RESOLVED FIXED 240377
ASSERTION FAILED: m_parent->hasEditableStyle() || !m_parent->renderer() via IndentOutdentCommand::indentIntoBlockquote
https://bugs.webkit.org/show_bug.cgi?id=240377
Frédéric Wang (:fredw)
Reported 2022-05-13 03:33:19 PDT
Created attachment 459289: Repro case

I'm opening this in the security component as the testcase was deduced from a fuzzer output. At https://commits.webkit.org/250518@main in debug mode, I get the following debug assertion:

ASSERTION FAILED: m_parent->hasEditableStyle() || !m_parent->renderer()
./editing/AppendNodeCommand.cpp(44) : WebCore::AppendNodeCommand::AppendNodeCommand(Ref<WebCore::ContainerNode> &&, Ref<WebCore::Node> &&, WebCore::EditAction)
1 0x150cd55e8 WTFCrash
2 0x2b768dfe4 WTFCrashWithInfo(int, char const*, char const*, int)
3 0x2bfcce5c8 WebCore::AppendNodeCommand::AppendNodeCommand(WTF::Ref<WebCore::ContainerNode, WTF::RawPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >&&, WebCore::EditAction)
4 0x2bfcce644 WebCore::AppendNodeCommand::AppendNodeCommand(WTF::Ref<WebCore::ContainerNode, WTF::RawPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >&&, WebCore::EditAction)
5 0x2bfcf52d0 WebCore::AppendNodeCommand::create(WTF::Ref<WebCore::ContainerNode, WTF::RawPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >&&, WebCore::EditAction)
6 0x2bfcd1a54 WebCore::CompositeEditCommand::appendNode(WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >&&, WTF::Ref<WebCore::ContainerNode, WTF::RawPtrTraits<WebCore::ContainerNode> >&&)
7 0x2bfcffe30 WebCore::CompositeEditCommand::cloneParagraphUnderNewElement(WebCore::Position const&, WebCore::Position const&, WebCore::Node*, WebCore::Element*)
8 0x2bfd00e94 WebCore::CompositeEditCommand::moveParagraphWithClones(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::Element*, WebCore::Node*)
9 0x2bfe0836c WebCore::IndentOutdentCommand::indentIntoBlockquote(WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&)
10 0x2bfe0a57c WebCore::IndentOutdentCommand::formatRange(WebCore::Position const&, WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&)
11 0x2bfcd0c88 WebCore::ApplyBlockElementCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)
12 0x2bfe0a4f8 WebCore::IndentOutdentCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)
13 0x2bfccf2a0 WebCore::ApplyBlockElementCommand::doApply()
14 0x2bfccd16c WebCore::CompositeEditCommand::apply()
15 0x2bfe233b8 WebCore::executeIndent(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)
16 0x2bfdb7800 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
17 0x2bf5ffc88 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
18 0x2b8596f68 WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)
19 0x2b859636c long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
20 0x2b855d7c8 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)
21 0x28000c03c
22 0x155115f44 llint_entry
23 0x1550efaf8 vmEntryToJavaScript
24 0x157a859dc JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
25 0x157a8376c JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
26 0x1586ba640 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
27 0x1586bab24 JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
28 0x2be2a85d0 WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
29 0x2be2a76f8 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
30 0x2be2a70fc WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
31 0x2be2a8aac WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)
Attachments
Repro case (462 bytes, text/html)
2022-05-13 03:33 PDT, Frédéric Wang (:fredw)
no flags
Patch (3.22 KB, patch)
2022-05-13 03:43 PDT, Rob Buis
rbuis: review?
ews-feeder: commit-queue-
Radar WebKit Bug Importer
Comment 1 2022-05-13 03:33:28 PDT
Rob Buis
Comment 2 2022-05-13 03:43:45 PDT
Miguel Salinas
Comment 3 2022-10-31 14:10:07 PDT
This is not a security bug. We're failing an assertion in debug builds only. This assertion asserts that the parent element we are appending a node to is editable before we try to append to it. Without the assertion we only fail to append the node and potentially lose the node.
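The triage reasoning in Comment 3 rests on one precondition and on what happens in a release build when it is violated. The constructed C++ model below is an added illustration of that reasoning; it is not WebKit's AppendNodeCommand, not part of this bug's patch, and the Node struct, the `editable`/`rendered` fields (standing in for hasEditableStyle() and renderer()), appendNode and the scenario functions are all assumptions made for the example.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed model for this example (not WebKit's classes): a node carrying
// the two properties the assertion inspects. `editable` stands in for
// hasEditableStyle(); `rendered` stands in for renderer() != nullptr.
struct Node {
    std::string name;
    bool editable = true;
    bool rendered = true;
    std::vector<Node*> children;
    Node* parent = nullptr;
};

// The precondition the debug build asserts when the command is constructed:
// the parent must be editable, or must not be rendered at all.
bool appendPreconditionHolds(const Node& parent) {
    return parent.editable || !parent.rendered;
}

// Release-build behaviour as described in Comment 3: when the precondition
// does not hold, nothing is appended and the caller simply loses the node.
// No stale pointer is dereferenced and no memory is freed early, which is why
// a failing assertion here is a correctness bug, not a memory-safety one.
bool appendNode(Node& parent, Node& node) {
    if (!appendPreconditionHolds(parent))
        return false;
    parent.children.push_back(&node);
    node.parent = &parent;
    return true;
}

// True if `node` is reachable from `root` (root itself included).
bool isInTree(const Node& root, const Node& node) {
    if (&root == &node)
        return true;
    for (const Node* child : root.children)
        if (isInTree(*child, node))
            return true;
    return false;
}

// Scenario 1: an editable, rendered parent accepts the append.
bool editableParentAccepts() {
    Node root{"root"};
    Node child{"child"};
    return appendNode(root, child) && isInTree(root, child);
}

// Scenario 2: a rendered but non-editable parent (the state the fuzzer
// reached) rejects the append; the node ends up nowhere in the tree.
bool nonEditableRenderedParentRejects() {
    Node root{"root"};
    Node readOnly{"readonly", false, true};
    Node child{"child"};
    bool rootOk = appendNode(root, readOnly);
    bool appended = appendNode(readOnly, child);
    return rootOk && !appended && !isInTree(root, child) && child.parent == nullptr;
}

// Scenario 3: a non-editable parent with no renderer still accepts the
// append, because the assertion's second disjunct (!renderer()) holds.
bool unrenderedParentAccepts() {
    Node hidden{"hidden", false, false};
    Node child{"child"};
    return appendNode(hidden, child) && isInTree(hidden, child);
}

int main() {
    std::printf("editable parent accepts: %s\n", editableParentAccepts() ? "yes" : "no");
    std::printf("non-editable rendered parent rejects: %s\n", nonEditableRenderedParentRejects() ? "yes" : "no");
    std::printf("unrendered parent accepts: %s\n", unrenderedParentAccepts() ? "yes" : "no");
    return 0;
}
```

Scenario 2 is the one that matters for triage: the observable effect of the violated precondition is a silently dropped node, which is a lost edit rather than a memory-safety problem, matching the "not a security bug" verdict. In a debug build the same condition fires the assertion at construction time, which is what the fuzzer surfaced.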
Miguel Salinas
Comment 4 2022-10-31 14:12:28 PDT
EWS
Comment 5 2022-11-16 12:50:58 PST
Committed 256749@main (8a344c3387b2): <https://commits.webkit.org/256749@main> Reviewed commits have been landed. Closing PR #5979 and removing active labels.