[Webkit-unassigned] [Bug 224836] New: Crash in StyledMarkupAccumulator::traverseNodesForSerialization()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 20 15:34:06 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=224836

            Bug ID: 224836
           Summary: Crash in
                    StyledMarkupAccumulator::traverseNodesForSerialization
                    ()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: HTML Editing
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: julian_a_gonzalez at apple.com
                CC: wenson_hsieh at apple.com

In Release, I can hit the following crash:

WebCore::StyledMarkupAccumulator::firstChild(WebCore::Node&)
WebCore::StyledMarkupAccumulator::traverseNodesForSerialization(WebCore::Node*, WebCore::Node*, WebCore::StyledMarkupAccumulator::NodeTraversalMode)
WebCore::StyledMarkupAccumulator::serializeNodes(WebCore::Position const&, WebCore::Position const&)
WebCore::serializePreservingVisualAppearanceInternal(WebCore::Position const&, WebCore::Position const&, WTF::Vector<WebCore::Node*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WebCore::AnnotateForInterchange, WebCore::ConvertBlocksToInlines, WebCore::StandardFontFamilySerializationMode, WebCore::MSOListMode)
WebCore::serializePreservingVisualAppearance(WebCore::VisibleSelection const&, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WTF::Vector<WebCore::Node*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*)


in Debug, we hit an assertion first:

ASSERTION FAILED: next || !pastEnd
./editing/markup.cpp : WebCore::Node *WebCore::StyledMarkupAccumulator::traverseNodesForSerialization(WebCore::Node *, WebCore::Node *, WebCore::StyledMarkupAccumulator::NodeTraversalMode)
1   0x3e7ef90d9 WTFCrash
2   0x3b0a5d2e0 PAL::canLoad_libAccessibility__AXSIsolatedTreeMode()
3   0x3b92bc1f0 WebCore::StyledMarkupAccumulator::traverseNodesForSerialization(WebCore::Node*, WebCore::Node*, WebCore::StyledMarkupAccumulator::NodeTraversalMode)
4   0x3b92bb6a0 WebCore::StyledMarkupAccumulator::serializeNodes(WebCore::Position const&, WebCore::Position const&)
5   0x3b92befc5 WebCore::serializePreservingVisualAppearanceInternal(WebCore::Position const&, WebCore::Position const&, WTF::Vector<WebCore::Node*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WebCore::AnnotateForInterchange, WebCore::ConvertBlocksToInlines, WebCore::StandardFontFamilySerializationMode, WebCore::MSOListMode)
6   0x3b92bfa9e WebCore::serializePreservingVisualAppearance(WebCore::VisibleSelection const&, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WTF::Vector<WebCore::Node*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*)
7   0x3ba857c30 WebCore::LegacyWebArchive::createFromSelection(WebCore::Frame*)


<rdar://problem/76328325>

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210420/10aafdea/attachment-0001.htm>

More information about the webkit-unassigned mailing list