309749 – Crash in TreeScopeOrderedMap::getElementById via ReferencedSVGResources::~ReferencedSVGResources

RESOLVED FIXED309749

Crash in TreeScopeOrderedMap::getElementById via ReferencedSVGResources::~ReferencedSVGResources

https://bugs.webkit.org/show_bug.cgi?id=309749

Summary Crash in TreeScopeOrderedMap::getElementById via ReferencedSVGResources::~Ref...

Ryosuke Niwa

Reported 2026-03-11 20:59:01 PDT

e.g. 0 WebCore 0x1a96a0bd8 WTFCrashWithInfo(int, char const*, char const*, int) + 24 [inlined] 1 WebCore 0x1a96a0bd8 WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>> WebCore::TreeScopeOrderedMap::get<WebCore::TreeScopeOrderedMap::getElementById(WTF::AtomString const&, WebCore::TreeScope const&) const::$_0>(WTF::AtomString const&, WebCore::TreeScope const&, WebCore::TreeScopeOrderedMap::getElementById(WTF::AtomString const&, WebCore::TreeScope const&) const::$_0 const&) const + 892 [inlined] 2 WebCore 0x1a96a0bd8 WebCore::TreeScopeOrderedMap::getElementById(WTF::AtomString const&, WebCore::TreeScope const&) const + 1080 3 WebCore 0x1aa3abdb4 WebCore::TreeScope::getElementById(WTF::AtomString const&) const + 36 [inlined] 4 WebCore 0x1aa3abdb4 WebCore::ReferencedSVGResources::removeClientForTarget(WebCore::TreeScope&, WTF::AtomString const&) + 408 5 WebCore 0x1aa3ab99c WebCore::ReferencedSVGResources::~ReferencedSVGResources() + 328 6 WebCore 0x1aa52a47c WebCore::ReferencedSVGResources::~ReferencedSVGResources() + 8 [inlined] 7 WebCore 0x1aa52a47c std::__1::default_delete<WebCore::ReferencedSVGResources>::operator()[abi:sqn210106](WebCore::ReferencedSVGResources*) const + 8 [inlined] 8 WebCore 0x1aa52a47c std::__1::unique_ptr<WebCore::ReferencedSVGResources, std::__1::default_delete<WebCore::ReferencedSVGResources>>::reset[abi:sqn210106](WebCore::ReferencedSVGResources*) + 8 [inlined] 9 WebCore 0x1aa52a47c std::__1::unique_ptr<WebCore::ReferencedSVGResources, std::__1::default_delete<WebCore::ReferencedSVGResources>>::~unique_ptr[abi:sqn210106]() + 8 [inlined] 10 WebCore 0x1aa52a47c std::__1::unique_ptr<WebCore::ReferencedSVGResources, std::__1::default_delete<WebCore::ReferencedSVGResources>>::~unique_ptr[abi:sqn210106]() + 8 [inlined] 11 WebCore 0x1aa52a47c WebCore::RenderObject::RenderObjectRareData::~RenderObjectRareData() + 8 [inlined] 12 WebCore 0x1aa52a47c WebCore::RenderObject::RenderObjectRareData::~RenderObjectRareData() + 76 <rdar://172309380>

Attachments
Add attachment proposed patch, testcase, etc.

Ryosuke Niwa

Comment 1 2026-03-11 21:10:00 PDT

Pull request: https://github.com/WebKit/WebKit/pull/60422

EWS

Comment 2 2026-03-12 03:55:45 PDT

Committed 309133@main (11b230b2d621): <https://commits.webkit.org/309133@main> Reviewed commits have been landed. Closing PR #60422 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component New Bugs

Assignee

Ryosuke Niwa

Reported

2026-03-11 20:59 PDT

Modified

2026-03-12 03:55 PDT History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks