Bug 202909
| Summary: | Chromium test-case asserts with ASSERTION FAILED: startOffset <= endOffset | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Emilio Cobos Álvarez (:emilio) <emilio> |
| Component: | HTML Editing | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED CONFIGURATION CHANGED | ||
| Severity: | Normal | CC: | ahmad.saleem792, ap, bfulgham, rniwa, webkit-bug-importer, wenson_hsieh |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Emilio Cobos Álvarez (:emilio)
On master (247b0314320d499ae788b6ea993aa1d98e2d607e / r250962), WebKitGTK build.
Running this test-case: https://cs.chromium.org/chromium/src/third_party/blink/web_tests/fast/dom/Range/range-extract-contents-after-move-to-another-document-crash.html?rcl=753caf715d8f30f0c673f1b4b36dadfc75c3201f
Asserts like:
ASSERTION FAILED: startOffset <= endOffset
../../Source/WebCore/dom/Range.cpp(686) : WebCore::ExceptionOr<WTF::RefPtr<WebCore::Node> > WebCore::processContentsBetweenOffsets(WebCore::Range::ActionType, WTF::RefPtr<WebCore::DocumentFragment>, WTF::RefPtr<WebCore::Node>, unsigned int, unsigned int)
1 0x7fee8256f3d3 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x9) [0x7fee8256f3d3]
2 0x7fee8e2185f2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF15CrashOnOverflow10overflowedEv+0) [0x7fee8e2185f2]
3 0x7fee90711bc7 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xcad4bc7) [0x7fee90711bc7]
4 0x7fee90710e2b /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore5Range15processContentsENS0_10ActionTypeE+0x1b5) [0x7fee90710e2b]
5 0x7fee90712fe4 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore5Range15extractContentsEv+0x28) [0x7fee90712fe4]
6 0x7fee8f7ac807 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xbb6f807) [0x7fee8f7ac807]
7 0x7fee8f7b1e74 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xbb74e74) [0x7fee8f7b1e74]
8 0x7fee8f7ac87b /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore39jsRangePrototypeFunctionExtractContentsEPN3JSC14JSGlobalObjectEPNS0_9CallFrameE+0x23) [0x7fee8f7ac87b]
9 0x7fee2cafa16b [0x7fee2cafa16b]
Seems like it's handled safely so not filing as security sensitive.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/56271256>
Ahmad Saleem
@ap - Is it something related to Webkit or this was specific to Chromium port? Thanks!
Alexey Proskuryakov
This was filed against the Gtk port, and long after Chromium forked. So, not Chromium related, it's just reproducible with their test case.
Ahmad Saleem
It does not reproduce this assert in WebKit Minibrowser (WK2 - Debug - 277105@main)
https://jsfiddle.net/9tj0f6L4/
Alexey Proskuryakov
Cannot reproduce in run-webkit-tests either, WebKit1 or WebKit2. And this is cross-platform code, so unlikely to have been Gtk only.
It may be nice to land this test, as I couldn't find a specific fix. But realistically, seems not worth tracking that, and we may well have one anyway.