Bug 314105 - RESOLVED FIXED
[threaded-animations] animating `offset-path` between `margin-box` and `stroke-box` yields a crash under `AcceleratedEffectValues::AcceleratedEffectValues(WebCore::RenderStyle const&, WebCore::IntRect const&, WebCore::RenderLayerModelObject const*)`
https://bugs.webkit.org/show_bug.cgi?id=314105
Antoine Quint
Reported 2026-05-05 10:26:54 PDT
Creating this simple animation:

const animation = document.getElementById("target").animate(
    { transform: "translateX(100px)", offsetPath: ["margin-box", "stroke-box"] },
    1000
);

… yields a crash under `AcceleratedEffectValues::AcceleratedEffectValues(WebCore::RenderStyle const&, WebCore::IntRect const&, WebCore::RenderLayerModelObject const*)`.
Attachments
Test (622 bytes, text/html)
2026-05-05 10:27 PDT, Antoine Quint
no flags
Fix (2.19 KB, patch)
2026-05-05 14:32 PDT, Sam Weinig
no flags
Antoine Quint
Comment 1 2026-05-05 10:27:14 PDT
Antoine Quint
Comment 2 2026-05-05 10:27:58 PDT
Created attachment 479479 [details]
Test

Attaching a test that reproduces the issue and is ready to use as a layout test.
Antoine Quint
Comment 3 2026-05-05 10:29:40 PDT
This was caused by 310214@main.
Sam Weinig
Comment 4 2026-05-05 14:14:16 PDT
Is this really a security issue? It's accessing an std::optional when it's not engaged. Doesn't that cleanly abort?
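Whether a disengaged std::optional "cleanly aborts" is a property of the standard-library build, not of the language: only value() is specified to throw std::bad_optional_access, while operator* and operator-> have an engaged-optional precondition and are undefined behaviour when it is empty (a hardened libc++ asserts there; an unhardened build reads whatever is in the inline storage). The following is an added illustration of that distinction in plain C++; it is not WebKit's code, and the Box type and function names are hypothetical stand-ins for the geometry value at issue.

```cpp
// Added example (not WebKit code): checked vs. unchecked access to an empty
// std::optional. Only value() is guaranteed to report the error; operator*
// and operator-> on a disengaged optional are undefined behaviour, so any
// "clean abort" comes from the standard library's hardening, if enabled.
#include <optional>
#include <stdexcept>

// Hypothetical stand-in for a layout-derived box that may not exist yet.
struct Box {
    int width;
    int height;
};

// Checked access: value() throws std::bad_optional_access when empty.
// Returns true if the access threw, false if it returned a value.
bool checkedAccessThrows(const std::optional<Box>& box)
{
    try {
        (void)box.value().width;
        return false;
    } catch (const std::bad_optional_access&) {
        return true;
    }
}

// Unchecked access: operator* requires has_value(). Calling this with an
// empty optional is undefined behaviour (assert under a hardened STL,
// garbage otherwise). Callers must guard it; the test below only passes an
// engaged optional.
int uncheckedWidth(const std::optional<Box>& box)
{
    return (*box).width;
}

// Defensive pattern: test has_value() and return a defined default instead
// of relying on the library to trap the bad access.
int widthOrZero(const std::optional<Box>& box)
{
    return box.has_value() ? box->width : 0;
}
```

The practical triage consequence: a crash report showing a disengaged-optional access is reliable evidence of a logic bug, but it is the library assertion, not the language, that turns it into a deterministic abort rather than a silent read of stale storage.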
Sam Weinig
Comment 5 2026-05-05 14:32:06 PDT
Created attachment 479483 [details]
Fix

Attaching fix.
Sam Weinig
Comment 6 2026-05-07 18:40:14 PDT
EWS
Comment 7 2026-05-08 07:18:43 PDT
Committed 312881@main (1b01b6d32c39): <https://commits.webkit.org/312881@main>

Reviewed commits have been landed. Closing PR #64516 and removing active labels.