RESOLVED FIXED 222219
REGRESSION (r272928): ASSERT NOT REACHED in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance
https://bugs.webkit.org/show_bug.cgi?id=222219
Ryan Haddad
Reported 2021-02-19 20:20:04 PST
Created attachment 421074 [details]
crash log

Seeing the following assert on iOS debug bots with editing/input/set-value-on-input-and-delete.html

SHOULD NEVER BE REACHED
./editing/FrameSelection.cpp(361) : bool WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(const WebCore::VisibleSelection &, OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity)
1 0x44a27aaa9 WTFCrash
2 0x4524c556b WTFCrashWithInfo(int, char const*, char const*, int)
3 0x4554532be WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity)
4 0x4554368b1 WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity)
5 0x455441990 WebCore::Editor::selectComposition()
6 0x455441d3b WebCore::Editor::setComposition(WTF::String const&, WebCore::Editor::SetCompositionMode)
7 0x455441be4 WebCore::Editor::confirmComposition()
8 0x455441f26 WebCore::Editor::confirmCompositionAndNotifyClient()
9 0x455e24b1e WebCore::FrameLoader::commitProvisionalLoad()
10 0x455d96eac WebCore::DocumentLoader::commitIfReady()
11 0x455d97670 WebCore::DocumentLoader::finishedLoading()
12 0x455da31f1 WebCore::DocumentLoader::maybeLoadEmpty()
13 0x455da3375 WebCore::DocumentLoader::startLoadingMainResource()
14 0x455e52e4c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()()
15 0x455e5275e WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11, void>::call()
16 0x4524dba02 WTF::Function<void ()>::operator()() const
17 0x452566ab5 WTF::CompletionHandler<void ()>::operator()()
18 0x455e21def WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)
19 0x455e4fbe0 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)
20 0x455e4fa9c WTF::Detail::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8, void, WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision>::call(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)
21 0x455e863b1 WTF::Function<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision) const
22 0x455e7a297 WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)
23 0x455e89c2e WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)
24 0x455e88a37 WTF::Detail::CallableWrapper<WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_3, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)
25 0x431cf6528 WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const
26 0x431cf7777 WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WebCore::ResourceResponse const&, WebCore::FormState*, WebCore::PolicyDecisionMode, WebCore::PolicyCheckIdentifier, WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>&&)
27 0x455e79df9 WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::EmptyCounter>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)
28 0x455e20c44 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)
29 0x455e1b601 WebCore::FrameLoader::load(WebCore::DocumentLoader&)
30 0x455e1f713 WebCore::FrameLoader::load(WebCore::FrameLoadRequest&&)
31 0x456ded988 WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest&&, WebCore::InputSource)
LEAK: 2 WebPageProxy

https://results.webkit.org/?suite=layout-tests&test=editing%2Finput%2Fset-value-on-input-and-delete.html
Attachments
crash log (139.69 KB, text/plain)
2021-02-19 20:20 PST, Ryan Haddad
no flags
Fixes the bug (4.50 KB, patch)
2021-02-22 15:34 PST, Ryosuke Niwa
wenson_hsieh: review+
Radar WebKit Bug Importer
Comment 1 2021-02-19 20:20:20 PST
Ryan Haddad
Comment 2 2021-02-19 20:21:12 PST
Test history suggests that this may have started after https://trac.webkit.org/changeset/272928/webkit
Ryosuke Niwa
Comment 3 2021-02-22 14:03:46 PST
I can reproduce this crash with the following command:

./Tools/Scripts/run-webkit-tests --ios-simulator --debug --no-build --no-retry editing/input/select-all-clear-input-method.html editing/input/set-value-on-input-and-delete.html --force

It looks like the issue is that we're not canceling the composition in time when we're navigating to a new document.
Ryosuke Niwa
Comment 4 2021-02-22 15:34:50 PST
Created attachment 421250 [details] Fixes the bug
Wenson Hsieh
Comment 5 2021-02-22 15:53:51 PST
Comment on attachment 421250 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=421250&action=review

> Source/WebCore/ChangeLog:10
> + committing the composition even though the composition node had been removed from the docuemnt.

Nit - docuemnt => document.
Ryosuke Niwa
Comment 6 2021-02-22 16:26:55 PST
Waiting for EWS...
Ryosuke Niwa
Comment 7 2021-02-22 19:50:07 PST
(In reply to Wenson Hsieh from comment #5)
> Comment on attachment 421250 [details]
> Fixes the bug
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=421250&action=review
>
> > Source/WebCore/ChangeLog:10
> > + committing the composition even though the composition node had been removed from the docuemnt.
>
> Nit - docuemnt => document.

Fixed. Thanks for the review!
Ryosuke Niwa
Comment 8 2021-02-22 19:52:46 PST