Bug 311243

Summary: REGRESSION(309388@main): Crash in core DOM code due to malformed DOM tree
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: New BugsAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=311810

Ryosuke Niwa
Reported 2026-03-31 23:00:17 PDT
#0 0x0003007a8040 in WTFCrashWithInfo(int, char const*, char const*)+0x60 (WebCore:arm64e+0x7a8040) #1 0x00030925b798 in WebCore::TreeScopeOrderedMap::remove(WTF::AtomString const&, WebCore::Element&)+0x8d8 (WebCore:arm64e+0x925b798) #2 0x00030923d798 in WebCore::TreeScope::removeElementById(WTF::AtomString const&, WebCore::Element&, bool)+0x5c (WebCore:arm64e+0x923d798) #3 0x000308e6ccc8 in WebCore::Element::removingSteps(WebCore::Node::RemovalType, WebCore::ContainerNode&)+0xd2c (WebCore:arm64e+0x8e6ccc8) #4 0x000308b5f56c in WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)+0x104 (WebCore:arm64e+0x8b5f56c) #5 0x000308b2d1ac in WebCore::ContainerNode::removeChild(WebCore::Node&)+0xcc4 (WebCore:arm64e+0x8b2d1ac) #6 0x000308b2af04 in WebCore::ContainerNode::removeSelfOrChildNodesForInsertion(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node>>, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)+0x13d8 (WebCore:arm64e+0x8b2af04) #7 0x000308b32b88 in WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)+0x19c (WebCore:arm64e+0x8b32b88) #8 0x000308b41890 in WebCore::ContainerNode::appendChild(WebCore::Node&)+0x168 (WebCore:arm64e+0x8b41890) #9 0x0003090736f0 in WebCore::Node::appendChild(WebCore::Node&)+0x120 (WebCore:arm64e+0x90736f0) #10 0x000303892b4c in WebCore::jsNodePrototypeFunction_appendChild(JSC::JSGlobalObject*, JSC::CallFrame*)+0x588 (WebCore:arm64e+0x3892b4c) <rdar://173397633>
Attachments
Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2026-03-31 23:36:32 PDT
Pull request: https://github.com/WebKit/WebKit/pull/61811
EWS
Comment 2 2026-04-06 13:37:54 PDT
Committed 310666@main (18f7c49e6bdb): <https://commits.webkit.org/310666@main> Reviewed commits have been landed. Closing PR #61811 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.