[webkit-changes] [259951] releases/WebKitGTK/webkit-2.28

Sun, 12 Apr 2020 06:04:45 -0700

Title: [259951] releases/WebKitGTK/webkit-2.28
Revision
259951
Author
[email protected]
Date
2020-04-12 06:03:18 -0700 (Sun, 12 Apr 2020)

Log Message

Merge r258662 - Fix ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren crash
https://bugs.webkit.org/show_bug.cgi?id=208312

Patch by Eugene But <[email protected]> on 2020-03-18
Reviewed by Ryosuke Niwa

ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren
was crashing on dereferencing m_firstNodeInserted pointer. Before the crash
ReplaceSelectionCommand::InsertedNodes object received the following calls:

respondToNodeInsertion() with node A, which set m_firstNodeInserted and m_lastNodeInserted to A
willRemoveNode() with node B, which left m_firstNodeInserted and m_lastNodeInserted unchanged (A)
(node A was destroyed setting m_firstNodeInserted and m_lastNodeInserted to null)
respondToNodeInsertion() with node C, which set m_firstNodeInserted and m_lastNodeInserted to C
willRemoveNodePreservingChildren() with node C, which set m_firstNodeInserted to null and crashed

This patch checks m_firstNodeInserted before dereferencing and sets m_lastNodeInserted to null if
m_firstNodeInserted became null. It seems like having non-null value for m_lastNodeInserted would
be an invalid state.

Test: editing/pasteboard/insert-apple-style-span-after-timeout.html

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren):

LayoutTests:
Test for ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren crash fix
https://bugs.webkit.org/show_bug.cgi?id=208312

Patch by Eugene But <[email protected]> on 2020-03-18
Reviewed by Ryosuke Niwa

This test insers empty Apple-style-span after timeout to a non-empty document.

* editing/pasteboard/insert-apple-style-span-after-timeout.html:

Modified Paths

Added Paths

Diff

Modified: releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog (259950 => 259951)


--- releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog	2020-04-12 13:03:13 UTC (rev 259950)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog	2020-04-12 13:03:18 UTC (rev 259951)
@@ -1,3 +1,14 @@
+2020-03-18  Eugene But  <[email protected]>
+
+        Test for ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren crash fix
+        https://bugs.webkit.org/show_bug.cgi?id=208312
+
+        Reviewed by Ryosuke Niwa
+
+        This test insers empty Apple-style-span after timeout to a non-empty document.
+
+        * editing/pasteboard/insert-apple-style-span-after-timeout.html:
+
 2020-03-16  ChangSeok Oh  <[email protected]>
 
         A change event gets dispatched when textarea gets changed without focus

Added: releases/WebKitGTK/webkit-2.28/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout-expected.txt (0 => 259951)


--- releases/WebKitGTK/webkit-2.28/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout-expected.txt	2020-04-12 13:03:18 UTC (rev 259951)
@@ -0,0 +1 @@
+No crash!

Added: releases/WebKitGTK/webkit-2.28/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout.html (0 => 259951)


--- releases/WebKitGTK/webkit-2.28/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout.html	2020-04-12 13:03:18 UTC (rev 259951)
@@ -0,0 +1,21 @@
+<html>
+  <body>
+    <script>    
+      if (window.testRunner) {
+        window.testRunner.dumpAsText();
+        window.testRunner.waitUntilDone();
+      }
+
+      function test() {
+        document.designMode = 'on';
+        document.execCommand("selectAll");
+        document.execCommand("InsertHTML", false, "<p>No crash!</p>");
+        document.execCommand("InsertHTML", false, "<span class='Apple-style-span'></span>");
+        
+        if (window.testRunner)
+          testRunner.notifyDone();
+      }
+      setTimeout(test);
+    </script>&lt;
+  </body>
+</html>

Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog (259950 => 259951)


--- releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog	2020-04-12 13:03:13 UTC (rev 259950)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog	2020-04-12 13:03:18 UTC (rev 259951)
@@ -1,3 +1,29 @@
+2020-03-18  Eugene But  <[email protected]>
+
+        Fix ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren crash
+        https://bugs.webkit.org/show_bug.cgi?id=208312
+        
+        Reviewed by Ryosuke Niwa
+
+        ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren
+        was crashing on dereferencing m_firstNodeInserted pointer. Before the crash
+        ReplaceSelectionCommand::InsertedNodes object received the following calls:
+
+        respondToNodeInsertion() with node A, which set m_firstNodeInserted and m_lastNodeInserted to A
+        willRemoveNode() with node B, which left m_firstNodeInserted and m_lastNodeInserted unchanged (A)
+        (node A was destroyed setting m_firstNodeInserted and m_lastNodeInserted to null)
+        respondToNodeInsertion() with node C, which set m_firstNodeInserted and m_lastNodeInserted to C
+        willRemoveNodePreservingChildren() with node C, which set m_firstNodeInserted to null and crashed
+
+        This patch checks m_firstNodeInserted before dereferencing and sets m_lastNodeInserted to null if
+        m_firstNodeInserted became null. It seems like having non-null value for m_lastNodeInserted would
+        be an invalid state.
+
+        Test: editing/pasteboard/insert-apple-style-span-after-timeout.html
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren):
+
 2020-03-16  ChangSeok Oh  <[email protected]>
 
         A change event gets dispatched when textarea gets changed without focus

Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/editing/ReplaceSelectionCommand.cpp (259950 => 259951)


--- releases/WebKitGTK/webkit-2.28/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2020-04-12 13:03:13 UTC (rev 259950)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2020-04-12 13:03:18 UTC (rev 259951)
@@ -388,7 +388,7 @@
         m_firstNodeInserted = NodeTraversal::next(*node);
     if (m_lastNodeInserted == node) {
         m_lastNodeInserted = node->lastChild() ? node->lastChild() : NodeTraversal::nextSkippingChildren(*node);
-        if (!m_lastNodeInserted) {
+        if (!m_lastNodeInserted && m_firstNodeInserted) {
             // If the last inserted node is at the end of the document and doesn't have any children, look backwards for the
             // previous node as the last inserted node, clamping to the first inserted node if needed to ensure that the
             // document position of the last inserted node is not behind the first inserted node.

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to