Bug 210530 - ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed when deleting a UserSelect::None element.
Summary: ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDelete...
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Jack
Keywords: InRadar
Depends on:
Reported: 2020-04-14 21:23 PDT by Jack
Modified: 2020-04-15 14:57 PDT (History)
5 users (show)

See Also:

Patch (3.90 KB, patch)
2020-04-14 23:02 PDT, Jack
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jack 2020-04-14 21:23:54 PDT

ASSERTION FAILED: !selectionToDelete.isNone()
./editing/TypingCommand.cpp(853) : void WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::TextGranularity, bool)
1   0x108235b79 WTFCrash
2   0x12d255f30 PAL::SOAuthorizationHintsFunction()
3   0x1341c43a0 WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::TextGranularity, bool)
4   0x1341c7012 WebCore::TypingCommand::doApply()
5   0x133f968fb WebCore::CompositeEditCommand::apply()
6   0x1341c289f WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::Document&, unsigned int, WebCore::TextGranularity)
7   0x1340bd46a WebCore::executeForwardDelete(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)
8   0x134052c65 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
9   0x1339c6faa WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
10  0x12e8ea402 WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)
Comment 1 Jack 2020-04-14 22:38:18 PDT
In processing command "forwardDelete", we first validate and modify the selection by calling FrameSelection::modify. In this case, the original selection is div, the innerText of input. However, since div is UserSelect::Node, it fails the isCandidate check, and there is no other candidate found, FrameSelection::modify returns empty selection and triggers the assertion crash.

<body><input id=input required draggable="true">
    document.execCommand("forwardDelete", false);

BODY	0x60c000104f80 (renderer 0x612000067840) 
	INPUT	0x612000061fc0 (renderer 0x6120000679c0) 
		#document-fragment	0x612000062140 (renderer 0x0)  (needs style recalc) (child needs style recalc)
*			DIV	0x60c000105040 (renderer 0x612000067b40) 
	#text	0x608000143520 "\n"
	SCRIPT	0x61000004b440 (renderer 0x0) 
		#text	0x608000143620 "\n    input.focus();\n    document.execCommand("forwardDelete", false);\n"
Comment 2 Jack 2020-04-14 23:02:16 PDT
Created attachment 396502 [details]
Comment 3 Geoffrey Garen 2020-04-15 14:40:11 PDT
Comment on attachment 396502 [details]

Comment 4 EWS 2020-04-15 14:57:28 PDT
Committed r260153: <https://trac.webkit.org/changeset/260153>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 396502 [details].