Bug 121503

Summary: ASSERTION FAILED: !block || is<HTMLElement>(*block) in WebCore::ApplyStyleCommand::applyBlockStyle
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: HTML Editing
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED
Severity: Normal
CC: ahmad.saleem792, ap, bfulgham, deepak.deepakmittal, rniwa, shinyak, webkit-bug-importer, yosin
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: PC
OS: Linux
Bug Depends on:
Bug Blocks: 116980
Attachments: Test case (flags: none)

Description Renata Hodovan 2013-09-17 10:21:29 PDT
Created attachment 211921 [details]
Test case

Failing test:

<svg>
<foreignobject>
    <br>
    <br>
</foreignobject>
<script onload="document.designMode=&apos;on&apos;;     document.execCommand(&apos;selectall&apos;);    document.execCommand(&apos;RemoveFormat&apos;);     document.execCommand(&apos;inserthtml&apos;, false); " ></script>
</script>
</svg>


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff428eda8 in WebCore::ApplyStyleCommand::applyBlockStyle (this=0x8e5540, style=0x8ecb60)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:286
#2  0x00007ffff428e614 in WebCore::ApplyStyleCommand::doApply (this=0x8e5540)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:223
#3  0x00007ffff429e0fe in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x8e4760, prpCommand=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:267
#4  0x00007ffff42fc83d in WebCore::RemoveFormatCommand::doApply (this=0x8e4760)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveFormatCommand.cpp:96
#5  0x00007ffff429dec6 in WebCore::CompositeEditCommand::apply (this=0x8e4760)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:216
#6  0x00007ffff429dc4e in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:172
#7  0x00007ffff42bf96c in WebCore::Editor::removeFormattingAndStyle (this=0x7cf770) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:684
#8  0x00007ffff42d1792 in WebCore::executeRemoveFormat (frame=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:974
#9  0x00007ffff42d32d2 in WebCore::Editor::Command::execute (this=0x7fffffffbcd0, parameter=..., triggeringEvent=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1709
#10 0x00007ffff41a1ed6 in WebCore::Document::execCommand (this=0x8a00f0, commandName=..., userInterface=false, value=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4172
#11 0x00007ffff4ebfb12 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff941e20a8) at generated/JSDocument.cpp:2763
#12 0x00007fff9ffff0e5 in ?? ()
#13 0x00007fffffffbe70 in ?? ()
#14 0x00007ffff679ffa2 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5
#15 0x00007fff941e2060 in ?? ()
#16 0x00000000007d0358 in ?? ()
#17 0x00007fffffffbe30 in ?? ()
#18 0x00007ffff5506ba3 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#19 0x00007ffff551752c in JSC::JITCode::execute (this=0x8b9890, stack=0x7d0358, callFrame=0x7fff941e2060, vm=0x8159a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46
#20 0x00007ffff5503a02 in JSC::Interpreter::executeCall (this=0x7d0340, callFrame=0x7fffe407f9e0, function=0x7fff9c08e5f0, callType=JSC::CallTypeJS, 
    callData=..., thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:841
#21 0x00007ffff55d58b7 in JSC::call (exec=0x7fffe407f9e0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CallData.cpp:39
#22 0x00007ffff3f118bf in WebCore::JSMainThreadExecState::call (exec=0x7fffe407f9e0, functionObject=..., callType=JSC::CallTypeJS, callData=..., 
    thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSMainThreadExecState.h:53
#23 0x00007ffff3f40c6d in WebCore::JSEventListener::handleEvent (this=0x8f01b0, scriptExecutionContext=0x8a01a0, event=0x8efe90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSEventListener.cpp:130
#24 0x00007ffff420f7aa in WebCore::EventTarget::fireEventListeners (this=0x8ef7c0, event=0x8efe90, d=0x8f0220, entry=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.cpp:271
#25 0x00007ffff420f4c7 in WebCore::EventTarget::fireEventListeners (this=0x8ef7c0, event=0x8efe90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.cpp:227
#26 0x00007ffff423b79b in WebCore::Node::handleLocalEvents (this=0x8ef7c0, event=0x8efe90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2097
#27 0x00007ffff4201d54 in WebCore::EventContext::handleLocalEvents (this=0x8be050, event=0x8efe90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventContext.cpp:58
#28 0x00007ffff4203c33 in WebCore::EventDispatcher::dispatchEventAtTarget (this=0x7fffffffc4b0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:161
#29 0x00007ffff42038f0 in WebCore::EventDispatcher::dispatch (this=0x7fffffffc4b0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:118
#30 0x00007ffff4202715 in WebCore::EventDispatchMediator::dispatchEvent (this=0x8d2080, dispatcher=0x7fffffffc4b0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatchMediator.cpp:54
#31 0x00007ffff4202e9d in WebCore::EventDispatcher::dispatchEvent (node=0x8ef7c0, mediator=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:52
#32 0x00007ffff423b9b0 in WebCore::Node::dispatchEvent (this=0x8ef7c0, event=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2118
#33 0x00007ffff4c7096e in WebCore::SVGElement::sendSVGLoadEventIfPossible (this=0x8ef7c0, sendParentLoadEvents=false)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGElement.cpp:585
#34 0x00007ffff4c70bbd in WebCore::SVGElement::finishParsingChildren (this=0x8ef7c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGElement.cpp:630
#35 0x00007ffff4d035c8 in WebCore::SVGScriptElement::finishParsingChildren (this=0x8ef7c0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGScriptElement.cpp:143
#36 0x00007ffff4403510 in WebCore::HTMLElementStack::popCommon (this=0x78fad8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLElementStack.cpp:583
#37 0x00007ffff4401f62 in WebCore::HTMLElementStack::pop (this=0x78fad8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLElementStack.cpp:219
#38 0x00007ffff442a6cf in WebCore::HTMLTreeBuilder::processTokenInForeignContent (this=0x78faa0, token=0x7fffffffc7f0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2862
#39 0x00007ffff441e5a5 in WebCore::HTMLTreeBuilder::constructTree (this=0x78faa0, token=0x7fffffffc7f0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:354
#40 0x00007ffff43fd322 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x7d0f60, rawToken=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:597
#41 0x00007ffff43fcf57 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x7d0f60, mode=WebCore::HTMLDocumentParser::AllowYield)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:551
#42 0x00007ffff43fc71f in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x7d0f60, mode=WebCore::HTMLDocumentParser::AllowYield)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:235
#43 0x00007ffff43fd8be in WebCore::HTMLDocumentParser::append (this=0x7d0f60, inputSource=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:747
#44 0x00007ffff418dc07 in WebCore::DecodedDataDocumentParser::flush (this=0x7d0f60, writer=0x694230)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
#45 0x00007ffff4598071 in WebCore::DocumentWriter::end (this=0x694230) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:241
#46 0x00007ffff458ab61 in WebCore::DocumentLoader::finishedLoading (this=0x694190, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:407
#47 0x00007ffff458a8ca in WebCore::DocumentLoader::notifyFinished (this=0x694190, resource=0x7b2bf0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:344
#48 0x00007ffff4571afe in WebCore::CachedResource::checkNotify (this=0x7b2bf0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#49 0x00007ffff4571bd4 in WebCore::CachedResource::finishLoading (this=0x7b2bf0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#50 0x00007ffff456e326 in WebCore::CachedRawResource::finishLoading (this=0x7b2bf0, data=0x7b8340)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#51 0x00007ffff45d4a15 in WebCore::SubresourceLoader::didFinishLoading (this=0x75d780, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:282
#52 0x00007ffff45cb33b in WebCore::ResourceLoader::didFinishLoading (this=0x75d780, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:488
#53 0x00007ffff4a86713 in WebCore::QNetworkReplyHandler::finish (this=0x7b4b90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#54 0x00007ffff4a85432 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x7b4bc8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#55 0x00007ffff4a8512f in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x7b4bc8, 
    method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4a86558 <WebCore::QNetworkReplyHandler::finish()>)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#56 0x00007ffff4a8607c in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x7b7ba0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#57 0x00007ffff4a88a0e in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x7b7ba0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffce40)
    at .moc/release-shared/moc_QNetworkReplyHandler.cpp:176
#58 0x00007ffff21e65cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#59 0x00007ffff21e784e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#60 0x00007ffff302ddbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#61 0x00007ffff3031075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#62 0x00007ffff21c1dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#63 0x00007ffff21c3a76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#64 0x00007ffff2209333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#65 0x00007fffee34a3c6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3065
#66 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3641
#67 0x00007fffee34a718 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3712
#68 0x00007fffee34a7bc in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3773
#69 0x00007ffff22094bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#70 0x00007ffff21c0d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#71 0x00007ffff21c4120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#72 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
#73 0x0000000000423680 in main (argc=2, argv=0x7fffffffdb18) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Comment 1 Renata Hodovan 2015-01-29 06:28:03 PST
This might be similar to crbug.com/387750, which is fixed already.
Comment 2 Brent Fulgham 2016-08-03 12:46:02 PDT
This still occurs under r204037.
Comment 3 Radar WebKit Bug Importer 2016-08-03 12:46:34 PDT
<rdar://problem/27683733>
Comment 4 Brent Fulgham 2016-08-03 12:46:42 PDT
We should consider merging <https://src.chromium.org/viewvc/blink?view=revision&revision=177283> to resolve the issue.
Comment 5 Ahmad Saleem 2022-08-02 16:48:18 PDT
Based on comment 4 and looking into the Chromium patch, this assert has not been added to WebKit:

https://github.com/WebKit/WebKit/blob/50d7e0b0b808afca93e5ede9cd7c0d44b1ed8130/Source/WebCore/editing/ApplyStyleCommand.cpp#L268

I would appreciate it if someone could confirm whether it needs to be added or whether this can be closed. Thanks!
Comment 6 Ryosuke Niwa 2022-08-02 21:05:21 PDT
We don't hit the assertion anymore with the attached test case.