Bug 302703

Summary: [scroll-animations-1] Tab crashes when an element containing a scoped scroll-driven animation from an inner pseudo-element repeatedly changes display while depending on cqw
Product: WebKit Reporter: Roman Komarov <kizmarh>
Component: AnimationsAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: graouts, karlcow, simon.fraser, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 26   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
A saved codepen example with the minimal reproduction none

Roman Komarov
Reported 2025-11-18 02:09:10 PST
Created attachment 477419 [details] A saved codepen example with the minimal reproduction To reproduce, open https://codepen.io/kizu/pen/QwNgKdz?editors=1100 or the attached saved .html from it, and then repeatedly open/close the details. This happened in a much more involved use case while I was writing a new article, but I think I managed to remove anything non-related to have a minimally-reproducible example. For me, this happens both in stable Safari Version 26.1 (20622.2.11.119.1), and in STP Release 232 (WebKit 20624.1.2.19.2)
Attachments
A saved codepen example with the minimal reproduction (1.31 KB, text/html)
2025-11-18 02:09 PST, Roman Komarov 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-11-18 10:34:11 PST
<rdar://problem/164979494>
Simon Fraser (smfr)
Comment 2 2025-11-18 10:34:44 PST
Crash in: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 WebCore 0x11dd6a9cc WebCore::compareCSSAnimations(WebCore::CSSAnimation const&, WebCore::CSSAnimation const&) + 448 1 WebCore 0x11dd4fae8 void std::__1::__stable_sort<std::__1::_RangeAlgPolicy, std::__1::_ProjectedPred<bool (*)(WebCore::WebAnimation const&, WebCore::WebAnimation const&), WebCore::KeyframeEffectStack::ensureEffectsAreSorted()::$_0>&, WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*>(WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*, WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*, std::__1::_ProjectedPred<bool (*)(WebCore::WebAnimation const&, WebCore::WebAnimation const&), WebCore::KeyframeEffectStack::ensureEffectsAreSorted()::$_0>&, std::__1::iterator_traits<WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*>::difference_type, std::__1::iterator_traits<WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*>::value_type*, long) + 124 2 WebCore 0x11dd3d634 WebCore::KeyframeEffectStack::ensureEffectsAreSorted() + 184 3 WebCore 0x11dd3d888 WebCore::KeyframeEffectStack::applyKeyframeEffects(WebCore::RenderStyle&, WTF::HashSet<mpark::variant<WebCore::CSSPropertyID, WTF::AtomString>, WTF::DefaultHash<mpark::variant<WebCore::CSSPropertyID, WTF::AtomString>>, WTF::HashTraits<mpark::variant<WebCore::CSSPropertyID, WTF::AtomString>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1>&, WebCore::RenderStyle const*, WebCore::Style::ResolutionContext const&) + 384 4 WebCore 0x11f3a6c6c WebCore::Style::TreeResolver::createAnimatedElementUpdate(WebCore::Style::ResolvedStyle&&, WebCore::Styleable const&, WTF::OptionSet<WebCore::Style::Change, (WTF::ConcurrencyTag)0>, WebCore::Style::ResolutionContext const&, WebCore::Style::IsInDisplayNoneTree) + 9556 5 WebCore 0x11f39f38c WebCore::Style::TreeResolver::resolveElement(WebCore::Element&, WebCore::RenderStyle const*, WebCore::Style::TreeResolver::ResolutionType) + 2592
Note You need to log in before you can comment on or make changes to this bug.