Title: [276344] trunk
Revision
276344
Author
[email protected]
Date
2021-04-20 21:58:39 -0700 (Tue, 20 Apr 2021)

Log Message

Crash in CompositeEditCommand::insertNodeAt
https://bugs.webkit.org/show_bug.cgi?id=224504

Patch by Ian Gilbert <[email protected]> on 2021-04-20
Reviewed by Ryosuke Niwa.

Source/WebCore:

CompositeEditCommand::cleanupAfterDeletion will remove text nodes that only
have a newline. Added check inside FormatBlockCommand::formatRange to avoid
a null pointer dereference on a removed node.

Test: editing/execCommand/format-block-remove-text-node-crash.html

* editing/FormatBlockCommand.cpp:
(WebCore::FormatBlockCommand::formatRange):

LayoutTests:

Adding a regression test case.

* editing/execCommand/format-block-remove-text-node-crash-expected.txt: Added.
* editing/execCommand/format-block-remove-text-node-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (276343 => 276344)


--- trunk/LayoutTests/ChangeLog	2021-04-21 02:38:11 UTC (rev 276343)
+++ trunk/LayoutTests/ChangeLog	2021-04-21 04:58:39 UTC (rev 276344)
@@ -1,5 +1,17 @@
 2021-04-20  Ian Gilbert  <[email protected]>
 
+        Crash in CompositeEditCommand::insertNodeAt
+        https://bugs.webkit.org/show_bug.cgi?id=224504
+
+        Reviewed by Ryosuke Niwa.
+
+        Adding a regression test case.
+
+        * editing/execCommand/format-block-remove-text-node-crash-expected.txt: Added.
+        * editing/execCommand/format-block-remove-text-node-crash.html: Added.
+
+2021-04-20  Ian Gilbert  <[email protected]>
+
         Crash due to VectorBuffer pre-allocation failure
         https://bugs.webkit.org/show_bug.cgi?id=224840
 

Added: trunk/LayoutTests/editing/execCommand/format-block-remove-text-node-crash-expected.txt (0 => 276344)


--- trunk/LayoutTests/editing/execCommand/format-block-remove-text-node-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/format-block-remove-text-node-crash-expected.txt	2021-04-21 04:58:39 UTC (rev 276344)
@@ -0,0 +1 @@
+Pass if test does not crash. PASS.

Added: trunk/LayoutTests/editing/execCommand/format-block-remove-text-node-crash.html (0 => 276344)


--- trunk/LayoutTests/editing/execCommand/format-block-remove-text-node-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/format-block-remove-text-node-crash.html	2021-04-21 04:58:39 UTC (rev 276344)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<script>
+_onload_ = function() {
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    document.designMode = 'on';
+    document.execCommand('SelectAll');
+    document.execCommand('FormatBlock', false, '<pre>');
+    document.write('Pass if test does not crash.\nPASS.');
+};
+</script>
+Text
+
+<style>
+   div {
+        height: 100px;
+    }
+</style>
+<div></div>
+<div></div>
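Review bot: the handler in the test script is assigned to `_onload_`, which is not the window load event property, so as written the editing commands would never run and the test would pass trivially; the assignment should be to `onload` (or use `window.addEventListener('load', ...)`). Two smaller style points in the same hunk: the `<style>` block mixes 3-space and 4-space indentation (`   div {` vs `        height: 100px;`), and `document.write(...)` after load replaces the whole document, which is fine for a dumpAsText crash test but is worth a short comment so the intent is clear.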

Modified: trunk/Source/WebCore/ChangeLog (276343 => 276344)


--- trunk/Source/WebCore/ChangeLog	2021-04-21 02:38:11 UTC (rev 276343)
+++ trunk/Source/WebCore/ChangeLog	2021-04-21 04:58:39 UTC (rev 276344)
@@ -1,3 +1,19 @@
+2021-04-20  Ian Gilbert  <[email protected]>
+
+        Crash in CompositeEditCommand::insertNodeAt
+        https://bugs.webkit.org/show_bug.cgi?id=224504
+
+        Reviewed by Ryosuke Niwa.
+
+        CompositeEditCommand::cleanupAfterDeletion will remove text nodes that only
+        have a newline. Added check inside FormatBlockCommand::formatRange to avoid
+        a null pointer dereference on a removed node. 
+
+        Test: editing/execCommand/format-block-remove-text-node-crash.html
+
+        * editing/FormatBlockCommand.cpp:
+        (WebCore::FormatBlockCommand::formatRange):
+
 2021-04-20  Basuke Suzuki  <[email protected]>
 
         [clang] Remove implicit cast related warnings.
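Review bot: the line `a null pointer dereference on a removed node. ` in the new ChangeLog entry carries trailing whitespace; please strip it, since WebKit's style checker and pre-commit hooks flag trailing whitespace in ChangeLog entries.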

Modified: trunk/Source/WebCore/editing/FormatBlockCommand.cpp (276343 => 276344)


--- trunk/Source/WebCore/editing/FormatBlockCommand.cpp	2021-04-21 02:38:11 UTC (rev 276343)
+++ trunk/Source/WebCore/editing/FormatBlockCommand.cpp	2021-04-21 04:58:39 UTC (rev 276344)
@@ -95,7 +95,8 @@
 
     moveParagraphWithClones(start, end, blockNode.get(), outerBlock.get());
 
-    if (wasEndOfParagraph && !isEndOfParagraph(lastParagraphInBlockNode) && !isStartOfParagraph(lastParagraphInBlockNode))
+    if (wasEndOfParagraph && lastParagraphInBlockNode.anchorNode()->isConnected()
+        && !isEndOfParagraph(lastParagraphInBlockNode) && !isStartOfParagraph(lastParagraphInBlockNode))
         insertBlockPlaceholder(lastParagraphInBlockNode);
 }
     
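Review bot: the new guard `lastParagraphInBlockNode.anchorNode()->isConnected()` dereferences the anchor node without a null check; a null `VisiblePosition` has no anchor node, so if `moveParagraphWithClones` can leave `lastParagraphInBlockNode` null this trades one null dereference for another. Suggest hoisting the node into a local and checking it first, e.g. `auto* anchorNode = lastParagraphInBlockNode.anchorNode();` then `if (wasEndOfParagraph && anchorNode && anchorNode->isConnected()`. It would also help to add a one-line comment above the condition explaining that `cleanupAfterDeletion` can remove newline-only text nodes, since that is the reason for the `isConnected()` check and is otherwise only recorded in the ChangeLog.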
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
