[webkit-changes] [276394] trunk

Wed, 21 Apr 2021 15:49:32 -0700

Title: [276394] trunk
Revision
276394
Author
[email protected]
Date
2021-04-21 15:48:38 -0700 (Wed, 21 Apr 2021)

Log Message

Crash in StyledMarkupAccumulator::traverseNodesForSerialization()
https://bugs.webkit.org/show_bug.cgi?id=224836

Patch by Julian Gonzalez <[email protected]> on 2021-04-21
Reviewed by Ryosuke Niwa.

Source/WebCore:

In traverseNodesForSerialization(), make sure we check if the current node
is a descendant of the pastEnd node even if we not entering the current node.

Test: editing/execCommand/selectAll-copy-crash.html

* editing/markup.cpp:
(WebCore::StyledMarkupAccumulator::traverseNodesForSerialization):

LayoutTests:

Add a test for the crash fixed here. Thanks to Tuomas Karkkainen for its first version.

* editing/execCommand/selectAll-copy-crash-expected.txt: Added.
* editing/execCommand/selectAll-copy-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (276393 => 276394)


--- trunk/LayoutTests/ChangeLog	2021-04-21 22:07:33 UTC (rev 276393)
+++ trunk/LayoutTests/ChangeLog	2021-04-21 22:48:38 UTC (rev 276394)
@@ -1,3 +1,15 @@
+2021-04-21  Julian Gonzalez  <[email protected]>
+
+        Crash in StyledMarkupAccumulator::traverseNodesForSerialization()
+        https://bugs.webkit.org/show_bug.cgi?id=224836
+
+        Reviewed by Ryosuke Niwa.
+
+        Add a test for the crash fixed here. Thanks to Tuomas Karkkainen for its first version.
+
+        * editing/execCommand/selectAll-copy-crash-expected.txt: Added.
+        * editing/execCommand/selectAll-copy-crash.html: Added.
+
 2021-04-21  Robert Jenner  <[email protected]>
 
         Mass removing prior test expectations that don't need to be set anymore

Added: trunk/LayoutTests/editing/execCommand/selectAll-copy-crash-expected.txt (0 => 276394)


--- trunk/LayoutTests/editing/execCommand/selectAll-copy-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/selectAll-copy-crash-expected.txt	2021-04-21 22:48:38 UTC (rev 276394)
@@ -0,0 +1 @@
+This test passes if WebKit does not crash. PASS

Added: trunk/LayoutTests/editing/execCommand/selectAll-copy-crash.html (0 => 276394)


--- trunk/LayoutTests/editing/execCommand/selectAll-copy-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/selectAll-copy-crash.html	2021-04-21 22:48:38 UTC (rev 276394)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+head, script {
+    all: inherit;
+}
+</style>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+_onload_ = () => {
+    document.body.attachShadow({mode: 'open'});
+    document.execCommand('SelectAll');
+    document.execCommand('Copy');
+    document.write('This test passes if WebKit does not crash. PASS');
+};
+</script>
+</head>
+<body>
+</body>
+</html>
\ No newline at end of file

Modified: trunk/Source/WebCore/ChangeLog (276393 => 276394)


--- trunk/Source/WebCore/ChangeLog	2021-04-21 22:07:33 UTC (rev 276393)
+++ trunk/Source/WebCore/ChangeLog	2021-04-21 22:48:38 UTC (rev 276394)
@@ -1,3 +1,18 @@
+2021-04-21  Julian Gonzalez  <[email protected]>
+
+        Crash in StyledMarkupAccumulator::traverseNodesForSerialization()
+        https://bugs.webkit.org/show_bug.cgi?id=224836
+
+        Reviewed by Ryosuke Niwa.
+
+        In traverseNodesForSerialization(), make sure we check if the current node
+        is a descendant of the pastEnd node even if we not entering the current node.
+
+        Test: editing/execCommand/selectAll-copy-crash.html
+
+        * editing/markup.cpp:
+        (WebCore::StyledMarkupAccumulator::traverseNodesForSerialization):
+
 2021-04-21  Chris Dumez  <[email protected]>
 
         GPUProcess launches unnecessarily when loading the amazon front page

Modified: trunk/Source/WebCore/editing/markup.cpp (276393 => 276394)


--- trunk/Source/WebCore/editing/markup.cpp	2021-04-21 22:07:33 UTC (rev 276393)
+++ trunk/Source/WebCore/editing/markup.cpp	2021-04-21 22:48:38 UTC (rev 276394)
@@ -697,7 +697,7 @@
                 }
             }
         }
-        ASSERT(next || !pastEnd);
+        ASSERT(next || !pastEnd || n->contains(pastEnd));
 
         if (isBlock(n) && canHaveChildrenForEditing(*n) && next == pastEnd) {
             // Don't write out empty block containers that aren't fully selected.
@@ -704,17 +704,18 @@
             continue;
         }
 
-        if (!enterNode(*n)) {
+        bool didEnterNode = false;
+        if (!enterNode(*n))
             next = nextSkippingChildren(*n);
-            // Don't skip over pastEnd.
-            if (pastEnd && (isDescendantOf(*pastEnd, *n) || !next))
-                next = pastEnd;
-            ASSERT(next || !pastEnd);
-        } else {
-            if (!hasChildNodes(*n))
-                exitNode(*n);
-        }
+        else if (!hasChildNodes(*n))
+            exitNode(*n);
+        else
+            didEnterNode = true;
 
+        bool aboutToGoPastEnd = pastEnd && !didEnterNode && (!next || isDescendantOf(*pastEnd, *n));
+        if (aboutToGoPastEnd)
+            next = pastEnd;
+
         for (auto* ancestor : exitedAncestors) {
             if (!depth && next == pastEnd)
                 break;

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to