[webkit-changes] [WebKit/WebKit] 3147f5: Crash in MomentumEventDispatcher::displayDidRefresh()

[Simon Fraser]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 3147f52e6d8d6c9b1ee8039f2541bf38a113eb5a
      https://github.com/WebKit/WebKit/commit/3147f52e6d8d6c9b1ee8039f2541bf38a113eb5a
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2023-04-24 (Mon, 24 Apr 2023)

  Changed paths:
    M Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp

  Log Message:
  -----------
  Crash in MomentumEventDispatcher::displayDidRefresh()
https://bugs.webkit.org/show_bug.cgi?id=255831
rdar://108105416

Reviewed by Tim Horton.

The fix done in 261404 at main isn't quite right; it's possible to enter RemoteLayerTreeEventDispatcher::didRefreshDisplay()
after m_momentumEventDispatcher has been nulled out, because we cleared the m_momentumEventDispatcher before calling
stopDisplayLinkObserver().

Rather than adding a lock to use around accesses to m_momentumEventDispatcher and adding null checks, fix the
teardown order to ensure that m_momentumEventDispatcher is always non-null in the scrolling thread
code. We have to take care to consider the dispatch between the thread that `displayLinkFired()` is called
on (the CVDisplayLink thread), and the scrolling thread.

To do this, first invalidate the RemoteLayerTreeEventDispatcherDisplayLinkClient. This ensures that
if `displayLinkFired()` is called, it will early return. Then stop the display link observer.
Then we can null out the m_momentumEventDispatcher, adding a check in RemoteLayerTreeEventDispatcher::stopDisplayDidRefreshCallbacks()
to ensure that this never tries to re-start the display link. Finally we can null out the m_displayLinkClient.

* Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:
(WebKit::RemoteLayerTreeEventDispatcher::invalidate):
(WebKit::RemoteLayerTreeEventDispatcher::stopDisplayDidRefreshCallbacks):

Canonical link: https://commits.webkit.org/263321@main