Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 63ac45d3bc31b8703a439422e2070ff5d7ec57c5
https://github.com/WebKit/WebKit/commit/63ac45d3bc31b8703a439422e2070ff5d7ec57c5
Author: Abrar Rahman Protyasha <[email protected]>
Date: 2026-05-21 (Thu, 21 May 2026)
Changed paths:
M Source/WebKit/UIProcess/mac/SwipeProgressTrackerMac.h
M Source/WebKit/UIProcess/mac/SwipeProgressTrackerMac.mm
Log Message:
-----------
REGRESSION(310189@main): Occasional UI process crash under DisplayLink
callbacks (SwipeProgressTracker can fail to deregister from DisplayLink)
https://bugs.webkit.org/show_bug.cgi?id=315317
rdar://177623797
Reviewed by Tim Horton.
Each DisplayLink::Client is responsible for removing its own entry from
the DisplayLinkCollection map before destruction. Otherwise, subsequent
CVDisplayLink callbacks will perform a UAF on these stale client objects.
SwipeProgressTracker::stopDisplayLinkObserver previously called
stopDisplayLink (keyed by display ID). Some code analysis suggests there
are two paths where we don't actually remove this client from the map:
1. The WebPageProxy weak ref deref'd to null.
2. The window crossed displays between start and end of the display link
observer. existingDisplayLinkForDisplay returns a different (or null)
DisplayLink, then.
In this patch, we take inspiration from WebProcessProxy, and cache the
WebProcessPool weakly at SwipeProgressTracker construction, so that
deregistration does not depend on WebPageProxy still being alive, and
switches stopDisplayLinkObserver to stopDisplayLinks instead, which
walks every DisplayLink and removes the client unconditionally.
No new tests, unfortunately, since the existing swipe testing helpers
bypass startAnimation, so never register a DisplayLink::Client. We
should write a follow-up patch that adds the necessary harness and a
regression test.
* Source/WebKit/UIProcess/mac/SwipeProgressTrackerMac.h:
* Source/WebKit/UIProcess/mac/SwipeProgressTrackerMac.mm:
(WebKit::SwipeProgressTracker::SwipeProgressTracker):
(WebKit::SwipeProgressTracker::stopDisplayLinkObserver):
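An added illustration of the failure mode the message describes, not WebKit's code: a minimal client map keyed by display ID, showing that keyed removal leaves a dangling entry when the display ID changed between start and stop, while walking every link removes it unconditionally. DisplayLinkCollection, DisplayLink, Client and the display IDs are hypothetical stand-ins for the WebKit types named above.

```cpp
// Added model of the deregistration bug described above; not WebKit code. The
// names below are hypothetical stand-ins for the WebKit types the message names.
#include <algorithm>
#include <cstddef>
#include <map>
#include <vector>
using DisplayID = unsigned;
struct Client { int id; };
// One link per display, holding non-owning pointers: a client must remove itself
// before destruction, or the next callback dereferences freed memory (the UAF).
struct DisplayLink {
    std::vector<Client*> clients;
    void removeClient(Client* c) {
        clients.erase(std::remove(clients.begin(), clients.end(), c), clients.end());
    }
};
struct DisplayLinkCollection {
    std::map<DisplayID, DisplayLink> links;
    DisplayLink* existingDisplayLinkForDisplay(DisplayID id) {
        auto it = links.find(id);
        return it == links.end() ? nullptr : &it->second;
    }
    void startDisplayLink(Client* c, DisplayID id) { links[id].clients.push_back(c); }
    // Keyed removal: a silent no-op when the ID no longer matches the link the
    // client registered with (the window crossed displays in between).
    void stopDisplayLink(Client* c, DisplayID id) {
        if (auto* link = existingDisplayLinkForDisplay(id)) link->removeClient(c);
    }
    // Unconditional removal, as in the fix: walk every link.
    void stopDisplayLinks(Client* c) {
        for (auto& entry : links) entry.second.removeClient(c);
    }
    // Dangling references a later callback would follow; must be 0 before c dies.
    std::size_t staleReferences(const Client* c) const {
        std::size_t n = 0;
        for (const auto& entry : links) {
            const auto& cl = entry.second.clients;
            n += static_cast<std::size_t>(std::count(cl.begin(), cl.end(), c));
        }
        return n;
    }
};
// Register on display 1, then stop while the window sits on display 2.
std::size_t staleAfter(bool walkAllLinks) {
    DisplayLinkCollection pool; Client c{1};
    pool.startDisplayLink(&c, 1);
    if (walkAllLinks) pool.stopDisplayLinks(&c);
    else pool.stopDisplayLink(&c, 2);   // no link for 2: the entry under 1 survives
    return pool.staleReferences(&c);
}
```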
Canonical link: https://commits.webkit.org/313698@main