218276 – REGRESSION(r267329): Crash in VisibleSelection::toNormalizedRange()

Bug 218276 - REGRESSION(r267329): Crash in VisibleSelection::toNormalizedRange()

Summary: REGRESSION(r267329): Crash in VisibleSelection::toNormalizedRange()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	HTML Editing (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Ryosuke Niwa

URL:
Keywords:	InRadar

Depends on:	216739
Blocks:
	Show dependency tree / graph

Reported:	2020-10-28 03:02 PDT by Ryosuke Niwa
Modified:	2020-10-28 20:53 PDT (History)
CC List:	5 users (show)

See Also:

Attachments
Fixes the bug (4.82 KB, patch) 2020-10-28 03:13 PDT, Ryosuke Niwa	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ryosuke Niwa 2020-10-28 03:02:45 PDT

e.g.
    #0 0x74dbc0571 in WebCore::Node::treeScope() const+0x21 (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1be571)
    #1 0x74dba3078 in WebCore::Node::document() const+0x8 (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1a1078)
    #2 0x751459529 in WebCore::VisibleSelection::toNormalizedRange() const+0xe9 (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a57529)
    #3 0x7513807b2 in WebCore::Editor::shouldChangeSelection(WebCore::VisibleSelection const&, WebCore::VisibleSelection const&, WebCore::Affinity, bool) const+0x112 (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x397e7b2)
    #4 0x75137a33a in WebCore::FrameSelection::shouldChangeSelection(WebCore::VisibleSelection const&) const+0x4a (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x397833a)
    #5 0x7513683f8 in WebCore::Editor::changeSelectionAfterCommand(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>)+0x1c8 (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39663f8)
    #6 0x75136785b in WebCore::Editor::appliedEditing(WebCore::CompositeEditCommand&)+0x25b (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x396585b)
    #7 0x75142d04d in WebCore::TypingCommand::typingAddedToOpenCommand(WebCore::TypingCommand::ETypingCommand)+0x11d (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a2b04d)
    #8 0x7514287af in WebCore::TypingCommand::deleteKeyPressed(WebCore::TextGranularity, bool)+0x107f (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a267af)
    #9 0x75142bffe in WebCore::TypingCommand::doApply()+0x1be (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a29ffe)
    #10 0x7512eb666 in WebCore::CompositeEditCommand::apply()+0x216 (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38e9666)
    #11 0x75142748b in WebCore::TypingCommand::deleteKeyPressed(WebCore::Document&, unsigned int, WebCore::TextGranularity)+0x29b (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a2548b)
    #12 0x7513a974e in WebCore::executeDelete(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)+0xde (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39a774e)
    #13 0x75136febb in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const+0xdb (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x396debb)
    #14 0x750ff39e3 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)+0xf3 (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35f19e3)
    #15 0x74e548d29 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x469 (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb46d29)
    #16 0x74e3f17db in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0xfb (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9ef7db)
    #17 0x74e3f16d8 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (/Volumes/Data/safari-2/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9ef6d8)

<rdar://problem/70064038>

Comment 1 Ryosuke Niwa 2020-10-28 03:13:35 PDT

Created attachment 412516 [details]
Fixes the bug

Comment 2 EWS 2020-10-28 20:53:08 PDT

Committed r269136: <https://trac.webkit.org/changeset/269136>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 412516 [details].