Created attachment 215650 [details]
Test case

ASSERTION fail happens if we try to modify the read-only <hr> tag.

The test:

<hr style="-webkit-user-modify: read-only" >
<body onload="document.designMode='on'; document.execCommand('selectall'); document.execCommand('inserthtml', false);">
</body>

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342     *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff146ab1e in WebCore::Position::leadingWhitespacePosition (this=0x11d8b48, affinity=WebCore::DOWNSTREAM, considerNonCollapsibleWhitespace=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Position.cpp:1059
#2  0x00007ffff14d28b9 in WebCore::DeleteSelectionCommand::initializePositionData (this=0x11d8a10) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/DeleteSelectionCommand.cpp:229
#3  0x00007ffff14d6b47 in WebCore::DeleteSelectionCommand::doApply (this=0x11d8a10) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/DeleteSelectionCommand.cpp:832
#4  0x00007ffff14c297c in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1213920, prpCommand=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:264
#5  0x00007ffff14c4dfc in WebCore::CompositeEditCommand::deleteSelection (this=0x1213920, smartDelete=false, mergeBlocksAfterDelete=true, replace=true, expandForSpecialElements=false, sanitizeMarkup=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:582
#6  0x00007ffff152526c in WebCore::ReplaceSelectionCommand::doApply (this=0x1213920) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ReplaceSelectionCommand.cpp:949
#7  0x00007ffff14c273c in WebCore::CompositeEditCommand::apply (this=0x1213920) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:213
#8  0x00007ffff14c2534 in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:172
#9  0x00007ffff14f75a3 in WebCore::executeInsertFragment (frame=..., fragment=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:197
#10 0x00007ffff14f8c97 in WebCore::executeInsertHTML (frame=..., value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:504
#11 0x00007ffff14fc0a1 in WebCore::Editor::Command::execute (this=0x7fffffffbaf0, parameter=..., triggeringEvent=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1717
#12 0x00007ffff13c2c50 in WebCore::Document::execCommand (this=0x11f10d0, commandName=..., userInterface=false, value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4110
#13 0x00007ffff21c14a3 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff945edf48) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:2762
#14 0x00007fff9e53d105 in ?? ()
#15 0x00007fffffffbc30 in ?? ()
#16 0x00007ffff5d2255b in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#17 0x00007fff9e53d940 in ?? ()
#18 0x0000000001175918 in ?? ()
#19 0x000000000117ee70 in ?? ()
#20 0x00007fffee3779a0 in thread_context_stack () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#21 0x0000000000614470 in ?? ()
#22 0x00007ffff1852ac6 in WebCore::ResourceLoader::didReceiveBuffer (this=0x7fffffffbc30, buffer=..., encodedDataLength=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:483
#23 0x00007fffffffbc80 in ?? ()
#24 0x00007ffff5b143be in JSC::JITCode::execute (this=0x48ff5b670be8c789, stack=0x48e0458d48d4ff41, callFrame=0xc78948da89480000, vm=0x1b9c8458b48e0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Created attachment 219842 [details] patch
Comment on attachment 219842 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=219842&action=review > Source/WebCore/editing/EditorCommand.cpp:196 > + if (!frame.selection().isContentEditable()) > + return false; r-. This is not the right place to check this condition. enabledInEditableText should already be checking this condition.
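Review bot: the isContentEditable guard at EditorCommand.cpp:196 sits inside executeInsertFragment, but the assertion in the reported backtrace fires from DeleteSelectionCommand::initializePositionData, which ReplaceSelectionCommand reaches through the generic CompositeEditCommand::deleteSelection; guarding only the inserthtml executor leaves the same path reachable from any other command that deletes the selection. Agree with the r-: move the editability check into the shared enabling predicate (enabledInEditableText) so the command is reported as disabled instead of silently returning false from the executor, and land the attached read-only <hr> test case as a regression layout test with the fix.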
This issue no longer occurs under GuardMalloc or ASAN. If you believe there is still a bug, please reopen this issue with a revised test case.