Bug 109802 - ASSERT(destination.deepEquivalent().anchorNode()->inDocument()) in CompositeEditCommand::moveParagraphs
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks: 116980
Reported: 2013-02-14 02:34 PST by Renata Hodovan
Modified: 2020-07-31 00:28 PDT (History)

Attachments
Test case (307 bytes, text/html)
2014-03-21 13:08 PDT, Renata Hodovan

Description Renata Hodovan 2013-02-14 02:34:58 PST
During HTML fuzzing I've got the following assertion problem:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff42aa1e1 in WebCore::CompositeEditCommand::moveParagraphs (this=0x872050, startOfParagraphToMove=..., endOfParagraphToMove=..., destination=..., 
    preserveSelection=false, preserveStyle=true) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/CompositeEditCommand.cpp:1213
1213	    ASSERT(destination.deepEquivalent().anchorNode()->inDocument());


The test was:


<html>
<head>
<style type="text/css">
	p {height: 30px;}
	p {display: inline-block;}
</style>
</head>
<body>
	<ul></ul>
	<p>
	<img>
	<script>
		document.designMode = "on";
		document.execCommand("SelectAll");
		document.execCommand("JustifyCenter");
		document.body.innerText = "This tests for a crash when performing JustifyCenter.  It should not crash.";
	</script>
</html>
Comment 1 Renata Hodovan 2014-03-21 13:08:36 PDT
Created attachment 227477
Test case
Comment 2 Renata Hodovan 2014-03-21 13:11:26 PDT
Complete backtrace:

ASSERTION FAILED: destination.deepEquivalent().anchorNode()->inDocument()
/home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp(1286) : void WebCore::CompositeEditCommand::moveParagraphs(const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, bool, bool)
1   0x7ffff5edad95 WTFCrash
2   0x7ffff106791b WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool)
3   0x7ffff1065df7 WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary(WebCore::Position const&)
4   0x7ffff1052cf3 WebCore::ApplyStyleCommand::applyBlockStyle(WebCore::EditingStyle*)
5   0x7ffff1052710 WebCore::ApplyStyleCommand::doApply()
6   0x7ffff10617bb WebCore::CompositeEditCommand::apply()
7   0x7ffff10615af WebCore::applyCommand(WTF::PassRefPtr<WebCore::CompositeEditCommand>)
8   0x7ffff1086803 WebCore::Editor::applyParagraphStyle(WebCore::StyleProperties*, WebCore::EditAction)
9   0x7ffff1098bf3
10  0x7ffff109a849
11  0x7ffff109d732 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
12  0x7ffff0f57b5c WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
13  0x7ffff1f2d8df WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*)
14  0x7fff9b6ce0b4
ERR<14753>:eet eet_lib.c:668 eet_shutdown() File '/home/reni2/.cache/efreet/icon_themes_reni2.eet' is still open !

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5edad9a in WTFCrash () at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5edad9a in WTFCrash () at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff106791b in WebCore::CompositeEditCommand::moveParagraphs (this=0xfc3f40, startOfParagraphToMove=..., endOfParagraphToMove=..., 
    destination=..., preserveSelection=false, preserveStyle=true) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:1286
#2  0x00007ffff1065df7 in WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary (this=0xfc3f40, pos=...)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:1029
#3  0x00007ffff1052cf3 in WebCore::ApplyStyleCommand::applyBlockStyle (this=0xfc3f40, style=0x7a5da0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:283
#4  0x00007ffff1052710 in WebCore::ApplyStyleCommand::doApply (this=0xfc3f40)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:224
#5  0x00007ffff10617bb in WebCore::CompositeEditCommand::apply (this=0xfc3f40)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:227
#6  0x00007ffff10615af in WebCore::applyCommand (command=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:182
#7  0x00007ffff1086803 in WebCore::Editor::applyParagraphStyle (this=0x757a00, style=0x86b770, editingAction=WebCore::EditActionUnspecified)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:985
#8  0x00007ffff1098bf3 in WebCore::executeApplyParagraphStyle (frame=..., source=WebCore::CommandFromDOM, action=WebCore::EditActionCenter, 
    propertyID=WebCore::CSSPropertyTextAlign, propertyValue=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:185
#9  0x00007ffff109a849 in WebCore::executeJustifyCenter (frame=..., source=WebCore::CommandFromDOM)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:581
#10 0x00007ffff109d732 in WebCore::Editor::Command::execute (this=0x7fffffffadb0, parameter=..., triggeringEvent=0x0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1741
#11 0x00007ffff0f57b5c in WebCore::Document::execCommand (this=0x9d4d80, commandName=..., userInterface=false, value=...)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4217
#12 0x00007ffff1f2d8df in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fffffffaeb0)
    at /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:4736
#13 0x00007fff9b6ce0b4 in ?? ()
#14 0x00007fffffffaf00 in ?? ()
#15 0x00007ffff5ec5f95 in llint_op_call () from /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#16 0x0000000000000000 in ?? ()
Comment 3 Radar WebKit Bug Importer 2016-08-03 10:59:45 PDT
<rdar://problem/27681533>
Comment 4 Brent Fulgham 2016-08-03 11:00:16 PDT
Assumption that the anchor node is in a document is invalid.

@Ryosuke: You added this assertion for a reason. What is the ramification if this invariant is violated?
Comment 5 Ryosuke Niwa 2017-11-14 23:09:09 PST
There is no security bug here. It's just a logic error.
Comment 6 Brent Fulgham 2017-11-15 08:51:16 PST
(In reply to Ryosuke Niwa from comment #5)
> There is no security bug here. It's just a logic error.

Should we move it out of the Security component, then?
Comment 7 Ryosuke Niwa 2017-11-15 13:36:35 PST
(In reply to Brent Fulgham from comment #6)
> (In reply to Ryosuke Niwa from comment #5)
> > There is no security bug here. It's just a logic error.
> 
> Should we move it out of the Security component, then?

Yes. I apparently don't have the privilege to do it.
Comment 8 Brent Fulgham 2017-11-15 13:40:37 PST
This is not a security issue, so moving back to the Forms component.
Comment 9 Ryosuke Niwa 2020-07-31 00:28:05 PDT
Maybe this is a duplicate of https://bugs.webkit.org/show_bug.cgi?id=209999?