Title: [278593] trunk
- Revision: 278593
- Author: [email protected]
- Date: 2021-06-08 00:35:58 -0700 (Tue, 08 Jun 2021)
Log Message
Crash in InsertParagraphSeparatorCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=226527
Patch by Frédéric Wang <[email protected]> on 2021-06-08
Reviewed by Ryosuke Niwa.
Source/WebCore:
After r273375 and r278002, it is possible that InsertParagraphSeparatorCommand::doApply is
confused by a display: table start block, leading to nullptr crash in the rest of the
function. This patch just excludes that case in order to work around that kind of issue.
Test: fast/editing/insert-paragraph-with-img-in-table-crash.html
* editing/InsertParagraphSeparatorCommand.cpp:
(WebCore::InsertParagraphSeparatorCommand::doApply):
LayoutTests:
Add regression test.
* fast/editing/insert-paragraph-with-img-in-table-crash-expected.txt: Added.
* fast/editing/insert-paragraph-with-img-in-table-crash.html: Added. Note that not having a
new line at the end of the HTML file is required to make the test crash without the patch.
* fast/editing/insert-paragraph-with-text-in-table-crash-expected.txt: Added.
* fast/editing/insert-paragraph-with-text-in-table-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (278592 => 278593)
--- trunk/LayoutTests/ChangeLog 2021-06-08 04:57:22 UTC (rev 278592)
+++ trunk/LayoutTests/ChangeLog 2021-06-08 07:35:58 UTC (rev 278593)
@@ -1,3 +1,19 @@
+2021-06-08 Frédéric Wang <[email protected]>
+
+ Crash in InsertParagraphSeparatorCommand::doApply
+ https://bugs.webkit.org/show_bug.cgi?id=226527
+
+ Reviewed by Ryosuke Niwa.
+
+ Add regression test.
+
+ * fast/editing/insert-paragraph-with-img-in-table-crash-expected.txt: Added.
+ * fast/editing/insert-paragraph-with-img-in-table-crash.html: Added. Note that not having a
+ new line at the end of the HTML file is required to make the test crash without the patch.
+ * fast/editing/insert-paragraph-with-text-in-table-crash-expected.txt: Added.
+ * fast/editing/insert-paragraph-with-text-in-table-crash.html: Added.
+
+
2021-06-07 Alexey Shvayka <[email protected]>
Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy
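Review bot: The entry text "Add regression test." is singular, but the file list under it adds two tests, each with its own expectation file. Say what insert-paragraph-with-text-in-table-crash.html covers, the way the img-in-table line explains its missing trailing newline, so a later reader can tell why both tests are needed.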
Added: trunk/LayoutTests/fast/editing/insert-paragraph-with-img-in-table-crash-expected.txt (0 => 278593)
--- trunk/LayoutTests/fast/editing/insert-paragraph-with-img-in-table-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/editing/insert-paragraph-with-img-in-table-crash-expected.txt 2021-06-08 07:35:58 UTC (rev 278593)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+
+
+
Added: trunk/LayoutTests/fast/editing/insert-paragraph-with-img-in-table-crash.html (0 => 278593)
--- trunk/LayoutTests/fast/editing/insert-paragraph-with-img-in-table-crash.html (rev 0)
+++ trunk/LayoutTests/fast/editing/insert-paragraph-with-img-in-table-crash.html 2021-06-08 07:35:58 UTC (rev 278593)
@@ -0,0 +1,15 @@
+<style>
+ #last::before {
+ content: '.';
+ }
+</style>
+<script>
+ _onload_ = () => {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ console.log("This test passes if it does not crash.")
+ getSelection().setBaseAndExtent(document.querySelector('img'), 1, document.querySelector('#last'), 0);
+ document.execCommand('InsertParagraph');
+ };
+</script>
+<body contenteditable style="display: table"><img style="content: ''"><div></div><div id="last"></div></body>
\ No newline at end of file
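Review bot: The reproduction depends on the file ending without a newline (see the `\ No newline at end of file` marker after the `<body>` line, and the ChangeLog note), yet nothing inside the test records that requirement. An editor or formatter that appends a newline would leave the test passing while no longer exercising the bug, so add a comment inside the `<script>` block stating it. Minor style point: the `console.log(...)` line is missing its trailing semicolon.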
Added: trunk/LayoutTests/fast/editing/insert-paragraph-with-text-in-table-crash-expected.txt (0 => 278593)
--- trunk/LayoutTests/fast/editing/insert-paragraph-with-text-in-table-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/editing/insert-paragraph-with-text-in-table-crash-expected.txt 2021-06-08 07:35:58 UTC (rev 278593)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+_onload_ = () => { if (window.testRunner) testRunner.dumpAsText(); console.log("This test passes if it does not crash.") document.execCommand('SelectAll'); document.execCommand('Copy'); document.execCommand('SelectAll'); document.designMode = 'on'; document.execCommand('PasteAndMatchStyle'); };
+
+
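Review bot: The second expected line is the test's own script text, so this expectation is coupled to the script body in insert-paragraph-with-text-in-table-crash.html and has to be regenerated whenever that script changes. A one-line mention of this in the ChangeLog entry would keep a later failure of this "does not crash" test from being misread as a regression.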
Added: trunk/LayoutTests/fast/editing/insert-paragraph-with-text-in-table-crash.html (0 => 278593)
--- trunk/LayoutTests/fast/editing/insert-paragraph-with-text-in-table-crash.html (rev 0)
+++ trunk/LayoutTests/fast/editing/insert-paragraph-with-text-in-table-crash.html 2021-06-08 07:35:58 UTC (rev 278593)
@@ -0,0 +1,17 @@
+<style>
+ head, script, div {
+ display: table;
+ }
+</style>
+<script>
+ _onload_ = () => {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ console.log("This test passes if it does not crash.")
+ document.execCommand('SelectAll');
+ document.execCommand('Copy');
+ document.execCommand('SelectAll');
+ document.designMode = 'on';
+ document.execCommand('PasteAndMatchStyle');
+ };
+</script>
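Review bot: The file name says insert-paragraph, but the script never issues `InsertParagraph`; it runs `SelectAll`, `Copy`, `SelectAll` and `PasteAndMatchStyle`. Add a comment in the script explaining how that sequence relates to the crash in InsertParagraphSeparatorCommand::doApply, or name the test after the command it actually drives.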
Modified: trunk/Source/WebCore/ChangeLog (278592 => 278593)
--- trunk/Source/WebCore/ChangeLog 2021-06-08 04:57:22 UTC (rev 278592)
+++ trunk/Source/WebCore/ChangeLog 2021-06-08 07:35:58 UTC (rev 278593)
@@ -1,3 +1,19 @@
+2021-06-08 Frédéric Wang <[email protected]>
+
+ Crash in InsertParagraphSeparatorCommand::doApply
+ https://bugs.webkit.org/show_bug.cgi?id=226527
+
+ Reviewed by Ryosuke Niwa.
+
+ After r273375 and r278002, it is possible that InsertParagraphSeparatorCommand::doApply is
+ confused by a display: table start block, leading to nullptr crash in the rest of the
+ function. This patch just excludes that case in order to work around that kind of issue.
+
+ Test: fast/editing/insert-paragraph-with-img-in-table-crash.html
+
+ * editing/InsertParagraphSeparatorCommand.cpp:
+ (WebCore::InsertParagraphSeparatorCommand::doApply):
+
2021-06-07 Alex Christensen <[email protected]>
Adopt SecTrustGetCertificateAtIndex replacement where available
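Review bot: The `Test:` line names only fast/editing/insert-paragraph-with-img-in-table-crash.html, while the same revision also adds insert-paragraph-with-text-in-table-crash.html; list both. Since the entry describes the change as a workaround ("just excludes that case"), it should also point to a follow-up bug for the underlying confusion introduced after r273375 and r278002, if one exists.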
Modified: trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp (278592 => 278593)
--- trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp 2021-06-08 04:57:22 UTC (rev 278592)
+++ trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp 2021-06-08 07:35:58 UTC (rev 278593)
@@ -166,6 +166,7 @@
Position canonicalPos = VisiblePosition(insertionPosition).deepEquivalent();
if (!startBlock
|| !startBlock->nonShadowBoundaryParentNode()
+ || isRenderedTable(startBlock.get())
|| isTableCell(startBlock.get())
|| is<HTMLFormElement>(*startBlock)
// FIXME: If the node is hidden, we don't have a canonical position so we will do the wrong thing for tables and <hr>. https://bugs.webkit.org/show_bug.cgi?id=40342
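Review bot: The added `|| isRenderedTable(startBlock.get())` condition has no comment, although the ChangeLog describes it as a workaround rather than a fix. Put a FIXME with the bug URL next to it, as the following line does for hidden nodes, so the exclusion is not later mistaken for intended behavior. Its placement after the `!startBlock` check is right, since that keeps the pointer passed to `isRenderedTable` non-null.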