXED301333

REGRESSION(296781@main) Crash under RemoteLayerTreeDrawingAreaProxy::commitLayerTree()

https://bugs.webkit.org/show_bug.cgi?id=301333

Summary REGRESSION(296781@main) Crash under RemoteLayerTreeDrawingAreaProxy::commitLa...

Chris Dumez

Reported 2025-10-23 02:23:58 PDT

Crash under RemoteLayerTreeDrawingAreaProxy::commitLayerTree() due to CheckedPtr adoption: ``` Thread 0 Crashed:: Dispatch queue: com.apple.main-thread: 0 com.apple.WebKit 0x1bb144ce4 WTFCrashWithInfo(int, char const*, char const*, int) + 24 1 com.apple.WebKit 0x1bb144ce4 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::decrementCheckedPtrCount() const + 24 2 com.apple.WebKit 0x1bb144ce4 WTF::CheckedRef<WebKit::RemoteScrollingCoordinatorProxy, WTF::RawPtrTraits<WebKit::RemoteScrollingCoordinatorProxy>>::~CheckedRef() + 24 3 com.apple.WebKit 0x1bb144ce4 WTF::CheckedRef<WebKit::RemoteScrollingCoordinatorProxy, WTF::RawPtrTraits<WebKit::RemoteScrollingCoordinatorProxy>>::~CheckedRef() + 24 4 com.apple.WebKit 0x1bb144ce4 WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTreeTransaction(IPC::Connection&, WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&) + 24 5 com.apple.WebKit 0x1bb144ce4 WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(IPC::Connection&, WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>&&) + 4136 (/AppleInternal/Library/BuildRoots/4~CAXSugAE-UsELDDEuozmTyYy4wlt8GQEFnn_NLI/Library/Caches/com.apple.xbs/Sources/WebKit/Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm:315) 6 com.apple.WebKit 0x1bb1446ec WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTreeTransaction(IPC::Connection&, WebKit::RemoteLayerTreeTransaction const&, WebKit::RemoteScrollingCoordinatorTransaction const&) + 176 7 com.apple.WebKit 0x1bb1446ec WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTree(IPC::Connection&, WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>&&) + 2608 8 com.apple.WebKit 0x1bad94040 auto void IPC::callMemberFunction<WebKit::RemoteLayerTreeDrawingAreaProxy, WebKit::RemoteLayerTreeDrawingAreaProxy, void (IPC::Connection&, WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>&&), std::__1::tuple<WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>>>(WebKit::RemoteLayerTreeDrawingAreaProxy*, void (WebKit::RemoteLayerTreeDrawingAreaProxy::*)(IPC::Connection&, WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>&&), IPC::Connection&, std::__1::tuple<WTF::Vector<std::__1::pair<WebKit::RemoteLayerTreeTransaction, WebKit::RemoteScrollingCoordinatorTransaction>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::HashMap<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::unique_ptr<WebKit::BufferSetBackendHandle, std::__1::default_delete<WebKit::BufferSetBackendHandle>>, WTF::DefaultHash<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<WTF::ObjectIdentifierGeneric<WebKit::ImageBufferSetIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>>, WTF::HashTraits<std::__1::unique_ptr<WebKit::BufferSetBackendHa + 12 ```

Attachments
Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2025-10-23 02:24:11 PDT

<rdar://163116334>

Chris Dumez

Comment 2 2025-10-23 02:27:02 PDT

Pull request: https://github.com/WebKit/WebKit/pull/52870

EWS

Comment 3 2025-10-23 04:52:18 PDT

Committed 302020@main (4570314ba9fe): <https://commits.webkit.org/302020@main> Reviewed commits have been landed. Closing PR #52870 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebKit2

Assignee

Chris Dumez

Reported

2025-10-23 02:23 PDT

Modified

2025-10-23 04:52 PDT History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks