Occasional crash in CollectionIndexCache::~CollectionIndexCache while running moveBefore tests. by rniwa · Pull Request #65120 · WebKit/WebKit

rniwa · 2026-05-18T19:22:04Z

`958ef3d`

Occasional crash in CollectionIndexCache::~CollectionIndexCache while running moveBefore tests.
https://bugs.webkit.org/show_bug.cgi?id=315034
rdar://177337493

Reviewed by Simon Fraser.

Notify the parent nodes for a child move so that things like HTMLCollectionCache gets invalidated.

No new tests since existing tests cover this scenario.

More tests progress with this change except script-move-before.html which regresses.

* LayoutTests/imported/w3c/web-platform-tests/dom/nodes/moveBefore/Node-moveBefore-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/dom/nodes/moveBefore/iframe-document-preserve.window-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/dom/nodes/moveBefore/moveBefore-name-map-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/dom/nodes/moveBefore/script-move-before-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/dom/nodes/moveBefore/slotchange-events-expected.txt:
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::ContainerNode::moveBefore):

Canonical link: https://commits.webkit.org/313444@main

a789fd4

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win	✅ 🛠 ios-apple
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	✅ 🧪 win-tests	✅ 🛠 mac-apple
✅ 🧪 webkitperl	~~🧪 ios-wk2~~	✅ 🧪 api-mac	✅ 🧪 api-wpe		❌ 🛠 vision-apple
	~~🧪 ios-wk2-wpt~~	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
	✅ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🛠 gtk
	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🛠 playstation
✅ 🛠 🧪 unsafe-merge	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim	✅ 🧪 mac-site-isolation
	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2026-05-18T19:22:11Z

EWS run on current version of this PR (hash a789fd4)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win	✅ 🛠 ios-apple
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	✅ 🧪 win-tests	✅ 🛠 mac-apple
✅ 🧪 webkitperl	~~🧪 ios-wk2~~	✅ 🧪 api-mac	✅ 🧪 api-wpe		❌ 🛠 vision-apple
	~~🧪 ios-wk2-wpt~~	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
	✅ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🛠 gtk
	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🛠 playstation
✅ 🛠 🧪 unsafe-merge	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim	✅ 🧪 mac-site-isolation
	✅ 🛠 watch
	✅ 🛠 watch-sim

lukewarlow · 2026-05-18T19:34:01Z

Do you happen to know the iteration count that triggers this crash?

Either way this looks fine as a temporary fix I suspect in the end we don't want to call this and will handle it another way. (I might be wrong on that but the spec never fires these steps from my reading of it)

rniwa · 2026-05-18T19:35:21Z

Do you happen to know the iteration count that triggers this crash?

Either way this looks fine as a temporary fix I suspect in the end we don't want to call this and will handle it another way. (I might be wrong on that but the spec never fires these steps from my reading of it)

./Tools/Scripts/run-webkit-tests --debug --no-build --no-show-results --no-retry --exit-after-n-crashes-or-timeout 1 imported/w3c/web-platform-tests/dom/nodes/moveBefore/ --iterations 100

rniwa · 2026-05-18T19:54:10Z

Either way this looks fine as a temporary fix I suspect in the end we don't want to call this and will handle it another way. (I might be wrong on that but the spec never fires these steps from my reading of it)

The spec doesn't mention it because there is no equivalent step / concept in the spec. childrenChanged must be called on each parent whose child list has changed. We might want to add a new type for "move" but we absolutely must call it.

lukewarlow · 2026-05-18T19:57:03Z

Ah okay, I thought they were the same as https://dom.spec.whatwg.org/#concept-node-children-changed-ext

rniwa · 2026-05-18T20:00:13Z

Ah okay, I thought they were the same as https://dom.spec.whatwg.org/#concept-node-children-changed-ext

Oh, that's very confusing. We should probably rename childrenChanged to avoid confusion.

smfr · 2026-05-18T21:39:48Z

@@ -1,4 +1,4 @@

-PASS Synchronous script execution in HTMLScriptElement during moveBefore should be blocked
-PASS Synchronous script execution in SVGScriptElement during moveBefore should be blocked
+FAIL Synchronous script execution in HTMLScriptElement during moveBefore should be blocked assert_false: <html:script> does not define moving steps which allow script execution. expected false got true


Is it OK that this PASS changes to a FAIL?

Yes, we'd just need to follow up.

… running moveBefore tests. https://bugs.webkit.org/show_bug.cgi?id=315034 rdar://177337493 Reviewed by Simon Fraser. Notify the parent nodes for a child move so that things like HTMLCollectionCache gets invalidated. No new tests since existing tests cover this scenario. More tests progress with this change except script-move-before.html which regresses. * LayoutTests/imported/w3c/web-platform-tests/dom/nodes/moveBefore/Node-moveBefore-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/dom/nodes/moveBefore/iframe-document-preserve.window-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/dom/nodes/moveBefore/moveBefore-name-map-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/dom/nodes/moveBefore/script-move-before-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/dom/nodes/moveBefore/slotchange-events-expected.txt: * Source/WebCore/dom/ContainerNode.cpp: (WebCore::ContainerNode::moveBefore): Canonical link: https://commits.webkit.org/313444@main

webkit-commit-queue · 2026-05-18T22:04:36Z

Committed 313444@main (958ef3d): https://commits.webkit.org/313444@main

Reviewed commits have been landed. Closing PR #65120 and removing active labels.

rniwa requested a review from cdumez as a code owner May 18, 2026 19:22

rniwa self-assigned this May 18, 2026

rniwa added the New Bugs Unclassified bugs are placed in this component until the correct component can be determined. label May 18, 2026

rniwa requested review from annevk and lukewarlow May 18, 2026 19:25

smfr approved these changes May 18, 2026

View reviewed changes

rniwa added the unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing label May 18, 2026

webkit-commit-queue force-pushed the fix315034-moveBefore-collection-crash branch from a789fd4 to 958ef3d Compare May 18, 2026 22:04

webkit-commit-queue merged commit 958ef3d into WebKit:main May 18, 2026

webkit-commit-queue removed the unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing label May 18, 2026

rniwa deleted the fix315034-moveBefore-collection-crash branch May 19, 2026 05:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Occasional crash in CollectionIndexCache::~CollectionIndexCache while running moveBefore tests.#65120

Occasional crash in CollectionIndexCache::~CollectionIndexCache while running moveBefore tests.#65120
webkit-commit-queue merged 1 commit into
WebKit:mainfrom
rniwa:fix315034-moveBefore-collection-crash

rniwa commented May 18, 2026 •

edited by webkit-early-warning-system

Loading

Uh oh!

webkit-early-warning-system commented May 18, 2026 •

edited

Loading

Uh oh!

lukewarlow commented May 18, 2026 •

edited

Loading

Uh oh!

rniwa commented May 18, 2026

Uh oh!

rniwa commented May 18, 2026

Uh oh!

lukewarlow commented May 18, 2026

Uh oh!

rniwa commented May 18, 2026

Uh oh!

smfr May 18, 2026

Uh oh!

rniwa May 18, 2026

Uh oh!

webkit-commit-queue commented May 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

rniwa commented May 18, 2026 • edited by webkit-early-warning-system Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

958ef3d

Uh oh!

webkit-early-warning-system commented May 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

lukewarlow commented May 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rniwa commented May 18, 2026

Uh oh!

rniwa commented May 18, 2026

Uh oh!

lukewarlow commented May 18, 2026

Uh oh!

rniwa commented May 18, 2026

Uh oh!

smfr May 18, 2026

Choose a reason for hiding this comment

Uh oh!

rniwa May 18, 2026

Choose a reason for hiding this comment

Uh oh!

webkit-commit-queue commented May 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

rniwa commented May 18, 2026 •

edited by webkit-early-warning-system

Loading

`958ef3d`

webkit-early-warning-system commented May 18, 2026 •

edited

Loading

lukewarlow commented May 18, 2026 •

edited

Loading