Bug 253543

Summary: [UI-side compositing] Crash in displaylink::addObserver()
Product: WebKit Reporter: Simon Fraser (smfr) <simon.fraser>
Component: WebKit Process ModelAssignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED    
Severity: Normal CC: simon.fraser, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=255800

Description Simon Fraser (smfr) 2023-03-07 16:34:12 PST 
If you close a window soon after a scroll gesture, you can hit this crash:

#0	0x0000000115512f84 in unsigned int std::__1::__cxx_atomic_fetch_add[abi:v15006]<unsigned int>(std::__1::__cxx_atomic_base_impl<unsigned int>*, unsigned int, std::__1::memory_order) at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/atomic:1009
#1	0x00000001154c5bec in std::__1::__atomic_base<unsigned int, true>::fetch_add[abi:v15006](unsigned int, std::__1::memory_order) at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/atomic:1659
#2	0x0000000115a41774 in std::__1::__atomic_base<unsigned int, true>::operator++[abi:v15006]() at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/atomic:1696
#3	0x0000000116eea7f0 in WTF::CanMakeCheckedPtrBase<std::__1::atomic<unsigned int>, unsigned int>::incrementPtrCount() const at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/CheckedRef.h:233
#4	0x0000000116eea7c4 in WTF::CheckedRef<WebKit::DisplayLink::Client, WTF::RawPtrTraits<WebKit::DisplayLink::Client> >::CheckedRef(WebKit::DisplayLink::Client&) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/CheckedRef.h:54
#5	0x0000000116e91dd0 in WTF::CheckedRef<WebKit::DisplayLink::Client, WTF::RawPtrTraits<WebKit::DisplayLink::Client> >::CheckedRef(WebKit::DisplayLink::Client&) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/CheckedRef.h:53
#6	0x0000000116e91b20 in WebKit::DisplayLink::addObserver(WebKit::DisplayLink::Client&, WTF::ObjectIdentifier<WebKit::DisplayLinkObserverIDType>, unsigned int) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/mac/DisplayLink.cpp:97
#7	0x0000000116e2b79c in WebKit::RemoteLayerTreeEventDispatcher::startDisplayLinkObserver() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:310
#8	0x0000000116e2b4c0 in WebKit::RemoteLayerTreeEventDispatcher::startOrStopDisplayLinkOnMainThread() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:292
#9	0x0000000116e2a358 in WebKit::RemoteLayerTreeEventDispatcher::startOrStopDisplayLink() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:266
#10	0x0000000116e2bc20 in WebKit::RemoteLayerTreeEventDispatcher::stopDisplayDidRefreshCallbacks(unsigned int) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:383
#11	0x00000001174f6fd0 in WebKit::MomentumEventDispatcher::stopDisplayLink() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/MomentumEventDispatcher.cpp:306
#12	0x00000001174f6e48 in WebKit::MomentumEventDispatcher::~MomentumEventDispatcher() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/MomentumEventDispatcher.cpp:49
#13	0x00000001174f70e4 in WebKit::MomentumEventDispatcher::~MomentumEventDispatcher() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/MomentumEventDispatcher.cpp:48
#14	0x0000000116e4114c in std::__1::default_delete<WebKit::MomentumEventDispatcher>::operator()[abi:v15006](WebKit::MomentumEventDispatcher*) const at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:48
#15	0x0000000116e410b4 in std::__1::unique_ptr<WebKit::MomentumEventDispatcher, std::__1::default_delete<WebKit::MomentumEventDispatcher> >::reset[abi:v15006](WebKit::MomentumEventDispatcher*) at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:305
#16	0x0000000116e41038 in std::__1::unique_ptr<WebKit::MomentumEventDispatcher, std::__1::default_delete<WebKit::MomentumEventDispatcher> >::~unique_ptr[abi:v15006]() at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:259
#17	0x0000000116e29ccc in std::__1::unique_ptr<WebKit::MomentumEventDispatcher, std::__1::default_delete<WebKit::MomentumEventDispatcher> >::~unique_ptr[abi:v15006]() at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:259
#18	0x0000000116e29c40 in WebKit::RemoteLayerTreeEventDispatcher::~RemoteLayerTreeEventDispatcher() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:104
#19	0x0000000116e29e00 in WebKit::RemoteLayerTreeEventDispatcher::~RemoteLayerTreeEventDispatcher() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:104
#20	0x0000000116e29e30 in WebKit::RemoteLayerTreeEventDispatcher::~RemoteLayerTreeEventDispatcher() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:104
#21	0x0000000116698514 in WTF::ThreadSafeRefCounted<WebKit::RemoteLayerTreeEventDispatcher, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/ThreadSafeRefCounted.h:115
#22	0x0000000116698470 in WTF::ThreadSafeRefCounted<WebKit::RemoteLayerTreeEventDispatcher, (WTF::DestructionThread)0>::deref() const at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/ThreadSafeRefCounted.h:127
#23	0x000000011669867c in WTF::DefaultRefDerefTraits<WebKit::RemoteLayerTreeEventDispatcher>::derefIfNotNull(WebKit::RemoteLayerTreeEventDispatcher*) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/RefPtr.h:42
#24	0x0000000116698638 in WTF::RefPtr<WebKit::RemoteLayerTreeEventDispatcher, WTF::RawPtrTraits<WebKit::RemoteLayerTreeEventDispatcher>, WTF::DefaultRefDerefTraits<WebKit::RemoteLayerTreeEventDispatcher> >::~RefPtr() at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/RefPtr.h:74
#25	0x000000011667d52c in WTF::RefPtr<WebKit::RemoteLayerTreeEventDispatcher, WTF::RawPtrTraits<WebKit::RemoteLayerTreeEventDispatcher>, WTF::DefaultRefDerefTraits<WebKit::RemoteLayerTreeEventDispatcher> >::~RefPtr() at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/RefPtr.h:74
#26	0x000000011667d5b8 in WebKit::RemoteScrollingCoordinatorProxyMac::~RemoteScrollingCoordinatorProxyMac() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteScrollingCoordinatorProxyMac.mm:62
#27	0x000000011667d61c in WebKit::RemoteScrollingCoordinatorProxyMac::~RemoteScrollingCoordinatorProxyMac() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteScrollingCoordinatorProxyMac.mm:58
#28	0x000000011667d64c in WebKit::RemoteScrollingCoordinatorProxyMac::~RemoteScrollingCoordinatorProxyMac() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteScrollingCoordinatorProxyMac.mm:58
#29	0x0000000116b27d1c in std::__1::default_delete<WebKit::RemoteScrollingCoordinatorProxy>::operator()[abi:v15006](WebKit::RemoteScrollingCoordinatorProxy*) const at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:48
#30	0x0000000116b27c60 in std::__1::unique_ptr<WebKit::RemoteScrollingCoordinatorProxy, std::__1::default_delete<WebKit::RemoteScrollingCoordinatorProxy> >::reset[abi:v15006](WebKit::RemoteScrollingCoordinatorProxy*) at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:305
#31	0x0000000116aa8944 in std::__1::unique_ptr<WebKit::RemoteScrollingCoordinatorProxy, std::__1::default_delete<WebKit::RemoteScrollingCoordinatorProxy> >::operator=[abi:v15006](std::nullptr_t) at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.3.Internal.sdk/usr/include/c++/v1/__memory/unique_ptr.h:263
#32	0x0000000116aa7518 in WebKit::WebPageProxy::setDrawingArea(std::__1::unique_ptr<WebKit::DrawingAreaProxy, std::__1::default_delete<WebKit::DrawingAreaProxy> >&&) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/WebPageProxy.cpp:1148
#33	0x0000000116aaa408 in WebKit::WebPageProxy::resetState(WebKit::WebPageProxy::ResetStateReason) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/WebPageProxy.cpp:8392
#34	0x0000000116aa2798 in WebKit::WebPageProxy::close() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/WebPageProxy.cpp:1257
#35	0x000000011605038c in -[WKWebView dealloc] at /Volumes/Data/WebKit/OpenSource/Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:663
Comment 1 Simon Fraser (smfr) 2023-03-07 16:34:31 PST 
<rdar://59960084>
Comment 2 Simon Fraser (smfr) 2023-03-07 16:47:30 PST 
Pull request: https://github.com/WebKit/WebKit/pull/11202
Comment 3 EWS 2023-03-08 22:19:42 PST 
Committed 261404@main (355ad2b87eea): <https://commits.webkit.org/261404@main>

Reviewed commits have been landed. Closing PR #11202 and removing active labels.