Bug 305494

Summary: Crash in Node::invalidateNodeListAndCollectionCachesInAncestors via ContainerNode::removeAllChildrenWithScriptAssertion
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: New BugsAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal Keywords: InRadar
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Ryosuke Niwa
Reported 2026-01-14 11:43:15 PST
e.g. #0 0x0003007252b4 in WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int, bool, (WTF::CheckedPtrDeleteCheckException)0>::crashDueToCheckedPtrToDeadObject()+0x10 (WebCore:arm64e+0x7252b4) #1 0x0003094917a4 in WebCore::CachedHTMLCollection<WebCore::HTMLOptionsCollection, (WebCore::CollectionTraversalType)0>::invalidateCacheForDocument(WebCore::Document&)+0x458 (WebCore:arm64e+0x94917a4) #2 0x0003089b9f1c in WebCore::Node::invalidateNodeListAndCollectionCachesInAncestors()+0x888 (WebCore:arm64e+0x89b9f1c) #3 0x0003084c6384 in WebCore::ContainerNode::childrenChanged(WebCore::ContainerNode::ChildChange const&)+0x228 (WebCore:arm64e+0x84c6384) #4 0x0003087d93f8 in WebCore::Element::childrenChanged(WebCore::ContainerNode::ChildChange const&)+0x44 (WebCore:arm64e+0x87d93f8) #5 0x0003094c1978 in WebCore::HTMLSelectElement::childrenChanged(WebCore::ContainerNode::ChildChange const&)+0xa8 (WebCore:arm64e+0x94c1978) #6 0x0003084bd264 in WebCore::ContainerNode::replaceAll(WebCore::Node*)+0x2274 (WebCore:arm64e+0x84bd264) #7 0x0003084c1c6c in WebCore::ContainerNode::stringReplaceAll(WTF::String&&)+0x1b4 (WebCore:arm64e+0x84c1c6c) #8 0x0003091f4cf0 in WebCore::HTMLElement::setInnerText(WTF::String&&)+0x1e4 (WebCore:arm64e+0x91f4cf0) #9 0x000302ccbe70 in WebCore::setJSHTMLElement_innerTextSetter(JSC::JSGlobalObject&, WebCore::JSHTMLElement&, JSC::JSValue)+0x3c8 (WebCore:arm64e+0x2ccbe70)
Attachments
Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2026-01-14 11:43:37 PST
<rdar://167370309>
Ryosuke Niwa
Comment 2 2026-01-14 13:15:59 PST
Pull request: https://github.com/WebKit/WebKit/pull/56585
EWS
Comment 3 2026-01-15 09:58:32 PST
Committed 305651@main (a9934374583d): <https://commits.webkit.org/305651@main> Reviewed commits have been landed. Closing PR #56585 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.