RESOLVED FIXED 150969
[GTK]ASSERTION FAILED: m_offset + m_count <= m_node->length() in WebCore::DeleteFromTextNodeCommand::DeleteFromTextNodeCommand
https://bugs.webkit.org/show_bug.cgi?id=150969
Renata Hodovan
Reported 2015-11-06 02:20:03 PST
Created attachment 264922 [details]
Test

Load the attached test with debug MiniBrowser:

<script>
function f_0() {
    document.execCommand("selectAll", false);
    document.execCommand("fontname", true);
    document.execCommand("undo", false);
    document.execCommand("insertText", false, "a");
    document.execCommand("redo", false);
    document.execCommand("forwardDelete", false);
}
</script>
<body onload="f_0()">
<textarea autofocus>g </textarea>
</body>

OS: Ubuntu 15.04 x86_64
Checked build: debug EFL
Checked version: babd346

Backtrace:

ASSERTION FAILED: m_offset + m_count <= m_node->length()
../../Source/WebCore/editing/DeleteFromTextNodeCommand.cpp(44) : WebCore::DeleteFromTextNodeCommand::DeleteFromTextNodeCommand(WTF::RefPtr<WebCore::Text>&&, unsigned int, unsigned int, WebCore::EditAction)
1 0x7fd301198bb5 WTFCrash
2 0x7fd308556ac1 WebCore::DeleteFromTextNodeCommand::DeleteFromTextNodeCommand(WTF::RefPtr<WebCore::Text>&&, unsigned int, unsigned int, WebCore::EditAction)
3 0x7fd30855176c WebCore::DeleteFromTextNodeCommand::create(WTF::RefPtr<WebCore::Text>&&, unsigned int, unsigned int, WebCore::EditAction)
4 0x7fd308548c18 WebCore::CompositeEditCommand::deleteTextFromNode(WTF::PassRefPtr<WebCore::Text>, unsigned int, unsigned int)
5 0x7fd30855a541 WebCore::DeleteSelectionCommand::deleteTextFromNode(WTF::PassRefPtr<WebCore::Text>, unsigned int, unsigned int)
6 0x7fd30855ac38 WebCore::DeleteSelectionCommand::handleGeneralDelete()
7 0x7fd30855db36 WebCore::DeleteSelectionCommand::doApply()
8 0x7fd3085460f6 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>)
9 0x7fd308549b0b WebCore::CompositeEditCommand::deleteSelection(WebCore::VisibleSelection const&, bool, bool, bool, bool, bool)
10 0x7fd307409bef WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::TextGranularity, bool)
11 0x7fd30740732c WebCore::TypingCommand::doApply()
12 0x7fd308545e22 WebCore::CompositeEditCommand::apply()
13 0x7fd3074063ae WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::Document&, unsigned int, WebCore::TextGranularity)
14 0x7fd3073be2e7
15 0x7fd3073c25dc WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
16 0x7fd307268107 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
17 0x7fd308983467 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*)
18 0x7fd2a3fff0c8
Aborted (core dumped)

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007fd301198bba in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321 *(int *)(uintptr_t)0xbbadbeef = 0;
#0 0x00007fd301198bba in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1 0x00007fd308556ac1 in WebCore::DeleteFromTextNodeCommand::DeleteFromTextNodeCommand(WTF::RefPtr<WebCore::Text>&&, unsigned int, unsigned int, WebCore::EditAction) (this=0x7fd2e87c0d20, node=<unknown type in webkit/WebKitBuild/Debug/lib/libewebkit2.so.1, CU 0x49fc0089, DIE 0x49fe21e1>, offset=0, count=334, editingAction=WebCore::EditActionDelete) at ../../Source/WebCore/editing/DeleteFromTextNodeCommand.cpp:44
#2 0x00007fd30855176c in WebCore::DeleteFromTextNodeCommand::create(WTF::RefPtr<WebCore::Text>&&, unsigned int, unsigned int, WebCore::EditAction) (node=<unknown type in webkit/WebKitBuild/Debug/lib/libewebkit2.so.1, CU 0x49eae53d, DIE 0x49f89ac7>, offset=0, count=334, editingAction=WebCore::EditActionDelete) at ../../Source/WebCore/editing/DeleteFromTextNodeCommand.h:39
#3 0x00007fd308548c18 in WebCore::CompositeEditCommand::deleteTextFromNode (this=0x7fd2e8696bd0, node=..., offset=0, count=334) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:555
#4 0x00007fd30855a541 in WebCore::DeleteSelectionCommand::deleteTextFromNode (this=0x7fd2e8696bd0, node=..., offset=0, count=334) at ../../Source/WebCore/editing/DeleteSelectionCommand.cpp:423
#5 0x00007fd30855ac38 in WebCore::DeleteSelectionCommand::handleGeneralDelete (this=0x7fd2e8696bd0) at ../../Source/WebCore/editing/DeleteSelectionCommand.cpp:482
#6 0x00007fd30855db36 in WebCore::DeleteSelectionCommand::doApply (this=0x7fd2e8696bd0) at ../../Source/WebCore/editing/DeleteSelectionCommand.cpp:842
#7 0x00007fd3085460f6 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x7fd2e86ad318, prpCommand=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:278
#8 0x00007fd308549b0b in WebCore::CompositeEditCommand::deleteSelection (this=0x7fd2e86ad318, selection=..., smartDelete=false, mergeBlocksAfterDelete=true, replace=false, expandForSpecialElements=true, sanitizeMarkup=true) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:650
#9 0x00007fd307409bef in WebCore::TypingCommand::forwardDeleteKeyPressed (this=0x7fd2e86ad318, granularity=WebCore::CharacterGranularity, killRing=false) at ../../Source/WebCore/editing/TypingCommand.cpp:635
#10 0x00007fd30740732c in WebCore::TypingCommand::doApply (this=0x7fd2e86ad318) at ../../Source/WebCore/editing/TypingCommand.cpp:269
#11 0x00007fd308545e22 in WebCore::CompositeEditCommand::apply (this=0x7fd2e86ad318) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:227
#12 0x00007fd3074063ae in WebCore::TypingCommand::forwardDeleteKeyPressed (document=..., options=0, granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/TypingCommand.cpp:138
#13 0x00007fd3073be2e7 in WebCore::executeForwardDelete (frame=..., source=WebCore::CommandFromDOM) at ../../Source/WebCore/editing/EditorCommand.cpp:440
#14 0x00007fd3073c25dc in WebCore::Editor::Command::execute (this=0x7fff38f75640, parameter=..., triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1703
#15 0x00007fd307268107 in WebCore::Document::execCommand (this=0x7fd2e8436000, commandName=..., userInterface=false, value=...) at ../../Source/WebCore/dom/Document.cpp:4657
#16 0x00007fd308983467 in WebCore::jsDocumentPrototypeFunctionExecCommand (state=0x7fff38f75710) at DerivedSources/WebCore/JSDocument.cpp:5066
#17 0x00007fd2a3fff0c8 in ?? ()
#18 0x00007fff38f757a0 in ?? ()
#19 0x00007fd301141351 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
Attachments
Test (377 bytes, text/html)
2015-11-06 02:20 PST, Renata Hodovan
no flags
Brent Fulgham
Comment 1 2016-08-04 17:28:15 PDT
This problem does not reproduce under r204037. If you believe there is still a problem, please reopen this bug and provide a revised test case.
Renata Hodovan
Comment 2 2016-08-05 10:20:38 PDT
Using the attached test case the issue still seems valid in r204165 with debug EFL and GTK builds.
Darin Adler
Comment 3 2016-08-05 23:01:25 PDT
Seems peculiar that this would be platform dependent. When someone finds a fix I would like to understand why the platform difference exists.
EWS
Comment 5 2024-09-27 02:14:29 PDT
Committed 284343@main (4672c550c929): <https://commits.webkit.org/284343@main> Reviewed commits have been landed. Closing PR #32826 and removing active labels.
Radar WebKit Bug Importer
Comment 6 2024-09-27 02:15:18 PDT