[webkit-changes] [279284] trunk

[svillar]

Title: [279284] trunk

Revision

279284

Author

svil...@igalia.com

Date

2021-06-25 08:28:43 -0700 (Fri, 25 Jun 2021)

Log Message

Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
https://bugs.webkit.org/show_bug.cgi?id=226821

Reviewed by Ryosuke Niwa.

Source/WebCore:

r276394 fixed an issue in serialization when transversing the nodes. It added a new condition
to the ASSERT that was checking that its OK not to have a next pointer when there is a valid
pastEnd in the case of pastEnd being a descendant of the pointer traversing the node tree.

However that descendant check was not including the shadow DOM. This is precisely the case
detected by the test case this patch is adding.

Test: editing/selection/setSelection-shadow-dom-crash.html

* editing/markup.cpp:
(WebCore::StyledMarkupAccumulator::traverseNodesForSerialization):

LayoutTests:

* editing/selection/setSelection-shadow-dom-crash-expected.txt: Added.
* editing/selection/setSelection-shadow-dom-crash.html: Added.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/editing/markup.cpp

Added Paths

• trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt
• trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (279283 => 279284)

--- trunk/LayoutTests/ChangeLog	2021-06-25 15:12:29 UTC (rev 279283)
+++ trunk/LayoutTests/ChangeLog	2021-06-25 15:28:43 UTC (rev 279284)
@@ -1,3 +1,13 @@
+2021-06-17  Sergio Villar Senin  <svil...@igalia.com>
+
+        Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
+        https://bugs.webkit.org/show_bug.cgi?id=226821
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/selection/setSelection-shadow-dom-crash-expected.txt: Added.
+        * editing/selection/setSelection-shadow-dom-crash.html: Added.
+
 2021-06-25  Philippe Normand  <pnorm...@igalia.com>
 
         Unreviewed, GStreamer gardening

Added: trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt (0 => 279284)

--- trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt	2021-06-25 15:28:43 UTC (rev 279284)
@@ -0,0 +1,2 @@
+
+This test PASS if it does not crash.
Property changes on: trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

+LF \ No newline at end of property

Added: trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html (0 => 279284)

--- trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html	2021-06-25 15:28:43 UTC (rev 279284)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<body></body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+const image = document.createElement('img');
+document.body.appendChild(image);
+const selection = window.getSelection();
+const image2 = document.createElement('img');
+const div = document.createElement('div');
+document.body.appendChild(div);
+const shadow = div.attachShadow({
+    mode: "open",
+});
+shadow.appendChild(image2);
+if (window.internals) {
+    internals.setSelectionWithoutValidation(shadow, 0, image, 2);
+    document.execCommand("copy");
+
+    const p = document.createElement('p');
+    p.innerHTML = "This test PASS if it does not crash."
+    document.body.appendChild(p);
+}
+</script>
Property changes on: trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html
___________________________________________________________________

Added: svn:eol-style

+LF \ No newline at end of property

Added: svn:mime-type

+text/html \ No newline at end of property

Modified: trunk/Source/WebCore/ChangeLog (279283 => 279284)

--- trunk/Source/WebCore/ChangeLog	2021-06-25 15:12:29 UTC (rev 279283)
+++ trunk/Source/WebCore/ChangeLog	2021-06-25 15:28:43 UTC (rev 279284)
@@ -1,3 +1,22 @@
+2021-06-17  Sergio Villar Senin  <svil...@igalia.com>
+
+        Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
+        https://bugs.webkit.org/show_bug.cgi?id=226821
+
+        Reviewed by Ryosuke Niwa.
+
+        r276394 fixed an issue in serialization when transversing the nodes. It added a new condition
+        to the ASSERT that was checking that its OK not to have a next pointer when there is a valid
+        pastEnd in the case of pastEnd being a descendant of the pointer traversing the node tree.
+
+        However that descendant check was not including the shadow DOM. This is precisely the case
+        detected by the test case this patch is adding.
+
+        Test: editing/selection/setSelection-shadow-dom-crash.html
+
+        * editing/markup.cpp:
+        (WebCore::StyledMarkupAccumulator::traverseNodesForSerialization):
+
 2021-06-25  Philippe Normand  <pnorm...@igalia.com>
 
         [GStreamer] Build warnings in AudioFileReader since r279123

Modified: trunk/Source/WebCore/editing/markup.cpp (279283 => 279284)

--- trunk/Source/WebCore/editing/markup.cpp	2021-06-25 15:12:29 UTC (rev 279283)
+++ trunk/Source/WebCore/editing/markup.cpp	2021-06-25 15:28:43 UTC (rev 279284)
@@ -697,7 +697,7 @@
                 }
             }
         }
-        ASSERT(next || !pastEnd || n->contains(pastEnd));
+        ASSERT(next || !pastEnd || n->containsIncludingShadowDOM(pastEnd));
 
         if (isBlock(n) && canHaveChildrenForEditing(*n) && next == pastEnd) {
             // Don't write out empty block containers that aren't fully selected.

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes