302703 2025-11-18 02:09:10 -0800 [scroll-animations-1] Tab crashes when an element containing a scoped scroll-driven animation from an inner pseudo-element repeatedly changes display while depending on cqw 2026-01-12 09:02:05 -0800 1 1 1 Unclassified WebKit Animations Safari 26 Unspecified Unspecified NEW InRadar P2 Normal --- 1 kizmarh webkit-unassigned graouts karlcow simon.fraser webkit-bug-importer oldest_to_newest 2159545 0 477419 kizmarh 2025-11-18 02:09:10 -0800 Created attachment 477419 A saved codepen example with the minimal reproduction To reproduce, open https://codepen.io/kizu/pen/QwNgKdz?editors=1100 or the attached saved .html from it, and then repeatedly open/close the details. This happened in a much more involved use case while I was writing a new article, but I think I managed to remove anything non-related to have a minimally-reproducible example. For me, this happens both in stable Safari Version 26.1 (20622.2.11.119.1), and in STP Release 232 (WebKit 20624.1.2.19.2) 2159636 1 webkit-bug-importer 2025-11-18 10:34:11 -0800 <rdar://problem/164979494> 2159637 2 simon.fraser 2025-11-18 10:34:44 -0800 Crash in: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 WebCore 0x11dd6a9cc WebCore::compareCSSAnimations(WebCore::CSSAnimation const&, WebCore::CSSAnimation const&) + 448 1 WebCore 0x11dd4fae8 void std::__1::__stable_sort<std::__1::_RangeAlgPolicy, std::__1::_ProjectedPred<bool (*)(WebCore::WebAnimation const&, WebCore::WebAnimation const&), WebCore::KeyframeEffectStack::ensureEffectsAreSorted()::$_0>&, WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*>(WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*, WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*, std::__1::_ProjectedPred<bool (*)(WebCore::WebAnimation const&, WebCore::WebAnimation const&), WebCore::KeyframeEffectStack::ensureEffectsAreSorted()::$_0>&, std::__1::iterator_traits<WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*>::difference_type, std::__1::iterator_traits<WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*>::value_type*, long) + 124 2 WebCore 0x11dd3d634 WebCore::KeyframeEffectStack::ensureEffectsAreSorted() + 184 3 WebCore 0x11dd3d888 WebCore::KeyframeEffectStack::applyKeyframeEffects(WebCore::RenderStyle&, WTF::HashSet<mpark::variant<WebCore::CSSPropertyID, WTF::AtomString>, WTF::DefaultHash<mpark::variant<WebCore::CSSPropertyID, WTF::AtomString>>, WTF::HashTraits<mpark::variant<WebCore::CSSPropertyID, WTF::AtomString>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1>&, WebCore::RenderStyle const*, WebCore::Style::ResolutionContext const&) + 384 4 WebCore 0x11f3a6c6c WebCore::Style::TreeResolver::createAnimatedElementUpdate(WebCore::Style::ResolvedStyle&&, WebCore::Styleable const&, WTF::OptionSet<WebCore::Style::Change, (WTF::ConcurrencyTag)0>, WebCore::Style::ResolutionContext const&, WebCore::Style::IsInDisplayNoneTree) + 9556 5 WebCore 0x11f39f38c WebCore::Style::TreeResolver::resolveElement(WebCore::Element&, WebCore::RenderStyle const*, WebCore::Style::TreeResolver::ResolutionType) + 2592 477419 2025-11-18 02:09:10 -0800 2025-11-18 02:09:10 -0800 A saved codepen example with the minimal reproduction Safari Crash repro.html text/html 1344 kizmarh PCFET0NUWVBFIGh0bWw+CjwhLS0gc2F2ZWQgZnJvbSB1cmw9KDAwNjYpaHR0cHM6Ly9jZHBuLmlv L3Blbi9kZWJ1Zy9Rd05nS2R6P2F1dGhlbnRpY2F0aW9uX2hhc2g9RHFBRGROZHh5ZE9BIC0tPgo8 aHRtbCBsYW5nPSJlbiI+PGhlYWQ+PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250 ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPgogIAogIAogIAogIAoKICA8dGl0bGU+U2Fm YXJpIENyYXNoIHJlcHJvPC90aXRsZT4KCiAgICA8bGluayByZWw9ImNhbm9uaWNhbCIgaHJlZj0i aHR0cHM6Ly9jb2RlcGVuLmlvL2tpenUvcGVuL1F3TmdLZHoiPgogIAogIAogIAogIAo8c3R5bGU+ Ci8qIFRoZSBjb250ZW50IHNob3VsZCBiZSBoaWRkZW4gdmlhIGRpc3BsYXk6IG5vbmUsIG5vdCBu ZWNlc3NhcmlseSB2aWEgZGV0YWlscy9kZXRhaWxzLWNvbnRlbnQuICovCmRldGFpbHM6bm90KFtv cGVuXSk6OmRldGFpbHMtY29udGVudCB7CiAgZGlzcGxheTogbm9uZTsKfQoKLmZvbyB7CiAgLyog SXQgbmVlZHMgdG8gYmUgYSBzY3JvbGwtZHJpdmVuIGFuaW1hdGlvbiBsaWZ0ZWQgdXAgdmlhIHRp bWVsaW5lLXNjb3BlLiAqLwogIGFuaW1hdGlvbjogLS1mb287CiAgYW5pbWF0aW9uLXRpbWVsaW5l OiAtLWZvbzsKICB0aW1lbGluZS1zY29wZTogLS1mb287CiAgLyogRXhhY3QgdmFsdWUgZG9lc24n dCBtYXR0ZXIsIHdoYXQgbWF0dGVycyBpcyB0aGF0IGl0IGlzIGluIGNxdy4gKi8KICBpbmxpbmUt c2l6ZTogNTBjcXc7Cn0KCi8qIE11c3QgYmUgYSBwc2V1ZG8tZWxlbWVudCBvbiBgLmJhcmAuIFNh bWUgb24gYC5mb29gIG9yIGFuIGFjdHVhbCBlbGVtZW50IGluc2lkZSBgLmJhcmAgd29uJ3QgdHJp Z2dlciB0aGlzLiAqLwouYmFyOjpiZWZvcmUgewogIGNvbnRlbnQ6ICcnOwogIC8qIEVpdGhlciBg dmlldy10aW1lbGluZWAgYW5kIGBzY3JvbGwtdGltZWxpbmVgIGFyZSBuZWVkZWQgdG8gcmVwcm9k dWNlICovCiAgc2Nyb2xsLXRpbWVsaW5lOiAtLWZvbzsKfQoKLyogS2V5ZnJhbWVzIGp1c3QgbmVl ZCB0byBiZSBwcmVzZW50LCBjb3VsZCBjb250YWluIGFueXRoaW5nICovCkBrZXlmcmFtZXMgLS1m b28ge30KPC9zdHlsZT4KCiAgCiAgCiAgCjwvaGVhZD4KCjxib2R5PgogIDxkZXRhaWxzPgogIDxz dW1tYXJ5PkV4cGFuZC9jb2xsYXBzZSBtZSBhIGZldyB0aW1lIGluIGEgcXVpY2sgc3VjY2Vzc2lv bjwvc3VtbWFyeT4KICA8ZGl2IGNsYXNzPSJmb28iPjxkaXYgY2xhc3M9ImJhciI+PC9kaXY+PC9k aXY+CiAgPGRpdiBjbGFzcz0iZm9vIj48ZGl2IGNsYXNzPSJiYXIiPjwvZGl2PjwvZGl2Pgo8L2Rl dGFpbHM+CiAgCiAgCiAgCgoKCjwvYm9keT48L2h0bWw+