Title: [280381] trunk
Revision
280381
Author
[email protected]
Date
2021-07-28 07:01:53 -0700 (Wed, 28 Jul 2021)

Log Message

Crash in ApplyStyleCommand::applyRelativeFontStyleChange
https://bugs.webkit.org/show_bug.cgi?id=226926

Patch by Frédéric Wang <[email protected]> on 2021-07-28
Reviewed by Ryosuke Niwa.

Source/WebCore:

In r179944 and r180050, special handling was added for display: grid/flex nodes in
Position::isCandidate in order to make them editable but the same logic was not added in
PositionIterator::isCandidate. This patch fixes that inconsistency as well as the
corresponding debug ASSERT and release nullptr dereference.

Tests: fast/editing/apply-relative-font-style-change-crash-001.html
       fast/editing/apply-relative-font-style-change-crash-002.html

* dom/PositionIterator.cpp:
(WebCore::PositionIterator::isCandidate const): Handle flexbox and grid.

LayoutTests:

Add regression tests.

* fast/editing/apply-relative-font-style-change-crash-001-expected.txt: Added.
* fast/editing/apply-relative-font-style-change-crash-001-expected.txt: Added.
* fast/editing/apply-relative-font-style-change-crash-002.html: Added.
* fast/editing/apply-relative-font-style-change-crash-002.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (280380 => 280381)


--- trunk/LayoutTests/ChangeLog	2021-07-28 08:34:54 UTC (rev 280380)
+++ trunk/LayoutTests/ChangeLog	2021-07-28 14:01:53 UTC (rev 280381)
@@ -1,3 +1,17 @@
+2021-07-28  Frédéric Wang  <[email protected]>
+
+        Crash in ApplyStyleCommand::applyRelativeFontStyleChange
+        https://bugs.webkit.org/show_bug.cgi?id=226926
+
+        Reviewed by Ryosuke Niwa.
+
+        Add regression tests.
+
+        * fast/editing/apply-relative-font-style-change-crash-001-expected.txt: Added.
+        * fast/editing/apply-relative-font-style-change-crash-001-expected.txt: Added.
+        * fast/editing/apply-relative-font-style-change-crash-002.html: Added.
+        * fast/editing/apply-relative-font-style-change-crash-002.html: Added.
+
 2021-07-28  Fujii Hironori  <[email protected]>
 
         [WinCairo] Unreviewed test gardening
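Review bot: the file list in this ChangeLog entry is wrong: `apply-relative-font-style-change-crash-001-expected.txt` and `apply-relative-font-style-change-crash-002.html` each appear twice, while the patch actually adds four distinct files (`...-001-expected.txt`, `...-001.html`, `...-002-expected.txt`, `...-002.html`). Replace the two duplicate lines with `* fast/editing/apply-relative-font-style-change-crash-001.html: Added.` and `* fast/editing/apply-relative-font-style-change-crash-002-expected.txt: Added.` so the entry matches the "Added:" headers below; the same duplication is in the commit message and in the LayoutTests ChangeLog copy of it.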

Added: trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-001-expected.txt (0 => 280381)


--- trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-001-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-001-expected.txt	2021-07-28 14:01:53 UTC (rev 280381)
@@ -0,0 +1 @@
+The test PASS if it does not crash.
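Review bot: "The test PASS if it does not crash." is ungrammatical ("PASSES" or "passes"); since this string is written by `document.body.textContent = ...` in the .html file and then compared against this expectation, any rewording has to be applied to both the expectation and the test (and to the identical 002 pair) or the test will fail on text mismatch rather than on the crash it is meant to catch.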

Added: trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-001.html (0 => 280381)


--- trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-001.html	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-001.html	2021-07-28 14:01:53 UTC (rev 280381)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<body>
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+        document.designMode = "on";
+        document.body.innerHTML = `<div>ANCHOR</div><div><button>FOCUS</button></div>TEXT_AFTER`
+        const anchorNode = document.body.firstElementChild.firstChild;
+        const anchorOffset = 0;
+        const focusNode = document.getElementsByTagName("button")[0].lastChild;
+        const focusOffset = focusNode.textContent.length;
+        getSelection().setBaseAndExtent(anchorNode, anchorOffset, focusNode, focusOffset);
+        getSelection().getRangeAt(0).deleteContents();
+        document.execCommand('FontSizeDelta', false, '1px');
+        document.body.textContent = 'The test PASS if it does not crash.';
+    </script>
+</body>
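Review bot: the test gives no hint of why an unstyled `<button>` exercises the code path the fix touches (the PositionIterator change is about RenderGrid/RenderFlexibleBox, and nothing in this file sets `display`); a one-line comment above the `innerHTML` assignment stating which renderer the button gets, or at least a link to bug 226926, would keep a future reader from "simplifying" the markup and silently losing coverage. The selection setup also assumes `document.body.firstElementChild.firstChild` is the "ANCHOR" text node and `button.lastChild` is the "FOCUS" text node; that holds for the literal markup here, but a short comment saying the selection spans from inside the first div to the end of the button text would make the intent explicit.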

Added: trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-002-expected.txt (0 => 280381)


--- trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-002-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-002-expected.txt	2021-07-28 14:01:53 UTC (rev 280381)
@@ -0,0 +1 @@
+The test PASS if it does not crash.

Added: trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-002.html (0 => 280381)


--- trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-002.html	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-002.html	2021-07-28 14:01:53 UTC (rev 280381)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<body>
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+        document.designMode = "on";
+        document.body.innerHTML = `<div>ANCHOR</div><div><button style="display: grid">FOCUS</button></div>TEXT_AFTER`
+        const anchorNode = document.body.firstElementChild.firstChild;
+        const anchorOffset = 0;
+        const focusNode = document.getElementsByTagName("button")[0].lastChild;
+        const focusOffset = focusNode.textContent.length;
+        getSelection().setBaseAndExtent(anchorNode, anchorOffset, focusNode, focusOffset);
+        getSelection().getRangeAt(0).deleteContents();
+        document.execCommand('FontSizeDelta', false, '1px');
+        document.body.textContent = 'The test PASS if it does not crash.';
+    </script>
+</body>
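Review bot: this file is byte-for-byte the 001 test except for `style="display: grid"` on the button, and the fix covers both `RenderGrid` and `RenderFlexibleBox`, yet no test sets `display: flex` explicitly. Rather than a third copy, consider folding the cases into one test that loops over the display values to exercise (default, `flex`, `grid`), rebuilding `document.body.innerHTML` and re-running the selection plus `FontSizeDelta` steps for each; that gives the flex path its own explicit coverage and keeps the two (or three) variants from drifting apart.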

Modified: trunk/Source/WebCore/ChangeLog (280380 => 280381)


--- trunk/Source/WebCore/ChangeLog	2021-07-28 08:34:54 UTC (rev 280380)
+++ trunk/Source/WebCore/ChangeLog	2021-07-28 14:01:53 UTC (rev 280381)
@@ -1,3 +1,21 @@
+2021-07-28  Frédéric Wang  <[email protected]>
+
+        Crash in ApplyStyleCommand::applyRelativeFontStyleChange
+        https://bugs.webkit.org/show_bug.cgi?id=226926
+
+        Reviewed by Ryosuke Niwa.
+
+        In r179944 and r180050, special handling was added for display: grid/flex nodes in
+        Position::isCandidate in order to make them editable but the same logic was not added in
+        PositionIterator::isCandidate. This patch fixes that inconsistency as well as the
+        corresponding debug ASSERT and release nullptr dereference.
+
+        Tests: fast/editing/apply-relative-font-style-change-crash-001.html
+               fast/editing/apply-relative-font-style-change-crash-002.html
+
+        * dom/PositionIterator.cpp:
+        (WebCore::PositionIterator::isCandidate const): Handle flexbox and grid.
+
 2021-07-27  Joonghun Park  <[email protected]>
 
         Unreviewed. Remove the build warning below since r280332.

Modified: trunk/Source/WebCore/dom/PositionIterator.cpp (280380 => 280381)


--- trunk/Source/WebCore/dom/PositionIterator.cpp	2021-07-28 08:34:54 UTC (rev 280380)
+++ trunk/Source/WebCore/dom/PositionIterator.cpp	2021-07-28 14:01:53 UTC (rev 280381)
@@ -32,6 +32,8 @@
 #include "HTMLHtmlElement.h"
 #include "HTMLNames.h"
 #include "RenderBlockFlow.h"
+#include "RenderFlexibleBox.h"
+#include "RenderGrid.h"
 #include "RenderText.h"
 
 namespace WebCore {
@@ -164,8 +166,8 @@
     if (isRenderedTable(m_anchorNode) || editingIgnoresContent(*m_anchorNode))
         return (atStartOfNode() || atEndOfNode()) && !Position::nodeIsUserSelectNone(m_anchorNode->parentNode());
 
-    if (!is<HTMLHtmlElement>(*m_anchorNode) && is<RenderBlockFlow>(*renderer)) {
-        RenderBlockFlow& block = downcast<RenderBlockFlow>(*renderer);
+    if (!is<HTMLHtmlElement>(*m_anchorNode) && (is<RenderBlockFlow>(*renderer) || is<RenderGrid>(*renderer) || is<RenderFlexibleBox>(*renderer))) {
+        auto& block = downcast<RenderBlock>(*renderer);
         if (block.logicalHeight() || is<HTMLBodyElement>(*m_anchorNode)) {
             if (!Position::hasRenderedNonAnonymousDescendantsWithHeight(block))
                 return atStartOfNode() && !Position::nodeIsUserSelectNone(m_anchorNode);
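Review bot: the new condition `is<RenderBlockFlow>(*renderer) || is<RenderGrid>(*renderer) || is<RenderFlexibleBox>(*renderer)` duplicates, by hand, the predicate that the ChangeLog says already lives in `Position::isCandidate` (added there in r179944 and r180050), and this bug exists precisely because the two copies diverged. Prefer pulling the check into one shared helper (for example a static predicate on `Position` that both `Position::isCandidate` and `PositionIterator::isCandidate` call) so the next renderer type added to one site cannot be forgotten at the other; failing that, add a comment at this line pointing at the `Position::isCandidate` counterpart. The loosened `downcast<RenderBlock>` is correct for all three types, but the variable name `block` and the subsequent `logicalHeight()` / `hasRenderedNonAnonymousDescendantsWithHeight(block)` calls now run on grid and flex containers too, which is worth stating in the ChangeLog as the intended behavioural change rather than only "Handle flexbox and grid".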
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
