Bug 309781

Summary: WebCoreTestSupport::resetInternalsObject() crashes when Document::frame() returns nullptr
Product: WebKit
Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: Tools / Tests
Assignee: David Kilzer (:ddkilzer) <ddkilzer>
Status: RESOLVED FIXED
Severity: Normal
CC: jbedard, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

David Kilzer (:ddkilzer)
Reported 2026-03-12 05:04:30 PDT
`WebCoreTestSupport::resetInternalsObject()` calls `document->frame()->page()` without checking whether `frame()` returns nullptr. `Document` should always have a valid `Page` during `resetInternalsObject()` teardown. If it does not, `Document` is in an unexpected state that should be caught explicitly rather than by crashing with an uninformative nullptr dereference. The current code also bypasses the safe accessor `Document::page()` (in `DocumentPage.h`) by calling `frame()` and `page()` as separate chained operations. <rdar://63019644>
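Added illustration, not WebKit's code: minimal stand-ins for `Document`, `Frame` and `Page` that show the chained `frame()->page()` dereference on a detached document beside a version that goes through a null-checking `page()` accessor and reports the unexpected state instead of crashing. `resetInternalsUnchecked`, `resetInternalsChecked`, `detachFromFrame` and the helper functions are hypothetical names chosen for this example.

```cpp
#include <string>

// Hypothetical stand-ins for WebKit's Page, Frame and Document (not WebKit code).
struct Page { int id; };
struct Frame {
    Page* m_page;
    Page* page() const { return m_page; }
};

class Document {
public:
    explicit Document(Frame* frame) : m_frame(frame) {}
    // Detaching the document from its frame is what leaves frame() null during teardown.
    void detachFromFrame() { m_frame = nullptr; }
    Frame* frame() const { return m_frame; }
    // Safe accessor, modelled on Document::page(): null-checks the frame first.
    Page* page() const { return m_frame ? m_frame->page() : nullptr; }
private:
    Frame* m_frame;
};

// Before: the chained call dereferences a null Frame* when the document is detached
// (undefined behaviour; in practice a segfault with no useful diagnostic).
Page* resetInternalsUnchecked(Document& document)
{
    return document.frame()->page();
}

// After: use the safe accessor and make the unexpected state explicit and reportable.
bool resetInternalsChecked(Document& document, std::string& diagnostic)
{
    Page* page = document.page();
    if (!page) {
        diagnostic = "resetInternals: Document has no Page (frame already detached?)";
        return false;
    }
    diagnostic.clear();
    // Per-Page test state would be reset here.
    return true;
}

// Scenario helpers: attached document resets cleanly; detached document is reported, not crashed on.
bool checkedResetSucceedsWhenAttached()
{
    Page page { 1 };
    Frame frame { &page };
    Document document(&frame);
    std::string diagnostic;
    return resetInternalsUnchecked(document) == &page
        && resetInternalsChecked(document, diagnostic) && diagnostic.empty();
}

bool checkedResetReportsDetachedDocument()
{
    Page page { 2 };
    Frame frame { &page };
    Document document(&frame);
    document.detachFromFrame();
    std::string diagnostic;
    // resetInternalsUnchecked(document) would dereference nullptr here.
    return document.page() == nullptr
        && !resetInternalsChecked(document, diagnostic) && !diagnostic.empty();
}
```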
David Kilzer (:ddkilzer)
Comment 1 2026-03-12 05:21:13 PDT
Alexey Proskuryakov
Comment 2 2026-03-12 08:24:09 PDT
Is this the same as bug 221304?
EWS
Comment 3 2026-03-12 13:10:39 PDT
Committed 309158@main (5aee90b4e66e): <https://commits.webkit.org/309158@main> Reviewed commits have been landed. Closing PR #60451 and removing active labels.
David Kilzer (:ddkilzer)
Comment 4 2026-03-12 19:56:39 PDT
*** Bug 221304 has been marked as a duplicate of this bug. ***
David Kilzer (:ddkilzer)
Comment 5 2026-03-12 19:57:30 PDT
(In reply to Alexey Proskuryakov from comment #2)
> Is this the same as bug 221304?

Yes