Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a7e0750c30773838d1fd76787cc3d86dda56bc8c
      
https://github.com/WebKit/WebKit/commit/a7e0750c30773838d1fd76787cc3d86dda56bc8c
  Author: Sammy Gill <[email protected]>
  Date:   2026-02-05 (Thu, 05 Feb 2026)

  Changed paths:
    M Source/WebCore/css/CSSToLengthConversionData.cpp
    M Source/WebCore/style/values/primitives/StyleLengthResolution.cpp

  Log Message:
  -----------
  Speculative fix for crashes underneath StyleLengthResolution::adjustValueForPageZoom
https://bugs.webkit.org/show_bug.cgi?id=306989
rdar://168722605

Reviewed by Brent Fulgham.

Stability data seems to suggest that it is possible to hit some crashes
underneath StyleLengthResolution::adjustValueForPageZoom. These crashes
seem to be coming from the fact that we attempt to access the page zoom
factor via the RenderView on CSSToLengthConversionData.

It is not very clear how we can get into this state since code
inspection seems to indicate that we try very hard to make sure that
cleanup between these two objects is handled properly. An investigation
to attempt to reproduce this crash has also not been very fruitful since
it seems at least some of those who experienced this crash were not
aware that it happened, could not remember it occurring, or were not
able to get it to reproduce either by navigating through history.

In order to increase stability, and also hopefully be able to obtain
more actionable bug reports, we attempt a speculative fix for
addressing this crash. The main change is that in the constructor for
CSSToLengthConversionData, we use a new helper function to figure out
what we should use for the RenderView field. Since we cannot directly
check the existence of the LocalFrameView on the RenderView, we
look at the Document, which is the sole owner of the RenderView, to see
if it is still there. If the Document no longer has its LocalFrameView,
then we will return nullptr for the RenderView. Much of the other code
in CSSToLengthConversionData already performs a nullptr check for
RenderView, so we also need to start doing the same in
adjustValueForPageZoom since there is no guarantee that this pointer is
always non-null.

Canonical link: https://commits.webkit.org/306918@main
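To make the ownership argument above concrete, here is an added illustration (not WebKit's code) of the pattern the message describes: a helper that only hands out the RenderView while its owning Document still has a frame view, and a zoom adjustment that tolerates a null RenderView. All type and function names below are hypothetical stand-ins for the WebKit classes named in the message.

```cpp
#include <memory>

// Hypothetical stand-ins, not WebKit's real classes.
struct LocalFrameView { float pageZoomFactor = 1.0f; };

struct RenderView {
    // Reaches the zoom factor through a frame view it neither owns nor can
    // validate; dereferencing this after the view is gone is the crash path.
    LocalFrameView* frameView = nullptr;
    float pageZoomFactor() const { return frameView->pageZoomFactor; }
};

struct Document {
    std::unique_ptr<LocalFrameView> view;      // may be torn down first
    std::unique_ptr<RenderView> renderView;    // Document is the sole owner
    void detachFrameView() { view.reset(); }
};

// Helper in the spirit of the fix: the Document owns the RenderView, so it is
// the place to ask whether the LocalFrameView is still alive. If not, callers
// get nullptr instead of a RenderView that would dereference a dead view.
const RenderView* renderViewIfFrameViewAlive(const Document& document) {
    if (!document.view)
        return nullptr;
    return document.renderView.get();
}

struct ConversionData { const RenderView* renderView; };

// The pre-fix version assumed renderView was never null. With the helper
// above that is no longer true, so fall back to the unzoomed value.
double adjustValueForPageZoom(double value, const ConversionData& data) {
    if (!data.renderView)
        return value;
    return value * data.renderView->pageZoomFactor();
}

// Builds a document with the given zoom, optionally tearing the frame view
// down first (the suspected crash state), and resolves a length through it.
double adjustedValue(double value, float zoom, bool detachFrameViewFirst) {
    Document document;
    document.view = std::make_unique<LocalFrameView>();
    document.view->pageZoomFactor = zoom;
    document.renderView = std::make_unique<RenderView>();
    document.renderView->frameView = document.view.get();
    if (detachFrameViewFirst)
        document.detachFrameView();   // RenderView now points at a dead view
    ConversionData data { renderViewIfFrameViewAlive(document) };
    return adjustValueForPageZoom(value, data);
}
```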
