Bug 303917

Summary:	REGRESSION (iOS 26.1): Frequent UI process crashes in WebCore::ElementContext::isSameElement under WKSelectPicker
Product:	WebKit	Reporter:	fedegermi
Component:	Forms	Assignee:	Wenson Hsieh <wenson_hsieh>
Status:	RESOLVED FIXED
Severity:	Major	CC:	akeerthi, cdumez, fedegermi, rhythmkay, thorton, webkit-bug-importer, wenson_hsieh
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	iPhone / iPad
OS:	iOS 26

fedegermi

Reported 2025-12-10 05:16:19 PST

We started receiving a lot of these crashes on version 26.1 (and it's still happening on version 26.2). We don't have repro steps for this crash. We noticed a change that landed ~3 months ago in that area of code that may be causing the crash: https://github.com/WebKit/WebKit/commit/02f7a612039f3c91d767af54ee0212db38436c19 The crashes we're receiving have the following Stack trace: (WebKit + 0x00656a90) WebCore::ElementContext::isSameElement(WebCore::ElementContext const&) const (WebKit + 0x0096d9dc) __74-[WKSelectPicker contextMenuInteraction:willEndForConfiguration:animator:]_block_invoke (UIKitCore + 0x0034f930) -[_UIContextMenuAnimator performAllCompletions] (UIKitCore + 0x007f26b0) block_destroy_helper.72 (UIKitCore + 0x007f41f4) objectdestroy.36Tm (UIKitCore + 0x007a7d78) objectdestroy.3Tm (UIKitCore + 0x005be1b8) __swift_memcpy192_8 (UIKitCore + 0x00021910) block_copy_helper.374 (UIKitCore + 0x001dc844) -[_UIGroupCompletion _performAllCompletions] (UIKitCore + 0x0035d888) -[_UIGravityWellEffectBody .cxx_destruct] (UIKitCore + 0x00215694) -[UIScrollView _contentLayoutGuideIfExists] (UIKitCore + 0x000949ec) NSStringFromUIEdgeInsets (UIKitCore + 0x00094950) NSStringFromUIEdgeInsets (UIKitCore + 0x0008fbb4) __UIVIEW_IS_EXECUTING_ANIMATION_COMPLETION_BLOCK__ (UIKitCore + 0x0198bd64) -[UIViewAnimationBlockDelegate _sendDeferredCompletion:] (libdispatch.dylib + 0x00001ad8) _dispatch_call_block_and_release (libdispatch.dylib + 0x0001b7e8) _dispatch_client_callout (libdispatch.dylib + 0x00038b20) _dispatch_main_queue_drain.cold.5 (libdispatch.dylib + 0x00010ec4) _dispatch_main_queue_drain (libdispatch.dylib + 0x00010e00) _dispatch_main_queue_callback_4CF (CoreFoundation + 0x0006a2c4) __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ (CoreFoundation + 0x0001db38) __CFRunLoopRun (CoreFoundation + 0x0001ca68) _CFRunLoopRunSpecificWithOptions (GraphicsServices + 0x00001494) GSEventRunModal (UIKitCore + 0x0009e4b4) -[UIApplication _run] (UIKitCore + 0x00046b8c) UIApplicationMain Please let us know if you need additional information.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-12-10 12:48:06 PST

<rdar://problem/166246076>

Alexey Proskuryakov

Comment 2 2025-12-10 12:52:07 PST

<rdar://problem/163148093>

Wenson Hsieh

Comment 3 2025-12-11 11:29:43 PST

Pull request: https://github.com/WebKit/WebKit/pull/55260

EWS

Comment 4 2025-12-11 14:21:21 PST

Committed 304320@main (41b65165bb54): <https://commits.webkit.org/304320@main> Reviewed commits have been landed. Closing PR #55260 and removing active labels.

fedegermi

Comment 5 2025-12-30 08:17:53 PST

Thanks for taking a look. We're still collecting crashes on iOS 26.3 (26.3.0 23D5089e), so it's possible this issue is not completely fixed. Please let us know if you need additional details.

Alexey Proskuryakov

Comment 6 2026-01-14 11:22:12 PST

Thank you for the followup. Yes, this fix is not in any released or beta versions yet.

Alexey Proskuryakov

Comment 7 2026-01-14 11:23:40 PST

*** Bug 305457 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.