Title: [274863] trunk
- Revision
- 274863
- Author
- [email protected]
- Date
- 2021-03-23 06:37:46 -0700 (Tue, 23 Mar 2021)
Log Message
Nullopt in DOMSelection::getRangeAt
https://bugs.webkit.org/show_bug.cgi?id=223361
Patch by Frédéric Wang <[email protected]> on 2021-03-23
Reviewed by Ryosuke Niwa.
Source/WebCore:
When extending the selection toward a pseudo element, it's possible to reach the
corresponding debug ASSERT in WebCore::Position::Position and later a nullptr dereference in
release mode. This patch fixes start/endPositionForLine to avoid that issue.
Test: editing/selection/modify-by-lineboundary-toward-pseudo-element.html
* editing/VisibleUnits.cpp: Make the two branches of LineEndpointComputationMode consistent
and merge them.
(WebCore::startPositionForLine): For logical ordering, try a non-pseudo element after.
(WebCore::endPositionForLine): For logical ordering, try a non-pseudo element before.
LayoutTests:
Add regression test.
* editing/selection/modify-by-lineboundary-toward-pseudo-element-expected.txt: Added.
* editing/selection/modify-by-lineboundary-toward-pseudo-element.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (274862 => 274863)
--- trunk/LayoutTests/ChangeLog 2021-03-23 13:36:58 UTC (rev 274862)
+++ trunk/LayoutTests/ChangeLog 2021-03-23 13:37:46 UTC (rev 274863)
@@ -1,3 +1,15 @@
+2021-03-23 Frédéric Wang <[email protected]>
+
+ Nullopt in DOMSelection::getRangeAt
+ https://bugs.webkit.org/show_bug.cgi?id=223361
+
+ Reviewed by Ryosuke Niwa.
+
+ Add regression test.
+
+ * editing/selection/modify-by-lineboundary-toward-pseudo-element-expected.txt: Added.
+ * editing/selection/modify-by-lineboundary-toward-pseudo-element.html: Added.
+
2021-03-23 Carlos Garcia Campos <[email protected]>
Debug assert failure in RenderTable::layout()
Added: trunk/LayoutTests/editing/selection/modify-by-lineboundary-toward-pseudo-element-expected.txt (0 => 274863)
--- trunk/LayoutTests/editing/selection/modify-by-lineboundary-toward-pseudo-element-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/selection/modify-by-lineboundary-toward-pseudo-element-expected.txt 2021-03-23 13:37:46 UTC (rev 274863)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+ A
Added: trunk/LayoutTests/editing/selection/modify-by-lineboundary-toward-pseudo-element.html (0 => 274863)
--- trunk/LayoutTests/editing/selection/modify-by-lineboundary-toward-pseudo-element.html (rev 0)
+++ trunk/LayoutTests/editing/selection/modify-by-lineboundary-toward-pseudo-element.html 2021-03-23 13:37:46 UTC (rev 274863)
@@ -0,0 +1,21 @@
+<style>
+ :after, :before {
+ content: counter(a);
+ -webkit-appearance: discrete-capacity-level-indicator;
+ }
+</style>
+<script>
+ function main() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ console.log("This test passes if it does not crash.");
+ document.execCommand("selectAll",false,null);
+ window.getSelection().modify("extend","forward","lineboundary");
+ window.getSelection().getRangeAt(0);
+ document.execCommand("selectAll",false,null);
+ window.getSelection().modify("extend","backward","lineboundary");
+ window.getSelection().getRangeAt(0);
+ }
+</script>
+<body _onload_="main()">
+A
Modified: trunk/Source/WebCore/ChangeLog (274862 => 274863)
--- trunk/Source/WebCore/ChangeLog 2021-03-23 13:36:58 UTC (rev 274862)
+++ trunk/Source/WebCore/ChangeLog 2021-03-23 13:37:46 UTC (rev 274863)
@@ -1,5 +1,23 @@
2021-03-23 Frédéric Wang <[email protected]>
+ Nullopt in DOMSelection::getRangeAt
+ https://bugs.webkit.org/show_bug.cgi?id=223361
+
+ Reviewed by Ryosuke Niwa.
+
+ When extending the selection toward a pseudo element, it's possible to reach the
+ corresponding debug ASSERT in WebCore::Position::Position and later a nullptr dereference in
+ release mode. This patch fixes start/endPositionForLine to avoid that issue.
+
+ Test: editing/selection/modify-by-lineboundary-toward-pseudo-element.html
+
+ * editing/VisibleUnits.cpp: Make the two branches of LineEndpointComputationMode consistent
+ and merge them.
+ (WebCore::startPositionForLine): For logical ordering, try a non-pseudo element after.
+ (WebCore::endPositionForLine): For logical ordering, try a non-pseudo element before.
+
+2021-03-23 Frédéric Wang <[email protected]>
+
Nullptr crash in HTMLConverter::convert
https://bugs.webkit.org/show_bug.cgi?id=221719
Modified: trunk/Source/WebCore/editing/VisibleUnits.cpp (274862 => 274863)
--- trunk/Source/WebCore/editing/VisibleUnits.cpp 2021-03-23 13:36:58 UTC (rev 274862)
+++ trunk/Source/WebCore/editing/VisibleUnits.cpp 2021-03-23 13:37:46 UTC (rev 274863)
@@ -742,26 +742,21 @@
}
Node* startNode;
- LayoutIntegration::RunIterator startRun;
- if (mode == UseLogicalOrdering) {
- startRun = line.logicalStartRunWithNode();
+ LayoutIntegration::RunIterator startRun = mode == UseLogicalOrdering ? line.logicalStartRunWithNode() : line.firstRun();
+ // Generated content (e.g. list markers and CSS :before and :after pseudoelements) have no corresponding DOM element,
+ // and so cannot be represented by a VisiblePosition. Use whatever follows instead.
+ while (true) {
if (!startRun)
return VisiblePosition();
- startNode = startRun->renderer().node();
- } else {
- // Generated content (e.g. list markers and CSS :before and :after pseudoelements) have no corresponding DOM element,
- // and so cannot be represented by a VisiblePosition. Use whatever follows instead.
- startRun = line.firstRun();
- while (true) {
- if (!startRun)
- return VisiblePosition();
- startNode = startRun->renderer().nonPseudoNode();
- if (startNode)
- break;
+ startNode = startRun->renderer().nonPseudoNode();
+ if (startNode)
+ break;
+ if (mode == UseLogicalOrdering)
+ startRun.traverseNextOnLineInLogicalOrder();
+ else
startRun.traverseNextOnLine();
- }
}
return is<Text>(*startNode) ? Position(downcast<Text>(startNode), downcast<LayoutIntegration::PathTextRun>(*startRun).start())
@@ -817,26 +812,21 @@
}
Node* endNode;
- LayoutIntegration::RunIterator endRun;
- if (mode == UseLogicalOrdering) {
- endRun = line.logicalEndRunWithNode();
+ LayoutIntegration::RunIterator endRun = mode == UseLogicalOrdering ? line.logicalEndRunWithNode() : line.lastRun();
+ // Generated content (e.g. list markers and CSS :before and :after pseudoelements) have no corresponding DOM element,
+ // and so cannot be represented by a VisiblePosition. Use whatever precedes instead.
+ while (true) {
if (!endRun)
return VisiblePosition();
- endNode = endRun->renderer().node();
- } else {
- // Generated content (e.g. list markers and CSS :before and :after pseudoelements) have no corresponding DOM element,
- // and so cannot be represented by a VisiblePosition. Use whatever precedes instead.
- endRun = line.lastRun();
- while (true) {
- if (!endRun)
- return VisiblePosition();
- endNode = endRun->renderer().nonPseudoNode();
- if (endNode)
- break;
-
+ endNode = endRun->renderer().nonPseudoNode();
+ if (endNode)
+ break;
+
+ if (mode == UseLogicalOrdering)
+ endRun.traversePreviousOnLineInLogicalOrder();
+ else
endRun.traversePreviousOnLine();
- }
}
Position pos;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
