WebKit Bugzilla
RESOLVED FIXED
224801
editing/execCommand/insert-image-in-composed-list.html is crashing
https://bugs.webkit.org/show_bug.cgi?id=224801
Fujii Hironori
Reported
2021-04-19 22:06:09 PDT
Created attachment 426519: insert-image-in-composed-list-crash-log.txt
[WinCairo][Clang 12] editing/execCommand/insert-image-in-composed-list.html is crashing
WinCairo WK1/WK2 Release builds with Clang 12.0.0 reproduce the crash. MSVC and Clang 11 don't reproduce the crash.
Attachments
insert-image-in-composed-list-crash-log.txt (60.49 KB, text/plain), 2021-04-19 22:06 PDT, Fujii Hironori, no flags
debugging patch (622 bytes, patch), 2021-04-19 22:16 PDT, Fujii Hironori, no flags
Patch (1.71 KB, patch), 2021-04-19 23:30 PDT, Fujii Hironori, no flags
Patch (3.12 KB, patch), 2021-04-20 00:35 PDT, Fujii Hironori, no flags
Fujii Hironori
Comment 1
2021-04-19 22:06:37 PDT
Callstack:
WebKit2!WebCore::Node::treeScope(void) [C:\home\webkit\gb\Source\WebCore\dom\Node.h @ 359]
WebKit2!WebCore::Node::document(void) [C:\home\webkit\gb\Source\WebCore\dom\Node.h @ 354]
WebKit2!WebCore::Node::computeEditability(WebCore::Node::UserSelectAllTreatment treatment = UserSelectAllIsAlwaysNonEditable (0n1), WebCore::Node::ShouldUpdateStyle shouldUpdateStyle = DoNotUpdate (0n1))+0x8 [C:\home\webkit\gb\Source\WebCore\dom\Node.cpp @ 783]
WebKit2!WebCore::Node::hasEditableStyle(WebCore::Node::UserSelectAllTreatment treatment = <Value unavailable error>)+0x13 [C:\home\webkit\gb\Source\WebCore\dom\Node.h @ 331]
WebKit2!WebCore::Node::rootEditableElement(void)+0x23 [C:\home\webkit\gb\Source\WebCore\dom\Node.cpp @ 1335]
WebKit2!WebCore::DeleteSelectionCommand::removeRedundantBlocks(void)+0x31 [C:\home\webkit\gb\Source\WebCore\editing\DeleteSelectionCommand.cpp @ 869]
WebKit2!WebCore::DeleteSelectionCommand::doApply(void)+0x54b [C:\home\webkit\gb\Source\WebCore\editing\DeleteSelectionCommand.cpp @ 955]
WebKit2!WebCore::CompositeEditCommand::applyCommandToComposite(class WTF::Ref<WebCore::EditCommand,WTF::RawPtrTraits<WebCore::EditCommand> > * command = 0x00000005`27afe3d8)+0x20 [C:\home\webkit\gb\Source\WebCore\editing\CompositeEditCommand.cpp @ 489]
WebKit2!WebCore::CompositeEditCommand::deleteSelection(bool smartDelete = <Value unavailable error>, bool mergeBlocksAfterDelete = <Value unavailable error>, bool replace = <Value unavailable error>, bool expandForSpecialElements = <Value unavailable error>, bool sanitizeMarkup = <Value unavailable error>)+0xa3 [C:\home\webkit\gb\Source\WebCore\editing\CompositeEditCommand.cpp @ 857]
WebKit2!WebCore::ReplaceSelectionCommand::doApply(void)+0x76b [C:\home\webkit\gb\Source\WebCore\editing\ReplaceSelectionCommand.cpp @ 1147]
WebKit2!WebCore::CompositeEditCommand::apply(void)+0xb7 [C:\home\webkit\gb\Source\WebCore\editing\CompositeEditCommand.cpp @ 398]
WebKit2!WebCore::executeInsertFragment(class WebCore::Frame * frame = <Value unavailable error>, class WTF::Ref<WebCore::DocumentFragment,WTF::RawPtrTraits<WebCore::DocumentFragment> > * fragment = <Value unavailable error>)+0x5c [C:\home\webkit\gb\Source\WebCore\editing\EditorCommand.cpp @ 165]
WebKit2!WebCore::executeInsertNode(class WebCore::Frame * frame = 0x0000016b`8b96aaa0, class WTF::Ref<WebCore::Node,WTF::RawPtrTraits<WebCore::Node> > * content = 0x00000005`27afe928)+0x54 [C:\home\webkit\gb\Source\WebCore\editing\EditorCommand.cpp @ 175]
WebKit2!WebCore::executeInsertImage(class WebCore::Frame * frame = 0x0000016b`8b96aaa0, class WTF::String * value = <Value unavailable error>)+0x68 [C:\home\webkit\gb\Source\WebCore\editing\EditorCommand.cpp @ 473]
WebKit2!WebCore::Document::execCommand(class WTF::String * commandName = <Value unavailable error>, bool userInterface = <Value unavailable error>, class WTF::String * value = <Value unavailable error>)+0x57 [C:\home\webkit\gb\Source\WebCore\dom\Document.cpp @ 5707]
WebKit2!WebCore::jsDocumentPrototypeFunction_execCommandBody(class JSC::JSGlobalObject * lexicalGlobalObject = 0x0000016b`d15c2248, class JSC::CallFrame * callFrame = <Value unavailable error>, class WebCore::JSDocument * castedThis = <Value unavailable error>)+0x1a1 [C:\home\webkit\gb\WebKitBuild\Release\WebCore\DerivedSources\JSDocument.cpp @ 5850]
WebKit2!WebCore::IDLOperation<WebCore::JSDocument>::call(class JSC::JSGlobalObject * lexicalGlobalObject = 0x0000016b`d15c2248, class JSC::CallFrame * callFrame = <Value unavailable error>, char * operationName = <Value unavailable error>)+0x1fd [C:\home\webkit\gb\Source\WebCore\bindings\js\JSDOMOperation.h @ 55]
WebKit2!WebCore::jsDocumentPrototypeFunction_execCommand(class JSC::JSGlobalObject * lexicalGlobalObject = 0x0000016b`d15c2248, class JSC::CallFrame * callFrame = <Value unavailable error>)+0x229 [C:\home\webkit\gb\WebKitBuild\Release\WebCore\DerivedSources\JSDocument.cpp @ 5855]
Fujii Hironori
Comment 2
2021-04-19 22:16:13 PDT
Created attachment 426520: debugging patch
'node' is null in DeleteSelectionCommand::removeRedundantBlocks. This crash can be reproduced in a Debug build by applying this debugging patch.
Fujii Hironori
Comment 3
2021-04-19 23:30:26 PDT
Created attachment 426521: Patch
Fujii Hironori
Comment 4
2021-04-20 00:35:06 PDT
Created attachment 426522: Patch
Fujii Hironori
Comment 5
2021-04-20 13:21:29 PDT
Comment on attachment 426522: Patch
Clearing flags on attachment: 426522
Committed r276317 (236798@main): <https://commits.webkit.org/236798@main>
Fujii Hironori
Comment 6
2021-04-20 13:21:33 PDT
All reviewed patches have been landed. Closing bug.
Fujii Hironori
Comment 7
2021-04-20 13:22:23 PDT
*** Bug 223960 has been marked as a duplicate of this bug. ***
Ling Ho
Comment 8
2021-04-23 02:46:29 PDT
rdar://76914240