Title: [228989] releases/WebKitGTK/webkit-2.20
Revision: 228989
Author: [email protected]
Date: 2018-02-26 01:55:16 -0800 (Mon, 26 Feb 2018)
Log Message
Merge r228724 - null m_lastNodeInserted dereference at ReplaceSelectionCommand::InsertedNodes::lastLeafInserted
https://bugs.webkit.org/show_bug.cgi?id=161947
Patch by Fujii Hironori <[email protected]> on 2018-02-19
Reviewed by Ryosuke Niwa.
Source/WebCore:
InsertedNodes happened to be empty if the inserted nodes were
removed. Add more checks if InsertedNodes is empty.
No new tests (Covered by existing tests).
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::doApply): Return early if InsertedNodes becomes empty.
* editing/ReplaceSelectionCommand.h:
(WebCore::ReplaceSelectionCommand::InsertedNodes::isEmpty): New method.
(WebCore::ReplaceSelectionCommand::InsertedNodes::lastLeafInserted const):
Assert m_lastNodeInserted is not null.
(WebCore::ReplaceSelectionCommand::InsertedNodes::pastLastLeaf const): Ditto.
LayoutTests:
* platform/gtk/TestExpectations:
Unmarked editing/execCommand/crash-replacing-list-by-list.html and editing/inserting/insert-table-in-paragraph-crash.html.
Diff
Modified: releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog (228988 => 228989)
--- releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog 2018-02-26 09:55:06 UTC (rev 228988)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog 2018-02-26 09:55:16 UTC (rev 228989)
@@ -1,3 +1,13 @@
+2018-02-19 Fujii Hironori <[email protected]>
+
+ null m_lastNodeInserted dereference at ReplaceSelectionCommand::InsertedNodes::lastLeafInserted
+ https://bugs.webkit.org/show_bug.cgi?id=161947
+
+ Reviewed by Ryosuke Niwa.
+
+ * platform/gtk/TestExpectations:
+ Unmarked editing/execCommand/crash-replacing-list-by-list.html and editing/inserting/insert-table-in-paragraph-crash.html.
+
2018-02-20 Carlos Garcia Campos <[email protected]>
Unreviewed GTK gardening.
Modified: releases/WebKitGTK/webkit-2.20/LayoutTests/platform/gtk/TestExpectations (228988 => 228989)
--- releases/WebKitGTK/webkit-2.20/LayoutTests/platform/gtk/TestExpectations 2018-02-26 09:55:06 UTC (rev 228988)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/platform/gtk/TestExpectations 2018-02-26 09:55:16 UTC (rev 228989)
@@ -1283,9 +1283,6 @@
webkit.org/b/172281 accessibility/insert-children-assert.html [ Crash ]
-webkit.org/b/172951 editing/execCommand/crash-replacing-list-by-list.html [ Crash ]
-webkit.org/b/172951 editing/inserting/insert-table-in-paragraph-crash.html [ Crash ]
-
webkit.org/b/172955 media/video-preload.html [ Crash Pass ]
webkit.org/b/175575 imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/ready-states/autoplay-with-slow-text-tracks.html [ Crash Pass ]
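Review bot: The two expectations removed here were filed under webkit.org/b/172951, but the ChangeLog entries for this change cite only bug 161947. Mention 172951 in the LayoutTests ChangeLog entry so the expectation bug can be cross-referenced and closed with this fix. Since the log message says "No new tests (Covered by existing tests)", naming these two tests there would also record which tests cover the fix.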
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog (228988 => 228989)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog 2018-02-26 09:55:06 UTC (rev 228988)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog 2018-02-26 09:55:16 UTC (rev 228989)
@@ -1,3 +1,23 @@
+2018-02-19 Fujii Hironori <[email protected]>
+
+ null m_lastNodeInserted dereference at ReplaceSelectionCommand::InsertedNodes::lastLeafInserted
+ https://bugs.webkit.org/show_bug.cgi?id=161947
+
+ Reviewed by Ryosuke Niwa.
+
+ InsertedNodes happened to be empty if the inserted nodes were
+ removed. Add more checks if InsertedNodes is empty.
+
+ No new tests (Covered by existing tests).
+
+ * editing/ReplaceSelectionCommand.cpp:
+ (WebCore::ReplaceSelectionCommand::doApply): Return early if InsertedNodes becomes empty.
+ * editing/ReplaceSelectionCommand.h:
+ (WebCore::ReplaceSelectionCommand::InsertedNodes::isEmpty): New method.
+ (WebCore::ReplaceSelectionCommand::InsertedNodes::lastLeafInserted const):
+ Assert m_lastNodeInserted is not null.
+ (WebCore::ReplaceSelectionCommand::InsertedNodes::pastLastLeaf const): Ditto.
+
2018-02-19 Chris Dumez <[email protected]>
Crash under MIMETypeRegistry::isSupportedJavaScriptMIMEType()
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/editing/ReplaceSelectionCommand.cpp (228988 => 228989)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2018-02-26 09:55:06 UTC (rev 228988)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2018-02-26 09:55:16 UTC (rev 228989)
@@ -1141,6 +1141,8 @@
node = next;
}
+ if (insertedNodes.isEmpty())
+ return;
removeUnrenderedTextNodesAtEnds(insertedNodes);
if (!handledStyleSpans)
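Review bot: The new early return before removeUnrenderedTextNodesAtEnds(insertedNodes) has no comment saying how insertedNodes can be empty at this point. The later guard carries "Mutation events (bug 20161) may have already removed the inserted content"; a similar one-line comment here would tell the next reader that the bail-out is deliberate and which earlier step can remove the nodes.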
@@ -1147,8 +1149,10 @@
handleStyleSpans(insertedNodes);
// Mutation events (bug 20161) may have already removed the inserted content
- if (!insertedNodes.firstNodeInserted() || !insertedNodes.firstNodeInserted()->isConnected())
+ if (insertedNodes.isEmpty())
return;
+ if (!insertedNodes.firstNodeInserted()->isConnected())
+ return;
VisiblePosition startOfInsertedContent = firstPositionInOrBeforeNode(insertedNodes.firstNodeInserted());
@@ -1168,8 +1172,12 @@
}
makeInsertedContentRoundTrippableWithHTMLTreeBuilder(insertedNodes);
+ if (insertedNodes.isEmpty())
+ return;
removeRedundantStylesAndKeepStyleSpanInline(insertedNodes);
+ if (insertedNodes.isEmpty())
+ return;
if (m_sanitizeFragment)
applyCommandToComposite(SimplifyMarkupCommand::create(document(), insertedNodes.firstNodeInserted(), insertedNodes.pastLastLeaf()));
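Review bot: The same two-line guard, "if (insertedNodes.isEmpty()) return;", is now repeated after makeInsertedContentRoundTrippableWithHTMLTreeBuilder and after removeRedundantStylesAndKeepStyleSpanInline, in addition to the two earlier sites in doApply. The second guard here is the only thing protecting the pastLastLeaf() call in the SimplifyMarkupCommand::create line, and pastLastLeaf() no longer returns nullptr for an empty set, so a helper added between them later would silently reintroduce the null dereference. Consider having the mutating helpers return whether any inserted nodes remain, or at least add a comment that each helper can empty insertedNodes, so the dependency is visible.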
Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/editing/ReplaceSelectionCommand.h (228988 => 228989)
--- releases/WebKitGTK/webkit-2.20/Source/WebCore/editing/ReplaceSelectionCommand.h 2018-02-26 09:55:06 UTC (rev 228988)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/editing/ReplaceSelectionCommand.h 2018-02-26 09:55:16 UTC (rev 228989)
@@ -69,15 +69,17 @@
void willRemoveNode(Node*);
void didReplaceNode(Node*, Node* newNode);
+ bool isEmpty() { return !m_firstNodeInserted; }
Node* firstNodeInserted() const { return m_firstNodeInserted.get(); }
- Node* lastLeafInserted() const { return m_lastNodeInserted->lastDescendant(); }
+ Node* lastLeafInserted() const
+ {
+ ASSERT(m_lastNodeInserted);
+ return m_lastNodeInserted->lastDescendant();
+ }
Node* pastLastLeaf() const
{
- if (m_lastNodeInserted) {
- ASSERT(lastLeafInserted());
- return NodeTraversal::next(*lastLeafInserted());
- }
- return nullptr;
+ ASSERT(m_lastNodeInserted);
+ return NodeTraversal::next(*lastLeafInserted());
}
private:
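Review bot: pastLastLeaf() used to return nullptr when m_lastNodeInserted was null; it now dereferences unconditionally behind ASSERT(m_lastNodeInserted), and lastLeafInserted() does the same. ASSERT is compiled out of release builds, so any caller that is not preceded by an isEmpty() check still hits the null dereference in shipped binaries, and pastLastLeaf() has lost the protection it had. Either keep the null return in pastLastLeaf() or confirm that every call site is guarded. Two smaller points in the same hunk: isEmpty() tests m_firstNodeInserted while the asserts test m_lastNodeInserted, so the assumption that both become null together should be asserted inside isEmpty(); and isEmpty() should be declared const like the neighbouring accessors.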