[261019] trunk
Revision: 261019
Author: [email protected]
Date: 2020-05-01 13:53:59 -0700 (Fri, 01 May 2020)

Log Message

Source/WebCore:
Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indenting
and aligning a paragraph.
https://bugs.webkit.org/show_bug.cgi?id=211273
<rdar://problem/61885958>

Reviewed by Geoffrey Garen.

A load event can fire when we clone and append a paragraph. Check if the elements
are removed in the event and bail out.

Test: fast/editing/indent-then-justifyFull-crash.html

* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):

LayoutTests:
Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indenting
and aligning a paragraph.
https://bugs.webkit.org/show_bug.cgi?id=211273
<rdar://problem/61885958>

Reviewed by Geoffrey Garen.

Added a regression test for the crash.

* fast/editing/indent-then-justifyFull-crash-expected.txt: Added.
* fast/editing/indent-then-justifyFull-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (261018 => 261019)


--- trunk/LayoutTests/ChangeLog	2020-05-01 20:50:18 UTC (rev 261018)
+++ trunk/LayoutTests/ChangeLog	2020-05-01 20:53:59 UTC (rev 261019)
@@ -1,5 +1,19 @@
 2020-05-01  Jack Lee  <[email protected]>
 
+        Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indent
+        and align a paragraph.
+        https://bugs.webkit.org/show_bug.cgi?id=211273
+        <rdar://problem/61885958>
+
+        Reviewed by Geoffrey Garen.
+
+        Added a regression test for the crash.
+
+        * fast/editing/indent-then-justifyFull-crash-expected.txt: Added.
+        * fast/editing/indent-then-justifyFull-crash.html: Added.
+
+2020-05-01  Jack Lee  <[email protected]>
+
         Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode
         https://bugs.webkit.org/show_bug.cgi?id=207600
 

Added: trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash-expected.txt (0 => 261019)


--- trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash-expected.txt	2020-05-01 20:53:59 UTC (rev 261019)
@@ -0,0 +1 @@
+Tests editing elements followed by other commands that remove those elements. The test passes if WebKit doesn't crash or hit an ssertion.
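Review bot: the expected output has a typo, "ssertion" for "assertion", on the single added line. Because this file is compared byte for byte against what the test dumps, the fix has to be made in lockstep with the identical string the test writes into document.body.innerText in indent-then-justifyFull-crash.html; correcting only one of the two files would turn a passing test into a failing one.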

Added: trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash.html (0 => 261019)


--- trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash.html	2020-05-01 20:53:59 UTC (rev 261019)
@@ -0,0 +1,20 @@
+<script>
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+    function iframeOnload() {
+        document.execCommand("justifyFull", false);
+        CANVAS.toBlob(blob);
+    }
+
+    function blob() {
+        document.execCommand("selectAll", false);
+        document.execCommand("indent", false);
+        document.body.innerText = "Tests editing elements followed by other commands that remove those elements. The test passes if WebKit doesn't crash or hit an ssertion.";
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+</script>
+<body contentEditable=true><canvas id=CANVAS hidden="hidden"></canvas><iframe _onload_="iframeOnload()"></iframe><select></select>
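Review bot: the iframe attribute on the last added line reads `_onload_="iframeOnload()"`, which is not an event-handler attribute, so as shown here iframeOnload() would never run and the test would sit in waitUntilDone() until it times out. If that spelling is an artifact of the archive rendering, the committed file is fine, but please confirm the on-disk test uses `onload`. The description string assigned to document.body.innerText also carries the "ssertion" typo; it must stay identical to indent-then-justifyFull-crash-expected.txt, so fix both together or neither. A short comment above `blob()` stating that the indent is what clones the paragraph and the iframe load is what removes the elements would make the repro easier to follow for the next person who touches it.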

Modified: trunk/Source/WebCore/ChangeLog (261018 => 261019)


--- trunk/Source/WebCore/ChangeLog	2020-05-01 20:50:18 UTC (rev 261018)
+++ trunk/Source/WebCore/ChangeLog	2020-05-01 20:53:59 UTC (rev 261019)
@@ -1,5 +1,22 @@
 2020-05-01  Jack Lee  <[email protected]>
 
+        Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indent 
+        and align a paragraph.
+        https://bugs.webkit.org/show_bug.cgi?id=211273
+        <rdar://problem/61885958>
+
+        Reviewed by Geoffrey Garen.
+
+        A load event can fire when we clone and append a paragraph. Check if the elements
+        are removed in the event and bail out.
+
+        Test: fast/editing/indent-then-justifyFull-crash.html
+
+        * editing/CompositeEditCommand.cpp:
+        (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
+
+2020-05-01  Jack Lee  <[email protected]>
+
         Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode
         https://bugs.webkit.org/show_bug.cgi?id=207600
         <rdar://problem/56969450>
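Review bot: the first added line of the entry ("... when indent ") ends with a trailing space; please strip it so the ChangeLog stays whitespace-clean and matches the LayoutTests entry. The same "when indent and align a paragraph" phrasing would read better as "when indenting and aligning a paragraph", but that is cosmetic.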

Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (261018 => 261019)


--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp	2020-05-01 20:50:18 UTC (rev 261018)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp	2020-05-01 20:53:59 UTC (rev 261019)
@@ -1260,6 +1260,9 @@
         }
     }
 
+    if (!start.deprecatedNode()->isConnected() || !end.deprecatedNode()->isConnected())
+        return;
+
     // Handle the case of paragraphs with more than one node,
     // cloning all the siblings until end.deprecatedNode() is reached.
     
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes