Summary: | ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed when deleting a UserSelect::None element. | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Jack <shihchieh_lee> | ||||
Component: | HTML Editing | Assignee: | Jack <shihchieh_lee> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | CC: | ews-watchlist, ggaren, megan_gardner, mifenton, wenson_hsieh | ||||
Priority: | P2 | Keywords: | InRadar | ||||
Version: | WebKit Nightly Build | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
Attachments: |
|
Description
Jack
2020-04-14 21:23:54 PDT
In processing command "forwardDelete", we first validate and modify the selection by calling FrameSelection::modify. In this case, the original selection is div, the innerText of input. However, since div is UserSelect::Node, it fails the isCandidate check, and there is no other candidate found, FrameSelection::modify returns empty selection and triggers the assertion crash. <body><input id=input required draggable="true"> <script> input.focus(); document.execCommand("forwardDelete", false); </script> BODY 0x60c000104f80 (renderer 0x612000067840) INPUT 0x612000061fc0 (renderer 0x6120000679c0) #document-fragment 0x612000062140 (renderer 0x0) (needs style recalc) (child needs style recalc) * DIV 0x60c000105040 (renderer 0x612000067b40) #text 0x608000143520 "\n" SCRIPT 0x61000004b440 (renderer 0x0) #text 0x608000143620 "\n input.focus();\n document.execCommand("forwardDelete", false);\n" Created attachment 396502 [details]
Patch
Comment on attachment 396502 [details]
Patch
r=me
Committed r260153: <https://trac.webkit.org/changeset/260153> All reviewed patches have been landed. Closing bug and clearing flags on attachment 396502 [details]. |