Skip to site navigation (Press enter)

[webkit-changes] [289736] trunk

commit-queue Mon, 14 Feb 2022 07:20:35 -0800

Title: [289736] trunk

Revision: 289736
Author: [email protected]
Date: 2022-02-14 07:19:44 -0800 (Mon, 14 Feb 2022)

Log Message

Nullptr crash in CompositeEditCommand::splitTreeToNode via InsertParagraphSeparatorCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=229283


Patch by Frédéric Wang <[email protected]> on 2022-02-14
Reviewed by Ryosuke Niwa.

Source/WebCore:

Position::upstream handles edge cases like tables specially which can lead to
InsertParagraphSeparatorCommand::doApply incorrectly expecting a next sibling after a text
node at last position in order to perform a split. This patch works around that by ignoring
the split in that case.

Test: editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash.html

* editing/InsertParagraphSeparatorCommand.cpp:
(WebCore::InsertParagraphSeparatorCommand::doApply): Only try and remove remaining nodes if
splitTo is not null. moveRemainingSiblingsToNewParent will be a no-op when n is null. Also
switch from raw pointers to RefPtr<Node>.

LayoutTests:

Add regression test.

* editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash-expected.txt: Added.
* editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp

Added Paths

trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash-expected.txt
trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (289735 => 289736)


--- trunk/LayoutTests/ChangeLog	2022-02-14 14:42:22 UTC (rev 289735)
+++ trunk/LayoutTests/ChangeLog	2022-02-14 15:19:44 UTC (rev 289736)
@@ -1,3 +1,15 @@
+2022-02-14  Frédéric Wang  <[email protected]>
+
+        Nullptr crash in CompositeEditCommand::splitTreeToNode via InsertParagraphSeparatorCommand::doApply
+        https://bugs.webkit.org/show_bug.cgi?id=229283
+
+        Reviewed by Ryosuke Niwa.
+
+        Add regression test.
+
+        * editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash-expected.txt: Added.
+        * editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash.html: Added.
+
 2022-02-14  Antoine Quint  <[email protected]>
 
         [model] refactor model document tests to use a shared testing function

Added: trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash-expected.txt (0 => 289736)


--- trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash-expected.txt	2022-02-14 15:19:44 UTC (rev 289736)
@@ -0,0 +1 @@
+This test passes if it does not crash.

Added: trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash.html (0 => 289736)


--- trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash.html	2022-02-14 15:19:44 UTC (rev 289736)
@@ -0,0 +1,20 @@
+<style>
+  b {
+    display: inline-table;
+  }
+</style>
+<script>
+  _onload_ = () => {
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    document.designMode = 'on';
+    document.execCommand('SelectAll');
+    document.execCommand('InsertText', false, 'a');
+    document.execCommand('SelectAll');
+    document.execCommand('Bold');
+    document.execCommand('Copy');
+    document.execCommand('PasteAsQuotation');
+    document.execCommand('InsertParagraph');
+    document.body.innerHTML = 'This test passes if it does not crash.';
+  };
+</script>

Modified: trunk/Source/WebCore/ChangeLog (289735 => 289736)


--- trunk/Source/WebCore/ChangeLog	2022-02-14 14:42:22 UTC (rev 289735)
+++ trunk/Source/WebCore/ChangeLog	2022-02-14 15:19:44 UTC (rev 289736)
@@ -1,3 +1,22 @@
+2022-02-14  Frédéric Wang  <[email protected]>
+
+        Nullptr crash in CompositeEditCommand::splitTreeToNode via InsertParagraphSeparatorCommand::doApply
+        https://bugs.webkit.org/show_bug.cgi?id=229283
+
+        Reviewed by Ryosuke Niwa.
+
+        Position::upstream handles edge cases like tables specially which can lead to
+        InsertParagraphSeparatorCommand::doApply incorrectly expecting a next sibling after a text
+        node at last position in order to perform a split. This patch works around that by ignoring
+        the split in that case.
+
+        Test: editing/inserting/insert-paragraph-separator-with-inline-table-bold-crash.html
+
+        * editing/InsertParagraphSeparatorCommand.cpp:
+        (WebCore::InsertParagraphSeparatorCommand::doApply): Only try and remove remaining nodes if
+        splitTo is not null. moveRemainingSiblingsToNewParent will be a no-op when n is null. Also
+        switch from raw pointers to RefPtr<Node>.
+
 2022-02-14  Alan Bujtas  <[email protected]>
 
         [LFC][IFC] Fix fast/inline/hidpi-outline-auto-with-border-radius-vertical-rtl.html

Modified: trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp (289735 => 289736)


--- trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp	2022-02-14 14:42:22 UTC (rev 289735)
+++ trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp	2022-02-14 15:19:44 UTC (rev 289736)
@@ -390,23 +390,24 @@
 
     // Move the start node and the siblings of the start node.
     if (VisiblePosition(insertionPosition) != VisiblePosition(positionBeforeNode(blockToInsert.get()))) {
-        Node* n;
+        RefPtr<Node> n;
         if (insertionPosition.containerNode() == startBlock)
             n = insertionPosition.computeNodeAfterPosition();
         else {
-            Node* splitTo = insertionPosition.containerNode();
+            RefPtr<Node> splitTo = insertionPosition.containerNode();
             if (is<Text>(*splitTo) && insertionPosition.offsetInContainerNode() >= caretMaxOffset(*splitTo))
                 splitTo = NodeTraversal::next(*splitTo, startBlock.get());
-            ASSERT(splitTo);
-            splitTreeToNode(*splitTo, *startBlock);
+            if (splitTo) {
+                splitTreeToNode(*splitTo, *startBlock);
 
-            for (n = startBlock->firstChild(); n; n = n->nextSibling()) {
-                if (VisiblePosition(insertionPosition) <= VisiblePosition(positionBeforeNode(n)))
-                    break;
+                for (n = startBlock->firstChild(); n; n = n->nextSibling()) {
+                    if (VisiblePosition(insertionPosition) <= VisiblePosition(positionBeforeNode(n.get())))
+                        break;
+                }
             }
         }
 
-        moveRemainingSiblingsToNewParent(n, blockToInsert.get(), *blockToInsert);
+        moveRemainingSiblingsToNewParent(n.get(), blockToInsert.get(), *blockToInsert);
     }            
 
     // Handle whitespace that occurs after the split

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes