123567 – ASSERTION FAILED: isEditablePosition(*this) in WebCore::Position::leadingWhitespacePosition

RESOLVED WORKSFORME 123567

ASSERTION FAILED: isEditablePosition(*this) in WebCore::Position::leadingWhitespacePosition

https://bugs.webkit.org/show_bug.cgi?id=123567

Summary ASSERTION FAILED: isEditablePosition(*this) in WebCore::Position::leadingWhit...

Renata Hodovan

Reported 2013-10-31 06:54:17 PDT

Created attachment 215650 [details] Test case ASSERTION fail happens if we try to modify the read-only <hr> tag. The test: <hr style="-webkit-user-modify: read-only" > <body onload="document.designMode='on'; document.execCommand('selectall'); document.execCommand('inserthtml', false);"> </body> Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342 342 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342 #1 0x00007ffff146ab1e in WebCore::Position::leadingWhitespacePosition (this=0x11d8b48, affinity=WebCore::DOWNSTREAM, considerNonCollapsibleWhitespace=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Position.cpp:1059 #2 0x00007ffff14d28b9 in WebCore::DeleteSelectionCommand::initializePositionData (this=0x11d8a10) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/DeleteSelectionCommand.cpp:229 #3 0x00007ffff14d6b47 in WebCore::DeleteSelectionCommand::doApply (this=0x11d8a10) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/DeleteSelectionCommand.cpp:832 #4 0x00007ffff14c297c in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1213920, prpCommand=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:264 #5 0x00007ffff14c4dfc in WebCore::CompositeEditCommand::deleteSelection (this=0x1213920, smartDelete=false, mergeBlocksAfterDelete=true, replace=true, expandForSpecialElements=false, sanitizeMarkup=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:582 #6 0x00007ffff152526c in WebCore::ReplaceSelectionCommand::doApply (this=0x1213920) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ReplaceSelectionCommand.cpp:949 #7 0x00007ffff14c273c in WebCore::CompositeEditCommand::apply (this=0x1213920) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:213 #8 0x00007ffff14c2534 in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:172 #9 0x00007ffff14f75a3 in WebCore::executeInsertFragment (frame=..., fragment=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:197 #10 0x00007ffff14f8c97 in WebCore::executeInsertHTML (frame=..., value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:504 #11 0x00007ffff14fc0a1 in WebCore::Editor::Command::execute (this=0x7fffffffbaf0, parameter=..., triggeringEvent=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1717 #12 0x00007ffff13c2c50 in WebCore::Document::execCommand (this=0x11f10d0, commandName=..., userInterface=false, value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4110 #13 0x00007ffff21c14a3 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff945edf48) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:2762 #14 0x00007fff9e53d105 in ?? () #15 0x00007fffffffbc30 in ?? () #16 0x00007ffff5d2255b in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0 #17 0x00007fff9e53d940 in ?? () #18 0x0000000001175918 in ?? () #19 0x000000000117ee70 in ?? () #20 0x00007fffee3779a0 in thread_context_stack () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #21 0x0000000000614470 in ?? () #22 0x00007ffff1852ac6 in WebCore::ResourceLoader::didReceiveBuffer (this=0x7fffffffbc30, buffer=..., encodedDataLength=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:483 #23 0x00007fffffffbc80 in ?? () #24 0x00007ffff5b143be in JSC::JITCode::execute (this=0x48ff5b670be8c789, stack=0x48e0458d48d4ff41, callFrame=0xc78948da89480000, vm=0x1b9c8458b48e0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46 Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Attachments
Test case (226 bytes, text/html) 2013-10-31 06:54 PDT, Renata Hodovan	no flags	Details
patch (1.32 KB, patch) 2013-12-21 02:11 PST, Gergő Balogh	rniwa: review- rniwa: commit-queue-	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Gergő Balogh

Comment 1 2013-12-21 02:11:38 PST

Created attachment 219842 [details] patch

Ryosuke Niwa

Comment 2 2013-12-21 23:11:17 PST

Comment on attachment 219842 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=219842&action=review > Source/WebCore/editing/EditorCommand.cpp:196 > + if (!frame.selection().isContentEditable()) > + return false; r-. This is not the right place to check this condition. enabledInEditableText should already be checking this condition.

Brent Fulgham

Comment 3 2016-08-03 13:12:59 PDT

his issue no longer occurs under GuardMalloc or ASAN. If you believe there is still a bug, please reopen this issue with a revised test case.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution WORKSFORME

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component HTML Editing

Assignee

Nobody

Reported

2013-10-31 06:54 PDT

Modified

2016-08-03 13:12 PDT History

CC List

5 users Show

URL

Keywords

Depends on

Blocks

116980

Dependencies

tree graph