Today I hit four crashes within two minutes when browsing github.com with 2.36.3. It's a null pointer dereference: (gdb) bt #0 WebCore::ContainerNode::firstChild() const (this=0x0) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/ContainerNode.h:43 #1 WebCore::RenderFileUploadControl::uploadButton() const (this=<optimized out>) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/RenderFileUploadControl.cpp:246 #2 0x00007f37cc758304 in WebCore::RenderFileUploadControl::updateFromElement() (this=0x7f37401dac80) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/RenderFileUploadControl.cpp:78 #3 0x00007f37cbf50206 in WebCore::HTMLInputElement::didAttachRenderers() (this=0x7f36b825b020) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/html/HTMLInputElement.cpp:875 #4 0x00007f37cc97b947 in WebCore::RenderTreeUpdater::popParent() (this=0x7ffc02234600) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:237 #5 0x00007f37cc97c778 in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int) (depth=<optimized out>, this=<optimized out>) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:250 #6 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (this=0x7ffc02234600, root=<optimized out>) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:158 #7 0x00007f37cc97cf1b in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) (Python Exception <class 'gdb.error'>: Request for member '_M_head_impl' is ambiguous in type 'std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> >'. Candidates are: 'std::default_delete<WebCore::Style::Update const> std::_Head_base<1, std::default_delete<WebCore::Style::Update const>, true>::_M_head_impl' (std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<0, WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<1, std::default_delete<WebCore::Style::Update const> > -> std::_Head_base<1, std::default_delete<WebCore::Style::Update const>, true>) '<unnamed type> std::_Head_base<0, WebCore::Style::Update const*, false>::_M_head_impl' (std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<0, WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Head_base<0, WebCore::Style::Update const*, false>) this=0x7ffc02234600, styleUpdate=...) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:125 #8 0x00007f37cbccde2c in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) (this=this@entry=Python Exception <class 'gdb.error'>: Request for member '_M_head_impl' is ambiguous in type 'std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> >'. Candidates are: 'std::default_delete<WebCore::Style::Update const> std::_Head_base<1, std::default_delete<WebCore::Style::Update const>, true>::_M_head_impl' (std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<0, WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<1, std::default_delete<WebCore::Style::Update const> > -> std::_Head_base<1, std::default_delete<WebCore::Style::Update const>, true>) '<unnamed type> std::_Head_base<0, WebCore::Style::Update const*, false>::_M_head_impl' (std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<0, WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Head_base<0, WebCore::Style::Update const*, false>) 0x7f37c1eadcb0, styleUpdate=...) at /usr/include/c++/11.2.0/bits/unique_ptr.h:172 #9 0x00007f37cbce78cd in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (this=this@entry=0x7f37c1eadcb0, type=<optimized out>, type@entry=WebCore::Document::ResolveStyleType::Normal) at /usr/include/c++/11.2.0/bits/move.h:77 #10 0x00007f37cbce7f1f in WebCore::Document::updateStyleIfNeeded() (this=0x7f37c1eadcb0) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/Document.cpp:2182 #11 0x00007f37cbce921e in WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WebCore::DimensionsCheck) (this=0x7f37c1eadcb0, element=..., dimensionsCheck=dimensionsCheck@entry=WebCore::HeightDimensionsCheck) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/Document.cpp:2287 #12 0x00007f37cbd0b853 in WebCore::Element::offsetHeight() (this=0x7f36785a6d00) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/Element.cpp:1302 #13 0x00007f37cb15c511 in WebCore::jsHTMLElement_offsetHeightGetter (thisObject=<optimized out>, lexicalGlobalObject=<optimized out>) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/_builddir/WebCore/DerivedSources/JSHTMLElement.cpp:4157 #14 WebCore::IDLAttribute<WebCore::JSHTMLElement>::get<WebCore::jsHTMLElement_offsetHeightGetter, (WebCore::CastedThisErrorBehavior)3> (attributeName=..., thisValue=<optimized out>, lexicalGlobalObject=<optimized out>) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/bindings/js/JSDOMAttribute.h:88 #15 WebCore::jsHTMLElement_offsetHeight(JSC::JSGlobalObject*, JSC::EncodedJSValue, JSC::PropertyName) (lexicalGlobalObject=<optimized out>, thisValue=<optimized out>, attributeName=...) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/_builddir/WebCore/DerivedSources/JSHTMLElement.cpp:4162 #16 0x00007f37c919f715 in JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const (this=this@entry=0x7ffc02234e10, vm=<optimized out>, propertyName=..., propertyName@entry=...) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/runtime/PropertySlot.cpp:47 #17 0x00007f37c8de06f3 in JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const (propertyName=..., globalObject=0x7f37c1525068, this=0x7ffc02234e10) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/runtime/PropertySlot.h:408 #18 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const (slot=..., propertyName=..., globalObject=<optimized out>, this=0x7ffc02234dc8) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1021 #19 JSC::LLInt::performLLIntGetByID(JSC::Instruction const*, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&) (pc=0x7f361820db05, codeBlock=0x7f35c8eac400, globalObject=<optimized out>, baseValue=..., ident=..., metadata=...) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:814 #20 0x00007f37c8de11d9 in JSC::LLInt::llint_slow_path_get_by_id(JSC::CallFrame*, JSC::Instruction const*) (callFrame=0x7ffc02235090, pc=0x7f361820db05) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:888 #21 0x00007f37c82deb4d in llint_op_get_by_id () at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:102 #22 0x0000000000000000 in ()