109802 – ASSERT(destination.deepEquivalent().anchorNode()->inDocument()) in CompositeEditCommand::moveParagraphs

NEW 109802

ASSERT(destination.deepEquivalent().anchorNode()->inDocument()) in CompositeEditCommand::moveParagraphs

https://bugs.webkit.org/show_bug.cgi?id=109802

Summary ASSERT(destination.deepEquivalent().anchorNode()->inDocument()) in CompositeE...

Renata Hodovan

Reported 2013-02-14 02:34:58 PST

During HTML fuzzing I've got the following assertion problem: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff42aa1e1 in WebCore::CompositeEditCommand::moveParagraphs (this=0x872050, startOfParagraphToMove=..., endOfParagraphToMove=..., destination=..., preserveSelection=false, preserveStyle=true) at /home/reni/Data/REPOS/webkit/Source/WebCore/editing/CompositeEditCommand.cpp:1213 1213 ASSERT(destination.deepEquivalent().anchorNode()->inDocument()); The test was: <html> <head> <style type="text/css"> p {height: 30px;} p {display: inline-block;} </style> </head> <body> <ul></ul> <p> <img> <script> document.designMode = "on"; document.execCommand("SelectAll"); document.execCommand("JustifyCenter"); document.body.innerText = "This tests for a crash when performing JustifyCenter. It should not crash."; </script> </html>

Attachments
Test case (307 bytes, text/html) 2014-03-21 13:08 PDT, Renata Hodovan	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Renata Hodovan

Comment 1 2014-03-21 13:08:36 PDT

Created attachment 227477 [details] Test case

Renata Hodovan

Comment 2 2014-03-21 13:11:26 PDT

Complete backtrace: ASSERTION FAILED: destination.deepEquivalent().anchorNode()->inDocument() /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp(1286) : void WebCore::CompositeEditCommand::moveParagraphs(const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, bool, bool) 1 0x7ffff5edad95 WTFCrash 2 0x7ffff106791b WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool) 3 0x7ffff1065df7 WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary(WebCore::Position const&) 4 0x7ffff1052cf3 WebCore::ApplyStyleCommand::applyBlockStyle(WebCore::EditingStyle*) 5 0x7ffff1052710 WebCore::ApplyStyleCommand::doApply() 6 0x7ffff10617bb WebCore::CompositeEditCommand::apply() 7 0x7ffff10615af WebCore::applyCommand(WTF::PassRefPtr<WebCore::CompositeEditCommand>) 8 0x7ffff1086803 WebCore::Editor::applyParagraphStyle(WebCore::StyleProperties*, WebCore::EditAction) 9 0x7ffff1098bf3 10 0x7ffff109a849 11 0x7ffff109d732 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const 12 0x7ffff0f57b5c WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) 13 0x7ffff1f2d8df WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) 14 0x7fff9b6ce0b4 ERR<14753>:eet eet_lib.c:668 eet_shutdown() File '/home/reni2/.cache/efreet/icon_themes_reni2.eet' is still open ! Program received signal SIGSEGV, Segmentation fault. 0x00007ffff5edad9a in WTFCrash () at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 333 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff5edad9a in WTFCrash () at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 #1 0x00007ffff106791b in WebCore::CompositeEditCommand::moveParagraphs (this=0xfc3f40, startOfParagraphToMove=..., endOfParagraphToMove=..., destination=..., preserveSelection=false, preserveStyle=true) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:1286 #2 0x00007ffff1065df7 in WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary (this=0xfc3f40, pos=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:1029 #3 0x00007ffff1052cf3 in WebCore::ApplyStyleCommand::applyBlockStyle (this=0xfc3f40, style=0x7a5da0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:283 #4 0x00007ffff1052710 in WebCore::ApplyStyleCommand::doApply (this=0xfc3f40) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:224 #5 0x00007ffff10617bb in WebCore::CompositeEditCommand::apply (this=0xfc3f40) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:227 #6 0x00007ffff10615af in WebCore::applyCommand (command=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:182 #7 0x00007ffff1086803 in WebCore::Editor::applyParagraphStyle (this=0x757a00, style=0x86b770, editingAction=WebCore::EditActionUnspecified) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:985 #8 0x00007ffff1098bf3 in WebCore::executeApplyParagraphStyle (frame=..., source=WebCore::CommandFromDOM, action=WebCore::EditActionCenter, propertyID=WebCore::CSSPropertyTextAlign, propertyValue=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:185 #9 0x00007ffff109a849 in WebCore::executeJustifyCenter (frame=..., source=WebCore::CommandFromDOM) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:581 #10 0x00007ffff109d732 in WebCore::Editor::Command::execute (this=0x7fffffffadb0, parameter=..., triggeringEvent=0x0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1741 #11 0x00007ffff0f57b5c in WebCore::Document::execCommand (this=0x9d4d80, commandName=..., userInterface=false, value=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4217 #12 0x00007ffff1f2d8df in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fffffffaeb0) at /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:4736 #13 0x00007fff9b6ce0b4 in ?? () #14 0x00007fffffffaf00 in ?? () #15 0x00007ffff5ec5f95 in llint_op_call () from /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0 #16 0x0000000000000000 in ?? ()

Radar WebKit Bug Importer

Comment 3 2016-08-03 10:59:45 PDT

<rdar://problem/27681533>

Brent Fulgham

Comment 4 2016-08-03 11:00:16 PDT

Assumption that the anchor node is in a document is invalid. @Ryosuke: You added this assertion for a reason. What is the ramification that this invariant is violated?

Ryosuke Niwa

Comment 5 2017-11-14 23:09:09 PST

There is no security bug here. It's just a logic error.

Brent Fulgham

Comment 6 2017-11-15 08:51:16 PST

(In reply to Ryosuke Niwa from comment #5) > There is no security bug here. It's just a logic error. Should we move it out of the Security component, then?

Ryosuke Niwa

Comment 7 2017-11-15 13:36:35 PST

(In reply to Brent Fulgham from comment #6) > (In reply to Ryosuke Niwa from comment #5) > > There is no security bug here. It's just a logic error. > > Should we move it out of the Security component, then? Yes. I apparently don't have the privilege to do it.

Brent Fulgham

Comment 8 2017-11-15 13:40:37 PST

This is not a security issue, so moving back to the Forms component.

Ryosuke Niwa

Comment 9 2020-07-31 00:28:05 PDT

Maybe this is a duplicate of https://bugs.webkit.org/show_bug.cgi?id=209999?

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Forms

Assignee

Nobody

Reported

2013-02-14 02:34 PST

Modified

2020-07-31 00:28 PDT History

CC List

8 users Show

URL

Keywords InRadar

Depends on

Blocks

116980

Dependencies

tree graph