Bug 286534 - RESOLVED FIXED
REGRESSION(274481@main): crash when trying to open web inspector, `RELEASE_ASSERT(!m_inStyleRecalc)` hit under `Document::resolveStyle()`
https://bugs.webkit.org/show_bug.cgi?id=286534
Roman Komarov
Reported 2025-01-25 09:17:39 PST
Created attachment 474005: An html page with the reproducible example saved from the CodePen

To reproduce: open https://codepen.io/kizu/pen/RNbqeEV?editors=1100 or the attached html file, then try to open the web inspector. For me, the page crashes both for regular Safari and for Technology Preview. The page itself works, but after the crash the web inspector does not, making it impossible to debug the page.
Attachments
An html page with the reproducible example saved from the CodePen (1.57 KB, text/html)
2025-01-25 09:17 PST, Roman Komarov
Radar WebKit Bug Importer
Comment 1 2025-01-28 10:42:21 PST
Razvan Caliman
Comment 2 2025-01-28 10:43:38 PST
Thanks for filing! This looks like a crash in the WebContent process. Starting on Animations component for a look at the crash log.
Razvan Caliman
Comment 3 2025-01-28 10:55:53 PST
Antoine Quint
Comment 4 2025-02-04 01:53:01 PST
This regressed with 274481@main when `CSSStyleQueriesEnabled` was enabled by default.
Antti Koivisto
Comment 5 2025-02-04 11:04:11 PST
We are re-entering style resolution via InspectorInstrumentation::didChangeWebAnimationEffectTiming.

(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x12fc29930)
Note: Possible pointer authentication failure detected. Found value that failed to authenticate at address=0x12fc29930.
    frame #0: 0x00000003000030e0 WebCore`WTFCrashWithInfo(line=2636, file="/Users/antti/webkit/OpenSource/Source/WebCore/dom/Document.cpp", function="void WebCore::Document::resolveStyle(ResolveStyleType)", counter=4985) at Assertions.h:920:5
  * frame #1: 0x0000000304e09eec WebCore`WebCore::Document::resolveStyle(this=0x00000001130c5200, type=Normal) at Document.cpp:2636:9
    frame #2: 0x0000000304e0b070 WebCore`WebCore::Document::updateStyleIfNeeded(this=0x00000001130c5200) at Document.cpp:2825:5
    frame #3: 0x000000030460613c WebCore`WebCore::ComputedStyleExtractor::updateStyleIfNeededForProperty(element=0x00000003244b98a0, propertyID=CSSPropertyCustom) at ComputedStyleExtractor.cpp:2936:14
    frame #4: 0x0000000304606350 WebCore`WebCore::ComputedStyleExtractor::customPropertyValue(this=0x000000016fc19770, propertyName=0x000000016fc196a8) const at ComputedStyleExtractor.cpp:3250:5
    frame #5: 0x0000000305a14634 WebCore`WebCore::buildObjectForKeyframes(WebCore::KeyframeEffect&)::$_1::operator()(this=0x000000016fc19528, customProperty=0x000000016fc196a8) const at InspectorAnimationAgent.cpp:168:65
    frame #6: 0x0000000305a1435c WebCore`decltype(auto) WTF::visitOneVariant<0ul, WTF::Visitor<WebCore::buildObjectForKeyframes(WebCore::KeyframeEffect&)::$_0, WebCore::buildObjectForKeyframes(WebCore::KeyframeEffect&)::$_1>, std::__1::variant<WebCore::CSSPropertyID, WTF::AtomString>&>(f=0x000000016fc19508, v= Active Type = WTF::AtomString ) at StdLibExtras.h:609:5
    frame #7: 0x0000000305a13c44 WebCore`decltype(visitOneVariant(makeVisitor(std::forward<WebCore::buildObjectForKeyframes(WebCore::KeyframeEffect&)::$_0>(fp0), std::forward<WebCore::buildObjectForKeyframes(WebCore::KeyframeEffect&)::$_1>(fp0)), asVariant(std::forward<std::__1::variant<WebCore::CSSPropertyID, WTF::AtomString>&>(fp)))) WTF::switchOn<std::__1::variant<WebCore::CSSPropertyID, WTF::AtomString>&, WebCore::buildObjectForKeyframes(WebCore::KeyframeEffect&)::$_0, WebCore::buildObjectForKeyframes(WebCore::KeyframeEffect&)::$_1>(v= Active Type = WTF::AtomString , f=0x000000016fc19688, f=0x000000016fc19678) at StdLibExtras.h:617:12
    frame #8: 0x0000000305a129b4 WebCore`WebCore::buildObjectForKeyframes(keyframeEffect=0x00000001140df280) at InspectorAnimationAgent.cpp:160:17
    frame #9: 0x00000003059da27c WebCore`WebCore::buildObjectForEffect(effect=0x00000001140df280) at InspectorAnimationAgent.cpp:238:37
    frame #10: 0x00000003059d9dd0 WebCore`WebCore::InspectorAnimationAgent::didChangeWebAnimationEffectTiming(this=0x0000000324514b80, animation=0x00000001140df100) at InspectorAnimationAgent.cpp:486:58
    frame #11: 0x000000030593d7e8 WebCore`WebCore::InspectorInstrumentation::didChangeWebAnimationEffectTimingImpl(instrumentingAgents=0x0000000114005ff0, animation=0x00000001140df100) at InspectorInstrumentation.cpp:1214:25
    frame #12: 0x0000000303ffd9e4 WebCore`WebCore::InspectorInstrumentation::didChangeWebAnimationEffectTiming(animation=0x00000001140df100) at InspectorInstrumentation.h:1556:9
    frame #13: 0x0000000303ffd828 WebCore`WebCore::WebAnimation::effectTimingDidChange(this=0x00000001140df100) at WebAnimation.cpp:156:5
    frame #14: 0x0000000303ee5eb4 WebCore`WebCore::CSSAnimation::syncPropertiesWithBackingAnimation(this=0x00000001140df100) at CSSAnimation.cpp:132:5
    frame #15: 0x0000000303ff5570 WebCore`WebCore::StyleOriginatedAnimation::setBackingAnimation(this=0x00000001140df100, backingAnimation=0x0000000112864540) at StyleOriginatedAnimation.cpp:103:5
    frame #16: 0x00000003075890b0 WebCore`WebCore::Styleable::updateCSSAnimations(this=0x000000016fc1a678, currentStyle=0x0000000114061d58, newStyle=0x0000000112262a70, resolutionContext=0x000000016fc1a698, newStyleOriginatedAnimations=0x000000016fc1a278, isInDisplayNoneTree=No) const at Styleable.cpp:398:40
    frame #17: 0x0000000307581c34 WebCore`WebCore::Style::TreeResolver::createAnimatedElementUpdate(WebCore::Style::ResolvedStyle&&, WebCore::Styleable const&, WebCore::Style::Change, WebCore::Style::ResolutionContext const&, WebCore::Style::IsInDisplayNoneTree)::$_1::operator()(this=0x000000016fc1a238) const at StyleTreeResolver.cpp:691:23
    frame #18: 0x000000030757f4f8 WebCore`WebCore::Style::TreeResolver::createAnimatedElementUpdate(this=0x000000016fc1d4d8, resolvedStyle=0x000000016fc1a648, styleable=0x000000016fc1a678, parentChange=Inherited, resolutionContext=0x000000016fc1a698, isInDisplayNoneTree=No) at StyleTreeResolver.cpp:737:5
    frame #19: 0x000000030757eaa8 WebCore`WebCore::Style::TreeResolver::resolveElement(this=0x000000016fc1d4d8, element=0x00000003244b98a0, existingStyle=0x0000000114061d58, resolutionType=Full) at StyleTreeResolver.cpp:277:19
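The re-entrancy the backtrace above shows (style resolution syncing a CSS animation with its backing definition, the inspector's effect-timing listener reading a computed custom property, and that read calling updateStyleIfNeeded() back into resolveStyle() while m_inStyleRecalc is still set) is illustrated by the model below. This is an added example, not WebKit code, and it does not reproduce the fix that later landed in 292391@main, which this bug page does not describe; ModelDocument, its hook, its counters and the deferral strategy are all hypothetical. The RELEASE_ASSERT is modelled as a thrown exception so the outcome can be observed rather than aborting the process, and the second scenario shows one defensive pattern for an instrumentation hook: check whether the document is mid-recalc and queue the computed-style read until resolution has finished.

```cpp
#include <cstdio>
#include <functional>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model of the re-entrancy hazard in the backtrace; none of these
// types are WebKit's. A RELEASE_ASSERT is modelled as a thrown exception.
struct ReentrancyViolation : std::runtime_error {
    using std::runtime_error::runtime_error;
};

class ModelDocument {
public:
    using Hook = std::function<void(ModelDocument&)>;

    // Stand-in for the inspector's didChangeWebAnimationEffectTiming listener.
    void setEffectTimingHook(Hook hook) { m_hook = std::move(hook); }

    bool inStyleRecalc() const { return m_inStyleRecalc; }
    int resolveCount() const { return m_resolveCount; }
    int computedReads() const { return m_computedReads; }

    // Equivalent of Document::updateStyleIfNeeded(): resolve only when dirty.
    void updateStyleIfNeeded() {
        if (m_styleDirty)
            resolveStyle();
    }

    // Equivalent of Document::resolveStyle(): must never be re-entered.
    void resolveStyle() {
        if (m_inStyleRecalc)
            throw ReentrancyViolation("resolveStyle() re-entered while m_inStyleRecalc is set");
        m_inStyleRecalc = true;
        ++m_resolveCount;
        // Resolving style syncs CSS animations with their backing definitions,
        // which notifies the effect-timing hook in the middle of the recalc.
        if (m_hook)
            m_hook(*this);
        m_styleDirty = false;
        m_inStyleRecalc = false;
        // Work postponed because it arrived mid-recalc runs now, when touching
        // computed style is safe again.
        std::vector<Hook> pending = std::move(m_deferred);
        m_deferred.clear();
        for (auto& task : pending)
            task(*this);
    }

    // Equivalent of ComputedStyleExtractor::customPropertyValue(): reading a
    // computed custom property first forces style to be up to date.
    std::string computedCustomProperty(const std::string& name) {
        updateStyleIfNeeded();
        ++m_computedReads;
        return "value-of(" + name + ")";
    }

    // Queue a task to run once the current recalc has finished.
    void deferUntilStyleResolved(Hook task) { m_deferred.push_back(std::move(task)); }

private:
    Hook m_hook;
    std::vector<Hook> m_deferred;
    bool m_inStyleRecalc = false;
    bool m_styleDirty = true;
    int m_resolveCount = 0;
    int m_computedReads = 0;
};

// Scenario 1: the hook reads computed style synchronously, as the backtrace
// shows buildObjectForKeyframes() doing. Returns true if the guard fired.
bool reentrantReadTrips() {
    ModelDocument doc;
    doc.setEffectTimingHook([](ModelDocument& d) {
        d.computedCustomProperty("--x"); // updateStyleIfNeeded() -> resolveStyle() again
    });
    try {
        doc.updateStyleIfNeeded();
    } catch (const ReentrancyViolation&) {
        return true;
    }
    return false;
}

struct Outcome {
    int resolves;
    int computedReads;
    bool stillInRecalc;
};

// Scenario 2: the hook checks inStyleRecalc() and defers the read; the recalc
// completes once and the read happens afterwards, outside the guard.
Outcome deferredReadOutcome() {
    ModelDocument doc;
    doc.setEffectTimingHook([](ModelDocument& d) {
        auto read = [](ModelDocument& inner) { inner.computedCustomProperty("--x"); };
        if (d.inStyleRecalc())
            d.deferUntilStyleResolved(read);
        else
            read(d);
    });
    doc.updateStyleIfNeeded();
    return {doc.resolveCount(), doc.computedReads(), doc.inStyleRecalc()};
}

int main() {
    std::printf("synchronous read trips guard: %s\n", reentrantReadTrips() ? "yes" : "no");
    Outcome o = deferredReadOutcome();
    std::printf("deferred read: resolves=%d reads=%d inRecalc=%d\n", o.resolves, o.computedReads, o.stillInRecalc);
    return 0;
}
```

The deferral is only one possible shape for such a hook; the point it demonstrates is that any observer fired from inside style resolution must not force a style update itself, and that an explicit in-recalc flag gives the observer a cheap way to tell.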
Devin Rousso
Comment 6 2025-03-18 10:12:13 PDT
EWS
Comment 7 2025-03-19 18:46:07 PDT
Committed 292391@main (0683db19e202): <https://commits.webkit.org/292391@main> Reviewed commits have been landed. Closing PR #42629 and removing active labels.
EWS
Comment 8 2025-04-02 15:37:36 PDT
Committed 289651.391@safari-7621-branch (6baf01d95ed3): <https://commits.webkit.org/289651.391@safari-7621-branch> Reviewed commits have been landed. Closing PR #2949 and removing active labels.