
Issue 591275

Starred by 4 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Range::updateOwnerDocumentIfNeeded() should be called after all nodes in tree moved

Project Member Reported by ukai@chromium.org, Mar 2 2016

Issue description

Version: 51.0.2664.0 (Developer Build) (64-bit) with dcheck_always_on=1
OS: Linux

What steps will reproduce the problem?
1. edit a page on site.google.com
2. select region
3. C-x to cut
4. mouse move to other place
5. C-v to paste

What is the expected output? What do you see instead?
renderer crashed with assertion failure

ASSERTION FAILED: newDocument == m_end.container()->document()
../../third_party/WebKit/Source/core/dom/Range.cpp(1525) : void blink::Range::updateOwnerDocumentIfNeeded()
1   0x7fffe99bb8fa blink::Document::updateRangesAfterNodeMovedToAnotherDocument(blink::Node const&)
2   0x7fffe9a2f526 blink::Node::didMoveToNewDocument(blink::Document&)
3   0x7fffe99f60f9 blink::Element::didMoveToNewDocument(blink::Document&)
4   0x7fffe9a7db42
5   0x7fffe9a7d844
6   0x7fffe9a7b5c4 blink::TreeScope::adoptIfNeeded(blink::Node&)
7   0x7fffe99adcec blink::Document::adoptNode(WTF::RawPtr<blink::Node>, blink::ExceptionState&)
8   0x7fffe998aa40 blink::ContainerNode::parserAppendChild(WTF::RawPtr<blink::Node>)
9   0x7fffe998a64a blink::ContainerNode::parserTakeAllChildrenFrom(blink::ContainerNode&)
10  0x7fffe9e8f970
11  0x7fffe9dfe5cc blink::Editor::pasteWithPasteboard(blink::Pasteboard*)
12  0x7fffe9e00dba blink::Editor::paste()
13  0x7fffe9e55483
14  0x7fffe9e52656 blink::Editor::Command::execute(WTF::String const&, blink::Event*) const
15  0x7fffe9e527b7 blink::Editor::executeCommand(WTF::String const&, WTF::String const&)
16  0x7ffff1da3d7f
17  0x7ffff605e686 content::RenderViewImpl::handleCurrentKeyboardEvent()
18  0x7ffff1d3cab7
19  0x7fffe9e03e98 blink::Editor::handleKeyboardEvent(blink::KeyboardEvent*)
20  0x7fffe9ad11e9 blink::EventHandler::defaultKeyboardEventHandler(blink::KeyboardEvent*)
21  0x7fffe9aa98bf
22  0x7fffe9aa923b
23  0x7fffe9aa8910
24  0x7fffe9a30d95 blink::Node::dispatchEventInternal(WTF::RawPtr<blink::Event>)

25  0x7fffe9ab50d1 blink::EventTarget::dispatchEvent(WTF::RawPtr<blink::Event>)
26  0x7fffe9ad0df5 blink::EventHandler::keyEvent(blink::PlatformKeyboardEvent const&)
27  0x7ffff1dd0f38
28  0x7ffff1dcff32
29  0x7ffff5fe81d9 content::RenderWidgetInputHandler::HandleInputEvent(blink::WebInputEvent const&, ui::LatencyInfo const&, content::InputEventDispatchType)
30  0x7ffff6067945 content::RenderWidget::OnMessageReceived(IPC::Message const&)
31  0x7ffff6059b67 content::RenderViewImpl::OnMessageReceived(IPC::Message const&)
Received signal 11 SEGV_MAPERR 0000fbadbeef
#0 0x7ffff7ebeebb base::debug::(anonymous namespace)::StackDumpSignalHandler()
#1 0x7fffef744340 <unknown>
#2 0x7fffe9a544e9 blink::Range::updateOwnerDocumentIfNeeded()
#3 0x7fffe99bb8fa blink::Document::updateRangesAfterNodeMovedToAnotherDocument()
#4 0x7fffe9a2f526 blink::Node::didMoveToNewDocument()
#5 0x7fffe99f60f9 blink::Element::didMoveToNewDocument()
#6 0x7fffe9a7db42 blink::TreeScopeAdopter::moveNodeToNewDocument()
#7 0x7fffe9a7d844 blink::TreeScopeAdopter::moveTreeToNewScope()
#8 0x7fffe9a7b5c4 blink::TreeScope::adoptIfNeeded()
#9 0x7fffe99adcec blink::Document::adoptNode()
#10 0x7fffe998aa40 blink::ContainerNode::parserAppendChild()
#11 0x7fffe998a64a blink::ContainerNode::parserTakeAllChildrenFrom()
#12 0x7fffe9e8f970 blink::createFragmentFromMarkupWithContext()
#13 0x7fffe9dfe5cc blink::Editor::pasteWithPasteboard()
#14 0x7fffe9e00dba blink::Editor::paste()
#15 0x7fffe9e55483 blink::executePaste()
#16 0x7fffe9e52656 blink::Editor::Command::execute()
#17 0x7fffe9e527b7 blink::Editor::executeCommand()
#18 0x7ffff1da3d7f blink::WebLocalFrameImpl::executeCommand()
#19 0x7ffff605e686 content::RenderViewImpl::handleCurrentKeyboardEvent()
#20 0x7ffff1d3cab7 blink::EditorClientImpl::handleKeyboardEvent()
#21 0x7fffe9e03e98 blink::Editor::handleKeyboardEvent()
#22 0x7fffe9ad11e9 blink::EventHandler::defaultKeyboardEventHandler()
#23 0x7fffe9aa98bf blink::EventDispatcher::dispatchEventPostProcess()
#24 0x7fffe9aa923b blink::EventDispatcher::dispatch()
#25 0x7fffe9aa8910 blink::EventDispatcher::dispatchEvent()
#26 0x7fffe9a30d95 blink::Node::dispatchEventInternal()
#27 0x7fffe9ab50d1 blink::EventTarget::dispatchEvent()
#28 0x7fffe9ad0df5 blink::EventHandler::keyEvent()
#29 0x7ffff1dd0f38 blink::WebViewImpl::handleKeyEvent()
#30 0x7ffff1dcff32 blink::WebViewImpl::handleInputEvent()
#31 0x7ffff5fe81d9 content::RenderWidgetInputHandler::HandleInputEvent()
#32 0x7ffff6067945 content::RenderWidget::OnMessageReceived()
#33 0x7ffff6059b67 content::RenderViewImpl::OnMessageReceived()
#34 0x7ffff4e0bc87 IPC::MessageRouter::RouteMessage()
#35 0x7ffff4e0bbc8 IPC::MessageRouter::OnMessageReceived()
#36 0x7ffff55ea5c4 content::ChildThreadImpl::OnMessageReceived()
#37 0x7ffff5614962 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0EEEENS0_9BindStateINS0_15RunnableAdapterIMN7content19PendingNotificationEFvRK8SkBitmapEEEFvPS7_SA_EJNS_7WeakPtrIS7_EEEEENS0_12InvokeHelperILb1EvSD_EEFvSA_EE3RunEPNS0_13BindStateBaseESA_
#38 0x7ffff5569c38 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0EEEENS0_9BindStateINS_8CallbackIFvbEEES6_JRbEEENS0_12InvokeHelperILb0EvS7_EEFvvEE3RunEPNS0_13BindStateBaseE
#39 0x7ffff7ec053c base::debug::TaskAnnotator::RunTask()
#40 0x7fffed477d47 scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#41 0x7fffed4769cf scheduler::TaskQueueManager::DoWork()
#42 0x7fffed478f84 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1ELm2EEEENS0_9BindStateINS0_15RunnableAdapterIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEEEFvPS7_S8_bEJNS_7WeakPtrIS7_EERS8_bEEENS0_12InvokeHelperILb1EvSB_EEFvvEE3RunEPNS0_13BindStateBaseE
#43 0x7ffff7ec053c base::debug::TaskAnnotator::RunTask()
#44 0x7ffff7ee8e9b base::MessageLoop::RunTask()
#45 0x7ffff7ee91b8 base::MessageLoop::DeferOrRunPendingTask()
#46 0x7ffff7ee946b base::MessageLoop::DoWork()
#47 0x7ffff7eeaecf base::MessagePumpDefault::Run()
#48 0x7ffff7ee89f7 base::MessageLoop::RunHandler()
#49 0x7ffff7f1369c base::RunLoop::Run()
#50 0x7ffff7ee7a50 base::MessageLoop::Run()
#51 0x7ffff607550e content::RendererMain()
#52 0x7ffff61905ab content::RunZygote()
#53 0x7ffff6190bf2 content::RunNamedProcessTypeMain()
#54 0x7ffff61915fb content::ContentMainRunnerImpl::Run()
#55 0x7ffff6190153 content::ContentMain()
#56 0x555555a2470a ChromeMain
#57 0x7fffee0f2ec5 __libc_start_main
#58 0x555555a245e1 <unknown>
  r8: 00007fffe3ef3a00  r9: 3a6c706d49776569 r10: 00007fffee48dbe0 r11: 0000000000000000
 r12: 0000000000000001 r13: 00001a6e26fee110 r14: 00002c2eccaa9580 r15: 00000000fbadbeef
  di: 00001269cae17098  si: 00001269cc976740  bp: 00001a6e26fee0d0  bx: 00001a6e26fee230
  dx: 0000000000000976  ax: 5af8e4bc7c5ed200  cx: 0000000000000010  sp: 00007fffffff89b0
  ip: 00007fffe9a544e9 efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000006
 trp: 000000000000000e msk: 0000000000000000 cr2: 00000000fbadbeef
[end of stack trace]


Please use labels and text to provide additional information.
https://chromium.googlesource.com/chromium/src/+/8fd47d1c1e9e5ea01181178f0c7feb64f7ffeab3
 

Comment 1 by yosin@chromium.org, Mar 3 2016

Status: Available (was: Untriaged)
Summary: Range::updateOwnerDocumentIfNeeded() should be called after all nodes in tree moved (was: ASSERTION FAILED: newDocument == m_end.container()->document() ../../third_party/WebKit/Source/core/dom/Range.cpp(1525) : void blink::Range::updateOwnerDocumentIfNeeded())
The root cause is that Range::updateOwnerDocumentIfNeeded() is called before the tree has finished moving to another document. This creates a situation where the start node has been moved and the end node hasn't been moved yet.

We should update the Range at the end of
 - TreeScopeAdopter::moveTreeToNewScope()
 - TreeScopeAdopter::moveTreeToNewDocument()
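
A minimal model of the ordering problem described in comment 1, added here as an illustration. It is not Blink code: `Doc`, `Node`, `Range`, `moveTree` and `adopt` are simplified stand-ins, and the check only mirrors the condition in the failed assertion.

```cpp
#include <cstdio>
#include <vector>

// Toy model (assumption, not Blink): a node only records its owning document.
struct Doc { int id; };
struct Node { Doc* doc; std::vector<Node*> children; };

// Toy Range: an owner document plus start/end boundary containers.
struct Range {
    Doc* owner; Node* start; Node* end;
    // Mirrors the asserted condition from the report: the start and end
    // containers must be in the same document when the range is updated.
    // Returns false where the real code would hit the assertion.
    bool updateOwnerDocumentIfNeeded() {
        if (start->doc != end->doc) return false;  // half-moved tree observed
        if (start->doc != owner) owner = start->doc;
        return true;
    }
};

// Pre-order walk that re-homes each node. With perNode == true the range is
// notified from inside the walk, which is the ordering the issue describes.
static void moveTree(Node& n, Doc& to, Range& r, bool perNode, int& violations) {
    n.doc = &to;
    if (perNode && !r.updateOwnerDocumentIfNeeded()) ++violations;
    for (Node* c : n.children) moveTree(*c, to, r, perNode, violations);
}

// Adopts a three-node tree into a new document and returns how many times the
// invariant was violated; -1 if the range did not end up in the new document.
int adopt(bool perNode) {
    Doc from{1}, to{2};
    Node a{&from, {}}, b{&from, {}};
    Node root{&from, {&a, &b}};
    Range r{&from, &a, &b};  // start in the first child, end in the second
    int violations = 0;
    moveTree(root, to, r, perNode, violations);
    // Deferred variant: notify once, after every node has been moved.
    if (!perNode && !r.updateOwnerDocumentIfNeeded()) ++violations;
    return (r.owner == &to) ? violations : -1;
}

int main() {
    std::printf("per-node update: %d violation(s)\n", adopt(true));
    std::printf("deferred update: %d violation(s)\n", adopt(false));
    return 0;
}
```
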





Comment 2 by yosin@chromium.org, Mar 3 2016

Labels: -Pri-2 Pri-1

Comment 3 by sheriffbot@chromium.org, Mar 3 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been available for more than 365 days, and should be re-evaluated. Please re-triage this issue.
The Hotlist-Recharge-Cold label is applied for tracking purposes, and should not be removed after re-triaging the issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by yosin@chromium.org, Mar 7 2017

Status: Available (was: Untriaged)

Comment 5 by yosin@chromium.org, Mar 15 2017

Cc: -yosin@chromium.org
Owner: yosin@chromium.org
Status: Started (was: Available)
Working...

Comment 6 by yosin@chromium.org, Mar 23 2017

Owner: ----
Status: Available (was: Started)

Comment 7 by yosin@chromium.org, Apr 25 2017

Labels: -Pri-1 Pri-3
Lowering to Pri-2, since we haven't had another report in the past year.

Comment 8 by sheriffbot@chromium.org, Apr 25 2018

Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by yosin@chromium.org, May 28 2018

Status: Available (was: Untriaged)
