Title: [259027] trunk
Revision
259027
Author
shihchieh_...@apple.com
Date
2020-03-25 18:51:14 -0700 (Wed, 25 Mar 2020)

Log Message

Nullptr crash in WebCore::Node::isDescendantOf when inserting list
https://bugs.webkit.org/show_bug.cgi?id=209529
<rdar://problem/60693542>

Reviewed by Darin Adler.

Source/WebCore:

The visible positions may be null if the DOM tree is altered before an edit command is applied.
Add null check for visible positions at the beginning of InsertListCommand::doApply.

Test: editing/inserting/insert-list-during-node-removal-crash.html

* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::doApply):

LayoutTests:

Added a regression test for the crash.

* editing/inserting/insert-list-during-node-removal-crash-expected.txt: Added.
* editing/inserting/insert-list-during-node-removal-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (259026 => 259027)


--- trunk/LayoutTests/ChangeLog	2020-03-26 01:24:05 UTC (rev 259026)
+++ trunk/LayoutTests/ChangeLog	2020-03-26 01:51:14 UTC (rev 259027)
@@ -1,3 +1,16 @@
+2020-03-25  Jack Lee  <shihchieh_...@apple.com>
+
+        Nullptr crash in WebCore::Node::isDescendantOf when inserting list
+        https://bugs.webkit.org/show_bug.cgi?id=209529
+        <rdar://problem/60693542>
+
+        Reviewed by Darin Adler.
+
+        Added a regression test for the crash.
+
+        * editing/inserting/insert-list-during-node-removal-crash-expected.txt: Added.
+        * editing/inserting/insert-list-during-node-removal-crash.html: Added.
+
 2020-03-25  Alexey Shvayka  <shvaikal...@gmail.com>
 
         Invalid numeric and named references should be early syntax errors

Added: trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt (0 => 259027)


--- trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt	2020-03-26 01:51:14 UTC (rev 259027)
@@ -0,0 +1 @@
+Tests inserting list during node removal. The test passes if WebKit doesn't crash or hit an assertion.

Added: trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html (0 => 259027)


--- trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html	2020-03-26 01:51:14 UTC (rev 259027)
@@ -0,0 +1,23 @@
+<script>
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+    function DomNodeEventHandler() {
+        document.execCommand("insertOrderedList", false);
+        requestAnimationFrame(function () {
+            document.body.innerHTML = "<p> Tests inserting list during node removal. The test passes if WebKit doesn't crash or hit an assertion.</p>";
+            if (window.testRunner) {
+                testRunner.notifyDone();
+            }
+        });
+    }
+
+    window._onload_ = () => {
+        TD.addEventListener("DOMNodeRemovedFromDocument", DomNodeEventHandler);
+        document.execCommand("selectAll", false);
+        window.getSelection().deleteFromDocument();
+    }
+</script>
+<body contenteditable="true"><table><td id=TD></td></table><li contenteditable="false"></li><div>a</div>
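Review bot: the `window._onload_ = () => {` line looks like a mailing-list mangling of `window.onload`; if the committed file literally assigns `_onload_`, no load handler runs, `TD` never gets its `DOMNodeRemovedFromDocument` listener, and the test ends in a timeout instead of exercising the re-entrant `insertOrderedList` path the fix targets. Please confirm the checked-in file uses `window.onload`. Also worth a one-line comment in the test: `testRunner.notifyDone()` is only reached from the mutation handler's requestAnimationFrame callback, so if `deleteFromDocument()` ever stops removing the `<td>`, the test will time out rather than report text, which is acceptable for a crash test but not obvious from the source.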

Modified: trunk/Source/WebCore/ChangeLog (259026 => 259027)


--- trunk/Source/WebCore/ChangeLog	2020-03-26 01:24:05 UTC (rev 259026)
+++ trunk/Source/WebCore/ChangeLog	2020-03-26 01:51:14 UTC (rev 259027)
@@ -1,3 +1,19 @@
+2020-03-25  Jack Lee  <shihchieh_...@apple.com>
+
+        Nullptr crash in WebCore::Node::isDescendantOf when inserting list
+        https://bugs.webkit.org/show_bug.cgi?id=209529
+        <rdar://problem/60693542>
+
+        Reviewed by Darin Adler.
+
+        The visible positions may be null if the DOM tree is altered before an edit command is applied. 
+        Add null check for visible positions at the beginning of InsertListCommand::doApply.
+
+        Test: editing/inserting/insert-list-during-node-removal-crash.html
+
+        * editing/InsertListCommand.cpp:
+        (WebCore::InsertListCommand::doApply):
+
 2020-03-25  Alexey Shvayka  <shvaikal...@gmail.com>
 
         Invalid numeric and named references should be early syntax errors
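Review bot: the line `+        The visible positions may be null if the DOM tree is altered before an edit command is applied. ` carries trailing whitespace; trim it before landing so the ChangeLog entry matches the style of the surrounding entries.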

Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (259026 => 259027)


--- trunk/Source/WebCore/editing/InsertListCommand.cpp	2020-03-26 01:24:05 UTC (rev 259026)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp	2020-03-26 01:51:14 UTC (rev 259027)
@@ -112,12 +112,13 @@
 
 void InsertListCommand::doApply()
 {
-    if (endingSelection().isNoneOrOrphaned() || !endingSelection().isContentRichlyEditable())
+    VisiblePosition visibleEnd = endingSelection().visibleEnd();
+    VisiblePosition visibleStart = endingSelection().visibleStart();
+
+    if (visibleEnd.isNull() || visibleStart.isNull() || !endingSelection().isContentRichlyEditable())
         return;
 
-    VisiblePosition visibleEnd = endingSelection().visibleEnd();
-    VisiblePosition visibleStart = endingSelection().visibleStart();
-    // When a selection ends at the start of a paragraph, we rarely paint 
+    // When a selection ends at the start of a paragraph, we rarely paint
     // the selection gap before that paragraph, because there often is no gap.  
     // In a case like this, it's not obvious to the user that the selection 
     // ends "inside" that paragraph, so it would be confusing if InsertUn{Ordered}List 
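Review bot: the new guard drops `endingSelection().isNoneOrOrphaned()` and relies on `visibleEnd()` / `visibleStart()` yielding null `VisiblePosition`s for a none or orphaned selection. If an orphaned selection (anchor nodes detached from the document) can still canonicalize to a non-null `VisiblePosition`, the original check should be kept alongside the null checks, e.g. `if (endingSelection().isNoneOrOrphaned() || visibleEnd.isNull() || visibleStart.isNull() || !endingSelection().isContentRichlyEditable())`; otherwise a short comment explaining why the null checks subsume the old condition would help the next reader. Separately, the hunk trims trailing whitespace on the first comment line (`// When a selection ends at the start of a paragraph, we rarely paint`) but leaves it on the three comment lines that follow; either trim the whole comment or leave it untouched to keep the diff minimal.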
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
