Bug 208045 - ASSERTION FAILURE in AppendNodeCommand::AppendNodeCommand when inserting list with read-only user-modify
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=208045
Jack
Reported 2020-02-21 00:38:37 PST
<rdar://39023383>
0 com.apple.JavaScriptCore 0x000000011b48cd94 WTFCrash + 36
1 com.apple.WebCore 0x000000010d07e75c WebCore::AppendNodeCommand::AppendNodeCommand(WTF::Ref<WebCore::ContainerNode, WTF::DumbPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&, WebCore::EditAction) + 348
2 com.apple.WebCore 0x000000010d07e7cb WebCore::AppendNodeCommand::AppendNodeCommand(WTF::Ref<WebCore::ContainerNode, WTF::DumbPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&, WebCore::EditAction) + 43
3 com.apple.WebCore 0x000000010d090f2c WebCore::AppendNodeCommand::create(WTF::Ref<WebCore::ContainerNode, WTF::DumbPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&, WebCore::EditAction) + 92
4 com.apple.WebCore 0x000000010d080329 WebCore::CompositeEditCommand::appendNode(WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&, WTF::Ref<WebCore::ContainerNode, WTF::DumbPtrTraits<WebCore::ContainerNode> >&&) + 153
5 com.apple.WebCore 0x000000010d095a93 WebCore::CompositeEditCommand::cloneParagraphUnderNewElement(WebCore::Position const&, WebCore::Position const&, WebCore::Node*, WebCore::Element*) + 339
6 com.apple.WebCore 0x000000010d096478 WebCore::CompositeEditCommand::moveParagraphWithClones(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::Element*, WebCore::Node*) + 440
7 com.apple.WebCore 0x000000010d0fb588 WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::Range*) + 1192
8 com.apple.WebCore 0x000000010d0fb094 WebCore::InsertListCommand::doApply() + 2340
9 com.apple.WebCore 0x000000010d07c28a WebCore::CompositeEditCommand::apply() + 314
10 com.apple.WebCore 0x000000010d0dc65b WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 123
11 com.apple.WebCore 0x000000010d0c8f63 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const + 211
12 com.apple.WebCore 0x000000010ceb5579 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 89
13 com.apple.WebCore 0x000000010b90e5c8 WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) + 712
14 com.apple.WebCore 0x000000010b8f3d0e long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 606
15 com.apple.WebCore 0x000000010b8f3a9c WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) + 28
16 ??? 0x0000467ac9201185 0 + 77493174276485
17 com.apple.JavaScriptCore 0x0000000119fc88b3 llint_entry + 32642
18 com.apple.JavaScriptCore 0x0000000119fc0712 vmEntryToJavaScript + 343
19 com.apple.JavaScriptCore 0x000000011ad393de JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 350
20 com.apple.JavaScriptCore 0x000000011acdedd5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1269
21 com.apple.JavaScriptCore 0x000000011af4728a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 202
22 com.apple.JavaScriptCore 0x000000011af47369 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 201
23 com.apple.JavaScriptCore 0x000000011af4760d JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 125
24 com.apple.WebCore 0x000000010c9c73eb WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 139
25 com.apple.WebCore 0x000000010c9c71f3 WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 963
26 com.apple.WebCore 0x000000010b514232 WebCore::JSCallbackDataStrong::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 162
27 com.apple.WebCore 0x000000010bf25b07 WebCore::JSRequestAnimationFrameCallback::handleEvent(double) + 391
28 com.apple.WebCore 0x000000010d01196b WebCore::ScriptedAnimationController::serviceScriptedAnimations(double) + 523
29 com.apple.WebCore 0x000000010d011f11 WebCore::ScriptedAnimationController::displayRefreshFired() + 49
30 com.apple.WebCore 0x000000010d9c1cd4 WebCore::DisplayRefreshMonitorClient::fireDisplayRefreshIfNeeded() + 52
31 com.apple.WebCore 0x000000010d9c1971 WebCore::DisplayRefreshMonitor::displayDidRefresh() + 193
32 com.apple.WebCore 0x000000010d9c189d WebCore::DisplayRefreshMonitor::handleDisplayRefreshedNotificationOnMainThread(void*) + 29
33 com.apple.WebCore 0x000000010db98e70 WebCore::DisplayRefreshMonitorMac::displayLinkFired()::$_0::operator()() const + 48
34 com.apple.WebCore 0x000000010db98cc9 WTF::Function<void ()>::CallableWrapper<WebCore::DisplayRefreshMonitorMac::displayLinkFired()::$_0>::call() + 25
35 com.apple.JavaScriptCore 0x000000011b4a8edb WTF::Function<void ()>::operator()() const + 139
36 com.apple.JavaScriptCore 0x000000011b4edcc3 WTF::RunLoop::performWork() + 211
37 com.apple.JavaScriptCore 0x000000011b4ee524 WTF::RunLoop::performWork(void*) + 36
38 com.apple.CoreFoundation 0x00007fff45121a61 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
39 com.apple.CoreFoundation 0x00007fff451db47c __CFRunLoopDoSource0 + 108
40 com.apple.CoreFoundation 0x00007fff4510451c __CFRunLoopDoSources0 + 300
41 com.apple.CoreFoundation 0x00007fff4510393d __CFRunLoopRun + 1293
42 com.apple.CoreFoundation 0x00007fff451031a3 CFRunLoopRunSpecific + 483
43 com.apple.Foundation 0x00007fff472b0f26 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 277
44 parseWebKit 0x00000001056eb9ec main + 3596
45 libdyld.dylib 0x00007fff6db00015 start + 1
Attachments
Patch (4.28 KB, patch), 2020-02-21 00:54 PST, Jack, no flags
Patch (4.28 KB, patch), 2020-02-21 00:56 PST, Jack, no flags
Jack
Comment 1
2020-02-21 00:54:52 PST
Created attachment 391387 [details]: Patch
Jack
Comment 2
2020-02-21 00:56:06 PST
Created attachment 391388 [details]: Patch
Jack
Comment 3
2020-02-24 15:03:50 PST
Root cause: When JS is inserting an ordered list, the code needs to create an ol and move the li into the newly created ol. However, since the ol is read-only, the assertion m_parent->hasEditableStyle() in AppendNodeCommand::AppendNodeCommand is triggered.

<style>
dir { -webkit-user-modify: read-write; }
ol { -webkit-user-modify: read-only; }
</style>
<script>
onload = function fun() {
  window.getSelection().setBaseAndExtent(LI, 0, LI, 0);
  document.execCommand("insertOrderedList", false);
}
</script>
<body><dir><ul><li id=LI></ul>
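The root cause described in Comment 3, modeled as an added example that is not WebKit code and is not the fix landed in r257408. It builds the testcase's DOM (body > dir > ul > li) as a toy tree, resolves -webkit-user-modify the way the inherited property behaves (initial value read-only, an explicit tag rule overriding the inherited value), and runs a simplified insertOrderedList step that checks the new container's editability before moving the li into it. The node shape, the stylesheet-as-tag-map, and the helper names (computedUserModify, hasEditableStyle, simulateInsertOrderedList) are assumptions made for illustration.

```javascript
// Added example (not WebKit code, not the r257408 fix): a toy model of why
// the freshly created <ol> is non-editable even though the <li> being
// wrapped sits inside a read-write subtree.

// -webkit-user-modify is inherited; its initial value is read-only.
const INITIAL_USER_MODIFY = 'read-only';

function makeNode(tag, children = []) {
  const node = { tag, parent: null, children: [] };
  for (const child of children) appendChild(node, child);
  return node;
}

function appendChild(parent, child) {
  if (child.parent) {
    child.parent.children = child.parent.children.filter((c) => c !== child);
  }
  child.parent = parent;
  parent.children.push(child);
}

// Resolve the computed user-modify value: the nearest self-or-ancestor that
// a tag rule in the (assumed) sheet matches wins; otherwise the initial value.
function computedUserModify(node, sheet) {
  for (let n = node; n; n = n.parent) {
    if (Object.prototype.hasOwnProperty.call(sheet, n.tag)) return sheet[n.tag];
  }
  return INITIAL_USER_MODIFY;
}

// The condition the assertion in AppendNodeCommand checks on the parent:
// editable unless the computed user-modify is read-only.
function hasEditableStyle(node, sheet) {
  return computedUserModify(node, sheet) !== 'read-only';
}

// Simplified model of the failing step: create an <ol> beside the <li>'s
// list and move the <li> under it. The real command clones the paragraph;
// here the guard on the new parent before the append is what matters.
function simulateInsertOrderedList(li, sheet) {
  const list = li.parent;
  const container = list.parent;
  const ol = makeNode('ol');
  appendChild(container, ol);
  if (!hasEditableStyle(ol, sheet)) {
    return { ok: false, reason: 'new <ol> is read-only; appending <li> would assert' };
  }
  appendChild(ol, li);
  return { ok: true, reason: '' };
}

// Constructed DOM mirroring the testcase: <body><dir><ul><li id=LI></ul>
function buildTestcaseTree() {
  const li = makeNode('li');
  const ul = makeNode('ul', [li]);
  const dir = makeNode('dir', [ul]);
  const body = makeNode('body', [dir]);
  return { body, dir, ul, li };
}

// Stylesheet from the testcase: dir read-write, ol read-only.
const TESTCASE_SHEET = { dir: 'read-write', ol: 'read-only' };

// Runs the scenario: the <li> is editable (inherited from <dir>) but the new
// <ol> is not, so the append is refused instead of tripping the assertion.
function demo() {
  const { li } = buildTestcaseTree();
  const liEditableBefore = hasEditableStyle(li, TESTCASE_SHEET);
  const result = simulateInsertOrderedList(li, TESTCASE_SHEET);
  return { liEditableBefore, result };
}
```

Dropping the `ol` rule from the sheet makes the new `<ol>` inherit read-write from `<dir>`, and the same call then moves the `<li>` under it; that contrast is the point: editing commands must check the editability of the container they just created, not only of the node they started from, because author CSS can make the new element read-only.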
Ryosuke Niwa
Comment 4
2020-02-24 19:00:44 PST
This is not a security bug.
WebKit Commit Bot
Comment 5
2020-02-25 21:26:08 PST
Comment on attachment 391388 [details]: Patch
Clearing flags on attachment: 391388
Committed r257408: <https://trac.webkit.org/changeset/257408>
WebKit Commit Bot
Comment 6
2020-02-25 21:26:10 PST
All reviewed patches have been landed. Closing bug.