Bug 216778

Summary: [GTK] REGRESSION(r267329): imported/blink/editing/undo/crash-redo-with-iframes.html is crashing
Product: WebKit
Reporter: Diego Pino <dpino>
Component: New Bugs
Assignee: Lauro Moura <lmoura>
Status: RESOLVED FIXED
Severity: Normal
CC: bugs-noreply, darin, ews-watchlist, lmoura, mifenton, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 216739

Diego Pino
Reported 2020-09-21 07:02:05 PDT
The test started crashing in r267329. The test is passing in WPE though.

https://results.webkit.org/?suite=layout-tests&test=imported%2Fblink%2Fediting%2Fundo%2Fcrash-redo-with-iframes.html&platform=GTK&platform=WPE&platform=ios&platform=mac

Crash-log: https://build.webkit.org/results/GTK%20Linux%2064-bit%20Release%20(Tests)/r267339%20(15944)/imported/blink/editing/undo/crash-redo-with-iframes-crash-log.txt

Thread 1 (Thread 0x7fc99b7749c0 (LWP 129780)):
#0  0x00007fc9a5b578c6 in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization(WebCore::Node*, WebCore::Node*, WebCore::StyledMarkupAccumulator::NodeTraversalMode) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#1  0x00007fc9a5b57727 in WebCore::StyledMarkupAccumulator::serializeNodes(WebCore::Position const&, WebCore::Position const&) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#2  0x00007fc9a5b5945a in WebCore::serializePreservingVisualAppearanceInternal(WebCore::Position const&, WebCore::Position const&, WTF::Vector<WebCore::Node*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WebCore::AnnotateForInterchange, WebCore::ConvertBlocksToInlines, WebCore::StandardFontFamilySerializationMode, WebCore::MSOListMode) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#3  0x00007fc9a5b59ea2 in WebCore::serializePreservingVisualAppearance(WebCore::VisibleSelection const&, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WTF::Vector<WebCore::Node*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#4  0x00007fc9a4cc7e18 in WebKit::WebEditorClient::updateGlobalSelection(WebCore::Frame*) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#5  0x00007fc9a4ca9f4e in WebKit::WebEditorClient::respondToChangedSelection(WebCore::Frame*) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#6  0x00007fc9a5ae46e7 in WebCore::Editor::respondToChangedSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#7  0x00007fc9a5aea220 in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00007fc9a5acea15 in WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00007fc9a5ace666 in WebCore::FrameSelection::selectAll() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#10 0x00007fc9a5af8d54 in WebCore::executeSelectAll(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#11 0x00007fc9a59d3416 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#12 0x00007fc9a4f5e0c4 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::JSGlobalObject*, JSC::CallFrame*) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#13 0x00007fc95aaff178 in ()
#14 0x00007ffd2b48d8b0 in ()
#15 0x00007fc9a1112ff0 in llint_op_call () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#16 0x0000000000000000 in ()
Attachments
Debug crash log (28.58 KB, text/plain)
2020-09-21 14:06 PDT, Lauro Moura
no flags
Patch (1.56 KB, patch)
2020-09-21 20:25 PDT, Lauro Moura
no flags
Darin Adler
Comment 1 2020-09-21 12:01:30 PDT
What kind of crash is this? A null pointer dereference?
Darin Adler
Comment 2 2020-09-21 12:32:55 PDT
This global selection feature is a GTK-only feature related to the feature of Unix window systems, so it’s not surprising that the crash is GTK-only. I’d like to help with this; to help I will need some more information. What kind of crash is it? Most likely we just have to add some checks of some kind to serializePreservingVisualAppearanceInternal, but to understand what I need to know what kind of crash this is.
Lauro Moura
Comment 3 2020-09-21 14:06:04 PDT
Created attachment 409318 [details]
Debug crash log

Here's the stack trace from the debug log. It fails the assertion at the start of serializeNodes.

Top of the stack:

Thread 1 (Thread 0x7ff19326e9c0 (LWP 115)):
#0  WTFCrash() () at ../../Source/WTF/wtf/Assertions.cpp:295
#1  0x00007ff1aa6fc197 in CRASH_WITH_INFO(...) () at DerivedSources/ForwardingHeaders/wtf/Assertions.h:713
#2  0x00007ff1ad8bb03f in WebCore::StyledMarkupAccumulator::serializeNodes(WebCore::Position const&, WebCore::Position const&) (this=0x7ffe2f683570, start=..., end=...) at ../../Source/WebCore/editing/markup.cpp:587
#3  0x00007ff1ad8bccf9 in WebCore::serializePreservingVisualAppearanceInternal(WebCore::Position const&, WebCore::Position const&, WTF::Vector<WebCore::Node*, 0, WTF::CrashOnOverflow, 16, WTF::FastMalloc>*, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WebCore::AnnotateForInterchange, WebCore::ConvertBlocksToInlines, WebCore::StandardFontFamilySerializationMode, WebCore::MSOListMode) (start=..., end=..., nodes=0x0, resolveURLs=WebCore::ResolveURLs::YesExcludingLocalFileURLsForPrivacy, serializeComposedTree=WebCore::SerializeComposedTree::No, annotate=WebCore::AnnotateForInterchange::Yes, convertBlocksToInlines=WebCore::ConvertBlocksToInlines::No, standardFontFamilySerializationMode=WebCore::StandardFontFamilySerializationMode::Keep, msoListMode=WebCore::MSOListMode::DoNotPreserve) at ../../Source/WebCore/editing/markup.cpp:878
#4  0x00007ff1ad8bd478 in WebCore::serializePreservingVisualAppearance(WebCore::VisibleSelection const&, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WTF::Vector<WebCore::Node*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*) (selection=..., resolveURLs=WebCore::ResolveURLs::YesExcludingLocalFileURLsForPrivacy, serializeComposedTree=WebCore::SerializeComposedTree::No, nodes=0x0) at ../../Source/WebCore/editing/markup.cpp:946
#5  0x00007ff1abaa15ad in WebKit::WebEditorClient::updateGlobalSelection(WebCore::Frame*) (this=0x7ff1929f62b8, frame=0x7ff1929a4100) at ../../Source/WebKit/WebProcess/WebCoreSupport/gtk/WebEditorClientGtk.cpp:147
#6  0x00007ff1aba4daca in WebKit::WebEditorClient::respondToChangedSelection(WebCore::Frame*) (this=0x7ff1929f62b8, frame=0x7ff1929a4100) at ../../Source/WebKit/WebProcess/WebCoreSupport/WebEditorClient.cpp:229
#7  0x00007ff1ad81c583 in WebCore::Editor::respondToChangedSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>) (this=0x7ff1929784e0, options=...) at ../../Source/WebCore/editing/Editor.cpp:3630
#8  0x00007ff1ad829170 in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) (this=0x7ff19297aa80, newSelectionPossiblyWithoutDirection=..., options=..., align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::TextGranularity::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:395
#9  0x00007ff1ad82937d in WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) (this=0x7ff19297aa80, selection=..., options=..., intent=..., align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::TextGranularity::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:408
Darin Adler
Comment 4 2020-09-21 14:21:12 PDT
Can work around this for now by changing serializePreservingVisualAppearanceInternal to use < instead of == at the top: if (!(start < end)) return emptyString();
Darin Adler
Comment 5 2020-09-21 14:21:38 PDT
I suggest putting that in for now.
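The difference between the two guards in Comment 4, as an added example that is not WebKit's code: a toy Position with a strict ordering that only holds within one tree (a modelling assumption; WebKit's Position and its comparison are not reproduced here), a stand-in serializeNodes that enforces start < end the way the debug assertion at markup.cpp:587 does, and the two caller-side guards. The equality guard only handles the empty range; a reversed range, or two positions that are not comparable at all (modelled here as positions in different trees, e.g. a document and an iframe's document), falls through to the serializer's precondition, while !(start < end) returns an empty string in all three cases.

```cpp
// Added example (not WebKit code): why an early-out written as !(start < end)
// is safer than start == end when the range handed to a serializer may be
// empty, reversed, or not comparable at all.
#include <iostream>
#include <stdexcept>
#include <string>

// Toy model of an editing Position: which tree the node lives in, the node's
// index in that tree's document order, and an offset within the node.
// Assumption: this stands in for WebCore::Position and is not its real layout.
struct Position {
    int tree;    // e.g. 0 = main document, 1 = an iframe's document
    int node;    // index in document order within that tree
    int offset;
};

// Strict ordering restricted to a single tree. Positions in different trees are
// incomparable: neither a < b nor b < a holds, so they are not "equal" either.
inline bool operator<(const Position& a, const Position& b)
{
    if (a.tree != b.tree)
        return false;
    if (a.node != b.node)
        return a.node < b.node;
    return a.offset < b.offset;
}

inline bool operator==(const Position& a, const Position& b)
{
    return a.tree == b.tree && a.node == b.node && a.offset == b.offset;
}

// Stand-in for StyledMarkupAccumulator::serializeNodes: it requires an ordered,
// non-empty range and walks from start to end. In a debug build the precondition
// is an assertion; here a violation throws so a caller can observe it.
std::string serializeNodes(const Position& start, const Position& end)
{
    if (!(start < end))
        throw std::logic_error("serializeNodes: precondition start < end violated");
    std::string out;
    for (int n = start.node; n <= end.node; ++n)
        out += "<node" + std::to_string(n) + ">";
    return out;
}

// Caller with a guard that only recognises the empty range.
std::string serializeWithEqualityGuard(const Position& start, const Position& end)
{
    if (start == end)
        return std::string();
    return serializeNodes(start, end);   // reversed or incomparable ranges fall through
}

// Caller with the guard suggested in Comment 4: bail out unless start is strictly before end.
std::string serializeWithOrderGuard(const Position& start, const Position& end)
{
    if (!(start < end))
        return std::string();
    return serializeNodes(start, end);
}

// True when the equality-guarded caller reaches the serializer's precondition.
bool equalityGuardTrips(const Position& start, const Position& end)
{
    try {
        serializeWithEqualityGuard(start, end);
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}

int main()
{
    const Position a{0, 2, 0}, b{0, 5, 0}, elsewhere{1, 1, 0};
    std::cout << "ordered:      " << serializeWithOrderGuard(a, b) << "\n";
    std::cout << "reversed:     equality guard trips=" << equalityGuardTrips(b, a)
              << ", order guard returns \"" << serializeWithOrderGuard(b, a) << "\"\n";
    std::cout << "incomparable: equality guard trips=" << equalityGuardTrips(a, elsewhere)
              << ", order guard returns \"" << serializeWithOrderGuard(a, elsewhere) << "\"\n";
    return 0;
}
```

In a release build the assertion in serializeNodes is compiled out, which is why the release crash in Comment 0 surfaces one frame deeper, inside traverseNodesForSerialization, rather than at the precondition: the traversal is started on a range the code never established as valid. Bailing out on !(start < end) keeps both builds from entering the traversal at all.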
Lauro Moura
Comment 6 2020-09-21 20:25:08 PDT
EWS
Comment 7 2020-09-22 20:36:18 PDT
Committed r267457: <https://trac.webkit.org/changeset/267457> All reviewed patches have been landed. Closing bug and clearing flags on attachment 409347 [details].
Radar WebKit Bug Importer
Comment 8 2020-09-22 20:37:17 PDT