Bug 218495

Summary:

EXC_BAD_INSTRUCTION in CompositeEditCommand::moveParagraphs+8933

Product:

WebKit

Reporter:

Ian Gilbert <iang>

Component:

HTML Editing

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED DUPLICATE

Severity:

Normal

CC:

bfulgham, cgarcia, julian_a_gonzalez, product-security, rbuis, rniwa, svillar, webkit-bug-importer, wenson_hsieh

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Crashing input	none
Reduced test case	none

Description Ian Gilbert 2020-11-03 02:50:06 PST

Stack Trace
===========

Stack Trace
=========

frame #0: WebCore`WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool)+8933
frame #1: WebCore`WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::SimpleRange&)+7504
frame #2: WebCore`WebCore::InsertListCommand::doApply()+7534
frame #3: WebCore`WebCore::CompositeEditCommand::apply()+500
frame #4: WebCore`WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)+109
frame #5: WebCore`WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)+77
frame #6: WebCore`WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::JSGlobalObject*, JSC::CallFrame*)+428
frame #7: JavaScriptCore`llint_entry+104868
frame #8: JavaScriptCore`vmEntryToJavaScript+216
frame #9: JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+518
frame #10: JavaScriptCore`JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+147

Comment 1 Radar WebKit Bug Importer 2020-11-03 02:50:21 PST

<rdar://problem/70987467>

Comment 2 Ian Gilbert 2020-11-03 02:51:10 PST

Created attachment 413029 [details]
Crashing input

Comment 3 Ryosuke Niwa 2020-11-03 13:08:13 PST

<rdar://problem/70094270>

Comment 4 Rob Buis 2020-11-17 02:42:56 PST

On LinuxGTK I get:
STDERR: ASSERTION FAILED: initialized()
STDERR: DerivedSources/ForwardingHeaders/wtf/Optional.h(540) : constexpr T&& WTF::Optional< <template-parameter-1-1> >::operator*() && [with T = WebCore::SimpleRange]
STDERR: 1   0x7f5d596cb77d WTFCrash
STDERR: 2   0x7f5d6aac3599 WTF::Optional<WebCore::SimpleRange>::operator*() &&
STDERR: 3   0x7f5d6cec006e WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool)
STDERR: 4   0x7f5d6b2711aa WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*)
STDERR: 5   0x7f5d6b27091a WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::SimpleRange&)
STDERR: 6   0x7f5d6b26ffa5 WebCore::InsertListCommand::doApply()
STDERR: 7   0x7f5d6ceb9c8a WebCore::CompositeEditCommand::apply()
STDERR: 8   0x7f5d6b248dda /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x10023dda) [0x7f5d6b248dda]
STDERR: 9   0x7f5d6b24d0bc WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
STDERR: 10  0x7f5d6afe3c4f WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
STDERR: 11  0x7f5d6995de3a /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe738e3a) [0x7f5d6995de3a]
STDERR: 12  0x7f5d6997f903 /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe75a903) [0x7f5d6997f903]
STDERR: 13  0x7f5d6995df08 /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe738f08) [0x7f5d6995df08]
STDERR: 14  0x7f5d0f687178 [0x7f5d0f687178]
STDERR: LEAK: 1 WebPageProxy

Comment 5 Carlos Garcia Campos 2020-11-17 02:53:30 PST

(In reply to Rob Buis from comment #4)
> On LinuxGTK I get:
> STDERR: ASSERTION FAILED: initialized()
> STDERR: DerivedSources/ForwardingHeaders/wtf/Optional.h(540) : constexpr T&&
> WTF::Optional< <template-parameter-1-1> >::operator*() && [with T =
> WebCore::SimpleRange]
> STDERR: 1   0x7f5d596cb77d WTFCrash
> STDERR: 2   0x7f5d6aac3599 WTF::Optional<WebCore::SimpleRange>::operator*()
> &&
> STDERR: 3   0x7f5d6cec006e
> WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition
> const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&,
> bool, bool)
> STDERR: 4   0x7f5d6b2711aa
> WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition
> const&, WebCore::HTMLElement*, WebCore::Node*)
> STDERR: 5   0x7f5d6b27091a
> WebCore::InsertListCommand::doApplyForSingleParagraph(bool,
> WebCore::HTMLQualifiedName const&, WebCore::SimpleRange&)
> STDERR: 6   0x7f5d6b26ffa5 WebCore::InsertListCommand::doApply()
> STDERR: 7   0x7f5d6ceb9c8a WebCore::CompositeEditCommand::apply()
> STDERR: 8   0x7f5d6b248dda
> /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x10023dda)
> [0x7f5d6b248dda]
> STDERR: 9   0x7f5d6b24d0bc WebCore::Editor::Command::execute(WTF::String
> const&, WebCore::Event*) const
> STDERR: 10  0x7f5d6afe3c4f WebCore::Document::execCommand(WTF::String
> const&, bool, WTF::String const&)
> STDERR: 11  0x7f5d6995de3a
> /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe738e3a)
> [0x7f5d6995de3a]
> STDERR: 12  0x7f5d6997f903
> /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe75a903)
> [0x7f5d6997f903]
> STDERR: 13  0x7f5d6995df08
> /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe738f08)
> [0x7f5d6995df08]
> STDERR: 14  0x7f5d0f687178 [0x7f5d0f687178]
> STDERR: LEAK: 1 WebPageProxy

Looks like bug #218494

Comment 6 Rob Buis 2020-11-17 02:55:41 PST

(In reply to Carlos Garcia Campos from comment #5) 
> Looks like bug #218494

Yeah, applying your fix there results in :
STDERR: ASSERTION FAILED: startOfParagraphToMove == endOfParagraphToMove || !endOfParagraphToMove.isNull()
STDERR: ../../Source/WebCore/editing/CompositeEditCommand.cpp(1403) : void WebCore::CompositeEditCommand::moveParagraphs(const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, const WebCore::VisiblePosition&, bool, bool)
STDERR: 1   0x7efe8587d77d WTFCrash
STDERR: 2   0x7efe942185d7 /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xce415d7) [0x7efe942185d7]
STDERR: 3   0x7efe99071477 WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool)
STDERR: 4   0x7efe9742295e 

I assume this is a small improvement (crash seems later) but obviously still problematic.

Comment 7 Ryosuke Niwa 2020-11-17 14:32:10 PST

(In reply to Rob Buis from comment #6)
> (In reply to Carlos Garcia Campos from comment #5) 
> > Looks like bug #218494
> 
> Yeah, applying your fix there results in :
> STDERR: ASSERTION FAILED: startOfParagraphToMove == endOfParagraphToMove ||
> !endOfParagraphToMove.isNull()
> STDERR: ../../Source/WebCore/editing/CompositeEditCommand.cpp(1403) : void
> WebCore::CompositeEditCommand::moveParagraphs(const
> WebCore::VisiblePosition&, const WebCore::VisiblePosition&, const
> WebCore::VisiblePosition&, bool, bool)
> STDERR: 1   0x7efe8587d77d WTFCrash
> STDERR: 2   0x7efe942185d7
> /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xce415d7)
> [0x7efe942185d7]
> STDERR: 3   0x7efe99071477
> WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition
> const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&,
> bool, bool)
> STDERR: 4   0x7efe9742295e 
> 
> I assume this is a small improvement (crash seems later) but obviously still
> problematic.

Isn't that https://bugs.webkit.org/show_bug.cgi?id=218492 ?

Comment 8 Carlos Garcia Campos 2020-11-27 03:28:09 PST

Created attachment 414937 [details]
Reduced test case

Comment 9 Carlos Garcia Campos 2020-11-27 03:29:12 PST

The problem is indeed similar to bug #218494, but in this case the li element has the actual body element as a child, so the fix for bug #218494 doesn't work here.

Comment 10 Ryosuke Niwa 2020-11-30 14:32:02 PST

(In reply to Carlos Garcia Campos from comment #9)
> The problem is indeed similar to bug #218494, but in this case the li
> element has the actual body element as a child, so the fix for bug #218494
> doesn't work here.

Ah, ok.

Comment 11 Carlos Garcia Campos 2020-12-16 05:48:45 PST

So, the problem is the same than in bug #218494, endOfParagraphToMove is null in CompositeEditCommand::moveParagraphs() and also comes from InsertListCommand::unlistifyParagraph(), but the reason is different in this case. In InsertListCommand::unlistifyParagraph() firstPositionInNode and lastPositionInNode of the list child they both return the same position (offset 0 of LI 0x7f0eb851a7b0 id='htmlvar00010'). but when converted to a VisiblePosition, start is offset 0 of #text 0x7f0eb851a830 length=1 "a" and end is null. I don't understand why yet. The debug tree is this one:

BODY	0x7f0eb85192e0 (renderer 0x7f0eb8519470) 
	#text	0x7f0eb851a450 "\n"
	MAP	0x7f0eb851a4b0 (renderer 0x7f0eb851a990) 
		#text	0x7f0eb851a530 "\n"
		UL	0x7f0eb97c4010 (renderer 0x7f0e6004c200) 
			#text	0x7f0eb851a610 "\n"
			LI	0x7f0eb851a7b0 (renderer 0x7f0eb851b1f0) 
*				#text	0x7f0eb851a830 "a"
				PRE	0x7f0eb851a890 (renderer 0x7f0e6004c300) 
					#text	0x7f0eb97d8058 "b"
		#text	0x7f0eb851a750 "\n"
		#text	0x7f0eb97d80b0 "\n"
		LI	0x7f0eb851a910 (renderer 0x7f0eb851b720) 
			#text	0x7f0eb97d8108 "c"
		#text	0x7f0eb97d8160 "\n"
	#text	0x7f0eb97d81b8 "\n\n\n"
offset, offset:0

Comment 12 Julian Gonzalez 2021-01-20 18:35:16 PST

Ryosuke pointed out that this looks just like https://bugs.webkit.org/show_bug.cgi?id=220630

Comment 13 Julian Gonzalez 2021-01-20 18:39:24 PST

(In reply to Julian Gonzalez from comment #12)
> Ryosuke pointed out that this looks just like
> https://bugs.webkit.org/show_bug.cgi?id=220630

Indeed, the reduced and original test cases here don't crash on trunk with the patch from 220630.

Comment 14 Ryosuke Niwa 2021-01-20 18:43:27 PST


*** This bug has been marked as a duplicate of bug 220630 ***