[webkit-changes] [WebKit/WebKit] d7dc87: CrashTracer: Safari at com.apple.WebKit: WebKit::R...

Vitor Roriz noreply at github.com
Fri Jul 7 13:57:37 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d7dc87868c78621c97034a644084cdbe65c61f53
      https://github.com/WebKit/WebKit/commit/d7dc87868c78621c97034a644084cdbe65c61f53
  Author: Vitor Roriz <vitor.roriz at apple.com>
  Date:   2023-07-07 (Fri, 07 Jul 2023)

  Changed paths:
    M Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp

  Log Message:
  -----------
  CrashTracer: Safari at com.apple.WebKit: WebKit::RemoteLayerTreeDrawingAreaProxyMac::displayLink
https://bugs.webkit.org/show_bug.cgi?id=258976
rdar://111348720

Reviewed by Simon Fraser.

At WebPageProxy::resetState() we are setting the drawing area
to nullptr with WebPageProxyArea::setDrawingArea(nullptr).

setDrawingArea(...) will delete m_scrollingCordinatorProxy, whose destructor
is ~RemoteScrollingCoordinatorProxyMac(). This function will then try to
invalidate the wheel event dispatcher (m_wheelEventDispatcher->invalidate()). This is actually RemoteLayerTreeEventDispatcher::invalidate().

invalidate() calls stopDisplayLinkObserver() which needs to get a handle
of the associated displayLink for doing that.

RemoteLayerTreeEventDispatcher::displayLink() returns early
if there is no m_scrollingCordinator, but we are exactly in the process
of deleting it. It then continues and tries to get the displayLink from the drawingArea (RemoteLayerTreeDrawingAreaProxyMac::displayLink()),
which will crash if there is no m_displayID set to the area.

I'm not sure why, at this point, we don't have a m_displayID set to the
drawing area (it is set by windowScreenDidChange(id)). But, in any case,
I believe stopDisplayLinkObserver() should use existingDisplayLink()
instead of displayLink() because we shouldn't need to stop observers
for a non-existent displayLink.

Even better, in invalidate() we can replace stopDisplayLinkObserver() by
removeDisplayLinkClient(): Since we want to delete the displayLinkClient
at the end of invalidate() we can remove this client from the displayLink
map (removing all its observers in the process), which should happen
because the displayLinkClient is being deleted.

* Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeEventDispatcher.cpp:
(WebKit::RemoteLayerTreeEventDispatcher::invalidate):
(WebKit::RemoteLayerTreeEventDispatcher::stopDisplayLinkObserver):

Canonical link: https://commits.webkit.org/265862@main
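As an added illustration (not WebKit code; the class and function names below are a hypothetical model of the pattern the commit message describes), the two teardown strategies side by side: a creating accessor that fails when no display ID was ever set, versus a non-creating lookup plus removing the client from the map.

```cpp
#include <map>
#include <optional>
#include <set>
#include <stdexcept>

// Hypothetical model of a per-display "display link" registry.
using DisplayID = unsigned;
using ClientID = int;

struct DisplayLink {
    std::set<ClientID> observers;  // clients currently observing this link
};

class DisplayLinkMap {
public:
    // Creating accessor: models displayLink(), which requires a display ID.
    // A missing ID is modelled as an exception instead of a process crash.
    DisplayLink& displayLink(std::optional<DisplayID> id) {
        if (!id)
            throw std::logic_error("displayLink() called without a display ID");
        return m_links[*id];
    }
    // Non-creating accessor: models existingDisplayLink(); nullptr if absent.
    DisplayLink* existingDisplayLink(std::optional<DisplayID> id) {
        if (!id)
            return nullptr;
        auto it = m_links.find(*id);
        return it == m_links.end() ? nullptr : &it->second;
    }
    // Models removeDisplayLinkClient(): drop the client (and all of its
    // observers) from every display link without needing an ID up front.
    bool removeDisplayLinkClient(ClientID client) {
        bool removed = false;
        for (auto& [id, link] : m_links)
            removed |= link.observers.erase(client) > 0;
        return removed;
    }
private:
    std::map<DisplayID, DisplayLink> m_links;
};

// Teardown before the fix: fails when the proxy never received a display ID.
bool invalidateViaDisplayLink(DisplayLinkMap& map, std::optional<DisplayID> id, ClientID client) {
    try { map.displayLink(id).observers.erase(client); return true; }
    catch (const std::logic_error&) { return false; }
}

// Teardown as the commit describes: remove the client being destroyed from
// the map, which also clears its observers; no display ID lookup required.
bool invalidateViaRemoveClient(DisplayLinkMap& map, ClientID client) {
    map.removeDisplayLinkClient(client);
    return true;
}
```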
