210530 – ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed when deleting a UserSelect::None element.

Bug 210530 - ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed when deleting a UserSelect::None element.

Summary: ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDelete...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	HTML Editing (show other bugs)
Version:	WebKit Nightly Build
Hardware:	All All

Importance:	P2 Normal
Assignee:	Jack

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2020-04-14 21:23 PDT by Jack
Modified:	2020-04-15 14:57 PDT (History)
CC List:	5 users (show)

See Also:

Attachments
Patch (3.90 KB, patch) 2020-04-14 23:02 PDT, Jack	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jack 2020-04-14 21:23:54 PDT

<rdar://58591480>

ASSERTION FAILED: !selectionToDelete.isNone()
./editing/TypingCommand.cpp(853) : void WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::TextGranularity, bool)
1   0x108235b79 WTFCrash
2   0x12d255f30 PAL::SOAuthorizationHintsFunction()
3   0x1341c43a0 WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::TextGranularity, bool)
4   0x1341c7012 WebCore::TypingCommand::doApply()
5   0x133f968fb WebCore::CompositeEditCommand::apply()
6   0x1341c289f WebCore::TypingCommand::forwardDeleteKeyPressed(WebCore::Document&, unsigned int, WebCore::TextGranularity)
7   0x1340bd46a WebCore::executeForwardDelete(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)
8   0x134052c65 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
9   0x1339c6faa WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
10  0x12e8ea402 WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)

Comment 1 Jack 2020-04-14 22:38:18 PDT

In processing command "forwardDelete", we first validate and modify the selection by calling FrameSelection::modify. In this case, the original selection is div, the innerText of input. However, since div is UserSelect::Node, it fails the isCandidate check, and there is no other candidate found, FrameSelection::modify returns empty selection and triggers the assertion crash.

<body><input id=input required draggable="true">
<script>
    input.focus();
    document.execCommand("forwardDelete", false);
</script>

BODY	0x60c000104f80 (renderer 0x612000067840) 
	INPUT	0x612000061fc0 (renderer 0x6120000679c0) 
		#document-fragment	0x612000062140 (renderer 0x0)  (needs style recalc) (child needs style recalc)
*			DIV	0x60c000105040 (renderer 0x612000067b40) 
	#text	0x608000143520 "\n"
	SCRIPT	0x61000004b440 (renderer 0x0) 
		#text	0x608000143620 "\n    input.focus();\n    document.execCommand("forwardDelete", false);\n"

Comment 2 Jack 2020-04-14 23:02:16 PDT

Created attachment 396502 [details]
Patch

Comment 3 Geoffrey Garen 2020-04-15 14:40:11 PDT

Comment on attachment 396502 [details]
Patch

r=me

Comment 4 EWS 2020-04-15 14:57:28 PDT

Committed r260153: <https://trac.webkit.org/changeset/260153>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 396502 [details].