Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1eecf74ee36e0c13573d3ee047f178860c331d7a
https://github.com/WebKit/WebKit/commit/1eecf74ee36e0c13573d3ee047f178860c331d7a
Author: Charlie Wolfe <[email protected]>
Date: 2026-02-24 (Tue, 24 Feb 2026)
Changed paths:
M Source/WebCore/page/scrolling/mac/ScrollerMac.mm
Log Message:
-----------
Crash during `ScrollerMac` destruction
https://bugs.webkit.org/show_bug.cgi?id=308577
rdar://166098932
Reviewed by Simon Fraser.
This crash happens with the following sequence:
1. ScrollerMac is destroyed.
2. Its RetainPtr<WebScrollerImpDelegateMac> member is released.
3. The WebScrollbarPartAnimationMac objects on WebScrollerImpDelegateMac are
autoreleased, so their
dealloc can run after ScrollerMac is already destroyed.
4. dealloc runs and destroys the CheckedPtr<ScrollerMac> ivar, calling
~CheckedPtr() on the
already-dead ScrollerMac.
Call [m_scrollerImpDelegate invalidate] in ~ScrollerMac to null out the
CheckedPtr references in
both the delegate and its animations.
* Source/WebCore/page/scrolling/mac/ScrollerMac.mm:
(WebCore::ScrollerMac::~ScrollerMac):
Canonical link: https://commits.webkit.org/308177@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
