304084 – [css-grid-3] Clear m_itemOffsets in initializeMasonry to fix crash with stale WeakRef keys

RESOLVED FIXED304084

[css-grid-3] Clear m_itemOffsets in initializeMasonry to fix crash with stale WeakRef keys

https://bugs.webkit.org/show_bug.cgi?id=304084

Summary [css-grid-3] Clear m_itemOffsets in initializeMasonry to fix crash with stale...

Brandon

Reported 2025-12-12 12:26:07 PST

The m_itemOffsets HashMap uses SingleThreadWeakRef<const RenderBox> as keys. When RenderBox objects are destroyed between masonry layout phases, the WeakRef keys become stale (null pointers). When inserting a new item via set(), the HashMap comparison logic may compare against these stale entries, triggering an assertion failure in WeakRef::ptr(). Fix by clearing m_itemOffsets at the start of each masonry placement run, along with the other state variables that are already being reset.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-12-12 12:26:14 PST

<rdar://problem/166404830>

Brandon

Comment 2 2025-12-12 12:27:45 PST

Pull request: https://github.com/WebKit/WebKit/pull/55326

EWS

Comment 3 2025-12-12 15:20:09 PST

Committed 304384@main (19b49e75dba6): <https://commits.webkit.org/304384@main> Reviewed commits have been landed. Closing PR #55326 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version Other

Hardware Unspecified

OS Unspecified

Product WebKit

Component CSS

Assignee

Brandon

Reported

2025-12-12 12:26 PST

Modified

2025-12-12 15:20 PST History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks