Bug 211964 - Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands.
Summary: Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-05-15 12:22 PDT by Jack
Modified: 2020-05-15 22:02 PDT
CC List: 7 users

See Also:


Attachments
Patch (3.81 KB, patch)
2020-05-15 14:47 PDT, Jack
no flags
Patch (3.78 KB, patch)
2020-05-15 14:49 PDT, Jack
no flags

Description Jack 2020-05-15 12:22:02 PDT
<rdar://63224871>

    #0 0x4751abd80 in WebCore::Node::treeScope() const (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1b9d80)
    #1 0x47518f398 in WebCore::Node::document() const (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x19d398)
    #2 0x47844c148 in WebCore::Node::computeEditability(WebCore::Node::UserSelectAllTreatment, WebCore::Node::ShouldUpdateStyle) const (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x345a148)
    #3 0x477a8756d in WebCore::Node::hasEditableStyle(WebCore::Node::UserSelectAllTreatment) const (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9556d)
    #4 0x478661ae3 in WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x366fae3)
    #5 0x478661474 in WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::Range*) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x366f474)
    #6 0x478660170 in WebCore::InsertListCommand::doApply() (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x366e170)
    #7 0x47858e346 in WebCore::CompositeEditCommand::apply() (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x359c346)
    #8 0x47864781b in WebCore::executeInsertUnorderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x365581b)
    #9 0x4782b75f3 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x32c55f3)
    #10 0x475ac30d1 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0xad10d1)
    #11 0x4759710c0 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (Safari_ASAN_261664_772e0ec68fa8159b1c162d4b57bd51ada3f91b16.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x97f0c0)
Comment 1 Jack 2020-05-15 12:22:53 PDT
<script>
    function run() {
        window.getSelection().setPosition(li,1);
        document.execCommand("insertUnorderedList", false);
    }
</script>
<body contentEditable="true"><li id=li><iframe onload="run()"></iframe>

Root cause: fixOrphanedListChild fires another load event, which removes a node that is used later.
1. We are processing the first insertUnorderedList (frame #90) and need to fix the orphaned LI by calling fixOrphanedListChild.
2. In fixOrphanedListChild, after inserting the UL we try to append the LI to the UL (frame #85), but this triggers a load event and invokes a second insertUnorderedList command (frame #16).
3. The second insertUnorderedList command removes the UL that was just created.
4. Later, the UL is dereferenced in unlistifyParagraph() and the code crashes.

BODY	0x39b0bbab0 (renderer 0x39b0e23f0)  (child needs style recalc)
*	UL	0x39b0e2a30 (renderer 0x0)  (needs style recalc)
	LI	0x39b0bbb40 (renderer 0x39b0e2520) 
		IFRAME	0x39b0bbbd0 (renderer 0x0) 

Call stack that removes the UL node:
  * frame #0: 0x0000000377acd5bc WebCore`WebCore::Node::setParentNode(this=0x000000039b0e2a30, parent=0x0000000000000000) at Node.h:740:31
    frame #1: 0x0000000377acf0d2 WebCore`WebCore::ContainerNode::removeBetween(this=0x000000039b0bbab0, previousChild=0x0000000000000000, nextChild=0x000000039b0e3c60, oldChild=0x000000039b0e2a30) at ContainerNode.cpp:615:14
    frame #2: 0x0000000377aceb2c WebCore`WebCore::ContainerNode::removeNodeWithScriptAssertion(this=0x000000039b0bbab0, childToRemove=0x000000039b0e2a30, source=API) at ContainerNode.cpp:166:9
    frame #3: 0x0000000377ace3a1 WebCore`WebCore::ContainerNode::removeChild(this=0x000000039b0bbab0, oldChild=0x000000039b0e2a30) at ContainerNode.cpp:577:10
    frame #4: 0x0000000377ca23c8 WebCore`WebCore::Node::remove(this=0x000000039b0e2a30) at Node.cpp:628:20
    frame #5: 0x0000000377e5a6cf WebCore`WebCore::RemoveNodeCommand::doApply(this=0x00000003976c4ae0) at RemoveNodeCommand.cpp:54:13
    frame #6: 0x0000000377dcde0f WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x0000000397666e10, command=0x00007ffeef297560) at CompositeEditCommand.cpp:463:14
    frame #7: 0x0000000377dcbf34 WebCore`WebCore::CompositeEditCommand::removeNode(this=0x0000000397666e10, node=0x000000039b0e2a30, shouldAssumeContentIsAlwaysEditable=DoNotAssumeContentIsAlwaysEditable) at CompositeEditCommand.cpp:599:5
    frame #8: 0x0000000377dcf019 WebCore`WebCore::CompositeEditCommand::prune(this=0x0000000397666e10, node=0x000000039b0e2a30) at CompositeEditCommand.cpp:654:9
    frame #9: 0x0000000377dcefbb WebCore`WebCore::CompositeEditCommand::removeNodeAndPruneAncestors(this=0x0000000397666e10, node=0x000000039b0bbb40) at CompositeEditCommand.cpp:611:5
    frame #10: 0x0000000377dd3e29 WebCore`WebCore::CompositeEditCommand::cleanupAfterDeletion(this=0x0000000397666e10, destination=VisiblePosition @ 0x00007ffeef297a00) at CompositeEditCommand.cpp:1325:13
    frame #11: 0x0000000377dd2b36 WebCore`WebCore::CompositeEditCommand::moveParagraphs(this=0x0000000397666e10, startOfParagraphToMove=0x00007ffeef297f98, endOfParagraphToMove=0x00007ffeef297f80, destination=0x00007ffeef297e18, preserveSelection=true, preserveStyle=true) at CompositeEditCommand.cpp:1478:5
    frame #12: 0x0000000377e4df2f WebCore`WebCore::InsertListCommand::unlistifyParagraph(this=0x0000000397666e10, originalStart=0x00007ffeef2980a0, listNode=0x000000039b0e2a30, listChildNode=0x000000039b0bbb40) at InsertListCommand.cpp:330:5
    frame #13: 0x0000000377e4d5ef WebCore`WebCore::InsertListCommand::doApplyForSingleParagraph(this=0x0000000397666e10, forceCreateList=false, listTag=0x000000037bcd7ef0, currentSelection=0x000000039bb97440) at InsertListCommand.cpp:266:9
    frame #14: 0x0000000377e4cd3e WebCore`WebCore::InsertListCommand::doApply(this=0x0000000397666e10) at InsertListCommand.cpp:195:5
    frame #15: 0x0000000377dbac85 WebCore`WebCore::CompositeEditCommand::apply(this=0x0000000397666e10) at CompositeEditCommand.cpp:372:9
    frame #16: 0x0000000377e38f60 WebCore`WebCore::executeInsertUnorderedList(frame={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, isMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, (null)=0x0000000000000000, (null)=CommandFromDOM, (null)={ length = 0, contents = '' }) at EditorCommand.cpp:543:91
    frame #17: 0x0000000377e105cb WebCore`WebCore::Editor::Command::execute(this=0x00007ffeef298858, parameter={ length = 0, contents = '' }, triggeringEvent=0x0000000000000000) const at EditorCommand.cpp:1876:12
    frame #18: 0x0000000377b40795 WebCore`WebCore::Document::execCommand(this={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, commandName={ length = 19, contents = 'insertUnorderedList' }, userInterface=false, value={ length = 0, contents = '' }) at Document.cpp:5544:54
    frame #19: 0x0000000375c53044 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommandBody(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef298af0, castedThis=0x000000039bbf24e8, throwScope=0x00007ffeef298a68) at JSDocument.cpp:6271:57
    frame #20: 0x0000000375b5a612 WebCore`long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef298af0, operationName="execCommand")), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) at JSDOMOperation.h:53:16
    frame #21: 0x0000000375b5a2f4 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommand(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef298af0) at JSDocument.cpp:6277:12
    frame #22: 0x000059e0bb201178
    frame #23: 0x0000000390ea463d JavaScriptCore`llint_entry at LowLevelInterpreter.asm:1045
    frame #24: 0x0000000390ea463d JavaScriptCore`llint_entry at LowLevelInterpreter.asm:1045
    frame #25: 0x0000000390e84ef3 JavaScriptCore`vmEntryToJavaScript at LowLevelInterpreter64.asm:296
    frame #26: 0x0000000391c3226b JavaScriptCore`JSC::JITCode::execute(this=0x000000039bbc2528, vm=0x000000039b100000, protoCallFrame=0x00007ffeef298e08) at JITCodeInlines.h:42:38
    frame #27: 0x0000000391c32a2f JavaScriptCore`JSC::Interpreter::executeCall(this=0x00000003976feb78, lexicalGlobalObject=0x00000003999f2768, function=0x0000000399598a60, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef298f70, args=0x00007ffeef2992f8) at Interpreter.cpp:934:31
    frame #28: 0x0000000391f8f1bd JavaScriptCore`JSC::call(globalObject=0x00000003999f2768, functionObject=JSValue @ 0x00007ffeef298fe0, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef298fd8, args=0x00007ffeef2992f8) at CallData.cpp:58:28
    frame #29: 0x0000000391f8f29f JavaScriptCore`JSC::call(globalObject=0x00000003999f2768, functionObject=JSValue @ 0x00007ffeef2990e0, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef2990d8, args=0x00007ffeef2992f8, returnedException=0x00007ffeef299320) at CallData.cpp:65:22
    frame #30: 0x0000000391f8f582 JavaScriptCore`JSC::profiledCall(globalObject=0x00000003999f2768, reason=Other, functionObject=JSValue @ 0x00007ffeef299170, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef299168, args=0x00007ffeef2992f8, returnedException=0x00007ffeef299320) at CallData.cpp:86:12
    frame #31: 0x00000003775c0b0e WebCore`WebCore::JSExecState::profiledCall(lexicalGlobalObject=0x00000003999f2768, reason=Other, functionObject=JSValue @ 0x00007ffeef2991f0, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef2991e8, args=0x00007ffeef2992f8, returnedException=0x00007ffeef299320) at JSExecState.h:73:16
    frame #32: 0x00000003775dd8dc WebCore`WebCore::JSEventListener::handleEvent(this=0x00000003976aabc8, scriptExecutionContext={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, event=0x000000039b0e2ac0) at JSEventListener.cpp:179:22
    frame #33: 0x0000000377c39027 WebCore`WebCore::EventTarget::innerInvokeEventListeners(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0, listeners={ size = 1, capacity = 1 }, phase=Bubbling) at EventTarget.cpp:335:40
    frame #34: 0x0000000377c35300 WebCore`WebCore::EventTarget::fireEventListeners(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0, phase=Bubbling) at EventTarget.cpp:267:9
    frame #35: 0x0000000377cab662 WebCore`WebCore::Node::handleLocalEvents(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0, phase=Bubbling) at Node.cpp:2371:5
    frame #36: 0x0000000377c23a41 WebCore`WebCore::EventContext::handleLocalEvents(this=0x000000039bb96f28, event=0x000000039b0e2ac0, phase=Bubbling) const at EventContext.cpp:55:17
    frame #37: 0x0000000377c2450f WebCore`WebCore::dispatchEventInDOM(event=0x000000039b0e2ac0, path=0x00007ffeef299858) at EventDispatcher.cpp:100:22
    frame #38: 0x0000000377c24047 WebCore`WebCore::EventDispatcher::dispatchEvent(node=0x000000039b0bbbd0, event=0x000000039b0e2ac0) at EventDispatcher.cpp:154:9
    frame #39: 0x0000000377cab6bd WebCore`WebCore::Node::dispatchEvent(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0) at Node.cpp:2381:5
    frame #40: 0x0000000378762715 WebCore`WebCore::DOMWindow::dispatchLoadEvent(this=0x000000039b0e2b20) at DOMWindow.cpp:2217:20
    frame #41: 0x0000000377b2faf8 WebCore`WebCore::Document::dispatchWindowLoadEvent(this={ origin = file://, url = about:blank, inMainFrame = Detached, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:4800:18
    frame #42: 0x0000000377b2f655 WebCore`WebCore::Document::implicitClose(this={ origin = file://, url = about:blank, inMainFrame = Detached, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:3058:5
    frame #43: 0x00000003785d6fab WebCore`WebCore::FrameLoader::checkCallImplicitClose(this=0x00000003976e2b60) at FrameLoader.cpp:965:25
    frame #44: 0x00000003785d6aba WebCore`WebCore::FrameLoader::checkCompleted(this=0x00000003976e2b60) at FrameLoader.cpp:906:5
    frame #45: 0x00000003785d4d87 WebCore`WebCore::FrameLoader::finishedParsing(this=0x00000003976e2b60) at FrameLoader.cpp:816:5
    frame #46: 0x0000000377b42926 WebCore`WebCore::Document::finishedParsing(this={ origin = file://, url = about:blank, inMainFrame = Detached, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:5863:25
    frame #47: 0x0000000378206df8 WebCore`WebCore::HTMLConstructionSite::finishedParsing(this=0x0000000397665bb0) at HTMLConstructionSite.cpp:419:16
    frame #48: 0x0000000378253657 WebCore`WebCore::HTMLTreeBuilder::finished(this=0x0000000397665b90) at HTMLTreeBuilder.cpp:2843:12
    frame #49: 0x000000037820e258 WebCore`WebCore::HTMLDocumentParser::end(this=0x00000003999c6400) at HTMLDocumentParser.cpp:449:20
    frame #50: 0x000000037820c0d8 WebCore`WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd(this=0x00000003999c6400) at HTMLDocumentParser.cpp:458:5
    frame #51: 0x000000037820be07 WebCore`WebCore::HTMLDocumentParser::prepareToStopParsing(this=0x00000003999c6400) at HTMLDocumentParser.cpp:153:5
    frame #52: 0x000000037820e2c2 WebCore`WebCore::HTMLDocumentParser::attemptToEnd(this=0x00000003999c6400) at HTMLDocumentParser.cpp:470:5
    frame #53: 0x000000037820e399 WebCore`WebCore::HTMLDocumentParser::finish(this=0x00000003999c6400) at HTMLDocumentParser.cpp:498:5
    frame #54: 0x0000000378574be2 WebCore`WebCore::DocumentWriter::end(this=0x00000003994edc90) at DocumentWriter.cpp:288:15
    frame #55: 0x0000000378573c34 WebCore`WebCore::DocumentLoader::finishedLoading(this=0x00000003994edc00) at DocumentLoader.cpp:452:14
    frame #56: 0x000000037857f244 WebCore`WebCore::DocumentLoader::maybeLoadEmpty(this=0x00000003994edc00) at DocumentLoader.cpp:1799:5
    frame #57: 0x000000037857f3d5 WebCore`WebCore::DocumentLoader::startLoadingMainResource(this=0x00000003994edc00) at DocumentLoader.cpp:1813:9
    frame #58: 0x0000000378605bec WebCore`WebCore::FrameLoader::continueLoadAfterNavigationPolicy(this=0x0000000397654458)::$_11::operator()() at FrameLoader.cpp:3506:38
    frame #59: 0x00000003786054fe WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11, void>::call(this=0x0000000397654450) at Function.h:52:39
    frame #60: 0x00000003752d1752 WebCore`WTF::Function<void ()>::operator(this=0x00007ffeef29a650)() const at Function.h:84:35
    frame #61: 0x000000037532f39e WebCore`WTF::CompletionHandler<void ()>::operator(this=0x00007ffeef29a7e0)() at CompletionHandler.h:62:16
    frame #62: 0x00000003785e061a WebCore`WebCore::FrameLoader::continueLoadAfterNavigationPolicy(this=0x00000003976e2b60, request=0x00000003976e6480, formState=0x0000000000000000, navigationPolicyDecision=ContinueLoad, allowNavigationToInvalidURL=Yes) at FrameLoader.cpp:3510:9
    frame #63: 0x0000000378603080 WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x000000039767c1b8, request=0x00000003976e6480, formState=0x00007ffeef29ad90, navigationPolicyDecision=ContinueLoad)>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) at FrameLoader.cpp:1651:9
    frame #64: 0x0000000378602f3c WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8, void, WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision>::call(this=0x000000039767c1b0, in=0x00000003976e6480, in=0x00007ffeef29ad90, in=ContinueLoad) at Function.h:52:39
    frame #65: 0x00000003786384e1 WebCore`WTF::Function<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>::operator(this=0x00007ffeef29aba8, in=0x00000003976e6480, in=0x00007ffeef29ad90, in=ContinueLoad)(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) const at Function.h:84:35
    frame #66: 0x000000037862d987 WebCore`WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>::operator(this=0x00000003976e6470, in=0x00000003976e6480, in=0x00007ffeef29ad90, in=ContinueLoad)(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) at CompletionHandler.h:62:16
    frame #67: 0x000000037863b73e WebCore`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(this=0x00000003976e6468, policyAction=Use, responseIdentifier=PolicyCheckIdentifier @ 0x00007ffeef29b330)>&&, WebCore::PolicyDecisionMode)::$_7::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) at PolicyChecker.cpp:237:20
    frame #68: 0x000000037863a547 WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_7, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(this=0x00000003976e6460, in=Use, in=PolicyCheckIdentifier @ 0x00007ffeef29b450) at Function.h:52:39
    frame #69: 0x00000003785d2b78 WebCore`WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator(this=0x00007ffeef29b8f8, in=Use, in=PolicyCheckIdentifier @ 0x00007ffeef29b4b0)(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const at Function.h:84:35
    frame #70: 0x000000037862d40a WebCore`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(this=0x00000003976e5850, request=0x00007ffeef29c790, redirectResponse=0x00007ffeef29c698, loader=0x00000003994edc00, formState=0x00007ffeef29ddd0, function=0x00007ffeef29c688, policyDecisionMode=Asynchronous)>&&, WebCore::PolicyDecisionMode) at PolicyChecker.cpp:245:9
    frame #71: 0x00000003785df46c WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x00000003976e2b60, loader=0x00000003994edc00, type=RedirectWithLockedBackForwardList, formState=0x00007ffeef29ddd0, allowNavigationToInvalidURL=Yes, completionHandler=0x00007ffeef29d498)>&&) at FrameLoader.cpp:1650:21
    frame #72: 0x00000003785dd4d5 WebCore`WebCore::FrameLoader::loadWithNavigationAction(this=0x00000003976e2b60, request=0x00007ffeef29da78, action=0x00007ffeef29d8a8, type=RedirectWithLockedBackForwardList, formState=0x00007ffeef29ddd0, allowNavigationToInvalidURL=Yes, completionHandler=0x00007ffeef29d498)>&&) at FrameLoader.cpp:1517:5
    frame #73: 0x00000003785d9871 WebCore`WebCore::FrameLoader::loadURL(this=0x00000003976e2b60, frameLoadRequest=0x00007ffeef29def0, referrer={ length = 0, contents = '' }, newLoadType=RedirectWithLockedBackForwardList, event=0x0000000000000000, formState=0x00007ffeef29ddd0, adClickAttribution=0x00007ffeef29dd88, completionHandler=0x00007ffeef29dd70)>&&) at FrameLoader.cpp:1426:5
    frame #74: 0x00000003785d7900 WebCore`WebCore::FrameLoader::loadURLIntoChildFrame(this=0x00000003976e2340, url={ about:blank }, referer={ length = 0, contents = '' }, childFrame={ origin = file://, url = about:blank, isMainFrame = 0, backForwardCacheState = NotInBackForwardCache }) at FrameLoader.cpp:1000:26
    frame #75: 0x000000037864d40b WebCore`WebCore::FrameLoader::SubframeLoader::loadSubframe(this=0x00000003976f6dd0, ownerElement=0x000000039b0bbbd0, url={ about:blank }, name={ length = 0, contents = '' }, referrer={ length = 57, contents = 'file:///Users/jacklee/browser2/63224871/min-63224871.html' }) at SubframeLoader.cpp:347:22
    frame #76: 0x000000037864bc25 WebCore`WebCore::FrameLoader::SubframeLoader::loadOrRedirectSubframe(this=0x00000003976f6dd0, ownerElement=0x000000039b0bbbd0, requestURL={ about:blank }, frameName={ length = 0, contents = '' }, lockHistory=Yes, lockBackForwardList=Yes) at SubframeLoader.cpp:309:17
    frame #77: 0x000000037864b66b WebCore`WebCore::FrameLoader::SubframeLoader::requestFrame(this=0x00000003976f6dd0, ownerElement=0x000000039b0bbbd0, urlString={ length = 11, contents = 'about:blank' }, frameName={ length = 0, contents = '' }, lockHistory=Yes, lockBackForwardList=Yes) at SubframeLoader.cpp:98:20
    frame #78: 0x0000000377fc53c8 WebCore`WebCore::HTMLFrameElementBase::openURL(this=0x000000039b0bbbd0, lockHistory=Yes, lockBackForwardList=Yes) at HTMLFrameElementBase.cpp:102:44
    frame #79: 0x0000000377fc55f2 WebCore`WebCore::HTMLFrameElementBase::didFinishInsertingNode(this=0x000000039b0bbbd0) at HTMLFrameElementBase.cpp:142:5
    frame #80: 0x0000000377acfce4 WebCore`void WebCore::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4>(containerNode=0x000000039b0e2a30, child=0x000000039b0bbb40, source=API, replacedAllChildren=No, doNodeInsertion=(anonymous class) @ 0x00007ffeef29e880)::$_4) at ContainerNode.cpp:213:17
    frame #81: 0x0000000377acc9ca WebCore`WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(this=0x000000039b0e2a30, newChild=0x000000039b0bbb40) at ContainerNode.cpp:726:9
    frame #82: 0x0000000377acf9d6 WebCore`WebCore::ContainerNode::appendChild(this=0x000000039b0e2a30, newChild=0x000000039b0bbb40) at ContainerNode.cpp:692:12
    frame #83: 0x0000000377dbb53d WebCore`WebCore::AppendNodeCommand::doApply(this=0x00000003976f96c0) at AppendNodeCommand.cpp:51:15
    frame #84: 0x0000000377dcde0f WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x0000000397666960, command=0x00007ffeef29eae0) at CompositeEditCommand.cpp:463:14
    frame #85: 0x0000000377dbd059 WebCore`WebCore::CompositeEditCommand::appendNode(this=0x0000000397666960, node=0x00007ffeef29eb40, parent=0x00007ffeef29eb38) at CompositeEditCommand.cpp:581:5
    frame #86: 0x0000000377e4be60 WebCore`WebCore::InsertListCommand::fixOrphanedListChild(this=0x0000000397666960, node=0x000000039b0bbb40) at InsertListCommand.cpp:65:5
    frame #87: 0x0000000377e4ce3c WebCore`WebCore::InsertListCommand::doApplyForSingleParagraph(this=0x0000000397666960, forceCreateList=false, listTag=0x000000037bcd7ef0, currentSelection=0x000000039bb97b40) at InsertListCommand.cpp:215:47
    frame #88: 0x0000000377e4cd3e WebCore`WebCore::InsertListCommand::doApply(this=0x0000000397666960) at InsertListCommand.cpp:195:5
    frame #89: 0x0000000377dbac85 WebCore`WebCore::CompositeEditCommand::apply(this=0x0000000397666960) at CompositeEditCommand.cpp:372:9
    frame #90: 0x0000000377e38f60 WebCore`WebCore::executeInsertUnorderedList(frame={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, isMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, (null)=0x0000000000000000, (null)=CommandFromDOM, (null)={ length = 0, contents = '' }) at EditorCommand.cpp:543:91
    frame #91: 0x0000000377e105cb WebCore`WebCore::Editor::Command::execute(this=0x00007ffeef29f3f8, parameter={ length = 0, contents = '' }, triggeringEvent=0x0000000000000000) const at EditorCommand.cpp:1876:12
    frame #92: 0x0000000377b40795 WebCore`WebCore::Document::execCommand(this={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, commandName={ length = 19, contents = 'insertUnorderedList' }, userInterface=false, value={ length = 0, contents = '' }) at Document.cpp:5544:54
    frame #93: 0x0000000375c53044 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommandBody(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef29f690, castedThis=0x000000039bbf24e8, throwScope=0x00007ffeef29f608) at JSDocument.cpp:6271:57
    frame #94: 0x0000000375b5a612 WebCore`long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef29f690, operationName="execCommand")), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) at JSDOMOperation.h:53:16
    frame #95: 0x0000000375b5a2f4 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommand(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef29f690) at JSDocument.cpp:6277:12
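The re-entrancy described in the root-cause analysis above, modelled as an added C++ example that is not WebKit's code: a node insertion runs the iframe's load handler synchronously, the handler re-enters the list command, and the UL the outer command still holds is removed under it. The `revalidate` check is this example's own mitigation and an assumption; it is not taken from the landed patch.

```cpp
#include <algorithm>
#include <deque>
#include <functional>
#include <string>
#include <vector>
struct Node {
    std::string tag; Node* parent = nullptr; std::vector<Node*> children;
    std::function<void()> onLoad;  // models <iframe onload="run()">
};
// The arena owns every node, so a node removed from the tree stays allocated (as a
// RefPtr-held WebCore node would) but is disconnected: its parent becomes nullptr.
struct Document {
    std::deque<Node> arena;  // deque keeps addresses stable across emplace_back
    Node* body = nullptr;
    Document() { body = create("body"); }
    Node* create(const std::string& tag) { arena.emplace_back(); arena.back().tag = tag; return &arena.back(); }
    bool isConnected(const Node* n) const { for (; n; n = n->parent) if (n == body) return true; return false; }
    void remove(Node* n) {
        if (!n->parent) return;
        auto& sib = n->parent->children;
        sib.erase(std::find(sib.begin(), sib.end(), n));
        n->parent = nullptr;
    }
    // Insert child under parent before ref (nullptr = append). As in WebCore's didFinishInsertingNode
    // (frame #79), a newly connected subtree runs its load handlers synchronously: script can mutate the tree.
    void insertBefore(Node* parent, Node* child, Node* ref) {
        remove(child);
        auto& kids = parent->children;
        kids.insert(ref ? std::find(kids.begin(), kids.end(), ref) : kids.end(), child);
        child->parent = parent;
        if (isConnected(child)) fireLoad(child);
    }
    void fireLoad(Node* n) {
        if (n->onLoad) n->onLoad();
        for (Node* c : std::vector<Node*>(n->children)) fireLoad(c);  // iterate a copy: handlers mutate
    }
};

enum class Result { Unlistified, AbortedStaleTree, WouldHaveCrashed };

// fixOrphanedListChild: wrap an LI that has no list parent in a fresh UL. Appending the
// LI (frame #85) can run script, so the caller must not trust `ul` afterwards.
Node* fixOrphanedListChild(Document& doc, Node* li) {
    Node* ul = doc.create("ul");
    doc.insertBefore(li->parent, ul, li);
    doc.insertBefore(ul, li, nullptr);
    return ul;
}

// insertUnorderedList on an LI: fix the orphan if needed, then unlistify the paragraph (move it
// out and prune the empty list). `revalidate` enables this example's own mitigation, an
// assumption here and not the project's actual patch.
Result insertUnorderedList(Document& doc, Node* li, bool revalidate) {
    Node* ul = (li->parent && li->parent->tag == "ul") ? li->parent : nullptr;
    if (!ul) {
        ul = fixOrphanedListChild(doc, li);  // script may have run in here
        if (revalidate && (!doc.isConnected(ul) || li->parent != ul))
            return Result::AbortedStaleTree;  // a nested command changed the tree under us
    }
    Node* container = ul->parent;  // the dereference that crashed in the report (frame #4)
    if (!container) return Result::WouldHaveCrashed;  // report the null rather than crash
    doc.insertBefore(container, li, ul);  // unlistifyParagraph: move the LI out of the list
    if (ul->children.empty()) doc.remove(ul);  // prune the empty list (frames #8-#9)
    return Result::Unlistified;
}

// Rebuild the report's DOM (<body contenteditable><li><iframe onload="run()">) and return the
// outer command's result; with `reenter` the load handler also issues the nested command, like the PoC.
Result runScenario(bool revalidate, bool reenter) {
    Document doc;
    Node* li = doc.create("li"); Node* iframe = doc.create("iframe");
    int loads = 0, maxRuns = reenter ? 2 : 1;
    Result results[2] = { Result::Unlistified, Result::Unlistified };
    iframe->onLoad = [&] { int run = loads++; if (run < maxRuns) results[run] = insertUnorderedList(doc, li, revalidate); };
    doc.insertBefore(li, iframe, nullptr);    // still detached: no load event yet
    doc.insertBefore(doc.body, li, nullptr);  // connects the iframe: run() fires
    return results[0];
}
```

Without the check the outer command reads `ul->parent` after the nested command has pruned the UL, which is the null dereference in frame #4; with it the stale pointer is detected and the command bails out.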
Comment 2 Jack 2020-05-15 14:47:49 PDT
Created attachment 399514
Patch
Comment 3 Jack 2020-05-15 14:49:52 PDT
Created attachment 399516
Patch
Comment 4 Geoffrey Garen 2020-05-15 20:21:01 PDT
Comment on attachment 399516
Patch

r=me
Comment 5 EWS 2020-05-15 21:09:55 PDT
Committed r261777: <https://trac.webkit.org/changeset/261777>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 399516.