Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0a0cd3fd2cc0cc7d6a8589d5524bae1687440eb3
https://github.com/WebKit/WebKit/commit/0a0cd3fd2cc0cc7d6a8589d5524bae1687440eb3
Author: Claudio Saavedra <[email protected]>
Date: 2025-08-15 (Fri, 15 Aug 2025)
Changed paths:
A LayoutTests/webanimations/reparent-element-with-animation-crash-expected.txt
A LayoutTests/webanimations/reparent-element-with-animation-crash.html
M Source/WebCore/animation/ElementAnimationRareData.cpp
Log Message:
-----------
ASAN_ILL | WebCore::ElementAnimationRareData::setLastStyleChangeEventStyle;
Style::TreeResolver::createAnimatedElementUpdate;
Style::TreeResolver::resolveElement
https://bugs.webkit.org/show_bug.cgi?id=293018
Reviewed by Antoine Quint.
When an element with an animation and keyframe effect associated is reparented,
style originated animations are cancelled for its styleable. This causes the
animation rare data's animations to be destroyed, which in turn also destroys
the keyframe effects for those animations that have them. The issue is that
keyframe effects are also weak referenced from animation rare data's keyframe
effect stack, and these weak references become null and are at risk of being
null-dereferenced later on.
This can be fixed by removing keyframe effects for every animation created by
markup from the keyframe stack, before removing the animations.
A similar fix was landed in https://commits.webkit.org/292328@main, but that
only addressed the case when an animation is removed from a timeline.
* LayoutTests/webanimations/reparent-element-with-animation-crash-expected.txt: Added.
* LayoutTests/webanimations/reparent-element-with-animation-crash.html: Added.
* Source/WebCore/animation/ElementAnimationRareData.cpp:
(WebCore::ElementAnimationRareData::setAnimationsCreatedByMarkup):
Originally-landed-as: [email protected] (d79e4c2037ff).
rdar://157788971
Canonical link: https://commits.webkit.org/298748@main
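
A minimal C++ model of the lifetime problem the log message describes, added here as an illustration and not taken from the WebKit change. The type and function names are hypothetical, and std::shared_ptr / std::weak_ptr stand in for WebKit's own smart pointers; it compares destroying the owning animations with and without first unlinking their effects from the weakly referencing stack.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Simplified model with hypothetical names, not WebKit code.
struct Effect { int id; };
struct Animation { std::shared_ptr<Effect> effect; }; // an animation owns its effect

struct RareDataModel {
    std::vector<std::unique_ptr<Animation>> markupAnimations; // owning
    std::vector<std::weak_ptr<Effect>> effectStack;           // non-owning

    void addAnimation(int id) {
        auto animation = std::make_unique<Animation>();
        animation->effect = std::make_shared<Effect>(Effect{id});
        effectStack.push_back(animation->effect);
        markupAnimations.push_back(std::move(animation));
    }

    // Destroys the animations (and with them their effects). When unlinkFirst
    // is set, each effect is taken off the stack before its owner goes away.
    void clearAnimations(bool unlinkFirst) {
        if (unlinkFirst) {
            for (auto& animation : markupAnimations) {
                Effect* raw = animation->effect.get();
                effectStack.erase(std::remove_if(effectStack.begin(), effectStack.end(),
                    [raw](const std::weak_ptr<Effect>& w) { return w.lock().get() == raw; }),
                    effectStack.end());
            }
        }
        markupAnimations.clear();
    }

    // Stack entries whose target is gone: any later unchecked use is a null dereference.
    std::size_t nulledEntries() const {
        return static_cast<std::size_t>(std::count_if(effectStack.begin(), effectStack.end(),
            [](const std::weak_ptr<Effect>& w) { return w.expired(); }));
    }
};

// Builds two animations, clears them, and reports how many stack entries went null.
std::size_t nulledAfterClear(bool unlinkFirst) {
    RareDataModel data;
    data.addAnimation(1);
    data.addAnimation(2);
    data.clearAnimations(unlinkFirst);
    return data.nulledEntries();
}
```

Calling `nulledAfterClear(false)` leaves one nulled stack entry per destroyed animation, while `nulledAfterClear(true)` leaves none.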