Title: [280312] trunk
Revision
280312
Author
[email protected]
Date
2021-07-26 13:47:30 -0700 (Mon, 26 Jul 2021)

Log Message

Crash in InsertParagraphSeparatorCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=224977

Patch by Frédéric Wang <[email protected]> on 2021-07-26
Reviewed by Ryosuke Niwa.

Source/WebCore:

Because <html> elements are handled specially in Position::isCandidate() (a) and
PositionIterator::isCandidate() (b), the function InsertParagraphSeparatorCommand::doApply()
may end up in an edge case where the startBlock is a sibling of the visible position per (a)
but isFirstInBlock,isLastInBlock is true,false per (b). This leads to hitting the debug
assertion ASSERT(startBlock->firstChild()) and dereferencing a nullptr pointer in release.
This patch fixes that by exiting early if the visible position is not a descendant of the
start block.

Test: editing/inserting/insert-paragraph-separator-with-html-elements-crash.html

* editing/InsertParagraphSeparatorCommand.cpp:
(WebCore::InsertParagraphSeparatorCommand::doApply):

LayoutTests:

Add regression test.

* editing/inserting/insert-paragraph-separator-with-html-elements-crash-expected.txt: Added.
* editing/inserting/insert-paragraph-separator-with-html-elements-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (280311 => 280312)


--- trunk/LayoutTests/ChangeLog	2021-07-26 20:40:10 UTC (rev 280311)
+++ trunk/LayoutTests/ChangeLog	2021-07-26 20:47:30 UTC (rev 280312)
@@ -1,3 +1,15 @@
+2021-07-26  Frédéric Wang  <[email protected]>
+
+        Crash in InsertParagraphSeparatorCommand::doApply
+        https://bugs.webkit.org/show_bug.cgi?id=224977
+
+        Reviewed by Ryosuke Niwa.
+
+        Add regression test.
+
+        * editing/inserting/insert-paragraph-separator-with-html-elements-crash-expected.txt: Added.
+        * editing/inserting/insert-paragraph-separator-with-html-elements-crash.html: Added.
+
 2021-07-26  Johnson Zhou  <[email protected]>
 
         Added support for FormDataEvent. Rebaselined.
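Review bot: the new ChangeLog entry is consistent with the commit message and lists both added files; nothing to change here.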

Added: trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-html-elements-crash-expected.txt (0 => 280312)


--- trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-html-elements-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-html-elements-crash-expected.txt	2021-07-26 20:47:30 UTC (rev 280312)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: The test PASS if it does not crash.
+0
+
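Review bot: the expected console line "The test PASS if it does not crash." is ungrammatical ("PASSES" or "passes"); since this string must match the test's `console.log` text exactly, change it in both the expected file and the .html at the same time, or leave both as they are. The trailing "0" line is the text node inserted by `insertAdjacentText('afterend', '0')`, so the dumped output is expected to contain it.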

Added: trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-html-elements-crash.html (0 => 280312)


--- trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-html-elements-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-html-elements-crash.html	2021-07-26 20:47:30 UTC (rev 280312)
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<script type="text/_javascript_">
+  if (window.testRunner)
+      testRunner.dumpAsText();
+  console.log('The test PASS if it does not crash.')
+  requestAnimationFrame(function() {
+      document.documentElement.addEventListener("DOMNodeRemoved", function() {
+          document.execCommand("SelectAll");
+          window.getSelection().
+              getRangeAt(0).surroundContents(document.head.firstElementChild);
+          document.body.insertAdjacentHTML('beforeend', "");
+      }, {once: true});
+      document.documentElement.innerHTML = '';
+
+      window.getSelection().deleteFromDocument();
+      document.documentElement.appendChild(document.documentElement.cloneNode());
+      var oElement = document.documentElement.firstElementChild;
+      oElement.contentEditable = true;
+
+      document.documentElement.addEventListener("DOMNodeRemoved", function() {
+          var el = document.documentElement.firstElementChild;
+          document.documentElement.appendChild(el);
+          el = document.importNode(el);
+          document.documentElement.appendChild(el);
+          el.insertAdjacentHTML('beforeend', "<svg></svg><svg></svg>[");
+      }, {once: true});
+      document.documentElement.
+          replaceChild(document.createElement('div'), oElement);
+
+      document.documentElement.appendChild(oElement);
+      window.getSelection().collapseToStart();
+      try {
+          window.getSelection().getRangeAt(0).
+              surroundContents(document.documentElement.firstElementChild);
+      } catch (e) {}
+      document.execCommand('InsertOrderedList');
+      oElement = document.documentElement.firstElementChild;
+      oElement.insertAdjacentText('afterend', '0');
+      document.documentElement.appendChild(document.importNode(oElement));
+
+      document.addEventListener("DOMNodeRemoved", function() {
+          document.execCommand('InsertParagraph');
+      }, {once: true});
+      oElement.outerHTML = "";
+  })
+</script>
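Review bot: the `<script type="text/_javascript_">` attribute value will not be executed as JavaScript by any browser, so as written the test would silently do nothing and always "pass"; this looks like a mail-archive mangling of `text/javascript`, but please confirm the committed file uses `text/javascript` (or no `type` attribute at all). Two smaller points: the test depends on the deprecated `DOMNodeRemoved` mutation event to re-enter editing commands mid-removal, which is exactly the reentrancy the fix guards against, so a short comment saying so would help future maintainers; and the `try { ... } catch (e) {}` around `surroundContents` swallows any exception, which is fine for a crash test but should be stated as intentional.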

Modified: trunk/Source/WebCore/ChangeLog (280311 => 280312)


--- trunk/Source/WebCore/ChangeLog	2021-07-26 20:40:10 UTC (rev 280311)
+++ trunk/Source/WebCore/ChangeLog	2021-07-26 20:47:30 UTC (rev 280312)
@@ -1,3 +1,23 @@
+2021-07-26  Frédéric Wang  <[email protected]>
+
+        Crash in InsertParagraphSeparatorCommand::doApply
+        https://bugs.webkit.org/show_bug.cgi?id=224977
+
+        Reviewed by Ryosuke Niwa.
+
+        Because <html> elements are handled specially in Position::isCandidate() (a) and
+        PositionIterator::isCandidate() (b), the function InsertParagraphSeparatorCommand::doApply()
+        may end up in a edge case where the startBlock is a sibling of the visible position per (a)
+        but isFirstInBlock,isLastInBlock is true,false per (b). This leads to hitting the debug
+        assertion ASSERT(startBlock->firstChild()) and dereferencing a nullptr pointer in release.
+        This patch fixes that by exiting early if the visible position is not a descendant of the
+        start block.
+
+        Test: editing/inserting/insert-paragraph-separator-with-html-elements-crash.html
+
+        * editing/InsertParagraphSeparatorCommand.cpp:
+        (WebCore::InsertParagraphSeparatorCommand::doApply):
+
 2021-07-26  Johnson Zhou  <[email protected]>
 
         FormDataEvent added, and dispatched upon creation of DOMFormData or submission of HTMLFormElement.
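Review bot: typo in the description at "may end up in a edge case": should read "an edge case". Otherwise the entry matches the commit message and the file/function list is correct.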

Modified: trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp (280311 => 280312)


--- trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp	2021-07-26 20:40:10 UTC (rev 280311)
+++ trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp	2021-07-26 20:47:30 UTC (rev 280312)
@@ -187,6 +187,9 @@
     if (visiblePos.isNull())
         return;
 
+    if (!startBlock->contains(visiblePos.deepEquivalent().containerNode()))
+        return;
+
     calculateStyleBeforeInsertion(insertionPosition);
 
     //---------------------------------------------------------------------
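Review bot: the early return is placed after the `visiblePos.isNull()` check, so `deepEquivalent().containerNode()` is non-null when `contains()` is called; please also confirm `startBlock` has already been null-checked on the lines above this hunk, since it is dereferenced here unconditionally. The bail-out itself has no explanation in the code, so a one-line comment at the insertion, e.g. "// Position::isCandidate() and PositionIterator::isCandidate() treat <html> differently, so visiblePos may be a sibling of startBlock; bail out rather than hit ASSERT(startBlock->firstChild())", would make the reason visible without reading the ChangeLog. Consider whether silently returning (dropping the paragraph insertion) is the intended user-visible behaviour versus falling back to a plain line break.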