Title: [265647] trunk
Revision
265647
Author
[email protected]
Date
2020-08-13 22:57:42 -0700 (Thu, 13 Aug 2020)

Log Message

Crash in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization
https://bugs.webkit.org/show_bug.cgi?id=199224

Reviewed by Michael Catanzaro.

Source/WebCore:

The crash happens in StyledMarkupAccumulator::traverseNodesForSerialization() when we can't enter the node and
nextSkippingChildren() returns nullptr.

Test: editing/pasteboard/copy-across-shadow-boundaries-crash.html

* editing/markup.cpp:
(WebCore::StyledMarkupAccumulator::traverseNodesForSerialization): Set next to pastEnd if nextSkippingChildren()
returns nullptr.

LayoutTests:

* editing/pasteboard/copy-across-shadow-boundaries-crash-expected.txt: Added.
* editing/pasteboard/copy-across-shadow-boundaries-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (265646 => 265647)


--- trunk/LayoutTests/ChangeLog	2020-08-14 05:42:20 UTC (rev 265646)
+++ trunk/LayoutTests/ChangeLog	2020-08-14 05:57:42 UTC (rev 265647)
@@ -1,3 +1,13 @@
+2020-08-13  Carlos Garcia Campos  <[email protected]>
+
+        Crash in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization
+        https://bugs.webkit.org/show_bug.cgi?id=199224
+
+        Reviewed by Michael Catanzaro.
+
+        * editing/pasteboard/copy-across-shadow-boundaries-crash-expected.txt: Added.
+        * editing/pasteboard/copy-across-shadow-boundaries-crash.html: Added.
+
 2020-08-13  Diego Pino Garcia  <[email protected]>
 
         [GLIB] Unreviewed test gardening. Add baseline for css3/filters/backdrop/blur-input-bounds.html.

Added: trunk/LayoutTests/editing/pasteboard/copy-across-shadow-boundaries-crash-expected.txt (0 => 265647)


--- trunk/LayoutTests/editing/pasteboard/copy-across-shadow-boundaries-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/copy-across-shadow-boundaries-crash-expected.txt	2020-08-14 05:57:42 UTC (rev 265647)
@@ -0,0 +1,6 @@
+This tests copying content across shadow boundaries doesn't crash.
+To test manually, copy text below starting from "Hello" ending in the space before "World". Test passes if it doesn't crash.
+
+PASS if didn't crash.
+
+Hello

Added: trunk/LayoutTests/editing/pasteboard/copy-across-shadow-boundaries-crash.html (0 => 265647)


--- trunk/LayoutTests/editing/pasteboard/copy-across-shadow-boundaries-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/copy-across-shadow-boundaries-crash.html	2020-08-14 05:57:42 UTC (rev 265647)
@@ -0,0 +1,27 @@
+<html>
+<body>
+<p>This tests copying content across shadow boundaries doesn't crash.<br>
+To test manually, copy text below starting from "Hello" ending in the space before "World". Test passes if it doesn't crash.</p>
+<p>PASS if didn't crash.</p>
+<div id="start"><span id="hello">Hello</span></div>
+<script>
+const shadowRoot = start.attachShadow({mode: 'open'});
+shadowRoot.innerHTML = '<slot></slot> World';
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+
+    var x = start.offsetLeft;
+    var y = start.offsetTop + start.offsetHeight / 2;
+
+    eventSender.mouseMoveTo(x, y);
+    eventSender.mouseDown();
+
+    eventSender.mouseMoveTo(x + hello.offsetWidth, y);
+    eventSender.mouseUp();
+
+    document.execCommand('copy');
+}
+</script>
+</body>
+</html>
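Review bot: the selection that drives the cross-shadow copy is layout-dependent, because it is built from start.offsetLeft/offsetTop and hello.offsetWidth and replayed through eventSender; a font or platform metric change can shift the mouseUp point so the selection no longer ends in the shadow root's " World" text, and the test would then pass without exercising the fixed path. Consider checking after mouseUp that the selection is non-collapsed (for example via window.getSelection()) and failing loudly otherwise, so a regression in selection setup does not read as a silent pass. Minor style point: `start` and `hello` are reached through named-element window properties; document.getElementById('start') / ('hello') would make the dependency explicit.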

Modified: trunk/Source/WebCore/ChangeLog (265646 => 265647)


--- trunk/Source/WebCore/ChangeLog	2020-08-14 05:42:20 UTC (rev 265646)
+++ trunk/Source/WebCore/ChangeLog	2020-08-14 05:57:42 UTC (rev 265647)
@@ -1,3 +1,19 @@
+2020-08-13  Carlos Garcia Campos  <[email protected]>
+
+        Crash in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization
+        https://bugs.webkit.org/show_bug.cgi?id=199224
+
+        Reviewed by Michael Catanzaro.
+
+        The crash happens in StyledMarkupAccumulator::traverseNodesForSerialization() when we can't enter the node and
+        nextSkippingChildren() returns nullptr.
+
+        Test: editing/pasteboard/copy-across-shadow-boundaries-crash.html
+
+        * editing/markup.cpp:
+        (WebCore::StyledMarkupAccumulator::traverseNodesForSerialization): Set next to pastEnd if nextSkippingChildren()
+        returns nullptr.
+
 2020-08-13  Andres Gonzalez  <[email protected]>
 
         VoiceOver not able to invoke play button on some web sites.

Modified: trunk/Source/WebCore/editing/markup.cpp (265646 => 265647)


--- trunk/Source/WebCore/editing/markup.cpp	2020-08-14 05:42:20 UTC (rev 265646)
+++ trunk/Source/WebCore/editing/markup.cpp	2020-08-14 05:57:42 UTC (rev 265647)
@@ -668,7 +668,7 @@
         if (!enterNode(*n)) {
             next = nextSkippingChildren(*n);
             // Don't skip over pastEnd.
-            if (pastEnd && isDescendantOf(*pastEnd, *n))
+            if (pastEnd && (isDescendantOf(*pastEnd, *n) || !next))
                 next = pastEnd;
             ASSERT(next || !pastEnd);
         } else {
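Review bot: with `|| !next` added to the condition, the `ASSERT(next || !pastEnd)` two lines below can no longer fail when pastEnd is non-null (next is assigned pastEnd whenever it was null), so it now only guards the !pastEnd case; either drop it or note that it is intentionally weaker. The existing comment `// Don't skip over pastEnd.` also no longer describes the second half of the condition: add a sentence stating that nextSkippingChildren() returns nullptr when traversal runs off the end of the current tree before reaching pastEnd (the shadow-boundary case from the bug), and that jumping to pastEnd terminates the loop instead of dereferencing a null node. It is also worth recording that in the `!next` branch pastEnd need not be a descendant of n, so nothing between n and pastEnd is being skipped only because pastEnd lives in another tree; stating that assumption in the comment would make the fix easier to audit later.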
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes