| Summary: | Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands. |
|---|---|
| Product: | WebKit |
| Component: | HTML Editing |
| Reporter: | Jack <shihchieh_lee> |
| Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| Priority: | P2 |
| CC: | bfulgham, ews-feeder, ggaren, product-security, rniwa, webkit-bug-importer, wenson_hsieh |
| Keywords: | InRadar |
| Version: | WebKit Nightly Build |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Attachments: | |
Description (Jack, 2020-05-15 12:22:02 PDT)
```html
<script>
function run() {
  window.getSelection().setPosition(li, 1);
  document.execCommand("insertUnorderedList", false);
}
</script>
<body contentEditable="true"><li id=li><iframe onload="run()"></iframe>
```
Root cause: fixOrphanedListChild fires another load event, which removes a node that will be used.
1. We are processing the first insertUnorderedList (frame #90) and need to fix the orphaned LI by calling fixOrphanedListChild.
2. In fixOrphanedListChild, after inserting the UL we try to append the LI into the UL (frame #85), but this triggers a load event and invokes a second insertUnorderedList command (frame #16).
3. The second insertUnorderedList command removes the UL that was just created.
4. Later, the UL is dereferenced in unlistifyParagraph() and the code crashes.
```text
BODY 0x39b0bbab0 (renderer 0x39b0e23f0) (child needs style recalc)
*   UL 0x39b0e2a30 (renderer 0x0) (needs style recalc)
        LI 0x39b0bbb40 (renderer 0x39b0e2520)
            IFRAME 0x39b0bbbd0 (renderer 0x0)
```
Call stack that removes the UL node:
```text
* frame #0: 0x0000000377acd5bc WebCore`WebCore::Node::setParentNode(this=0x000000039b0e2a30, parent=0x0000000000000000) at Node.h:740:31
frame #1: 0x0000000377acf0d2 WebCore`WebCore::ContainerNode::removeBetween(this=0x000000039b0bbab0, previousChild=0x0000000000000000, nextChild=0x000000039b0e3c60, oldChild=0x000000039b0e2a30) at ContainerNode.cpp:615:14
frame #2: 0x0000000377aceb2c WebCore`WebCore::ContainerNode::removeNodeWithScriptAssertion(this=0x000000039b0bbab0, childToRemove=0x000000039b0e2a30, source=API) at ContainerNode.cpp:166:9
frame #3: 0x0000000377ace3a1 WebCore`WebCore::ContainerNode::removeChild(this=0x000000039b0bbab0, oldChild=0x000000039b0e2a30) at ContainerNode.cpp:577:10
frame #4: 0x0000000377ca23c8 WebCore`WebCore::Node::remove(this=0x000000039b0e2a30) at Node.cpp:628:20
frame #5: 0x0000000377e5a6cf WebCore`WebCore::RemoveNodeCommand::doApply(this=0x00000003976c4ae0) at RemoveNodeCommand.cpp:54:13
frame #6: 0x0000000377dcde0f WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x0000000397666e10, command=0x00007ffeef297560) at CompositeEditCommand.cpp:463:14
frame #7: 0x0000000377dcbf34 WebCore`WebCore::CompositeEditCommand::removeNode(this=0x0000000397666e10, node=0x000000039b0e2a30, shouldAssumeContentIsAlwaysEditable=DoNotAssumeContentIsAlwaysEditable) at CompositeEditCommand.cpp:599:5
frame #8: 0x0000000377dcf019 WebCore`WebCore::CompositeEditCommand::prune(this=0x0000000397666e10, node=0x000000039b0e2a30) at CompositeEditCommand.cpp:654:9
frame #9: 0x0000000377dcefbb WebCore`WebCore::CompositeEditCommand::removeNodeAndPruneAncestors(this=0x0000000397666e10, node=0x000000039b0bbb40) at CompositeEditCommand.cpp:611:5
frame #10: 0x0000000377dd3e29 WebCore`WebCore::CompositeEditCommand::cleanupAfterDeletion(this=0x0000000397666e10, destination=VisiblePosition @ 0x00007ffeef297a00) at CompositeEditCommand.cpp:1325:13
frame #11: 0x0000000377dd2b36 WebCore`WebCore::CompositeEditCommand::moveParagraphs(this=0x0000000397666e10, startOfParagraphToMove=0x00007ffeef297f98, endOfParagraphToMove=0x00007ffeef297f80, destination=0x00007ffeef297e18, preserveSelection=true, preserveStyle=true) at CompositeEditCommand.cpp:1478:5
frame #12: 0x0000000377e4df2f WebCore`WebCore::InsertListCommand::unlistifyParagraph(this=0x0000000397666e10, originalStart=0x00007ffeef2980a0, listNode=0x000000039b0e2a30, listChildNode=0x000000039b0bbb40) at InsertListCommand.cpp:330:5
frame #13: 0x0000000377e4d5ef WebCore`WebCore::InsertListCommand::doApplyForSingleParagraph(this=0x0000000397666e10, forceCreateList=false, listTag=0x000000037bcd7ef0, currentSelection=0x000000039bb97440) at InsertListCommand.cpp:266:9
frame #14: 0x0000000377e4cd3e WebCore`WebCore::InsertListCommand::doApply(this=0x0000000397666e10) at InsertListCommand.cpp:195:5
frame #15: 0x0000000377dbac85 WebCore`WebCore::CompositeEditCommand::apply(this=0x0000000397666e10) at CompositeEditCommand.cpp:372:9
frame #16: 0x0000000377e38f60 WebCore`WebCore::executeInsertUnorderedList(frame={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, isMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, (null)=0x0000000000000000, (null)=CommandFromDOM, (null)={ length = 0, contents = '' }) at EditorCommand.cpp:543:91
frame #17: 0x0000000377e105cb WebCore`WebCore::Editor::Command::execute(this=0x00007ffeef298858, parameter={ length = 0, contents = '' }, triggeringEvent=0x0000000000000000) const at EditorCommand.cpp:1876:12
frame #18: 0x0000000377b40795 WebCore`WebCore::Document::execCommand(this={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, commandName={ length = 19, contents = 'insertUnorderedList' }, userInterface=false, value={ length = 0, contents = '' }) at Document.cpp:5544:54
frame #19: 0x0000000375c53044 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommandBody(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef298af0, castedThis=0x000000039bbf24e8, throwScope=0x00007ffeef298a68) at JSDocument.cpp:6271:57
frame #20: 0x0000000375b5a612 WebCore`long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef298af0, operationName="execCommand")), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) at JSDOMOperation.h:53:16
frame #21: 0x0000000375b5a2f4 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommand(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef298af0) at JSDocument.cpp:6277:12
frame #22: 0x000059e0bb201178
frame #23: 0x0000000390ea463d JavaScriptCore`llint_entry at LowLevelInterpreter.asm:1045
frame #24: 0x0000000390ea463d JavaScriptCore`llint_entry at LowLevelInterpreter.asm:1045
frame #25: 0x0000000390e84ef3 JavaScriptCore`vmEntryToJavaScript at LowLevelInterpreter64.asm:296
frame #26: 0x0000000391c3226b JavaScriptCore`JSC::JITCode::execute(this=0x000000039bbc2528, vm=0x000000039b100000, protoCallFrame=0x00007ffeef298e08) at JITCodeInlines.h:42:38
frame #27: 0x0000000391c32a2f JavaScriptCore`JSC::Interpreter::executeCall(this=0x00000003976feb78, lexicalGlobalObject=0x00000003999f2768, function=0x0000000399598a60, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef298f70, args=0x00007ffeef2992f8) at Interpreter.cpp:934:31
frame #28: 0x0000000391f8f1bd JavaScriptCore`JSC::call(globalObject=0x00000003999f2768, functionObject=JSValue @ 0x00007ffeef298fe0, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef298fd8, args=0x00007ffeef2992f8) at CallData.cpp:58:28
frame #29: 0x0000000391f8f29f JavaScriptCore`JSC::call(globalObject=0x00000003999f2768, functionObject=JSValue @ 0x00007ffeef2990e0, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef2990d8, args=0x00007ffeef2992f8, returnedException=0x00007ffeef299320) at CallData.cpp:65:22
frame #30: 0x0000000391f8f582 JavaScriptCore`JSC::profiledCall(globalObject=0x00000003999f2768, reason=Other, functionObject=JSValue @ 0x00007ffeef299170, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef299168, args=0x00007ffeef2992f8, returnedException=0x00007ffeef299320) at CallData.cpp:86:12
frame #31: 0x00000003775c0b0e WebCore`WebCore::JSExecState::profiledCall(lexicalGlobalObject=0x00000003999f2768, reason=Other, functionObject=JSValue @ 0x00007ffeef2991f0, callData=0x00007ffeef299438, thisValue=JSValue @ 0x00007ffeef2991e8, args=0x00007ffeef2992f8, returnedException=0x00007ffeef299320) at JSExecState.h:73:16
frame #32: 0x00000003775dd8dc WebCore`WebCore::JSEventListener::handleEvent(this=0x00000003976aabc8, scriptExecutionContext={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, event=0x000000039b0e2ac0) at JSEventListener.cpp:179:22
frame #33: 0x0000000377c39027 WebCore`WebCore::EventTarget::innerInvokeEventListeners(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0, listeners={ size = 1, capacity = 1 }, phase=Bubbling) at EventTarget.cpp:335:40
frame #34: 0x0000000377c35300 WebCore`WebCore::EventTarget::fireEventListeners(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0, phase=Bubbling) at EventTarget.cpp:267:9
frame #35: 0x0000000377cab662 WebCore`WebCore::Node::handleLocalEvents(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0, phase=Bubbling) at Node.cpp:2371:5
frame #36: 0x0000000377c23a41 WebCore`WebCore::EventContext::handleLocalEvents(this=0x000000039bb96f28, event=0x000000039b0e2ac0, phase=Bubbling) const at EventContext.cpp:55:17
frame #37: 0x0000000377c2450f WebCore`WebCore::dispatchEventInDOM(event=0x000000039b0e2ac0, path=0x00007ffeef299858) at EventDispatcher.cpp:100:22
frame #38: 0x0000000377c24047 WebCore`WebCore::EventDispatcher::dispatchEvent(node=0x000000039b0bbbd0, event=0x000000039b0e2ac0) at EventDispatcher.cpp:154:9
frame #39: 0x0000000377cab6bd WebCore`WebCore::Node::dispatchEvent(this=0x000000039b0bbbd0, event=0x000000039b0e2ac0) at Node.cpp:2381:5
frame #40: 0x0000000378762715 WebCore`WebCore::DOMWindow::dispatchLoadEvent(this=0x000000039b0e2b20) at DOMWindow.cpp:2217:20
frame #41: 0x0000000377b2faf8 WebCore`WebCore::Document::dispatchWindowLoadEvent(this={ origin = file://, url = about:blank, inMainFrame = Detached, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:4800:18
frame #42: 0x0000000377b2f655 WebCore`WebCore::Document::implicitClose(this={ origin = file://, url = about:blank, inMainFrame = Detached, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:3058:5
frame #43: 0x00000003785d6fab WebCore`WebCore::FrameLoader::checkCallImplicitClose(this=0x00000003976e2b60) at FrameLoader.cpp:965:25
frame #44: 0x00000003785d6aba WebCore`WebCore::FrameLoader::checkCompleted(this=0x00000003976e2b60) at FrameLoader.cpp:906:5
frame #45: 0x00000003785d4d87 WebCore`WebCore::FrameLoader::finishedParsing(this=0x00000003976e2b60) at FrameLoader.cpp:816:5
frame #46: 0x0000000377b42926 WebCore`WebCore::Document::finishedParsing(this={ origin = file://, url = about:blank, inMainFrame = Detached, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:5863:25
frame #47: 0x0000000378206df8 WebCore`WebCore::HTMLConstructionSite::finishedParsing(this=0x0000000397665bb0) at HTMLConstructionSite.cpp:419:16
frame #48: 0x0000000378253657 WebCore`WebCore::HTMLTreeBuilder::finished(this=0x0000000397665b90) at HTMLTreeBuilder.cpp:2843:12
frame #49: 0x000000037820e258 WebCore`WebCore::HTMLDocumentParser::end(this=0x00000003999c6400) at HTMLDocumentParser.cpp:449:20
frame #50: 0x000000037820c0d8 WebCore`WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd(this=0x00000003999c6400) at HTMLDocumentParser.cpp:458:5
frame #51: 0x000000037820be07 WebCore`WebCore::HTMLDocumentParser::prepareToStopParsing(this=0x00000003999c6400) at HTMLDocumentParser.cpp:153:5
frame #52: 0x000000037820e2c2 WebCore`WebCore::HTMLDocumentParser::attemptToEnd(this=0x00000003999c6400) at HTMLDocumentParser.cpp:470:5
frame #53: 0x000000037820e399 WebCore`WebCore::HTMLDocumentParser::finish(this=0x00000003999c6400) at HTMLDocumentParser.cpp:498:5
frame #54: 0x0000000378574be2 WebCore`WebCore::DocumentWriter::end(this=0x00000003994edc90) at DocumentWriter.cpp:288:15
frame #55: 0x0000000378573c34 WebCore`WebCore::DocumentLoader::finishedLoading(this=0x00000003994edc00) at DocumentLoader.cpp:452:14
frame #56: 0x000000037857f244 WebCore`WebCore::DocumentLoader::maybeLoadEmpty(this=0x00000003994edc00) at DocumentLoader.cpp:1799:5
frame #57: 0x000000037857f3d5 WebCore`WebCore::DocumentLoader::startLoadingMainResource(this=0x00000003994edc00) at DocumentLoader.cpp:1813:9
frame #58: 0x0000000378605bec WebCore`WebCore::FrameLoader::continueLoadAfterNavigationPolicy(this=0x0000000397654458)::$_11::operator()() at FrameLoader.cpp:3506:38
frame #59: 0x00000003786054fe WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11, void>::call(this=0x0000000397654450) at Function.h:52:39
frame #60: 0x00000003752d1752 WebCore`WTF::Function<void ()>::operator(this=0x00007ffeef29a650)() const at Function.h:84:35
frame #61: 0x000000037532f39e WebCore`WTF::CompletionHandler<void ()>::operator(this=0x00007ffeef29a7e0)() at CompletionHandler.h:62:16
frame #62: 0x00000003785e061a WebCore`WebCore::FrameLoader::continueLoadAfterNavigationPolicy(this=0x00000003976e2b60, request=0x00000003976e6480, formState=0x0000000000000000, navigationPolicyDecision=ContinueLoad, allowNavigationToInvalidURL=Yes) at FrameLoader.cpp:3510:9
frame #63: 0x0000000378603080 WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x000000039767c1b8, request=0x00000003976e6480, formState=0x00007ffeef29ad90, navigationPolicyDecision=ContinueLoad)>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) at FrameLoader.cpp:1651:9
frame #64: 0x0000000378602f3c WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8, void, WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision>::call(this=0x000000039767c1b0, in=0x00000003976e6480, in=0x00007ffeef29ad90, in=ContinueLoad) at Function.h:52:39
frame #65: 0x00000003786384e1 WebCore`WTF::Function<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>::operator(this=0x00007ffeef29aba8, in=0x00000003976e6480, in=0x00007ffeef29ad90, in=ContinueLoad)(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) const at Function.h:84:35
frame #66: 0x000000037862d987 WebCore`WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>::operator(this=0x00000003976e6470, in=0x00000003976e6480, in=0x00007ffeef29ad90, in=ContinueLoad)(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) at CompletionHandler.h:62:16
frame #67: 0x000000037863b73e WebCore`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(this=0x00000003976e6468, policyAction=Use, responseIdentifier=PolicyCheckIdentifier @ 0x00007ffeef29b330)>&&, WebCore::PolicyDecisionMode)::$_7::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) at PolicyChecker.cpp:237:20
frame #68: 0x000000037863a547 WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_7, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(this=0x00000003976e6460, in=Use, in=PolicyCheckIdentifier @ 0x00007ffeef29b450) at Function.h:52:39
frame #69: 0x00000003785d2b78 WebCore`WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator(this=0x00007ffeef29b8f8, in=Use, in=PolicyCheckIdentifier @ 0x00007ffeef29b4b0)(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const at Function.h:84:35
frame #70: 0x000000037862d40a WebCore`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(this=0x00000003976e5850, request=0x00007ffeef29c790, redirectResponse=0x00007ffeef29c698, loader=0x00000003994edc00, formState=0x00007ffeef29ddd0, function=0x00007ffeef29c688, policyDecisionMode=Asynchronous)>&&, WebCore::PolicyDecisionMode) at PolicyChecker.cpp:245:9
frame #71: 0x00000003785df46c WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x00000003976e2b60, loader=0x00000003994edc00, type=RedirectWithLockedBackForwardList, formState=0x00007ffeef29ddd0, allowNavigationToInvalidURL=Yes, completionHandler=0x00007ffeef29d498)>&&) at FrameLoader.cpp:1650:21
frame #72: 0x00000003785dd4d5 WebCore`WebCore::FrameLoader::loadWithNavigationAction(this=0x00000003976e2b60, request=0x00007ffeef29da78, action=0x00007ffeef29d8a8, type=RedirectWithLockedBackForwardList, formState=0x00007ffeef29ddd0, allowNavigationToInvalidURL=Yes, completionHandler=0x00007ffeef29d498)>&&) at FrameLoader.cpp:1517:5
frame #73: 0x00000003785d9871 WebCore`WebCore::FrameLoader::loadURL(this=0x00000003976e2b60, frameLoadRequest=0x00007ffeef29def0, referrer={ length = 0, contents = '' }, newLoadType=RedirectWithLockedBackForwardList, event=0x0000000000000000, formState=0x00007ffeef29ddd0, adClickAttribution=0x00007ffeef29dd88, completionHandler=0x00007ffeef29dd70)>&&) at FrameLoader.cpp:1426:5
frame #74: 0x00000003785d7900 WebCore`WebCore::FrameLoader::loadURLIntoChildFrame(this=0x00000003976e2340, url={ about:blank }, referer={ length = 0, contents = '' }, childFrame={ origin = file://, url = about:blank, isMainFrame = 0, backForwardCacheState = NotInBackForwardCache }) at FrameLoader.cpp:1000:26
frame #75: 0x000000037864d40b WebCore`WebCore::FrameLoader::SubframeLoader::loadSubframe(this=0x00000003976f6dd0, ownerElement=0x000000039b0bbbd0, url={ about:blank }, name={ length = 0, contents = '' }, referrer={ length = 57, contents = 'file:///Users/jacklee/browser2/63224871/min-63224871.html' }) at SubframeLoader.cpp:347:22
frame #76: 0x000000037864bc25 WebCore`WebCore::FrameLoader::SubframeLoader::loadOrRedirectSubframe(this=0x00000003976f6dd0, ownerElement=0x000000039b0bbbd0, requestURL={ about:blank }, frameName={ length = 0, contents = '' }, lockHistory=Yes, lockBackForwardList=Yes) at SubframeLoader.cpp:309:17
frame #77: 0x000000037864b66b WebCore`WebCore::FrameLoader::SubframeLoader::requestFrame(this=0x00000003976f6dd0, ownerElement=0x000000039b0bbbd0, urlString={ length = 11, contents = 'about:blank' }, frameName={ length = 0, contents = '' }, lockHistory=Yes, lockBackForwardList=Yes) at SubframeLoader.cpp:98:20
frame #78: 0x0000000377fc53c8 WebCore`WebCore::HTMLFrameElementBase::openURL(this=0x000000039b0bbbd0, lockHistory=Yes, lockBackForwardList=Yes) at HTMLFrameElementBase.cpp:102:44
frame #79: 0x0000000377fc55f2 WebCore`WebCore::HTMLFrameElementBase::didFinishInsertingNode(this=0x000000039b0bbbd0) at HTMLFrameElementBase.cpp:142:5
frame #80: 0x0000000377acfce4 WebCore`void WebCore::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4>(containerNode=0x000000039b0e2a30, child=0x000000039b0bbb40, source=API, replacedAllChildren=No, doNodeInsertion=(anonymous class) @ 0x00007ffeef29e880)::$_4) at ContainerNode.cpp:213:17
frame #81: 0x0000000377acc9ca WebCore`WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(this=0x000000039b0e2a30, newChild=0x000000039b0bbb40) at ContainerNode.cpp:726:9
frame #82: 0x0000000377acf9d6 WebCore`WebCore::ContainerNode::appendChild(this=0x000000039b0e2a30, newChild=0x000000039b0bbb40) at ContainerNode.cpp:692:12
frame #83: 0x0000000377dbb53d WebCore`WebCore::AppendNodeCommand::doApply(this=0x00000003976f96c0) at AppendNodeCommand.cpp:51:15
frame #84: 0x0000000377dcde0f WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x0000000397666960, command=0x00007ffeef29eae0) at CompositeEditCommand.cpp:463:14
frame #85: 0x0000000377dbd059 WebCore`WebCore::CompositeEditCommand::appendNode(this=0x0000000397666960, node=0x00007ffeef29eb40, parent=0x00007ffeef29eb38) at CompositeEditCommand.cpp:581:5
frame #86: 0x0000000377e4be60 WebCore`WebCore::InsertListCommand::fixOrphanedListChild(this=0x0000000397666960, node=0x000000039b0bbb40) at InsertListCommand.cpp:65:5
frame #87: 0x0000000377e4ce3c WebCore`WebCore::InsertListCommand::doApplyForSingleParagraph(this=0x0000000397666960, forceCreateList=false, listTag=0x000000037bcd7ef0, currentSelection=0x000000039bb97b40) at InsertListCommand.cpp:215:47
frame #88: 0x0000000377e4cd3e WebCore`WebCore::InsertListCommand::doApply(this=0x0000000397666960) at InsertListCommand.cpp:195:5
frame #89: 0x0000000377dbac85 WebCore`WebCore::CompositeEditCommand::apply(this=0x0000000397666960) at CompositeEditCommand.cpp:372:9
frame #90: 0x0000000377e38f60 WebCore`WebCore::executeInsertUnorderedList(frame={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, isMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, (null)=0x0000000000000000, (null)=CommandFromDOM, (null)={ length = 0, contents = '' }) at EditorCommand.cpp:543:91
frame #91: 0x0000000377e105cb WebCore`WebCore::Editor::Command::execute(this=0x00007ffeef29f3f8, parameter={ length = 0, contents = '' }, triggeringEvent=0x0000000000000000) const at EditorCommand.cpp:1876:12
frame #92: 0x0000000377b40795 WebCore`WebCore::Document::execCommand(this={ origin = file://, url = file:///Users/jacklee/browser2/63224871/min-63224871.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, commandName={ length = 19, contents = 'insertUnorderedList' }, userInterface=false, value={ length = 0, contents = '' }) at Document.cpp:5544:54
frame #93: 0x0000000375c53044 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommandBody(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef29f690, castedThis=0x000000039bbf24e8, throwScope=0x00007ffeef29f608) at JSDocument.cpp:6271:57
frame #94: 0x0000000375b5a612 WebCore`long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef29f690, operationName="execCommand")), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) at JSDOMOperation.h:53:16
frame #95: 0x0000000375b5a2f4 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommand(lexicalGlobalObject=0x00000003999f2768, callFrame=0x00007ffeef29f690) at JSDocument.cpp:6277:12
```
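The reentrancy in steps 2 and 3 above, as an added C++ illustration that is not WebKit code and not the landed patch: a toy DOM in which appending a subtree runs frame load handlers synchronously, a list command that keeps using a freshly created UL across that step, and the variant that re-checks the UL is still connected before touching it. Node, Outcome, insertUnorderedList and runScenario are hypothetical names introduced for this example.

```cpp
#include <algorithm>
#include <functional>
#include <string>
#include <vector>

// Hypothetical DOM model (not WebKit's Node): just enough to show the hazard.
struct Node {
    std::string tag;
    Node* parent = nullptr;
    std::vector<Node*> children;
    std::function<void()> onLoad;   // the script an <iframe onload> would run
    explicit Node(std::string t) : tag(std::move(t)) {}
    bool isConnected() const {      // true when the parent chain reaches the BODY root
        const Node* n = this;
        while (n->parent) n = n->parent;
        return n->tag == "BODY";
    }
};

static void removeFromParent(Node& n) {
    if (!n.parent) return;
    auto& siblings = n.parent->children;
    siblings.erase(std::find(siblings.begin(), siblings.end(), &n));
    n.parent = nullptr;
}

// Frames in an inserted subtree load and run their handlers synchronously,
// before appendChild returns (compare frames #79 to #85 of the report).
static void fireLoadHandlers(Node& n) {
    if (n.tag == "IFRAME" && n.onLoad) n.onLoad();
    for (Node* c : n.children) fireLoadHandlers(*c);
}

static void appendChild(Node& parent, Node& child) {
    removeFromParent(child);
    child.parent = &parent;
    parent.children.push_back(&child);
    fireLoadHandlers(child);
}

enum class Outcome { Completed, AbortedListDetached, NullDeref };
// Orphaned-LI path of the list command: create a UL, move the LI into it, then
// keep using the UL. With revalidate=true the UL is re-checked after the step
// that can run script instead of being trusted across it.
static Outcome insertUnorderedList(Node& li, Node& ul, bool revalidate) {
    appendChild(*li.parent, ul);    // UL becomes a sibling of the LI
    appendChild(ul, li);            // moves LI and its IFRAME into UL: script runs here
    if (revalidate && !ul.isConnected())
        return Outcome::AbortedListDetached;
    if (!ul.parent)                 // the null parent unlistifyParagraph() would follow
        return Outcome::NullDeref;
    return Outcome::Completed;
}

// BODY > LI > IFRAME as in the test case. The onload script plays the nested
// insertUnorderedList, which in the report removed the freshly created UL.
Outcome runScenario(bool revalidate) {
    Node body("BODY"), li("LI"), iframe("IFRAME"), ul("UL");
    appendChild(body, li);
    appendChild(li, iframe);        // no handler installed yet, so nothing runs
    bool fired = false;
    iframe.onLoad = [&] {
        if (fired) return;          // the nested command runs only once
        fired = true;
        appendChild(body, li);      // nested command moves the LI back out of the UL ...
        removeFromParent(ul);       // ... and prunes the now-empty UL (report step 3)
    };
    return insertUnorderedList(li, ul, revalidate);
}
```

Without the re-check the command reaches the null parent it would dereference; with it the command bails out once the UL has been pulled out of the tree by the script that ran inside appendChild.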
Created attachment 399514: Patch
Created attachment 399516: Patch
Comment on attachment 399516 (Patch): r=me
Committed r261777: <https://trac.webkit.org/changeset/261777>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 399516.