Bug 255704

Summary: REGRESSION (262544@main): [ iOS ] Assertion failure in Position::Position via computeEditableRootHasContentAndPlainText
Product: WebKit
Reporter: Karl Rackler <rackler>
Component: New Bugs
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: cdumez, rniwa, webkit-bot-watchers-bugzilla, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description Karl Rackler 2023-04-19 22:16:08 PDT
Description:
editing/inserting/insert-img-uneditable-canonical-position-crash.html is a consistent crash

The test was consistently passing and began to fail in the range https://commits.webkit.org/compare/262536@main...262545@main. Looking at the commits, it is possible that https://commits.webkit.org/262544@main caused the crashes, as VisibleSelection.cpp was modified and the assertion references it.

This issue can be reproduced using the command:
run-webkit-tests --debug --iterations=1  --ios-simulator  editing/inserting/insert-img-uneditable-canonical-position-crash.html

History:
https://results.webkit.org/?suite=layout-tests&test=editing%2Finserting%2Finsert-img-uneditable-canonical-position-crash.html&platform=ios&style=debug&limit=50000&recent=false

Crash Log:
No crash log found for com.apple.WebKit.WebContent.Development:22617.

stdout:

stderr:
ASSERTION FAILED: !((anchorType == PositionIsBeforeChildren || anchorType == PositionIsAfterChildren) && (is<Text>(*m_anchorNode) || editingIgnoresContent(*m_anchorNode)))
/Volumes/Data/worker/Apple-iOS-16-Simulator-Debug-Build/build/Source/WebCore/dom/Position.cpp(127) : WebCore::Position::Position(WebCore::Node *, WebCore::Position::AnchorType)
1   0x10c9968c8 WTFCrash
2   0x146135570 JSC::VMTraps::maybeNeedHandling() const
3   0x1490976e0 WebCore::Position::Position(WebCore::Node*, WebCore::Position::AnchorType)
4   0x149097720 WebCore::Position::Position(WebCore::Node*, WebCore::Position::AnchorType)
5   0x131048938 WebCore::firstPositionInNode(WebCore::Node*)
6   0x1325cc30c WebKit::computeEditableRootHasContentAndPlainText(WebCore::VisibleSelection const&, WebKit::EditorState::PostLayoutData&)
7   0x1325cbabc WebKit::WebPage::getPlatformEditorState(WebCore::LocalFrame&, WebKit::EditorState&) const
8   0x1332fe444 WebKit::WebPage::editorState(WebKit::WebPage::ShouldPerformLayout) const
9   0x133315d54 WebKit::WebPage::sendEditorStateUpdate()
10  0x133315e0c WebKit::WebPage::didChangeContents()
11  0x132fcb8d0 WebKit::WebEditorClient::respondToChangedContents()
12  0x1491da278 WebCore::Editor::respondToChangedContents(WebCore::VisibleSelection const&)
13  0x1491dd4d0 WebCore::Editor::appliedEditing(WebCore::CompositeEditCommand&)
14  0x14919ba5c WebCore::CompositeEditCommand::didApplyCommand()
15  0x149189740 WebCore::CompositeEditCommand::apply()
16  0x14920b844 WebCore::executeInsertFragment(WebCore::LocalFrame&, WTF::Ref<WebCore::DocumentFragment, WTF::RawPtrTraits<WebCore::DocumentFragment>>&&)
17  0x14920b998 WebCore::executeInsertNode(WebCore::LocalFrame&, WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>>&&)
18  0x149205e0c WebCore::executeInsertImage(WebCore::LocalFrame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)
19  0x1491e1400 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
20  0x148ed7c54 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
21  0x146523234 WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)
22  0x146522d38 long long WebCore::IDLOperation<WebCore::JSDocument>::call<&WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
23  0x14650f27c WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)
24  0x2929981fc (null)
25  0x10d0138a0 llint_entry
26  0x10cfede28 vmEntryToJavaScript
27  0x10e0c196c JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
28  0x10e3c8c0c JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
29  0x10e3c8d88 JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
30  0x148771324 WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
31  0x148770dd0 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)
com.apple.WebKit.WebContent.Development terminated (pid 22617) for reason: crash
Comment 1 Radar WebKit Bug Importer 2023-04-19 22:18:43 PDT
<rdar://problem/108299531>
Comment 2 Karl Rackler 2023-04-19 22:25:57 PDT
I have marked this test as skip while this issue is investigated.
Comment 3 EWS 2023-04-19 22:32:58 PDT
Test gardening commit 263162@main (8d3513a4b76b): <https://commits.webkit.org/263162@main>

Reviewed commits have been landed. Closing PR #12957 and removing active labels.
Comment 4 Ryosuke Niwa 2023-04-20 18:19:13 PDT
This indeed regressed in 262544@main.
Comment 5 Ryosuke Niwa 2023-04-20 18:53:16 PDT
Pull request: https://github.com/WebKit/WebKit/pull/13004
Comment 6 EWS 2023-04-21 11:17:55 PDT
Committed 263252@main (e3bec6d3fc6c): <https://commits.webkit.org/263252@main>

Reviewed commits have been landed. Closing PR #13004 and removing active labels.
Comment 7 Karl Rackler 2023-05-01 08:04:32 PDT
Removing test expectation.
Comment 8 EWS 2023-05-01 08:09:24 PDT
Test gardening commit 263550@main (c462f9edfc2e): <https://commits.webkit.org/263550@main>

Reviewed commits have been landed. Closing PR #13328 and removing active labels.