Bug 208045 - ASSERTION FAILURE in AppendNodeCommand::AppendNodeCommand when inserting list with read-only user-modify
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2020-02-21 00:38 PST by Jack
Modified: 2020-02-25 21:26 PST

Attachments
Patch (4.28 KB, patch)
2020-02-21 00:54 PST, Jack
Patch (4.28 KB, patch)
2020-02-21 00:56 PST, Jack
Description Jack 2020-02-21 00:38:37 PST
<rdar://39023383>

0   com.apple.JavaScriptCore      	0x000000011b48cd94 WTFCrash + 36
1   com.apple.WebCore             	0x000000010d07e75c WebCore::AppendNodeCommand::AppendNodeCommand(WTF::Ref<WebCore::ContainerNode, WTF::DumbPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&, WebCore::EditAction) + 348
2   com.apple.WebCore             	0x000000010d07e7cb WebCore::AppendNodeCommand::AppendNodeCommand(WTF::Ref<WebCore::ContainerNode, WTF::DumbPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&, WebCore::EditAction) + 43
3   com.apple.WebCore             	0x000000010d090f2c WebCore::AppendNodeCommand::create(WTF::Ref<WebCore::ContainerNode, WTF::DumbPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&, WebCore::EditAction) + 92
4   com.apple.WebCore             	0x000000010d080329 WebCore::CompositeEditCommand::appendNode(WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&, WTF::Ref<WebCore::ContainerNode, WTF::DumbPtrTraits<WebCore::ContainerNode> >&&) + 153
5   com.apple.WebCore             	0x000000010d095a93 WebCore::CompositeEditCommand::cloneParagraphUnderNewElement(WebCore::Position const&, WebCore::Position const&, WebCore::Node*, WebCore::Element*) + 339
6   com.apple.WebCore             	0x000000010d096478 WebCore::CompositeEditCommand::moveParagraphWithClones(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::Element*, WebCore::Node*) + 440
7   com.apple.WebCore             	0x000000010d0fb588 WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::Range*) + 1192
8   com.apple.WebCore             	0x000000010d0fb094 WebCore::InsertListCommand::doApply() + 2340
9   com.apple.WebCore             	0x000000010d07c28a WebCore::CompositeEditCommand::apply() + 314
10  com.apple.WebCore             	0x000000010d0dc65b WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 123
11  com.apple.WebCore             	0x000000010d0c8f63 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const + 211
12  com.apple.WebCore             	0x000000010ceb5579 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 89
13  com.apple.WebCore             	0x000000010b90e5c8 WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) + 712
14  com.apple.WebCore             	0x000000010b8f3d0e long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 606
15  com.apple.WebCore             	0x000000010b8f3a9c WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) + 28
16  ???                           	0x0000467ac9201185 0 + 77493174276485
17  com.apple.JavaScriptCore      	0x0000000119fc88b3 llint_entry + 32642
18  com.apple.JavaScriptCore      	0x0000000119fc0712 vmEntryToJavaScript + 343
19  com.apple.JavaScriptCore      	0x000000011ad393de JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 350
20  com.apple.JavaScriptCore      	0x000000011acdedd5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1269
21  com.apple.JavaScriptCore      	0x000000011af4728a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 202
22  com.apple.JavaScriptCore      	0x000000011af47369 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 201
23  com.apple.JavaScriptCore      	0x000000011af4760d JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 125
24  com.apple.WebCore             	0x000000010c9c73eb WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 139
25  com.apple.WebCore             	0x000000010c9c71f3 WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 963
26  com.apple.WebCore             	0x000000010b514232 WebCore::JSCallbackDataStrong::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 162
27  com.apple.WebCore             	0x000000010bf25b07 WebCore::JSRequestAnimationFrameCallback::handleEvent(double) + 391
28  com.apple.WebCore             	0x000000010d01196b WebCore::ScriptedAnimationController::serviceScriptedAnimations(double) + 523
29  com.apple.WebCore             	0x000000010d011f11 WebCore::ScriptedAnimationController::displayRefreshFired() + 49
30  com.apple.WebCore             	0x000000010d9c1cd4 WebCore::DisplayRefreshMonitorClient::fireDisplayRefreshIfNeeded() + 52
31  com.apple.WebCore             	0x000000010d9c1971 WebCore::DisplayRefreshMonitor::displayDidRefresh() + 193
32  com.apple.WebCore             	0x000000010d9c189d WebCore::DisplayRefreshMonitor::handleDisplayRefreshedNotificationOnMainThread(void*) + 29
33  com.apple.WebCore             	0x000000010db98e70 WebCore::DisplayRefreshMonitorMac::displayLinkFired()::$_0::operator()() const + 48
34  com.apple.WebCore             	0x000000010db98cc9 WTF::Function<void ()>::CallableWrapper<WebCore::DisplayRefreshMonitorMac::displayLinkFired()::$_0>::call() + 25
35  com.apple.JavaScriptCore      	0x000000011b4a8edb WTF::Function<void ()>::operator()() const + 139
36  com.apple.JavaScriptCore      	0x000000011b4edcc3 WTF::RunLoop::performWork() + 211
37  com.apple.JavaScriptCore      	0x000000011b4ee524 WTF::RunLoop::performWork(void*) + 36
38  com.apple.CoreFoundation      	0x00007fff45121a61 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
39  com.apple.CoreFoundation      	0x00007fff451db47c __CFRunLoopDoSource0 + 108
40  com.apple.CoreFoundation      	0x00007fff4510451c __CFRunLoopDoSources0 + 300
41  com.apple.CoreFoundation      	0x00007fff4510393d __CFRunLoopRun + 1293
42  com.apple.CoreFoundation      	0x00007fff451031a3 CFRunLoopRunSpecific + 483
43  com.apple.Foundation          	0x00007fff472b0f26 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 277
44  parseWebKit                   	0x00000001056eb9ec main + 3596
45  libdyld.dylib                 	0x00007fff6db00015 start + 1
Comment 1 Jack 2020-02-21 00:54:52 PST
Created attachment 391387
Patch
Comment 2 Jack 2020-02-21 00:56:06 PST
Created attachment 391388
Patch
Comment 3 Jack 2020-02-24 15:03:50 PST
Root cause:

When JS is inserting an ordered list, the code needs to create an ol and move the li into the newly created ol. However, since the ol is read-only, the assertion of m_parent->hasEditableStyle() in AppendNodeCommand::AppendNodeCommand is triggered.

<!-- Reproduction: the <dir> ancestor is editable, but the stylesheet makes every <ol> read-only,
     so the <ol> created by insertOrderedList is not editable when the <li> is moved into it. -->
<style>
dir { -webkit-user-modify: read-write; }
ol { -webkit-user-modify: read-only; }
</style>
<script>
    onload = function fun() {
        // Put a collapsed selection inside the <li>, then ask the editor to wrap it in an ordered list.
        window.getSelection().setBaseAndExtent(LI, 0, LI, 0);
        document.execCommand("insertOrderedList", false);
    }
</script>
<body><dir><ul><li id=LI></li></ul></dir></body>
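As an added illustration (not code from the bug report or from WebKit), a toy JavaScript model of the inherited user-modify check that the trace above hits, with the asserting append beside a hardened one that refuses the move instead; ToyNode, STYLE, appendNodeAsserting, appendNodeChecked and insertOrderedList are assumed names.

```javascript
// Constructed toy model of the editability check (not WebKit code). Like
// -webkit-user-modify, an unset value inherits from the parent; the default
// for a plain document is read-only.
class ToyNode {
  constructor(tag, userModify = null) {
    this.tag = tag;
    this.userModify = userModify; // null means "inherit from parent"
    this.parent = null;
  }
  hasEditableStyle() {
    // Resolve the inherited value by walking up to the nearest explicit one.
    for (let n = this; n; n = n.parent) {
      if (n.userModify !== null) return n.userModify === "read-write";
    }
    return false;
  }
  appendChild(child) {
    child.parent = this;
  }
}

// The report's stylesheet as a tag -> user-modify lookup (hypothetical).
const STYLE = { dir: "read-write", ol: "read-only" };
const createElement = (tag) => new ToyNode(tag, STYLE[tag] || null);

// Unchecked append: mirrors the assertion on m_parent->hasEditableStyle().
function appendNodeAsserting(parent, child) {
  if (!parent.hasEditableStyle()) throw new Error("ASSERTION FAILURE: parent is not editable");
  parent.appendChild(child);
  return true;
}

// Hardened append: report failure for a non-editable parent instead of crashing.
function appendNodeChecked(parent, child) {
  if (!parent.hasEditableStyle()) return false;
  parent.appendChild(child);
  return true;
}

// Builds the report's tree <dir><ul><li>, creates the <ol> under the editable
// <dir>, then moves the <li> into the <ol>, whose style resolves to read-only.
function insertOrderedList(append) {
  const dir = createElement("dir"), ul = createElement("ul"), li = createElement("li");
  dir.appendChild(ul);
  ul.appendChild(li);
  const ol = createElement("ol");
  append(dir, ol);       // <dir> is read-write, so this append succeeds
  return append(ol, li); // <ol> is read-only: this is the assertion site
}
```

The point for a reviewer of editing commands is that editability must be re-checked on nodes the command itself creates, because author CSS can make them read-only even under an editable ancestor.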
Comment 4 Ryosuke Niwa 2020-02-24 19:00:44 PST
This is not a security bug.
Comment 5 WebKit Commit Bot 2020-02-25 21:26:08 PST
Comment on attachment 391388
Patch

Clearing flags on attachment: 391388

Committed r257408: <https://trac.webkit.org/changeset/257408>
Comment 6 WebKit Commit Bot 2020-02-25 21:26:10 PST
All reviewed patches have been landed.  Closing bug.