Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a926a679cffa70eddd05e6eedaed7347c3066665
      
https://github.com/WebKit/WebKit/commit/a926a679cffa70eddd05e6eedaed7347c3066665
  Author: David Kilzer <[email protected]>
  Date:   2026-05-28 (Thu, 28 May 2026)

  Changed paths:
    M Source/WebCore/page/scrolling/mac/ScrollerMac.h
    M Source/WebCore/page/scrolling/mac/ScrollerMac.mm
    M Source/WebCore/page/scrolling/mac/ScrollerPairMac.h
    M Source/WebCore/page/scrolling/mac/ScrollerPairMac.mm
    M Source/WebCore/page/scrolling/mac/ScrollingTreeScrollingNodeDelegateMac.mm

  Log Message:
  -----------
  Crash in -[WebScrollbarPartAnimationMac setCurrentProgress:]
<https://bugs.webkit.org/show_bug.cgi?id=310238>
<rdar://162407650>

Reviewed by Chris Dumez.

A cross-thread crash occurs in
`-[WebScrollbarPartAnimationMac setCurrentProgress:]` on the
"WebCore: Scrolling" thread when an in-flight `NSAnimation`
display-link callback accesses a `ScrollerMac` object that has
already been destroyed on the main thread by the
`ScrollerPairMac` destructor.

Make `ScrollerMac` thread-safe ref-counted to fix the crash.  This allows
`WebScrollbarPartAnimationMac` and `WebScrollerImpDelegateMac` to
hold `ThreadSafeWeakPtr<ScrollerMac>` instead of `CheckedPtr<ScrollerMac>`.
Use `WTF::DestructionThread::Main` to ensure `ScrollerMac` is always
destroyed on the main thread, and remove the now-unnecessary
`takeScrollerImp()` captures from `~ScrollerPairMac()`'s
`ensureOnMainThread` block.

Add null guards for `m_pair` in `lastKnownMousePositionInScrollbar()`,
`visibilityChanged()`, and `updateMinimumKnobLength()` since a
`RefPtr` from an in-flight callback can briefly keep `ScrollerMac`
alive after `ScrollerPairMac` drops its `Ref`.

Covered by existing scrollbar tests.

* Source/WebCore/page/scrolling/mac/ScrollerMac.h:
(WebCore::ScrollerMac): Use `WTF::DestructionThread::Main`.
(WebCore::ScrollerMac::create): Add.
* Source/WebCore/page/scrolling/mac/ScrollerMac.mm:
(WebCore::ScrollerMac::~ScrollerMac):
- Add `ASSERT(isMainThread())`.
(-[WebScrollbarPartAnimationMac startAnimation]):
(-[WebScrollbarPartAnimationMac setCurrentProgress:]):
(-[WebScrollerImpDelegateMac mouseLocationInScrollerForScrollerImp:]):
(-[WebScrollerImpDelegateMac effectiveAppearanceForScrollerImp:]):
(-[WebScrollerImpDelegateMac setUpAlphaAnimation:featureToAnimate:animateAlphaTo:duration:]):
(-[WebScrollerImpDelegateMac scrollerImp:animateKnobAlphaTo:duration:]):
(-[WebScrollerImpDelegateMac scrollerImp:animateTrackAlphaTo:duration:]):
(-[WebScrollerImpDelegateMac scrollerImp:animateUIStateTransitionWithDuration:]):
(-[WebScrollerImpDelegateMac scrollerImp:animateExpansionTransitionWithDuration:]):
(-[WebScrollerImpDelegateMac invalidate]):
(WebCore::ScrollerMac::create): Add.
(WebCore::ScrollerMac::lastKnownMousePositionInScrollbar const):
(WebCore::ScrollerMac::visibilityChanged):
(WebCore::ScrollerMac::updateMinimumKnobLength):
* Source/WebCore/page/scrolling/mac/ScrollerPairMac.h:
* Source/WebCore/page/scrolling/mac/ScrollerPairMac.mm:
(-[WebScrollerImpPairDelegateMac scrollerImpPair:convertContentPoint:toScrollerImp:]):
- Hold `ScrollerMac` as `Ref<ScrollerMac>` per SaferCPP guidelines.
(WebCore::ScrollerPairMac::~ScrollerPairMac):
- Simplify `ensureOnMainThread` block to only capture `m_scrollerImpPair`.
(WebCore::ScrollerPairMac::ScrollerPairMac):
* Source/WebCore/page/scrolling/mac/ScrollingTreeScrollingNodeDelegateMac.mm:
(WebCore::ScrollingTreeScrollingNodeDelegateMac::updateFromStateNode):

Originally-landed-as: 305413.553@rapid/safari-7624.2.5.110-branch (6ef1f5a9c30e). rdar://176061766
Canonical link: https://commits.webkit.org/314087@main
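
The lifetime pattern described in the log message above, as an added C++ example that is not WebKit code: a callback upgrades a weak pointer before touching the scroller, and the scroller guards its back-pointer because it can briefly outlive its owner. `std::shared_ptr`/`std::weak_ptr` stand in for WTF's thread-safe ref-counting and `ThreadSafeWeakPtr`; `Pair`, `Scroller`, `Animation`, `replay` and the weak back-pointer are hypothetical, and the interleavings are replayed on one thread so the results are deterministic.

```cpp
#include <memory>

// Hypothetical stand-ins: Pair ~ ScrollerPairMac, Scroller ~ ScrollerMac,
// Animation ~ the animation callback object. std::shared_ptr / std::weak_ptr
// stand in for WTF's thread-safe ref-counting and ThreadSafeWeakPtr.
struct Pair;

struct Scroller {
    std::weak_ptr<Pair> pair;       // assumption: back-pointer modelled as weak
    int minimumKnobLength() const;  // null-guarded, defined below
};

struct Pair {
    int knobLength = 12;                 // constructed sample value
    std::shared_ptr<Scroller> scroller;  // the owner's strong reference
};

int Scroller::minimumKnobLength() const {
    auto owner = pair.lock();
    return owner ? owner->knobLength : -1;  // -1: owner already destroyed
}

struct Animation {
    std::weak_ptr<Scroller> scroller;  // weak: does not extend lifetime by itself
    // One animation tick; -2 means the scroller is gone and the tick is skipped.
    int setCurrentProgress() const {
        auto strong = scroller.lock();  // atomic upgrade to a strong ref, or null
        return strong ? strong->minimumKnobLength() : -2;
    }
};

// Replays one interleaving on a single thread so the result is deterministic.
int replay(bool ownerDestroyed, bool callbackHoldsRef) {
    auto pair = std::make_shared<Pair>();
    pair->scroller = std::make_shared<Scroller>();
    pair->scroller->pair = pair;
    Animation animation{pair->scroller};
    std::shared_ptr<Scroller> inFlight;  // an in-flight callback's strong ref
    if (callbackHoldsRef)
        inFlight = pair->scroller;
    if (ownerDestroyed)
        pair.reset();
    return animation.setCurrentProgress();
}
```

`replay(true, false)` is the tick that arrives after teardown and is skipped; `replay(true, true)` is the case the added null guards cover, where the scroller is still alive but its pair is not.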


