WebKit Bugzilla
RESOLVED FIXED
304126
CheckedPtr crash when LBSE is enabled
https://bugs.webkit.org/show_bug.cgi?id=304126
Simon Fraser (smfr)
Reported
2025-12-13 10:58:01 PST
When LBSE is enabled, any filter test crashes here:

* frame #0: 0x000000012c556a50 JavaScriptCore`::WTFCrash() at Assertions.cpp:377:5
frame #1: 0x000000012c556ab8 JavaScriptCore`::WTFCrashWithSecurityImplication() at Assertions.cpp:409:5
frame #2: 0x000000030004c030 WebCore`WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int, bool, (WTF::CheckedPtrDeleteCheckException)0>::~CanMakeCheckedPtrBase(this=0x00000001143c4158) at CheckedRef.h:292:9
frame #3: 0x0000000307f0a164 WebCore`WTF::CanMakeCheckedPtr<WebCore::RenderObject, (WTF::DefaultedOperatorEqual)0, (WTF::CheckedPtrDeleteCheckException)0>::~CanMakeCheckedPtr(this=0x00000001143c4158) at CheckedRef.h:335:5
frame #4: 0x0000000307f0a044 WebCore`WebCore::RenderObject::~RenderObject(this=0x00000001143c4140) at RenderObject.cpp:174:1
frame #5: 0x0000000307d53750 WebCore`WebCore::RenderElement::~RenderElement(this=0x00000001143c4140) at RenderElement.cpp:171:1
frame #6: 0x0000000307e92efc WebCore`WebCore::RenderLayerModelObject::~RenderLayerModelObject(this=0x00000001143c4140) at RenderLayerModelObject.cpp:89:49
frame #7: 0x0000000308138be8 WebCore`WebCore::RenderSVGModelObject::~RenderSVGModelObject(this=0x00000001143c4140) at RenderSVGModelObject.cpp:71:45
frame #8: 0x0000000308130a5c WebCore`WebCore::RenderSVGContainer::~RenderSVGContainer(this=0x00000001143c4140) at RenderSVGContainer.cpp:58:41
frame #9: 0x00000003081384e8 WebCore`WebCore::RenderSVGHiddenContainer::~RenderSVGHiddenContainer(this=0x00000001143c4140) at RenderSVGHiddenContainer.cpp:39:53
frame #10: 0x0000000308154c34 WebCore`WebCore::RenderSVGResourceFilterPrimitive::~RenderSVGResourceFilterPrimitive(this=0x00000001143c4140) at RenderSVGResourceFilterPrimitive.h:36:7
frame #11: 0x000000030815094c WebCore`WebCore::RenderSVGResourceFilterPrimitive::~RenderSVGResourceFilterPrimitive(this=0x00000001143c4140) at RenderSVGResourceFilterPrimitive.h:36:7
frame #12: 0x000000030815097c WebCore`WebCore::RenderSVGResourceFilterPrimitive::~RenderSVGResourceFilterPrimitive(this=0x00000001143c4140) at RenderSVGResourceFilterPrimitive.h:36:7
frame #13: 0x0000000307f09c08 WebCore`WebCore::RenderObject::destroy(this=0x00000001143c4140) at RenderObject.cpp:1817:5
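The backtrace ends in the destructor of the CanMakeCheckedPtr base (frame #2) calling WTFCrashWithSecurityImplication: a RenderObject is being destroyed while CheckedPtrs still point at it, which the counter in that base class detects. The following is an added, simplified model of that mechanism written for this page; it is not WebKit's WTF code from CheckedRef.h. The class names mirror WTF's CanMakeCheckedPtr and CheckedPtr for readability, while Renderer, danglingCheckedPtrHandler, countDanglingReports and abandon() are invented so the two scenarios can run without aborting the process.

```cpp
// Added example, not WebKit code: a simplified model of the CanMakeCheckedPtr /
// CheckedPtr pair. The real WTF check calls WTFCrashWithSecurityImplication().
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <functional>

// Invoked when an object dies while CheckedPtrs still reference it. Replaceable
// here (hypothetical hook) so the scenarios below can run without aborting.
inline std::function<void()>& danglingCheckedPtrHandler()
{
    static std::function<void()> handler = [] {
        std::fputs("CheckedPtr: object destroyed with outstanding references\n", stderr);
        std::abort();
    };
    return handler;
}

// Mix-in for any class whose instances may be held by a CheckedPtr.
class CanMakeCheckedPtr {
public:
    CanMakeCheckedPtr() = default;
    CanMakeCheckedPtr(const CanMakeCheckedPtr&) = delete;
    CanMakeCheckedPtr& operator=(const CanMakeCheckedPtr&) = delete;
    ~CanMakeCheckedPtr()
    {
        // The check the report hits: no live CheckedPtr may outlive its target,
        // so a would-be use-after-free becomes a deterministic crash instead.
        if (m_checkedPtrCount)
            danglingCheckedPtrHandler()();
    }
    void incrementCheckedPtrCount() const { ++m_checkedPtrCount; }
    void decrementCheckedPtrCount() const { --m_checkedPtrCount; }
    uint32_t checkedPtrCount() const { return m_checkedPtrCount; }

private:
    mutable uint32_t m_checkedPtrCount { 0 };
};

// Non-owning pointer that registers itself with its target.
template<typename T>
class CheckedPtr {
public:
    CheckedPtr() = default;
    explicit CheckedPtr(T* ptr) : m_ptr(ptr) { retain(); }
    CheckedPtr(const CheckedPtr& other) : m_ptr(other.m_ptr) { retain(); }
    CheckedPtr& operator=(const CheckedPtr& other)
    {
        if (this != &other) { release(); m_ptr = other.m_ptr; retain(); }
        return *this;
    }
    ~CheckedPtr() { release(); }
    T* operator->() const { return m_ptr; }
    void clear() { release(); m_ptr = nullptr; }
    // Model-only: forget the target without touching it (the target may be gone
    // because our handler returned where WebKit's would have crashed).
    void abandon() { m_ptr = nullptr; }

private:
    void retain() { if (m_ptr) m_ptr->incrementCheckedPtrCount(); }
    void release() { if (m_ptr) m_ptr->decrementCheckedPtrCount(); }
    T* m_ptr { nullptr };
};

// Hypothetical stand-in for a renderer; not WebCore's RenderObject.
class Renderer : public CanMakeCheckedPtr {
public:
    explicit Renderer(int id) : m_id(id) {}
    int id() const { return m_id; }
private:
    int m_id;
};

// Runs `body` with a counting handler installed and returns how often it fired.
template<typename F>
int countDanglingReports(F body)
{
    int fired = 0;
    auto saved = danglingCheckedPtrHandler();
    danglingCheckedPtrHandler() = [&fired] { ++fired; };
    body();
    danglingCheckedPtrHandler() = saved;
    return fired;
}

// Two holders alive: the target's count reflects both.
uint32_t liveCountWhileHeldTwice()
{
    Renderer r(0);
    CheckedPtr<Renderer> a(&r);
    CheckedPtr<Renderer> b = a;
    return r.checkedPtrCount(); // 2; both drop before r dies, so no report
}

// Correct lifetime: the holder drops its CheckedPtr before the target dies.
int reportsWhenReferenceDroppedFirst()
{
    return countDanglingReports([] {
        Renderer* r = new Renderer(1);
        CheckedPtr<Renderer> cached(r);
        cached.clear(); // count back to 0
        delete r;       // destructor check passes
    });
}

// The pattern in the report: the target is destroyed while still referenced.
int reportsWhenDestroyedWhileReferenced()
{
    return countDanglingReports([] {
        Renderer* r = new Renderer(2);
        CheckedPtr<Renderer> cached(r);
        delete r;         // count is 1: handler fires (WebKit crashes here)
        cached.abandon(); // model only; never touch the freed object
    });
}
```

The design point is that the cost of the counter is paid on every CheckedPtr copy, but in exchange the destructor turns a silent dangling pointer into a crash at the exact place the lifetime rule was broken, which is what frame #2 of the trace records and why the fix belongs in whichever code kept a CheckedPtr to the renderer past its destruction.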
Radar WebKit Bug Importer
Comment 1
2025-12-13 10:58:07 PST
<rdar://problem/166451135>
Simon Fraser (smfr)
Comment 2
2025-12-13 11:00:33 PST
Pull request: https://github.com/WebKit/WebKit/pull/55365
EWS
Comment 3
2025-12-13 13:48:12 PST
Committed 304432@main (c0e7b7504cf2): <https://commits.webkit.org/304432@main>
Reviewed commits have been landed. Closing PR #55365 and removing active labels.