121791 – ASSERTION FAILED: comparePositions(newEnd, newStart) >= 0 in WebCore::ApplyStyleCommand::updateStartEnd

Bug 121791 - ASSERTION FAILED: comparePositions(newEnd, newStart) >= 0 in WebCore::ApplyStyleCommand::updateStartEnd

Summary: ASSERTION FAILED: comparePositions(newEnd, newStart) >= 0 in WebCore::ApplySt...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	HTML Editing (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Renata Hodovan

URL:
Keywords:

Depends on:
Blocks:	116980
	Show dependency tree / graph

Reported:	2013-09-23 09:35 PDT by Renata Hodovan
Modified:	2014-02-14 09:36 PST (History)
CC List:	12 users (show)

See Also:

Attachments
Test case (260 bytes, text/html) 2013-09-23 09:35 PDT, Renata Hodovan	no flags	Details
Proposed patch (4.91 KB, patch) 2013-10-01 02:04 PDT, Renata Hodovan	kling: review- rhodovan.u-szeged: commit-queue-	Details \| Formatted Diff \| Diff
Proposed patch (4.80 KB, patch) 2014-02-11 02:26 PST, Renata Hodovan	darin: review- darin: commit-queue-	Details \| Formatted Diff \| Diff
Proposed patch (4.79 KB, patch) 2014-02-12 09:57 PST, Renata Hodovan	no flags	Details \| Formatted Diff \| Diff
Archive of layout-test-results from webkit-ews-13 for mac-mountainlion-wk2 (685.55 KB, application/zip) 2014-02-12 11:44 PST, Build Bot	no flags	Details
Proposed patch (5.07 KB, patch) 2014-02-13 05:53 PST, Renata Hodovan	no flags	Details \| Formatted Diff \| Diff
Proposed patch (5.54 KB, patch) 2014-02-13 16:17 PST, Renata Hodovan	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (5) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Renata Hodovan 2013-09-23 09:35:57 PDT

Created attachment 212356 [details]
Test case

The failing test:

<button>
    <iframe onload="{     document.designMode=&apos;on&apos;;
                          document.execCommand(&apos;selectall&apos;);
                          document.execCommand(&apos;RemoveFormat&apos;);
                    } "></iframe>
</button>


The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff428e365 in WebCore::ApplyStyleCommand::updateStartEnd (this=0x8efe00, newStart=..., newEnd=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:189
#2  0x00007ffff428f0f1 in WebCore::ApplyStyleCommand::applyBlockStyle (this=0x8efe00, style=0x8ef900)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:304
#3  0x00007ffff428e614 in WebCore::ApplyStyleCommand::doApply (this=0x8efe00)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:223
#4  0x00007ffff429e0fe in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x8ce680, prpCommand=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:267
#5  0x00007ffff42fc83d in WebCore::RemoveFormatCommand::doApply (this=0x8ce680)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveFormatCommand.cpp:96
#6  0x00007ffff429dec6 in WebCore::CompositeEditCommand::apply (this=0x8ce680)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:216
#7  0x00007ffff429dc4e in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:172
#8  0x00007ffff42bf96c in WebCore::Editor::removeFormattingAndStyle (this=0x7e4d00) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:684
#9  0x00007ffff42d1792 in WebCore::executeRemoveFormat (frame=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:974
#10 0x00007ffff42d32d2 in WebCore::Editor::Command::execute (this=0x7fffffffa240, parameter=..., triggeringEvent=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1709
#11 0x00007ffff41a1ed6 in WebCore::Document::execCommand (this=0x8b5930, commandName=..., userInterface=false, value=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4172
#12 0x00007ffff4ebfb12 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff8abfe0a8) at generated/JSDocument.cpp:2763
#13 0x00007fff9ffff0e5 in ?? ()
#14 0x00007fffffffa3e0 in ?? ()
#15 0x00007ffff679ffa2 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5
#16 0x00007fff8abfe060 in ?? ()
#17 0x00000000007aa108 in ?? ()
#18 0x00007fffffffa3a0 in ?? ()
#19 0x00007ffff5506ba3 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#20 0x00007ffff551752c in JSC::JITCode::execute (this=0x8f5370, stack=0x7aa108, callFrame=0x7fff8abfe060, vm=0x82afe0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46
#21 0x00007ffff5503a02 in JSC::Interpreter::executeCall (this=0x7aa0f0, callFrame=0x7fff9c0df9e0, function=0x7fff9c03e5f0, callType=JSC::CallTypeJS, 
    callData=..., thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:841
#22 0x00007ffff55d58b7 in JSC::call (exec=0x7fff9c0df9e0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CallData.cpp:39
#23 0x00007ffff3f118bf in WebCore::JSMainThreadExecState::call (exec=0x7fff9c0df9e0, functionObject=..., callType=JSC::CallTypeJS, callData=..., 
    thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSMainThreadExecState.h:53
#24 0x00007ffff3f40c6d in WebCore::JSEventListener::handleEvent (this=0x8ee610, scriptExecutionContext=0x8b59e0, event=0x8e8cb0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSEventListener.cpp:130
#25 0x00007ffff420f7aa in WebCore::EventTarget::fireEventListeners (this=0x8e3fe0, event=0x8e8cb0, d=0x8f17c0, entry=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.cpp:271
#26 0x00007ffff420f4c7 in WebCore::EventTarget::fireEventListeners (this=0x8e3fe0, event=0x8e8cb0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.cpp:227
#27 0x00007ffff423b79b in WebCore::Node::handleLocalEvents (this=0x8e3fe0, event=0x8e8cb0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2097
#28 0x00007ffff4201d54 in WebCore::EventContext::handleLocalEvents (this=0x8e8730, event=0x8e8cb0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventContext.cpp:58
#29 0x00007ffff4203c33 in WebCore::EventDispatcher::dispatchEventAtTarget (this=0x7fffffffaa20)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:161
#30 0x00007ffff42038f0 in WebCore::EventDispatcher::dispatch (this=0x7fffffffaa20)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:118
#31 0x00007ffff4202715 in WebCore::EventDispatchMediator::dispatchEvent (this=0x8cd300, dispatcher=0x7fffffffaa20)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatchMediator.cpp:54
---Type <return> to continue, or q <return> to quit---
#32 0x00007ffff4202e9d in WebCore::EventDispatcher::dispatchEvent (node=0x8e3fe0, mediator=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:52
#33 0x00007ffff423b9b0 in WebCore::Node::dispatchEvent (this=0x8e3fe0, event=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2118
#34 0x00007ffff462bc41 in WebCore::DOMWindow::dispatchLoadEvent (this=0x8cb4d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/DOMWindow.cpp:1714
#35 0x00007ffff41a03c0 in WebCore::Document::dispatchWindowLoadEvent (this=0x9237e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:3639
#36 0x00007ffff419ba6b in WebCore::Document::implicitClose (this=0x9237e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2419
#37 0x00007ffff45a08af in WebCore::FrameLoader::checkCallImplicitClose (this=0x782710)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:848
#38 0x00007ffff45a0620 in WebCore::FrameLoader::checkCompleted (this=0x782710) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:791
#39 0x00007ffff45a0355 in WebCore::FrameLoader::finishedParsing (this=0x782710) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:724
#40 0x00007ffff41a2c9b in WebCore::Document::finishedParsing (this=0x9237e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4437
#41 0x00007ffff43f6273 in WebCore::HTMLConstructionSite::finishedParsing (this=0x921ca8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:352
#42 0x00007ffff442a989 in WebCore::HTMLTreeBuilder::finished (this=0x921c90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2912
#43 0x00007ffff43fd99e in WebCore::HTMLDocumentParser::end (this=0x910fa0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:763
#44 0x00007ffff43fda89 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x910fa0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:774
#45 0x00007ffff43fc5f8 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x910fa0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:211
#46 0x00007ffff43fdace in WebCore::HTMLDocumentParser::attemptToEnd (this=0x910fa0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:786
#47 0x00007ffff43fdb87 in WebCore::HTMLDocumentParser::finish (this=0x910fa0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:835
#48 0x00007ffff45980ab in WebCore::DocumentWriter::end (this=0x910470) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:244
#49 0x00007ffff458ab61 in WebCore::DocumentLoader::finishedLoading (this=0x9103d0, finishTime=380473.38665969402)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:407
#50 0x00007ffff458e738 in WebCore::DocumentLoader::maybeLoadEmpty (this=0x9103d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:1348
#51 0x00007ffff458e857 in WebCore::DocumentLoader::startLoadingMainResource (this=0x9103d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:1360
#52 0x00007ffff45a6c86 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x782710)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2229
#53 0x00007ffff45a98de in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x782710, formState=..., shouldContinue=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2883
#54 0x00007ffff45a8df7 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy (argument=0x782710, request=..., formState=..., shouldContinue=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2713
#55 0x00007ffff45c220b in WebCore::PolicyCallback::call (this=0x7fffffffb670, shouldContinue=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/PolicyCallback.cpp:103
#56 0x00007ffff45c33a2 in WebCore::PolicyChecker::continueAfterNavigationPolicy (this=0x82ab30, policy=WebCore::PolicyUse)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/PolicyChecker.cpp:180
#57 0x00007ffff3b764b4 in WebCore::FrameLoaderClientQt::callPolicyFunction (this=0x8ce050, function=
    (void (WebCore::PolicyChecker::*)(WebCore::PolicyChecker * const, WebCore::PolicyAction)) 0x7ffff45c3138 <WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction)>, action=WebCore::PolicyUse) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp:246
#58 0x00007ffff3b7c3c6 in WebCore::FrameLoaderClientQt::dispatchDecidePolicyForNavigationAction (this=0x8ce050, function=
    (void (WebCore::PolicyChecker::*)(WebCore::PolicyChecker * const, WebCore::PolicyAction)) 0x7ffff45c3138 <WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction)>, action=..., request=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp:1282
#59 0x00007ffff45c2c7d in WebCore::PolicyChecker::checkNavigationPolicy (this=0x82ab30, request=..., loader=0x9103d0, formState=..., 
    function=0x7ffff45a8da8 <WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>, argument=0x782710) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/PolicyChecker.cpp:99
#60 0x00007ffff45a36ce in WebCore::FrameLoader::loadWithDocumentLoader (this=0x782710, loader=0x9103d0, 
    type=WebCore::FrameLoadTypeRedirectWithLockedBackForwardList, prpFormState=...)
---Type <return> to continue, or q <return> to quit---
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1421
#61 0x00007ffff45a2f4f in WebCore::FrameLoader::loadWithNavigationAction (this=0x782710, request=..., action=..., lockHistory=false, 
    type=WebCore::FrameLoadTypeRedirectWithLockedBackForwardList, formState=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1325
#62 0x00007ffff45a251d in WebCore::FrameLoader::loadURL (this=0x782710, newURL=..., referrer=..., frameName=..., lockHistory=false, 
    newLoadType=WebCore::FrameLoadTypeRedirectWithLockedBackForwardList, event=..., prpFormState=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1260
#63 0x00007ffff45a0b42 in WebCore::FrameLoader::loadURLIntoChildFrame (this=0x7e5250, url=..., referer=..., childFrame=0x782680)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:876
#64 0x00007ffff3b7c834 in WebCore::FrameLoaderClientQt::createFrame (this=0x776fa0, url=..., name=..., ownerElement=0x8e3fe0, referrer=..., 
    allowsScrolling=true, marginWidth=-1, marginHeight=-1) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp:1327
#65 0x00007ffff45d2e59 in WebCore::SubframeLoader::loadSubframe (this=0x7e5278, ownerElement=0x8e3fe0, url=..., name=..., referrer=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubframeLoader.cpp:361
#66 0x00007ffff45d2c0d in WebCore::SubframeLoader::loadOrRedirectSubframe (this=0x7e5278, ownerElement=0x8e3fe0, url=..., frameName=..., lockHistory=true, 
    lockBackForwardList=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubframeLoader.cpp:335
#67 0x00007ffff45d18be in WebCore::SubframeLoader::requestFrame (this=0x7e5278, ownerElement=0x8e3fe0, urlString=..., frameName=..., lockHistory=true, 
    lockBackForwardList=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubframeLoader.cpp:89
#68 0x00007ffff438d38e in WebCore::HTMLFrameElementBase::openURL (this=0x8e3fe0, lockHistory=true, lockBackForwardList=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameElementBase.cpp:89
#69 0x00007ffff438d888 in WebCore::HTMLFrameElementBase::setNameAndOpenURL (this=0x8e3fe0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameElementBase.cpp:142
#70 0x00007ffff438d953 in WebCore::HTMLFrameElementBase::didNotifySubtreeInsertions (this=0x8e3fe0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameElementBase.cpp:173
#71 0x00007ffff41848e0 in WebCore::ChildNodeInsertionNotifier::notify (this=0x7fffffffc6b0, node=0x8e3fe0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.h:233
#72 0x00007ffff4187833 in WebCore::ContainerNode::parserAppendChild (this=0x7acf10, newChild=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:730
#73 0x00007ffff43f4e10 in WebCore::executeTask (task=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:97
#74 0x00007ffff43f5249 in WebCore::HTMLConstructionSite::executeQueuedTasks (this=0x7e29e8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:150
#75 0x00007ffff441e6d0 in WebCore::HTMLTreeBuilder::constructTree (this=0x7e29d0, token=0x7fffffffc7e0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:368
#76 0x00007ffff43fd322 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x7ab310, rawToken=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:597
#77 0x00007ffff43fcf57 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x7ab310, mode=WebCore::HTMLDocumentParser::AllowYield)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:551
#78 0x00007ffff43fc71f in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x7ab310, mode=WebCore::HTMLDocumentParser::AllowYield)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:235
#79 0x00007ffff43fd8be in WebCore::HTMLDocumentParser::append (this=0x7ab310, inputSource=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:747
#80 0x00007ffff418dc07 in WebCore::DecodedDataDocumentParser::flush (this=0x7ab310, writer=0x699490)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
#81 0x00007ffff4598071 in WebCore::DocumentWriter::end (this=0x699490) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:241
#82 0x00007ffff458ab61 in WebCore::DocumentLoader::finishedLoading (this=0x6993f0, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:407
#83 0x00007ffff458a8ca in WebCore::DocumentLoader::notifyFinished (this=0x6993f0, resource=0x7c82a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:344
#84 0x00007ffff4571afe in WebCore::CachedResource::checkNotify (this=0x7c82a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#85 0x00007ffff4571bd4 in WebCore::CachedResource::finishLoading (this=0x7c82a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#86 0x00007ffff456e326 in WebCore::CachedRawResource::finishLoading (this=0x7c82a0, data=0x7ce470)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
---Type <return> to continue, or q <return> to quit---
#87 0x00007ffff45d4a15 in WebCore::SubresourceLoader::didFinishLoading (this=0x772d40, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:282
#88 0x00007ffff45cb33b in WebCore::ResourceLoader::didFinishLoading (this=0x772d40, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:488
#89 0x00007ffff4a86713 in WebCore::QNetworkReplyHandler::finish (this=0x7ca2d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#90 0x00007ffff4a85432 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x7ca308)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#91 0x00007ffff4a8512f in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x7ca308, 
    method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4a86558 <WebCore::QNetworkReplyHandler::finish()>)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#92 0x00007ffff4a8607c in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x7dc550)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#93 0x00007ffff4a88a0e in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x7dc550, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffce30)
    at .moc/release-shared/moc_QNetworkReplyHandler.cpp:176
#94 0x00007ffff21e65cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#95 0x00007ffff21e784e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#96 0x00007ffff302ddbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#97 0x00007ffff3031075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#98 0x00007ffff21c1dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#99 0x00007ffff21c3a76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#100 0x00007ffff2209333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#101 0x00007fffee34a3c6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3065
#102 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3641
#103 0x00007fffee34a718 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3712
#104 0x00007fffee34a7bc in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3773
#105 0x00007ffff22094bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#106 0x00007ffff21c0d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#107 0x00007ffff21c4120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#108 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
#109 0x0000000000423680 in main (argc=2, argv=0x7fffffffdb08) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318

Comment 1 Renata Hodovan 2013-10-01 02:04:42 PDT

Created attachment 213064 [details]
Proposed patch

I do not have a well enough understanding of what is going on here to be sure the fix is correct, but it seems that TextIterator::handleReplacedElement() emitts an ',' character in TextIterator::handleReplacedElement() (because of the button element) and due to this the endRange of selection will be determined as endContainer + endOffset instead of startContainer + startOffset, what causes that the of startPosition of endRange will be bigger at the assertion than the startPostion of startRange.

Comment 2 Renata Hodovan 2013-10-25 02:51:04 PDT

Could anybody take a look at this, please?

Comment 3 Renata Hodovan 2013-11-08 05:26:21 PST

Could anybody take a look at this, please?

Comment 4 Renata Hodovan 2013-12-02 01:22:15 PST

Anybody? :)

Comment 5 Andreas Kling 2014-02-05 17:46:05 PST

Comment on attachment 213064 [details]
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=213064&action=review

> LayoutTests/ChangeLog:8
> +        * editing/execCommand/remove-formatting-from-iframe-in-button.html: Added.

This should be a dumpAsText test.

> LayoutTests/ChangeLog:9
> +        * platform/qt/editing/execCommand/remove-formatting-from-iframe-in-button-expected.txt: Added.

There is no Qt port anymore.

> Source/WebCore/editing/TextIterator.cpp:2433
>              // FIXME: This is a workaround for the fact that the end of a run is often at the wrong
>              // position for emitted '\n's.
> -            if (len == 1 && it.characterAt(0) == '\n') {
> +            if (len == 1 && (it.characterAt(0) == '\n' || it.characterAt(0) == ',')) {

I don't know this code well enough to tell if the change is correct, but it looks to me like you are bringing the code out of sync with the preceding FIXME.

Comment 6 Renata Hodovan 2014-02-11 02:26:18 PST

Created attachment 223831 [details]
Proposed patch

Updating the previous patch according to Andreas review.

Comment 7 Darin Adler 2014-02-11 07:49:47 PST

Comment on attachment 223831 [details]
Proposed patch

It is not right to check for a comma. It could be an actual comma.

Comment 8 Renata Hodovan 2014-02-11 08:11:02 PST

(In reply to comment #7)
> (From update of attachment 223831 [details])
> It is not right to check for a comma. It could be an actual comma.

Even if there is only one character in the given range? If so, can you give me some hints how to fix this issue?

Comment 9 Darin Adler 2014-02-11 08:51:47 PST

(In reply to comment #8)
> (In reply to comment #7)
> > It is not right to check for a comma. It could be an actual comma.
> 
> Even if there is only one character in the given range?

Sure. If you have this <span>,</span> then you’ll get a range with 1 character that is a coma.

> If so, can you give me some hints how to fix this issue?

The real problem here is the very strange TextIteratorEmitsCharactersBetweenAllVisiblePositions, which emits characters that are not real characters. At some point someone needs to think through how that really can work. It was supposed to be a temporary workaround and it’s getting harder and harder to ever remove it!

I worry a bit that this we are piling one hack on top of another and making TextIterator harder and harder to maintain.

However, if we do want to correctly code this patch, then to properly detect that the text is placeholder text from a replaced element, a correct way to do that would be to get the node by calling TextIterator::node(), then check that the node is a replaced element. To match how the TextIterator already does it, we’d call isRendererReplacedElement on the node.

Another alternative would be to add a function to TextIterator itself to indicate that the current text simply extra text for the “emit characters between all visible positions” feature. That would be pretty ugly but might be slightly more efficient since it avoids repeating the logic that defines what a replaced element is.

Comment 10 Darin Adler 2014-02-11 08:52:09 PST

Comment on attachment 223831 [details]
Proposed patch

Test case is OK, but bug fix is wrong.

Comment 11 Renata Hodovan 2014-02-12 09:57:12 PST

Created attachment 223977 [details]
Proposed patch

Updated fix according to the first suggestion of Darin.

Comment 12 Build Bot 2014-02-12 11:44:29 PST

Comment on attachment 223977 [details]
Proposed patch

Attachment 223977 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/4534601976381440

New failing tests:
editing/execCommand/5481523.html
editing/execCommand/5658933-1.html
editing/execCommand/indent-right-after-table.html
editing/execCommand/format-block-at-root.html
editing/style/table-selection.html
editing/execCommand/format-block-table.html

Comment 13 Build Bot 2014-02-12 11:44:32 PST

Created attachment 223986 [details]
Archive of layout-test-results from webkit-ews-13 for mac-mountainlion-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-13  Port: mac-mountainlion-wk2  Platform: Mac OS X 10.8.5

Comment 14 Darin Adler 2014-02-12 16:13:14 PST

Comment on attachment 223977 [details]
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=223977&action=review

> Source/WebCore/editing/TextIterator.cpp:2482
> +            // position for emitted '\n's and ','s (in case of the replaced elements).

Comment should not mention "," specifically.

Comment 15 Renata Hodovan 2014-02-13 05:53:10 PST

Created attachment 224061 [details]
Proposed patch

Fixing the crashes caused by the previous version.

Comment 16 Darin Adler 2014-02-13 09:56:08 PST

Comment on attachment 224061 [details]
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=224061&action=review

> Source/WebCore/editing/TextIterator.cpp:2489
> +            // position for emitted '\n's or if the renderer of the current node is a replaced element.
> +            bool isReplacedElement = false;
> +            Node* node = it.node();
> +            if (node) {
> +                RenderObject* renderer = node->renderer();
> +                if (renderer)
> +                    isReplacedElement = isRendererReplacedElement(renderer);
> +            }

It seems a shame to do this work when len is not 1. I suggest making an inline helper function to do this so the code only runs when needed. Maybe like this:

    static inline bool isInsideReplacedElement(TextIterator& iterator)
    {
        ASSERT(!iterator.atEnd());
        ASSERT(iterator.length() == 1);
        Node* node = iterator.node();
        if (!node)
            return false;
        auto* renderer = node->renderer();
        return renderer & isRendererReplacedElement(*renderer);
    }

Then:

    if (len == 1 && (it.characterAt(0) == '\n' || isInsideReplacedElement(it)))

Comment 17 Renata Hodovan 2014-02-13 16:17:28 PST

Created attachment 224126 [details]
Proposed patch

Comment 18 WebKit Commit Bot 2014-02-14 09:35:56 PST

Comment on attachment 224126 [details]
Proposed patch

Clearing flags on attachment: 224126

Committed r164104: <http://trac.webkit.org/changeset/164104>

Comment 19 WebKit Commit Bot 2014-02-14 09:36:01 PST

All reviewed patches have been landed.  Closing bug.