Title: [261777] trunk
Revision
261777
Author
[email protected]
Date
2020-05-15 21:09:51 -0700 (Fri, 15 May 2020)

Log Message

Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands.
https://bugs.webkit.org/show_bug.cgi?id=211964
<rdar://problem/63224871>

Reviewed by Geoffrey Garen.

Source/WebCore:

The load event may fire in fixOrphanedListChild() and change the node tree. In doApplyForSingleParagraph, check for a
disconnected node returned by fixOrphanedListChild() and bail out.

Test: editing/inserting/nested-list-insertion-crash.html

* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::doApplyForSingleParagraph):

LayoutTests:

Added a regression test for the crash.

* editing/inserting/nested-list-insertion-crash-expected.txt: Added.
* editing/inserting/nested-list-insertion-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (261776 => 261777)


--- trunk/LayoutTests/ChangeLog	2020-05-16 03:45:59 UTC (rev 261776)
+++ trunk/LayoutTests/ChangeLog	2020-05-16 04:09:51 UTC (rev 261777)
@@ -1,3 +1,16 @@
+2020-05-15  Jack Lee  <[email protected]>
+
+        Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands.
+        https://bugs.webkit.org/show_bug.cgi?id=211964
+        <rdar://problem/63224871>
+
+        Reviewed by Geoffrey Garen.
+
+        Added a regression test for the crash.
+
+        * editing/inserting/nested-list-insertion-crash-expected.txt: Added.
+        * editing/inserting/nested-list-insertion-crash.html: Added.
+
 2020-05-15  Simon Fraser  <[email protected]>
 
         REGRESSION (r249091): Can't click on a video in the second column of a paginated web view

Added: trunk/LayoutTests/editing/inserting/nested-list-insertion-crash-expected.txt (0 => 261777)


--- trunk/LayoutTests/editing/inserting/nested-list-insertion-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/nested-list-insertion-crash-expected.txt	2020-05-16 04:09:51 UTC (rev 261777)
@@ -0,0 +1,3 @@
+Test nested list insertion. The test passes if WebKit doesn't crash or hit an assertion.
+
+

Added: trunk/LayoutTests/editing/inserting/nested-list-insertion-crash.html (0 => 261777)


--- trunk/LayoutTests/editing/inserting/nested-list-insertion-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/nested-list-insertion-crash.html	2020-05-16 04:09:51 UTC (rev 261777)
@@ -0,0 +1,10 @@
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    function run() {
+        window.getSelection().setPosition(li,1);
+        document.execCommand("insertUnorderedList", false);
+    }
+</script>
+<body  contentEditable="true"><span>Test nested list insertion. The test passes if WebKit doesn't crash or hit an assertion.</span><li id=li><iframe hidden="hidden" _onload_="run()"></iframe>
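Review bot: the iframe's handler attribute as it appears in this listing is `_onload_="run()"`, which is not an event handler attribute a browser recognizes, so as shown `run()` would never execute and the test would pass without ever reaching the nested-list insertion path; if this is the mail archive rewriting `onload`, the committed file is fine, otherwise it needs to be `onload="run()"`. Two smaller points: `setPosition(li,1)` relies on the `id=li` element being exposed as a global, which works but reads more clearly as `document.getElementById("li")`, and `<body  contentEditable="true">` has a doubled space.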

Modified: trunk/Source/WebCore/ChangeLog (261776 => 261777)


--- trunk/Source/WebCore/ChangeLog	2020-05-16 03:45:59 UTC (rev 261776)
+++ trunk/Source/WebCore/ChangeLog	2020-05-16 04:09:51 UTC (rev 261777)
@@ -1,3 +1,19 @@
+2020-05-15  Jack Lee  <[email protected]>
+
+        Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands.
+        https://bugs.webkit.org/show_bug.cgi?id=211964
+        <rdar://problem/63224871>
+
+        Reviewed by Geoffrey Garen.
+
+        Load event may fire in fixOrphanedListChild() and change the node tree. In doApplyForSingleParagraph check for 
+        disconnected node returned by fixOrphanedListChild() and bail out.
+
+        Test: editing/inserting/nested-list-insertion-crash.html
+
+        * editing/InsertListCommand.cpp:
+        (WebCore::InsertListCommand::doApplyForSingleParagraph):
+
 2020-05-15  Alex Christensen  <[email protected]>
 
         Use enum serialization instead of casting to/from uint32_t
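Review bot: the ChangeLog line ending in `check for ` carries trailing whitespace; trim it. The entry otherwise matches the LayoutTests entry and the code change.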

Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (261776 => 261777)


--- trunk/Source/WebCore/editing/InsertListCommand.cpp	2020-05-16 03:45:59 UTC (rev 261776)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp	2020-05-16 04:09:51 UTC (rev 261777)
@@ -213,7 +213,7 @@
         RefPtr<HTMLElement> listNode = enclosingList(listChildNode);
         if (!listNode) {
             RefPtr<HTMLElement> listElement = fixOrphanedListChild(*listChildNode);
-            if (!listElement)
+            if (!listElement || !listElement->isConnected())
                 return;
 
             listNode = mergeWithNeighboringLists(*listElement);
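Review bot: the new `!listElement->isConnected()` guard needs a one-line comment saying why a list element that fixOrphanedListChild() just created can already be disconnected (script run by a load event during that call can mutate the tree); without it the condition reads like a redundant null check and is at risk of being simplified away later. It is also worth confirming that isConnected() is a strong enough test here: a load handler that moves the element into another document leaves it connected, and the command then proceeds into `mergeWithNeighboringLists(*listElement)` on a node outside the editing document. Comparing `&listElement->document()` against the command's own document, or re-validating `listChildNode` as well, would cover that case.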