WebKit Bugzilla
RESOLVED FIXED
Bug 254378: REGRESSION(261977@main): TestWebKitAPI.ProcessSwap.ResizeWebViewDuringCrossSiteProvisionalNavigation is a constant crash
https://bugs.webkit.org/show_bug.cgi?id=254378
Robert Jenner, Reported 2023-03-23 17:17:41 PDT
TestWebKitAPI.ProcessSwap.ResizeWebViewDuringCrossSiteProvisionalNavigation is a constant crash on iOS, and a flaky crash on Ventura Debug.

HISTORY:
https://results.webkit.org/?suite=api-tests&test=TestWebKitAPI.ProcessSwap.ResizeWebViewDuringCrossSiteProvisionalNavigation

Crash text:
TestWebKitAPI.ProcessSwap.ResizeWebViewDuringCrossSiteProvisionalNavigation
Child process terminated with signal 11: Segmentation fault
Attachments
Crash log from reproduction. (271.89 KB, text/plain), 2023-03-23 17:20 PDT, Robert Jenner
Radar WebKit Bug Importer, Comment 1, 2023-03-23 17:18:02 PDT
<rdar://problem/107161569>
Robert Jenner, Comment 2, 2023-03-23 17:19:23 PDT
I was able to reproduce the crash at iOS 16 Release ToT running the test as follows:

run-api-tests --no-build --iOS-simulator TestWebKitAPI.ProcessSwap.ResizeWebViewDuringCrossSiteProvisionalNavigation

With said reproduction case I was able to get a little more information about the crash itself:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 WebKit 0x105b12658 unwrap + 0 (RawPtrTraits.h:44) [inlined]
1 WebKit 0x105b12658 operator-> + 0 (RefPtr.h:84) [inlined]
2 WebKit 0x105b12658 WebKit::RemoteScrollingCoordinatorProxy::viewSizeDidChange() + 0 (RemoteScrollingCoordinatorProxy.cpp:395)
3 WebKit 0x10593a694 WebKit::RemoteLayerTreeDrawingAreaProxy::sizeDidChange() + 40 (RemoteLayerTreeDrawingAreaProxy.mm:95)
4 WebKit 0x1059cafa4 WebKit::DrawingAreaProxy::setSize(WebCore::IntSize const&, WebCore::IntSize const&) + 108 (DrawingAreaProxy.cpp:76)
5 WebKit 0x105a4f958 WebKit::WebPageProxy::setDrawingArea(std::__1::unique_ptr<WebKit::DrawingAreaProxy, std::__1::default_delete<WebKit::DrawingAreaProxy>>&&) + 144 (WebPageProxy.cpp:1160)
6 WebKit 0x105a4f7ac WebKit::WebPageProxy::swapToProvisionalPage(std::__1::unique_ptr<WebKit::ProvisionalPageProxy, std::__1::default_delete<WebKit::ProvisionalPageProxy>>) + 376 (WebPageProxy.cpp:1003)
7 WebKit 0x105a5a904 WebKit::WebPageProxy::commitProvisionalPage(WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&) + 480 (WebPageProxy.cpp:3811)
8 WebKit 0x1059e0cf8 WebKit::ProvisionalPageProxy::didCommitLoadForFrame(WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&) + 560 (ProvisionalPageProxy.cpp:323)
9 WebKit 0x1059eb394 operator()<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData> + 52 (HandleMessage.h:136) [inlined]
10 WebKit 0x1059eb394 */HandleMessage.h:135:9), WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData> + 52 (type_traits:3924) [inlined]
11 WebKit 0x1059eb394 */HandleMessage.h:135:9), std::__1::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData>, 0UL, 1UL, 2UL, 3UL, 4UL, 5UL, 6UL, 7UL, 8UL, 9UL, 10UL, 11UL, 12UL, 13UL> + 92 (tuple:1536) [inlined]
12 WebKit 0x1059eb394 */HandleMessage.h:135:9), std::__1::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData> > + 92 (tuple:1545) [inlined]
13 WebKit 0x1059eb394 void IPC::callMemberFunction<WebKit::ProvisionalPageProxy, WebKit::ProvisionalPageProxy, void (WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&), std::__1::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData>>(WebKit::ProvisionalPageProxy*, void (WebKit::ProvisionalPageProxy::*)(WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&), std::__1::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData>&&) + 108 (HandleMessage.h:134)
14 WebKit 0x1059e2724 void IPC::handleMessage<Messages::WebPageProxy::DidCommitLoadForFrame, WebKit::ProvisionalPageProxy, WebKit::ProvisionalPageProxy, void (WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&)>(IPC::Connection&, IPC::Decoder&, WebKit::ProvisionalPageProxy*, void (WebKit::ProvisionalPageProxy::*)(WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&)) + 96 (HandleMessage.h:236)
15 WebKit 0x105e82db4 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 272 (MessageReceiverMap.cpp:129)
16 WebKit 0x105aa23ec WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 32 (WebProcessProxy.cpp:987)
17 WebKit 0x105e7e9fc IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder>>) + 312 (Connection.cpp:1245)
18 WebKit 0x105e7edcc IPC::Connection::dispatchIncomingMessages() + 456 (Connection.cpp:1355)
19 JavaScriptCore 0x109892458 operator() + 16 (Function.h:82) [inlined]
20 JavaScriptCore 0x109892458 WTF::RunLoop::performWork() + 168 (RunLoop.cpp:147)
21 JavaScriptCore 0x109892f68 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:46)
22 CoreFoundation 0x10f16d070 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
23 CoreFoundation 0x10f16cfb8 __CFRunLoopDoSource0 + 172
24 CoreFoundation 0x10f16c728 __CFRunLoopDoSources0 + 232
25 CoreFoundation 0x10f166e68 __CFRunLoopRun + 756
26 CoreFoundation 0x10f16675c CFRunLoopRunSpecific + 584
27 Foundation 0x11184400c -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 208
28 TestWebKitAPI 0x102e192c4 TestWebKitAPI::Util::run(bool*) + 88 (UtilitiesCocoa.mm:35)
29 TestWebKitAPI 0x102b5409c ProcessSwap_ResizeWebViewDuringCrossSiteProvisionalNavigation_Test::TestBody() + 740 (ProcessSwapOnNavigation.mm:7224)
30 TestWebKitAPI 0x102e59570 void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) + 100
31 TestWebKitAPI 0x102e594b4 testing::Test::Run() + 188
32 TestWebKitAPI 0x102e5a24c testing::TestInfo::Run() + 236
33 TestWebKitAPI 0x102e5aad4 testing::TestSuite::Run() + 304
34 TestWebKitAPI 0x102e65008 testing::internal::UnitTestImpl::RunAllTests() + 828
35 TestWebKitAPI 0x102e64ba8 bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) + 100
36 TestWebKitAPI 0x102e64b10 testing::UnitTest::Run() + 124
37 TestWebKitAPI 0x102926698 RUN_ALL_TESTS() + 16 (gtest.h:2471)
38 TestWebKitAPI 0x102926654 TestWebKitAPI::TestsController::run(int, char**) + 108 (TestsController.cpp:89)
39 TestWebKitAPI 0x102e3d2bc main + 220 (mainIOS.mm:56)
40 dyld_sim 0x1052bdfa0 start_sim + 20
41 dyld 0x1053bdf28 start + 2236

Full crash log attached to this bug.
Robert Jenner, Comment 3, 2023-03-23 17:20:08 PDT
Created attachment 465561
Crash log from reproduction.
Robert Jenner, Comment 4, 2023-03-23 17:30:53 PDT
I have bisected the regression point to 261977@main. I'm able to reproduce the crash at that commit, but not at 261976@main.

Starting on Nikos who introduced https://commits.webkit.org/261977@main that appears to have caused this crash.
Nikos Mouchtaris, Comment 5, 2023-03-23 18:35:04 PDT
Pull request: https://github.com/WebKit/WebKit/pull/11900
EWS, Comment 6, 2023-03-24 14:37:31 PDT
Committed 262099@main (b0a888801632): <https://commits.webkit.org/262099@main>

Reviewed commits have been landed. Closing PR #11900 and removing active labels.