[Webkit-unassigned] [Bug 255704] New: REGRESSION (262544 at main): [ iOS debug ] - ASSERTION FAILED: !((anchorType == PositionIsBeforeChildren || anchorType == PositionIsAfterChildren) && (is<Text>(*m_anchorNode) || editingIgnoresContent(*m_anchorNode)))

bugzilla-daemon at webkit.org
Wed Apr 19 22:16:08 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=255704

            Bug ID: 255704
           Summary: REGRESSION (262544 at main): [ iOS debug ] - ASSERTION
                    FAILED: !((anchorType == PositionIsBeforeChildren ||
                    anchorType == PositionIsAfterChildren) &&
                    (is<Text>(*m_anchorNode) ||
                    editingIgnoresContent(*m_anchorNode)))
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rackler at apple.com

Description:
editing/inserting/insert-img-uneditable-canonical-position-crash.html is a consistent crash

The test was consistently passing and began to fail between ranges https://commits.webkit.org/compare/262536@main...262545@main . Looking at the commits, it is possible that https://commits.webkit.org/262544@main caused the crashes, as VisibleSelection.cpp was modified, and the assertion has a reference to that.

This issue can be reproduced using the command: 
run-webkit-tests --debug --iterations=1  --ios-simulator  editing/inserting/insert-img-uneditable-canonical-position-crash.html

History:
https://results.webkit.org/?suite=layout-tests&test=editing%2Finserting%2Finsert-img-uneditable-canonical-position-crash.html&platform=ios&style=debug&limit=50000&recent=false

Crash Log:
No crash log found for com.apple.WebKit.WebContent.Development:22617.

stdout:

stderr:
ASSERTION FAILED: !((anchorType == PositionIsBeforeChildren || anchorType == PositionIsAfterChildren) && (is<Text>(*m_anchorNode) || editingIgnoresContent(*m_anchorNode)))
/Volumes/Data/worker/Apple-iOS-16-Simulator-Debug-Build/build/Source/WebCore/dom/Position.cpp(127) : WebCore::Position::Position(WebCore::Node *, WebCore::Position::AnchorType)
1   0x10c9968c8 WTFCrash
2   0x146135570 JSC::VMTraps::maybeNeedHandling() const
3   0x1490976e0 WebCore::Position::Position(WebCore::Node*, WebCore::Position::AnchorType)
4   0x149097720 WebCore::Position::Position(WebCore::Node*, WebCore::Position::AnchorType)
5   0x131048938 WebCore::firstPositionInNode(WebCore::Node*)
6   0x1325cc30c WebKit::computeEditableRootHasContentAndPlainText(WebCore::VisibleSelection const&, WebKit::EditorState::PostLayoutData&)
7   0x1325cbabc WebKit::WebPage::getPlatformEditorState(WebCore::LocalFrame&, WebKit::EditorState&) const
8   0x1332fe444 WebKit::WebPage::editorState(WebKit::WebPage::ShouldPerformLayout) const
9   0x133315d54 WebKit::WebPage::sendEditorStateUpdate()
10  0x133315e0c WebKit::WebPage::didChangeContents()
11  0x132fcb8d0 WebKit::WebEditorClient::respondToChangedContents()
12  0x1491da278 WebCore::Editor::respondToChangedContents(WebCore::VisibleSelection const&)
13  0x1491dd4d0 WebCore::Editor::appliedEditing(WebCore::CompositeEditCommand&)
14  0x14919ba5c WebCore::CompositeEditCommand::didApplyCommand()
15  0x149189740 WebCore::CompositeEditCommand::apply()
16  0x14920b844 WebCore::executeInsertFragment(WebCore::LocalFrame&, WTF::Ref<WebCore::DocumentFragment, WTF::RawPtrTraits<WebCore::DocumentFragment>>&&)
17  0x14920b998 WebCore::executeInsertNode(WebCore::LocalFrame&, WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>>&&)
18  0x149205e0c WebCore::executeInsertImage(WebCore::LocalFrame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)
19  0x1491e1400 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
20  0x148ed7c54 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
21  0x146523234 WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)
22  0x146522d38 long long WebCore::IDLOperation<WebCore::JSDocument>::call<&WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
23  0x14650f27c WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)
24  0x2929981fc (null)
25  0x10d0138a0 llint_entry
26  0x10cfede28 vmEntryToJavaScript
27  0x10e0c196c JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
28  0x10e3c8c0c JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
29  0x10e3c8d88 JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
30  0x148771324 WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
31  0x148770dd0 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
com.apple.WebKit.WebContent.Development terminated (pid 22617) for reason: crash
