RESOLVED FIXED303917
REGRESSION (iOS 26.1): Frequent UI process crashes in WebCore::ElementContext::isSameElement under WKSelectPicker 
https://bugs.webkit.org/show_bug.cgi?id=303917
Summary REGRESSION (iOS 26.1): Frequent UI process crashes in WebCore::ElementContext...
fedegermi
Reported 2025-12-10 05:16:19 PST
We started receiving a lot of these crashes on version 26.1 (and it's still happening on version 26.2). We don't have repro steps for this crash. We noticed a change that landed ~3 months ago in that area of code that may be causing the crash: https://github.com/WebKit/WebKit/commit/02f7a612039f3c91d767af54ee0212db38436c19 The crashes we're receiving have the following Stack trace: (WebKit + 0x00656a90) WebCore::ElementContext::isSameElement(WebCore::ElementContext const&) const (WebKit + 0x0096d9dc) __74-[WKSelectPicker contextMenuInteraction:willEndForConfiguration:animator:]_block_invoke (UIKitCore + 0x0034f930) -[_UIContextMenuAnimator performAllCompletions] (UIKitCore + 0x007f26b0) block_destroy_helper.72 (UIKitCore + 0x007f41f4) objectdestroy.36Tm (UIKitCore + 0x007a7d78) objectdestroy.3Tm (UIKitCore + 0x005be1b8) __swift_memcpy192_8 (UIKitCore + 0x00021910) block_copy_helper.374 (UIKitCore + 0x001dc844) -[_UIGroupCompletion _performAllCompletions] (UIKitCore + 0x0035d888) -[_UIGravityWellEffectBody .cxx_destruct] (UIKitCore + 0x00215694) -[UIScrollView _contentLayoutGuideIfExists] (UIKitCore + 0x000949ec) NSStringFromUIEdgeInsets (UIKitCore + 0x00094950) NSStringFromUIEdgeInsets (UIKitCore + 0x0008fbb4) __UIVIEW_IS_EXECUTING_ANIMATION_COMPLETION_BLOCK__ (UIKitCore + 0x0198bd64) -[UIViewAnimationBlockDelegate _sendDeferredCompletion:] (libdispatch.dylib + 0x00001ad8) _dispatch_call_block_and_release (libdispatch.dylib + 0x0001b7e8) _dispatch_client_callout (libdispatch.dylib + 0x00038b20) _dispatch_main_queue_drain.cold.5 (libdispatch.dylib + 0x00010ec4) _dispatch_main_queue_drain (libdispatch.dylib + 0x00010e00) _dispatch_main_queue_callback_4CF (CoreFoundation + 0x0006a2c4) __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ (CoreFoundation + 0x0001db38) __CFRunLoopRun (CoreFoundation + 0x0001ca68) _CFRunLoopRunSpecificWithOptions (GraphicsServices + 0x00001494) GSEventRunModal (UIKitCore + 0x0009e4b4) -[UIApplication _run] (UIKitCore + 0x00046b8c) UIApplicationMain Please let us know if you need additional information.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-12-10 12:48:06 PST
<rdar://problem/166246076>
Alexey Proskuryakov
Comment 2 2025-12-10 12:52:07 PST
<rdar://problem/163148093>
Wenson Hsieh
Comment 3 2025-12-11 11:29:43 PST
Pull request: https://github.com/WebKit/WebKit/pull/55260
EWS
Comment 4 2025-12-11 14:21:21 PST
Committed 304320@main (41b65165bb54): <https://commits.webkit.org/304320@main> Reviewed commits have been landed. Closing PR #55260 and removing active labels.
fedegermi
Comment 5 2025-12-30 08:17:53 PST
Thanks for taking a look. We're still collecting crashes on iOS 26.3 (26.3.0 23D5089e), so it's possible this issue is not completely fixed. Please let us know if you need additional details.
Alexey Proskuryakov
Comment 6 2026-01-14 11:22:12 PST
Thank you for the followup. Yes, this fix is not in any released or beta versions yet.
Alexey Proskuryakov
Comment 7 2026-01-14 11:23:40 PST
*** Bug 305457 has been marked as a duplicate of this bug. ***
marek.kubov
Comment 8 2026-03-04 22:55:47 PST
Hello, was fix already released or when is release planned ?
Aditya Keerthi
Comment 9 2026-03-04 23:51:48 PST
The fix is in iOS 26.4 betas.
Note You need to log in before you can comment on or make changes to this bug.