299001 – Crash in EventTarget::innerInvokeEventListeners

RESOLVED FIXED299001

Crash in EventTarget::innerInvokeEventListeners

https://bugs.webkit.org/show_bug.cgi?id=299001

Summary Crash in EventTarget::innerInvokeEventListeners

Ryosuke Niwa

Reported 2025-09-16 23:54:21 PDT

e.g. #0 0x000159898398 in WebCore::ScriptExecutionContext::ref()+0x50 (WebCore:arm64e+0x836c398) #1 0x0001596bab28 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x194 (WebCore:arm64e+0x818eb28) #2 0x000159682398 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x414 (WebCore:arm64e+0x8156398) #3 0x0001596b9d1c in WebCore::EventTarget::dispatchEvent(WebCore::Event&)+0x37c (WebCore:arm64e+0x818dd1c) #4 0x00015a88987c in WTF::Detail::CallableWrapper<void WebCore::ActiveDOMObject::queueTaskKeepingObjectAlive<WebCore::TrackListBase, WebCore::TrackListBase::scheduleChangeEvent()::$_0>(WebCore::TrackListBase&, WebCore::TaskSource, WebCore::TrackListBase::scheduleChangeEvent()::$_0&&)::'lambda'(), void>::call()+0x1ec (WebCore:arm64e+0x935d87c) #5 0x000159696580 in WebCore::EventLoop::run(std::__1::optional<WTF::ApproximateTime>)+0x4c4 (WebCore:arm64e+0x816a580) #6 0x0001599c3b00 in WebCore::WindowEventLoop::didReachTimeToRun()+0x13c (WebCore:arm64e+0x8497b00) #7 0x0001599ca2b8 in WTF::Detail::CallableWrapper<WebCore::Timer::Timer<WebCore::WindowEventLoop, WebCore::WindowEventLoop>(WebCore::WindowEventLoop&, void (WebCore::WindowEventLoop::*)())::'lambda'(), void>::call()+0x1d4 (WebCore:arm64e+0x849e2b8) #8 0x000151555034 in WebCore::ThreadTimers::sharedTimerFiredInternal()+0x3f8 (WebCore:arm64e+0x29034) #9 0x000151554c00 in WebCore::timerFired(__CFRunLoopTimer*, void*)+0x8c (WebCore:arm64e+0x28c00) <rdar://160598447>

Attachments
Add attachment proposed patch, testcase, etc.

Ryosuke Niwa

Comment 1 2025-09-17 00:28:06 PDT

Pull request: https://github.com/WebKit/WebKit/pull/50843

Ryosuke Niwa

Comment 2 2025-09-17 09:18:21 PDT

Pull request: https://github.com/WebKit/WebKit/pull/50864

EWS

Comment 3 2025-09-17 12:36:01 PDT

Committed 300099@main (d370fee5140c): <https://commits.webkit.org/300099@main> Reviewed commits have been landed. Closing PR #50864 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version Safari Technology Preview

Hardware Unspecified

OS Unspecified

Product WebKit

Component New Bugs

Assignee

Ryosuke Niwa

Reported

2025-09-16 23:54 PDT

Modified

2025-09-17 12:36 PDT History

CC List

0 users

URL

Keywords InRadar

Depends on

Blocks