Bug 184049 - Executing "insertunorderedlist" while selecting a contenteditable element inside a shadow dom hangs the browser
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-03-27 11:13 PDT by tvanderlippe
Modified: 2018-11-29 13:50 PST
CC List: 6 users

See Also:


Attachments
Reproduction case (926 bytes, text/html)
2018-03-27 11:13 PDT, tvanderlippe
no flags
Reduction (440 bytes, text/html)
2018-11-13 11:08 PST, Ryosuke Niwa
no flags
Fixes the hang (8.89 KB, patch)
2018-11-28 19:44 PST, Ryosuke Niwa
no flags
Added the forgotten tests (8.89 KB, patch)
2018-11-28 19:45 PST, Ryosuke Niwa
no flags
Added the forgotten tests (10.65 KB, patch)
2018-11-28 19:46 PST, Ryosuke Niwa
koivisto: review+

Description tvanderlippe 2018-03-27 11:13:43 PDT
Created attachment 336598
Reproduction case

Steps to reproduce the problem:
1. Create an element with a shadow dom
2. In the shadow dom, create an element with contenteditable
3. Select all text in the contenteditable element
4. Execute "insertunorderedlist" (a couple of times)

In the supplied test case the first text is without shadow dom, while the second text is within shadow dom.

What is the expected behavior?
The behavior is the same as in the non-shadow dom version, it creates 3 bullet points for each line or removes all bullet points from all lines.

What went wrong?
The browser tab hangs and is completely unresponsive. Indeterminate spinner is running forever.
Comment 1 Radar WebKit Bug Importer 2018-03-27 15:36:58 PDT
<rdar://problem/38931033>
Comment 2 Ryosuke Niwa 2018-11-12 18:41:47 PST
Hm... I can't reproduce this problem with STP70. Can you still reproduce the issue?

Please feel free to re-open the bug if you can.
Comment 3 tvanderlippe 2018-11-13 10:43:36 PST
I am not yet on Mojave, so I am unable to run on STP70. It was still broken on STP69 on High Sierra. Hopefully I can verify this soon after upgrading.
Comment 4 Ryosuke Niwa 2018-11-13 10:58:05 PST
Hm... I don't think there was any change between STP69 and STP70 in this area. In fact, it works just fine in STP68 for me.

Oh, I see, you'd have to select the entire list. Now I can reproduce it!
Comment 5 Ryosuke Niwa 2018-11-13 11:08:19 PST
Looks like TextIterator is getting stuck:

1213 WebCore::JSExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)  (in WebCore) + 84  [0x10be059a4]
  1213 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)  (in JavaScriptCore) + 287  [0x578a193df]
    1213 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)  (in JavaScriptCore) + 11170  [0x57887a1e2]
      1213 vmEntryToJavaScript  (in JavaScriptCore) + 200  [0x57835d029]
        1213 llint_entry  (in JavaScriptCore) + 26835  [0x578363ab6]
          1213 ???  (in <unknown binary>)  [0x48e61f28177]
            1213 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*)  (in WebCore) + 533  [0x10b4807d5]
              1213 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)  (in WebCore) + 73  [0x10b480999]
                1213 WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)  (in WebCore) + 48  [0x10c0ba740]
                  1213 WebCore::CompositeEditCommand::apply()  (in WebCore) + 268  [0x10b439c5c]
                    959 WebCore::InsertListCommand::doApply()  (in WebCore) + 879  [0x10c0cab2f]
                    ! 702 WebCore::indexForVisiblePosition(WebCore::VisiblePosition const&, WTF::RefPtr<WebCore::ContainerNode, WTF::DumbPtrTraits<WebCore::ContainerNode> >&)  (in WebCore) + 386  [0x10c09d1f2]
                    ! : 455 WebCore::TextIterator::rangeLength(WebCore::Range const*, bool)  (in WebCore) + 36  [0x10b436e84]
                    ! : | 191 WebCore::TextIterator::init()  (in WebCore) + 386  [0x10c0e84e2]
                    ! : | + 46 WebCore::TextIterator::advance()  (in WebCore) + 436  [0x10b3aa644]
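
Added example (not part of the bug report and not WebKit tooling): a small parser for the call tree pasted in comment 5 that reports which frames were on the stack in every sample and how deep the majority of samples can be followed. The function names are hypothetical; the input lines are copied from comment 5 with the indentation shifted left.

```python
import re
from typing import NamedTuple

# Eight lines copied from comment 5; only the left indentation was reduced.
SAMPLE = """\
1213 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)  (in WebCore) + 73  [0x10b480999]
  1213 WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)  (in WebCore) + 48  [0x10c0ba740]
    1213 WebCore::CompositeEditCommand::apply()  (in WebCore) + 268  [0x10b439c5c]
      959 WebCore::InsertListCommand::doApply()  (in WebCore) + 879  [0x10c0cab2f]
      ! 702 WebCore::indexForVisiblePosition(WebCore::VisiblePosition const&, WTF::RefPtr<WebCore::ContainerNode, WTF::DumbPtrTraits<WebCore::ContainerNode> >&)  (in WebCore) + 386  [0x10c09d1f2]
      ! : 455 WebCore::TextIterator::rangeLength(WebCore::Range const*, bool)  (in WebCore) + 36  [0x10b436e84]
      ! : | 191 WebCore::TextIterator::init()  (in WebCore) + 386  [0x10c0e84e2]
      ! : | + 46 WebCore::TextIterator::advance()  (in WebCore) + 436  [0x10b3aa644]
"""

class Frame(NamedTuple):
    col: int      # column of the sample count, i.e. depth in the call tree
    count: int    # number of samples in which this frame was on the stack
    symbol: str
    binary: str

# tree decoration (spaces ! : | +), sample count, symbol, "(in <binary>)"
LINE = re.compile(r"^([ !:|+]*)(\d+) +(.+?) +\(in ([^)]+)\)")

def parse(text):
    """Return one Frame per call-tree line; lines in other formats are skipped."""
    matches = (LINE.match(line) for line in text.splitlines())
    return [Frame(len(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            for m in matches if m]

def always_on_stack(frames):
    """Frames seen in every sample: calls that never returned while sampling."""
    total = max(f.count for f in frames)
    return [f for f in frames if f.count == total]

def deepest_dominant(frames, share=0.5):
    """Deepest frame that still accounts for more than `share` of all samples."""
    total = max(f.count for f in frames)
    heavy = [f for f in frames if f.count > share * total]
    return max(heavy, key=lambda f: f.col)

if __name__ == "__main__":
    frames = parse(SAMPLE)
    print("never returned:", always_on_stack(frames)[-1].symbol)
    hot = deepest_dominant(frames)
    print(f"majority of samples under: {hot.symbol} ({hot.count} samples)")
```
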
Comment 6 Ryosuke Niwa 2018-11-13 11:08:41 PST
Created attachment 354684
Reduction
Comment 7 Ryosuke Niwa 2018-11-28 19:44:57 PST
Created attachment 355964
Fixes the hang
Comment 8 Ryosuke Niwa 2018-11-28 19:45:49 PST
Created attachment 355965
Added the forgotten tests
Comment 9 Ryosuke Niwa 2018-11-28 19:46:27 PST
Created attachment 355966
Added the forgotten tests
Comment 10 Ryosuke Niwa 2018-11-29 13:50:45 PST
Committed r238693: <https://trac.webkit.org/changeset/238693>