WebKit Bugzilla
RESOLVED DUPLICATE of bug 220630
Bug 218495: EXC_BAD_INSTRUCTION in CompositeEditCommand::moveParagraphs+8933
https://bugs.webkit.org/show_bug.cgi?id=218495
Ian Gilbert
Reported
2020-11-03 02:50:06 PST
Stack Trace
=========== Stack Trace =========
frame #0: WebCore`WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool)+8933
frame #1: WebCore`WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::SimpleRange&)+7504
frame #2: WebCore`WebCore::InsertListCommand::doApply()+7534
frame #3: WebCore`WebCore::CompositeEditCommand::apply()+500
frame #4: WebCore`WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)+109
frame #5: WebCore`WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)+77
frame #6: WebCore`WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::JSGlobalObject*, JSC::CallFrame*)+428
frame #7: JavaScriptCore`llint_entry+104868
frame #8: JavaScriptCore`vmEntryToJavaScript+216
frame #9: JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+518
frame #10: JavaScriptCore`JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+147
Attachments
Crashing input (485.77 KB, text/html), 2020-11-03 02:51 PST, Ian Gilbert
Reduced test case (530 bytes, text/html), 2020-11-27 03:28 PST, Carlos Garcia Campos
Radar WebKit Bug Importer
Comment 1
2020-11-03 02:50:21 PST
<rdar://problem/70987467>
Ian Gilbert
Comment 2
2020-11-03 02:51:10 PST
Created attachment 413029
Crashing input
Ryosuke Niwa
Comment 3
2020-11-03 13:08:13 PST
<rdar://problem/70094270>
Rob Buis
Comment 4
2020-11-17 02:42:56 PST
On LinuxGTK I get:
STDERR: ASSERTION FAILED: initialized()
STDERR: DerivedSources/ForwardingHeaders/wtf/Optional.h(540) : constexpr T&& WTF::Optional< <template-parameter-1-1> >::operator*() && [with T = WebCore::SimpleRange]
STDERR: 1 0x7f5d596cb77d WTFCrash
STDERR: 2 0x7f5d6aac3599 WTF::Optional<WebCore::SimpleRange>::operator*() &&
STDERR: 3 0x7f5d6cec006e WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool)
STDERR: 4 0x7f5d6b2711aa WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*)
STDERR: 5 0x7f5d6b27091a WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::SimpleRange&)
STDERR: 6 0x7f5d6b26ffa5 WebCore::InsertListCommand::doApply()
STDERR: 7 0x7f5d6ceb9c8a WebCore::CompositeEditCommand::apply()
STDERR: 8 0x7f5d6b248dda /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x10023dda) [0x7f5d6b248dda]
STDERR: 9 0x7f5d6b24d0bc WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
STDERR: 10 0x7f5d6afe3c4f WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
STDERR: 11 0x7f5d6995de3a /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe738e3a) [0x7f5d6995de3a]
STDERR: 12 0x7f5d6997f903 /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe75a903) [0x7f5d6997f903]
STDERR: 13 0x7f5d6995df08 /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe738f08) [0x7f5d6995df08]
STDERR: 14 0x7f5d0f687178 [0x7f5d0f687178]
STDERR: LEAK: 1 WebPageProxy
Carlos Garcia Campos
Comment 5
2020-11-17 02:53:30 PST
(In reply to Rob Buis from comment #4)
> On LinuxGTK I get:
> STDERR: ASSERTION FAILED: initialized()
> STDERR: DerivedSources/ForwardingHeaders/wtf/Optional.h(540) : constexpr T&& WTF::Optional< <template-parameter-1-1> >::operator*() && [with T = WebCore::SimpleRange]
> STDERR: 1 0x7f5d596cb77d WTFCrash
> STDERR: 2 0x7f5d6aac3599 WTF::Optional<WebCore::SimpleRange>::operator*() &&
> STDERR: 3 0x7f5d6cec006e WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool)
> STDERR: 4 0x7f5d6b2711aa WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*)
> STDERR: 5 0x7f5d6b27091a WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::SimpleRange&)
> STDERR: 6 0x7f5d6b26ffa5 WebCore::InsertListCommand::doApply()
> STDERR: 7 0x7f5d6ceb9c8a WebCore::CompositeEditCommand::apply()
> STDERR: 8 0x7f5d6b248dda /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x10023dda) [0x7f5d6b248dda]
> STDERR: 9 0x7f5d6b24d0bc WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
> STDERR: 10 0x7f5d6afe3c4f WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
> STDERR: 11 0x7f5d6995de3a /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe738e3a) [0x7f5d6995de3a]
> STDERR: 12 0x7f5d6997f903 /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe75a903) [0x7f5d6997f903]
> STDERR: 13 0x7f5d6995df08 /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe738f08) [0x7f5d6995df08]
> STDERR: 14 0x7f5d0f687178 [0x7f5d0f687178]
> STDERR: LEAK: 1 WebPageProxy

Looks like bug #218494
Rob Buis
Comment 6
2020-11-17 02:55:41 PST
(In reply to Carlos Garcia Campos from comment #5)
> Looks like bug #218494

Yeah, applying your fix there results in:
STDERR: ASSERTION FAILED: startOfParagraphToMove == endOfParagraphToMove || !endOfParagraphToMove.isNull()
STDERR: ../../Source/WebCore/editing/CompositeEditCommand.cpp(1403) : void WebCore::CompositeEditCommand::moveParagraphs(const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, bool, bool)
STDERR: 1 0x7efe8587d77d WTFCrash
STDERR: 2 0x7efe942185d7 /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xce415d7) [0x7efe942185d7]
STDERR: 3 0x7efe99071477 WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool)
STDERR: 4 0x7efe9742295e

I assume this is a small improvement (crash seems later) but obviously still problematic.
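Added example (not part of the bug report and not WebKit tooling): a small triage helper that reduces the GTK debug-build traces from comments 4 and 6 to the failed assertion plus the top symbolized WebCore frames, so the crash before and after the bug #218494 fix can be compared. The function names and the noise-frame list are assumptions; the sample traces are trimmed copies of the ones quoted above.

```python
import re

# Constructed sample input: first lines of the traces in comments 4 and 6 of this bug.
TRACE_COMMENT_4 = """\
STDERR: ASSERTION FAILED: initialized()
STDERR: DerivedSources/ForwardingHeaders/wtf/Optional.h(540) : constexpr T&& WTF::Optional< <template-parameter-1-1> >::operator*() && [with T = WebCore::SimpleRange]
STDERR: 1 0x7f5d596cb77d WTFCrash
STDERR: 2 0x7f5d6aac3599 WTF::Optional<WebCore::SimpleRange>::operator*() &&
STDERR: 3 0x7f5d6cec006e WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool)
STDERR: 4 0x7f5d6b2711aa WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*)
"""
TRACE_COMMENT_6 = """\
STDERR: ASSERTION FAILED: startOfParagraphToMove == endOfParagraphToMove || !endOfParagraphToMove.isNull()
STDERR: ../../Source/WebCore/editing/CompositeEditCommand.cpp(1403) : void WebCore::CompositeEditCommand::moveParagraphs(const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, bool, bool)
STDERR: 1 0x7efe8587d77d WTFCrash
STDERR: 2 0x7efe942185d7 /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xce415d7) [0x7efe942185d7]
STDERR: 3 0x7efe99071477 WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool)
STDERR: 4 0x7efe9742295e
"""

ASSERT_RE = re.compile(r"^STDERR: ASSERTION FAILED: (.+)$")
FRAME_RE = re.compile(r"^STDERR: (\d+)\s+0x[0-9a-f]+(?:\s+(.*))?$")
# Assumption: crash plumbing that says nothing about where the bug is.
NOISE = ("WTFCrash", "WTF::Optional")

def signature(trace, depth=2):
    """Return (assertion text, top `depth` symbolized non-noise frames)."""
    assertion, frames = None, []
    for line in trace.splitlines():
        m = ASSERT_RE.match(line)
        if m:
            assertion = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if not m or not m.group(2):
            continue  # not a frame line, or a frame with an address only
        name = m.group(2).split("(", 1)[0].strip()  # drop the argument list
        if name.startswith(("/", "[")) or name.startswith(NOISE):
            continue  # unsymbolized library offset or crash helper
        frames.append(name)
    return assertion, tuple(frames[:depth])

def same_crash_site(a, b):
    """True when both traces fail in the same top application frame."""
    return signature(a)[1][:1] == signature(b)[1][:1]

if __name__ == "__main__":
    print(signature(TRACE_COMMENT_4))
    print(signature(TRACE_COMMENT_6))
```

Both traces reduce to the same top frame, moveParagraphs, while the assertion text differs, which matches the observation that the crash only moved later.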
Ryosuke Niwa
Comment 7
2020-11-17 14:32:10 PST
(In reply to Rob Buis from comment #6)
> (In reply to Carlos Garcia Campos from comment #5)
> > Looks like bug #218494
>
> Yeah, applying your fix there results in:
> STDERR: ASSERTION FAILED: startOfParagraphToMove == endOfParagraphToMove || !endOfParagraphToMove.isNull()
> STDERR: ../../Source/WebCore/editing/CompositeEditCommand.cpp(1403) : void WebCore::CompositeEditCommand::moveParagraphs(const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, bool, bool)
> STDERR: 1 0x7efe8587d77d WTFCrash
> STDERR: 2 0x7efe942185d7 /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xce415d7) [0x7efe942185d7]
> STDERR: 3 0x7efe99071477 WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool)
> STDERR: 4 0x7efe9742295e
>
> I assume this is a small improvement (crash seems later) but obviously still problematic.

Isn't that https://bugs.webkit.org/show_bug.cgi?id=218492 ?
Carlos Garcia Campos
Comment 8
2020-11-27 03:28:09 PST
Created attachment 414937
Reduced test case
Carlos Garcia Campos
Comment 9
2020-11-27 03:29:12 PST
The problem is indeed similar to bug #218494, but in this case the li element has the actual body element as a child, so the fix for bug #218494 doesn't work here.
Ryosuke Niwa
Comment 10
2020-11-30 14:32:02 PST
(In reply to Carlos Garcia Campos from comment #9)
> The problem is indeed similar to bug #218494, but in this case the li element has the actual body element as a child, so the fix for bug #218494 doesn't work here.

Ah, ok.
Carlos Garcia Campos
Comment 11
2020-12-16 05:48:45 PST
So, the problem is the same as in bug #218494: endOfParagraphToMove is null in CompositeEditCommand::moveParagraphs() and also comes from InsertListCommand::unlistifyParagraph(), but the reason is different in this case. In InsertListCommand::unlistifyParagraph(), firstPositionInNode and lastPositionInNode of the list child both return the same position (offset 0 of LI 0x7f0eb851a7b0 id='htmlvar00010'). But when converted to a VisiblePosition, start is offset 0 of #text 0x7f0eb851a830 length=1 "a" and end is null. I don't understand why yet. The debug tree is this one:

BODY 0x7f0eb85192e0 (renderer 0x7f0eb8519470)
#text 0x7f0eb851a450 "\n"
MAP 0x7f0eb851a4b0 (renderer 0x7f0eb851a990)
#text 0x7f0eb851a530 "\n"
UL 0x7f0eb97c4010 (renderer 0x7f0e6004c200)
#text 0x7f0eb851a610 "\n"
LI 0x7f0eb851a7b0 (renderer 0x7f0eb851b1f0)
* #text 0x7f0eb851a830 "a"
PRE 0x7f0eb851a890 (renderer 0x7f0e6004c300)
#text 0x7f0eb97d8058 "b"
#text 0x7f0eb851a750 "\n"
#text 0x7f0eb97d80b0 "\n"
LI 0x7f0eb851a910 (renderer 0x7f0eb851b720)
#text 0x7f0eb97d8108 "c"
#text 0x7f0eb97d8160 "\n"
#text 0x7f0eb97d81b8 "\n\n\n"
offset, offset:0
Julian Gonzalez
Comment 12
2021-01-20 18:35:16 PST
Ryosuke pointed out that this looks just like https://bugs.webkit.org/show_bug.cgi?id=220630
Julian Gonzalez
Comment 13
2021-01-20 18:39:24 PST
(In reply to Julian Gonzalez from comment #12)
> Ryosuke pointed out that this looks just like https://bugs.webkit.org/show_bug.cgi?id=220630

Indeed, the reduced and original test cases here don't crash on trunk with the patch from 220630.
Ryosuke Niwa
Comment 14
2021-01-20 18:43:27 PST
*** This bug has been marked as a duplicate of bug 220630 ***