Bug 123570 - ASSERTION FAILED: !refChild->hasTagName(bodyTag) in WebCore::CompositeEditCommand::insertNodeBefore
Summary: ASSERTION FAILED: !refChild->hasTagName(bodyTag) in WebCore::CompositeEditCom...
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
  Show dependency treegraph
 
Reported: 2013-10-31 07:47 PDT by Renata Hodovan
Modified: 2016-08-03 13:13 PDT (History)
5 users (show)

See Also:


Attachments
Test case (267 bytes, text/html)
2013-10-31 07:47 PDT, Renata Hodovan
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Renata Hodovan 2013-10-31 07:47:13 PDT
Created attachment 215652 [details]
Test case

The test causing the assertion fail:

<style type="text/css"></style> 
<body style="display: inline-table;">  
	<iframe onload="  
		document.designMode=&apos;on&apos;;     
		document.execCommand(&apos;selectall&apos;);     
		document.execCommand(&apos;inserthtml&apos;, false);" >
	</iframe> 
</body> 


The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff14c2f1b in WebCore::CompositeEditCommand::insertNodeBefore (this=0x1214230, insertChild=..., refChild=..., 
    shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:330
#2  0x00007ffff14c3367 in WebCore::CompositeEditCommand::insertNodeAt (this=0x1214230, insertChild=..., editingPosition=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:364
#3  0x00007ffff14d6d4e in WebCore::DeleteSelectionCommand::doApply (this=0x1214230)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/DeleteSelectionCommand.cpp:862
#4  0x00007ffff14c297c in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1258dd0, prpCommand=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:264
#5  0x00007ffff14c4dfc in WebCore::CompositeEditCommand::deleteSelection (this=0x1258dd0, smartDelete=false, mergeBlocksAfterDelete=true, replace=true, 
    expandForSpecialElements=false, sanitizeMarkup=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:582
#6  0x00007ffff152526c in WebCore::ReplaceSelectionCommand::doApply (this=0x1258dd0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ReplaceSelectionCommand.cpp:949
#7  0x00007ffff14c273c in WebCore::CompositeEditCommand::apply (this=0x1258dd0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:213
#8  0x00007ffff14c2534 in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:172
#9  0x00007ffff14f75a3 in WebCore::executeInsertFragment (frame=..., fragment=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:197
#10 0x00007ffff14f8c97 in WebCore::executeInsertHTML (frame=..., value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:504
#11 0x00007ffff14fc0a1 in WebCore::Editor::Command::execute (this=0x7fffffff9480, parameter=..., triggeringEvent=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1717
#12 0x00007ffff13c2c50 in WebCore::Document::execCommand (this=0x11ef000, commandName=..., userInterface=false, value=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4110
#13 0x00007ffff21c14a3 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff945edf48)
    at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:2762
#14 0x00007fff9e53d105 in ?? ()
#15 0x00007fffffff95c0 in ?? ()
#16 0x00007ffff5d2255b in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#17 0x00007fff9e53d940 in ?? ()
#18 0x0000000001175b18 in ?? ()
#19 0x0000000000000001 in ?? ()
#20 0x0000000000000001 in ?? ()
#21 0x00000000011e3110 in ?? ()
#22 0x0000000000000000 in ?? ()
Comment 1 Brent Fulgham 2016-08-03 13:13:48 PDT
his issue no longer occurs under GuardMalloc or ASAN. If you believe there is still a bug, please reopen this issue with a revised test case.