Created attachment 477516 [details] Full backtrace Using Epiphany Tech Preview and WebKitGTK 2.51.2, my UI process crashed due to bug #303057. Then two of my web processes crashed simultaneously, both with the following stack trace: #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007f8e7649d5e3 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:89 #2 0x00007f8e764433be in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007f8e7642a8ed in __GI_abort () at abort.c:77 #4 0x00007f8e731ec58f in WTFCrashWithInfo () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Assertions.h:985 #5 0x00007f8e748b273a in WTF::CanMakeCheckedPtrBase<std::atomic<unsigned int>, unsigned int, std::atomic<bool>, (WTF::CheckedPtrDeleteCheckException)0>::decrementCheckedPtrCount (this=0x4) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/CheckedRef.h:302 #6 WTF::CheckedRef<WTF::WorkerPool, WTF::RawPtrTraits<WTF::WorkerPool> >::~CheckedRef (this=0x7f8e6010c570) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/CheckedRef.h:56 #7 WTF::WorkerPool::Worker::~Worker (this=0x7f8e6010c540) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/WorkerPool.cpp:35 #8 WTF::WorkerPool::Worker::operator delete (object=0x7f8e6010c540, size=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/WorkerPool.cpp:37 #9 0x00007f8e747ec027 in WTF::ThreadSafeRefCounted<WTF::AutomaticThread, (WTF::DestructionThread)0>::deref (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/ThreadSafeRefCounted.h:139 #10 WTF::DefaultRefDerefTraits<WTF::AutomaticThread>::derefIfNotNull (ptr=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Ref.h:64 #11 WTF::RefPtr<WTF::AutomaticThread, WTF::RawPtrTraits<WTF::AutomaticThread>, WTF::DefaultRefDerefTraits<WTF::AutomaticThread> >::~RefPtr (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RefPtr.h:62 #12 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::~$_0() (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/AutomaticThread.cpp:172 #13 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::~CallableWrapper (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:53 #14 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::~CallableWrapper (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:53 #15 0x00007f8e7487bef7 in std::default_delete<WTF::Detail::CallableWrapperBase<void> >::operator() (__ptr=0x7f8e60214b00, this=<optimized out>) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/bits/unique_ptr.h:93 #16 std::unique_ptr<WTF::Detail::CallableWrapperBase<void>, std::default_delete<WTF::Detail::CallableWrapperBase<void> > >::~unique_ptr (this=<optimized out>) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/bits/unique_ptr.h:399 #17 WTF::Function<void()>::~Function (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Forward.h:126 #18 WTF::Thread::entryPoint (newThreadContext=0x7f8e603bc4f0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Threading.cpp:269 #19 0x00007f8e748e978d in WTF::wtfThreadEntryPoint (context=0x2) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:245 #20 0x00007f8e7649b56a in start_thread (arg=<optimized out>) at pthread_create.c:448 #21 0x00007f8e7651ee54 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:100 The WorkerPool::Worker's member variable CheckedPtr<WorkerPool> m_pool is invalid, so CheckedPtr is doing its job, converting a use after free vulnerability into a harmless crash. Thanks, CheckedPtr. I've attached a full all-threads stack trace, although it looks like none of the other threads are using WorkerPool.