309632 – Fix iterator invalidation crash in StyleOriginatedTimelinesController::styleableWasRemoved

RESOLVED FIXED309632

Fix iterator invalidation crash in StyleOriginatedTimelinesController::styleableWasRemoved

https://bugs.webkit.org/show_bug.cgi?id=309632

Summary Fix iterator invalidation crash in StyleOriginatedTimelinesController::stylea...

pascoe@apple.com

Reported 2026-03-10 18:46:08 PDT

attachAnimation() calls setTimeline() → setTimelineInternal() → removeAnimation(*this), which mutates the ListHashSet being iterated, invalidating the iterator and causing EXC_BAD_ACCESS when copying the next Ref.

Attachments
Add attachment proposed patch, testcase, etc.

pascoe@apple.com

Comment 1 2026-03-10 18:46:16 PDT

rdar://170564381

pascoe@apple.com

Comment 2 2026-03-10 18:56:32 PDT

Pull request: https://github.com/WebKit/WebKit/pull/60329

pascoe@apple.com

Comment 3 2026-03-10 19:00:18 PDT

rdar://172219384

EWS

Comment 4 2026-03-11 08:46:39 PDT

Committed 309061@main (55ffc93c06b7): <https://commits.webkit.org/309061@main> Reviewed commits have been landed. Closing PR #60329 and removing active labels.

EWS

Comment 5 2026-03-16 15:16:48 PDT

Committed 305413.493@safari-7624-branch (12ad8ff7bb1a): <https://commits.webkit.org/305413.493@safari-7624-branch> Reviewed commits have been landed. Closing PR #4670 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Animations

Assignee

pascoe@apple.com

Reported

2026-03-10 18:46 PDT

Modified

2026-03-16 15:16 PDT History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks