RESOLVED FIXED 315034
Occasional crash in CollectionIndexCache::~CollectionIndexCache while running moveBefore tests.
https://bugs.webkit.org/show_bug.cgi?id=315034
Ryosuke Niwa
Reported 2026-05-18 12:13:31 PDT
We occasionally see a CheckedPtr crash in CollectionIndexCache while running moveBefore tests: e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 JavaScriptCore 0x12f796350 WTFCrash + 0
1 WebCore 0x30033d61c WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int, bool, (WTF::CheckedPtrDeleteCheckException)0>::crashDueToCheckedPtrToDeadObject() + 16
2 WebCore 0x30033d5f8 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int, bool, (WTF::CheckedPtrDeleteCheckException)0>::decrementCheckedPtrCount() const + 44
3 WebCore 0x3005cfaec WTF::CheckedPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::derefIfNotNull() + 56
4 WebCore 0x3005cfaa4 WTF::CheckedPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::~CheckedPtr() + 32
5 WebCore 0x3005cf7e4 WTF::CheckedPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::~CheckedPtr() + 32
6 WebCore 0x300ef0b20 WebCore::ElementIterator<WebCore::Element>::~ElementIterator() + 48
7 WebCore 0x301d0978c WebCore::ElementChildIterator<WebCore::Element>::~ElementChildIterator() + 32
8 WebCore 0x301c3f42c WebCore::ElementChildIterator<WebCore::Element>::~ElementChildIterator() + 32
9 WebCore 0x3076985e8 WebCore::CollectionIndexCache<WebCore::GenericCachedHTMLCollection<(WebCore::CollectionType)11>, WebCore::ElementChildIterator<WebCore::Element>>::~CollectionIndexCache() + 44
10 WebCore 0x3076985ac WebCore::CollectionIndexCache<WebCore::GenericCachedHTMLCollection<(WebCore::CollectionType)11>, WebCore::ElementChildIterator<WebCore::Element>>::~CollectionIndexCache() + 32
11 WebCore 0x307687010 WebCore::CachedHTMLCollection<WebCore::GenericCachedHTMLCollection<(WebCore::CollectionType)11>>::~CachedHTMLCollection() + 116
12 WebCore 0x307686f8c WebCore::GenericCachedHTMLCollection<(WebCore::CollectionType)11>::~GenericCachedHTMLCollection() + 32
13 WebCore 0x307687048 WebCore::GenericCachedHTMLCollection<(WebCore::CollectionType)11>::~GenericCachedHTMLCollection() + 32
14 WebCore 0x307687078 WebCore::GenericCachedHTMLCollection<(WebCore::CollectionType)11>::~GenericCachedHTMLCollection() + 32
15 WebCore 0x301081de8 WTF::RefCounted<JSC::EmbedderArrayLike>::deref() const + 100
16 WebCore 0x301081d48 WTF::DefaultRefDerefTraits<WebCore::HTMLCollection>::derefIfNotNull(WebCore::HTMLCollection*) + 44
17 WebCore 0x301081cd8 WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection>, WTF::DefaultRefDerefTraits<WebCore::HTMLCollection>>::~Ref() + 64
18 WebCore 0x301008cd0 WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection>, WTF::DefaultRefDerefTraits<WebCore::HTMLCollection>>::~Ref() + 32
19 WebCore 0x302697988 WebCore::JSDOMWrapper<WebCore::HTMLCollection, WTF::RawPtrTraits<WebCore::HTMLCollection>>::~JSDOMWrapper() + 36
20 WebCore 0x302697954 WebCore::JSHTMLCollection::~JSHTMLCollection() + 32
21 WebCore 0x3025ec904 WebCore::JSHTMLCollection::~JSHTMLCollection() + 32
22 WebCore 0x3001008d4 WebCore::JSHTMLCollection::destroy(JSC::JSCell*) + 36

<rdar://177337493>
Ryosuke Niwa
Comment 1 2026-05-18 12:22:08 PDT
Chris Dumez
Comment 2 2026-05-18 15:03:42 PDT
EWS
Comment 3 2026-05-18 15:04:37 PDT
Committed 313444@main (958ef3d92e6e): <https://commits.webkit.org/313444@main> Reviewed commits have been landed. Closing PR #65120 and removing active labels.
Alexey Proskuryakov
Comment 4 2026-05-19 11:30:00 PDT
*** Bug 315048 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 5 2026-05-19 11:51:28 PDT
*** Bug 315031 has been marked as a duplicate of this bug. ***