<rdar://58978340>

==22496==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x00072bba7ae2 bp 0x7ffee215fd50 sp 0x7ffee215fd50 T0)
==22496==The signal is caused by a READ memory access.
==22496==Hint: address points to the zero page.
==22496==WARNING: invalid path to external symbolizer!
==22496==WARNING: Failed to use and restart external symbolizer!
    #0 0x72bba7ae1 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1afae1)
    #1 0x72bba79d1 in WebCore::Node::hasTagName(WebCore::HTMLQualifiedName const&) const (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1af9d1)
    #2 0x72edcc895 in WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary(WebCore::Position const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33d4895)
    #3 0x72edc96d7 in WebCore::ApplyStyleCommand::applyBlockStyle(WebCore::EditingStyle&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33d16d7)
    #4 0x72edc8c52 in WebCore::ApplyStyleCommand::doApply() (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33d0c52)
    #5 0x72edbfb36 in WebCore::CompositeEditCommand::apply() (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33c7b36)
    #6 0x72ee33467 in WebCore::Editor::applyParagraphStyle(WebCore::StyleProperties*, WebCore::EditAction) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x343b467)
    #7 0x72ee7bbf6 in WebCore::executeApplyParagraphStyle(WebCore::Frame&, WebCore::EditorCommandSource, WebCore::EditAction, WebCore::CSSPropertyID, WTF::String const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x3483bf6)
    #8 0x72ee74692 in WebCore::executeJustifyCenter(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x347c692)
    #9 0x72eaf63d7 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x30fe3d7)
    #10 0x72c4671ba in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0xa6f1ba)
<rdar://problem/61288781>
Root cause: In function moveParagraphContentsToNewBlockIfNecessary, an empty VisiblePosition is dereferenced for its anchor node.

1. Because the span has the attribute "draggable" set to true, its "UserSelect" style is set to none.
2. When the "justifyCenter" command executes on the shadow element, we try to move the whole paragraph to a new block by calling moveParagraphContentsToNewBlockIfNecessary.
3. In moveParagraphContentsToNewBlockIfNecessary, we find the end of the paragraph by calling endOfParagraph.
4. However, endOfParagraph returns an empty visible position because the function canonicalPosition cannot find a candidate position.
5. The text node is supposed to be the end of the paragraph, but its parent, <span>, has the UserSelect::None style, so it is not selected by canonicalPosition().
6. Later the empty endOfParagraph is dereferenced for its null anchor node, and the code crashes.

<style>
#SHADOW { initial; -webkit-user-select: text; }
#LABEL { -webkit-user-select: all; }
</style>
<script>
window.onload = () => {
    window.getSelection().collapse(SHADOW);
    document.execCommand("justifyCenter", false);
}
</script>
<label id=LABEL contenteditable="true"><shadow id=SHADOW></shadow><span draggable="true">a

BODY 0x60c000086e00 (renderer 0x612000071140)
  LABEL 0x60c000086ec0 (renderer 0x6110000d1f00)
    SHADOW 0x60c000086f80 (renderer 0x6110000d2040)
    SPAN 0x60c000087040 (renderer 0x6110000d2180)
*     #text 0x6080000501a0 "a\n"
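An added illustration (not WebKit's code, and not from the reporter) of the failure mode described in the root-cause comment: a toy model in which canonicalPosition() treats any node under a user-select: none ancestor as a non-candidate, so endOfParagraph() can return the empty position, and a hardened caller that checks isNull() before touching the anchor node, which is the check the crashing path lacked. Node, VisiblePosition, Repro and runRepro are constructed here and only borrow WebKit's names for readability; the DOM mirrors the repro above.

```cpp
#include <string>
#include <vector>
enum class UserSelect { Text, None };
struct Node {
    std::string tag;                           // element tag, or "#text"
    UserSelect userSelect = UserSelect::Text;
    Node* parent = nullptr;
    std::vector<Node*> children;
    bool hasTagName(const std::string& n) const { return tag == n; }
};
// A position without an anchor node models WebKit's empty VisiblePosition.
struct VisiblePosition { Node* anchor = nullptr; bool isNull() const { return !anchor; } };
// Toy canonicalPosition(): a node is a candidate only if no ancestor is user-select: none.
static VisiblePosition canonicalPosition(Node* n) {
    for (Node* a = n; a; a = a->parent)
        if (a->userSelect == UserSelect::None) return {};
    return {n};
}

// Toy endOfParagraph(): canonicalize the paragraph's last leaf; the result may be empty.
static VisiblePosition endOfParagraph(Node* root) {
    Node* n = root;
    while (!n->children.empty()) n = n->children.back();
    return n->hasTagName("#text") ? canonicalPosition(n) : VisiblePosition{};
}

// Hardened caller: an empty end position bails out (false) instead of dereferencing end.anchor.
static bool moveParagraphContentsChecked(Node* root) {
    VisiblePosition end = endOfParagraph(root);
    if (end.isNull()) return false;
    return !end.anchor->hasTagName("br");
}

// Constructed DOM mirroring the repro: <label><shadow></shadow><span draggable>a</span></label>.
struct Repro {
    Node label{"label"}, shadow{"shadow"}, span{"span"}, text{"#text"};
    explicit Repro(bool spanDraggable) {
        label.children = {&shadow, &span}; shadow.parent = &label;
        span.parent = &label; span.children = {&text}; text.parent = &span;
        if (spanDraggable) span.userSelect = UserSelect::None;  // draggable="true" => user-select: none
    }
};

// Builds the repro DOM and runs the hardened command over it.
struct Outcome { bool endIsEmpty; bool commandProceeds; };
static Outcome runRepro(bool spanDraggable) {
    Repro r(spanDraggable);
    return {endOfParagraph(&r.label).isNull(), moveParagraphContentsChecked(&r.label)};
}
```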
Please refer to <rdar://58978340>.

(In reply to Radar WebKit Bug Importer from comment #1)
> <rdar://problem/61288781>

This was caused by an accidental save of the bug.
Created attachment 395437 [details]
Patch
Comment on attachment 395437 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=395437&action=review

> Source/WebCore/editing/CompositeEditCommand.cpp:1184
> +

Nit: whitespace.
There is no security implication here.
Created attachment 395602 [details]
Patch for landing
Committed r259595: <https://trac.webkit.org/changeset/259595>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395602 [details].