Bug 121503

Summary: ASSERTION FAILED: !block || is<HTMLElement>(*block) in WebCore::ApplyStyleCommand::applyBlockStyle
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: HTML EditingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: ahmad.saleem792, ap, bfulgham, deepak.deepakmittal, rniwa, shinyak, webkit-bug-importer, yosin
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Linux   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Test case none

Renata Hodovan
Reported 2013-09-17 10:21:29 PDT
Created attachment 211921 [details] Test case Failing test: <svg> <foreignobject> <br> <br> </foreignobject> <script onload="document.designMode=&apos;on&apos;; document.execCommand(&apos;selectall&apos;); document.execCommand(&apos;RemoveFormat&apos;); document.execCommand(&apos;inserthtml&apos;, false); " ></script> </script> </svg> Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342 342 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342 #1 0x00007ffff428eda8 in WebCore::ApplyStyleCommand::applyBlockStyle (this=0x8e5540, style=0x8ecb60) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:286 #2 0x00007ffff428e614 in WebCore::ApplyStyleCommand::doApply (this=0x8e5540) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:223 #3 0x00007ffff429e0fe in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x8e4760, prpCommand=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:267 #4 0x00007ffff42fc83d in WebCore::RemoveFormatCommand::doApply (this=0x8e4760) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveFormatCommand.cpp:96 #5 0x00007ffff429dec6 in WebCore::CompositeEditCommand::apply (this=0x8e4760) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:216 #6 0x00007ffff429dc4e in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:172 #7 0x00007ffff42bf96c in WebCore::Editor::removeFormattingAndStyle (this=0x7cf770) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:684 #8 0x00007ffff42d1792 in WebCore::executeRemoveFormat (frame=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:974 #9 0x00007ffff42d32d2 in WebCore::Editor::Command::execute (this=0x7fffffffbcd0, parameter=..., triggeringEvent=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1709 #10 0x00007ffff41a1ed6 in WebCore::Document::execCommand (this=0x8a00f0, commandName=..., userInterface=false, value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4172 #11 0x00007ffff4ebfb12 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff941e20a8) at generated/JSDocument.cpp:2763 #12 0x00007fff9ffff0e5 in ?? () #13 0x00007fffffffbe70 in ?? () #14 0x00007ffff679ffa2 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5 #15 0x00007fff941e2060 in ?? () #16 0x00000000007d0358 in ?? () #17 0x00007fffffffbe30 in ?? () #18 0x00007ffff5506ba3 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212 #19 0x00007ffff551752c in JSC::JITCode::execute (this=0x8b9890, stack=0x7d0358, callFrame=0x7fff941e2060, vm=0x8159a0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46 #20 0x00007ffff5503a02 in JSC::Interpreter::executeCall (this=0x7d0340, callFrame=0x7fffe407f9e0, function=0x7fff9c08e5f0, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:841 #21 0x00007ffff55d58b7 in JSC::call (exec=0x7fffe407f9e0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CallData.cpp:39 #22 0x00007ffff3f118bf in WebCore::JSMainThreadExecState::call (exec=0x7fffe407f9e0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSMainThreadExecState.h:53 #23 0x00007ffff3f40c6d in WebCore::JSEventListener::handleEvent (this=0x8f01b0, scriptExecutionContext=0x8a01a0, event=0x8efe90) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSEventListener.cpp:130 #24 0x00007ffff420f7aa in WebCore::EventTarget::fireEventListeners (this=0x8ef7c0, event=0x8efe90, d=0x8f0220, entry=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.cpp:271 #25 0x00007ffff420f4c7 in WebCore::EventTarget::fireEventListeners (this=0x8ef7c0, event=0x8efe90) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.cpp:227 #26 0x00007ffff423b79b in WebCore::Node::handleLocalEvents (this=0x8ef7c0, event=0x8efe90) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2097 #27 0x00007ffff4201d54 in WebCore::EventContext::handleLocalEvents (this=0x8be050, event=0x8efe90) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventContext.cpp:58 #28 0x00007ffff4203c33 in WebCore::EventDispatcher::dispatchEventAtTarget (this=0x7fffffffc4b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:161 #29 0x00007ffff42038f0 in WebCore::EventDispatcher::dispatch (this=0x7fffffffc4b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:118 #30 0x00007ffff4202715 in WebCore::EventDispatchMediator::dispatchEvent (this=0x8d2080, dispatcher=0x7fffffffc4b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatchMediator.cpp:54 #31 0x00007ffff4202e9d in WebCore::EventDispatcher::dispatchEvent (node=0x8ef7c0, mediator=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:52 #32 0x00007ffff423b9b0 in WebCore::Node::dispatchEvent (this=0x8ef7c0, event=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2118 ---Type <return> to continue, or q <return> to quit--- #33 0x00007ffff4c7096e in WebCore::SVGElement::sendSVGLoadEventIfPossible (this=0x8ef7c0, sendParentLoadEvents=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGElement.cpp:585 #34 0x00007ffff4c70bbd in WebCore::SVGElement::finishParsingChildren (this=0x8ef7c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGElement.cpp:630 #35 0x00007ffff4d035c8 in WebCore::SVGScriptElement::finishParsingChildren (this=0x8ef7c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGScriptElement.cpp:143 #36 0x00007ffff4403510 in WebCore::HTMLElementStack::popCommon (this=0x78fad8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLElementStack.cpp:583 #37 0x00007ffff4401f62 in WebCore::HTMLElementStack::pop (this=0x78fad8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLElementStack.cpp:219 #38 0x00007ffff442a6cf in WebCore::HTMLTreeBuilder::processTokenInForeignContent (this=0x78faa0, token=0x7fffffffc7f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2862 #39 0x00007ffff441e5a5 in WebCore::HTMLTreeBuilder::constructTree (this=0x78faa0, token=0x7fffffffc7f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:354 #40 0x00007ffff43fd322 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x7d0f60, rawToken=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:597 #41 0x00007ffff43fcf57 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x7d0f60, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:551 #42 0x00007ffff43fc71f in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x7d0f60, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:235 #43 0x00007ffff43fd8be in WebCore::HTMLDocumentParser::append (this=0x7d0f60, inputSource=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:747 #44 0x00007ffff418dc07 in WebCore::DecodedDataDocumentParser::flush (this=0x7d0f60, writer=0x694230) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/DecodedDataDocumentParser.cpp:60 #45 0x00007ffff4598071 in WebCore::DocumentWriter::end (this=0x694230) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:241 #46 0x00007ffff458ab61 in WebCore::DocumentLoader::finishedLoading (this=0x694190, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:407 #47 0x00007ffff458a8ca in WebCore::DocumentLoader::notifyFinished (this=0x694190, resource=0x7b2bf0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:344 #48 0x00007ffff4571afe in WebCore::CachedResource::checkNotify (this=0x7b2bf0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369 #49 0x00007ffff4571bd4 in WebCore::CachedResource::finishLoading (this=0x7b2bf0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385 #50 0x00007ffff456e326 in WebCore::CachedRawResource::finishLoading (this=0x7b2bf0, data=0x7b8340) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94 #51 0x00007ffff45d4a15 in WebCore::SubresourceLoader::didFinishLoading (this=0x75d780, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:282 #52 0x00007ffff45cb33b in WebCore::ResourceLoader::didFinishLoading (this=0x75d780, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:488 #53 0x00007ffff4a86713 in WebCore::QNetworkReplyHandler::finish (this=0x7b4b90) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516 #54 0x00007ffff4a85432 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x7b4bc8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250 #55 0x00007ffff4a8512f in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x7b4bc8, method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4a86558 <WebCore::QNetworkReplyHandler::finish()>) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216 #56 0x00007ffff4a8607c in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x7b7ba0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409 #57 0x00007ffff4a88a0e in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x7b7ba0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffce40) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:176 #58 0x00007ffff21e65cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #59 0x00007ffff21e784e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #60 0x00007ffff302ddbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5 #61 0x00007ffff3031075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5 #62 0x00007ffff21c1dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 ---Type <return> to continue, or q <return> to quit--- #63 0x00007ffff21c3a76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #64 0x00007ffff2209333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #65 0x00007fffee34a3c6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3065 #66 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3641 #67 0x00007fffee34a718 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3712 #68 0x00007fffee34a7bc in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3773 #69 0x00007ffff22094bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #70 0x00007ffff21c0d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #71 0x00007ffff21c4120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #72 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49 #73 0x0000000000423680 in main (argc=2, argv=0x7fffffffdb18) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Attachments
Test case (296 bytes, text/html)
2013-09-17 10:21 PDT, Renata Hodovan 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Renata Hodovan
Comment 1 2015-01-29 06:28:03 PST
This might be similar to crbug.com/387750 what is fixed already.
Brent Fulgham
Comment 2 2016-08-03 12:46:02 PDT
This still occurs under r204037.
Radar WebKit Bug Importer
Comment 3 2016-08-03 12:46:34 PDT
<rdar://problem/27683733>
Brent Fulgham
Comment 4 2016-08-03 12:46:42 PDT
We should consider merging <https://src.chromium.org/viewvc/blink?view=revision&revision=177283> to resolve the issue.
Ahmad Saleem
Comment 5 2022-08-02 16:48:18 PDT
Based on comment 04 and looking into Chromium patch, this assert has not been added to Webkit: https://github.com/WebKit/WebKit/blob/50d7e0b0b808afca93e5ede9cd7c0d44b1ed8130/Source/WebCore/editing/ApplyStyleCommand.cpp#L268 Appreciate if someone can confirm whether it needs to be added or this can be closed? Thanks!
Ryosuke Niwa
Comment 6 2022-08-02 21:05:21 PDT
We don't hit the assertion anymore with the attached test case.
Note You need to log in before you can comment on or make changes to this bug.