Skip to site navigation (Press enter)

[webkit-changes] [269946] trunk

commit-queue Wed, 18 Nov 2020 00:29:02 -0800

Title: [269946] trunk

Revision: 269946
Author: [email protected]
Date: 2020-11-18 00:28:02 -0800 (Wed, 18 Nov 2020)

Log Message

Release assertion failure in Optional<WebCore::SimpleRange>::operator* via CompositeEditCommand::moveParagraphs
https://bugs.webkit.org/show_bug.cgi?id=218494


Patch by Carlos Garcia Campos <[email protected]> on 2020-11-18
Reviewed by Ryosuke Niwa.

Source/WebCore:

This is happening when insert list command is called for a list item containing a body element as a child. When
the tree is iterated looking for the end position, the body element selected as candidate, but a null position
is returned because it's considered to be in a different editing element. This happens because
Node::rootEditableElement() always returns the node itseld for body elements, but it should actually check that
the node is the document body.

Test: editing/inserting/insert-list-with-body-child-crash.html

* dom/Node.cpp:
(WebCore::Node::isRootEditableElement const): Check node is the document body, not just a body element.
(WebCore::Node::rootEditableElement const): Ditto.
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::moveParagraphs): Add an assert to ensure it's not called with a null endOfParagraphToMove.

LayoutTests:

* editing/inserting/insert-list-with-body-child-crash-expected.txt: Added.
* editing/inserting/insert-list-with-body-child-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/dom/Node.cpp
trunk/Source/WebCore/editing/CompositeEditCommand.cpp

Added Paths

trunk/LayoutTests/editing/inserting/insert-list-with-body-child-crash-expected.txt
trunk/LayoutTests/editing/inserting/insert-list-with-body-child-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (269945 => 269946)


--- trunk/LayoutTests/ChangeLog	2020-11-18 06:37:17 UTC (rev 269945)
+++ trunk/LayoutTests/ChangeLog	2020-11-18 08:28:02 UTC (rev 269946)
@@ -1,3 +1,13 @@
+2020-11-18  Carlos Garcia Campos  <[email protected]>
+
+        Release assertion failure in Optional<WebCore::SimpleRange>::operator* via CompositeEditCommand::moveParagraphs
+        https://bugs.webkit.org/show_bug.cgi?id=218494
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/inserting/insert-list-with-body-child-crash-expected.txt: Added.
+        * editing/inserting/insert-list-with-body-child-crash.html: Added.
+
 2020-11-17  Lauro Moura  <[email protected]>
 
         [GLIB] Update webaudio baselines after r269853

Added: trunk/LayoutTests/editing/inserting/insert-list-with-body-child-crash-expected.txt (0 => 269946)


--- trunk/LayoutTests/editing/inserting/insert-list-with-body-child-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-with-body-child-crash-expected.txt	2020-11-18 08:28:02 UTC (rev 269946)
@@ -0,0 +1 @@
+Test inserting list with a body child. The test passes if WebKit doesn't crash or hit an assertion.

Added: trunk/LayoutTests/editing/inserting/insert-list-with-body-child-crash.html (0 => 269946)


--- trunk/LayoutTests/editing/inserting/insert-list-with-body-child-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-with-body-child-crash.html	2020-11-18 08:28:02 UTC (rev 269946)
@@ -0,0 +1,25 @@
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function run() {
+    time.appendChild(document.createElement("body"));
+    form.appendChild(item);
+    window.getSelection().collapse(div);
+    document.execCommand("insertOrderedList", false);
+
+    if (window.testRunner) {
+        document.body.innerHTML = "<p>Test inserting list with a body child. The test passes if WebKit doesn't crash or hit an assertion.</p>";
+        testRunner.notifyDone();
+    }
+}
+</script>
+<body _onload_=run()>
+<form id="form" style="-webkit-user-modify: read-write;">
+<div id="div"></div>
+<li id="item">
+<video></video>
+<marquee>
+<time id="time">

Modified: trunk/Source/WebCore/ChangeLog (269945 => 269946)


--- trunk/Source/WebCore/ChangeLog	2020-11-18 06:37:17 UTC (rev 269945)
+++ trunk/Source/WebCore/ChangeLog	2020-11-18 08:28:02 UTC (rev 269946)
@@ -1,3 +1,24 @@
+2020-11-18  Carlos Garcia Campos  <[email protected]>
+
+        Release assertion failure in Optional<WebCore::SimpleRange>::operator* via CompositeEditCommand::moveParagraphs
+        https://bugs.webkit.org/show_bug.cgi?id=218494
+
+        Reviewed by Ryosuke Niwa.
+
+        This is happening when insert list command is called for a list item containing a body element as a child. When
+        the tree is iterated looking for the end position, the body element selected as candidate, but a null position
+        is returned because it's considered to be in a different editing element. This happens because
+        Node::rootEditableElement() always returns the node itseld for body elements, but it should actually check that
+        the node is the document body.
+
+        Test: editing/inserting/insert-list-with-body-child-crash.html
+
+        * dom/Node.cpp:
+        (WebCore::Node::isRootEditableElement const): Check node is the document body, not just a body element.
+        (WebCore::Node::rootEditableElement const): Ditto.
+        * editing/CompositeEditCommand.cpp:
+        (WebCore::CompositeEditCommand::moveParagraphs): Add an assert to ensure it's not called with a null endOfParagraphToMove.
+
 2020-11-17  Said Abou-Hallawa  <[email protected]>
 
         REGRESSION(r269614): [iOS] WebContent crashes when entering Full Screen video with text captions

Modified: trunk/Source/WebCore/dom/Node.cpp (269945 => 269946)


--- trunk/Source/WebCore/dom/Node.cpp	2020-11-18 06:37:17 UTC (rev 269945)
+++ trunk/Source/WebCore/dom/Node.cpp	2020-11-18 08:28:02 UTC (rev 269946)
@@ -1327,7 +1327,7 @@
 bool Node::isRootEditableElement() const
 {
     return hasEditableStyle() && isElementNode() && (!parentNode() || !parentNode()->hasEditableStyle()
-        || !parentNode()->isElementNode() || hasTagName(bodyTag));
+        || !parentNode()->isElementNode() || document().body() == this);
 }
 
 Element* Node::rootEditableElement() const
@@ -1336,7 +1336,7 @@
     for (Node* node = const_cast<Node*>(this); node && node->hasEditableStyle(); node = node->parentNode()) {
         if (is<Element>(*node))
             result = downcast<Element>(node);
-        if (is<HTMLBodyElement>(*node))
+        if (document().body() == node)
             break;
     }
     return result;

Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (269945 => 269946)


--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp	2020-11-18 06:37:17 UTC (rev 269945)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp	2020-11-18 08:28:02 UTC (rev 269946)
@@ -1400,6 +1400,8 @@
     if (destination.isNull() || startOfParagraphToMove == destination)
         return;
 
+    ASSERT((startOfParagraphToMove.isNull() && endOfParagraphToMove.isNull()) || !endOfParagraphToMove.isNull());
+
     Optional<uint64_t> startIndex;
     Optional<uint64_t> endIndex;
     bool originalIsDirectional = endingSelection().isDirectional();

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes