Branch: refs/heads/webkitglib/2.50
  Home:   https://github.com/WebKit/WebKit
  Commit: c17394a04248c5f829517ac14147685829072cb0
      
https://github.com/WebKit/WebKit/commit/c17394a04248c5f829517ac14147685829072cb0
  Author: Claudio Saavedra <[email protected]>
  Date:   2025-08-15 (Fri, 15 Aug 2025)

  Changed paths:
    A LayoutTests/webanimations/reparent-element-with-animation-crash-expected.txt
    A LayoutTests/webanimations/reparent-element-with-animation-crash.html
    M Source/WebCore/animation/ElementAnimationRareData.cpp

  Log Message:
  -----------
  Cherry-pick 298748@main (0a0cd3fd2cc0). https://bugs.webkit.org/show_bug.cgi?id=293018

    ASAN_ILL | WebCore::ElementAnimationRareData::setLastStyleChangeEventStyle; Style::TreeResolver::createAnimatedElementUpdate; Style::TreeResolver::resolveElement
    https://bugs.webkit.org/show_bug.cgi?id=293018

    Reviewed by Antoine Quint.

    When an element with an animation and keyframe effect associated is reparented,
    style originated animations are cancelled for its styleable. This causes the
    animation rare data's animations to be destroyed, which in turn also destroys
    the keyframe effects for those animations that have them. The issue is that
    keyframe effects are also weak referenced from animation rare data's keyframe
    effect stack, and these weak references become null and are at risk of being
    null-dereferenced later on.

    This can be fixed by removing keyframe effects for every animation created by
    markup from the keyframe stack, before removing the animations.

    A similar fix was landed in https://commits.webkit.org/292328@main, but that only
    addressed the case when an animation is removed from a timeline.

    * LayoutTests/webanimations/reparent-element-with-animation-crash-expected.txt: Added.
    * LayoutTests/webanimations/reparent-element-with-animation-crash.html: Added.
    * Source/WebCore/animation/ElementAnimationRareData.cpp:
    (WebCore::ElementAnimationRareData::setAnimationsCreatedByMarkup):

    Originally-landed-as: [email protected] (d79e4c2037ff). rdar://157788971
    Canonical link: https://commits.webkit.org/298748@main

Canonical link: https://commits.webkit.org/298234.18@webkitglib/2.50
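
Added example, not part of the commit and not WebKit's code: a reduced model of the ordering problem the log message describes, where a non-owning effect stack outlives the animations that own the effects. The types `Effect`, `Animation`, `RareData` and the function `staleAfter` are hypothetical, and `std::weak_ptr` stands in for WebKit's weak references so that stale entries can be counted instead of dereferenced.

```cpp
#include <algorithm>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-ins for illustration; these are not WebKit's classes.
struct Effect { int id; };
struct Animation {
    std::shared_ptr<Effect> effect; // the animation owns its keyframe effect
    bool createdByMarkup;
};

struct RareData {
    std::vector<Animation> animations;
    std::vector<std::weak_ptr<Effect>> effectStack; // non-owning references

    void add(int id, bool byMarkup) {
        auto effect = std::make_shared<Effect>(Effect{id});
        effectStack.push_back(effect);
        animations.push_back(Animation{std::move(effect), byMarkup});
    }
    // unlinkFirst == false: owners are destroyed while the stack still refers to
    // their effects. unlinkFirst == true: effects leave the stack before that.
    void cancelMarkupAnimations(bool unlinkFirst) {
        for (const Animation& a : animations) {
            if (!unlinkFirst || !a.createdByMarkup) continue;
            effectStack.erase(std::remove_if(effectStack.begin(), effectStack.end(),
                [&](const std::weak_ptr<Effect>& w) { return w.lock() == a.effect; }),
                effectStack.end());
        }
        animations.erase(std::remove_if(animations.begin(), animations.end(),
            [](const Animation& a) { return a.createdByMarkup; }), animations.end());
    }
    // Stack entries that a later walk over the stack would find null.
    std::size_t staleEntries() const {
        return static_cast<std::size_t>(std::count_if(effectStack.begin(),
            effectStack.end(),
            [](const std::weak_ptr<Effect>& w) { return w.expired(); }));
    }
};

// Constructed scenario: two markup-created animations and one that is not.
std::size_t staleAfter(bool unlinkFirst) {
    RareData data;
    data.add(1, true); data.add(2, false); data.add(3, true);
    data.cancelMarkupAnimations(unlinkFirst);
    return data.staleEntries();
}

int main() { return (staleAfter(false) == 2 && staleAfter(true) == 0) ? 0 : 1; }
```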


