Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 941c6f6db964c2d3dd5eba28ce0a8511796f2fa4
https://github.com/WebKit/WebKit/commit/941c6f6db964c2d3dd5eba28ce0a8511796f2fa4
Author: Antoine Quint <[email protected]>
Date: 2026-02-18 (Wed, 18 Feb 2026)
Changed paths:
M Source/WebCore/animation/StyleOriginatedTimelinesController.cpp
Log Message:
-----------
[scroll-animations] crash under `StyleOriginatedTimelinesController::unregisterNamedTimeline()`
https://bugs.webkit.org/show_bug.cgi?id=308128
rdar://170552068
Reviewed by Sam Weinig.
The `StyleOriginatedTimelinesController` class has the following member:
HashMap<AtomString, Vector<Ref<ScrollTimeline>>> m_nameToTimelineMap;
In that class's `unregisterNamedTimeline()` method we do a lookup to land on
one of the timelines held in this map and then proceed to do the following:
    auto timeline = timelines.at(i);
    // Make sure to remove the named timeline from our name-to-timelines map first,
    // such that re-syncing any CSS Animation previously registered with it resolves
    // their `animation-timeline` properly.
    timelines.removeAt(i);
Since `Vector::at(size_t)` returns a `T&`, we're getting a `Ref&` for `timeline`, and thus the following call to `timelines.removeAt(i)` will remove that reference from the map. We must make sure to create a new counted reference to not fall into a case where that map held the last reference to that timeline.
This is a tentative crash fix and I do not have a test case to go with it.
* Source/WebCore/animation/StyleOriginatedTimelinesController.cpp:
(WebCore::StyleOriginatedTimelinesController::unregisterNamedTimeline):
Canonical link: https://commits.webkit.org/307765@main
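The lifetime hazard the commit message describes, reduced to a self-contained toy. This is an added example, not WebKit code: `Timeline` stands in for `ScrollTimeline`, `TimelineRef` for `WTF::Ref<T>` (move-only, with an explicit `copyRef()`), `TimelineMap` for `m_nameToTimelineMap`, and `std::vector::erase` for `Vector::removeAt`. All names are assumptions. `unregisterUnsafely()` keeps the "before" shape so it can be run under AddressSanitizer; `unregisterSafely()` applies the fix (take a new counted reference before erasing), and `mapHoldsLastReference()` is the diagnostic for the one state in which the difference matters.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Toy stand-in for ScrollTimeline (assumed name; not WebKit's class).
struct Timeline {
    explicit Timeline(std::string n) : name(std::move(n)) { ++liveCount; }
    ~Timeline() { --liveCount; }
    std::string name;
    unsigned refCount = 0;
    static int liveCount; // number of Timeline objects alive right now
};
int Timeline::liveCount = 0;

// Toy stand-in for WTF::Ref<T>: non-null, owning, move-only. Creating a second
// counted reference requires an explicit copyRef(), so it is a visible decision.
class TimelineRef {
public:
    static TimelineRef create(std::string name) { return TimelineRef(new Timeline(std::move(name))); }
    TimelineRef(const TimelineRef&) = delete;
    TimelineRef& operator=(const TimelineRef&) = delete;
    TimelineRef(TimelineRef&& o) noexcept : m_ptr(o.m_ptr) { o.m_ptr = nullptr; }
    TimelineRef& operator=(TimelineRef&& o) noexcept {
        if (this != &o) { release(); m_ptr = o.m_ptr; o.m_ptr = nullptr; }
        return *this;
    }
    ~TimelineRef() { release(); }
    TimelineRef copyRef() const { return TimelineRef(m_ptr); } // refCount + 1
    Timeline& get() const { return *m_ptr; }
private:
    explicit TimelineRef(Timeline* t) : m_ptr(t) { ++m_ptr->refCount; }
    void release() {
        if (m_ptr && --m_ptr->refCount == 0)
            delete m_ptr; // last reference gone: object destroyed
        m_ptr = nullptr;
    }
    Timeline* m_ptr;
};

using TimelineMap = std::map<std::string, std::vector<TimelineRef>>;

// True when the map holds the only counted reference to timelines[i]. In that
// state a plain reference borrowed from the vector dangles the moment the
// element is erased, which is exactly the case the commit message guards against.
bool mapHoldsLastReference(const TimelineMap& map, const std::string& name, size_t i) {
    return map.at(name)[i].get().refCount == 1;
}

// "Before" shape: `timeline` aliases the object without adding a count, so the
// erase may destroy it and the final read is a use-after-free whenever
// mapHoldsLastReference() is true. Not called from main() or the test; build with
// -fsanitize=address and call it to see the heap-use-after-free report.
std::string unregisterUnsafely(TimelineMap& map, const std::string& name, size_t i) {
    auto& timelines = map.at(name);
    Timeline& timeline = timelines[i].get();  // borrowed, no new counted reference
    timelines.erase(timelines.begin() + i);   // may delete the Timeline
    return timeline.name;                     // dangling if the map held the last ref
}

// "After" shape: take a new counted reference first. The erase then only drops
// the map's count, and `timeline` keeps the object alive until we return.
// Returns "<name>:<refCount after erase>" so the caller can see one count remains.
std::string unregisterSafely(TimelineMap& map, const std::string& name, size_t i) {
    auto& timelines = map.at(name);
    TimelineRef timeline = timelines[i].copyRef(); // e.g. refCount 1 -> 2
    timelines.erase(timelines.begin() + i);        // refCount 2 -> 1, object alive
    if (timelines.empty())
        map.erase(name);                           // `timelines` must not be used past here
    return timeline.get().name + ":" + std::to_string(timeline.get().refCount);
}

// Scenario 1: the map is the sole owner (the dangerous state), unregistered safely.
// Returns the string from unregisterSafely(); the Timeline is destroyed on return.
std::string runSoleOwnerScenario() {
    TimelineMap map;
    map["--scroller"].push_back(TimelineRef::create("--scroller"));
    bool lastRef = mapHoldsLastReference(map, "--scroller", 0); // true
    std::string result = unregisterSafely(map, "--scroller", 0);
    return (lastRef && map.empty()) ? result : "unexpected";
}

// Scenario 2: another owner (think: an animation) also holds a reference, so the
// map was never the last owner and the hazard does not arise.
bool runSharedOwnerScenario() {
    TimelineMap map;
    TimelineRef owned = TimelineRef::create("--shared");
    map["--shared"].push_back(owned.copyRef());
    bool lastRef = mapHoldsLastReference(map, "--shared", 0); // false: `owned` counts too
    std::string r = unregisterSafely(map, "--shared", 0);
    return !lastRef && r == "--shared:2" && Timeline::liveCount == 1;
}

int main() {
    std::cout << "sole owner: " << runSoleOwnerScenario() << ", alive after: " << Timeline::liveCount << "\n";
    std::cout << "shared owner ok: " << std::boolalpha << runSharedOwnerScenario() << "\n";
    return 0;
}
```

The design point is the one the commit makes: a `T&` from a container is only as long-lived as the container slot, so any removal between borrow and use must be preceded by taking an owning reference. `mapHoldsLastReference()` is the kind of invariant assertion that would have turned this crash into a deterministic failure in debug builds.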