Created attachment 222330 [details] Test case The failing test: <body onload=" if (document.counter) document.counter++; else document.counter = 1; if (document.counter <= 1) { document.designMode='on'; document.execCommand('selectall'); document.execCommand('RemoveFormat'); document.execCommand('inserthtml', false); }" > <hr> <canvas> </canvas> </body> The error message: ASSERTION FAILED: insertionBlock != currentRoot /home/martin/Data/WebKit/Source/WebCore/editing/ReplaceSelectionCommand.cpp(1016) : virtual void WebCore::ReplaceSelectionCommand::doApply() 1 0x7ffff5c19441 WTFCrash 2 0x7ffff0b2985f WebCore::ReplaceSelectionCommand::doApply() 3 0x7ffff0ac67a8 WebCore::CompositeEditCommand::apply() 4 0x7ffff0ac65a0 WebCore::applyCommand(WTF::PassRefPtr<WebCore::CompositeEditCommand>) 5 0x7ffff0afb00b 6 0x7ffff0afc683 7 0x7ffff0affa76 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const 8 0x7ffff09c523e WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) 9 0x7ffff185aa58 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) 10 0x7fff9b9be0e5 Program received signal SIGSEGV, Segmentation fault. 0x00007ffff5c19446 in WTFCrash () at /home/martin/Data/WebKit/Source/WTF/wtf/Assertions.cpp:333 333 *(int *)(uintptr_t)0xbbadbeef = 0; The backtrace: #1 0x00007ffff0b2985f in WebCore::ReplaceSelectionCommand::doApply (this=0xa3fde0) at /home/martin/Data/WebKit/Source/WebCore/editing/ReplaceSelectionCommand.cpp:1016 #2 0x00007ffff0ac67a8 in WebCore::CompositeEditCommand::apply (this=0xa3fde0) at /home/martin/Data/WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:227 #3 0x00007ffff0ac65a0 in WebCore::applyCommand (command=...) at /home/martin/Data/WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:182 #4 0x00007ffff0afb00b in WebCore::executeInsertFragment (frame=..., fragment=...) at /home/martin/Data/WebKit/Source/WebCore/editing/EditorCommand.cpp:195 #5 0x00007ffff0afc683 in WebCore::executeInsertHTML (frame=..., value=...) at /home/martin/Data/WebKit/Source/WebCore/editing/EditorCommand.cpp:508 #6 0x00007ffff0affa76 in WebCore::Editor::Command::execute (this=0x7fffffffbac0, parameter=..., triggeringEvent=0x0) at /home/martin/Data/WebKit/Source/WebCore/editing/EditorCommand.cpp:1740 #7 0x00007ffff09c523e in WebCore::Document::execCommand (this=0x808ab0, commandName=..., userInterface=false, value=...) at /home/martin/Data/WebKit/Source/WebCore/dom/Document.cpp:4220 #8 0x00007ffff185aa58 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff8f071f40) at /home/martin/Data/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:3369 #9 0x00007fff9b9be0e5 in ?? () #10 0x00007fff8f071f90 in ?? () #11 0x00007ffff5c075c1 in llint_op_call () from /home/martin/Data/WebKit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0 #12 0x00007fff9b9be900 in ?? () #13 0x00000000009ee4e0 in ?? () #14 0x00007fff800078b0 in ?? () #15 0x00007fff800064a0 in ?? () #16 0x000000000073cd50 in ?? () #17 0x0000000000000000 in ?? ()
This still occurs under r204037.
<rdar://problem/27685262>
I am still able to reproduce this assert failed using attached test case in MiniBrowser WK2 Debug Build based of 259136@main and it gets this: ASSERTION FAILED: insertionBlock != currentRoot editing/ReplaceSelectionCommand.cpp(1230) : virtual void WebCore::ReplaceSelectionCommand::doApply() 1 0x138346d84 WTFCrash 2 0x280832730 WTFCrashWithInfo(int, char const*, char const*, int) 3 0x283e7b3b8 WebCore::ReplaceSelectionCommand::doApply() 4 0x283dac198 WebCore::CompositeEditCommand::apply() 5 0x283e43438 WebCore::executeInsertFragment(WebCore::Frame&, WTF::Ref<WebCore::DocumentFragment, WTF::RawPtrTraits<WebCore::DocumentFragment> >&&) 6 0x283e3d604 WebCore::executeInsertHTML(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) 7 0x283e12a30 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const 8 0x283a99ef0 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) 9 0x280be2e5c WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) 10 0x280be2944 long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) 11 0x280bcda00 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) 12 0x2a4e5403c (null) 13 0x138a6e990 llint_entry 14 0x138a48eec vmEntryToJavaScript 15 0x139aa7a5c JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 16 0x139aa8138 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 17 0x139ed4878 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 18 0x139ed493c JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) 19 0x139ed4c10 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) 20 0x28323e6b8 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) 21 0x283163f10 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) 22 0x283bc8f44 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) 23 0x283bbdf30 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) 24 0x284a5507c WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) 25 0x284a5fda0 WebCore::DOMWindow::dispatchLoadEvent() 26 0x283a872a4 WebCore::Document::dispatchWindowLoadEvent() 27 0x283a86efc WebCore::Document::implicitClose() 28 0x284848ba0 WebCore::FrameLoader::checkCallImplicitClose() 29 0x284848544 WebCore::FrameLoader::checkCompleted() 30 0x284846950 WebCore::FrameLoader::finishedParsing() 31 0x283a9c2bc WebCore::Document::finishedParsing() 2023-01-20 18:39:56.245 MiniBrowser[65827:23966084] WebContent process crashed; reloading
Committed 277291@main (cb8d258708a5): <https://commits.webkit.org/277291@main> Reviewed commits have been landed. Closing PR #26896 and removing active labels.