Bug 304084

Summary:	[css-grid-3] Clear m_itemOffsets in initializeMasonry to fix crash with stale WeakRef keys
Product:	WebKit	Reporter:	Brandon <brandonstewart>
Component:	CSS	Assignee:	Brandon <brandonstewart>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	koivisto, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	Other
Hardware:	Unspecified
OS:	Unspecified

Brandon

Reported 2025-12-12 12:26:07 PST

The m_itemOffsets HashMap uses SingleThreadWeakRef<const RenderBox> as keys. When RenderBox objects are destroyed between masonry layout phases, the WeakRef keys become stale (null pointers). When inserting a new item via set(), the HashMap comparison logic may compare against these stale entries, triggering an assertion failure in WeakRef::ptr(). Fix by clearing m_itemOffsets at the start of each masonry placement run, along with the other state variables that are already being reset.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-12-12 12:26:14 PST

<rdar://problem/166404830>

Brandon

Comment 2 2025-12-12 12:27:45 PST

Pull request: https://github.com/WebKit/WebKit/pull/55326

EWS

Comment 3 2025-12-12 15:20:09 PST

Committed 304384@main (19b49e75dba6): <https://commits.webkit.org/304384@main> Reviewed commits have been landed. Closing PR #55326 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.