[Webkit-unassigned] [Bug 212723] New: Nullptr crash in DeleteSelectionCommand::doApply() when ending position is disconnected.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 3 16:48:24 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=212723

            Bug ID: 212723
           Summary: Nullptr crash in DeleteSelectionCommand::doApply()
                    when ending position is disconnected.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: HTML Editing
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: shihchieh_lee at apple.com
                CC: wenson_hsieh at apple.com

<rdar://63866653>

    #0 0x3ad2f71a1 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1ba1a1)
    #1 0x3b073459d in WebCore::canHaveChildrenForEditing(WebCore::Node const&) (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x35f759d)
    #2 0x3b06f5016 in WebCore::CompositeEditCommand::insertNodeAt(WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&, WebCore::Position const&) (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x35b8016)
    #3 0x3b0737b65 in WebCore::DeleteSelectionCommand::doApply() (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x35fab65)
    #4 0x3b070ee6a in WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::EditCommand, WTF::DumbPtrTraits<WebCore::EditCommand> >&&) (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x35d1e6a)
    #5 0x3b0711f5a in WebCore::CompositeEditCommand::deleteSelection(WebCore::VisibleSelection const&, bool, bool, bool, bool, bool) (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x35d4f5a)
    #6 0x3b0827499 in WebCore::TypingCommand::deleteKeyPressed(WebCore::TextGranularity, bool) (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x36ea499)
    #7 0x3b06f2746 in WebCore::CompositeEditCommand::apply() (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x35b5746)
    #8 0x3b0826b44 in WebCore::TypingCommand::deleteKeyPressed(WebCore::Document&, unsigned int, WebCore::TextGranularity) (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x36e9b44)
    #9 0x3b07ae4de in WebCore::executeDelete(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x36714de)
    #10 0x3b0416d13 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x32d9d13)
    #11 0x3adc0e061 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0xad1061)
    #12 0x3adabb910 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (Safari_ASAN_262398_beabde7bd2de240129119de5a8d837355ac235e8.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x97e910)
    #13 0x4f794b401177

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200603/fed69efe/attachment-0001.htm>

More information about the webkit-unassigned mailing list