Bug 312263

Summary: [scroll-animations] null deref under `WebAnimation::range()` when a scroll-driven animation has no effect target
Product: WebKit Reporter: Antoine Quint <graouts>
Component: Animations Assignee: Antoine Quint <graouts>
Status: RESOLVED FIXED    
Severity: Normal CC: graouts, heg1090, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://github.com/web-platform-tests/wpt/pull/59209

Antoine Quint
Reported 2026-04-14 06:01:19 PDT
If a scroll-driven animation has its effect target set to nullptr, a null deref will happen in `Style::deprecatedLengthConversionCreateCSSToLengthConversionData(RefPtr<Element>)` because we pass a null value from `WebAnimation::range()`. Here's a stack trace:

#0 0x00014f80e424 in WebCore::Style::deprecatedLengthConversionCreateCSSToLengthConversionData(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>>)
#1 0x00014f5d928c in WebCore::Style::DeprecatedCSSValueConversion<WebCore::Style::SingleAnimationRangeLength>::operator()(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>> const&, WebCore::CSSPrimitiveValue const&)::'lambda'()::operator()()
#2 0x00014f5d0118 in WebCore::Style::DeprecatedCSSValueConversion<WebCore::Style::SingleAnimationRangeStart>::operator()(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>> const&, WebCore::CSSValue const&)
#3 0x000149444f6c in WebCore::WebAnimation::range()
#4 0x0001494445c4 in WebCore::WebAnimation::autoAlignStartTime()
#5 0x0001493ec2b8 in WebCore::WebAnimation::tick()
#6 0x0001492f1c28 in WebCore::AnimationTimelinesController::updateAnimationsAndSendEvents(WTF::Seconds)
#7 0x00014a8f535c in WebCore::Document::updateAnimationsAndSendEvents()
#8 0x00014d0f6680 in WebCore::Page::forEachRenderableDocument(WTF::Function<void (WebCore::Document&)> const&) const
#9 0x0001420ceebc in WebCore::Page::updateRendering()
#10 0x00011ebc6e20 in WebKit::WebPage::updateRendering()
#11 0x00011905a6d4 in WebKit::RemoteLayerTreeDrawingArea::updateRendering()
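A minimal model of the failure mode described in the report, added here as an example; it is not WebKit's code and not the landed fix. The names mirror the report for readability, but `Element`, `ElementPtr`, `ConversionData`, `AnimationEffect`, `createConversionData` and the em-based range values are simplified stand-ins (assumptions), and `std::shared_ptr` stands in for `RefPtr`.

```cpp
// Added example (not WebKit code): models how a null effect target reaches a
// length-conversion helper that dereferences it, and the guard that prevents it.
#include <memory>
#include <optional>
#include <string>

struct Element { std::string tag; int fontSizePx = 16; };
using ElementPtr = std::shared_ptr<Element>; // stand-in for RefPtr<Element>

struct ConversionData { int fontSizePx; };

// Stand-in for deprecatedLengthConversionCreateCSSToLengthConversionData():
// it dereferences the element unconditionally, which is frame #0 in the report.
ConversionData createConversionData(const ElementPtr& element) {
    return ConversionData{ element->fontSizePx };
}

struct Range { double start; double end; };

struct AnimationEffect { ElementPtr target; }; // target may be null

struct WebAnimation {
    std::shared_ptr<AnimationEffect> effect;
    double startEm = 1.0; // constructed range endpoints, in em units
    double endEm = 3.0;

    // Before: the effect target is passed straight through, so a null target
    // is dereferenced inside createConversionData() (never call with null).
    Range rangeUnchecked() const {
        ConversionData data = createConversionData(effect->target);
        return { startEm * data.fontSizePx, endEm * data.fontSizePx };
    }

    // After: the caller checks for a missing effect or target first, so an
    // animation with no target reports "no resolvable range" instead of crashing.
    std::optional<Range> range() const {
        if (!effect || !effect->target)
            return std::nullopt;
        ConversionData data = createConversionData(effect->target);
        return Range{ startEm * data.fontSizePx, endEm * data.fontSizePx };
    }

    // Mirrors frame #4: consumers only use the range when it resolved.
    std::optional<double> autoAlignStartTime() const {
        auto r = range();
        if (!r)
            return std::nullopt;
        return r->start;
    }
};
```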
Radar WebKit Bug Importer
Comment 1 2026-04-14 06:01:33 PDT
Antoine Quint
Comment 2 2026-04-14 06:26:17 PDT
Antoine Quint
Comment 3 2026-04-14 06:49:34 PDT
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/59209
EWS
Comment 4 2026-04-14 22:48:11 PDT
Committed 311262@main (9cc00aab3dc8): <https://commits.webkit.org/311262@main> Reviewed commits have been landed. Closing PR #62728 and removing active labels.
heg1090
Comment 5 2026-04-15 04:13:27 PDT
(In reply to Antoine Quint from comment #0)
> If a scroll-driven animation has its effect target set to nullptr, a null deref will happen in `Style::deprecatedLengthConversionCreateCSSToLengthConversionData(RefPtr<Element>)` because we pass a null value from `WebAnimation::range()`. Here's a stack trace:
>
> #0 0x00014f80e424 in WebCore::Style::deprecatedLengthConversionCreateCSSToLengthConversionData(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>>)
> #1 0x00014f5d928c in WebCore::Style::DeprecatedCSSValueConversion<WebCore::Style::SingleAnimationRangeLength>::operator()(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>> const&, WebCore::CSSPrimitiveValue const&)::'lambda'()::operator()()
> #2 0x00014f5d0118 in WebCore::Style::DeprecatedCSSValueConversion<WebCore::Style::SingleAnimationRangeStart>::operator()(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>> const&, WebCore::CSSValue const&)
> #3 0x000149444f6c in WebCore::WebAnimation::range()
> #4 0x0001494445c4 in WebCore::WebAnimation::autoAlignStartTime()
> #5 0x0001493ec2b8 in WebCore::WebAnimation::tick()
> #6 0x0001492f1c28 in WebCore::AnimationTimelinesController::updateAnimationsAndSendEvents(WTF::Seconds)
> #7 0x00014a8f535c in WebCore::Document::updateAnimationsAndSendEvents()
> #8 0x00014d0f6680 in WebCore::Page::forEachRenderableDocument(WTF::Function<void (WebCore::Document&)> const&) const
> #9 0x0001420ceebc in WebCore::Page::updateRendering()
> #10 0x00011ebc6e20 in WebKit::WebPage::updateRendering()
> #11 0x00011905a6d4 in WebKit::RemoteLayerTreeDrawingArea::updateRendering()