WebKit Bugzilla
RESOLVED FIXED
308214
Nullptr crash accessing settings when tearing down render tree
https://bugs.webkit.org/show_bug.cgi?id=308214
Antti Koivisto
Reported
2026-02-19 03:23:32 PST
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread:
0 WebCore 0x1ac2295e4 WebCore::Page::WeakValueType* WTF::WeakPtrImplBase<WTF::DefaultWeakPtrImpl>::get<WebCore::Page>() + 0 (/AppleInternal/Library/BuildRoots/4~CIZWugBYXeZLeWH4t2eGm4-6SY8vc0gCKXJcSRU/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS26.4.Internal.sdk/usr/local/include/wtf/WeakPtrImpl.h:46) [inlined]
1 WebCore 0x1ac2295e4 WTF::WeakPtr<WebCore::Page, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>::get() const + 4 (/AppleInternal/Library/BuildRoots/4~CIZWugBYXeZLeWH4t2eGm4-6SY8vc0gCKXJcSRU/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS26.4.Internal.sdk/usr/local/include/wtf/WeakPtr.h:118) [inlined]
2 WebCore 0x1ac2295e4 WebCore::Frame::page() const + 4 (/Library/Caches/com.apple.xbs/AF95AA3D-C0F5-4E77-A831-8BBF0C398EB5/TemporaryDirectory.8rjDBy/Sources/WebCore/Source/WebCore/dom/DocumentPage.h:36) [inlined]
3 WebCore 0x1ac2295e4 WebCore::RenderObject::page() const + 32 (/Library/Caches/com.apple.xbs/AF95AA3D-C0F5-4E77-A831-8BBF0C398EB5/TemporaryDirectory.8rjDBy/Sources/WebCore/Source/WebCore/rendering/RenderObjectInlines.h:72) [inlined]
4 WebCore 0x1ac2295e4 WebCore::RenderObject::settings() const + 32 (/Library/Caches/com.apple.xbs/AF95AA3D-C0F5-4E77-A831-8BBF0C398EB5/TemporaryDirectory.8rjDBy/Sources/WebCore/Source/WebCore/rendering/RenderObjectInlines.h:82) [inlined]
5 WebCore 0x1ac2295e4 WebCore::RenderTreeBuilder::Inline::Inline(WebCore::RenderTreeBuilder&) + 40 (/Library/Caches/com.apple.xbs/AF95AA3D-C0F5-4E77-A831-8BBF0C398EB5/TemporaryDirectory.8rjDBy/Sources/WebCore/Source/WebCore/rendering/updating/RenderTreeBuilderInline.cpp:110) [inlined]
6 WebCore 0x1ac2295e4 WebCore::RenderTreeBuilder::Inline::Inline(WebCore::RenderTreeBuilder&) + 40 (/Library/Caches/com.apple.xbs/AF95AA3D-C0F5-4E77-A831-8BBF0C398EB5/TemporaryDirectory.8rjDBy/Sources/WebCore/Source/WebCore/rendering/updating/RenderTreeBuilderInline.cpp:111) [inlined]
7 WebCore 0x1ac2295e4 WTF::UniqueRef<WebCore::RenderTreeBuilder::Inline> WTF::makeUniqueRefWithoutFastMallocCheck<WebCore::RenderTreeBuilder::Inline, WebCore::RenderTreeBuilder&>(WebCore::RenderTreeBuilder&) + 56 (/AppleInternal/Library/BuildRoots/4~CIZWugBYXeZLeWH4t2eGm4-6SY8vc0gCKXJcSRU/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS26.4.Internal.sdk/usr/local/include/wtf/UniqueRef.h:42) [inlined]
8 WebCore 0x1ac2295e4 WTF::UniqueRef<WebCore::RenderTreeBuilder::Inline> WTF::makeUniqueRef<WebCore::RenderTreeBuilder::Inline, WebCore::RenderTreeBuilder&>(WebCore::RenderTreeBuilder&) + 56 (/AppleInternal/Library/BuildRoots/4~CIZWugBYXeZLeWH4t2eGm4-6SY8vc0gCKXJcSRU/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS26.4.Internal.sdk/usr/local/include/wtf/UniqueRef.h:57) [inlined]
9 WebCore 0x1ac2295e4 WebCore::RenderTreeBuilder::RenderTreeBuilder(WebCore::RenderView&) + 292 (/Library/Caches/com.apple.xbs/AF95AA3D-C0F5-4E77-A831-8BBF0C398EB5/TemporaryDirectory.8rjDBy/Sources/WebCore/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:184)
10 WebCore 0x1ac24c9cc WebCore::RenderTreeBuilder::RenderTreeBuilder(WebCore::RenderView&) + 8 (/Library/Caches/com.apple.xbs/AF95AA3D-C0F5-4E77-A831-8BBF0C398EB5/TemporaryDirectory.8rjDBy/Sources/WebCore/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:190) [inlined]
11 WebCore 0x1ac24c9cc WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType) + 84 (/Library/Caches/com.apple.xbs/AF95AA3D-C0F5-4E77-A831-8BBF0C398EB5/TemporaryDirectory.8rjDBy/Sources/WebCore/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:719)
12 WebCore 0x1ab029d78 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) + 12 (/Library/Caches/com.apple.xbs/AF95AA3D-C0F5-4E77-A831-8BBF0C398EB5/TemporaryDirectory.8rjDBy/Sources/WebCore/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:726) [inlined]
13 WebCore 0x1ab029d78 WebCore::Document::destroyRenderTree() + 324 (/Library/Caches/com.apple.xbs/AF95AA3D-C0F5-4E77-A831-8BBF0C398EB5/TemporaryDirectory.8rjDBy/Sources/WebCore/Source/WebCore/dom/Document.cpp:3622)
14 WebCore 0x1ab02a384 WebCore::Document::willBeRemovedFromFrame() + 628 (/Library/Caches/c
Antti Koivisto
Comment 1
2026-02-19 03:23:48 PST
rdar://117839253
Antti Koivisto
Comment 2
2026-02-19 05:43:13 PST
Pull request: https://github.com/WebKit/WebKit/pull/59004
EWS
Comment 3
2026-02-19 08:06:56 PST
Committed 307833@main (0ce1f258ce6e): <https://commits.webkit.org/307833@main>
Reviewed commits have been landed. Closing PR #59004 and removing active labels.
EWS
Comment 4
2026-02-19 15:38:23 PST
Committed 305413.321@safari-7624-branch (74f911b7e16f): <https://commits.webkit.org/305413.321@safari-7624-branch>
Reviewed commits have been landed. Closing PR #4513 and removing active labels.