RESOLVED FIXED 309672
[scroll-animations] crash under `StyleOriginatedTimelinesController::unregisterNamedTimeline()` due to iterator mutation
https://bugs.webkit.org/show_bug.cgi?id=309672
Antoine Quint
Reported 2026-03-11 07:02:03 PDT
Consider this part of `StyleOriginatedTimelinesController::unregisterNamedTimeline()`:

```cpp
for (Ref animation : timeline->relevantAnimations()) {
    if (RefPtr cssAnimation = dynamicDowncast<CSSAnimation>(animation)) {
        if (cssAnimation->owningElement())
            cssAnimation->syncStyleOriginatedTimeline();
    }
}
```

The call to `CSSAnimation::syncStyleOriginatedTimeline()` may call `WebAnimation::setTimeline()`, which may modify the content of `timeline->relevantAnimations()` that we're iterating on. To address this, we should make a copy of the animation list like we do in `AnimationTimelinesController::updateAnimationsAndSendEvents()`. Note that a similar bug is being fixed in bug 309632 and an earlier fix for this crash was made in bug 308128.
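The iterator-invalidation pattern described in the report, as an added illustration that is not WebKit code: `Timeline` and `Animation` are hypothetical stand-ins, `hasOwningElement` stands in for `owningElement()`, and `setTimeline(nullptr)` erases the animation from its timeline's list the way the report says `WebAnimation::setTimeline()` can. The unsafe function mirrors the quoted loop and is left uncalled; the safe one walks a copy as the report proposes.

```cpp
#include <algorithm>
#include <memory>
#include <vector>
// Hypothetical stand-ins for the WebKit classes in the report (not WebKit code).
struct Timeline;
struct Animation {
    Timeline* timeline = nullptr;
    bool hasOwningElement = true;      // stands in for owningElement() != nullptr
    void setTimeline(Timeline* t);     // may erase *this from its current timeline
    void syncStyleOriginatedTimeline() { setTimeline(nullptr); }
};
struct Timeline {
    std::vector<std::shared_ptr<Animation>> animations;
    std::vector<std::shared_ptr<Animation>>& relevantAnimations() { return animations; } // live storage
    void remove(Animation* a) {
        animations.erase(std::remove_if(animations.begin(), animations.end(),
            [a](const std::shared_ptr<Animation>& p) { return p.get() == a; }), animations.end());
    }
};

void Animation::setTimeline(Timeline* t) {
    if (timeline && timeline != t)
        timeline->remove(this);        // mutates the vector a caller may be iterating
    timeline = t;
}

// BUGGY, mirrors the report's loop: the range-for holds iterators into timeline.animations
// while setTimeline() erases from that same vector (undefined behaviour, the reported crash).
void unregisterNamedTimelineUnsafe(Timeline& timeline) {
    for (auto& animation : timeline.relevantAnimations())
        if (animation->hasOwningElement) animation->syncStyleOriginatedTimeline();
}

// FIXED, as the report proposes: walk a copy. The shared_ptr copies keep each animation
// alive, and erasing from the timeline's vector no longer touches the container iterated.
int unregisterNamedTimelineSafe(Timeline& timeline) {
    auto animations = timeline.relevantAnimations(); // copy, not a reference
    int synced = 0;
    for (const auto& animation : animations)
        if (animation->hasOwningElement) { animation->syncStyleOriginatedTimeline(); ++synced; }
    return synced;                                   // number of animations synced
}
// Constructed sample helper: one animation attached to `timeline`.
std::shared_ptr<Animation> attach(Timeline& timeline) {
    auto animation = std::make_shared<Animation>();
    animation->timeline = &timeline;
    timeline.animations.push_back(animation);
    return animation;
}
```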
Antoine Quint
Comment 1 2026-03-11 07:02:13 PDT
Antoine Quint
Comment 2 2026-03-11 07:04:47 PDT
EWS
Comment 3 2026-03-11 08:36:31 PDT
Committed 309059@main (f355fb943c1d): <https://commits.webkit.org/309059@main> Reviewed commits have been landed. Closing PR #60360 and removing active labels.
EWS
Comment 4 2026-03-16 12:22:20 PDT
Committed 305413.487@safari-7624-branch (366a4134c635): <https://commits.webkit.org/305413.487@safari-7624-branch> Reviewed commits have been landed. Closing PR #4674 and removing active labels.