RESOLVED FIXED
211964
Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands.
https://bugs.webkit.org/show_bug.cgi?id=211964
Jack
Reported
2020-05-15 12:22:02 PDT
<rdar://63224871>

#0 0x4751abd80 in WebCore::Node::treeScope() const (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1b9d80)
#1 0x47518f398 in WebCore::Node::document() const (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x19d398)
#2 0x47844c148 in WebCore::Node::computeEditability(WebCore::Node::UserSelectAllTreatment, WebCore::Node::ShouldUpdateStyle) const (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x345a148)
#3 0x477a8756d in WebCore::Node::hasEditableStyle(WebCore::Node::UserSelectAllTreatment) const (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9556d)
#4 0x478661ae3 in WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x366fae3)
#5 0x478661474 in WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::Range*) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x366f474)
#6 0x478660170 in WebCore::InsertListCommand::doApply() (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x366e170)
#7 0x47858e346 in WebCore::CompositeEditCommand::apply() (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x359c346)
#8 0x47864781b in WebCore::executeInsertUnorderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x365581b)
#9 0x4782b75f3 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x32c55f3)
#10 0x475ac30d1 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0xad10d1)
#11 0x4759710c0 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x97f0c0)
Attachments
Patch (3.81 KB, patch), 2020-05-15 14:47 PDT, Jack, no flags
Patch (3.78 KB, patch), 2020-05-15 14:49 PDT, Jack, no flags
Jack
Comment 1
2020-05-15 12:22:53 PDT
<script>
function run() {
    window.getSelection().setPosition(li,1);
    document.execCommand("insertUnorderedList", false);
}
</script>
<body contentEditable="true"><li id=li><iframe onload="run()"></iframe>

Root cause: fixOrphanedListChild fires another load event which removes a node that will be used.

1. We are processing the first insertUnorderedList (frame #90) and need to fix the orphaned LI by calling fixOrphanedListChild.
2. In fixOrphanedListChild, after inserting the UL we try to append the LI into the UL (frame #85), but it triggers a load event and invokes a second insertUnorderedList command (frame #16).
3. The second insertUnorderedList command removes the UL that was just created.
4. Later, the UL is dereferenced in unlistifyParagraph() and the code crashes.

BODY 0x39b0bbab0 (renderer 0x39b0e23f0) (child needs style recalc)
* UL 0x39b0e2a30 (renderer 0x0) (needs style recalc)
    LI 0x39b0bbb40 (renderer 0x39b0e2520)
        IFRAME 0x39b0bbbd0 (renderer 0x0)

Call stack that removes the UL node:

* frame #0: 0x0000000377acd5bc WebCore`WebCore::Node::setParentNode(this=0x000000039b0e2a30, parent=0x0000000000000000) at Node.h:740:31
frame #1: 0x0000000377acf0d2 WebCore`WebCore::ContainerNode::removeBetween(this=0x000000039b0bbab0, previousChild=0x0000000000000000, nextChild=0x000000039b0e3c60, oldChild=0x000000039b0e2a30) at ContainerNode.cpp:615:14
frame #2: 0x0000000377aceb2c WebCore`WebCore::ContainerNode::removeNodeWithScriptAssertion(this=0x000000039b0bbab0, childToRemove=0x000000039b0e2a30, source=API) at ContainerNode.cpp:166:9
frame #3: 0x0000000377ace3a1 WebCore`WebCore::ContainerNode::removeChild(this=0x000000039b0bbab0, oldChild=0x000000039b0e2a30) at ContainerNode.cpp:577:10
frame #4: 0x0000000377ca23c8 WebCore`WebCore::Node::remove(this=0x000000039b0e2a30) at Node.cpp:628:20
frame #5: 0x0000000377e5a6cf WebCore`WebCore::RemoveNodeCommand::doApply(this=0x00000003976c4ae0) at RemoveNodeCommand.cpp:54:13
frame #6: 0x0000000377dcde0f WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x0000000397666e10, command=0x00007ffeef297560) at CompositeEditCommand.cpp:463:14
frame #7: 0x0000000377dcbf34 WebCore`WebCore::CompositeEditCommand::removeNode(this=0x0000000397666e10, node=0x000000039b0e2a30, shouldAssumeContentIsAlwaysEditable=DoNotAssumeContentIsAlwaysEditable) at CompositeEditCommand.cpp:599:5
frame #8: 0x0000000377dcf019 WebCore`WebCore::CompositeEditCommand::prune(this=0x0000000397666e10, node=0x000000039b0e2a30) at CompositeEditCommand.cpp:654:9
frame #9: 0x0000000377dcefbb WebCore`WebCore::CompositeEditCommand::removeNodeAndPruneAncestors(this=0x0000000397666e10, node=0x000000039b0bbb40) at CompositeEditCommand.cpp:611:5
frame #10: 0x0000000377dd3e29 WebCore`WebCore::CompositeEditCommand::cleanupAfterDeletion(this=0x0000000397666e10, destination=VisiblePosition @ 0x00007ffeef297a00) at CompositeEditCommand.cpp:1325:13
frame #11: 0x0000000377dd2b36 WebCore`WebCore::CompositeEditCommand::moveParagraphs(this=0x0000000397666e10, startOfParagraphToMove=0x00007ffeef297f98, endOfParagraphToMove=0x00007ffeef297f80, destination=0x00007ffeef297e18, preserveSelection=true, preserveStyle=true) at CompositeEditCommand.cpp:1478:5
frame #12: 0x0000000377e4df2f WebCore`WebCore::InsertListCommand::unlistifyParagraph(this=0x0000000397666e10, originalStart=0x00007ffeef2980a0, listNode=0x000000039b0e2a30, listChildNode=0x000000039b0bbb40) at InsertListCommand.cpp:330:5
frame #13: 0x0000000377e4d5ef WebCore`WebCore::InsertListCommand::doApplyForSingleParagraph(this=0x0000000397666e10, forceCreateList=false, listTag=0x000000037bcd7ef0, currentSelection=0x000000039bb97440) at InsertListCommand.cpp:266:9
frame #14: 0x0000000377e4cd3e WebCore`WebCore::InsertListCommand::doApply(this=0x0000000397666e10) at InsertListCommand.cpp:195:5
frame #15: 0x0000000377dbac85 WebCore`WebCore::CompositeEditCommand::apply(this=0x0000000397666e10) at CompositeEditCommand.cpp:372:9
frame #16: 0x0000000377e38f60 WebCore`WebCore::executeInsertUnorderedList(frame={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, isMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, (null)=0x0000000000000000, (null)=CommandFromDOM, (null)={ length = 0, contents = '' }) at EditorCommand.cpp:543:91
frame #17: 0x0000000377e105cb WebCore`WebCore::Editor::Command::execute(this=0x00007ffeef298858, parameter={ length = 0, contents = '' }, triggeringEvent=0x0000000000000000) const at EditorCommand.cpp:1876:12
frame #18: 0x0000000377b40795 WebCore`WebCore::Document::execCommand(this={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, commandName={ length = 19, contents = 'insertUnorderedList' }, userInterface=false, value={ length = 0, contents = '' }) at Document.cpp:5544:54
frame #19: 0x0000000375c53044 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommandBody(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef298af0, castedThis=0x000000039bbf24e8, throwScope=0x00007ffeef298a68) at JSDocument.cpp:6271:57
frame #20: 0x0000000375b5a612 WebCore`long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef298af0, operationName="execCommand")), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) at JSDOMOperation.h:53:16
frame #21: 0x0000000375b5a2f4 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommand(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef298af0) at JSDocument.cpp:6277:12
frame #22: 0x000059e0bb201178
frame #23: 0x0000000390ea463d JavaScriptCore`llint_entry at LowLevelInterpreter.asm:1045
frame #24: 0x0000000390ea463d JavaScriptCore`llint_entry at LowLevelInterpreter.asm:1045
frame #25: 0x0000000390e84ef3 JavaScriptCore`vmEntryToJavaScript at LowLevelInterpreter64.asm:296
frame #26: 0x0000000391c3226b JavaScriptCore`JSC::JITCode::execute(this=0x000000039bbc2528, vm=0x000000039b100000, protoCallFrame=0x00007ffeef298e08) at JITCodeInlines.h:42:38
frame #27: 0x0000000391c32a2f JavaScriptCore`JSC::Interpreter::executeCall(this=0x00000003976feb78, lexicalGlobalObject=0x00000003999f2768, function=0x0000000399598a60, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef298f70, args=0x00007ffeef2992f8) at Interpreter.cpp:934:31
frame #28: 0x0000000391f8f1bd JavaScriptCore`JSC::call(globalObject=0x00000003999f2768, functionObject=JSValue @ 0x00007ffeef298fe0, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef298fd8, args=0x00007ffeef2992f8) at CallData.cpp:58:28
frame #29: 0x0000000391f8f29f JavaScriptCore`JSC::call(globalObject=0x00000003999f2768, functionObject=JSValue @ 0x00007ffeef2990e0, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef2990d8, args=0x00007ffeef2992f8, returnedException=0x00007ffeef299320) at CallData.cpp:65:22
frame #30: 0x0000000391f8f582 JavaScriptCore`JSC::profiledCall(globalObject=0x00000003999f2768, reason=Other, functionObject=JSValue @ 0x00007ffeef299170, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef299168, args=0x00007ffeef2992f8, returnedException=0x00007ffeef299320) at CallData.cpp:86:12
frame #31: 0x00000003775c0b0e WebCore`WebCore::JSExecState::profiledCall(lexicalGlobalObject=0x00000003999f2768, reason=Other, functionObject=JSValue @ 0x00007ffeef2991f0, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef2991e8, args=0x00007ffeef2992f8, returnedException=0x00007ffeef299320) at JSExecState.h:73:16
frame #32: 0x00000003775dd8dc WebCore`WebCore::JSEventListener::handleEvent(this=0x00000003976aabc8, scriptExecutionContext={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, event=0x000000039b0e2ac0) at JSEventListener.cpp:179:22
frame #33: 0x0000000377c39027 WebCore`WebCore::EventTarget::innerInvokeEventListeners(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0, listeners={ size = 1, capacity = 1 }, phase=Bubbling) at EventTarget.cpp:335:40
frame #34: 0x0000000377c35300 WebCore`WebCore::EventTarget::fireEventListeners(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0, phase=Bubbling) at EventTarget.cpp:267:9
frame #35: 0x0000000377cab662 WebCore`WebCore::Node::handleLocalEvents(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0, phase=Bubbling) at Node.cpp:2371:5
frame #36: 0x0000000377c23a41 WebCore`WebCore::EventContext::handleLocalEvents(this=0x000000039bb96f28, event=0x000000039b0e2ac0, phase=Bubbling) const at EventContext.cpp:55:17
frame #37: 0x0000000377c2450f WebCore`WebCore::dispatchEventInDOM(event=0x000000039b0e2ac0, path=0x00007ffeef299858) at EventDispatcher.cpp:100:22
frame #38: 0x0000000377c24047 WebCore`WebCore::EventDispatcher::dispatchEvent(node=0x000000039b0bbbd0, event=0x000000039b0e2ac0) at EventDispatcher.cpp:154:9
frame #39: 0x0000000377cab6bd WebCore`WebCore::Node::dispatchEvent(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0) at Node.cpp:2381:5
frame #40: 0x0000000378762715 WebCore`WebCore::DOMWindow::dispatchLoadEvent(this=0x000000039b0e2b20) at DOMWindow.cpp:2217:20
frame #41: 0x0000000377b2faf8 WebCore`WebCore::Document::dispatchWindowLoadEvent(this={ origin = file://, url = about:blank, inMainFrame = Detached, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:4800:18
frame #42: 0x0000000377b2f655 WebCore`WebCore::Document::implicitClose(this={ origin = file://, url = about:blank, inMainFrame = Detached, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:3058:5
frame #43: 0x00000003785d6fab WebCore`WebCore::FrameLoader::checkCallImplicitClose(this=0x00000003976e2b60) at FrameLoader.cpp:965:25
frame #44: 0x00000003785d6aba WebCore`WebCore::FrameLoader::checkCompleted(this=0x00000003976e2b60) at FrameLoader.cpp:906:5
frame #45: 0x00000003785d4d87 WebCore`WebCore::FrameLoader::finishedParsing(this=0x00000003976e2b60) at FrameLoader.cpp:816:5
frame #46: 0x0000000377b42926 WebCore`WebCore::Document::finishedParsing(this={ origin = file://, url = about:blank, inMainFrame = Detached, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:5863:25
frame #47: 0x0000000378206df8 WebCore`WebCore::HTMLConstructionSite::finishedParsing(this=0x0000000397665bb0) at HTMLConstructionSite.cpp:419:16
frame #48: 0x0000000378253657 WebCore`WebCore::HTMLTreeBuilder::finished(this=0x0000000397665b90) at HTMLTreeBuilder.cpp:2843:12
frame #49: 0x000000037820e258 WebCore`WebCore::HTMLDocumentParser::end(this=0x00000003999c6400) at HTMLDocumentParser.cpp:449:20
frame #50: 0x000000037820c0d8 WebCore`WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd(this=0x00000003999c6400) at HTMLDocumentParser.cpp:458:5
frame #51: 0x000000037820be07 WebCore`WebCore::HTMLDocumentParser::prepareToStopParsing(this=0x00000003999c6400) at HTMLDocumentParser.cpp:153:5
frame #52: 0x000000037820e2c2 WebCore`WebCore::HTMLDocumentParser::attemptToEnd(this=0x00000003999c6400) at HTMLDocumentParser.cpp:470:5
frame #53: 0x000000037820e399 WebCore`WebCore::HTMLDocumentParser::finish(this=0x00000003999c6400) at HTMLDocumentParser.cpp:498:5
frame #54: 0x0000000378574be2 WebCore`WebCore::DocumentWriter::end(this=0x00000003994edc90) at DocumentWriter.cpp:288:15
frame #55: 0x0000000378573c34 WebCore`WebCore::DocumentLoader::finishedLoading(this=0x00000003994edc00) at DocumentLoader.cpp:452:14
frame #56: 0x000000037857f244 WebCore`WebCore::DocumentLoader::maybeLoadEmpty(this=0x00000003994edc00) at DocumentLoader.cpp:1799:5
frame #57: 0x000000037857f3d5 WebCore`WebCore::DocumentLoader::startLoadingMainResource(this=0x00000003994edc00) at DocumentLoader.cpp:1813:9
frame #58: 0x0000000378605bec WebCore`WebCore::FrameLoader::continueLoadAfterNavigationPolicy(this=0x0000000397654458)::$_11::operator()() at FrameLoader.cpp:3506:38
frame #59: 0x00000003786054fe WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11, void>::call(this=0x0000000397654450) at Function.h:52:39
frame #60: 0x00000003752d1752 WebCore`WTF::Function<void ()>::operator(this=0x00007ffeef29a650)() const at Function.h:84:35
frame #61: 0x000000037532f39e WebCore`WTF::CompletionHandler<void ()>::operator(this=0x00007ffeef29a7e0)() at CompletionHandler.h:62:16
frame #62: 0x00000003785e061a WebCore`WebCore::FrameLoader::continueLoadAfterNavigationPolicy(this=0x00000003976e2b60, request=0x00000003976e6480, formState=0x0000000000000000, navigationPolicyDecision=ContinueLoad, allowNavigationToInvalidURL=Yes) at FrameLoader.cpp:3510:9
frame #63: 0x0000000378603080 WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x000000039767c1b8, request=0x00000003976e6480, formState=0x00007ffeef29ad90, navigationPolicyDecision=ContinueLoad)>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) at FrameLoader.cpp:1651:9
frame #64: 0x0000000378602f3c WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8, void, WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision>::call(this=0x000000039767c1b0, in=0x00000003976e6480, in=0x00007ffeef29ad90, in=ContinueLoad) at Function.h:52:39
frame #65: 0x00000003786384e1 WebCore`WTF::Function<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>::operator(this=0x00007ffeef29aba8, in=0x00000003976e6480, in=0x00007ffeef29ad90, in=ContinueLoad)(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) const at Function.h:84:35
frame #66: 0x000000037862d987 WebCore`WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>::operator(this=0x00000003976e6470, in=0x00000003976e6480, in=0x00007ffeef29ad90, in=ContinueLoad)(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) at CompletionHandler.h:62:16
frame #67: 0x000000037863b73e WebCore`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(this=0x00000003976e6468, policyAction=Use, responseIdentifier=PolicyCheckIdentifier @ 0x00007ffeef29b330)>&&, WebCore::PolicyDecisionMode)::$_7::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) at PolicyChecker.cpp:237:20
frame #68: 0x000000037863a547 WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_7, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(this=0x00000003976e6460, in=Use, in=PolicyCheckIdentifier @ 0x00007ffeef29b450) at Function.h:52:39
frame #69: 0x00000003785d2b78 WebCore`WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator(this=0x00007ffeef29b8f8, in=Use, in=PolicyCheckIdentifier @ 0x00007ffeef29b4b0)(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const at Function.h:84:35
frame #70: 0x000000037862d40a WebCore`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(this=0x00000003976e5850, request=0x00007ffeef29c790, redirectResponse=0x00007ffeef29c698, loader=0x00000003994edc00, formState=0x00007ffeef29ddd0, function=0x00007ffeef29c688, policyDecisionMode=Asynchronous)>&&, WebCore::PolicyDecisionMode) at PolicyChecker.cpp:245:9
frame #71: 0x00000003785df46c WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x00000003976e2b60, loader=0x00000003994edc00, type=RedirectWithLockedBackForwardList, formState=0x00007ffeef29ddd0, allowNavigationToInvalidURL=Yes, completionHandler=0x00007ffeef29d498)>&&) at FrameLoader.cpp:1650:21
frame #72: 0x00000003785dd4d5 WebCore`WebCore::FrameLoader::loadWithNavigationAction(this=0x00000003976e2b60, request=0x00007ffeef29da78, action=0x00007ffeef29d8a8, type=RedirectWithLockedBackForwardList, formState=0x00007ffeef29ddd0, allowNavigationToInvalidURL=Yes, completionHandler=0x00007ffeef29d498)>&&) at FrameLoader.cpp:1517:5
frame #73: 0x00000003785d9871 WebCore`WebCore::FrameLoader::loadURL(this=0x00000003976e2b60, frameLoadRequest=0x00007ffeef29def0, referrer={ length = 0, contents = '' }, newLoadType=RedirectWithLockedBackForwardList, event=0x0000000000000000, formState=0x00007ffeef29ddd0, adClickAttribution=0x00007ffeef29dd88, completionHandler=0x00007ffeef29dd70)>&&) at FrameLoader.cpp:1426:5
frame #74: 0x00000003785d7900 WebCore`WebCore::FrameLoader::loadURLIntoChildFrame(this=0x00000003976e2340, url={ about:blank }, referer={ length = 0, contents = '' }, childFrame={ origin = file://, url = about:blank, isMainFrame = 0, backForwardCacheState = NotInBackForwardCache }) at FrameLoader.cpp:1000:26
frame #75: 0x000000037864d40b WebCore`WebCore::FrameLoader::SubframeLoader::loadSubframe(this=0x00000003976f6dd0, ownerElement=0x000000039b0bbbd0, url={ about:blank }, name={ length = 0, contents = '' }, referrer={ length = 57, contents = 'file:///Users/jacklee/browser2/63224871/min-63224871.html' }) at SubframeLoader.cpp:347:22
frame #76: 0x000000037864bc25 WebCore`WebCore::FrameLoader::SubframeLoader::loadOrRedirectSubframe(this=0x00000003976f6dd0, ownerElement=0x000000039b0bbbd0, requestURL={ about:blank }, frameName={ length = 0, contents = '' }, lockHistory=Yes, lockBackForwardList=Yes) at SubframeLoader.cpp:309:17
frame #77: 0x000000037864b66b WebCore`WebCore::FrameLoader::SubframeLoader::requestFrame(this=0x00000003976f6dd0, ownerElement=0x000000039b0bbbd0, urlString={ length = 11, contents = 'about:blank' }, frameName={ length = 0, contents = '' }, lockHistory=Yes, lockBackForwardList=Yes) at SubframeLoader.cpp:98:20
frame #78: 0x0000000377fc53c8 WebCore`WebCore::HTMLFrameElementBase::openURL(this=0x000000039b0bbbd0, lockHistory=Yes, lockBackForwardList=Yes) at HTMLFrameElementBase.cpp:102:44
frame #79: 0x0000000377fc55f2 WebCore`WebCore::HTMLFrameElementBase::didFinishInsertingNode(this=0x000000039b0bbbd0) at HTMLFrameElementBase.cpp:142:5
frame #80: 0x0000000377acfce4 WebCore`void WebCore::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4>(containerNode=0x000000039b0e2a30, child=0x000000039b0bbb40, source=API, replacedAllChildren=No, doNodeInsertion=(anonymous class) @ 0x00007ffeef29e880)::$_4) at ContainerNode.cpp:213:17
frame #81: 0x0000000377acc9ca WebCore`WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(this=0x000000039b0e2a30, newChild=0x000000039b0bbb40) at ContainerNode.cpp:726:9
frame #82: 0x0000000377acf9d6 WebCore`WebCore::ContainerNode::appendChild(this=0x000000039b0e2a30, newChild=0x000000039b0bbb40) at ContainerNode.cpp:692:12
frame #83: 0x0000000377dbb53d WebCore`WebCore::AppendNodeCommand::doApply(this=0x00000003976f96c0) at AppendNodeCommand.cpp:51:15
frame #84: 0x0000000377dcde0f WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x0000000397666960, command=0x00007ffeef29eae0) at CompositeEditCommand.cpp:463:14
frame #85: 0x0000000377dbd059 WebCore`WebCore::CompositeEditCommand::appendNode(this=0x0000000397666960, node=0x00007ffeef29eb40, parent=0x00007ffeef29eb38) at CompositeEditCommand.cpp:581:5
frame #86: 0x0000000377e4be60 WebCore`WebCore::InsertListCommand::fixOrphanedListChild(this=0x0000000397666960, node=0x000000039b0bbb40) at InsertListCommand.cpp:65:5
frame #87: 0x0000000377e4ce3c WebCore`WebCore::InsertListCommand::doApplyForSingleParagraph(this=0x0000000397666960, forceCreateList=false, listTag=0x000000037bcd7ef0, currentSelection=0x000000039bb97b40) at InsertListCommand.cpp:215:47
frame #88: 0x0000000377e4cd3e WebCore`WebCore::InsertListCommand::doApply(this=0x0000000397666960) at InsertListCommand.cpp:195:5
frame #89: 0x0000000377dbac85 WebCore`WebCore::CompositeEditCommand::apply(this=0x0000000397666960) at CompositeEditCommand.cpp:372:9
frame #90: 0x0000000377e38f60 WebCore`WebCore::executeInsertUnorderedList(frame={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, isMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, (null)=0x0000000000000000, (null)=CommandFromDOM, (null)={ length = 0, contents = '' }) at EditorCommand.cpp:543:91
frame #91: 0x0000000377e105cb WebCore`WebCore::Editor::Command::execute(this=0x00007ffeef29f3f8, parameter={ length = 0, contents = '' }, triggeringEvent=0x0000000000000000) const at EditorCommand.cpp:1876:12
frame #92: 0x0000000377b40795 WebCore`WebCore::Document::execCommand(this={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, commandName={ length = 19, contents = 'insertUnorderedList' }, userInterface=false, value={ length = 0, contents = '' }) at Document.cpp:5544:54
frame #93: 0x0000000375c53044 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommandBody(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef29f690, castedThis=0x000000039bbf24e8, throwScope=0x00007ffeef29f608) at JSDocument.cpp:6271:57
frame #94: 0x0000000375b5a612 WebCore`long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef29f690, operationName="execCommand")), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) at JSDOMOperation.h:53:16
frame #95: 0x0000000375b5a2f4 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommand(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef29f690) at JSDocument.cpp:6277:12
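The sequence described in comment 1 (fixOrphanedListChild appends the LI into the new UL, the iframe's load handler re-enters execCommand, the second command prunes the UL, and the first command then dereferences it), replayed as an added example in plain Node.js. This is not WebKit code and it is not the content of the landed patch, which this page does not show: Node, insertBefore, removeChild and the onInserted hook are a toy stand-in for the DOM, insertUnorderedList() is a caricature of doApplyForSingleParagraph(), and the guard branch is the general post-mutation re-validation a reviewer expects after any step that can run script, not the specific change in r261777.

```javascript
// Added example, not WebKit code: a toy DOM that reproduces the re-entrancy
// sequence from comment 1 and shows the post-mutation check that prevents it.

class Node {
  constructor(tag) {
    this.tag = tag;
    this.parent = null;
    this.children = [];
    this.onInserted = null; // stand-in for <iframe onload="...">
  }
  // Connected means the subtree's root is the BODY of the toy document.
  get isConnected() {
    let n = this;
    while (n.parent) n = n.parent;
    return n.tag === 'BODY';
  }
  removeChild(child) {
    const i = this.children.indexOf(child);
    if (i < 0) throw new Error(`${child.tag} is not a child of ${this.tag}`);
    this.children.splice(i, 1);
    child.parent = null;
    return child;
  }
  insertBefore(child, ref) {
    if (child.parent) child.parent.removeChild(child);
    const i = ref ? this.children.indexOf(ref) : this.children.length;
    this.children.splice(i, 0, child);
    child.parent = this;
    runInsertionHooks(child); // script can run here, before the caller resumes
    return child;
  }
  appendChild(child) { return this.insertBefore(child, null); }
}

// Inserting a subtree that contains an <iframe> makes WebKit load about:blank
// and dispatch its load event synchronously (frames #79-#80 and #40 above), so
// page script runs in the middle of the editing command. The hook is one-shot
// here, a simplification of the test case in comment 1.
function runInsertionHooks(root) {
  const stack = [root];
  while (stack.length) {
    const n = stack.pop();
    if (n.onInserted) { const hook = n.onInserted; n.onInserted = null; hook(); }
    stack.push(...n.children);
  }
}

// Toy command: an LI outside a list is wrapped in a new UL (fixOrphanedListChild);
// an LI already inside a UL is unlistified (moved out, empty UL pruned).
function insertUnorderedList(li, guard) {
  if (li.parent.tag === 'UL') {
    const ul = li.parent;
    ul.parent.insertBefore(li, ul);
    if (ul.children.length === 0) ul.parent.removeChild(ul);
    return 'unlistified';
  }
  const ul = new Node('UL');
  li.parent.insertBefore(ul, li);
  ul.appendChild(li); // re-entrant script may remove ul before this returns
  if (guard && !(ul.isConnected && li.parent === ul)) {
    return 'aborted'; // the tree changed under us; stop using ul
  }
  // The unguarded path keeps using the list node, as unlistifyParagraph() did;
  // with ul detached, ul.parent is null and this throws (the JS analogue of
  // the null treeScope() dereference).
  return ul.parent.tag === 'BODY' ? 'listified' : 'listified-nested';
}

function serialize(n) {
  return n.children.length ? `${n.tag}[${n.children.map(serialize).join(',')}]` : n.tag;
}

// Builds <body contentEditable><li><iframe onload="run()"> from comment 1,
// where run() issues a second insertUnorderedList on the same LI.
function buildTestCase(withIframe, guard) {
  const body = new Node('BODY');
  const li = body.appendChild(new Node('LI'));
  if (withIframe) {
    const iframe = li.appendChild(new Node('IFRAME'));
    iframe.onInserted = () => insertUnorderedList(li, guard);
  }
  return { body, li };
}

function runScenario(withIframe, guard) {
  const { body, li } = buildTestCase(withIframe, guard);
  let result;
  try {
    result = insertUnorderedList(li, guard);
  } catch (e) {
    result = e instanceof TypeError ? 'crash (TypeError)' : 'error';
  }
  return { result, tree: serialize(body) };
}

const runPlain = () => runScenario(false, false);  // no re-entrancy: works
const runNaive = () => runScenario(true, false);   // the bug: ul.parent is null
const runGuarded = () => runScenario(true, true);  // the check: bail out cleanly

console.log(runPlain(), runNaive(), runGuarded());
```

runPlain() returns `listified` and leaves BODY[UL[LI]]; runNaive() ends in a TypeError because the re-entered command detached the UL, which is exactly the state the real code reached before calling treeScope() on a null document; runGuarded() notices the tree changed and returns `aborted` with the DOM left consistent. The point to carry over to any editing or tree-mutation code is that every call that can dispatch events is a point where all cached node pointers must be re-validated.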
Jack
Comment 2
2020-05-15 14:47:49 PDT
Created attachment 399514 [details]
Patch
Jack
Comment 3
2020-05-15 14:49:52 PDT
Created attachment 399516 [details]
Patch
Geoffrey Garen
Comment 4
2020-05-15 20:21:01 PDT
Comment on attachment 399516 [details]
Patch

r=me
EWS
Comment 5
2020-05-15 21:09:55 PDT
Committed r261777: <https://trac.webkit.org/changeset/261777>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 399516 [details].