Bug 316441

Created attachment 479989 [details] repro ## Description A `popover` whose `::after` pseudo-element inherits **both** `position-anchor` and `position-area` from an anchor-positioned host crashes the render process. Showing it (`showPopover()`) is fine; **hiding** it (`hidePopover()`) crashes on the next layout. Removing either inherited property avoids the crash. ## Steps to reproduce 1. Open the test case in Safari Technology Preview (or a WebKit nightly). 2. Hover "Trigger" — the popover appears (fine). 3. Move the mouse back out (`hidePopover()`) — the render process crashes. ## Test case ```html <!DOCTYPE html> <style> .trigger { anchor-name: --tooltip; } .tooltip { position: absolute; inset: 0; margin: 0; position-anchor: --tooltip; position-area: bottom; &::after { content: ''; inline-size: 10px; block-size: 10px; background-color: blue; position: fixed; position-anchor: inherit; /* both inherits together... */ position-area: inherit; /* ...are required to crash */ } } </style> <div class="trigger">Trigger</div> <div class="tooltip" popover="manual">Tooltip</div> <script> const trigger = document.querySelector('.trigger'); const tooltip = document.querySelector('.tooltip'); trigger.addEventListener('mouseover', () => tooltip.showPopover()); trigger.addEventListener('mouseout', () => tooltip.hidePopover()); </script> ``` ## Regression range Introduced between `309613@main` (good) and `312360@main` (bad): https://github.com/WebKit/WebKit/compare/c5cdc14...92693c2 Not bisected to a single commit yet; likely in the `position-area`/anchor-positioning churn there (e.g. 310398@main "Accommodate pseudo-elements when sorting anchor elements by tree order"). Reproduces in shipping STP/nightly; not in released Safari. Originally reported against Playwright: https://github.com/microsoft/playwright/issues/41159