RESOLVED WORKSFORME 120625
ASSERTION FAILED: commonScope in WebCore::comparePositions
https://bugs.webkit.org/show_bug.cgi?id=120625
Renata Hodovan
Reported 2013-09-03 02:36:01 PDT
Created attachment 210340 [details]
Test case

If you load the attached test you will get the assertion failure above (it's possible you have to force a refresh too). This test is a part of LayoutTests/editing/selection/selection-in-iframe-removed-crash.html, which was introduced in r144400 as the test case of a security bug. Nevertheless, the null check on the next line hopefully defends us from serious problems.

<html>
<script>
var docElement = document.documentElement;

function crash() {
    iframe1 = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
    iframe1.setAttribute("srcdoc", "ABC");
    docElement.appendChild(iframe1);
    document1 = document.implementation.createDocument("", null);
    iframe1.addEventListener("DOMFocusOut", function () {
        document1.adoptNode(iframe1);
    }, false);
    iframe1.focus();
    setTimeout("finish();", 0);
}

function finish() {
    document.designMode = "on";
    range1 = document.createRange();
    range1.selectNodeContents(iframe1.contentDocument);
    window.getSelection().addRange(range1);
}

document.addEventListener("DOMContentLoaded", crash, false);
</script>
</html>

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff42dfe4a in WebCore::comparePositions (a=..., b=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/htmlediting.cpp:79
#2  0x00007ffff4322ad6 in WebCore::VisibleSelection::toNormalizedRange (this=0x7cfab8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/VisibleSelection.cpp:173
#3  0x00007ffff3b6868f in WebCore::FrameSelection::toNormalizedRange (this=0x7cfa90) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/FrameSelection.h:205
#4  0x00007ffff3b6fe85 in WebCore::EditorClientQt::respondToChangedSelection (this=0x765660, frame=0x7d14b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WebCoreSupport/EditorClientQt.cpp:207
#5  0x00007ffff42bf2c5 in WebCore::Editor::notifyComponentsOnChangedSelection (this=0x7cf930, oldSelection=..., options=6) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:533
#6  0x00007ffff42cbdea in WebCore::Editor::respondToChangedSelection (this=0x7cf930, oldSelection=..., options=6) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:3042
#7  0x00007ffff42d7ef7 in WebCore::FrameSelection::setSelection (this=0x7cfa90, newSelection=..., options=6, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/FrameSelection.cpp:329
#8  0x00007ffff42ddce3 in WebCore::FrameSelection::selectFrameElementInParentIfFullySelected (this=0x8b41f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/FrameSelection.cpp:1630
#9  0x00007ffff42d7eb8 in WebCore::FrameSelection::setSelection (this=0x8b41f0, newSelection=..., options=6, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/FrameSelection.cpp:327
#10 0x00007ffff42d7ce7 in WebCore::FrameSelection::setSelection (this=0x7cfa90, newSelection=..., options=6, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/FrameSelection.cpp:283
#11 0x00007ffff4622357 in WebCore::DOMSelection::addRange (this=0x922150, r=0x9488a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/DOMSelection.cpp:395
#12 0x00007ffff502f2b2 in WebCore::jsDOMSelectionPrototypeFunctionAddRange (exec=0x7fff941e20e8) at generated/JSDOMSelection.cpp:439
#13 0x00007fff9ffff0e5 in ?? ()
#14 0x00007fffffffbfa0 in ?? ()
#15 0x00007ffff679ffa2 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5
#16 0x00007fff941e2058 in ?? ()
#17 0x00000000007d0e98 in ?? ()
#18 0x00007fffffffbf60 in ?? ()
#19 0x00007ffff5506ba3 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#20 0x00007ffff551752c in JSC::JITCode::execute (this=0x932510, stack=0x7d0e98, callFrame=0x7fff941e2058, vm=0x815ab0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46
#21 0x00007ffff5503419 in JSC::Interpreter::execute (this=0x7d0e80, program=0x7fff9c03fe70, callFrame=0x7fffe407efe0, thisObj=0x7fffe40bffd8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:766
#22 0x00007ffff55e1e92 in JSC::evaluate (exec=0x7fffe407efe0, source=..., thisValue=..., returnedException=0x7fffffffcc90) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:83
#23 0x00007ffff3f4f00d in WebCore::JSMainThreadExecState::evaluate (exec=0x7fffe407efe0, source=..., thisValue=..., exception=0x7fffffffcc90) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSMainThreadExecState.h:74
#24 0x00007ffff3f6da56 in WebCore::ScriptController::evaluateInWorld (this=0x7cf840, sourceCode=..., world=0x78a8b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScriptController.cpp:142
#25 0x00007ffff3f6eef5 in WebCore::ScriptController::executeScriptInWorld (this=0x7cf840, world=0x78a8b0, script=..., forceUserGesture=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScriptController.cpp:466
#26 0x00007ffff3f66ffe in WebCore::ScheduledAction::execute (this=0x935680, document=0x958860) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScheduledAction.cpp:134
#27 0x00007ffff3f66b7b in WebCore::ScheduledAction::execute (this=0x935680, context=0x958910) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScheduledAction.cpp:80
#28 0x00007ffff462380c in WebCore::DOMTimer::fired (this=0x8ec900) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/DOMTimer.cpp:141
#29 0x00007ffff47a4a06 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x6ef760) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ThreadTimers.cpp:129
#30 0x00007ffff47a48f3 in WebCore::ThreadTimers::sharedTimerFired () at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ThreadTimers.cpp:105
#31 0x00007ffff4aabd3e in WebCore::SharedTimerQt::timerEvent (this=0x6ef7b0, ev=0x7fffffffd5b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/qt/SharedTimerQt.cpp:113
#32 0x00007ffff21e766c in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#33 0x00007ffff302ddbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#34 0x00007ffff3031075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#35 0x00007ffff21c1dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#36 0x00007ffff220875c in QTimerInfoList::activateTimers() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#37 0x00007ffff2209094 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#38 0x00007fffee34a2d6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3065
#39 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3641
#40 0x00007fffee34a628 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3712
#41 0x00007fffee34a6cc in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3773
#42 0x00007ffff22094bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#43 0x00007ffff21c0d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#44 0x00007ffff21c4120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#45 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
#46 0x0000000000423680 in main (argc=2, argv=0x7fffffffdb18) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Attachments
Test case (759 bytes, text/html)
2013-09-03 02:36 PDT, Renata Hodovan
no flags
Brent Fulgham
Comment 1 2016-08-03 12:36:31 PDT
I am unable to reproduce this problem under r204037 under GuardMalloc or ASAN. If you believe this is still an issue, could you please reopen the bug with a revised test case?