commit ec7ba45348fed6617a6f4c254d78e7417f1e909f
parent fb29c72e98a4c75e3a9e851e0b47b6e16393fe93
Author: David Awogbemila <awogbemila@chromium.org>
Date: Mon, 27 Oct 2025 10:01:54 +0000
Bug 1995783 [wpt PR 55593] - [animation-trigger] Fix crash when trigger source has ::selection style, a=testonly
Automatic update from web-platform-tests
[animation-trigger] Fix crash when trigger source has ::selection style
In the linked clusterfuzz bug, Blink would perform
blink::Element::RecalcHighlightStyles which ended up invoking
blink::CSSAnimations::UpdateNamedTriggers again, except without
CSSAnimationData, i.e. StyleBuilder().Animations() is null, even though
in an earlier pass while styling the same element it was not.
This resulted in clobbering the trigger that had already been correctly
created, replacing it with a null pointer.
Bug: 451477493, 390314945
Change-Id: Ib192410e0b408e6af8fe38fcfa54923d3ebf2151
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7063693
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Commit-Queue: David Awogbemila <awogbemila@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1533669}
--
wpt-commits: 4f26de067e0a83751bf0102f3a944ebb492b095b
wpt-pr: 55593
Diffstat:
1 file changed, 23 insertions(+), 0 deletions(-)
diff --git a/testing/web-platform/tests/scroll-animations/animation-trigger/crashtests/selection-pseudo-crash.html b/testing/web-platform/tests/scroll-animations/animation-trigger/crashtests/selection-pseudo-crash.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+ <body>
+ <style>
+ @keyframes myAnim {}
+
+ .target {
+ animation: myAnim linear 0.5s forwards
+ }
+
+ #scroll_target {
+ animation-trigger: --scrolltrigger play-once;
+ timeline-trigger: --scrolltrigger scroll() 150px 200px
+ }
+
+ .subject,
+ .target::selection {
+ height: 50px;
+ }
+ </style>
+ <div id=scroll_target class="subject target" 0></div>
+ </body>
+</html>
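Review bot: the `0` in `<div id=scroll_target class="subject target" 0></div>` parses as a stray attribute named `0`, and nothing in the stylesheet refers to it, so it reads as residue from the fuzzer-generated case. Drop it unless the crash depends on it, and note that in a comment if it does. The file also carries no pointer back to the bug it guards. A `<link rel="help">` to the bug, or a one-line comment stating that the `.target::selection` rule on an element with `animation-trigger` is the crash condition, would keep a later cleanup from removing that selector, since a `height` declaration on `::selection` otherwise looks like dead CSS.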