Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 19b49e75dba6391d469c7d1a0a81bf085020e3d5
https://github.com/WebKit/WebKit/commit/19b49e75dba6391d469c7d1a0a81bf085020e3d5
Author: Brandon Stewart <[email protected]>
Date: 2025-12-12 (Fri, 12 Dec 2025)
Changed paths:
M Source/WebCore/rendering/GridMasonryLayout.cpp
Log Message:
-----------
[css-grid-3] Clear m_itemOffsets in initializeMasonry to fix crash with stale
WeakRef keys
https://bugs.webkit.org/show_bug.cgi?id=304084
rdar://problem/166404830
Reviewed by Sammy Gill.
The m_itemOffsets HashMap uses SingleThreadWeakRef<const RenderBox> as keys.
When RenderBox objects are destroyed between masonry layout phases, the WeakRef
keys become stale (null pointers). When inserting a new item via set(), the
HashMap comparison logic may compare against these stale entries, triggering
an assertion failure in WeakRef::ptr().
Fix by clearing m_itemOffsets at the start of each masonry placement run,
along with the other state variables that are already being reset.
* Source/WebCore/rendering/GridMasonryLayout.cpp:
(WebCore::GridMasonryLayout::initializeMasonry):
Canonical link: https://commits.webkit.org/304384@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
