Bug 150969

Summary: [GTK]ASSERTION FAILED: m_offset + m_count <= m_node->length() in WebCore::DeleteFromTextNodeCommand::DeleteFromTextNodeCommand
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: HTML Editing
Assignee: Nobody <webkit-unassigned>
Status: REOPENED ---
Severity: Normal
CC: bfulgham, darin, mcatanzaro
Priority: P2
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980
Attachments: Test (flags: none)

Description Renata Hodovan 2015-11-06 02:20:03 PST
Created attachment 264922 [details]
Test

Load the attached test with debug MiniBrowser:

<script>
function f_0() {
    document.execCommand("selectAll", false);
    document.execCommand("fontname", true);
    document.execCommand("undo", false);
    document.execCommand("insertText", false,"a");
    document.execCommand("redo", false);
    document.execCommand("forwardDelete",false);
}
</script>
<body onload="f_0()">
    <textarea autofocus>g </textarea>
</body>

OS: Ubuntu 15.04 x86_64
Checked build: debug EFL
Checked version: babd346


Backtrace:

ASSERTION FAILED: m_offset + m_count <= m_node->length()
../../Source/WebCore/editing/DeleteFromTextNodeCommand.cpp(44) : WebCore::DeleteFromTextNodeCommand::DeleteFromTextNodeCommand(WTF::RefPtr<WebCore::Text>&&, unsigned int, unsigned int, WebCore::EditAction)
1   0x7fd301198bb5 WTFCrash
2   0x7fd308556ac1 WebCore::DeleteFromTextNodeCommand::DeleteFromTextNodeCommand(WTF::RefPtr<WebCore::Text>&&, unsigned int, unsigned int, WebCore::EditAction)
3   0x7fd30855176c WebCore::DeleteFromTextNodeCommand::create(WTF::RefPtr<WebCore::Text>&&, unsigned int, unsigned int, WebCore::EditAction)
4   0x7fd308548c18 WebCore::CompositeEditCommand::deleteTextFromNode(WTF::PassRefPtr<WebCore::Text>, unsigned int, unsigned int)
5   0x7fd30855a541 WebCore::DeleteSelectionCommand::deleteTextFromNode(WTF::PassRefPtr<WebCore::Text>, unsigned int, unsigned int)
6   0x7fd30855ac38 WebCore::DeleteSelectionCommand::handleGeneralDelete()
7   0x7fd30855db36 WebCore::DeleteSelectionCommand::doApply()
8   0x7fd3085460f6 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>)
9   0x7fd308549b0b WebCore::CompositeEditCommand::deleteSelection(WebCore::VisibleSelection const&, bool, bool, bool, bool, bool)
10  0x7fd307409bef WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::TextGranularity, bool)
11  0x7fd30740732c WebCore::TypingCommand::doApply()
12  0x7fd308545e22 WebCore::CompositeEditCommand::apply()
13  0x7fd3074063ae WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::Document&, unsigned int, WebCore::TextGranularity)
14  0x7fd3073be2e7
15  0x7fd3073c25dc WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
16  0x7fd307268107 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
17  0x7fd308983467 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*)
18  0x7fd2a3fff0c8
Aborted (core dumped)

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fd301198bba in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321     *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007fd301198bba in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007fd308556ac1 in WebCore::DeleteFromTextNodeCommand::DeleteFromTextNodeCommand(WTF::RefPtr<WebCore::Text>&&, unsigned int, unsigned int, WebCore::EditAction) (this=0x7fd2e87c0d20, node=<unknown type in webkit/WebKitBuild/Debug/lib/libewebkit2.so.1, CU 0x49fc0089, DIE 0x49fe21e1>, offset=0, count=334, editingAction=WebCore::EditActionDelete) at ../../Source/WebCore/editing/DeleteFromTextNodeCommand.cpp:44
#2  0x00007fd30855176c in WebCore::DeleteFromTextNodeCommand::create(WTF::RefPtr<WebCore::Text>&&, unsigned int, unsigned int, WebCore::EditAction) (node=<unknown type in webkit/WebKitBuild/Debug/lib/libewebkit2.so.1, CU 0x49eae53d, DIE 0x49f89ac7>, offset=0, count=334, editingAction=WebCore::EditActionDelete) at ../../Source/WebCore/editing/DeleteFromTextNodeCommand.h:39
#3  0x00007fd308548c18 in WebCore::CompositeEditCommand::deleteTextFromNode (this=0x7fd2e8696bd0, node=..., offset=0, count=334) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:555
#4  0x00007fd30855a541 in WebCore::DeleteSelectionCommand::deleteTextFromNode (this=0x7fd2e8696bd0, node=..., offset=0, count=334) at ../../Source/WebCore/editing/DeleteSelectionCommand.cpp:423
#5  0x00007fd30855ac38 in WebCore::DeleteSelectionCommand::handleGeneralDelete (this=0x7fd2e8696bd0) at ../../Source/WebCore/editing/DeleteSelectionCommand.cpp:482
#6  0x00007fd30855db36 in WebCore::DeleteSelectionCommand::doApply (this=0x7fd2e8696bd0) at ../../Source/WebCore/editing/DeleteSelectionCommand.cpp:842
#7  0x00007fd3085460f6 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x7fd2e86ad318, prpCommand=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:278
#8  0x00007fd308549b0b in WebCore::CompositeEditCommand::deleteSelection (this=0x7fd2e86ad318, selection=..., smartDelete=false, mergeBlocksAfterDelete=true, replace=false, expandForSpecialElements=true, sanitizeMarkup=true) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:650
#9  0x00007fd307409bef in WebCore::TypingCommand::forwardDeleteKeyPressed (this=0x7fd2e86ad318, granularity=WebCore::CharacterGranularity, killRing=false) at ../../Source/WebCore/editing/TypingCommand.cpp:635
#10 0x00007fd30740732c in WebCore::TypingCommand::doApply (this=0x7fd2e86ad318) at ../../Source/WebCore/editing/TypingCommand.cpp:269
#11 0x00007fd308545e22 in WebCore::CompositeEditCommand::apply (this=0x7fd2e86ad318) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:227
#12 0x00007fd3074063ae in WebCore::TypingCommand::forwardDeleteKeyPressed (document=..., options=0, granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/TypingCommand.cpp:138
#13 0x00007fd3073be2e7 in WebCore::executeForwardDelete (frame=..., source=WebCore::CommandFromDOM) at ../../Source/WebCore/editing/EditorCommand.cpp:440
#14 0x00007fd3073c25dc in WebCore::Editor::Command::execute (this=0x7fff38f75640, parameter=..., triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1703
#15 0x00007fd307268107 in WebCore::Document::execCommand (this=0x7fd2e8436000, commandName=..., userInterface=false, value=...) at ../../Source/WebCore/dom/Document.cpp:4657
#16 0x00007fd308983467 in WebCore::jsDocumentPrototypeFunctionExecCommand (state=0x7fff38f75710) at DerivedSources/WebCore/JSDocument.cpp:5066
#17 0x00007fd2a3fff0c8 in ?? ()
#18 0x00007fff38f757a0 in ?? ()
#19 0x00007fd301141351 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
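The assertion in the backtrace checks that the requested delete range fits inside the text node: frame #1 shows offset=0, count=334 arriving at DeleteFromTextNodeCommand for a node that cannot hold that many characters, so the selection offsets handed down after undo/redo are stale. The block below is an added example in C++, not WebKit's code and not the reporter's test. It uses a hypothetical example::TextNode and example::deleteTextFromNode to enforce the same invariant as a runtime precondition rather than a debug-only assertion, and it evaluates the check as `count <= length - offset` (after `offset <= length`) so that an oversized count cannot wrap the sum `offset + count` back into range.

```cpp
#include <cstdint>
#include <limits>
#include <string>

// Added example, not WebCore code: the invariant behind the assertion in the
// report (offset + count <= node length), enforced in every build and written
// in a form that cannot wrap around.
namespace example {

// Minimal stand-in for a DOM text node (hypothetical; not WebCore::Text).
struct TextNode {
    std::u16string data;                          // UTF-16 code units, like DOM text
    unsigned length() const { return static_cast<unsigned>(data.size()); }
};

// True iff [offset, offset + count) lies inside a node of `length` units.
// `count <= length - offset` is evaluated only after `offset <= length`, so a
// huge `count` cannot make the naive sum `offset + count` wrap into range.
inline bool isValidDeleteRange(unsigned offset, unsigned count, unsigned length)
{
    if (offset > length)
        return false;
    return count <= length - offset;
}

enum class DeleteResult { Applied, RangeOutOfBounds };

// Remove `count` code units starting at `offset`, refusing a stale range
// instead of relying on an assertion that only fires in debug builds.
inline DeleteResult deleteTextFromNode(TextNode& node, unsigned offset, unsigned count)
{
    if (!isValidDeleteRange(offset, count, node.length()))
        return DeleteResult::RangeOutOfBounds;
    node.data.erase(offset, count);
    return DeleteResult::Applied;
}

// Returns true when a delete with these arguments is refused and the node is
// left untouched. The node text "g " is constructed from the test's textarea.
inline bool deleteIsRefusedAndNodeUnchanged(unsigned offset, unsigned count)
{
    TextNode node{u"g "};
    const std::u16string before = node.data;
    return deleteTextFromNode(node, offset, count) == DeleteResult::RangeOutOfBounds
        && node.data == before;
}

} // namespace example

int main()
{
    using namespace example;
    // The arguments seen in the backtrace: offset=0, count=334 on a two-unit node.
    bool refusedStale = deleteIsRefusedAndNodeUnchanged(0, 334);
    // A count chosen so that the naive `offset + count` check would wrap to 0.
    bool refusedWrap = deleteIsRefusedAndNodeUnchanged(1, std::numeric_limits<unsigned>::max());
    // An in-range delete still applies normally: "hello" -> "ho".
    TextNode node{u"hello"};
    bool applied = deleteTextFromNode(node, 1, 3) == DeleteResult::Applied && node.data == u"ho";
    return (refusedStale && refusedWrap && applied) ? 0 : 1;
}
```

The point of returning RangeOutOfBounds rather than asserting is that the same stale offsets reach this code in release builds, where the WTF assertion is compiled out; a caller that gets the failure can drop the command and leave the DOM consistent.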

Comment 1 Brent Fulgham 2016-08-04 17:28:15 PDT
This problem does not reproduce under r204037. If you believe there is still a problem, please reopen this bug and provide a revised test case.

Comment 2 Renata Hodovan 2016-08-05 10:20:38 PDT
Using the attached test case the issue still seems valid in r204165 with debug EFL and GTK builds.

Comment 3 Darin Adler 2016-08-05 23:01:25 PDT
Seems peculiar that this would be platform dependent. When someone finds a fix I would like to understand why the platform difference exists.