312263 2026-04-14 06:01:19 -0700 [scroll-animations] null deref under `WebAnimation::range()` when a scroll-driven animation has no effect target 2026-04-15 04:13:27 -0700 1 1 1 Unclassified WebKit Animations WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://github.com/web-platform-tests/wpt/pull/59209 InRadar P2 Normal --- 1 graouts graouts graouts heg1090 webkit-bug-importer oldest_to_newest 2200168 0 graouts 2026-04-14 06:01:19 -0700 If a scroll-driven animation has its effect target set to nullptr, a null deref will happen in ` Style::deprecatedLengthConversionCreateCSSToLengthConversionData(RefPtr<Element>)` because we pass a null value from `WebAnimation::range()`. Here's a stack trace: #0 0x00014f80e424 in WebCore::Style::deprecatedLengthConversionCreateCSSToLengthConversionData(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>>) #1 0x00014f5d928c in WebCore::Style::DeprecatedCSSValueConversion<WebCore::Style::SingleAnimationRangeLength>::operator()(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>> const&, WebCore::CSSPrimitiveValue const&)::'lambda'()::operator()() #2 0x00014f5d0118 in WebCore::Style::DeprecatedCSSValueConversion<WebCore::Style::SingleAnimationRangeStart>::operator()(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>> const&, WebCore::CSSValue const&) #3 0x000149444f6c in WebCore::WebAnimation::range() #4 0x0001494445c4 in WebCore::WebAnimation::autoAlignStartTime() #5 0x0001493ec2b8 in WebCore::WebAnimation::tick() #6 0x0001492f1c28 in WebCore::AnimationTimelinesController::updateAnimationsAndSendEvents(WTF::Seconds) #7 0x00014a8f535c in WebCore::Document::updateAnimationsAndSendEvents() #8 0x00014d0f6680 in WebCore::Page::forEachRenderableDocument(WTF::Function<void (WebCore::Document&)> const&) const #9 0x0001420ceebc in WebCore::Page::updateRendering() #10 0x00011ebc6e20 in WebKit::WebPage::updateRendering() #11 0x00011905a6d4 in WebKit::RemoteLayerTreeDrawingArea::updateRendering() 2200169 1 webkit-bug-importer 2026-04-14 06:01:33 -0700 <rdar://problem/174738722> 2200173 2 graouts 2026-04-14 06:26:17 -0700 Pull request: https://github.com/WebKit/WebKit/pull/62728 2200180 3 graouts 2026-04-14 06:49:34 -0700 Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/59209 2200507 4 ews-feeder 2026-04-14 22:48:11 -0700 Committed 311262@main (9cc00aab3dc8): <https://commits.webkit.org/311262@main> Reviewed commits have been landed. Closing PR #62728 and removing active labels. 2200589 5 heg1090 2026-04-15 04:13:27 -0700 (In reply to Antoine Quint from comment #0) > If a scroll-driven animation has its effect target set to nullptr, a null > deref will happen in ` > Style:: > deprecatedLengthConversionCreateCSSToLengthConversionData(RefPtr<Element>)` > because we pass a null value from `WebAnimation::range()`. Here's a stack > trace: > > #0 0x00014f80e424 in > WebCore::Style:: > deprecatedLengthConversionCreateCSSToLengthConversionData(WTF:: > RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, > WTF::DefaultRefDerefTraits<WebCore::Element>>) > #1 0x00014f5d928c in > WebCore::Style::DeprecatedCSSValueConversion<WebCore::Style:: > SingleAnimationRangeLength>::operator()(WTF::RefPtr<WebCore::Element, > WTF::RawPtrTraits<WebCore::Element>, > WTF::DefaultRefDerefTraits<WebCore::Element>> const&, > WebCore::CSSPrimitiveValue const&)::'lambda'()::operator()() > #2 0x00014f5d0118 in > WebCore::Style::DeprecatedCSSValueConversion<WebCore::Style:: > SingleAnimationRangeStart>::operator()(WTF::RefPtr<WebCore::Element, > WTF::RawPtrTraits<WebCore::Element>, > WTF::DefaultRefDerefTraits<WebCore::Element>> const&, WebCore::CSSValue > const&) > #3 0x000149444f6c in WebCore::WebAnimation::range() > #4 0x0001494445c4 in WebCore::WebAnimation::autoAlignStartTime() > #5 0x0001493ec2b8 in WebCore::WebAnimation::tick() > #6 0x0001492f1c28 in > WebCore::AnimationTimelinesController::updateAnimationsAndSendEvents(WTF:: > Seconds) > #7 0x00014a8f535c in WebCore::Document::updateAnimationsAndSendEvents() > #8 0x00014d0f6680 in > WebCore::Page::forEachRenderableDocument(WTF::Function<void > (WebCore::Document&)> const&) const > #9 0x0001420ceebc in WebCore::Page::updateRendering() > #10 0x00011ebc6e20 in WebKit::WebPage::updateRendering() > #11 0x00011905a6d4 in WebKit::RemoteLayerTreeDrawingArea::updateRendering()