Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9861733b659d85270bcecdf43e5544a104dfc07e
      https://github.com/WebKit/WebKit/commit/9861733b659d85270bcecdf43e5544a104dfc07e
  Author: Nikolaos Mouchtaris <nmouchta...@apple.com>
  Date:   2025-08-16 (Sat, 16 Aug 2025)

  Changed paths:
    M Source/WebCore/page/scrolling/mac/ScrollerMac.h
    M Source/WebCore/page/scrolling/mac/ScrollerMac.mm
    M Source/WebCore/page/scrolling/mac/ScrollerPairMac.h
    M Source/WebCore/page/scrolling/mac/ScrollerPairMac.mm

  Log Message:
  -----------
  Safari use-after-free crash at com.apple.AppKit:  -[NSScrollerImp knobLayer]
https://bugs.webkit.org/show_bug.cgi?id=293144
rdar://148851492

Reviewed by Simon Fraser.

The stack trace in rdar://148851492 makes this look like the scroller imp being
used on the scrolling thread is being destructed in the main thread, so add a
lock around the scroller imp to prevent this from happening.

Combined changes:
* Source/WebCore/page/scrolling/mac/ScrollerMac.h:
* Source/WebCore/page/scrolling/mac/ScrollerMac.mm:
(-[WebScrollbarPartAnimationMac setCurrentProgress:]):
(-[WebScrollerImpDelegateMac mouseLocationInScrollerForScrollerImp:]):
(-[WebScrollerImpDelegateMac setUpAlphaAnimation:featureToAnimate:animateAlphaTo:duration:]):
(-[WebScrollerImpDelegateMac scrollerImp:animateKnobAlphaTo:duration:]):
(-[WebScrollerImpDelegateMac scrollerImp:animateTrackAlphaTo:duration:]):
(-[WebScrollerImpDelegateMac scrollerImp:animateUIStateTransitionWithDuration:]):
(-[WebScrollerImpDelegateMac scrollerImp:animateExpansionTransitionWithDuration:]):
(WebCore::ScrollerMac::attach):
(WebCore::ScrollerMac::detach):
(WebCore::ScrollerMac::setHostLayer):
(WebCore::ScrollerMac::setHiddenByStyle):
(WebCore::ScrollerMac::updateValues):
(WebCore::ScrollerMac::updateScrollbarStyle):
(WebCore::ScrollerMac::setScrollerImp):
(WebCore::ScrollerMac::setScrollbarLayoutDirection):
(WebCore::ScrollerMac::setNeedsDisplay):
(WebCore::ScrollerMac::takeScrollerImp):
(WebCore::ScrollerMac::setUsePresentationValue):
(WebCore::ScrollerMac::updateProgress):
(WebCore::ScrollerMac::isScroller):
(WebCore::ScrollerMac::knobAlpha):
(WebCore::ScrollerMac::trackAlpha):
(WebCore::ScrollerMac::hasScrollerImp):
(WebCore::ScrollerMac::scrollbarState const):
* Source/WebCore/page/scrolling/mac/ScrollerPairMac.h:
(WebCore::ScrollerPairMac::scrollerImpHorizontal): Deleted.
(WebCore::ScrollerPairMac::scrollerImpVertical): Deleted.
* Source/WebCore/page/scrolling/mac/ScrollerPairMac.mm:
(-[WebScrollerImpPairDelegateMac scrollerImpPair:convertContentPoint:toScrollerImp:]):
(WebCore::ScrollerPairMac::setUsePresentationValues):
(WebCore::ScrollerPairMac::setHorizontalScrollbarPresentationValue):
(WebCore::ScrollerPairMac::setVerticalScrollbarPresentationValue):
(WebCore::ScrollerPairMac::hasScrollerImp):

Originally-landed-as: 289651.583@safari-7621-branch (e2f4cdc8895f). rdar://157789309
Canonical link: https://commits.webkit.org/298807@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
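
The locking discipline the log message describes, as an added C++ example that is not WebKit's code and not part of the commit: `ScrollerImp` and `GuardedScroller` are hypothetical stand-ins, the method names are borrowed from the changed-function list above, and their bodies are assumptions. One thread reads through the lock while another unlinks and destroys the object, and no accessor hands out the raw pointer.

```cpp
// Added illustration: ScrollerImp and GuardedScroller are hypothetical stand-ins,
// not WebKit or AppKit types. Build with thread support (e.g. -pthread).
#include <memory>
#include <mutex>
#include <thread>
#include <utility>

struct ScrollerImp { double knobAlpha = 1.0; }; // object shared across threads

class GuardedScroller {
public:
    // Owner thread: install or replace the imp with the lock held.
    void setScrollerImp(std::unique_ptr<ScrollerImp> imp)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        m_imp = std::move(imp);
    }
    // Owner thread: unlink the imp with the lock held, so a reader is either
    // finished with it or has not started; the caller then destroys it.
    std::unique_ptr<ScrollerImp> takeScrollerImp()
    {
        std::lock_guard<std::mutex> locker(m_lock);
        return std::move(m_imp);
    }
    // Reader thread: copy the value out under the lock. There is deliberately
    // no accessor returning ScrollerImp*, which would outlive the lock.
    bool knobAlpha(double& out)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        if (!m_imp)
            return false;
        out = m_imp->knobAlpha;
        return true;
    }
private:
    std::mutex m_lock;
    std::unique_ptr<ScrollerImp> m_imp; // only touched with m_lock held
};

// A reader thread races with teardown; returns how many reads saw a live imp.
int raceReadAgainstDetach(int reads)
{
    GuardedScroller scroller;
    scroller.setScrollerImp(std::make_unique<ScrollerImp>());
    int live = 0;
    std::thread reader([&] { double a; for (int i = 0; i < reads; ++i) live += scroller.knobAlpha(a); });
    scroller.takeScrollerImp().reset(); // imp destroyed on this thread
    reader.join();
    return live;
}
```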
