Bug 174359 - ASSERTION FAILED: !simpleLineLayout() in WebCore::RenderText::containsRenderedCharacterOffset
Summary: ASSERTION FAILED: !simpleLineLayout() in WebCore::RenderText::containsRendere...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
Reported: 2017-07-11 05:37 PDT by Renata Hodovan
Modified: 2017-07-11 05:37 PDT (History)
CC List: 3 users

See Also:


Attachments
Test (411 bytes, text/html)
2017-07-11 05:37 PDT, Renata Hodovan
no flags

Description Renata Hodovan 2017-07-11 05:37:14 PDT
Created attachment 315097
Test

Load the attached test with debug WebKitTestRunner:

Checked version: 6700d3c
OS: macOS Sierra (10.12.5)

<a>
    <script>
    document.designMode = 'on'
    document.execCommand ('SelectAll')
    document.execCommand ("InsertHTML",0,"<ul>")
    document.execCommand ("Indent")
    document.execCommand ("InsertHTML",true,"<p><table><tbody><tr><td>stats</td></tr></tbody></table></p>")
    document.execCommand ("InsertText",true,true)
    document.execCommand ("JustifyCenter")
    document.execCommand ("inserthorizontalrule")
    </script>
</a>

Backtrace:

ASSERTION FAILED: !simpleLineLayout()
WebKit/Source/WebCore/rendering/RenderText.cpp(1513) : bool WebCore::RenderText::containsRenderedCharacterOffset(unsigned int) const
1   0x12f412d11 WTFCrash
2   0x1168d5783 WebCore::RenderText::containsRenderedCharacterOffset(unsigned int) const
3   0x115e69cdd WebCore::Position::isRenderedCharacter() const
4   0x112f3bb18 WebCore::InsertParagraphSeparatorCommand::doApply()
5   0x111002d06 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::EditCommand>&&)
6   0x111004093 WebCore::CompositeEditCommand::insertParagraphSeparator(bool, bool)
7   0x116a1156f WebCore::ReplaceSelectionCommand::doApply()
8   0x111001d0a WebCore::CompositeEditCommand::apply()
9   0x111d5c831 WebCore::executeInsertFragment(WebCore::Frame&, WTF::Ref<WebCore::DocumentFragment>&&)
10  0x111d5cb42 WebCore::executeInsertNode(WebCore::Frame&, WTF::Ref<WebCore::Node>&&)
11  0x111d53cdc WebCore::executeInsertHorizontalRule(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)
12  0x111d4f64c WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
13  0x1119b07b2 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
14  0x1136b2c19 WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)
15  0x1136668ca long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*)
16  0x1136664dc WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*)
17  0x5c18a3a01028
18  0x12e7cccf3 llint_entry
19  0x12e7c5357 vmEntryToJavaScript
20  0x12e1d2510 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
21  0x12e0df58b JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
22  0x12cb78c29 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
23  0x12cb79141 JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
24  0x116bb6b96 WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
25  0x116bb640a WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*)
26  0x116bb6e3a WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*)
27  0x116bf01b6 WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)
28  0x116bebcf9 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)
29  0x1129cda71 WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&)
30  0x1129cd4a5 WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement>&&, WTF::TextPosition const&)
31  0x1127d44fd WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()
ASAN:DEADLYSIGNAL
=================================================================
==68908==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00012f412d49 bp 0x7fff58242b90 sp 0x7fff58242b80 T0)
    #0 0x12f412d48 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3540d48)
    #1 0x1168d5782 in WebCore::RenderText::containsRenderedCharacterOffset(unsigned int) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6186782)
    #2 0x115e69cdc in WebCore::Position::isRenderedCharacter() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x571acdc)
    #3 0x112f3bb17 in WebCore::InsertParagraphSeparatorCommand::doApply() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x27ecb17)
    #4 0x111002d05 in WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::EditCommand>&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8b3d05)
    #5 0x111004092 in WebCore::CompositeEditCommand::insertParagraphSeparator(bool, bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8b5092)
    #6 0x116a1156e in WebCore::ReplaceSelectionCommand::doApply() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x62c256e)
    #7 0x111001d09 in WebCore::CompositeEditCommand::apply() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8b2d09)
    #8 0x111d5c830 in WebCore::executeInsertFragment(WebCore::Frame&, WTF::Ref<WebCore::DocumentFragment>&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x160d830)
    #9 0x111d5cb41 in WebCore::executeInsertNode(WebCore::Frame&, WTF::Ref<WebCore::Node>&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x160db41)
    #10 0x111d53cdb in WebCore::executeInsertHorizontalRule(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1604cdb)
    #11 0x111d4f64b in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x160064b)
    #12 0x1119b07b1 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12617b1)
    #13 0x1136b2c18 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2f63c18)
    #14 0x1136668c9 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2f178c9)
    #15 0x1136664db in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2f174db)
    #16 0x5c18a3a01027  (<unknown module>)
    #17 0x12e7cccf2 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x28facf2)
    #18 0x12e7c5356 in vmEntryToJavaScript (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x28f3356)
    #19 0x12e1d250f in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x230050f)
    #20 0x12e0df58a in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x220d58a)
    #21 0x12cb78c28 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xca6c28)
    #22 0x12cb79140 in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xca7140)
    #23 0x116bb6b95 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6467b95)
    #24 0x116bb6409 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6467409)
    #25 0x116bb6e39 in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6467e39)
    #26 0x116bf01b5 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x64a11b5)
    #27 0x116bebcf8 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x649ccf8)
    #28 0x1129cda70 in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x227ea70)
    #29 0x1129cd4a4 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement>&&, WTF::TextPosition const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x227e4a4)
    #30 0x1127d44fc in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x20854fc)
    #31 0x1127d54be in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x20864be)
    #32 0x1127d299a in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x208399a)
    #33 0x1127d216f in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x208316f)
    #34 0x1127d7a2f in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2088a2f)
    #35 0x11185d521 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x110e521)
    #36 0x111b8b4f3 in WebCore::DocumentWriter::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x143c4f3)
    #37 0x111ad5756 in WebCore::DocumentLoader::finishedLoading() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1386756)
    #38 0x111ad5152 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1386152)
    #39 0x110d8d1e3 in WebCore::CachedResource::checkNotify() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x63e1e3)
    #40 0x110d8d873 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x63e873)
    #41 0x110d7e301 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x62f301)
    #42 0x1173b2211 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6c63211)
    #43 0x1098fe3fb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f383fb)
    #44 0x10990b149 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f45149)
    #45 0x10990ad54 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f44d54)
    #46 0x109907df8 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f41df8)
    #47 0x109905fba in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f3ffba)
    #48 0x10827bfcc in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x8b5fcc)
    #49 0x107bd184a in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20b84a)
    #50 0x107bb5ea4 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1efea4)
    #51 0x107bd2535 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20c535)
    #52 0x107c1113c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x24b13c)
    #53 0x107c11068 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x24b068)
    #54 0x12f49f600 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x35cd600)
    #55 0x12f4ee3a0 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x361c3a0)
    #56 0x12f4ef3d1 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x361d3d1)
    #57 0x7fffabc81320 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7320)
    #58 0x7fffabc6221c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8821c)
    #59 0x7fffabc61715 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87715)
    #60 0x7fffabc61113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87113)
    #61 0x7fffab1c2ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30ebb)
    #62 0x7fffab1c2cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30cf0)
    #63 0x7fffab1c2b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b25)
    #64 0x7fffa975ba53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x46a53)
    #65 0x7fffa9ed77ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c27ed)
    #66 0x7fffa97503da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3b3da)
    #67 0x7fffa971ae0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x5e0d)
    #68 0x7fffc16348c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x108c6)
    #69 0x7fffc16332e3 in xpc_main (/usr/lib/system/libxpc.dylib+0xf2e3)
    #70 0x1079b1f22 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f22)
    #71 0x7fffc13db234 in start (/usr/lib/system/libdyld.dylib+0x5234)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3540d48) in WTFCrash
==68908==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 68908)
LEAK: 1 WebProcessPool
LEAK: 1 WebPageProxy