RESOLVED FIXED 269322
Crash under ~RenderMenuList due to CheckedPtr usage
https://bugs.webkit.org/show_bug.cgi?id=269322
Chris Dumez
Reported 2024-02-13 14:32:13 PST
Crash under ~RenderMenuList due to CheckedPtr usage:
```
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 WebCore 0x1102c25d0 WTFCrashWithInfo(int, char const*, char const*, int) + 20
1 WebCore 0x11014882c WebCore::RenderLayerModelObject::~RenderLayerModelObject() + 604
2 WebCore 0x110280864 WebCore::RenderMenuList::~RenderMenuList() + 16
3 WebCore 0x1127bed30 WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) + 964
4 WebCore 0x1127c9c1c WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) + 344
5 WebCore 0x1127d7bc8 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) + 1460
6 WebCore 0x1127d8de8 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) + 84
7 WebCore 0x11198a924 WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) + 312
8 WebCore 0x111986530 WebCore::ContainerNode::removeChild(WebCore::Node&) + 552
9 WebCore 0x110bae9b0 WebCore::jsNodePrototypeFunction_removeChild(JSC::JSGlobalObject*, JSC::CallFrame*) + 504
```
Chris Dumez
Comment 1 2024-02-13 14:32:21 PST
Chris Dumez
Comment 2 2024-02-13 14:37:14 PST
EWS
Comment 3 2024-02-13 15:25:12 PST
Committed 274586@main (35318b4d5407): <https://commits.webkit.org/274586@main> Reviewed commits have been landed. Closing PR #24372 and removing active labels.