Bug 222219

Summary: REGRESSION (r272928): ASSERT NOT REACHED in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance
Product: WebKit Reporter: Ryan Haddad <ryanhaddad>
Component: New BugsAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, ews-watchlist, japhet, mifenton, rniwa, webkit-bot-watchers-bugzilla, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=221942
Attachments:
Description Flags
crash log
none
Fixes the bug wenson_hsieh: review+

Ryan Haddad
Reported 2021-02-19 20:20:04 PST
Created attachment 421074 [details] crash log Seeing the following assert on iOS debug bots with editing/input/set-value-on-input-and-delete.html SHOULD NEVER BE REACHED ./editing/FrameSelection.cpp(361) : bool WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(const WebCore::VisibleSelection &, OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) 1 0x44a27aaa9 WTFCrash 2 0x4524c556b WTFCrashWithInfo(int, char const*, char const*, int) 3 0x4554532be WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) 4 0x4554368b1 WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) 5 0x455441990 WebCore::Editor::selectComposition() 6 0x455441d3b WebCore::Editor::setComposition(WTF::String const&, WebCore::Editor::SetCompositionMode) 7 0x455441be4 WebCore::Editor::confirmComposition() 8 0x455441f26 WebCore::Editor::confirmCompositionAndNotifyClient() 9 0x455e24b1e WebCore::FrameLoader::commitProvisionalLoad() 10 0x455d96eac WebCore::DocumentLoader::commitIfReady() 11 0x455d97670 WebCore::DocumentLoader::finishedLoading() 12 0x455da31f1 WebCore::DocumentLoader::maybeLoadEmpty() 13 0x455da3375 WebCore::DocumentLoader::startLoadingMainResource() 14 0x455e52e4c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()() 15 0x455e5275e WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11, void>::call() 16 0x4524dba02 WTF::Function<void ()>::operator()() const 17 0x452566ab5 WTF::CompletionHandler<void ()>::operator()() 18 0x455e21def WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL) 19 0x455e4fbe0 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) 20 0x455e4fa9c WTF::Detail::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8, void, WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision>::call(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) 21 0x455e863b1 WTF::Function<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) const 22 0x455e7a297 WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) 23 0x455e89c2e WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) 24 0x455e88a37 WTF::Detail::CallableWrapper<WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) 25 0x431cf6528 WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const 26 0x431cf7777 WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::ResourceResponse const&, WebCore::FormState*, WebCore::PolicyDecisionMode, WebCore::PolicyCheckIdentifier, WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>&&) 27 0x455e79df9 WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode) 28 0x455e20c44 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&) 29 0x455e1b601 WebCore::FrameLoader::load(WebCore::DocumentLoader&) 30 0x455e1f713 WebCore::FrameLoader::load(WebCore::FrameLoadRequest&&) 31 0x456ded988 WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest&&, WebCore::InputSource) LEAK: 2 WebPageProxy https://results.webkit.org/?suite=layout-tests&test=editing%2Finput%2Fset-value-on-input-and-delete.html
Attachments
crash log (139.69 KB, text/plain)
2021-02-19 20:20 PST, Ryan Haddad 		no flags
Details
Fixes the bug (4.50 KB, patch)
2021-02-22 15:34 PST, Ryosuke Niwa 		wenson_hsieh: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-02-19 20:20:20 PST
<rdar://problem/74548257>
Ryan Haddad
Comment 2 2021-02-19 20:21:12 PST
Test history suggests that this may have started after https://trac.webkit.org/changeset/272928/webkit
Ryosuke Niwa
Comment 3 2021-02-22 14:03:46 PST
I can reproduce this crash with the following command: ./Tools/Scripts/run-webkit-tests --ios-simulator --debug --no-build --no-retry editing/input/select-all-clear-input-method.html editing/input/set-value-on-input-and-delete.html --force It looks like the issue is that we're not canceling the composition in time when we're navigating to a new document.
Ryosuke Niwa
Comment 4 2021-02-22 15:34:50 PST
Created attachment 421250 [details] Fixes the bug
Wenson Hsieh
Comment 5 2021-02-22 15:53:51 PST
Comment on attachment 421250 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=421250&action=review > Source/WebCore/ChangeLog:10 > + committing the composition even though the composition node had been removed from the docuemnt. Nit - docuemnt => document.
Ryosuke Niwa
Comment 6 2021-02-22 16:26:55 PST
Waiting for EWS...
Ryosuke Niwa
Comment 7 2021-02-22 19:50:07 PST
(In reply to Wenson Hsieh from comment #5) > Comment on attachment 421250 [details] > Fixes the bug > > View in context: > https://bugs.webkit.org/attachment.cgi?id=421250&action=review > > > Source/WebCore/ChangeLog:10 > > + committing the composition even though the composition node had been removed from the docuemnt. > > Nit - docuemnt => document. Fixed. Thanks for the review!
Ryosuke Niwa
Comment 8 2021-02-22 19:52:46 PST
Committed r273298 (234458@main): <https://commits.webkit.org/234458@main>
Note You need to log in before you can comment on or make changes to this bug.