[Webkit-unassigned] [Bug 120625] New: ASSERTION FAILED: commonScope in WebCore::comparePositions

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 3 02:36:42 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=120625

           Summary: ASSERTION FAILED: commonScope in
                    WebCore::comparePositions
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org
            Blocks: 116980


Created an attachment (id=210340)
 --> (https://bugs.webkit.org/attachment.cgi?id=210340&action=review)
Test case

If you load the attached test you will get the assertion failure above (it's possible you have to force a refresh too). This test is a part of LayoutTests/editing/selection/selection-in-iframe-removed-crash.html what was introduced in r144400 as the test case of a security bug. Nevertheless the null check in the next line defends us from serious problems hopefully.

<html> 
<script> 
  var docElement = document.documentElement; 

  function crash() {
     iframe1 = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
     iframe1.setAttribute("srcdoc", "ABC");
     docElement.appendChild(iframe1);
     document1 = document.implementation.createDocument("", null);
     iframe1.addEventListener("DOMFocusOut", function () {
         document1.adoptNode(iframe1); }, false);
         iframe1.focus();
         setTimeout("finish();", 0);
     }

     function finish() {
         document.designMode = "on";
         range1 = document.createRange();
         range1.selectNodeContents(iframe1.contentDocument);
         window.getSelection().addRange(range1); 
     }
     document.addEventListener("DOMContentLoaded", crash, false);
 </script> 
</html>


The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342        *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff42dfe4a in WebCore::comparePositions (a=..., b=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/htmlediting.cpp:79
#2  0x00007ffff4322ad6 in WebCore::VisibleSelection::toNormalizedRange (this=0x7cfab8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/VisibleSelection.cpp:173
#3  0x00007ffff3b6868f in WebCore::FrameSelection::toNormalizedRange (this=0x7cfa90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/FrameSelection.h:205
#4  0x00007ffff3b6fe85 in WebCore::EditorClientQt::respondToChangedSelection (this=0x765660, frame=0x7d14b0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WebCoreSupport/EditorClientQt.cpp:207
#5  0x00007ffff42bf2c5 in WebCore::Editor::notifyComponentsOnChangedSelection (this=0x7cf930, oldSelection=..., options=6)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:533
#6  0x00007ffff42cbdea in WebCore::Editor::respondToChangedSelection (this=0x7cf930, oldSelection=..., options=6)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:3042
#7  0x00007ffff42d7ef7 in WebCore::FrameSelection::setSelection (this=0x7cfa90, newSelection=..., options=6, 
    align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/FrameSelection.cpp:329
#8  0x00007ffff42ddce3 in WebCore::FrameSelection::selectFrameElementInParentIfFullySelected (this=0x8b41f0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/FrameSelection.cpp:1630
#9  0x00007ffff42d7eb8 in WebCore::FrameSelection::setSelection (this=0x8b41f0, newSelection=..., options=6, 
    align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/FrameSelection.cpp:327
#10 0x00007ffff42d7ce7 in WebCore::FrameSelection::setSelection (this=0x7cfa90, newSelection=..., options=6, 
    align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/FrameSelection.cpp:283
#11 0x00007ffff4622357 in WebCore::DOMSelection::addRange (this=0x922150, r=0x9488a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/DOMSelection.cpp:395
#12 0x00007ffff502f2b2 in WebCore::jsDOMSelectionPrototypeFunctionAddRange (exec=0x7fff941e20e8) at generated/JSDOMSelection.cpp:439
#13 0x00007fff9ffff0e5 in ?? ()
#14 0x00007fffffffbfa0 in ?? ()
#15 0x00007ffff679ffa2 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5
#16 0x00007fff941e2058 in ?? ()
#17 0x00000000007d0e98 in ?? ()
#18 0x00007fffffffbf60 in ?? ()
#19 0x00007ffff5506ba3 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#20 0x00007ffff551752c in JSC::JITCode::execute (this=0x932510, stack=0x7d0e98, callFrame=0x7fff941e2058, vm=0x815ab0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46
#21 0x00007ffff5503419 in JSC::Interpreter::execute (this=0x7d0e80, program=0x7fff9c03fe70, callFrame=0x7fffe407efe0, thisObj=0x7fffe40bffd8)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:766
#22 0x00007ffff55e1e92 in JSC::evaluate (exec=0x7fffe407efe0, source=..., thisValue=..., returnedException=0x7fffffffcc90)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:83
#23 0x00007ffff3f4f00d in WebCore::JSMainThreadExecState::evaluate (exec=0x7fffe407efe0, source=..., thisValue=..., exception=0x7fffffffcc90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSMainThreadExecState.h:74
#24 0x00007ffff3f6da56 in WebCore::ScriptController::evaluateInWorld (this=0x7cf840, sourceCode=..., world=0x78a8b0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScriptController.cpp:142
#25 0x00007ffff3f6eef5 in WebCore::ScriptController::executeScriptInWorld (this=0x7cf840, world=0x78a8b0, script=..., forceUserGesture=false)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScriptController.cpp:466
#26 0x00007ffff3f66ffe in WebCore::ScheduledAction::execute (this=0x935680, document=0x958860)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScheduledAction.cpp:134
#27 0x00007ffff3f66b7b in WebCore::ScheduledAction::execute (this=0x935680, context=0x958910)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScheduledAction.cpp:80
#28 0x00007ffff462380c in WebCore::DOMTimer::fired (this=0x8ec900) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/DOMTimer.cpp:141
#29 0x00007ffff47a4a06 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x6ef760)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ThreadTimers.cpp:129
---Type <return> to continue, or q <return> to quit---
#30 0x00007ffff47a48f3 in WebCore::ThreadTimers::sharedTimerFired () at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ThreadTimers.cpp:105
#31 0x00007ffff4aabd3e in WebCore::SharedTimerQt::timerEvent (this=0x6ef7b0, ev=0x7fffffffd5b0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/qt/SharedTimerQt.cpp:113
#32 0x00007ffff21e766c in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#33 0x00007ffff302ddbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#34 0x00007ffff3031075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#35 0x00007ffff21c1dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#36 0x00007ffff220875c in QTimerInfoList::activateTimers() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#37 0x00007ffff2209094 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#38 0x00007fffee34a2d6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3065
#39 g_main_context_dispatch (context=context at entry=0x6632f0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3641
#40 0x00007fffee34a628 in g_main_context_iterate (context=context at entry=0x6632f0, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>)
    at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3712
#41 0x00007fffee34a6cc in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3773
#42 0x00007ffff22094bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#43 0x00007ffff21c0d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#44 0x00007ffff21c4120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#45 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
#46 0x0000000000423680 in main (argc=2, argv=0x7fffffffdb18) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list