Bug 127342 - ASSERTION FAILED: node == end.deprecatedNode() || !node->contains(end.deprecatedNode()) in WebCore::ApplyStyleCommand::removeInlineStyle
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks: 116980
 
Reported: 2014-01-21 05:50 PST by Renata Hodovan
Modified: 2023-01-20 10:42 PST


Attachments
Test case (292 bytes, text/html)
2014-01-21 05:50 PST, Renata Hodovan
Test (176 bytes, text/html)
2015-11-25 05:44 PST, Renata Hodovan

Description Renata Hodovan 2014-01-21 05:50:36 PST
Created attachment 221737
Test case

The test:

<applet code="applet1.class">foo
	<small>
	<iframe onload="document.designMode=&apos;on&apos;;     
					document.execCommand(&apos;selectall&apos;);     
					document.execCommand(&apos;italic&apos;);     
					document.execCommand(&apos;RemoveFormat&apos;);"
			seamless></iframe>
</applet>


The backtrace:

ASSERTION FAILED: node == end.deprecatedNode() || !node->contains(end.deprecatedNode())
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp(1126) : void WebCore::ApplyStyleCommand::removeInlineStyle(WebCore::EditingStyle*, const WebCore::Position&, const WebCore::Position&)
1   0x7ffff5c172a1 WTFCrash
2   0x7ffff0a6f36c WebCore::ApplyStyleCommand::removeInlineStyle(WebCore::EditingStyle*, WebCore::Position const&, WebCore::Position const&)
3   0x7ffff0a6c4ca WebCore::ApplyStyleCommand::applyInlineStyle(WebCore::EditingStyle*)
4   0x7ffff0a69a37 WebCore::ApplyStyleCommand::doApply()
5   0x7ffff0a78e94 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>)
6   0x7ffff0ad42c5 WebCore::RemoveFormatCommand::doApply()
7   0x7ffff0a78c54 WebCore::CompositeEditCommand::apply()
8   0x7ffff0a78a4c WebCore::applyCommand(WTF::PassRefPtr<WebCore::CompositeEditCommand>)
9   0x7ffff0a9c041 WebCore::Editor::removeFormattingAndStyle()
10  0x7ffff0ab03db
11  0x7ffff0ab1f22 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
12  0x7ffff0976ab2 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
13  0x7ffff1812910 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*)
14  0x7fff9d5640e5

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5c172a6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5c172a6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff0a6f36c in WebCore::ApplyStyleCommand::removeInlineStyle (this=0x12000a0, style=0x12230f0, start=..., end=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:1126
#2  0x00007ffff0a6c4ca in WebCore::ApplyStyleCommand::applyInlineStyle (this=0x12000a0, style=0x12230f0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:637
#3  0x00007ffff0a69a37 in WebCore::ApplyStyleCommand::doApply (this=0x12000a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:220
#4  0x00007ffff0a78e94 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x1200b90, prpCommand=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:278
#5  0x00007ffff0ad42c5 in WebCore::RemoveFormatCommand::doApply (this=0x1200b90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/RemoveFormatCommand.cpp:92
#6  0x00007ffff0a78c54 in WebCore::CompositeEditCommand::apply (this=0x1200b90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:227
#7  0x00007ffff0a78a4c in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:182
#8  0x00007ffff0a9c041 in WebCore::Editor::removeFormattingAndStyle (this=0x750200) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:914
#9  0x00007ffff0ab03db in WebCore::executeRemoveFormat (frame=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:985
#10 0x00007ffff0ab1f22 in WebCore::Editor::Command::execute (this=0x7fffffff9ad0, parameter=..., triggeringEvent=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1740
#11 0x00007ffff0976ab2 in WebCore::Document::execCommand (this=0x11c8ad0, commandName=..., userInterface=false, value=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4220
#12 0x00007ffff1812910 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff93d8bf40)
    at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:3369
#13 0x00007fff9d5640e5 in ?? ()
#14 0x00007fff93d8bf90 in ?? ()
#15 0x00007ffff5c05421 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#16 0x00007fff9d564900 in ?? ()
#17 0x0000000001141e20 in ?? ()
#18 0x0000000000000001 in ?? ()
#19 0x0000000000000001 in ?? ()
#20 0x00000000011596b0 in ?? ()
#21 0x0000000000000000 in ?? ()
Comment 1 Renata Hodovan 2015-11-25 05:44:09 PST
Created attachment 266153
Test

New test case since the old one doesn't repro anymore.
Comment 2 Brent Fulgham 2016-08-03 13:53:40 PDT
This still reproduces under r204037.
Comment 3 Radar WebKit Bug Importer 2016-08-03 13:55:19 PDT
<rdar://problem/27685108>
Comment 4 Ahmad Saleem 2023-01-20 10:42:55 PST
I am able to reproduce this failed assertion using a MiniBrowser WK2 Debug Build based off 259136@main, and I get this:

ASSERTION FAILED: node == end.deprecatedNode() || !node->contains(end.deprecatedNode())
editing/ApplyStyleCommand.cpp(1133) : void WebCore::ApplyStyleCommand::removeInlineStyle(WebCore::EditingStyle &, const WebCore::Position &, const WebCore::Position &)
1   0x13a6c6d84 WTFCrash
2   0x280832730 WTFCrashWithInfo(int, char const*, char const*, int)
3   0x283db5a28 WebCore::ApplyStyleCommand::removeInlineStyle(WebCore::EditingStyle&, WebCore::Position const&, WebCore::Position const&)
4   0x283db21d8 WebCore::ApplyStyleCommand::applyInlineStyle(WebCore::EditingStyle&)
5   0x283db0604 WebCore::ApplyStyleCommand::doApply()
6   0x283dac198 WebCore::CompositeEditCommand::apply()
7   0x283e0c730 WebCore::Editor::applyStyle(WTF::RefPtr<WebCore::EditingStyle, WTF::RawPtrTraits<WebCore::EditingStyle>, WTF::DefaultRefDerefTraits<WebCore::EditingStyle> >&&, WebCore::EditAction, WebCore::Editor::ColorFilterMode)
8   0x283e41250 WebCore::applyCommandToFrame(WebCore::Frame&, WebCore::EditorCommandSource, WebCore::EditAction, WTF::Ref<WebCore::EditingStyle, WTF::RawPtrTraits<WebCore::EditingStyle> >&&)
9   0x283e413d8 WebCore::executeToggleStyle(WebCore::Frame&, WebCore::EditorCommandSource, WebCore::EditAction, WebCore::CSSPropertyID, WTF::ASCIILiteral, WTF::ASCIILiteral)
10  0x283e3de9c WebCore::executeToggleItalic(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)
11  0x283e12a30 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
12  0x283a99ef0 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
13  0x280be2e5c WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)
14  0x280be2944 long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
15  0x280bcda00 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)
16  0x2a4e5403c (null)
17  0x13adee990 llint_entry
18  0x13adc8eec vmEntryToJavaScript
19  0x13be27a5c JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
20  0x13be26ff8 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
21  0x13c290110 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
22  0x13c290254 JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
23  0x283240254 WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
24  0x28323fd28 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
25  0x28323fb5c WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
26  0x28324050c WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)
27  0x283cbd164 WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)
28  0x283cbb2e8 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)
29  0x284323810 WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&)
30  0x28432363c WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::RawPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&)
31  0x2842fb1f4 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()