Bug 311060 - Null deref crash under RenderLayerBacking::updateAncestorClipping()
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=311060

Reported by David Kilzer (:ddkilzer), 2026-03-29 19:53:36 PDT
Null pointer dereference in `RenderLayerBacking::updateAncestorClipping()` when the render tree is torn down during Back/Forward Cache eviction. The `RenderLayerBacking` destructor calls `updateAncestorClipping(false, nullptr)`. When `m_ancestorClippingStack` is non-null, the `else if` branch calls `m_owningLayer.page().scrollingCoordinator()`, which dereferences a null `Page` pointer. The frame's page has already been detached by `CachedFrame::destroy()` before the render tree is torn down. This is the same class of bug as Bug 308230 (307858@main), which fixed the identical pattern in `updateOverflowControlsLayers()`.

Crash stack:

```
0 WebCore: WeakPtrImplBase::get<Page>()
1 WebCore: WeakPtr<Page>::get()
2 WebCore: Frame::page()
3 WebCore: RenderObject::page()
4 WebCore: RenderLayer::page()
5 WebCore: RenderLayerBacking::updateAncestorClipping()
6 WebCore: RenderLayerBacking::~RenderLayerBacking()
7 WebCore: RenderLayer::clearBacking()
8 WebCore: RenderLayer::~RenderLayer()
[...]
36 WebCore: Document::destroyRenderTree()
37 WebCore: Document::willBeRemovedFromFrame()
38 WebCore: LocalFrame::setView()
39 WebCore: FrameLoader::detachFromParent()
40 WebCore: FrameLoader::frameDetached()
41 WebCore: HTMLFrameOwnerElement::disconnectContentFrame()
42 WebCore: disconnectSubframes()
43 WebCore: Document::willBeRemovedFromFrame()
46 WebCore: CachedFrame::destroy()
[...]
51 WebCore: CachedPage::~CachedPage()
[...]
58 WebCore: BackForwardCache::addIfCacheable()
59 WebCore: FrameLoader::commitProvisionalLoad()
```

All 5 crash logs show EXC_BAD_ACCESS (SIGSEGV) at address 0x8 (null + offset) on the main thread.

<rdar://150587917>
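The teardown order described in the report, as an added toy model that is neither WebKit code nor the fix that landed in the linked commit: a Frame whose Page pointer is cleared (the CachedFrame::destroy() step) before the render tree is destroyed, and a RenderLayerBacking destructor that looks the page up once and tolerates it being null. All class and member names are stand-ins borrowed from the crash stack; the counter on the coordinator is constructed so the outcome can be checked.

```cpp
#include <memory>
#include <vector>
// Toy model (not WebKit code) of the objects in the crash stack; every class is a stand-in.
struct ScrollingCoordinator { int clippingStacksCleared = 0; };
struct Page {
    ScrollingCoordinator coordinator;
    ScrollingCoordinator& scrollingCoordinator() { return coordinator; }
};
// Frame holds a non-owning Page pointer. CachedFrame::destroy() clears it before the
// render tree is torn down, so page() is already null when the destructors below run.
struct Frame {
    Page* m_page = nullptr;
    Page* page() const { return m_page; }
    void detachFromPage() { m_page = nullptr; }
};
struct RenderLayer {
    Frame& m_frame;
    explicit RenderLayer(Frame& frame) : m_frame(frame) {}
    Page* pageIfAttached() const { return m_frame.page(); }  // may be null
};
struct RenderLayerBacking {
    RenderLayer& m_owningLayer;
    std::unique_ptr<std::vector<int>> m_ancestorClippingStack;  // stand-in for the real stack
    explicit RenderLayerBacking(RenderLayer& layer)
        : m_owningLayer(layer), m_ancestorClippingStack(std::make_unique<std::vector<int>>()) {}
    // Crashing shape: m_owningLayer.page().scrollingCoordinator(), where page() dereferences
    // the cleared Page pointer. Guarded shape: fetch the page once, skip the coordinator
    // when the frame is detached, and still release the stack.
    void updateAncestorClipping(bool /*needsAncestorClip*/, const void* /*clippingStack*/) {
        if (m_ancestorClippingStack) {
            if (auto* page = m_owningLayer.pageIfAttached())
                page->scrollingCoordinator().clippingStacksCleared++;
            m_ancestorClippingStack = nullptr;
        }
    }
    ~RenderLayerBacking() { updateAncestorClipping(false, nullptr); }
};
// Tears down a one-layer render tree and returns how many stacks reached the coordinator;
// with evict == true the page is detached first, the order seen in the crash stack.
int tearDownRenderTree(bool evict) {
    Page page;
    Frame frame{&page};
    {
        RenderLayer layer(frame);
        RenderLayerBacking backing(layer);
        if (evict)
            frame.detachFromPage();  // CachedFrame::destroy() happens here ...
    }                                // ... then ~RenderLayer() -> ~RenderLayerBacking()
    return page.coordinator.clippingStacksCleared;
}
```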
Comment 1 - David Kilzer (:ddkilzer), 2026-03-29 20:25:07 PDT
Pull request: https://github.com/WebKit/WebKit/pull/61654
Comment 2 - EWS, 2026-03-30 20:07:22 PDT
Committed 310278@main (f19f83b2829c): <https://commits.webkit.org/310278@main>
Reviewed commits have been landed. Closing PR #61654 and removing active labels.