RESOLVED FIXED Bug 121791
ASSERTION FAILED: comparePositions(newEnd, newStart) >= 0 in WebCore::ApplyStyleCommand::updateStartEnd
https://bugs.webkit.org/show_bug.cgi?id=121791
Summary ASSERTION FAILED: comparePositions(newEnd, newStart) >= 0 in WebCore::ApplySt...
Renata Hodovan
Reported 2013-09-23 09:35:57 PDT
Created attachment 212356 [details] Test case The failing test: <button> <iframe onload="{ document.designMode=&apos;on&apos;; document.execCommand(&apos;selectall&apos;); document.execCommand(&apos;RemoveFormat&apos;); } "></iframe> </button> The backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342 342 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342 #1 0x00007ffff428e365 in WebCore::ApplyStyleCommand::updateStartEnd (this=0x8efe00, newStart=..., newEnd=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:189 #2 0x00007ffff428f0f1 in WebCore::ApplyStyleCommand::applyBlockStyle (this=0x8efe00, style=0x8ef900) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:304 #3 0x00007ffff428e614 in WebCore::ApplyStyleCommand::doApply (this=0x8efe00) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:223 #4 0x00007ffff429e0fe in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x8ce680, prpCommand=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:267 #5 0x00007ffff42fc83d in WebCore::RemoveFormatCommand::doApply (this=0x8ce680) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveFormatCommand.cpp:96 #6 0x00007ffff429dec6 in WebCore::CompositeEditCommand::apply (this=0x8ce680) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:216 #7 0x00007ffff429dc4e in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:172 #8 0x00007ffff42bf96c in WebCore::Editor::removeFormattingAndStyle (this=0x7e4d00) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:684 #9 0x00007ffff42d1792 in WebCore::executeRemoveFormat (frame=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:974 #10 0x00007ffff42d32d2 in WebCore::Editor::Command::execute (this=0x7fffffffa240, parameter=..., triggeringEvent=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1709 #11 0x00007ffff41a1ed6 in WebCore::Document::execCommand (this=0x8b5930, commandName=..., userInterface=false, value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4172 #12 0x00007ffff4ebfb12 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff8abfe0a8) at generated/JSDocument.cpp:2763 #13 0x00007fff9ffff0e5 in ?? () #14 0x00007fffffffa3e0 in ?? () #15 0x00007ffff679ffa2 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5 #16 0x00007fff8abfe060 in ?? () #17 0x00000000007aa108 in ?? () #18 0x00007fffffffa3a0 in ?? () #19 0x00007ffff5506ba3 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212 #20 0x00007ffff551752c in JSC::JITCode::execute (this=0x8f5370, stack=0x7aa108, callFrame=0x7fff8abfe060, vm=0x82afe0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46 #21 0x00007ffff5503a02 in JSC::Interpreter::executeCall (this=0x7aa0f0, callFrame=0x7fff9c0df9e0, function=0x7fff9c03e5f0, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:841 #22 0x00007ffff55d58b7 in JSC::call (exec=0x7fff9c0df9e0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CallData.cpp:39 #23 0x00007ffff3f118bf in WebCore::JSMainThreadExecState::call (exec=0x7fff9c0df9e0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSMainThreadExecState.h:53 #24 0x00007ffff3f40c6d in WebCore::JSEventListener::handleEvent (this=0x8ee610, scriptExecutionContext=0x8b59e0, event=0x8e8cb0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSEventListener.cpp:130 #25 0x00007ffff420f7aa in WebCore::EventTarget::fireEventListeners (this=0x8e3fe0, event=0x8e8cb0, d=0x8f17c0, entry=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.cpp:271 #26 0x00007ffff420f4c7 in WebCore::EventTarget::fireEventListeners (this=0x8e3fe0, event=0x8e8cb0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.cpp:227 #27 0x00007ffff423b79b in WebCore::Node::handleLocalEvents (this=0x8e3fe0, event=0x8e8cb0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2097 #28 0x00007ffff4201d54 in WebCore::EventContext::handleLocalEvents (this=0x8e8730, event=0x8e8cb0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventContext.cpp:58 #29 0x00007ffff4203c33 in WebCore::EventDispatcher::dispatchEventAtTarget (this=0x7fffffffaa20) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:161 #30 0x00007ffff42038f0 in WebCore::EventDispatcher::dispatch (this=0x7fffffffaa20) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:118 #31 0x00007ffff4202715 in WebCore::EventDispatchMediator::dispatchEvent (this=0x8cd300, dispatcher=0x7fffffffaa20) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatchMediator.cpp:54 ---Type <return> to continue, or q <return> to quit--- #32 0x00007ffff4202e9d in WebCore::EventDispatcher::dispatchEvent (node=0x8e3fe0, mediator=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:52 #33 0x00007ffff423b9b0 in WebCore::Node::dispatchEvent (this=0x8e3fe0, event=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2118 #34 0x00007ffff462bc41 in WebCore::DOMWindow::dispatchLoadEvent (this=0x8cb4d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/DOMWindow.cpp:1714 #35 0x00007ffff41a03c0 in WebCore::Document::dispatchWindowLoadEvent (this=0x9237e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:3639 #36 0x00007ffff419ba6b in WebCore::Document::implicitClose (this=0x9237e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2419 #37 0x00007ffff45a08af in WebCore::FrameLoader::checkCallImplicitClose (this=0x782710) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:848 #38 0x00007ffff45a0620 in WebCore::FrameLoader::checkCompleted (this=0x782710) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:791 #39 0x00007ffff45a0355 in WebCore::FrameLoader::finishedParsing (this=0x782710) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:724 #40 0x00007ffff41a2c9b in WebCore::Document::finishedParsing (this=0x9237e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4437 #41 0x00007ffff43f6273 in WebCore::HTMLConstructionSite::finishedParsing (this=0x921ca8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:352 #42 0x00007ffff442a989 in WebCore::HTMLTreeBuilder::finished (this=0x921c90) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2912 #43 0x00007ffff43fd99e in WebCore::HTMLDocumentParser::end (this=0x910fa0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:763 #44 0x00007ffff43fda89 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x910fa0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:774 #45 0x00007ffff43fc5f8 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x910fa0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:211 #46 0x00007ffff43fdace in WebCore::HTMLDocumentParser::attemptToEnd (this=0x910fa0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:786 #47 0x00007ffff43fdb87 in WebCore::HTMLDocumentParser::finish (this=0x910fa0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:835 #48 0x00007ffff45980ab in WebCore::DocumentWriter::end (this=0x910470) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:244 #49 0x00007ffff458ab61 in WebCore::DocumentLoader::finishedLoading (this=0x9103d0, finishTime=380473.38665969402) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:407 #50 0x00007ffff458e738 in WebCore::DocumentLoader::maybeLoadEmpty (this=0x9103d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:1348 #51 0x00007ffff458e857 in WebCore::DocumentLoader::startLoadingMainResource (this=0x9103d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:1360 #52 0x00007ffff45a6c86 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x782710) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2229 #53 0x00007ffff45a98de in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x782710, formState=..., shouldContinue=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2883 #54 0x00007ffff45a8df7 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy (argument=0x782710, request=..., formState=..., shouldContinue=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:2713 #55 0x00007ffff45c220b in WebCore::PolicyCallback::call (this=0x7fffffffb670, shouldContinue=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/PolicyCallback.cpp:103 #56 0x00007ffff45c33a2 in WebCore::PolicyChecker::continueAfterNavigationPolicy (this=0x82ab30, policy=WebCore::PolicyUse) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/PolicyChecker.cpp:180 #57 0x00007ffff3b764b4 in WebCore::FrameLoaderClientQt::callPolicyFunction (this=0x8ce050, function= (void (WebCore::PolicyChecker::*)(WebCore::PolicyChecker * const, WebCore::PolicyAction)) 0x7ffff45c3138 <WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction)>, action=WebCore::PolicyUse) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp:246 #58 0x00007ffff3b7c3c6 in WebCore::FrameLoaderClientQt::dispatchDecidePolicyForNavigationAction (this=0x8ce050, function= (void (WebCore::PolicyChecker::*)(WebCore::PolicyChecker * const, WebCore::PolicyAction)) 0x7ffff45c3138 <WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction)>, action=..., request=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp:1282 #59 0x00007ffff45c2c7d in WebCore::PolicyChecker::checkNavigationPolicy (this=0x82ab30, request=..., loader=0x9103d0, formState=..., function=0x7ffff45a8da8 <WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>, argument=0x782710) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/PolicyChecker.cpp:99 #60 0x00007ffff45a36ce in WebCore::FrameLoader::loadWithDocumentLoader (this=0x782710, loader=0x9103d0, type=WebCore::FrameLoadTypeRedirectWithLockedBackForwardList, prpFormState=...) ---Type <return> to continue, or q <return> to quit--- at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1421 #61 0x00007ffff45a2f4f in WebCore::FrameLoader::loadWithNavigationAction (this=0x782710, request=..., action=..., lockHistory=false, type=WebCore::FrameLoadTypeRedirectWithLockedBackForwardList, formState=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1325 #62 0x00007ffff45a251d in WebCore::FrameLoader::loadURL (this=0x782710, newURL=..., referrer=..., frameName=..., lockHistory=false, newLoadType=WebCore::FrameLoadTypeRedirectWithLockedBackForwardList, event=..., prpFormState=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:1260 #63 0x00007ffff45a0b42 in WebCore::FrameLoader::loadURLIntoChildFrame (this=0x7e5250, url=..., referer=..., childFrame=0x782680) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:876 #64 0x00007ffff3b7c834 in WebCore::FrameLoaderClientQt::createFrame (this=0x776fa0, url=..., name=..., ownerElement=0x8e3fe0, referrer=..., allowsScrolling=true, marginWidth=-1, marginHeight=-1) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp:1327 #65 0x00007ffff45d2e59 in WebCore::SubframeLoader::loadSubframe (this=0x7e5278, ownerElement=0x8e3fe0, url=..., name=..., referrer=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubframeLoader.cpp:361 #66 0x00007ffff45d2c0d in WebCore::SubframeLoader::loadOrRedirectSubframe (this=0x7e5278, ownerElement=0x8e3fe0, url=..., frameName=..., lockHistory=true, lockBackForwardList=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubframeLoader.cpp:335 #67 0x00007ffff45d18be in WebCore::SubframeLoader::requestFrame (this=0x7e5278, ownerElement=0x8e3fe0, urlString=..., frameName=..., lockHistory=true, lockBackForwardList=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubframeLoader.cpp:89 #68 0x00007ffff438d38e in WebCore::HTMLFrameElementBase::openURL (this=0x8e3fe0, lockHistory=true, lockBackForwardList=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameElementBase.cpp:89 #69 0x00007ffff438d888 in WebCore::HTMLFrameElementBase::setNameAndOpenURL (this=0x8e3fe0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameElementBase.cpp:142 #70 0x00007ffff438d953 in WebCore::HTMLFrameElementBase::didNotifySubtreeInsertions (this=0x8e3fe0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameElementBase.cpp:173 #71 0x00007ffff41848e0 in WebCore::ChildNodeInsertionNotifier::notify (this=0x7fffffffc6b0, node=0x8e3fe0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.h:233 #72 0x00007ffff4187833 in WebCore::ContainerNode::parserAppendChild (this=0x7acf10, newChild=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:730 #73 0x00007ffff43f4e10 in WebCore::executeTask (task=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:97 #74 0x00007ffff43f5249 in WebCore::HTMLConstructionSite::executeQueuedTasks (this=0x7e29e8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:150 #75 0x00007ffff441e6d0 in WebCore::HTMLTreeBuilder::constructTree (this=0x7e29d0, token=0x7fffffffc7e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:368 #76 0x00007ffff43fd322 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x7ab310, rawToken=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:597 #77 0x00007ffff43fcf57 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x7ab310, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:551 #78 0x00007ffff43fc71f in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x7ab310, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:235 #79 0x00007ffff43fd8be in WebCore::HTMLDocumentParser::append (this=0x7ab310, inputSource=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:747 #80 0x00007ffff418dc07 in WebCore::DecodedDataDocumentParser::flush (this=0x7ab310, writer=0x699490) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/DecodedDataDocumentParser.cpp:60 #81 0x00007ffff4598071 in WebCore::DocumentWriter::end (this=0x699490) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:241 #82 0x00007ffff458ab61 in WebCore::DocumentLoader::finishedLoading (this=0x6993f0, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:407 #83 0x00007ffff458a8ca in WebCore::DocumentLoader::notifyFinished (this=0x6993f0, resource=0x7c82a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:344 #84 0x00007ffff4571afe in WebCore::CachedResource::checkNotify (this=0x7c82a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369 #85 0x00007ffff4571bd4 in WebCore::CachedResource::finishLoading (this=0x7c82a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385 #86 0x00007ffff456e326 in WebCore::CachedRawResource::finishLoading (this=0x7c82a0, data=0x7ce470) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94 ---Type <return> to continue, or q <return> to quit--- #87 0x00007ffff45d4a15 in WebCore::SubresourceLoader::didFinishLoading (this=0x772d40, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:282 #88 0x00007ffff45cb33b in WebCore::ResourceLoader::didFinishLoading (this=0x772d40, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:488 #89 0x00007ffff4a86713 in WebCore::QNetworkReplyHandler::finish (this=0x7ca2d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516 #90 0x00007ffff4a85432 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x7ca308) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250 #91 0x00007ffff4a8512f in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x7ca308, method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4a86558 <WebCore::QNetworkReplyHandler::finish()>) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216 #92 0x00007ffff4a8607c in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x7dc550) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409 #93 0x00007ffff4a88a0e in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x7dc550, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffce30) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:176 #94 0x00007ffff21e65cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #95 0x00007ffff21e784e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #96 0x00007ffff302ddbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5 #97 0x00007ffff3031075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5 #98 0x00007ffff21c1dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #99 0x00007ffff21c3a76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #100 0x00007ffff2209333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #101 0x00007fffee34a3c6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3065 #102 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3641 #103 0x00007fffee34a718 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3712 #104 0x00007fffee34a7bc in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.7/./glib/gmain.c:3773 #105 0x00007ffff22094bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #106 0x00007ffff21c0d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #107 0x00007ffff21c4120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #108 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49 #109 0x0000000000423680 in main (argc=2, argv=0x7fffffffdb08) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Attachments
Test case (260 bytes, text/html)
2013-09-23 09:35 PDT, Renata Hodovan
no flags
Proposed patch (4.91 KB, patch)
2013-10-01 02:04 PDT, Renata Hodovan
kling: review-
rhodovan.u-szeged: commit-queue-
Proposed patch (4.80 KB, patch)
2014-02-11 02:26 PST, Renata Hodovan
darin: review-
darin: commit-queue-
Proposed patch (4.79 KB, patch)
2014-02-12 09:57 PST, Renata Hodovan
no flags
Archive of layout-test-results from webkit-ews-13 for mac-mountainlion-wk2 (685.55 KB, application/zip)
2014-02-12 11:44 PST, Build Bot
no flags
Proposed patch (5.07 KB, patch)
2014-02-13 05:53 PST, Renata Hodovan
no flags
Proposed patch (5.54 KB, patch)
2014-02-13 16:17 PST, Renata Hodovan
no flags
Renata Hodovan
Comment 1 2013-10-01 02:04:42 PDT
Created attachment 213064 [details] Proposed patch I do not have a well enough understanding of what is going on here to be sure the fix is correct, but it seems that TextIterator::handleReplacedElement() emitts an ',' character in TextIterator::handleReplacedElement() (because of the button element) and due to this the endRange of selection will be determined as endContainer + endOffset instead of startContainer + startOffset, what causes that the of startPosition of endRange will be bigger at the assertion than the startPostion of startRange.
Renata Hodovan
Comment 2 2013-10-25 02:51:04 PDT
Could anybody take a look at this, please?
Renata Hodovan
Comment 3 2013-11-08 05:26:21 PST
Could anybody take a look at this, please?
Renata Hodovan
Comment 4 2013-12-02 01:22:15 PST
Anybody? :)
Andreas Kling
Comment 5 2014-02-05 17:46:05 PST
Comment on attachment 213064 [details] Proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=213064&action=review > LayoutTests/ChangeLog:8 > + * editing/execCommand/remove-formatting-from-iframe-in-button.html: Added. This should be a dumpAsText test. > LayoutTests/ChangeLog:9 > + * platform/qt/editing/execCommand/remove-formatting-from-iframe-in-button-expected.txt: Added. There is no Qt port anymore. > Source/WebCore/editing/TextIterator.cpp:2433 > // FIXME: This is a workaround for the fact that the end of a run is often at the wrong > // position for emitted '\n's. > - if (len == 1 && it.characterAt(0) == '\n') { > + if (len == 1 && (it.characterAt(0) == '\n' || it.characterAt(0) == ',')) { I don't know this code well enough to tell if the change is correct, but it looks to me like you are bringing the code out of sync with the preceding FIXME.
Renata Hodovan
Comment 6 2014-02-11 02:26:18 PST
Created attachment 223831 [details] Proposed patch Updating the previous patch according to Andreas review.
Darin Adler
Comment 7 2014-02-11 07:49:47 PST
Comment on attachment 223831 [details] Proposed patch It is not right to check for a comma. It could be an actual comma.
Renata Hodovan
Comment 8 2014-02-11 08:11:02 PST
(In reply to comment #7) > (From update of attachment 223831 [details]) > It is not right to check for a comma. It could be an actual comma. Even if there is only one character in the given range? If so, can you give me some hints how to fix this issue?
Darin Adler
Comment 9 2014-02-11 08:51:47 PST
(In reply to comment #8) > (In reply to comment #7) > > It is not right to check for a comma. It could be an actual comma. > > Even if there is only one character in the given range? Sure. If you have this <span>,</span> then you’ll get a range with 1 character that is a coma. > If so, can you give me some hints how to fix this issue? The real problem here is the very strange TextIteratorEmitsCharactersBetweenAllVisiblePositions, which emits characters that are not real characters. At some point someone needs to think through how that really can work. It was supposed to be a temporary workaround and it’s getting harder and harder to ever remove it! I worry a bit that this we are piling one hack on top of another and making TextIterator harder and harder to maintain. However, if we do want to correctly code this patch, then to properly detect that the text is placeholder text from a replaced element, a correct way to do that would be to get the node by calling TextIterator::node(), then check that the node is a replaced element. To match how the TextIterator already does it, we’d call isRendererReplacedElement on the node. Another alternative would be to add a function to TextIterator itself to indicate that the current text simply extra text for the “emit characters between all visible positions” feature. That would be pretty ugly but might be slightly more efficient since it avoids repeating the logic that defines what a replaced element is.
Darin Adler
Comment 10 2014-02-11 08:52:09 PST
Comment on attachment 223831 [details] Proposed patch Test case is OK, but bug fix is wrong.
Renata Hodovan
Comment 11 2014-02-12 09:57:12 PST
Created attachment 223977 [details] Proposed patch Updated fix according to the first suggestion of Darin.
Build Bot
Comment 12 2014-02-12 11:44:29 PST
Comment on attachment 223977 [details] Proposed patch Attachment 223977 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.appspot.com/results/4534601976381440 New failing tests: editing/execCommand/5481523.html editing/execCommand/5658933-1.html editing/execCommand/indent-right-after-table.html editing/execCommand/format-block-at-root.html editing/style/table-selection.html editing/execCommand/format-block-table.html
Build Bot
Comment 13 2014-02-12 11:44:32 PST
Created attachment 223986 [details] Archive of layout-test-results from webkit-ews-13 for mac-mountainlion-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: webkit-ews-13 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.5
Darin Adler
Comment 14 2014-02-12 16:13:14 PST
Comment on attachment 223977 [details] Proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=223977&action=review > Source/WebCore/editing/TextIterator.cpp:2482 > + // position for emitted '\n's and ','s (in case of the replaced elements). Comment should not mention "," specifically.
Renata Hodovan
Comment 15 2014-02-13 05:53:10 PST
Created attachment 224061 [details] Proposed patch Fixing the crashes caused by the previous version.
Darin Adler
Comment 16 2014-02-13 09:56:08 PST
Comment on attachment 224061 [details] Proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=224061&action=review > Source/WebCore/editing/TextIterator.cpp:2489 > + // position for emitted '\n's or if the renderer of the current node is a replaced element. > + bool isReplacedElement = false; > + Node* node = it.node(); > + if (node) { > + RenderObject* renderer = node->renderer(); > + if (renderer) > + isReplacedElement = isRendererReplacedElement(renderer); > + } It seems a shame to do this work when len is not 1. I suggest making an inline helper function to do this so the code only runs when needed. Maybe like this: static inline bool isInsideReplacedElement(TextIterator& iterator) { ASSERT(!iterator.atEnd()); ASSERT(iterator.length() == 1); Node* node = iterator.node(); if (!node) return false; auto* renderer = node->renderer(); return renderer & isRendererReplacedElement(*renderer); } Then: if (len == 1 && (it.characterAt(0) == '\n' || isInsideReplacedElement(it)))
Renata Hodovan
Comment 17 2014-02-13 16:17:28 PST
Created attachment 224126 [details] Proposed patch
WebKit Commit Bot
Comment 18 2014-02-14 09:35:56 PST
Comment on attachment 224126 [details] Proposed patch Clearing flags on attachment: 224126 Committed r164104: <http://trac.webkit.org/changeset/164104>
WebKit Commit Bot
Comment 19 2014-02-14 09:36:01 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.