[Webkit-unassigned] [Bug 212723] Nullptr crash in DeleteSelectionCommand::doApply() when ending position is disconnected.
bugzilla-daemon at webkit.org
Wed Jun 3 16:55:07 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=212723
--- Comment #2 from Jack <shihchieh_lee at apple.com> ---
In this test case, removeNodeAndPruneAncestors is called in a different call stack compared to that in 211793.
* frame #0: 0x00000001209d6d96 WebCore`WebCore::CompositeEditCommand::removeNodeAndPruneAncestors(this=0x000000013b1e25e8, node=0x0000000135b9f450) at CompositeEditCommand.cpp:611:18
frame #1: 0x00000001209f5874 WebCore`WebCore::DeleteSelectionCommand::mergeParagraphs(this=0x000000013b1e25e8) at DeleteSelectionCommand.cpp:731:13
frame #2: 0x00000001209f7503 WebCore`WebCore::DeleteSelectionCommand::doApply(this=0x000000013b1e25e8) at DeleteSelectionCommand.cpp:939:5
frame #3: 0x00000001209d5bff WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x00000001393e7770, command=0x00007ffeeab0f218) at CompositeEditCommand.cpp:463:14
frame #4: 0x00000001209d858b WebCore`WebCore::CompositeEditCommand::deleteSelection(this=0x00000001393e7770, selection=0x00007ffeeab0f818, smartDelete=false, mergeBlocksAfterDelete=true, replace=false, expandForSpecialElements=false, sanitizeMarkup=true) at CompositeEditCommand.cpp:835:9
frame #5: 0x0000000120a9629d WebCore`WebCore::TypingCommand::deleteKeyPressed(this=0x00000001393e7770, granularity=CharacterGranularity, shouldAddToKillRing=false) at TypingCommand.cpp:748:27
frame #6: 0x0000000120a982c8 WebCore`WebCore::TypingCommand::doApply(this=0x00000001393e7770) at TypingCommand.cpp:364:9
frame #7: 0x00000001209c2ab5 WebCore`WebCore::CompositeEditCommand::apply(this=0x00000001393e7770) at CompositeEditCommand.cpp:372:9
frame #8: 0x0000000120a951cc WebCore`WebCore::TypingCommand::deleteKeyPressed(document={ origin = file://, url = file:///Users/jacklee/browser2/min-63866653.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, options=0, granularity=CharacterGranularity) at TypingCommand.cpp:193:86
frame #9: 0x0000000120a42774 WebCore`WebCore::executeDelete(frame={ origin = file://, url = file:///Users/jacklee/browser2/min-63866653.html, isMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, (null)=0x0000000000000000, source=CommandFromDOM, (null)={ length = 0, contents = '' }) at EditorCommand.cpp:298:9
frame #10: 0x0000000120a1db5b WebCore`WebCore::Editor::Command::execute(this=0x00007ffeeab0fa08, parameter={ length = 0, contents = '' }, triggeringEvent=0x0000000000000000) const at EditorCommand.cpp:1876:12
frame #11: 0x0000000120744385 WebCore`WebCore::Document::execCommand(this={ origin = file://, url = file:///Users/jacklee/browser2/min-63866653.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, commandName={ length = 6, contents = 'delete' }, userInterface=false, value={ length = 0, contents = '' }) at Document.cpp:5566:54
frame #12: 0x000000011e845bb4 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommandBody(lexicalGlobalObject=0x0000000139df8468, callFrame=0x00007ffeeab0fca0, castedThis=0x000000013932cc38, throwScope=0x00007ffeeab0fc18) at JSDocument.cpp:6271:57