Bug 216778 - [GTK] REGRESSION(r267329): imported/blink/editing/undo/crash-redo-with-iframes.html is crashing
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Lauro Moura
Keywords: InRadar
Blocks: 216739
Reported: 2020-09-21 07:02 PDT by Diego Pino
Modified: 2020-09-22 20:37 PDT
CC: 6 users


Attachments
Debug crash log (28.58 KB, text/plain), 2020-09-21 14:06 PDT, Lauro Moura
Patch (1.56 KB, patch), 2020-09-21 20:25 PDT, Lauro Moura

Description Diego Pino 2020-09-21 07:02:05 PDT
The test started crashing in r267329. The test is passing in WPE though.

https://results.webkit.org/?suite=layout-tests&test=imported%2Fblink%2Fediting%2Fundo%2Fcrash-redo-with-iframes.html&platform=GTK&platform=WPE&platform=ios&platform=mac

Crash-log: https://build.webkit.org/results/GTK%20Linux%2064-bit%20Release%20(Tests)/r267339%20(15944)/imported/blink/editing/undo/crash-redo-with-iframes-crash-log.txt

Thread 1 (Thread 0x7fc99b7749c0 (LWP 129780)):
#0  0x00007fc9a5b578c6 in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization(WebCore::Node*, WebCore::Node*, WebCore::StyledMarkupAccumulator::NodeTraversalMode) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#1  0x00007fc9a5b57727 in WebCore::StyledMarkupAccumulator::serializeNodes(WebCore::Position const&, WebCore::Position const&) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#2  0x00007fc9a5b5945a in WebCore::serializePreservingVisualAppearanceInternal(WebCore::Position const&, WebCore::Position const&, WTF::Vector<WebCore::Node*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WebCore::AnnotateForInterchange, WebCore::ConvertBlocksToInlines, WebCore::StandardFontFamilySerializationMode, WebCore::MSOListMode) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#3  0x00007fc9a5b59ea2 in WebCore::serializePreservingVisualAppearance(WebCore::VisibleSelection const&, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WTF::Vector<WebCore::Node*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#4  0x00007fc9a4cc7e18 in WebKit::WebEditorClient::updateGlobalSelection(WebCore::Frame*) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#5  0x00007fc9a4ca9f4e in WebKit::WebEditorClient::respondToChangedSelection(WebCore::Frame*) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#6  0x00007fc9a5ae46e7 in WebCore::Editor::respondToChangedSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#7  0x00007fc9a5aea220 in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00007fc9a5acea15 in WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00007fc9a5ace666 in WebCore::FrameSelection::selectAll() () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#10 0x00007fc9a5af8d54 in WebCore::executeSelectAll(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#11 0x00007fc9a59d3416 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#12 0x00007fc9a4f5e0c4 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::JSGlobalObject*, JSC::CallFrame*) () at /app/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#13 0x00007fc95aaff178 in  ()
#14 0x00007ffd2b48d8b0 in  ()
#15 0x00007fc9a1112ff0 in llint_op_call () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#16 0x0000000000000000 in  ()
Comment 1 Darin Adler 2020-09-21 12:01:30 PDT
What kind of crash is this? A null pointer dereference?
Comment 2 Darin Adler 2020-09-21 12:32:55 PDT
This global selection feature is a GTK-only feature related to the feature of Unix window systems, so it’s not surprising that the crash is GTK-only.

I’d like to help with this; to help I will need some more information. What kind of crash is it? Most likely we just have to add some checks of some kind to serializePreservingVisualAppearanceInternal, but to understand what I need to do, I need to know what kind of crash this is.
Comment 3 Lauro Moura 2020-09-21 14:06:04 PDT
Created attachment 409318: Debug crash log

Here's the stack trace from the debug log. It fails the assertion at the start of serializeNodes:

Top of the stack:

Thread 1 (Thread 0x7ff19326e9c0 (LWP 115)):
#0  WTFCrash() () at ../../Source/WTF/wtf/Assertions.cpp:295
#1  0x00007ff1aa6fc197 in CRASH_WITH_INFO(...) () at DerivedSources/ForwardingHeaders/wtf/Assertions.h:713
#2  0x00007ff1ad8bb03f in WebCore::StyledMarkupAccumulator::serializeNodes(WebCore::Position const&, WebCore::Position const&) (this=0x7ffe2f683570, start=..., end=...) at ../../Source/WebCore/editing/markup.cpp:587
#3  0x00007ff1ad8bccf9 in WebCore::serializePreservingVisualAppearanceInternal(WebCore::Position const&, WebCore::Position const&, WTF::Vector<WebCore::Node*, 0, WTF::CrashOnOverflow, 16, WTF::FastMalloc>*, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WebCore::AnnotateForInterchange, WebCore::ConvertBlocksToInlines, WebCore::StandardFontFamilySerializationMode, WebCore::MSOListMode) (start=..., end=..., nodes=0x0, resolveURLs=WebCore::ResolveURLs::YesExcludingLocalFileURLsForPrivacy, serializeComposedTree=WebCore::SerializeComposedTree::No, annotate=WebCore::AnnotateForInterchange::Yes, convertBlocksToInlines=WebCore::ConvertBlocksToInlines::No, standardFontFamilySerializationMode=WebCore::StandardFontFamilySerializationMode::Keep, msoListMode=WebCore::MSOListMode::DoNotPreserve) at ../../Source/WebCore/editing/markup.cpp:878
#4  0x00007ff1ad8bd478 in WebCore::serializePreservingVisualAppearance(WebCore::VisibleSelection const&, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WTF::Vector<WebCore::Node*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*) (selection=..., resolveURLs=WebCore::ResolveURLs::YesExcludingLocalFileURLsForPrivacy, serializeComposedTree=WebCore::SerializeComposedTree::No, nodes=0x0) at ../../Source/WebCore/editing/markup.cpp:946
#5  0x00007ff1abaa15ad in WebKit::WebEditorClient::updateGlobalSelection(WebCore::Frame*) (this=0x7ff1929f62b8, frame=0x7ff1929a4100) at ../../Source/WebKit/WebProcess/WebCoreSupport/gtk/WebEditorClientGtk.cpp:147
#6  0x00007ff1aba4daca in WebKit::WebEditorClient::respondToChangedSelection(WebCore::Frame*) (this=0x7ff1929f62b8, frame=0x7ff1929a4100) at ../../Source/WebKit/WebProcess/WebCoreSupport/WebEditorClient.cpp:229
#7  0x00007ff1ad81c583 in WebCore::Editor::respondToChangedSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>) (this=0x7ff1929784e0, options=...) at ../../Source/WebCore/editing/Editor.cpp:3630
#8  0x00007ff1ad829170 in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) (this=0x7ff19297aa80, newSelectionPossiblyWithoutDirection=..., options=..., align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::TextGranularity::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:395
#9  0x00007ff1ad82937d in WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) (this=0x7ff19297aa80, selection=..., options=..., intent=..., align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::TextGranularity::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:408
Comment 4 Darin Adler 2020-09-21 14:21:12 PDT
Can work around this for now by changing serializePreservingVisualAppearanceInternal to use < instead of == at the top:

    if (!(start < end))
        return emptyString();
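The guard change suggested above, modelled as an added example (not WebKit code): a toy Position type ordered by an index path from the document root, with nested paths standing in for iframe content, and a serializeRange() that returns std::nullopt where the real serializeNodes() would hit its assertion. The equality-only guard lets a reversed range (end before start) fall through to the assertion; the `!(start < end)` guard returns early for both empty and reversed ranges. Position, Guard and serializeRange are assumptions made for this example, not WebCore's own types.

```cpp
// Added example, not WebKit code: contrasts the original "start == end" early
// return at the top of serializePreservingVisualAppearanceInternal with the
// "!(start < end)" check proposed in comment 4.
#include <optional>
#include <string>
#include <vector>

// Assumed toy model: an index path from the document root plus an offset.
// Lexicographic order on the path is document order; a longer path that
// extends a shorter one is content nested inside that node (e.g. an iframe).
struct Position {
    std::vector<int> path;
    int offset = 0;
    bool operator==(const Position& o) const { return path == o.path && offset == o.offset; }
    bool operator<(const Position& o) const { return path != o.path ? path < o.path : offset < o.offset; }
};

enum class Guard { EqualityOnly, NotLessThan };

static std::string pathToString(const Position& p)
{
    std::string s;
    for (int i : p.path)
        s += "/" + std::to_string(i);
    return s + ":" + std::to_string(p.offset);
}

// Returns serialized markup (empty string when the guard rejects the range), or
// std::nullopt where the real serializeNodes() would trip its assertion.
std::optional<std::string> serializeRange(const Position& start, const Position& end, Guard guard)
{
    if (guard == Guard::EqualityOnly && start == end)
        return std::string(); // original guard: only an empty range returns early
    if (guard == Guard::NotLessThan && !(start < end))
        return std::string(); // comment 4 guard: empty and reversed ranges both return early
    if (!(start < end))
        return std::nullopt;  // serializeNodes() asserts that start precedes end
    return "<range start=\"" + pathToString(start) + "\" end=\"" + pathToString(end) + "\"/>";
}
```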
Comment 5 Darin Adler 2020-09-21 14:21:38 PDT
I suggest putting that in for now.
Comment 6 Lauro Moura 2020-09-21 20:25:08 PDT
Created attachment 409347: Patch
Comment 7 EWS 2020-09-22 20:36:18 PDT
Committed r267457: <https://trac.webkit.org/changeset/267457>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 409347.
Comment 8 Radar WebKit Bug Importer 2020-09-22 20:37:17 PDT
<rdar://problem/69410389>