RESOLVED FIXED298646
Anchoring a pseudo element to a slotted element in a Shadow DOM causes browser crash 
https://bugs.webkit.org/show_bug.cgi?id=298646
Summary Anchoring a pseudo element to a slotted element in a Shadow DOM causes browse...
Zacky Ma
Reported 2025-09-10 00:20:08 PDT
In a Shadow DOM, using CSS Anchor Positioning to anchor a pseudo element to a slotted element (with `::slotted(..)`) causes Safari TP 227 to crash. Codepen to reproduce: https://codepen.io/marchbox/pen/gbayRPK
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-09-10 08:42:22 PDT
<rdar://problem/160291579>
Simon Fraser (smfr)
Comment 2 2025-09-10 08:42:50 PDT
Thread 0 Crashed: 0 WebCore 0x1c71dbb5c WebCore::Style::AnchorPositionEvaluator::defaultAnchorForBox(WebCore::RenderBox const&) + 968 1 WebCore 0x1c71dd83c WebCore::Style::AnchorPositionEvaluator::evaluate(WebCore::Style::BuilderState&, std::__1::optional<WebCore::Style::ScopedName>, mpark::variant<WebCore::CSSValueID, double>) + 320 2 WebCore 0x1c5f0f378 WebCore::CSSCalc::evaluateWithoutFallback(WebCore::CSSCalc::Anchor const&, WebCore::CSSCalc::EvaluationOptions const&) + 180 3 WebCore 0x1c5f1cdb8 _ZZN7WebCore7CSSCalcL8evaluateERKNS0_5ChildERKNS0_17EvaluationOptionsEENK3$_0clINS0_12IndirectNodeINS0_6AnchorEEEEEDaRKT_ + 56 4 WebCore 0x1c5f0f2ac WebCore::CSSCalc::evaluate(WebCore::CSSCalc::Child const&, WebCore::CSSCalc::EvaluationOptions const&) + 1104 5 WebCore 0x1c5f1b3e8 WebCore::CSSCalcValue::computeLengthPx(WebCore::CSSToLengthConversionData const&, WebCore::CSSCalcSymbolTable const&) const + 132 6 WebCore 0x1c5e93630 double WebCore::CSSPrimitiveValue::resolveAsLength<double>(WebCore::CSSToLengthConversionData const&) const + 236 7 WebCore 0x1c55c9890 WebCore::Style::CSSValueConversion<WebCore::Style::InsetEdge>::operator()(WebCore::Style::BuilderState&, WebCore::CSSValue const&) + 184 8 WebCore 0x1c5506fa8 WebCore::Style::BuilderGenerated::applyProperty(WebCore::CSSPropertyID, WebCore::Style::BuilderState&, WebCore::CSSValue&, WebCore::Style::ApplyValueType) + 26608 9 WebCore 0x1c721efec WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask, WebCore::Style::CascadeLevel) + 356 10 WebCore 0x1c7242408 WebCore::Style::Resolver::applyMatchedProperties(WebCore::Style::Resolver::State&, WebCore::Style::MatchResult const&, WebCore::Style::PropertyCascade::IncludedProperties&&) + 1808 11 WebCore 0x1c7247d18 WebCore::Style::Resolver::styleForPseudoElement(WebCore::Element&, WebCore::Style::PseudoElementRequest const&, WebCore::Style::ResolutionContext const&) + 1096 12 WebCore 0x1c7266688 WebCore::Style::TreeResolver::resolvePseudoElement(WebCore::Element&, WebCore::Style::PseudoElementIdentifier const&, WebCore::Style::ElementUpdate const&, WebCore::Style::IsInDisplayNoneTree) + 772 13 WebCore 0x1c725d804 WebCore::Style::TreeResolver::resolveElement(WebCore::Element&, WebCore::RenderStyle const*, WebCore::Style::TreeResolver::ResolutionType) + 2232 14 WebCore 0x1c726a670 WebCore::Style::TreeResolver::resolve() + 3204
Antti Koivisto
Comment 3 2025-09-17 02:12:33 PDT
Pull request: https://github.com/WebKit/WebKit/pull/50850
Antti Koivisto
Comment 4 2025-09-17 08:51:55 PDT
Thanks for the reduced test case!
EWS
Comment 5 2025-09-17 08:54:51 PDT
Committed 300086@main (ec6791966b1e): <https://commits.webkit.org/300086@main> Reviewed commits have been landed. Closing PR #50850 and removing active labels.
Antti Koivisto
Comment 6 2025-09-17 10:59:33 PDT
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/54905
EWS
Comment 7 2025-09-18 18:58:22 PDT
Committed 297297.436@safari-7622-branch (fc59452adedb): <https://commits.webkit.org/297297.436@safari-7622-branch> Reviewed commits have been landed. Closing PR #3667 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.