Bug 240377

Summary: ASSERTION FAILED: m_parent->hasEditableStyle() || !m_parent->renderer() via IndentOutdentCommand::indentIntoBlockquote
Product: WebKit
Reporter: Frédéric Wang (:fredw) <fred.wang>
Component: HTML Editing
Assignee: Miguel Salinas <miguel_salinas>
Status: RESOLVED FIXED
Severity: Normal
CC: beidson, bfulgham, brandonstewart, cgarcia, csaavedra, ews-feeder, fred.wang, gpoo, miguel_salinas, mmaxfield, msaboff, pascoe, rbuis, simon.fraser, svillar, webkit-bug-importer, wenson_hsieh, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: All
OS: All

Attachments:
  Repro case - Flags: none
  Patch - Flags: rbuis: review?, ews-feeder: commit-queue-

Description Frédéric Wang (:fredw) 2022-05-13 03:33:19 PDT
Created attachment 459289 [details]
Repro case

I'm opening this in the security component as the testcase was deduced from a fuzzer output.

At https://commits.webkit.org/250518@main in debug mode, I get the following debug assertion:

ASSERTION FAILED: m_parent->hasEditableStyle() || !m_parent->renderer()
./editing/AppendNodeCommand.cpp(44) : WebCore::AppendNodeCommand::AppendNodeCommand(Ref<WebCore::ContainerNode> &&, Ref<WebCore::Node> &&, WebCore::EditAction)
1   0x150cd55e8 WTFCrash
2   0x2b768dfe4 WTFCrashWithInfo(int, char const*, char const*, int)
3   0x2bfcce5c8 WebCore::AppendNodeCommand::AppendNodeCommand(WTF::Ref<WebCore::ContainerNode, WTF::RawPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >&&, WebCore::EditAction)
4   0x2bfcce644 WebCore::AppendNodeCommand::AppendNodeCommand(WTF::Ref<WebCore::ContainerNode, WTF::RawPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >&&, WebCore::EditAction)
5   0x2bfcf52d0 WebCore::AppendNodeCommand::create(WTF::Ref<WebCore::ContainerNode, WTF::RawPtrTraits<WebCore::ContainerNode> >&&, WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >&&, WebCore::EditAction)
6   0x2bfcd1a54 WebCore::CompositeEditCommand::appendNode(WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >&&, WTF::Ref<WebCore::ContainerNode, WTF::RawPtrTraits<WebCore::ContainerNode> >&&)
7   0x2bfcffe30 WebCore::CompositeEditCommand::cloneParagraphUnderNewElement(WebCore::Position const&, WebCore::Position const&, WebCore::Node*, WebCore::Element*)
8   0x2bfd00e94 WebCore::CompositeEditCommand::moveParagraphWithClones(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::Element*, WebCore::Node*)
9   0x2bfe0836c WebCore::IndentOutdentCommand::indentIntoBlockquote(WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&)
10  0x2bfe0a57c WebCore::IndentOutdentCommand::formatRange(WebCore::Position const&, WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&)
11  0x2bfcd0c88 WebCore::ApplyBlockElementCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)
12  0x2bfe0a4f8 WebCore::IndentOutdentCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)
13  0x2bfccf2a0 WebCore::ApplyBlockElementCommand::doApply()
14  0x2bfccd16c WebCore::CompositeEditCommand::apply()
15  0x2bfe233b8 WebCore::executeIndent(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)
16  0x2bfdb7800 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
17  0x2bf5ffc88 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
18  0x2b8596f68 WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)
19  0x2b859636c long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
20  0x2b855d7c8 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)
21  0x28000c03c
22  0x155115f44 llint_entry
23  0x1550efaf8 vmEntryToJavaScript
24  0x157a859dc JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
25  0x157a8376c JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
26  0x1586ba640 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
27  0x1586bab24 JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
28  0x2be2a85d0 WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
29  0x2be2a76f8 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
30  0x2be2a70fc WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
31  0x2be2a8aac WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)
Comment 1 Radar WebKit Bug Importer 2022-05-13 03:33:28 PDT
<rdar://problem/93236442>
Comment 2 Rob Buis 2022-05-13 03:43:45 PDT
Created attachment 459290 [details]
Patch
Comment 3 Miguel Salinas 2022-10-31 14:10:07 PDT
This is not a security bug. We're failing an assertion in debug builds only. This assertion asserts that the parent element we are appending a node to is editable before we try to append to it. Without the assertion we only fail to append the node and potentially lose the node.
Comment 4 Miguel Salinas 2022-10-31 14:12:28 PDT
Pull request: https://github.com/WebKit/WebKit/pull/5979
Comment 5 EWS 2022-11-16 12:50:58 PST
Committed 256749@main (8a344c3387b2): <https://commits.webkit.org/256749@main>

Reviewed commits have been landed. Closing PR #5979 and removing active labels.