Title: [261664] trunk
- Revision
- 261664
- Author
- [email protected]
- Date
- 2020-05-13 17:21:50 -0700 (Wed, 13 May 2020)
Log Message
Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
https://bugs.webkit.org/show_bug.cgi?id=211793
<rdar://problem/62993645>
Reviewed by Geoffrey Garen.
Source/WebCore:
Check for disconnected merge destination and endingSelection() after mergeParagraph is
Called and bail out to avoid using corrupted positions for node insertion.
Test: editing/inserting/insert-text-merge-node-removed-crash.html
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::moveParagraphs):
* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::mergeParagraphs):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-text-merge-node-removed-crash-expected.txt: Added.
* editing/inserting/insert-text-merge-node-removed-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (261663 => 261664)
--- trunk/LayoutTests/ChangeLog 2020-05-13 23:28:34 UTC (rev 261663)
+++ trunk/LayoutTests/ChangeLog 2020-05-14 00:21:50 UTC (rev 261664)
@@ -1,3 +1,16 @@
+2020-05-13 Jack Lee <[email protected]>
+
+ Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
+ https://bugs.webkit.org/show_bug.cgi?id=211793
+ <rdar://problem/62993645>
+
+ Reviewed by Geoffrey Garen.
+
+ Added a regression test for the crash.
+
+ * editing/inserting/insert-text-merge-node-removed-crash-expected.txt: Added.
+ * editing/inserting/insert-text-merge-node-removed-crash.html: Added.
+
2020-05-13 Said Abou-Hallawa <[email protected]>
Enable the 'OutsideViewport' rAF throttling
Added: trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash-expected.txt (0 => 261664)
--- trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash-expected.txt 2020-05-14 00:21:50 UTC (rev 261664)
@@ -0,0 +1 @@
+Tests inserting text when merge node is removed. The test passes if WebKit doesn't crash or hit an ssertion.
Added: trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash.html (0 => 261664)
--- trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash.html 2020-05-14 00:21:50 UTC (rev 261664)
@@ -0,0 +1,9 @@
+<body contentEditable="true"><output></output><data style="writing-mode: vertical-lr;"><menu><table></table></menu>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ document.execCommand("selectAll", false);
+ document.execCommand("insertText", "text");
+ document.body.innerText = "Tests inserting text when merge node is removed. The test passes if WebKit doesn't crash or hit an ssertion.";
+</script>
Modified: trunk/Source/WebCore/ChangeLog (261663 => 261664)
--- trunk/Source/WebCore/ChangeLog 2020-05-13 23:28:34 UTC (rev 261663)
+++ trunk/Source/WebCore/ChangeLog 2020-05-14 00:21:50 UTC (rev 261664)
@@ -1,3 +1,21 @@
+2020-05-13 Jack Lee <[email protected]>
+
+ Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
+ https://bugs.webkit.org/show_bug.cgi?id=211793
+ <rdar://problem/62993645>
+
+ Reviewed by Geoffrey Garen.
+
+ Check for disconnected merge destination and endingSelection() after mergeParagraph is
+ Called and bail out to avoid using corrupted positions for node insertion.
+
+ Test: editing/inserting/insert-text-merge-node-removed-crash.html
+
+ * editing/CompositeEditCommand.cpp:
+ (WebCore::CompositeEditCommand::moveParagraphs):
+ * editing/DeleteSelectionCommand.cpp:
+ (WebCore::DeleteSelectionCommand::mergeParagraphs):
+
2020-05-13 Said Abou-Hallawa <[email protected]>
Re-enable 'OutsideViewport' rAF throttling
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (261663 => 261664)
--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-13 23:28:34 UTC (rev 261663)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-14 00:21:50 UTC (rev 261664)
@@ -1476,8 +1476,11 @@
ASSERT(destination.deepEquivalent().anchorNode()->isConnected());
cleanupAfterDeletion(destination);
- ASSERT(destination.deepEquivalent().anchorNode()->isConnected());
+ // FIXME (Bug 211793): We should redesign cleanupAfterDeletion or find another destination when it is removed.
+ if (!destination.deepEquivalent().anchorNode()->isConnected())
+ return;
+
// Add a br if pruning an empty block level element caused a collapse. For example:
// foo^
// <div>bar</div>
Modified: trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp (261663 => 261664)
--- trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2020-05-13 23:28:34 UTC (rev 261663)
+++ trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2020-05-14 00:21:50 UTC (rev 261664)
@@ -754,7 +754,10 @@
moveParagraph(startOfParagraphToMove, endOfParagraphToMove, mergeDestination, false, !paragraphToMergeIsEmpty);
m_needPlaceholder = needPlaceholder;
// The endingPosition was likely clobbered by the move, so recompute it (moveParagraph selects the moved paragraph).
- m_endingPosition = endingSelection().start();
+
+ // FIXME (Bug 211793): endingSelection() becomes disconnected in moveParagraph
+ if (endingSelection().start().anchorNode()->isConnected())
+ m_endingPosition = endingSelection().start();
}
void DeleteSelectionCommand::removePreviouslySelectedEmptyTableRows()
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
