Created attachment 474813 [details] crashreport

Created attachment 474814 [details] Crash log I can confirm this issue: - Eclipse 2024-12 (4.34) or 2024-06 (4.32) - OpenJDK 64-Bit Server VM Temurin-21.0.6+7 - macOS 15.4 Sequoia (not crashing on Sonoma 14.7.4) - WebKit 20621.1.15.11.10 - Mac Mini M4

Steps to reproduce are in: https://github.com/eclipse-platform/eclipse.platform.swt/issues/1978#issuecomment-2772065032 https://github.com/eclipse-platform/eclipse.platform.swt/issues/1978#issuecomment-2772210044

*** Bug 290984 has been marked as a duplicate of this bug. ***

<rdar://problem/148564650>

Pull request: https://github.com/apple/WebKit/pull/2963

Was there a background update that fixed this? The crash was still happening after the macOS 15.4.1 release last week, but today I can no longer reproduce the crash however hard I try.

Created attachment 475206 [details] Crash log in macOS 15.5 Apparently this is fixed in macOS 15.5. See https://nvd.nist.gov/vuln/detail/CVE-2025-31257 See https://support.apple.com/en-us/122716 However, the crash can still occur in Eclipse if an app's .plist file contains this: <key>WebKitCacheModelPreferenceKey</key> <integer>1</integer> See https://github.com/eclipse-platform/eclipse.platform.swt/issues/1978#issuecomment-2873766402 Crash log attached.

I see it's crashing in WebCore::BackForwardCache::markPagesForContentsSizeChanged both before and after the fix. :(

The fix was landed in https://commits.webkit.org/289651.396@safari-7621-branch. Sounds like the fix maybe didn't work. Following-up with folks.

I haven't been able to reproduce this yet. The code change associated with this bug was a speculative fix for a potential use-after-free that seemed like it could have caused a crash matching this stack trace. If the crash still occurs in macOS 15.5, then apparently that isn’t the case.

In the case of the crash in Eclipse when it uses WebKit to render, the crash occurs when the following key pair is present in Eclipse's *.plist file in ~/Library/Preferences/<appid>.plist: <key>WebKitCacheModelPreferenceKey</key> <integer>1</integer> If that is not present the crash does not occur.

(In reply to Phil Beauvoir from comment #13) > In the case of the crash in Eclipse when it uses WebKit to render, the crash > occurs when the following key pair is present in Eclipse's *.plist file in > ~/Library/Preferences/<appid>.plist: > > <key>WebKitCacheModelPreferenceKey</key> > <integer>1</integer> > > If that is not present the crash does not occur. That preference is enabled. I've been trying to reproduce the crash using the steps provided in the linked GitHub issue for quite some time now, but I haven't been able to. How consistently are you getting this crash? Could you please provide a screen recording showing the exact steps needed to crash Eclipse? You can either attach it here or email it to me at charliew@apple.com.

For now, I’ll land another change that I expect should prevent this crash from happening. Making that change in https://bugs.webkit.org/show_bug.cgi?id=292956

(In reply to Charlie Wolfe from comment #14) > That preference is enabled. I've been trying to reproduce the crash using > the steps provided in the linked GitHub issue for quite some time now, but I > haven't been able to. How consistently are you getting this crash? Could you > please provide a screen recording showing the exact steps needed to crash > Eclipse? You can either attach it here or email it to me at > charliew@apple.com. Basically it's these steps: 1. Ensure Eclipse's Javadoc View is closed 2. In a Java Editor hover over code so that the Javadoc displays in a popup, and ensure to move the mouse into the Javadoc popup so that it gets focus and scrollbars are shown in the popup. 3. Open the Javadoc View 4. Now click into the Java Editor so that the JavaDoc View is updated. You may need to do this a few times. I'll work on a screen recording soon.

Created attachment 475219 [details] Screen Recording of Crash Attached is a screen recording of the crash. I'm following the steps in my previous comment.

<rdar://problem/151712931>

Pull request: https://github.com/WebKit/WebKit/pull/46079

A fix has landed in macOS 15.6 beta 1. Please verify that the crash no longer occurs there.

A user of Eclipse is reporting a crash with 15.6 beta 3: https://github.com/eclipse-platform/eclipse.platform.swt/issues/1978#issuecomment-3022643158 Date/Time: 2025-07-01 09:46:42.7596 +0200 OS Version: macOS 15.6 (24G5065c) Report Version: 12 Anonymous UUID: 8794E885-785D-FE3B-6C3F-4542E188CA41 Sleep/Wake UUID: E418DA16-58E5-474D-8C94-AC32FF85B5FE Time Awake Since Boot: 2800 seconds System Integrity Protection: enabled Notes: RIP register does not match crashing frame (0x0 vs 0x7FF89564AAE0) Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGABRT) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000018 Exception Codes: 0x0000000000000001, 0x0000000000000018 Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6 Terminating Process: eclipse [5002] VM Region Info: 0x18 is not in any region. Bytes before following region: 77463528 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL UNUSED SPACE AT START ---> __TEXT 49e0000-49e4000 [ 16K] r-x/r-x SM=COW /Applications/2023-12.app/Contents/MacOS/eclipse Application Specific Information: abort() called Error Formulating Crash Report: RIP register does not match crashing frame (0x0 vs 0x7FF89564AAE0) Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 ??? 0x7ff89564aae0 ??? 1 libsystem_kernel.dylib 0x7ff808a8e846 __pthread_kill + 10 2 libsystem_pthread.dylib 0x7ff808ac9b66 pthread_kill + 259 3 libsystem_c.dylib 0x7ff8089e85e6 abort + 126 4 libjvm.dylib 0xcc27a91 os::abort(bool, void*, void const*) + 49 5 libjvm.dylib 0xce7d0ac VMError::report_and_die(int, char const*, char const*, __va_list_tag*, Thread*, unsigned char*, void*, void*, char const*, int, unsigned long) + 2924 6 libjvm.dylib 0xce7c515 VMError::report_and_die(Thread*, unsigned int, unsigned char*, void*, void*, char const*, ...) + 149 7 libjvm.dylib 0xce7d141 VMError::report_and_die(Thread*, unsigned int, unsigned char*, void*, void*) + 33 8 libjvm.dylib 0xcd4496e JVM_handle_bsd_signal + 270 9 libsystem_platform.dylib 0x7ff808b0231d _sigtramp + 29 10 CoreFoundation 0x7ff808b3e444 CFBasicHashFindBucket + 76 11 ??? 0x0 ??? 12 WebCore 0x7ff90e53c1ad WebCore::LocalFrameView::setContentsSize(WebCore::IntSize const&) + 381 13 WebCore 0x7ff90e53cb06 WebCore::LocalFrameView::adjustViewSize() + 118 14 WebCore 0x7ff90e559481 WebCore::LocalFrameViewLayoutContext::performLayout(bool) + 3889 15 WebCore 0x7ff90e53f6d2 WebCore::LocalFrameViewLayoutContext::layout(bool) + 50 16 WebKitLegacy 0x7ff8269010b4 -[WebHTMLView layoutToMinimumPageWidth:height:originalPageWidth:originalPageHeight:maximumShrinkRatio:adjustingViewSize:] + 324 17 WebKitLegacy 0x7ff8268fcd82 -[WebDynamicScrollBarsView(WebInternal) updateScrollers] + 130 18 WebCore 0x7ff90d41347b WebCore::ScrollView::platformSetScrollbarModes() + 43 19 WebCore 0x7ff90c17d29e WebCore::ScrollView::setScrollbarModes(WebCore::ScrollbarMode, WebCore::ScrollbarMode, bool, bool) + 206 20 WebCore 0x7ff90e559842 WebCore::LocalFrameViewLayoutContext::performLayout(bool) + 4850 21 WebCore 0x7ff90e53f6d2 WebCore::LocalFrameViewLayoutContext::layout(bool) + 50 22 WebKitLegacy 0x7ff8269010b4 -[WebHTMLView layoutToMinimumPageWidth:height:originalPageWidth:originalPageHeight:maximumShrinkRatio:adjustingViewSize:] + 324 23 WebKitLegacy 0x7ff8268fd283 -[WebDynamicScrollBarsView(WebInternal) updateScrollers] + 1411 24 WebCore 0x7ff90d41347b WebCore::ScrollView::platformSetScrollbarModes() + 43 25 WebCore 0x7ff90c17d29e WebCore::ScrollView::setScrollbarModes(WebCore::ScrollbarMode, WebCore::ScrollbarMode, bool, bool) + 206 26 WebCore 0x7ff90e53aeff WebCore::LocalFrameView::~LocalFrameView() + 95 27 WebCore 0x7ff90e53bcfe WebCore::LocalFrameView::~LocalFrameView() + 14 28 WebCore 0x7ff90c2a057a WebCore::CachedFrame::clear() + 346 29 WebCore 0x7ff90c2a0264 WebCore::CachedFrame::destroy() + 436 30 WebCore 0x7ff90c29ffec WebCore::CachedPage::~CachedPage() + 28 31 WebCore 0x7ff90df8f994 decltype(auto)

Created attachment 476213 [details] Crash log This is NOT fixed in 15.6 released today. Attached is the crash log. Will this bug be re-opened or do I have to create a new one?

As the request to re-open this bug has been ignored I opened a new one: https://bugs.webkit.org/show_bug.cgi?id=296693

*** Bug 296693 has been marked as a duplicate of this bug. ***

Reopening.

Does this bug still need to be classed as "Security"? There are Eclipse people on the Eclipse bug (https://github.com/eclipse-platform/eclipse.platform.swt/issues/1978) who would like to comment and or view progress here.

I’ve looked into this further and don’t believe it’s a security issue. I’ll remove the security classification.

I still have not been able to reproduce this locally, but I think I see an issue that could be causing it. I’ll upload another speculative fix soon.

Pull request: https://github.com/WebKit/WebKit/pull/50087

(In reply to Charlie Wolfe from comment #27) > I’ve looked into this further and don’t believe it’s a security issue. I’ll > remove the security classification. Thanks! (In reply to Charlie Wolfe from comment #29) > I still have not been able to reproduce this locally, but I think I see an > issue that could be causing it. I’ll upload another speculative fix soon. Is the screen recording helpful? https://bug-290985-attachments.webkit.org/attachment.cgi?id=475219

Committed 299363@main (3b9e70010b83): <https://commits.webkit.org/299363@main> Reviewed commits have been landed. Closing PR #50087 and removing active labels.

(In reply to Phil Beauvoir from comment #31) > Is the screen recording helpful? > https://bug-290985-attachments.webkit.org/attachment.cgi?id=475219 These are the steps I followed when trying to reproduce, but I wasn't able to.

Hi, as of macOS Sequoia 15.7.1 and maOS Tahoe 26.0.1 the crash is still occurring.

Hello, this issue occurs endlessly, about every 20 minutes, in the following environment. Spring Tools for Eclipse (Version: 4.32.0.RELEASE / Build ID: 202509051843) macOS Tahoe 26.0.1 (25A362)

Hi, I tested on macOS 26.1 RC (25B77) and the issue seems to be fixed. Thanks!

This bug report has now received a second CVE, CVE-2025-43458, in addition to the original CVE-2025-31257.

Created attachment 477287 [details] Crash log on macOS 15.7.2 (In reply to Michael Catanzaro from comment #37) > This bug report has now received a second CVE, CVE-2025-43458, in addition > to the original CVE-2025-31257. When I check on the status of that CVE, reports say "This issue is fixed in Safari 26.1". I have Safari version 26.1 (20622.2.11.119.1) on macOS 15.7.2 (24G325) and it still crashes (log attached).

> I have Safari version 26.1 (20622.2.11.119.1) on macOS 15.7.2 (24G325) and it still crashes (log attached). On macOS Tahoe 26.1 (25B78), where this is fixed, it has a different version of Safari - version 26.1 (21622.2.11.11.9)

I'm not familiar with Apple platforms, but WebKit is a system dependency, so I presume the Safari version does not actually matter.

(In reply to Michael Catanzaro from comment #40) > I'm not familiar with Apple platforms, but WebKit is a system dependency, so I presume the Safari version does not actually matter. Perhaps the the different Safari versions use different WebKit builds.