Title: [261255] trunk
Revision: 261255
Author: shihchieh_...@apple.com
Date: 2020-05-06 15:55:30 -0700 (Wed, 06 May 2020)

Log Message

Nullptr crash in InsertListCommand::doApply with user-select:none elements
https://bugs.webkit.org/show_bug.cgi?id=211534
<rdar://problem/62898521>

Reviewed by Geoffrey Garen.

Source/WebCore:

Check for empty position in InsertListCommand::doApply when searching for the start of
last paragraph in the selected range. Skip listifying individual paragraphs in the range.

Test: editing/inserting/insert-list-user-select-none-crash.html

* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::doApply):

LayoutTests:

Added a regression test for the crash.

* editing/inserting/insert-list-user-select-none-crash-expected.txt: Added.
* editing/inserting/insert-list-user-select-none-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (261254 => 261255)


--- trunk/LayoutTests/ChangeLog	2020-05-06 22:54:22 UTC (rev 261254)
+++ trunk/LayoutTests/ChangeLog	2020-05-06 22:55:30 UTC (rev 261255)
@@ -1,3 +1,16 @@
+2020-05-06  Jack Lee  <shihchieh_...@apple.com>
+
+        Nullptr crash in InsertListCommand::doApply with user-select:none elements
+        https://bugs.webkit.org/show_bug.cgi?id=211534
+        <rdar://problem/62898521>
+
+        Reviewed by Geoffrey Garen.
+
+        Added a regression test for the crash.
+
+        * editing/inserting/insert-list-user-select-none-crash-expected.txt: Added.
+        * editing/inserting/insert-list-user-select-none-crash.html: Added.
+
 2020-05-06  Ryan Haddad  <ryanhad...@apple.com>
 
         Unreviewed, reverting r261239.

Added: trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash-expected.txt (0 => 261255)


--- trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash-expected.txt	2020-05-06 22:55:30 UTC (rev 261255)
@@ -0,0 +1 @@
+Tests inserting list in paragraphs that have userSelect:none elements. The test passes if WebKit doesn't crash or hit an ssertion.
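
Review bot: "ssertion" in the added line is a typo for "assertion". The same string is assigned to document.body.innerText in insert-list-user-select-none-crash.html, so correct both files in the same change; otherwise the dumped text will stop matching this expectation.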

Added: trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash.html (0 => 261255)


--- trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash.html	2020-05-06 22:55:30 UTC (rev 261255)
@@ -0,0 +1,14 @@
+<style>
+span { -webkit-user-select: all; }
+a { -webkit-user-select: none; }
+</style>
+<body id=body contentEditable="true"><span><a>a</a><canvas id=canvas></canvas></span>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    body.appendChild(canvas);
+    document.execCommand("selectAll", false);
+    document.execCommand("insertOrderedList", false);
+    document.body.innerText = "Tests inserting list in paragraphs that have userSelect:none elements. The test passes if WebKit doesn't crash or hit an ssertion.";
+</script>
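
Review bot: The script does not say which DOM shape produces the crash: body.appendChild(canvas) moves the canvas out of the user-select:all span to the end of the body before selectAll and insertOrderedList run, leaving the span with only the user-select:none anchor. A one-line comment above that call explaining why the canvas is moved would keep the test from being simplified later into something that no longer covers the bug. The script also depends on the body and canvas globals created by the id attributes; document.getElementById would make that dependency explicit.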

Modified: trunk/Source/WebCore/ChangeLog (261254 => 261255)


--- trunk/Source/WebCore/ChangeLog	2020-05-06 22:54:22 UTC (rev 261254)
+++ trunk/Source/WebCore/ChangeLog	2020-05-06 22:55:30 UTC (rev 261255)
@@ -1,3 +1,19 @@
+2020-05-06  Jack Lee  <shihchieh_...@apple.com>
+
+        Nullptr crash in InsertListCommand::doApply with user-select:none elements
+        https://bugs.webkit.org/show_bug.cgi?id=211534
+        <rdar://problem/62898521>
+
+        Reviewed by Geoffrey Garen.
+
+        Check for empty position in InsertListCommand::doApply when searching for the start of
+        last paragraph in the selected range. Skip listifying individual paragraphs in the range.
+
+        Test: editing/inserting/insert-list-user-select-none-crash.html
+
+        * editing/InsertListCommand.cpp:
+        (WebCore::InsertListCommand::doApply):
+
 2020-05-06  Ryan Haddad  <ryanhad...@apple.com>
 
         Unreviewed, reverting r261239.
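
Review bot: The entry "Skip listifying individual paragraphs in the range" states the new behavior but not its cause; it does not say why startOfParagraph() can return an empty position for the end of a selection that contains user-select:none elements. One sentence on that would let a later reader judge whether a null check in doApply is the right place for the fix.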

Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (261254 => 261255)


--- trunk/Source/WebCore/editing/InsertListCommand.cpp	2020-05-06 22:54:22 UTC (rev 261254)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp	2020-05-06 22:55:30 UTC (rev 261255)
@@ -140,12 +140,12 @@
             VisiblePosition endOfSelection = selection.visibleEnd();
             VisiblePosition startOfLastParagraph = startOfParagraph(endOfSelection, CanSkipOverEditingBoundary);
 
-            if (startOfParagraph(startOfSelection, CanSkipOverEditingBoundary) != startOfLastParagraph) {
+            if (startOfLastParagraph.isNotNull() && startOfParagraph(startOfSelection, CanSkipOverEditingBoundary) != startOfLastParagraph) {
                 bool forceCreateList = !selectionHasListOfType(selection, listTag);
 
                 auto currentSelection = createLiveRange(endingSelection().firstRange());
                 VisiblePosition startOfCurrentParagraph = startOfSelection;
-                while (!startOfCurrentParagraph.isNull() && !inSameParagraph(startOfCurrentParagraph, startOfLastParagraph, CanCrossEditingBoundary)) {
+                while (startOfCurrentParagraph.isNotNull() && !inSameParagraph(startOfCurrentParagraph, startOfLastParagraph, CanCrossEditingBoundary)) {
                     // doApply() may operate on and remove the last paragraph of the selection from the document
                     // if it's in the same list item as startOfCurrentParagraph. Return early to avoid an
                     // infinite loop and because there is no more work to be done.
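
Review bot: The added startOfLastParagraph.isNotNull() test in the if condition makes a selection whose last-paragraph start is null skip this whole block and continue into the code after it, which this hunk does not show. Please confirm that the following path handles the same selection safely, or return early here; endOfSelection itself is not checked in these lines before it is passed to startOfParagraph(). The change from !startOfCurrentParagraph.isNull() to startOfCurrentParagraph.isNotNull() in the while condition is style only, and the ChangeLog should say so to keep it from being read as part of the fix.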