Bug 308128 (RESOLVED FIXED)
[scroll-animations] crash under `StyleOriginatedTimelinesController::unregisterNamedTimeline()`
https://bugs.webkit.org/show_bug.cgi?id=308128
Antoine Quint
Reported 2026-02-18 06:11:48 PST
We have gotten reports of a crash under `StyleOriginatedTimelinesController::unregisterNamedTimeline()`.

Trimmed crash signature:

```
10 WTF::RefCountedBase::ref() const (WebCore)
10 WebCore::WebAnimation::ref() const (WebCore)
10 WTF::DefaultRefDerefTraits<WebCore::WebAnimation>::ref(WebCore::WebAnimation&) (WebCore)
10 WTF::Ref<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>::Ref(WTF::Ref<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>> const&) (WebCore)
10 WTF::Ref<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>::Ref(WTF::Ref<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>> const&) (WebCore)
==> 10 WebCore::StyleOriginatedTimelinesController::unregisterNamedTimeline(WTF::AtomString const&, WebCore::Styleable const&) (WebCore) <==
10 WebCore::Styleable::updateCSSViewTimelines(WebCore::RenderStyle const*, WebCore::RenderStyle const&) const::$_1::operator()() const (WebCore)
10 WebCore::Styleable::updateCSSViewTimelines(WebCore::RenderStyle const*, WebCore::RenderStyle const&) const (WebCore)
10 WebCore::Style::TreeResolver::createAnimatedElementUpdate(WebCore::Style::ResolvedStyle&&, WebCore::Styleable const&, WTF::OptionSet<WebCore::Style::Change, (WTF::ConcurrencyTag)0>, WebCore::Style::ResolutionContext const&, WebCore::Style::IsInDisplayNoneTree)::$_1::operator()() const (WebCore)
10 WebCore::Style::TreeResolver::createAnimatedElementUpdate(WebCore::Style::ResolvedStyle&&, WebCore::Styleable const&, WTF::OptionSet<WebCore::Style::Change, (WTF::ConcurrencyTag)0>, WebCore::Style::ResolutionContext const&, WebCore::Style::IsInDisplayNoneTree) (WebCore)
10 WebCore::Style::TreeResolver::resolveElement(WebCore::Element&, WebCore::RenderStyle const*, WebCore::Style::TreeResolver::ResolutionType) (WebCore)
10 WebCore::Style::TreeResolver::resolveComposedTree() (WebCore)
10 WebCore::Style::TreeResolver::resolve() (WebCore)
10 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (WebCore)
10 WebCore::Document::updateStyleIfNeeded() (WebCore)
6 WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions, (WTF::ConcurrencyTag)0>, WebCore::Element const*) (WebCore)
| 5 WebCore::LocalFrameView::updateLayoutAndStyleIfNeededRecursive(WTF::OptionSet<WebCore::LayoutOptions, (WTF::ConcurrencyTag)0>) (WebCore)
| | 5 WebCore::Page::layoutIfNeeded(WTF::OptionSet<WebCore::LayoutOptions, (WTF::ConcurrencyTag)0>) (WebCore)
| | 5 WebCore::Page::updateRendering() (WebCore)
| | 5 WebKit::WebPage::updateRendering() (WebKit)
```
Antoine Quint
Comment 1 2026-02-18 06:11:57 PST
Antoine Quint
Comment 2 2026-02-18 06:17:10 PST
EWS
Comment 3 2026-02-18 09:53:21 PST
Committed 307765@main (941c6f6db964): <https://commits.webkit.org/307765@main> Reviewed commits have been landed. Closing PR #58926 and removing active labels.
EWS
Comment 4 2026-02-18 18:17:58 PST
Committed 305413.315@safari-7624-branch (a9e9e8b52537): <https://commits.webkit.org/305413.315@safari-7624-branch> Reviewed commits have been landed. Closing PR #4508 and removing active labels.