Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3b9e70010b835f477b09ae4125ca352d301365c7
https://github.com/WebKit/WebKit/commit/3b9e70010b835f477b09ae4125ca352d301365c7
Author: Charlie Wolfe <charl...@apple.com>
Date: 2025-08-30 (Sat, 30 Aug 2025)
Changed paths:
M Source/WebCore/history/BackForwardCache.cpp
M Tools/TestWebKitAPI/Tests/WTF/HashMap.cpp
Log Message:
-----------
REGRESSION (macOS 15.4): Eclipse crashes in
BackForwardCache::markPagesForContentsSizeChanged
https://bugs.webkit.org/show_bug.cgi?id=290985
rdar://157132323
Reviewed by Michael Catanzaro.
In WebKitLegacy, m_cachedPageMap can be iterated while cached pages are being
pruned. When this happens,
the std::unique_ptr<CachedPage> remains in the map during ~CachedPage, but the
unique_ptr is nulled,
which can lead to a crash in the CachedPage destructor. We can avoid this by
ensuring that the CachedPage
is removed from the HashMap before its destructor is executed, which this
change does.
I’ve had trouble creating a layout test that hit this crash, but I have added
tests that shows the
HashMap behavior that leads to it.
* Source/WebCore/history/BackForwardCache.cpp:
(WebCore::BackForwardCache::prune):
* Tools/TestWebKitAPI/Tests/WTF/HashMap.cpp:
(TestWebKitAPI::TEST(WTF_HashMap, Set_Reenter)):
(TestWebKitAPI::TEST(WTF_HashMap, Take_Set_Reenter)):
Canonical link: https://commits.webkit.org/299363@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
