302703 – [scroll-animations-1] Tab crashes when an element containing a scoped scroll-driven animation from an inner pseudo-element repeatedly changes display while depending on cqw

NEW302703

[scroll-animations-1] Tab crashes when an element containing a scoped scroll-driven animation from an inner pseudo-element repeatedly changes display while depending on cqw

https://bugs.webkit.org/show_bug.cgi?id=302703

Summary [scroll-animations-1] Tab crashes when an element containing a scoped scroll-...

Roman Komarov

Reported 2025-11-18 02:09:10 PST

Created attachment 477419 [details] A saved codepen example with the minimal reproduction To reproduce, open https://codepen.io/kizu/pen/QwNgKdz?editors=1100 or the attached saved .html from it, and then repeatedly open/close the details. This happened in a much more involved use case while I was writing a new article, but I think I managed to remove anything non-related to have a minimally-reproducible example. For me, this happens both in stable Safari Version 26.1 (20622.2.11.119.1), and in STP Release 232 (WebKit 20624.1.2.19.2)

Attachments
A saved codepen example with the minimal reproduction (1.31 KB, text/html) 2025-11-18 02:09 PST, Roman Komarov	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-11-18 10:34:11 PST

<rdar://problem/164979494>

Simon Fraser (smfr)

Comment 2 2025-11-18 10:34:44 PST

Crash in: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 WebCore 0x11dd6a9cc WebCore::compareCSSAnimations(WebCore::CSSAnimation const&, WebCore::CSSAnimation const&) + 448 1 WebCore 0x11dd4fae8 void std::__1::__stable_sort<std::__1::_RangeAlgPolicy, std::__1::_ProjectedPred<bool (*)(WebCore::WebAnimation const&, WebCore::WebAnimation const&), WebCore::KeyframeEffectStack::ensureEffectsAreSorted()::$_0>&, WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*>(WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*, WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*, std::__1::_ProjectedPred<bool (*)(WebCore::WebAnimation const&, WebCore::WebAnimation const&), WebCore::KeyframeEffectStack::ensureEffectsAreSorted()::$_0>&, std::__1::iterator_traits<WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*>::difference_type, std::__1::iterator_traits<WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl>>*>::value_type*, long) + 124 2 WebCore 0x11dd3d634 WebCore::KeyframeEffectStack::ensureEffectsAreSorted() + 184 3 WebCore 0x11dd3d888 WebCore::KeyframeEffectStack::applyKeyframeEffects(WebCore::RenderStyle&, WTF::HashSet<mpark::variant<WebCore::CSSPropertyID, WTF::AtomString>, WTF::DefaultHash<mpark::variant<WebCore::CSSPropertyID, WTF::AtomString>>, WTF::HashTraits<mpark::variant<WebCore::CSSPropertyID, WTF::AtomString>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)1>&, WebCore::RenderStyle const*, WebCore::Style::ResolutionContext const&) + 384 4 WebCore 0x11f3a6c6c WebCore::Style::TreeResolver::createAnimatedElementUpdate(WebCore::Style::ResolvedStyle&&, WebCore::Styleable const&, WTF::OptionSet<WebCore::Style::Change, (WTF::ConcurrencyTag)0>, WebCore::Style::ResolutionContext const&, WebCore::Style::IsInDisplayNoneTree) + 9556 5 WebCore 0x11f39f38c WebCore::Style::TreeResolver::resolveElement(WebCore::Element&, WebCore::RenderStyle const*, WebCore::Style::TreeResolver::ResolutionType) + 2592

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version Safari 26

Hardware Unspecified

OS Unspecified

Product WebKit

Component Animations

Assignee

Nobody

Reported

2025-11-18 02:09 PST

Modified

2026-01-12 09:02 PST History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks