Title: [279284] trunk
Revision: 279284
Author: [email protected]
Date: 2021-06-25 08:28:43 -0700 (Fri, 25 Jun 2021)

Log Message

Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
https://bugs.webkit.org/show_bug.cgi?id=226821

Reviewed by Ryosuke Niwa.

Source/WebCore:

r276394 fixed an issue in serialization when traversing the nodes. It added a new condition
to the ASSERT that was checking that it's OK not to have a next pointer when there is a valid
pastEnd in the case of pastEnd being a descendant of the pointer traversing the node tree.

However, that descendant check was not including the shadow DOM. This is precisely the case
detected by the test case this patch is adding.

Test: editing/selection/setSelection-shadow-dom-crash.html

* editing/markup.cpp:
(WebCore::StyledMarkupAccumulator::traverseNodesForSerialization):

LayoutTests:

* editing/selection/setSelection-shadow-dom-crash-expected.txt: Added.
* editing/selection/setSelection-shadow-dom-crash.html: Added.
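The containment semantics behind this fix, as an added example that is not part of the WebKit patch: a constructed stand-in for the DOM tree built by the regression test (body > img, body > div, div's shadow root > img), with a parent-chain walk that mirrors `Node.contains()` beside a shadow-aware walk that hops from a shadow root to its host, the way `containsIncludingShadowDOM` does in the ASSERT. The `DomNode` class and `buildTestTree` are illustrative helpers, not WebKit APIs.

```javascript
// Minimal stand-in for the DOM tree used by the regression test (constructed
// model, not WebKit code). A shadow root has no parentNode, only a host, which
// is exactly why a plain parent-chain walk stops at the shadow boundary.
class DomNode {
  constructor(name) {
    this.name = name;
    this.parentNode = null;   // null for the tree root and for shadow roots
    this.host = null;         // set only on a shadow root
    this.childNodes = [];
    this.shadowRoot = null;
  }
  appendChild(child) {
    child.parentNode = this;
    this.childNodes.push(child);
    return child;
  }
  attachShadow() {
    const root = new DomNode(`#shadow-root(${this.name})`);
    root.host = this;         // root.parentNode stays null, as in the real DOM
    this.shadowRoot = root;
    return root;
  }
}

// Mirrors Node.contains(): follows parentNode only, so it never crosses from a
// shadow tree into the light tree of the host. This is the check r276394 used.
function contains(ancestor, node) {
  for (let n = node; n; n = n.parentNode) {
    if (n === ancestor) return true;
  }
  return false;
}

// Mirrors the shadow-aware check the patch switches to: when the walk reaches a
// shadow root, continue from its host instead of stopping.
function containsIncludingShadowDOM(ancestor, node) {
  for (let n = node; n; n = n.parentNode ?? n.host) {
    if (n === ancestor) return true;
  }
  return false;
}

// Rebuild the tree from setSelection-shadow-dom-crash.html.
function buildTestTree() {
  const body = new DomNode('body');
  const image = body.appendChild(new DomNode('img'));
  const div = body.appendChild(new DomNode('div'));
  const image2 = div.attachShadow().appendChild(new DomNode('img2'));
  return { body, image, div, image2 };
}
```

With this tree, `contains(div, image2)` is false while `containsIncludingShadowDOM(div, image2)` is true, which is the gap the old ASSERT fell into when pastEnd sat inside the shadow tree.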

Diff

Modified: trunk/LayoutTests/ChangeLog (279283 => 279284)


--- trunk/LayoutTests/ChangeLog	2021-06-25 15:12:29 UTC (rev 279283)
+++ trunk/LayoutTests/ChangeLog	2021-06-25 15:28:43 UTC (rev 279284)
@@ -1,3 +1,13 @@
+2021-06-17  Sergio Villar Senin  <[email protected]>
+
+        Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
+        https://bugs.webkit.org/show_bug.cgi?id=226821
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/selection/setSelection-shadow-dom-crash-expected.txt: Added.
+        * editing/selection/setSelection-shadow-dom-crash.html: Added.
+
 2021-06-25  Philippe Normand  <[email protected]>
 
         Unreviewed, GStreamer gardening
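Review bot: the new entry is dated 2021-06-17 but is placed above the 2021-06-25 entry for the GStreamer gardening change, and the commit itself lands on 2021-06-25; update the entry date to the landing date so the ChangeLog stays in reverse-chronological order.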

Added: trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt (0 => 279284)


--- trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt	2021-06-25 15:28:43 UTC (rev 279284)
@@ -0,0 +1,2 @@
+
+This test PASS if it does not crash.
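Review bot: "This test PASS if it does not crash." should read "This test passes if it does not crash."; the expected file must match the string the test page writes into its `<p>`, so change both files together.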
Property changes on: trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

+LF \ No newline at end of property

Added: trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html (0 => 279284)


--- trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html	2021-06-25 15:28:43 UTC (rev 279284)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<body></body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+const image = document.createElement('img');
+document.body.appendChild(image);
+const selection = window.getSelection();
+const image2 = document.createElement('img');
+const div = document.createElement('div');
+document.body.appendChild(div);
+const shadow = div.attachShadow({
+    mode: "open",
+});
+shadow.appendChild(image2);
+if (window.internals) {
+    internals.setSelectionWithoutValidation(shadow, 0, image, 2);
+    document.execCommand("copy");
+
+    const p = document.createElement('p');
+    p.innerHTML = "This test PASS if it does not crash."
+    document.body.appendChild(p);
+}
+</script>
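Review bot: `p.innerHTML = "This test PASS if it does not crash."` is missing its terminating semicolon, and since the value is constant text `textContent` is the more precise property to set. Separately, the PASS text is only written inside the `if (window.internals)` block, so opening the page without the test harness produces an empty document; creating the `<p>` after the block keeps the harness output identical and makes a standalone run self-describing.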
Property changes on: trunk/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html
___________________________________________________________________

Added: svn:eol-style

+LF \ No newline at end of property

Added: svn:mime-type

+text/html \ No newline at end of property

Modified: trunk/Source/WebCore/ChangeLog (279283 => 279284)


--- trunk/Source/WebCore/ChangeLog	2021-06-25 15:12:29 UTC (rev 279283)
+++ trunk/Source/WebCore/ChangeLog	2021-06-25 15:28:43 UTC (rev 279284)
@@ -1,3 +1,22 @@
+2021-06-17  Sergio Villar Senin  <[email protected]>
+
+        Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
+        https://bugs.webkit.org/show_bug.cgi?id=226821
+
+        Reviewed by Ryosuke Niwa.
+
+        r276394 fixed an issue in serialization when transversing the nodes. It added a new condition
+        to the ASSERT that was checking that its OK not to have a next pointer when there is a valid
+        pastEnd in the case of pastEnd being a descendant of the pointer traversing the node tree.
+
+        However that descendant check was not including the shadow DOM. This is precisely the case
+        detected by the test case this patch is adding.
+
+        Test: editing/selection/setSelection-shadow-dom-crash.html
+
+        * editing/markup.cpp:
+        (WebCore::StyledMarkupAccumulator::traverseNodesForSerialization):
+
 2021-06-25  Philippe Normand  <[email protected]>
 
         [GStreamer] Build warnings in AudioFileReader since r279123
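Review bot: the description carries two typos into the permanent ChangeLog: "transversing" should be "traversing" and "its OK" should be "it's OK".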

Modified: trunk/Source/WebCore/editing/markup.cpp (279283 => 279284)


--- trunk/Source/WebCore/editing/markup.cpp	2021-06-25 15:12:29 UTC (rev 279283)
+++ trunk/Source/WebCore/editing/markup.cpp	2021-06-25 15:28:43 UTC (rev 279284)
@@ -697,7 +697,7 @@
                 }
             }
         }
-        ASSERT(next || !pastEnd || n->contains(pastEnd));
+        ASSERT(next || !pastEnd || n->containsIncludingShadowDOM(pastEnd));
 
         if (isBlock(n) && canHaveChildrenForEditing(*n) && next == pastEnd) {
             // Don't write out empty block containers that aren't fully selected.
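Review bot: only the ASSERT changes in this hunk, so release builds behave exactly as before. The visible context only compares `next == pastEnd`, which is safe with a null `next`, but please confirm that nothing later in the loop dereferences `next` when pastEnd sits inside a shadow tree of `n`; otherwise the crash from the bug title is still reachable in release and the new test passes there only because the assertion is compiled out. A short comment beside the ASSERT noting that pastEnd may live in a shadow tree under `n` would also spare the next reader from re-deriving why `contains()` was insufficient.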
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes