WebKit Bugzilla
RESOLVED FIXED
273581
Crash in CheckedPtr::decrementPtrCount via SplitTextNodeContainingElementCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=273581
Ryosuke Niwa
Reported
2024-05-01 15:10:12 PDT
e.g.

0 WebCore 0x11a8e45d8 OUTLINED_FUNCTION_0 + 8
1 WebCore 0x11b8c0ba4 WTFCrashWithInfo(int, char const*, char const*, int) + 24 [inlined]
2 WebCore 0x11b8c0ba4 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::decrementPtrCount() const + 24 (CheckedRef.h:286) [inlined]
3 WebCore 0x11b8c0ba4 WTF::CheckedPtr<WebCore::RenderElement, WTF::RawPtrTraits<WebCore::RenderElement>>::derefIfNotNull() + 24 (CheckedPtr.h:185) [inlined]
4 WebCore 0x11b8c0ba4 WTF::CheckedPtr<WebCore::RenderElement, WTF::RawPtrTraits<WebCore::RenderElement>>::~CheckedPtr() + 24 (CheckedPtr.h:72) [inlined]
5 WebCore 0x11b8c0ba4 WTF::CheckedPtr<WebCore::RenderElement, WTF::RawPtrTraits<WebCore::RenderElement>>::~CheckedPtr() + 24 (CheckedPtr.h:71) [inlined]
6 WebCore 0x11b8c0ba4 WebCore::SplitTextNodeContainingElementCommand::doApply() (.cold.1) + 24 (SplitTextNodeContainingElementCommand.cpp:65)
7 WebCore 0x11a845c40 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::EditCommand, WTF::RawPtrTraits<WebCore::EditCommand>, WTF::DefaultRefDerefTraits<WebCore::EditCommand>>&&) + 136 (CompositeEditCommand.cpp:498)
8 WebCore 0x11a841e00 WebCore::CompositeEditCommand::splitTextNodeContainingElement(WebCore::Text&, unsigned int) + 80 (CompositeEditCommand.cpp:729)
9 WebCore 0x11a83d638 WebCore::ApplyStyleCommand::splitTextElementAtEnd(WebCore::Position const&, WebCore::Position const&) + 92 (ApplyStyleCommand.cpp:1235)
10 WebCore 0x11a839b10 WebCore::ApplyStyleCommand::applyInlineStyle(WebCore::EditingStyle&) + 780 (ApplyStyleCommand.cpp:593)
11 WebCore 0x11a837a24 WebCore::ApplyStyleCommand::doApply() + 160 (ApplyStyleCommand.cpp:203)
12 WebCore 0x11a845c40 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::EditCommand, WTF::RawPtrTraits<WebCore::EditCommand>, WTF::DefaultRefDerefTraits<WebCore::EditCommand>>&&) + 136 (CompositeEditCommand.cpp:498)
13 WebCore 0x11a8b2f04 WebCore::RemoveFormatCommand::doApply() + 244 (RemoveFormatCommand.cpp:98)
14 WebCore 0x11a83344c WebCore::CompositeEditCommand::apply() + 300 (CompositeEditCommand.cpp:402)
15 WebCore 0x11a87343c WebCore::Editor::removeFormattingAndStyle() + 68 (Editor.cpp:961)
16 WebCore 0x11a89b520 WebCore::executeRemoveFormat(WebCore::LocalFrame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 24 (EditorCommand.cpp:1012)
17 WebCore 0x11a7359a4 WebCore::Document::execCommand(WTF::String const&, bool, std::__1::variant<WTF::String, WTF::RefPtr<WebCore::TrustedHTML, WTF::RawPtrTraits<WebCore::TrustedHTML>, WTF::DefaultRefDerefTraits<WebCore::TrustedHTML>>> const&) + 224 (Document.cpp:6928)
18 WebCore 0x119719b98 WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) + 440 (JSDocument.cpp:6446)

<rdar://127116949>
Ryosuke Niwa
Comment 1
2024-05-01 15:37:06 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/28013
EWS
Comment 2
2024-05-01 18:27:08 PDT
Committed 278242@main (6de0a6e596b6): <https://commits.webkit.org/278242@main>
Reviewed commits have been landed. Closing PR #28013 and removing active labels.