Bug 301057

Summary: REGRESSION (300909@main): Closing a transitioned popover with "position-try" can crash the browser window
Product: WebKit
Reporter: Ehren <arrow_actions.7g>
Component: Layout and Rendering
Assignee: Kiet Ho <kiet.ho>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, kiet.ho, simon.fraser, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Attachments:
Description: Screen recording of Safari crashing when a popover is dismissed
Flags: none

Ehren
Reported 2025-10-19 03:40:39 PDT
Created attachment 477130
Screen recording of Safari crashing when a popover is dismissed

Affected browsers: Safari 26.0 and Safari TP 230

Demo: https://codepen.io/eharber/pen/raxpqBw?editors=1100

Closing a popover with the following styles will crash the browser tab if the toggle button is positioned near the top of the page:

[popover] {
  margin: 0;
  position-area: top;
  position-try: flip-block, flip-inline, flip-block flip-inline;
  transition-property: display, overlay, opacity, translate;
  transition-behavior: allow-discrete;
  transition-duration: .3s;
  opacity: 0;

  &:popover-open {
    opacity: 1;

    @starting-style {
      & {
        opacity: 0;
      }
    }
  }
}
Attachments
Screen recording of Safari crashing when a popover is dismissed (272.23 KB, video/quicktime)
2025-10-19 03:40 PDT, Ehren
no flags
Ehren
Comment 1 2025-10-19 03:52:27 PDT
My apologies, Safari 26.0 doesn't actually display the popover at all. But in Safari TP 230, the browser tab crashes when the popover is closed.
Alexey Proskuryakov
Comment 2 2025-10-20 16:21:26 PDT
0 com.apple.WebCore 0x1b9592f90 WTF::CrashOnOverflow::crash() + 0 wtf/CheckedArithmetic.h:110 [inlined]
1 com.apple.WebCore 0x1b9592f90 WTF::CrashOnOverflow::overflowed() + 0 wtf/CheckedArithmetic.h:103 [inlined]
2 com.apple.WebCore 0x1b9592f90 WTF::Vector<WebCore::Style::TreeResolver::PositionOption, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long) + 0 wtf/Vector.h:734 [inlined]
3 com.apple.WebCore 0x1b9592f90 WTF::Vector<WebCore::Style::TreeResolver::PositionOption, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[](unsigned long) + 0 wtf/Vector.h:744 [inlined]
4 com.apple.WebCore 0x1b9592f90 WebCore::Style::TreeResolver::sortPositionOptionsIfNeeded(WebCore::Style::TreeResolver::PositionOptions&, WebCore::Styleable const&) + 2596 Sources/WebCore/Source/WebCore/style/StyleTreeResolver.cpp:1668
Radar WebKit Bug Importer
Comment 3 2025-10-20 16:21:31 PDT
Kiet Ho
Comment 4 2025-10-20 16:47:59 PDT
Besides the crash, there's also this thing where the popover "jumps" to a different position when it's dismissing. This is tracked in a different issue (rdar://160639948).
Kiet Ho
Comment 5 2025-10-21 16:26:04 PDT
Kiet Ho
Comment 6 2025-10-21 16:41:27 PDT
The issue of the popover jumping around when dismissing is also tracked here: https://bugs.webkit.org/show_bug.cgi?id=301070
EWS
Comment 7 2025-10-22 13:32:09 PDT
Committed 301966@main (1f488a95e2fc): <https://commits.webkit.org/301966@main> Reviewed commits have been landed. Closing PR #52775 and removing active labels.