Bug 224801 - editing/execCommand/insert-image-in-composed-list.html is crashing
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Fujii Hironori
Keywords: InRadar
Duplicates: 223960
Reported: 2021-04-19 22:06 PDT by Fujii Hironori
Modified: 2021-04-23 02:46 PDT

Attachments
insert-image-in-composed-list-crash-log.txt (60.49 KB, text/plain)
2021-04-19 22:06 PDT, Fujii Hironori
debugging patch (622 bytes, patch)
2021-04-19 22:16 PDT, Fujii Hironori
Patch (1.71 KB, patch)
2021-04-19 23:30 PDT, Fujii Hironori
Patch (3.12 KB, patch)
2021-04-20 00:35 PDT, Fujii Hironori

Description Fujii Hironori 2021-04-19 22:06:09 PDT
Created attachment 426519
insert-image-in-composed-list-crash-log.txt

[WinCairo][Clang 12] editing/execCommand/insert-image-in-composed-list.html is crashing

WinCairo WK1/WK2 Release builds with Clang 12.0.0 reproduce the crash.
MSVC and Clang 11 don't reproduce the crash.
Comment 1 Fujii Hironori 2021-04-19 22:06:37 PDT
Callstack:

WebKit2!WebCore::Node::treeScope(void) [C:\home\webkit\gb\Source\WebCore\dom\Node.h @ 359]
WebKit2!WebCore::Node::document(void) [C:\home\webkit\gb\Source\WebCore\dom\Node.h @ 354]
WebKit2!WebCore::Node::computeEditability(WebCore::Node::UserSelectAllTreatment treatment = UserSelectAllIsAlwaysNonEditable (0n1), WebCore::Node::ShouldUpdateStyle shouldUpdateStyle = DoNotUpdate (0n1))+0x8 [C:\home\webkit\gb\Source\WebCore\dom\Node.cpp @ 783]
WebKit2!WebCore::Node::hasEditableStyle(WebCore::Node::UserSelectAllTreatment treatment = <Value unavailable error>)+0x13 [C:\home\webkit\gb\Source\WebCore\dom\Node.h @ 331]
WebKit2!WebCore::Node::rootEditableElement(void)+0x23 [C:\home\webkit\gb\Source\WebCore\dom\Node.cpp @ 1335]
WebKit2!WebCore::DeleteSelectionCommand::removeRedundantBlocks(void)+0x31 [C:\home\webkit\gb\Source\WebCore\editing\DeleteSelectionCommand.cpp @ 869]
WebKit2!WebCore::DeleteSelectionCommand::doApply(void)+0x54b [C:\home\webkit\gb\Source\WebCore\editing\DeleteSelectionCommand.cpp @ 955]
WebKit2!WebCore::CompositeEditCommand::applyCommandToComposite(class WTF::Ref<WebCore::EditCommand,WTF::RawPtrTraits<WebCore::EditCommand> > * command = 0x00000005`27afe3d8)+0x20 [C:\home\webkit\gb\Source\WebCore\editing\CompositeEditCommand.cpp @ 489]
WebKit2!WebCore::CompositeEditCommand::deleteSelection(bool smartDelete = <Value unavailable error>, bool mergeBlocksAfterDelete = <Value unavailable error>, bool replace = <Value unavailable error>, bool expandForSpecialElements = <Value unavailable error>, bool sanitizeMarkup = <Value unavailable error>)+0xa3 [C:\home\webkit\gb\Source\WebCore\editing\CompositeEditCommand.cpp @ 857]
WebKit2!WebCore::ReplaceSelectionCommand::doApply(void)+0x76b [C:\home\webkit\gb\Source\WebCore\editing\ReplaceSelectionCommand.cpp @ 1147]
WebKit2!WebCore::CompositeEditCommand::apply(void)+0xb7 [C:\home\webkit\gb\Source\WebCore\editing\CompositeEditCommand.cpp @ 398]
WebKit2!WebCore::executeInsertFragment(class WebCore::Frame * frame = <Value unavailable error>, class WTF::Ref<WebCore::DocumentFragment,WTF::RawPtrTraits<WebCore::DocumentFragment> > * fragment = <Value unavailable error>)+0x5c [C:\home\webkit\gb\Source\WebCore\editing\EditorCommand.cpp @ 165]
WebKit2!WebCore::executeInsertNode(class WebCore::Frame * frame = 0x0000016b`8b96aaa0, class WTF::Ref<WebCore::Node,WTF::RawPtrTraits<WebCore::Node> > * content = 0x00000005`27afe928)+0x54 [C:\home\webkit\gb\Source\WebCore\editing\EditorCommand.cpp @ 175]
WebKit2!WebCore::executeInsertImage(class WebCore::Frame * frame = 0x0000016b`8b96aaa0, class WTF::String * value = <Value unavailable error>)+0x68 [C:\home\webkit\gb\Source\WebCore\editing\EditorCommand.cpp @ 473]
WebKit2!WebCore::Document::execCommand(class WTF::String * commandName = <Value unavailable error>, bool userInterface = <Value unavailable error>, class WTF::String * value = <Value unavailable error>)+0x57 [C:\home\webkit\gb\Source\WebCore\dom\Document.cpp @ 5707]
WebKit2!WebCore::jsDocumentPrototypeFunction_execCommandBody(class JSC::JSGlobalObject * lexicalGlobalObject = 0x0000016b`d15c2248, class JSC::CallFrame * callFrame = <Value unavailable error>, class WebCore::JSDocument * castedThis = <Value unavailable error>)+0x1a1 [C:\home\webkit\gb\WebKitBuild\Release\WebCore\DerivedSources\JSDocument.cpp @ 5850]
WebKit2!WebCore::IDLOperation<WebCore::JSDocument>::call(class JSC::JSGlobalObject * lexicalGlobalObject = 0x0000016b`d15c2248, class JSC::CallFrame * callFrame = <Value unavailable error>, char * operationName = <Value unavailable error>)+0x1fd [C:\home\webkit\gb\Source\WebCore\bindings\js\JSDOMOperation.h @ 55]
WebKit2!WebCore::jsDocumentPrototypeFunction_execCommand(class JSC::JSGlobalObject * lexicalGlobalObject = 0x0000016b`d15c2248, class JSC::CallFrame * callFrame = <Value unavailable error>)+0x229 [C:\home\webkit\gb\WebKitBuild\Release\WebCore\DerivedSources\JSDocument.cpp @ 5855]
Comment 2 Fujii Hironori 2021-04-19 22:16:13 PDT
Created attachment 426520
debugging patch

'node' is null in DeleteSelectionCommand::removeRedundantBlocks.
This crash can be reproduced in Debug build by applying this debugging patch.
Comment 3 Fujii Hironori 2021-04-19 23:30:26 PDT
Created attachment 426521
Patch
Comment 4 Fujii Hironori 2021-04-20 00:35:06 PDT
Created attachment 426522
Patch
Comment 5 Fujii Hironori 2021-04-20 13:21:29 PDT
Comment on attachment 426522
Patch

Clearing flags on attachment: 426522

Committed r276317 (236798@main): <https://commits.webkit.org/236798@main>
Comment 6 Fujii Hironori 2021-04-20 13:21:33 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Fujii Hironori 2021-04-20 13:22:23 PDT
*** Bug 223960 has been marked as a duplicate of this bug. ***
Comment 8 Ling Ho 2021-04-23 02:46:29 PDT
rdar://76914240