Bug 210530

Summary: ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed when deleting a UserSelect::None element.
Product: WebKit Reporter: Jack <shihchieh_lee>
Component: HTML EditingAssignee: Jack <shihchieh_lee>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, ggaren, megan_gardner, mifenton, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch none

Jack
Reported 2020-04-14 21:23:54 PDT
<rdar://58591480> ASSERTION FAILED: !selectionToDelete.isNone() ./editing/TypingCommand.cpp(853) : void WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::TextGranularity, bool) 1 0x108235b79 WTFCrash 2 0x12d255f30 PAL::SOAuthorizationHintsFunction() 3 0x1341c43a0 WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::TextGranularity, bool) 4 0x1341c7012 WebCore::TypingCommand::doApply() 5 0x133f968fb WebCore::CompositeEditCommand::apply() 6 0x1341c289f WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::Document&, unsigned int, WebCore::TextGranularity) 7 0x1340bd46a WebCore::executeForwardDelete(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) 8 0x134052c65 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const 9 0x1339c6faa WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) 10 0x12e8ea402 WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)
Attachments
Patch (3.90 KB, patch)
2020-04-14 23:02 PDT, Jack 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Jack
Comment 1 2020-04-14 22:38:18 PDT
In processing command "forwardDelete", we first validate and modify the selection by calling FrameSelection::modify. In this case, the original selection is div, the innerText of input. However, since div is UserSelect::Node, it fails the isCandidate check, and there is no other candidate found, FrameSelection::modify returns empty selection and triggers the assertion crash. <body><input id=input required draggable="true"> <script> input.focus(); document.execCommand("forwardDelete", false); </script> BODY 0x60c000104f80 (renderer 0x612000067840) INPUT 0x612000061fc0 (renderer 0x6120000679c0) #document-fragment 0x612000062140 (renderer 0x0) (needs style recalc) (child needs style recalc) * DIV 0x60c000105040 (renderer 0x612000067b40) #text 0x608000143520 "\n" SCRIPT 0x61000004b440 (renderer 0x0) #text 0x608000143620 "\n input.focus();\n document.execCommand("forwardDelete", false);\n"
Jack
Comment 2 2020-04-14 23:02:16 PDT
Created attachment 396502 [details] Patch
Geoffrey Garen
Comment 3 2020-04-15 14:40:11 PDT
Comment on attachment 396502 [details] Patch r=me
EWS
Comment 4 2020-04-15 14:57:28 PDT
Committed r260153: <https://trac.webkit.org/changeset/260153> All reviewed patches have been landed. Closing bug and clearing flags on attachment 396502 [details].
Note You need to log in before you can comment on or make changes to this bug.