I'm seeing a crash when scrolling a Glint survey. Turns out it was introduced in r289216 "[css-logical] [web-animations] Add support for logical properties in JS-originated animations".

The backtrace looks like this:

(gdb) bt
#0  WebCore::RenderStyle::direction (this=<optimized out>)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/rendering/style/RenderStyle.h:398
#1  WebCore::DocumentTimeline::animationCanBeRemoved (this=<optimized out>, animation=...)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/DocumentTimeline.cpp:243
#2  0x00007efc7895916a in WebCore::DocumentTimeline::animationCanBeRemoved (animation=..., this=0x7efb2c4fcf18)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/WebAnimation.h:90
#3  WebCore::DocumentTimeline::removeReplacedAnimations (this=0x7efb2c4fcf18)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/DocumentTimeline.cpp:282
#4  0x00007efc78959855 in WebCore::DocumentTimelinesController::updateAnimationsAndSendEvents (this=<optimized out>, 
    timestamp=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/animation/DocumentTimelinesController.cpp:133
#5  0x00007efc7921c8d8 in WTF::Function<void (WebCore::Document&)>::operator()(WebCore::Document&) const (in#0=..., 
    this=0x7fffeb080ab0) at /home/mcatanzaro/Projects/WebKit/WebKitBuild/GNOME/WTF/Headers/wtf/Function.h:82
#6  WebCore::Page::forEachDocumentFromMainFrame(WebCore::Frame const&, WTF::Function<void (WebCore::Document&)> const&) (mainFrame=..., functor=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:3433
#7  0x00007efc7921c989 in WebCore::Page::forEachDocument(WTF::Function<void (WebCore::Document&)> const&) const (
    this=<optimized out>, functor=...) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:3438
#8  0x00007efc7922d956 in operator() (perDocumentFunction=..., step=WebCore::RenderingUpdateStep::Animations, 
    __closure=<synthetic pointer>) at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:1597
#9  WebCore::Page::updateRendering (this=0x7efc60f81000)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/page/Page.cpp:1617
#10 0x00007efc77fc85d9 in WebKit::WebPage::updateRendering (this=<optimized out>)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/WebPage.cpp:4275
#11 0x00007efc77ff9e0c in WebKit::CompositingCoordinator::flushPendingLayerChanges (this=this@entry=0x7efc60f44108, 
    flags=...)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:124
#12 0x00007efc77fffa16 in WebKit::LayerTreeHost::layerFlushTimerFired (this=0x7efc60f44000)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:157
#13 WebKit::LayerTreeHost::layerFlushTimerFired (this=0x7efc60f44000)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:136
#14 0x00007efc75f9ec95 in operator() (__closure=0x0, userData=userData@entry=0x7efc60f440d8)
    at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:177
#15 _FUN () at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:181
#16 0x00007efc75f9f0df in operator() (__closure=0x0, userData=0x7efc60f440d8, 
    callback=0x7efc75f9ec20 <_FUN(gpointer)>, source=0xb7c190)
    at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#17 _FUN () at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#18 0x00007efc728ae26d in g_main_dispatch (context=0x797b80) at ../../../../Projects/glib/glib/gmain.c:3413
#19 0x00007efc728af1c0 in g_main_context_dispatch (context=0x797b80) at ../../../../Projects/glib/glib/gmain.c:4131
#20 0x00007efc728af3ac in g_main_context_iterate (context=0x797b80, block=1, dispatch=1, self=0x77b350)
    at ../../../../Projects/glib/glib/gmain.c:4207
#21 0x00007efc728af849 in g_main_loop_run (loop=0x7b4d60) at ../../../../Projects/glib/glib/gmain.c:4405
#22 0x00007efc75f9f200 in WTF::RunLoop::run ()
    at /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#23 0x00007efc7800ca1f in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run (argc=3, 
    argv=0x7fffeb080f68, this=0x7fffeb080dc0)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:70
#24 WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run (argv=0x7fffeb080f68, argc=3, this=0x7fffeb080dc0)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:57
#25 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk> (argc=3, argv=0x7fffeb080f68)
    at /home/mcatanzaro/Projects/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:96
#26 0x00007efc72286560 in __libc_start_call_main (main=main@entry=0x401040 <main(int, char**)>, argc=argc@entry=3, 
    argv=argv@entry=0x7fffeb080f68) at ../sysdeps/nptl/libc_start_call_main.h:58
#27 0x00007efc7228660c in __libc_start_main_impl (main=0x401040 <main(int, char**)>, argc=3, argv=0x7fffeb080f68, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffeb080f58) at ../csu/libc-start.c:409
#28 0x0000000000401075 in _start ()

Poking at it, the problem is that target->render() is nullptr. The ASSERT(target->renderer()) would be failing in a debug build.

The complication here is that the web content I have that triggers this crash cannot be made public, and I have no experience with trying to build minimal reproducers. I'm just gonna hope that this is enough info to solve the problem. If you need more, I'm happy to test changes.