Bug 222219

Summary: REGRESSION (r272928): ASSERT NOT REACHED in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance
Product: WebKit
Reporter: Ryan Haddad <ryanhaddad>
Component: New Bugs
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: cdumez, ews-watchlist, japhet, mifenton, rniwa, webkit-bot-watchers-bugzilla, webkit-bug-importer, wenson_hsieh
Priority: P2
Keywords: InRadar
Version: Other
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=221942
Attachments (Description: Flags):
crash log: none
Fixes the bug: wenson_hsieh: review+

Description Ryan Haddad 2021-02-19 20:20:04 PST
Created attachment 421074 [details]
crash log

Seeing the following assert on iOS debug bots with editing/input/set-value-on-input-and-delete.html

SHOULD NEVER BE REACHED
./editing/FrameSelection.cpp(361) : bool WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(const WebCore::VisibleSelection &, OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity)
1   0x44a27aaa9 WTFCrash
2   0x4524c556b WTFCrashWithInfo(int, char const*, char const*, int)
3   0x4554532be WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity)
4   0x4554368b1 WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity)
5   0x455441990 WebCore::Editor::selectComposition()
6   0x455441d3b WebCore::Editor::setComposition(WTF::String const&, WebCore::Editor::SetCompositionMode)
7   0x455441be4 WebCore::Editor::confirmComposition()
8   0x455441f26 WebCore::Editor::confirmCompositionAndNotifyClient()
9   0x455e24b1e WebCore::FrameLoader::commitProvisionalLoad()
10  0x455d96eac WebCore::DocumentLoader::commitIfReady()
11  0x455d97670 WebCore::DocumentLoader::finishedLoading()
12  0x455da31f1 WebCore::DocumentLoader::maybeLoadEmpty()
13  0x455da3375 WebCore::DocumentLoader::startLoadingMainResource()
14  0x455e52e4c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()()
15  0x455e5275e WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11, void>::call()
16  0x4524dba02 WTF::Function<void ()>::operator()() const
17  0x452566ab5 WTF::CompletionHandler<void ()>::operator()()
18  0x455e21def WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)
19  0x455e4fbe0 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)
20  0x455e4fa9c WTF::Detail::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8, void, WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision>::call(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)
21  0x455e863b1 WTF::Function<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) const
22  0x455e7a297 WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)
23  0x455e89c2e WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)
24  0x455e88a37 WTF::Detail::CallableWrapper<WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)
25  0x431cf6528 WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const
26  0x431cf7777 WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::ResourceResponse const&, WebCore::FormState*, WebCore::PolicyDecisionMode, WebCore::PolicyCheckIdentifier, WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>&&)
27  0x455e79df9 WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)
28  0x455e20c44 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)
29  0x455e1b601 WebCore::FrameLoader::load(WebCore::DocumentLoader&)
30  0x455e1f713 WebCore::FrameLoader::load(WebCore::FrameLoadRequest&&)
31  0x456ded988 WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest&&, WebCore::InputSource)
LEAK: 2 WebPageProxy

https://results.webkit.org/?suite=layout-tests&test=editing%2Finput%2Fset-value-on-input-and-delete.html
Comment 1 Radar WebKit Bug Importer 2021-02-19 20:20:20 PST
<rdar://problem/74548257>
Comment 2 Ryan Haddad 2021-02-19 20:21:12 PST
Test history suggests that this may have started after https://trac.webkit.org/changeset/272928/webkit
Comment 3 Ryosuke Niwa 2021-02-22 14:03:46 PST
I can reproduce this crash with the following command:
./Tools/Scripts/run-webkit-tests --ios-simulator --debug --no-build --no-retry editing/input/select-all-clear-input-method.html editing/input/set-value-on-input-and-delete.html --force

It looks like the issue is that we're not canceling the composition in time when we're navigating to a new document.
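An added illustration, written for this page and not taken from WebKit or from the patch attached to this bug: it models the sequence comment 3 describes (an IME composition is in progress, navigation commits a new document and detaches the node the composition lives in, then the commit path confirms the composition and tries to select that node) and shows the kind of guard that turns this into a clean cancel. `Node`, `Document`, `Selection` and `Editor` are stand-ins for the WebCore classes in the stack trace; the `connected` flag plays the role of `Node::isConnected()`, the assertion counter stands in for the `SHOULD NEVER BE REACHED` in the log, and the shape of the guard is an assumption, not the fix that landed as r273298, which this page does not show.

```cpp
// Added example, not WebKit code: stale composition node across a navigation.
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

struct Node {
    std::string text;
    bool connected = true;  // stands in for Node::isConnected()
};

// Stands in for Document; detachAll() models the old document being torn
// down when commitProvisionalLoad() installs the new one. Nodes that someone
// still references stay alive but are no longer in any document.
struct Document {
    std::vector<std::shared_ptr<Node>> nodes;

    std::shared_ptr<Node> append(const std::string& text) {
        auto node = std::make_shared<Node>();
        node->text = text;
        nodes.push_back(node);
        return node;
    }

    void detachAll() {
        for (auto& node : nodes)
            node->connected = false;
        nodes.clear();
    }
};

// Stands in for FrameSelection. Selecting a detached node is the condition
// that fires the assertion in the crash log; here it is counted instead.
struct Selection {
    int assertionHits = 0;
    std::shared_ptr<Node> focus;

    bool setSelection(const std::shared_ptr<Node>& node) {
        if (!node || !node->connected) {
            ++assertionHits;  // SHOULD NEVER BE REACHED in a debug build
            return false;
        }
        focus = node;
        return true;
    }
};

enum class Outcome { NoComposition, Committed, Cancelled, SelectedDetachedNode };

class Editor {
public:
    explicit Editor(Selection& selection) : m_selection(selection) {}

    // Like a RefPtr member, this keeps the node alive even once detached.
    void setComposition(std::shared_ptr<Node> node, std::string text) {
        m_compositionNode = std::move(node);
        m_compositionText = std::move(text);
    }

    // Commits unconditionally: selects whatever node the composition points at.
    Outcome confirmCompositionUnguarded() {
        if (!m_compositionNode)
            return Outcome::NoComposition;
        bool selected = m_selection.setSelection(m_compositionNode);
        m_compositionNode->text += m_compositionText;
        clear();
        return selected ? Outcome::Committed : Outcome::SelectedDetachedNode;
    }

    // Assumed guard: if the node has left the document, drop the composition
    // without touching the selection.
    Outcome confirmCompositionGuarded() {
        if (!m_compositionNode)
            return Outcome::NoComposition;
        if (!m_compositionNode->connected) {
            clear();
            return Outcome::Cancelled;
        }
        m_selection.setSelection(m_compositionNode);
        m_compositionNode->text += m_compositionText;
        clear();
        return Outcome::Committed;
    }

private:
    void clear() {
        m_compositionNode.reset();
        m_compositionText.clear();
    }

    Selection& m_selection;
    std::shared_ptr<Node> m_compositionNode;
    std::string m_compositionText;
};

struct Result {
    Outcome outcome;
    int assertionHits;
};

// Start a composition, optionally navigate (detaching the node), then confirm.
Result runScenario(bool navigate, bool guarded) {
    Document doc;
    Selection selection;
    Editor editor(selection);
    auto input = doc.append("abc");
    editor.setComposition(input, "d");
    if (navigate)
        doc.detachAll();
    Outcome outcome = guarded ? editor.confirmCompositionGuarded()
                              : editor.confirmCompositionUnguarded();
    return Result{outcome, selection.assertionHits};
}

int main() {
    Result before = runScenario(true, false);
    Result after = runScenario(true, true);
    std::printf("unguarded confirm after navigation: assertion hits = %d\n", before.assertionHits);
    std::printf("guarded confirm after navigation:   assertion hits = %d\n", after.assertionHits);
    return 0;
}
```

The point of the model is the ordering in the stack trace: `confirmCompositionAndNotifyClient()` runs from `commitProvisionalLoad()`, after the old document's nodes are gone but while the editor still holds a reference to one of them, so any check has to look at whether the node is still in a document rather than whether the pointer is non-null.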
Comment 4 Ryosuke Niwa 2021-02-22 15:34:50 PST
Created attachment 421250 [details]
Fixes the bug
Comment 5 Wenson Hsieh 2021-02-22 15:53:51 PST
Comment on attachment 421250 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=421250&action=review

> Source/WebCore/ChangeLog:10
> +        committing the composition even though the composition node had been removed from the docuemnt.

Nit - docuemnt => document.
Comment 6 Ryosuke Niwa 2021-02-22 16:26:55 PST
Waiting for EWS...
Comment 7 Ryosuke Niwa 2021-02-22 19:50:07 PST
(In reply to Wenson Hsieh from comment #5)
> Comment on attachment 421250 [details]
> Fixes the bug
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=421250&action=review
> 
> > Source/WebCore/ChangeLog:10
> > +        committing the composition even though the composition node had been removed from the docuemnt.
> 
> Nit - docuemnt => document.

Fixed. Thanks for the review!
Comment 8 Ryosuke Niwa 2021-02-22 19:52:46 PST
Committed r273298 (234458@main): <https://commits.webkit.org/234458@main>