Diff
Modified: trunk/LayoutTests/ChangeLog (281794 => 281795)
--- trunk/LayoutTests/ChangeLog 2021-08-31 08:11:32 UTC (rev 281794)
+++ trunk/LayoutTests/ChangeLog 2021-08-31 08:39:52 UTC (rev 281795)
@@ -1,3 +1,13 @@
+2021-08-31 Rob Buis <[email protected]>
+
+ Nullptr crash in TypingCommand::willAddTypingToOpenCommand via TypingCommand::deleteKeyPressed
+ https://bugs.webkit.org/show_bug.cgi?id=229277
+
+ Reviewed by Ryosuke Niwa.
+
+ * editing/deleting/delete-key-crash-expected.txt: Added.
+ * editing/deleting/delete-key-crash.html: Added.
+
2021-08-31 Kimmo Kinnunen <[email protected]>
webgl/1.0.x/conformance/glsl/misc/fragcolor-fragdata-invariant.html fails
Added: trunk/LayoutTests/editing/deleting/delete-key-crash-expected.txt (0 => 281795)
--- trunk/LayoutTests/editing/deleting/delete-key-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-key-crash-expected.txt 2021-08-31 08:39:52 UTC (rev 281795)
@@ -0,0 +1 @@
+Test passes if it does not crash.
Added: trunk/LayoutTests/editing/deleting/delete-key-crash.html (0 => 281795)
--- trunk/LayoutTests/editing/deleting/delete-key-crash.html (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-key-crash.html 2021-08-31 08:39:52 UTC (rev 281795)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<style>
+ html {
+ display: table;
+ }
+</style>
+<script>
+ if (window.testRunner)
+ window.testRunner.dumpAsText();
+ _onload_ = () => {
+ document.designMode = 'on';
+ getSelection().selectAllChildren(document.body);
+ document.execCommand('InsertNestedUnorderedList');
+ document.body.append(document.createElement('div'));
+ document.body.innerHTML += '';
+ document.execCommand('Delete');
+ document.write("Test passes if it does not crash.");
+ };
+</script>
+<body>
+</body>
Modified: trunk/Source/WebCore/ChangeLog (281794 => 281795)
--- trunk/Source/WebCore/ChangeLog 2021-08-31 08:11:32 UTC (rev 281794)
+++ trunk/Source/WebCore/ChangeLog 2021-08-31 08:39:52 UTC (rev 281795)
@@ -1,3 +1,21 @@
+2021-08-31 Rob Buis <[email protected]>
+
+ Nullptr crash in TypingCommand::willAddTypingToOpenCommand via TypingCommand::deleteKeyPressed
+ https://bugs.webkit.org/show_bug.cgi?id=229277
+
+ Reviewed by Ryosuke Niwa.
+
+ Rewtite CompositeEditCommand::shouldBreakOutOfEmptyListItem() to return just VisibleSelection
+ and check that it is not none in TypingCommand::willAddTypingToOpenCommand.
+
+ Test: editing/deleting/delete-key-crash.html
+
+ * editing/CompositeEditCommand.cpp:
+ (WebCore::CompositeEditCommand::moveParagraphs):
+ * editing/CompositeEditCommand.h:
+ * editing/TypingCommand.cpp:
+ (WebCore::TypingCommand::deleteKeyPressed):
+
2021-08-31 Ryosuke Niwa <[email protected]>
Re-generalize top layer element concept
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (281794 => 281795)
--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2021-08-31 08:11:32 UTC (rev 281794)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2021-08-31 08:39:52 UTC (rev 281795)
@@ -1545,11 +1545,11 @@
}
}
-std::optional<VisibleSelection> CompositeEditCommand::shouldBreakOutOfEmptyListItem() const
+VisibleSelection CompositeEditCommand::shouldBreakOutOfEmptyListItem() const
{
auto emptyListItem = enclosingEmptyListItem(endingSelection().visibleStart());
if (!emptyListItem)
- return std::nullopt;
+ return { };
auto listNode = emptyListItem->parentNode();
// FIXME: Can't we do something better when the immediate parent wasn't a list node?
@@ -1557,7 +1557,7 @@
|| (!listNode->hasTagName(ulTag) && !listNode->hasTagName(olTag))
|| !listNode->hasEditableStyle()
|| listNode == emptyListItem->rootEditableElement())
- return std::nullopt;
+ return { };
return VisibleSelection(endingSelection().start().previous(BackwardDeletion), endingSelection().end());
}
@@ -1565,7 +1565,7 @@
// FIXME: Send an appropriate shouldDeleteRange call.
bool CompositeEditCommand::breakOutOfEmptyListItem()
{
- if (!shouldBreakOutOfEmptyListItem())
+ if (shouldBreakOutOfEmptyListItem().isNone())
return false;
auto emptyListItem = enclosingEmptyListItem(endingSelection().visibleStart());
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.h (281794 => 281795)
--- trunk/Source/WebCore/editing/CompositeEditCommand.h 2021-08-31 08:11:32 UTC (rev 281794)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.h 2021-08-31 08:39:52 UTC (rev 281795)
@@ -206,7 +206,7 @@
void cloneParagraphUnderNewElement(const Position& start, const Position& end, Node* outerNode, Element* blockElement);
void cleanupAfterDeletion(VisiblePosition destination = VisiblePosition());
- std::optional<VisibleSelection> shouldBreakOutOfEmptyListItem() const;
+ VisibleSelection shouldBreakOutOfEmptyListItem() const;
bool breakOutOfEmptyListItem();
bool breakOutOfEmptyMailBlockquotedParagraph();
Modified: trunk/Source/WebCore/editing/TypingCommand.cpp (281794 => 281795)
--- trunk/Source/WebCore/editing/TypingCommand.cpp 2021-08-31 08:11:32 UTC (rev 281794)
+++ trunk/Source/WebCore/editing/TypingCommand.cpp 2021-08-31 08:39:52 UTC (rev 281795)
@@ -662,8 +662,8 @@
const Node* enclosingTableCellForPreviousPosition = enclosingNodeOfType(previousPosition.deepEquivalent(), &isTableCell);
if (previousPosition.isNull() || enclosingTableCell != enclosingTableCellForPreviousPosition) {
// When the caret is at the start of the editable area in an empty list item, break out of the list item.
- if (auto deleteListSelection = shouldBreakOutOfEmptyListItem()) {
- if (willAddTypingToOpenCommand(DeleteKey, granularity, { }, *deleteListSelection.value().firstRange())) {
+ if (auto deleteListSelection = shouldBreakOutOfEmptyListItem(); !deleteListSelection.isNone()) {
+ if (willAddTypingToOpenCommand(DeleteKey, granularity, { }, deleteListSelection.firstRange())) {
breakOutOfEmptyListItem();
typingAddedToOpenCommand(DeleteKey);
}
