[Webkit-unassigned] [Bug 225219] SHOULD NEVER BE REACHED in FrameSelection::setSelectionWithoutUpdatingAppearance for editing/selection/selection-in-iframe-removed-crash.html

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 17 01:21:23 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=225219

Frédéric Wang (:fredw) <fred.wang at free.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fred.wang at free.fr
           Assignee|webkit-unassigned at lists.web |fred.wang at free.fr
                   |kit.org                     |

--- Comment #8 from Frédéric Wang (:fredw) <fred.wang at free.fr> ---
Preliminary debugging: the selection is set in

https://webkit-search.igalia.com/webkit/rev/45eee1160003c6d3022e8d0b88fe15770b05ffac/Source/WebCore/editing/FrameSelection.cpp#1960

but the frame gets disconnected when the focus is set just the line before, due to the DOMFocusOut callback being executed

iframe1.addEventListener("DOMFocusOut", function () { document1.adoptNode(iframe1); }, false);

Taking bug, will investigate more later...

(BTW, FrameSelection::selectFrameElementInParentIfFullySelected should probably use more RefPtr per https://lists.webkit.org/pipermail/webkit-dev/2020-September/031386.html )

---------------------------- rr session ------------------------------------------

Thread 1 received signal SIGSEGV, Segmentation fault.
(rr) reverse-f
(rr) 
(rr)
    at ../../Source/WebCore/editing/FrameSelection.cpp:361
361                 ASSERT_NOT_REACHED();
(rr) p newSelection.m_start.m_anchorNode->isConnected()
$1 = false
(rr) watch -l newSelection.m_start
(rr) rc
(rr) delete
(rr) bt
#0  0x00007f71aa598e16 in WebCore::Position::Position(WebCore::Position const&) (this=0x7ffd737a03e0)
    at WebCore/PrivateHeaders/WebCore/Position.h:54
#1  0x00007f71aa5990ff in WebCore::VisibleSelection::VisibleSelection(WebCore::VisibleSelection const&)
    (this=0x7ffd737a03a0) at WebCore/PrivateHeaders/WebCore/VisibleSelection.h:36
#2  0x00007f71ac64645f in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity)
    (this=0x7f719e9bc6b8, newSelectionPossiblyWithoutDirection=..., options=..., align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::TextGranularity::CharacterGranularity)
    at ../../Source/WebCore/editing/FrameSelection.cpp:333
#3  0x00007f71ac646e65 in WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity)
    (this=0x7f719e9bc6b8, selection=..., options=..., intent=..., align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::TextGranularity::CharacterGranularity)
    at ../../Source/WebCore/editing/FrameSelection.cpp:426
#4  0x00007f71ac64ec04 in WebCore::FrameSelection::selectFrameElementInParentIfFullySelected()
    (this=0x7f719e9bcac0) at ../../Source/WebCore/editing/FrameSelection.cpp:1959
(rr) reverse-f
(rr) 
(rr) 
(rr) 
    at ../../Source/WebCore/editing/FrameSelection.cpp:1959
1959            parent->selection().setSelection(newSelection);
(rr) p newSelection.m_start.m_anchorNode->isConnected()
$2 = false
(rr) p newSelection.m_start.m_anchorNode.get() == ownerElement
$3 = true
(rr) watch -l ((Node*)ownerElement)->m_nodeFlags
(rr) rc
(rr) bt
#0  0x00007f71ac3e73c4 in WTF::OptionSet<WebCore::Node::NodeFlag>::remove(WTF::OptionSet<WebCore::Node::NodeFlag>) (this=0x7f719ea18378, optionSet=...) at WTF/Headers/wtf/OptionSet.h:193
#1  0x00007f71ac3df9d5 in WebCore::Node::clearNodeFlag(WebCore::Node::NodeFlag) const
    (this=0x7f719ea18350, flag=WebCore::Node::NodeFlag::IsConnected) at ../../Source/WebCore/dom/Node.h:586
#2  0x00007f71ac4f25d9 in WebCore::Node::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) (this=0x7f719ea18350, removalType=..., oldParentOfRemovedTree=...)
    at ../../Source/WebCore/dom/Node.cpp:1312
#3  0x00007f71ac45fb88 in WebCore::Element::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) (this=0x7f719ea18350, removalType=..., oldParentOfRemovedTree=...)
    at ../../Source/WebCore/dom/Element.cpp:2316
#4  0x00007f71ac37c8a2 in WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) (oldParentOfRemovedTree=..., treeScopeChange=WebCore::TreeScopeChange::Changed, node=...)
    at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:126
#5  0x00007f71ac37cd6d in WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&)
    (oldParentOfRemovedTree=..., child=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:178
#6  0x00007f71ac35dd16 in WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChange::Source)
    (this=0x7f719ea23f40, childToRemove=..., source=WebCore::ContainerNode::ChildChange::Source::API)
    at ../../Source/WebCore/dom/ContainerNode.cpp:182
#7  0x00007f71ac35741a in WebCore::ContainerNode::removeChild(WebCore::Node&)
    (this=0x7f719ea23f40, oldChild=...) at ../../Source/WebCore/dom/ContainerNode.cpp:614
#8  0x00007f71ac4f05aa in WebCore::Node::remove() (this=0x7f719ea18350)
    at ../../Source/WebCore/dom/Node.cpp:639
#9  0x00007f71ac3a75bb in WebCore::Document::adoptNode(WebCore::Node&) (this=0x7f719ea19c10, source=...)
    at ../../Source/WebCore/dom/Document.cpp:1191
#10 0x00007f71aabae600 in WebCore::jsDocumentPrototypeFunction_adoptNodeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::IDLOperation<WebCore::JSDocument>::ClassParameter) (lexicalGlobalObject=
    0x7f714ebdf668, callFrame=0x7ffd7379f030, castedThis=0x7f714c5c0f08)
    at WebCore/DerivedSources/JSDocument.cpp:5417
#11 0x00007f71aabd6b7f in WebCore::IDLOperation<WebCore::JSDocument>::call<WebCore::jsDocumentPrototypeFunction_adoptNodeBody>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
    (lexicalGlobalObject=..., callFrame=..., operationName=0x7f71b008d91b "adoptNode")
    at ../../Source/WebCore/bindings/js/JSDOMOperation.h:55
#12 0x00007f71aabae6b2 in WebCore::jsDocumentPrototypeFunction_adoptNode(JSC::JSGlobalObject*, JSC::CallFrame*) (lexicalGlobalObject=0x7f714ebdf668, callFrame=0x7ffd7379f030) at WebCore/DerivedSources/JSDocument.cpp:5422
#13 0x00007f715e6262b8 in  ()
#14 0x00007ffd7379f0b0 in  ()
#15 0x00007f71a4158afe in llint_op_call ()
    at /app/webkit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1097
#16 0x0000000000000000 in  ()

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210517/c16aa211/attachment-0001.htm>

More information about the webkit-unassigned mailing list