Bug 305494 - RESOLVED FIXED
Crash in Node::invalidateNodeListAndCollectionCachesInAncestors via ContainerNode::removeAllChildrenWithScriptAssertion
https://bugs.webkit.org/show_bug.cgi?id=305494
Ryosuke Niwa
Reported 2026-01-14 11:43:15 PST
e.g.
#0 0x0003007252b4 in WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int, bool, (WTF::CheckedPtrDeleteCheckException)0>::crashDueToCheckedPtrToDeadObject()+0x10 (WebCore:arm64e+0x7252b4)
#1 0x0003094917a4 in WebCore::CachedHTMLCollection<WebCore::HTMLOptionsCollection, (WebCore::CollectionTraversalType)0>::invalidateCacheForDocument(WebCore::Document&)+0x458 (WebCore:arm64e+0x94917a4)
#2 0x0003089b9f1c in WebCore::Node::invalidateNodeListAndCollectionCachesInAncestors()+0x888 (WebCore:arm64e+0x89b9f1c)
#3 0x0003084c6384 in WebCore::ContainerNode::childrenChanged(WebCore::ContainerNode::ChildChange const&)+0x228 (WebCore:arm64e+0x84c6384)
#4 0x0003087d93f8 in WebCore::Element::childrenChanged(WebCore::ContainerNode::ChildChange const&)+0x44 (WebCore:arm64e+0x87d93f8)
#5 0x0003094c1978 in WebCore::HTMLSelectElement::childrenChanged(WebCore::ContainerNode::ChildChange const&)+0xa8 (WebCore:arm64e+0x94c1978)
#6 0x0003084bd264 in WebCore::ContainerNode::replaceAll(WebCore::Node*)+0x2274 (WebCore:arm64e+0x84bd264)
#7 0x0003084c1c6c in WebCore::ContainerNode::stringReplaceAll(WTF::String&&)+0x1b4 (WebCore:arm64e+0x84c1c6c)
#8 0x0003091f4cf0 in WebCore::HTMLElement::setInnerText(WTF::String&&)+0x1e4 (WebCore:arm64e+0x91f4cf0)
#9 0x000302ccbe70 in WebCore::setJSHTMLElement_innerTextSetter(JSC::JSGlobalObject&, WebCore::JSHTMLElement&, JSC::JSValue)+0x3c8 (WebCore:arm64e+0x2ccbe70)
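The trace above, worked through as an added example that is not part of the report or of WebKit's own tooling: a small JavaScript triage helper that splits a trace flattened onto one line back into frames, strips template argument lists so the symbols read like source, and reports the CheckedPtr sentinel frame, its immediate caller (the code that touched the already-destroyed object, as the sentinel's name says) and the outermost entry frame (here a JS binding). The frame layout `#N 0xADDR in SYMBOL+0xOFF (MODULE+0xOFF)` is assumed from the trace itself; the only input is the report's own trace, copied verbatim.

```javascript
// Added example (not from the report or WebKit): parse a flattened WebKit crash
// trace and pull out what the CheckedPtr sentinel frame is telling us.
// TRACE is the trace from bug 305494 above, copied verbatim and re-joined onto
// one line exactly as the report shows it.
const TRACE = [
  "#0 0x0003007252b4 in WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int, bool, (WTF::CheckedPtrDeleteCheckException)0>::crashDueToCheckedPtrToDeadObject()+0x10 (WebCore:arm64e+0x7252b4)",
  "#1 0x0003094917a4 in WebCore::CachedHTMLCollection<WebCore::HTMLOptionsCollection, (WebCore::CollectionTraversalType)0>::invalidateCacheForDocument(WebCore::Document&)+0x458 (WebCore:arm64e+0x94917a4)",
  "#2 0x0003089b9f1c in WebCore::Node::invalidateNodeListAndCollectionCachesInAncestors()+0x888 (WebCore:arm64e+0x89b9f1c)",
  "#3 0x0003084c6384 in WebCore::ContainerNode::childrenChanged(WebCore::ContainerNode::ChildChange const&)+0x228 (WebCore:arm64e+0x84c6384)",
  "#4 0x0003087d93f8 in WebCore::Element::childrenChanged(WebCore::ContainerNode::ChildChange const&)+0x44 (WebCore:arm64e+0x87d93f8)",
  "#5 0x0003094c1978 in WebCore::HTMLSelectElement::childrenChanged(WebCore::ContainerNode::ChildChange const&)+0xa8 (WebCore:arm64e+0x94c1978)",
  "#6 0x0003084bd264 in WebCore::ContainerNode::replaceAll(WebCore::Node*)+0x2274 (WebCore:arm64e+0x84bd264)",
  "#7 0x0003084c1c6c in WebCore::ContainerNode::stringReplaceAll(WTF::String&&)+0x1b4 (WebCore:arm64e+0x84c1c6c)",
  "#8 0x0003091f4cf0 in WebCore::HTMLElement::setInnerText(WTF::String&&)+0x1e4 (WebCore:arm64e+0x91f4cf0)",
  "#9 0x000302ccbe70 in WebCore::setJSHTMLElement_innerTextSetter(JSC::JSGlobalObject&, WebCore::JSHTMLElement&, JSC::JSValue)+0x3c8 (WebCore:arm64e+0x2ccbe70)",
].join(" ");

// One frame: "#N 0xADDR in SYMBOL+0xOFF (MODULE+0xOFF)" (assumed layout, taken
// from the trace). SYMBOL may contain spaces, commas and parentheses, so it is
// matched lazily up to the first "+0x" that is followed by the module part.
const FRAME_RE =
  /^#(\d+)\s+(0x[0-9a-f]+)\s+in\s+(.+?)\+(0x[0-9a-f]+)\s+\((\S+?)\+(0x[0-9a-f]+)\)$/;

// Split a flattened trace into frame records. A new frame begins at "#N 0x...
// in", which does not occur inside a C++ symbol, so a lookahead split is safe.
function parseTrace(text) {
  const chunks = text.trim().split(/\s+(?=#\d+\s+0x[0-9a-f]+\s+in\s)/);
  return chunks.map((chunk) => {
    const m = FRAME_RE.exec(chunk.trim());
    if (!m) throw new Error("unparseable frame: " + chunk);
    return {
      index: Number(m[1]),
      pc: m[2],
      symbol: m[3],
      symbolOffset: m[4],
      module: m[5],
      moduleOffset: m[6],
    };
  });
}

// Remove template argument lists ("<...>", nested) so symbols match the source.
// Caveat: a symbol containing a bare ">" (e.g. operator>>) would confuse this.
function stripTemplates(symbol) {
  let out = "";
  let depth = 0;
  for (const ch of symbol) {
    if (ch === "<") depth++;
    else if (ch === ">") depth--;
    else if (depth === 0) out += ch;
  }
  return out;
}

// The CheckedPtr sentinel is a deliberate trap, not the defect itself: the
// object was destroyed while a CheckedPtr still referred to it. The sentinel's
// caller (the next frame up) is the code that touched the stale pointer, and
// the outermost frame is where the operation was entered.
function triage(frames) {
  const i = frames.findIndex((f) => f.symbol.includes("crashDueToCheckedPtrToDeadObject"));
  if (i < 0 || i + 1 >= frames.length) return null;
  return {
    kind: "checked-ptr-to-dead-object",
    sentinel: stripTemplates(frames[i].symbol),
    culprit: stripTemplates(frames[i + 1].symbol),
    entry: stripTemplates(frames[frames.length - 1].symbol),
    depth: frames.length,
  };
}

const frames = parseTrace(TRACE);
for (const f of frames) {
  console.log(`#${f.index} ${stripTemplates(f.symbol)}  [${f.module}+${f.moduleOffset}]`);
}
console.log(triage(frames));
```

Running it prints the ten frames one per line with template noise removed, followed by the triage record naming the CachedHTMLCollection cache invalidation as the code that dereferenced the dead object and the innerText setter binding as the entry point; the module-relative offsets are kept on each frame because they, not the absolute PCs, are what you symbolicate against a matching WebCore build.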
Ryosuke Niwa
Comment 1 2026-01-14 11:43:37 PST
Ryosuke Niwa
Comment 2 2026-01-14 13:15:59 PST
EWS
Comment 3 2026-01-15 09:58:32 PST
Committed 305651@main (a9934374583d): <https://commits.webkit.org/305651@main> Reviewed commits have been landed. Closing PR #56585 and removing active labels.