[webkit-changes] [WebKit/WebKit] ce5c27: REGRESSION(309376@main): Crash in ResizeObserver::...

Tue, 24 Mar 2026 16:26:54 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ce5c270171963802294b8050b40bf05d6f874eef
      
https://github.com/WebKit/WebKit/commit/ce5c270171963802294b8050b40bf05d6f874eef
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-03-24 (Tue, 24 Mar 2026)

  Changed paths:
    A LayoutTests/resize-observer/resize-observer-observe-twice-expected.txt
    A LayoutTests/resize-observer/resize-observer-observe-twice.html
    M Source/WebCore/page/ResizeObserver.cpp

  Log Message:
  -----------
  REGRESSION(309376@main): Crash in ResizeObserver::observeInternal
https://bugs.webkit.org/show_bug.cgi?id=310608
rdar://173145739

Reviewed by Anne van Kesteren.

The bug was caused by ResizeObserver::observeInternal calling 
ResizeObserver::unobserve,
which removes the entry from ListHashSet and invalidates the ListHashSet 
iterator.
Fixed the crash by storing the value in a local variable and avoid accessing it 
via
the invalidated iterator.

Test: resize-observer/resize-observer-observe-twice.html

* LayoutTests/resize-observer/resize-observer-observe-twice-expected.txt: Added.
* LayoutTests/resize-observer/resize-observer-observe-twice.html: Added.
* Source/WebCore/page/ResizeObserver.cpp:
(WebCore::ResizeObserver::observeInternal):

Canonical link: https://commits.webkit.org/309875@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to