Bug 210530

Summary: ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed when deleting a UserSelect::None element.
Product: WebKit Reporter: Jack <shihchieh_lee>
Component: HTML EditingAssignee: Jack <shihchieh_lee>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, ggaren, megan_gardner, mifenton, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch none

Description Jack 2020-04-14 21:23:54 PDT 
<rdar://58591480>

ASSERTION FAILED: !selectionToDelete.isNone()
./editing/TypingCommand.cpp(853) : void WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::TextGranularity, bool)
1   0x108235b79 WTFCrash
2   0x12d255f30 PAL::SOAuthorizationHintsFunction()
3   0x1341c43a0 WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::TextGranularity, bool)
4   0x1341c7012 WebCore::TypingCommand::doApply()
5   0x133f968fb WebCore::CompositeEditCommand::apply()
6   0x1341c289f WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::Document&, unsigned int, WebCore::TextGranularity)
7   0x1340bd46a WebCore::executeForwardDelete(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)
8   0x134052c65 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
9   0x1339c6faa WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
10  0x12e8ea402 WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)
Comment 1 Jack 2020-04-14 22:38:18 PDT 
In processing command "forwardDelete", we first validate and modify the selection by calling FrameSelection::modify. In this case, the original selection is div, the innerText of input. However, since div is UserSelect::Node, it fails the isCandidate check, and there is no other candidate found, FrameSelection::modify returns empty selection and triggers the assertion crash.

<body><input id=input required draggable="true">
<script>
    input.focus();
    document.execCommand("forwardDelete", false);
</script>

BODY	0x60c000104f80 (renderer 0x612000067840) 
	INPUT	0x612000061fc0 (renderer 0x6120000679c0) 
		#document-fragment	0x612000062140 (renderer 0x0)  (needs style recalc) (child needs style recalc)
*			DIV	0x60c000105040 (renderer 0x612000067b40) 
	#text	0x608000143520 "\n"
	SCRIPT	0x61000004b440 (renderer 0x0) 
		#text	0x608000143620 "\n    input.focus();\n    document.execCommand("forwardDelete", false);\n"
Comment 2 Jack 2020-04-14 23:02:16 PDT 
Created attachment 396502 [details]
Patch
Comment 3 Geoffrey Garen 2020-04-15 14:40:11 PDT 
Comment on attachment 396502 [details]
Patch

r=me
Comment 4 EWS 2020-04-15 14:57:28 PDT 
Committed r260153: <https://trac.webkit.org/changeset/260153>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 396502 [details].