[webkit-changes] [263564] trunk
Title: [263564] trunk
Revision 263564
Author shihchieh_...@apple.com
Date 2020-06-26 09:44:31 -0700 (Fri, 26 Jun 2020)
Log Message
ASSERTION FAILED: (it != m_map.end()) in TreeScopeOrderedMap::remove
https://bugs.webkit.org/show_bug.cgi?id=213611
Reviewed by Geoffrey Garen.
Source/WebCore:
In function HTMLImageElement::parseAttribute(), empty name attribute is considered valid
which makes the function skip handling of subsequent name changes. Modified the check of
name attribute so only non-empty name is considered valid. This code change is to match
.
Test: fast/images/img-change-name-assert.html
* html/HTMLImageElement.cpp:
(WebCore::HTMLImageElement::parseAttribute):
LayoutTests:
Added a regression test for the crash.
* fast/images/img-change-name-assert-expected.txt: Added.
* fast/images/img-change-name-assert.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/html/HTMLImageElement.cpp
Added Paths
trunk/LayoutTests/fast/images/img-change-name-assert-expected.txt
trunk/LayoutTests/fast/images/img-change-name-assert.html
Diff
Modified: trunk/LayoutTests/ChangeLog (263563 => 263564)
--- trunk/LayoutTests/ChangeLog 2020-06-26 16:41:15 UTC (rev 263563)
+++ trunk/LayoutTests/ChangeLog 2020-06-26 16:44:31 UTC (rev 263564)
@@ -1,3 +1,16 @@
+2020-06-26 Jack Lee
+
+ASSERTION FAILED: (it != m_map.end()) in TreeScopeOrderedMap::remove
+https://bugs.webkit.org/show_bug.cgi?id=213611
+
+
+Reviewed by Geoffrey Garen.
+
+Added a regression test for the crash.
+
+* fast/images/img-change-name-assert-expected.txt: Added.
+* fast/images/img-change-name-assert.html: Added.
+
2020-06-26 Karl Rackler
Remove expectation for http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html and http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html as they are passing.
Added: trunk/LayoutTests/fast/images/img-change-name-assert-expected.txt (0 => 263564)
--- trunk/LayoutTests/fast/images/img-change-name-assert-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/images/img-change-name-assert-expected.txt 2020-06-26 16:44:31 UTC (rev 263564)
@@ -0,0 +1 @@
+"Tests changing name of an image element. The test passes if WebKit doesn't crash or hit an ssertion."
Added: trunk/LayoutTests/fast/images/img-change-name-assert.html (0 => 263564)
--- trunk/LayoutTests/fast/images/img-change-name-assert.html (rev 0)
+++ trunk/LayoutTests/fast/images/img-change-name-assert.html 2020-06-26 16:44:31 UTC (rev 263564)
@@ -0,0 +1,8 @@
+"Tests changing name of an image element. The test passes if WebKit doesn't crash or hit an ssertion."
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+img.name = "new name";
+img.remove();
+
Modified: trunk/Source/WebCore/ChangeLog (263563 => 263564)
--- trunk/Source/WebCore/ChangeLog 2020-06-26 16:41:15 UTC (rev 263563)
+++ trunk/Source/WebCore/ChangeLog 2020-06-26 16:44:31 UTC (rev 263564)
@@ -1,3 +1,21 @@
+2020-06-26 Jack Lee
+
+ASSERTION FAILED: (it != m_map.end()) in TreeScopeOrderedMap::remove
+https://bugs.webkit.org/show_bug.cgi?id=213611
+
+
+Reviewed by Geoffrey Garen.
+
+In function HTMLImageElement::parseAttribute(), empty name attribute is considered valid
+which makes the function skip handling of subsequent name changes. Modified the check of
+name attribute so only non-empty name is considered valid. This code change is to match
+.
+
+Test: fast/images/img-change-name-assert.html
+
+* html/HTMLImageElement.cpp:
+(WebCore::HTMLImageElement::parseAttribute):
+
2020-06-26 Sihui Liu
Text manipulation should observe adjacent elements with new renderer together
Modified: trunk/Source/WebCore/html/HTMLImageElement.cpp (263563 => 263564)
--- trunk/Source/WebCore/html/HTMLImageElement.cpp 2020-06-26 16:41:15 UTC (rev 263563)
+++ trunk/Source/WebCore/html/HTMLImageElement.cpp 2020-06-26 16:44:31 UTC (rev 263564)
@@ -295,7 +295,7 @@
loadDeferredImage();
} else {
if (name == nameAttr) {
-bool willHaveName = !value.isNull();
+bool willHaveName = !value.isEmpty();
if (m_hadNameBeforeAttributeChanged != willHaveName && isConnected() && !isInShadowTree() && is(document())) {
HTMLDocument& document = downcast(this->document());
const AtomString& id = getIdAttribute();
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [262593] trunk
Title: [262593] trunk
Revision 262593
Author shihchieh_...@apple.com
Date 2020-06-04 20:37:14 -0700 (Thu, 04 Jun 2020)
Log Message
Nullptr crash in DeleteSelectionCommand::doApply() when ending position is disconnected.
https://bugs.webkit.org/show_bug.cgi?id=212723
Reviewed by Geoffrey Garen.
Source/WebCore:
In this test case, while merging paragraphs after deleting a text element, we need call removeNodeAndPruneAncestors()
to remove a BR node. However, the ancestor of BR is also removed. Later we try to insert a node at the parent of the
removed ancestor in function DeleteSelectionCommand::doApply().
For now we just check the parentless inserting position and bail out. The proper fix should be re-designing
removeNodeAndPruneAncestors() or select a different inserting position after removeNodeAndPruneAncestors() is called.
Test: editing/deleting/delete-txt-in-dl-crash.html
* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::doApply):
LayoutTests:
Added a regression test for the crash.
* editing/deleting/delete-txt-in-dl-crash-expected.txt: Added.
* editing/deleting/delete-txt-in-dl-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp
Added Paths
trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash-expected.txt
trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (262592 => 262593)
--- trunk/LayoutTests/ChangeLog 2020-06-05 03:28:46 UTC (rev 262592)
+++ trunk/LayoutTests/ChangeLog 2020-06-05 03:37:14 UTC (rev 262593)
@@ -1,3 +1,16 @@
+2020-06-04 Jack Lee
+
+Nullptr crash in DeleteSelectionCommand::doApply() when ending position is disconnected.
+https://bugs.webkit.org/show_bug.cgi?id=212723
+
+
+Reviewed by Geoffrey Garen.
+
+Added a regression test for the crash.
+
+* editing/deleting/delete-txt-in-dl-crash-expected.txt: Added.
+* editing/deleting/delete-txt-in-dl-crash.html: Added.
+
2020-06-04 Simon Fraser
[ Mojave wk2 Debug ] fast/scrolling/mac/scrollbars/select-overlay-scrollbar-hovered.html is flaky failing and flaky timing out.
Added: trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash-expected.txt (0 => 262593)
--- trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash-expected.txt 2020-06-05 03:37:14 UTC (rev 262593)
@@ -0,0 +1 @@
+Tests deleting text in description list. The test passes if WebKit doesn't crash or hit an ssertion.
Added: trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash.html (0 => 262593)
--- trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash.html (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash.html 2020-06-05 03:37:14 UTC (rev 262593)
@@ -0,0 +1,10 @@
+
+a
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+window.getSelection().setPosition(dt);
+document.execCommand("delete", false);
+document.body.innerText = "Tests deleting text in description list. The test passes if WebKit doesn't crash or hit an ssertion.";
+
Modified: trunk/Source/WebCore/ChangeLog (262592 => 262593)
--- trunk/Source/WebCore/ChangeLog 2020-06-05 03:28:46 UTC (rev 262592)
+++ trunk/Source/WebCore/ChangeLog 2020-06-05 03:37:14 UTC (rev 262593)
@@ -1,3 +1,23 @@
+2020-06-04 Jack Lee
+
+Nullptr crash in DeleteSelectionCommand::doApply() when ending position is disconnected.
+https://bugs.webkit.org/show_bug.cgi?id=212723
+
+
+Reviewed by Geoffrey Garen.
+
+In this test case, while merging paragraphs after deleting a text element, we need call removeNodeAndPruneAncestors()
+to remove a BR node. However, the ancestor of BR is also removed. Later we try to insert a node at the parent of the
+removed ancestor in function DeleteSelectionCommand::doApply().
+
+For now we just check the parentless inserting position and bail out. The proper fix should be re-designing
+removeNodeAndPruneAncestors() or select a different inserting position after removeNodeAndPruneAncestors() is called.
+
+Test: editing/deleting/delete-txt-in-dl-crash.html
+
+* editing/DeleteSelectionCommand.cpp:
+(WebCore::DeleteSelectionCommand::doApply):
+
2020-06-04 Ross Kirsling
[PlayStation] Unreviewed revert of build fix. Missing include was not the cause.
Modified: trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp (262592 => 262593)
--- trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2020-06-05 03:28:46 UTC (rev 262592)
+++ trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2020-06-05 03:37:14 UTC (rev 262593)
@@ -943,6 +943,13 @@
if (m_needPlaceholder) {
if (m_sanitizeMarkup)
removeRedundantBlocks();
[webkit-changes] [262103] trunk/Source/WebCore
Title: [262103] trunk/Source/WebCore
Revision 262103
Author shihchieh_...@apple.com
Date 2020-05-23 13:13:57 -0700 (Sat, 23 May 2020)
Log Message
ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder
https://bugs.webkit.org/show_bug.cgi?id=212163
Unreviewed. Improve readability. Replace comments with curly brackets for scoping.
* dom/Document.cpp:
(WebCore::Document::updateRenderTree):
Modified Paths
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/dom/Document.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (262102 => 262103)
--- trunk/Source/WebCore/ChangeLog 2020-05-23 19:47:51 UTC (rev 262102)
+++ trunk/Source/WebCore/ChangeLog 2020-05-23 20:13:57 UTC (rev 262103)
@@ -1,3 +1,13 @@
+2020-05-23 Jack Lee
+
+ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder
+https://bugs.webkit.org/show_bug.cgi?id=212163
+
+Unreviewed. Improve readability. Replace comments with curly brackets for scoping.
+
+* dom/Document.cpp:
+(WebCore::Document::updateRenderTree):
+
2020-05-23 Zalan Bujtas
[LFC][TFC] Maximum constraint of a cell should never be smaller than the minimum width
Modified: trunk/Source/WebCore/dom/Document.cpp (262102 => 262103)
--- trunk/Source/WebCore/dom/Document.cpp 2020-05-23 19:47:51 UTC (rev 262102)
+++ trunk/Source/WebCore/dom/Document.cpp 2020-05-23 20:13:57 UTC (rev 262103)
@@ -1924,13 +1924,14 @@
{
ASSERT(!inRenderTreeUpdate());
-// NOTE: Preserve the order of definitions below so the destructors are called in proper sequence.
Style::PostResolutionCallbackDisabler callbackDisabler(*this);
-SetForScope inRenderTreeUpdate(m_inRenderTreeUpdate, true);
-RenderTreeUpdater updater(*this, callbackDisabler);
-// End of ordered definitions
-
-updater.commit(WTFMove(styleUpdate));
+{
+SetForScope inRenderTreeUpdate(m_inRenderTreeUpdate, true);
+{
+RenderTreeUpdater updater(*this, callbackDisabler);
+updater.commit(WTFMove(styleUpdate));
+}
+}
}
void Document::resolveStyle(ResolveStyleType type)
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [262095] trunk
Title: [262095] trunk
Revision 262095
Author shihchieh_...@apple.com
Date 2020-05-22 22:53:52 -0700 (Fri, 22 May 2020)
Log Message
ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder
https://bugs.webkit.org/show_bug.cgi?id=212163
Reviewed by Geoffrey Garen.
Source/WebCore:
Calling ~PostResolutionCallbackDisabler() before completing render tree updating and releasing RenderTreeBuilder
triggers this assertion. Therefore we added a utility function "updateRenderTree" in which PostResolutionCallback
is delayed until RenderTreeUpdater is released and m_inRenderTreeUpdate is cleared.
Test: fast/rendering/nested-render-tree-update-crash.html
* Headers.cmake:
* WebCore.xcodeproj/project.pbxproj:
* dom/Document.cpp:
(WebCore::Document::updateRenderTree):
(WebCore::Document::resolveStyle):
(WebCore::Document::updateTextRenderer):
* dom/Document.h:
* rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::RenderTreeUpdater):
(WebCore::RenderTreeUpdater::commit):
* rendering/updating/RenderTreeUpdater.h:
LayoutTests:
Added a regression test for the crash.
* fast/rendering/nested-render-tree-update-crash-expected.txt: Added.
* fast/rendering/nested-render-tree-update-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/Headers.cmake
trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj
trunk/Source/WebCore/dom/Document.cpp
trunk/Source/WebCore/dom/Document.h
trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp
trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.h
Added Paths
trunk/LayoutTests/fast/rendering/
trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash-expected.txt
trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (262094 => 262095)
--- trunk/LayoutTests/ChangeLog 2020-05-23 04:23:48 UTC (rev 262094)
+++ trunk/LayoutTests/ChangeLog 2020-05-23 05:53:52 UTC (rev 262095)
@@ -1,3 +1,16 @@
+2020-05-22 Jack Lee
+
+ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder
+https://bugs.webkit.org/show_bug.cgi?id=212163
+
+
+Reviewed by Geoffrey Garen.
+
+Added a regression test for the crash.
+
+* fast/rendering/nested-render-tree-update-crash-expected.txt: Added.
+* fast/rendering/nested-render-tree-update-crash.html: Added.
+
2020-05-22 Zalan Bujtas
Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when parent and beforeChild are siblings
Added: trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash-expected.txt (0 => 262095)
--- trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash-expected.txt 2020-05-23 05:53:52 UTC (rev 262095)
@@ -0,0 +1 @@
+Tests nested render tree update. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash.html (0 => 262095)
--- trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash.html (rev 0)
+++ trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash.html 2020-05-23 05:53:52 UTC (rev 262095)
@@ -0,0 +1,13 @@
+
+function run() {
+if (window.testRunner)
+testRunner.dumpAsText();
+
+obj = document.createElement("object");
+li.appendChild(obj);
+svg.currentScale = 0.99;
+obj.data = "" 82)
+ff.setAttribute("direction", "rtl");
+}
+
+
Modified: trunk/Source/WebCore/ChangeLog (262094 => 262095)
--- trunk/Source/WebCore/ChangeLog 2020-05-23 04:23:48 UTC (rev 262094)
+++ trunk/Source/WebCore/ChangeLog 2020-05-23 05:53:52 UTC (rev 262095)
@@ -1,3 +1,29 @@
+2020-05-22 Jack Lee
+
+ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder
+https://bugs.webkit.org/show_bug.cgi?id=212163
+
+
+Reviewed by Geoffrey Garen.
+
+Calling ~PostResolutionCallbackDisabler() before completing render tree updating and releasing RenderTreeBuilder
+triggers this assertion. Therefore we added a utility function "updateRenderTree" in which PostResolutionCallback
+is delayed until RenderTreeUpdater is released and m_inRenderTreeUpdate is cleared.
+
+Test: fast/rendering/nested-render-tree-update-crash.html
+
+* Headers.cmake:
+* WebCore.xcodeproj/project.pbxproj:
+* dom/Document.cpp:
+(WebCore::Document::updateRenderTree):
+(WebCore::Document::resolveStyle):
+(WebCore::Document::updateTextRenderer):
+* dom/Document.h:
+* rendering/updating/RenderTreeUpdater.cpp:
+(WebCore::RenderTreeUpdater::RenderTreeUpdater):
+(WebCore::RenderTreeUpdater::com
[webkit-changes] [261777] trunk
Title: [261777] trunk
Revision 261777
Author shihchieh_...@apple.com
Date 2020-05-15 21:09:51 -0700 (Fri, 15 May 2020)
Log Message
Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands.
https://bugs.webkit.org/show_bug.cgi?id=211964
Reviewed by Geoffrey Garen.
Source/WebCore:
Load event may fire in fixOrphanedListChild() and change the node tree. In doApplyForSingleParagraph check for
disconnected node returned by fixOrphanedListChild() and bail out.
Test: editing/inserting/nested-list-insertion-crash.html
* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::doApplyForSingleParagraph):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/nested-list-insertion-crash-expected.txt: Added.
* editing/inserting/nested-list-insertion-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/InsertListCommand.cpp
Added Paths
trunk/LayoutTests/editing/inserting/nested-list-insertion-crash-expected.txt
trunk/LayoutTests/editing/inserting/nested-list-insertion-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (261776 => 261777)
--- trunk/LayoutTests/ChangeLog 2020-05-16 03:45:59 UTC (rev 261776)
+++ trunk/LayoutTests/ChangeLog 2020-05-16 04:09:51 UTC (rev 261777)
@@ -1,3 +1,16 @@
+2020-05-15 Jack Lee
+
+Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands.
+https://bugs.webkit.org/show_bug.cgi?id=211964
+
+
+Reviewed by Geoffrey Garen.
+
+Added a regression test for the crash.
+
+* editing/inserting/nested-list-insertion-crash-expected.txt: Added.
+* editing/inserting/nested-list-insertion-crash.html: Added.
+
2020-05-15 Simon Fraser
REGRESSION (r249091): Can't click on a video in the second column of a paginated web view
Added: trunk/LayoutTests/editing/inserting/nested-list-insertion-crash-expected.txt (0 => 261777)
--- trunk/LayoutTests/editing/inserting/nested-list-insertion-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/nested-list-insertion-crash-expected.txt 2020-05-16 04:09:51 UTC (rev 261777)
@@ -0,0 +1,3 @@
+Test nested list insertion. The test passes if WebKit doesn't crash or hit an assertion.
+
+
Added: trunk/LayoutTests/editing/inserting/nested-list-insertion-crash.html (0 => 261777)
--- trunk/LayoutTests/editing/inserting/nested-list-insertion-crash.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/nested-list-insertion-crash.html 2020-05-16 04:09:51 UTC (rev 261777)
@@ -0,0 +1,10 @@
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+function run() {
+window.getSelection().setPosition(li,1);
+document.execCommand("insertUnorderedList", false);
+}
+
+Test nested list insertion. The test passes if WebKit doesn't crash or hit an assertion.
Modified: trunk/Source/WebCore/ChangeLog (261776 => 261777)
--- trunk/Source/WebCore/ChangeLog 2020-05-16 03:45:59 UTC (rev 261776)
+++ trunk/Source/WebCore/ChangeLog 2020-05-16 04:09:51 UTC (rev 261777)
@@ -1,3 +1,19 @@
+2020-05-15 Jack Lee
+
+Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands.
+https://bugs.webkit.org/show_bug.cgi?id=211964
+
+
+Reviewed by Geoffrey Garen.
+
+Load event may fire in fixOrphanedListChild() and change the node tree. In doApplyForSingleParagraph check for
+disconnected node returned by fixOrphanedListChild() and bail out.
+
+Test: editing/inserting/nested-list-insertion-crash.html
+
+* editing/InsertListCommand.cpp:
+(WebCore::InsertListCommand::doApplyForSingleParagraph):
+
2020-05-15 Alex Christensen
Use enum serialization instead of casting to/from uint32_t
Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (261776 => 261777)
--- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-05-16 03:45:59 UTC (rev 261776)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-05-16 04:09:51 UTC (rev 261777)
@@ -213,7 +213,7 @@
RefPtr listNode = enclosingList(listChildNode);
if (!listNode) {
RefPtr listElement = fixOrphanedListChild(*listChildNode);
-if (!listElement)
+if (!listElement || !listElement->isConnected())
return;
listNode = mergeWithNeighboringLists(*listElement);
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [261666] trunk
Title: [261666] trunk
Revision 261666
Author shihchieh_...@apple.com
Date 2020-05-13 17:45:45 -0700 (Wed, 13 May 2020)
Log Message
Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable
https://bugs.webkit.org/show_bug.cgi?id=211864
Reviewed by Geoffrey Garen.
Source/WebCore:
The position returned by positionAvoidingSpecialElementBoundary() is uneditable so we need to
check for uneditable insertion position and bail out before calling insertNodeAt to avoid assertion.
Test: editing/inserting/insert-img-uneditable-canonical-position-crash.html
* editing/InsertParagraphSeparatorCommand.cpp:
(WebCore::InsertParagraphSeparatorCommand::doApply):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt: Added.
* editing/inserting/insert-img-uneditable-canonical-position-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp
Added Paths
trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt
trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (261665 => 261666)
--- trunk/LayoutTests/ChangeLog 2020-05-14 00:35:40 UTC (rev 261665)
+++ trunk/LayoutTests/ChangeLog 2020-05-14 00:45:45 UTC (rev 261666)
@@ -1,5 +1,18 @@
2020-05-13 Jack Lee
+Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable
+https://bugs.webkit.org/show_bug.cgi?id=211864
+
+
+Reviewed by Geoffrey Garen.
+
+Added a regression test for the crash.
+
+* editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt: Added.
+* editing/inserting/insert-img-uneditable-canonical-position-crash.html: Added.
+
+2020-05-13 Jack Lee
+
Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
https://bugs.webkit.org/show_bug.cgi?id=211793
Added: trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt (0 => 261666)
--- trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt 2020-05-14 00:45:45 UTC (rev 261666)
@@ -0,0 +1 @@
+Tests inserting paragraph separator when an editable canonical position is not found. The test passes if WebKit doesn't crash or hit an ssertion.
Added: trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash.html (0 => 261666)
--- trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash.html 2020-05-14 00:45:45 UTC (rev 261666)
@@ -0,0 +1,10 @@
+
+
+if (window.testRunner)
+testRunner.dumpAsText();
+hr1.appendChild(span_copy);
+input.setSelectionRange(-1,67);
+hr2.appendChild(span_copy);
+document.execCommand("insertImage", "#foo");
+document.body.innerText = "Tests inserting paragraph separator when an editable canonical position is not found. The test passes if WebKit doesn't crash or hit an ssertion.";
+
Modified: trunk/Source/WebCore/ChangeLog (261665 => 261666)
--- trunk/Source/WebCore/ChangeLog 2020-05-14 00:35:40 UTC (rev 261665)
+++ trunk/Source/WebCore/ChangeLog 2020-05-14 00:45:45 UTC (rev 261666)
@@ -1,5 +1,21 @@
2020-05-13 Jack Lee
+Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable
+https://bugs.webkit.org/show_bug.cgi?id=211864
+
+
+Reviewed by Geoffrey Garen.
+
+The position returned by positionAvoidingSpecialElementBoundary() is uneditable so we need to
+check for uneditable insertion position and bail out before calling insertNodeAt to avoid assertion.
+
+Test: editing/inserting/insert-img-uneditable-canonical-position-crash.html
+
+* editing/InsertParagraphSeparatorCommand.cpp:
+(WebCore::InsertParagraphSeparatorCommand::doApply):
+
+2020-05-13 Jack Lee
+
Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
https://bugs.webkit.org/show_bug.cgi?id=211793
Modified: trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp (261665 => 261666)
--- trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp 2020-05-14 00:35:40 UTC (rev 261665)
+++ trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp 2020-05-14 00:45:45 UTC (rev 261666)
@@ -300,6 +300,10 @@
// it if visiblePos is at the start of a paragraph so that the
// content will move down a
[webkit-changes] [261664] trunk
Title: [261664] trunk
Revision 261664
Author shihchieh_...@apple.com
Date 2020-05-13 17:21:50 -0700 (Wed, 13 May 2020)
Log Message
Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
https://bugs.webkit.org/show_bug.cgi?id=211793
Reviewed by Geoffrey Garen.
Source/WebCore:
Check for disconnected merge destination and endingSelection() after mergeParagraph is
Called and bail out to avoid using corrupted positions for node insertion.
Test: editing/inserting/insert-text-merge-node-removed-crash.html
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::moveParagraphs):
* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::mergeParagraphs):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-text-merge-node-removed-crash-expected.txt: Added.
* editing/inserting/insert-text-merge-node-removed-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/CompositeEditCommand.cpp
trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp
Added Paths
trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash-expected.txt
trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (261663 => 261664)
--- trunk/LayoutTests/ChangeLog 2020-05-13 23:28:34 UTC (rev 261663)
+++ trunk/LayoutTests/ChangeLog 2020-05-14 00:21:50 UTC (rev 261664)
@@ -1,3 +1,16 @@
+2020-05-13 Jack Lee
+
+Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
+https://bugs.webkit.org/show_bug.cgi?id=211793
+
+
+Reviewed by Geoffrey Garen.
+
+Added a regression test for the crash.
+
+* editing/inserting/insert-text-merge-node-removed-crash-expected.txt: Added.
+* editing/inserting/insert-text-merge-node-removed-crash.html: Added.
+
2020-05-13 Said Abou-Hallawa
Enable the 'OutsideViewport' rAF throttling
Added: trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash-expected.txt (0 => 261664)
--- trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash-expected.txt 2020-05-14 00:21:50 UTC (rev 261664)
@@ -0,0 +1 @@
+Tests inserting text when merge node is removed. The test passes if WebKit doesn't crash or hit an ssertion.
Added: trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash.html (0 => 261664)
--- trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash.html 2020-05-14 00:21:50 UTC (rev 261664)
@@ -0,0 +1,9 @@
+
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+document.execCommand("selectAll", false);
+document.execCommand("insertText", "text");
+document.body.innerText = "Tests inserting text when merge node is removed. The test passes if WebKit doesn't crash or hit an ssertion.";
+
Modified: trunk/Source/WebCore/ChangeLog (261663 => 261664)
--- trunk/Source/WebCore/ChangeLog 2020-05-13 23:28:34 UTC (rev 261663)
+++ trunk/Source/WebCore/ChangeLog 2020-05-14 00:21:50 UTC (rev 261664)
@@ -1,3 +1,21 @@
+2020-05-13 Jack Lee
+
+Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
+https://bugs.webkit.org/show_bug.cgi?id=211793
+
+
+Reviewed by Geoffrey Garen.
+
+Check for disconnected merge destination and endingSelection() after mergeParagraph is
+Called and bail out to avoid using corrupted positions for node insertion.
+
+Test: editing/inserting/insert-text-merge-node-removed-crash.html
+
+* editing/CompositeEditCommand.cpp:
+(WebCore::CompositeEditCommand::moveParagraphs):
+* editing/DeleteSelectionCommand.cpp:
+(WebCore::DeleteSelectionCommand::mergeParagraphs):
+
2020-05-13 Said Abou-Hallawa
Re-enable 'OutsideViewport' rAF throttling
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (261663 => 261664)
--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-13 23:28:34 UTC (rev 261663)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-14 00:21:50 UTC (rev 261664)
@@ -1476,8 +1476,11 @@
ASSERT(destination.deepEquivalent().anchorNode()->isConnected());
cleanupAfterDeletion(destination);
-ASSERT(destination.deepEquivalent().anchorNode()->isConnected());
+// FIXME (Bug 211793): We should redesign cleanupAfterDeletion or find another destination when it is removed.
+if (!destination.deepEquivalent().anchorNode()->isConnected())
+return;
+
// Add a br if pruning an empty block level element caused a collapse. For example:
// foo^
// b
[webkit-changes] [261434] trunk
Title: [261434] trunk
Revision 261434
Author shihchieh_...@apple.com
Date 2020-05-09 01:07:27 -0700 (Sat, 09 May 2020)
Log Message
Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters
https://bugs.webkit.org/show_bug.cgi?id=211658
Reviewed by Ryosuke Niwa.
Source/WebCore:
Added check for null LegacyWebArchive in LegacyWebArchive::createFromSelection. Return nullptr when creation fails.
Test: webarchive/copy-surrogate-char-crash.html
* loader/archive/cf/LegacyWebArchive.cpp:
(WebCore::LegacyWebArchive::createFromSelection):
LayoutTests:
Added a regression test for the crash.
* webarchive/copy-surrogate-char-crash-expected.txt: Added.
* webarchive/copy-surrogate-char-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp
Added Paths
trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt
trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (261433 => 261434)
--- trunk/LayoutTests/ChangeLog 2020-05-09 07:00:41 UTC (rev 261433)
+++ trunk/LayoutTests/ChangeLog 2020-05-09 08:07:27 UTC (rev 261434)
@@ -1,3 +1,16 @@
+2020-05-09 Jack Lee
+
+Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters
+https://bugs.webkit.org/show_bug.cgi?id=211658
+
+
+Reviewed by Ryosuke Niwa.
+
+Added a regression test for the crash.
+
+* webarchive/copy-surrogate-char-crash-expected.txt: Added.
+* webarchive/copy-surrogate-char-crash.html: Added.
+
2020-05-08 Diego Pino Garcia
[GTK] Gardening, update expectations after revert of r261341 and r261392
Added: trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt (0 => 261434)
--- trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt 2020-05-09 08:07:27 UTC (rev 261434)
@@ -0,0 +1 @@
+"Tests copying selected range that contains surrogate characters. The test passes if WebKit doesn't crash or hit an ssertion."
Added: trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html (0 => 261434)
--- trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html (rev 0)
+++ trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html 2020-05-09 08:07:27 UTC (rev 261434)
@@ -0,0 +1,11 @@
+"Tests copying selected range that contains surrogate characters. The test passes if WebKit doesn't crash or hit an ssertion."
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+span.offsetParent.before(document.createElement("frameset"));
+span.prepend("\ud800");
+document.execCommand("selectAll", true);
+document.execCommand("copy", true);
+document.getElementById("span").remove();
+
Modified: trunk/Source/WebCore/ChangeLog (261433 => 261434)
--- trunk/Source/WebCore/ChangeLog 2020-05-09 07:00:41 UTC (rev 261433)
+++ trunk/Source/WebCore/ChangeLog 2020-05-09 08:07:27 UTC (rev 261434)
@@ -1,3 +1,18 @@
+2020-05-09 Jack Lee
+
+Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters
+https://bugs.webkit.org/show_bug.cgi?id=211658
+
+
+Reviewed by Ryosuke Niwa.
+
+Added check for null LegacyWebArchive in LegacyWebArchive::createFromSelection. Return nullptr when creation fails.
+
+Test: webarchive/copy-surrogate-char-crash.html
+
+* loader/archive/cf/LegacyWebArchive.cpp:
+(WebCore::LegacyWebArchive::createFromSelection):
+
2020-05-09 Tetsuharu Ohzeki
Fix wpt shadow-dom/slots-fallback-in-document.html
Modified: trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp (261433 => 261434)
--- trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp 2020-05-09 07:00:41 UTC (rev 261433)
+++ trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp 2020-05-09 08:07:27 UTC (rev 261434)
@@ -605,7 +605,9 @@
builder.append(serializePreservingVisualAppearance(frame->selection().selection(), ResolveURLs::No, serializeComposedTree, &nodeList));
auto archive = create(builder.toString(), *frame, nodeList, nullptr);
-
+if (!archive)
+return nullptr;
+
if (!document->isFrameSet())
return archive;
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [261338] trunk/Source/WebCore
Title: [261338] trunk/Source/WebCore Revision 261338 Author shihchieh_...@apple.com Date 2020-05-07 15:58:14 -0700 (Thu, 07 May 2020) Log Message In Document::willBeRemovedFromFrame, clear FrameSelection before Editor so the selection is removed. https://bugs.webkit.org/show_bug.cgi?id=211551 Reviewed by Geoffrey Garen. Covered by existing tests. * dom/Document.cpp: (WebCore::Document::willBeRemovedFromFrame): Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/dom/Document.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (261337 => 261338) --- trunk/Source/WebCore/ChangeLog 2020-05-07 21:48:13 UTC (rev 261337) +++ trunk/Source/WebCore/ChangeLog 2020-05-07 22:58:14 UTC (rev 261338) @@ -1,3 +1,15 @@ +2020-05-07 Jack Lee + +In Document::willBeRemovedFromFrame, clear FrameSelection before Editor so the selection is removed. +https://bugs.webkit.org/show_bug.cgi?id=211551 + +Reviewed by Geoffrey Garen. + +Covered by existing tests. + +* dom/Document.cpp: +(WebCore::Document::willBeRemovedFromFrame): + 2020-05-07 Antoine Quint [Web Animations] imported/w3c/web-platform-tests/web-animations/timing-model/timelines/update-and-send-events.html is a flaky failure Modified: trunk/Source/WebCore/dom/Document.cpp (261337 => 261338) --- trunk/Source/WebCore/dom/Document.cpp 2020-05-07 21:48:13 UTC (rev 261337) +++ trunk/Source/WebCore/dom/Document.cpp 2020-05-07 22:58:14 UTC (rev 261338) @@ -2596,8 +2596,8 @@ page()->updateIsPlayingMedia(HTMLMediaElementInvalidID); } +selection().willBeRemovedFromFrame(); editor().clear(); -selection().willBeRemovedFromFrame(); detachFromFrame(); #if ENABLE(CSS_PAINTING_API) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [261258] trunk
Title: [261258] trunk
Revision 261258
Author shihchieh_...@apple.com
Date 2020-05-06 16:16:14 -0700 (Wed, 06 May 2020)
Log Message
Nullptr crash in indentOutdentCommand::formatRange with asynchronous commands: indent and insert list.
https://bugs.webkit.org/show_bug.cgi?id=211466
Reviewed by Geoffrey Garen.
Source/WebCore:
Check for null outerBlock returned by splitTreeToNode and bail out.
Test: fast/editing/indent-then-insertUL-crash.html
* editing/IndentOutdentCommand.cpp:
(WebCore::IndentOutdentCommand::indentIntoBlockquote):
LayoutTests:
Added a regression test for the crash.
* fast/editing/indent-then-insertUL-crash-expected.txt: Added.
* fast/editing/indent-then-insertUL-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/IndentOutdentCommand.cpp
Added Paths
trunk/LayoutTests/fast/editing/indent-then-insertUL-crash-expected.txt
trunk/LayoutTests/fast/editing/indent-then-insertUL-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (261257 => 261258)
--- trunk/LayoutTests/ChangeLog 2020-05-06 23:01:06 UTC (rev 261257)
+++ trunk/LayoutTests/ChangeLog 2020-05-06 23:16:14 UTC (rev 261258)
@@ -1,5 +1,18 @@
2020-05-06 Jack Lee
+Nullptr crash in indentOutdentCommand::formatRange with asynchronous commands: indent and insert list.
+https://bugs.webkit.org/show_bug.cgi?id=211466
+
+
+Reviewed by Geoffrey Garen.
+
+Added a regression test for the crash.
+
+* fast/editing/indent-then-insertUL-crash-expected.txt: Added.
+* fast/editing/indent-then-insertUL-crash.html: Added.
+
+2020-05-06 Jack Lee
+
Nullptr crash in InsertListCommand::doApply with user-select:none elements
https://bugs.webkit.org/show_bug.cgi?id=211534
Added: trunk/LayoutTests/fast/editing/indent-then-insertUL-crash-expected.txt (0 => 261258)
--- trunk/LayoutTests/fast/editing/indent-then-insertUL-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/editing/indent-then-insertUL-crash-expected.txt 2020-05-06 23:16:14 UTC (rev 261258)
@@ -0,0 +1 @@
+Tests asynchronous indenting and list insertion commands. The test passes if WebKit doesn't crash or hit an ssertion.
Added: trunk/LayoutTests/fast/editing/indent-then-insertUL-crash.html (0 => 261258)
--- trunk/LayoutTests/fast/editing/indent-then-insertUL-crash.html (rev 0)
+++ trunk/LayoutTests/fast/editing/indent-then-insertUL-crash.html 2020-05-06 23:16:14 UTC (rev 261258)
@@ -0,0 +1,21 @@
+
+if (window.testRunner) {
+testRunner.dumpAsText();
+testRunner.waitUntilDone();
+}
+
+function run() {
+var iframe = document.createElement('iframe');
+iframe.setAttribute("onload", "iframeLoad()");
+select.appendChild(iframe);
+document.execCommand("indent", false);
+document.body.innerText = "Tests asynchronous indenting and list insertion commands. The test passes if WebKit doesn't crash or hit an ssertion.";
+if (window.testRunner)
+testRunner.notifyDone();
+}
+function iframeLoad() {
+document.execCommand("insertUnorderedList", false);
+window.getSelection().collapse(select);
+}
+
+ab
Modified: trunk/Source/WebCore/ChangeLog (261257 => 261258)
--- trunk/Source/WebCore/ChangeLog 2020-05-06 23:01:06 UTC (rev 261257)
+++ trunk/Source/WebCore/ChangeLog 2020-05-06 23:16:14 UTC (rev 261258)
@@ -1,3 +1,18 @@
+2020-05-06 Jack Lee
+
+Nullptr crash in indentOutdentCommand::formatRange with asynchronous commands: indent and insert list.
+https://bugs.webkit.org/show_bug.cgi?id=211466
+
+
+Reviewed by Geoffrey Garen.
+
+Check for null outerBlock returned by splitTreeToNode and bail out.
+
+Test: fast/editing/indent-then-insertUL-crash.html
+
+* editing/IndentOutdentCommand.cpp:
+(WebCore::IndentOutdentCommand::indentIntoBlockquote):
+
2020-05-06 Darin Adler
Make a helper for the pattern of ICU functions that may need to be called twice to populate a buffer
Modified: trunk/Source/WebCore/editing/IndentOutdentCommand.cpp (261257 => 261258)
--- trunk/Source/WebCore/editing/IndentOutdentCommand.cpp 2020-05-06 23:01:06 UTC (rev 261257)
+++ trunk/Source/WebCore/editing/IndentOutdentCommand.cpp 2020-05-06 23:16:14 UTC (rev 261258)
@@ -106,6 +106,8 @@
RefPtr nodeAfterStart = start.computeNodeAfterPosition();
RefPtr outerBlock = (start.containerNode() == nodeToSplitTo) ? start.containerNode() : splitTreeToNode(*start.containerNode(), *nodeToSplitTo);
+if (!outerBlock)
+return;
VisiblePosition startOfContents = start;
if (!targetBlockquote) {
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [261255] trunk
Title: [261255] trunk
Revision 261255
Author shihchieh_...@apple.com
Date 2020-05-06 15:55:30 -0700 (Wed, 06 May 2020)
Log Message
Nullptr crash in InsertListCommand::doApply with user-select:none elements
https://bugs.webkit.org/show_bug.cgi?id=211534
Reviewed by Geoffrey Garen.
Source/WebCore:
Check for empty position in InsertListCommand::doApply when searching for the start of
last paragraph in the selected range. Skip listifying individual paragraphs in the range.
Test: editing/inserting/insert-list-user-select-none-crash.html
* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::doApply):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-list-user-select-none-crash-expected.txt: Added.
* editing/inserting/insert-list-user-select-none-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/InsertListCommand.cpp
Added Paths
trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash-expected.txt
trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (261254 => 261255)
--- trunk/LayoutTests/ChangeLog 2020-05-06 22:54:22 UTC (rev 261254)
+++ trunk/LayoutTests/ChangeLog 2020-05-06 22:55:30 UTC (rev 261255)
@@ -1,3 +1,16 @@
+2020-05-06 Jack Lee
+
+Nullptr crash in InsertListCommand::doApply with user-select:none elements
+https://bugs.webkit.org/show_bug.cgi?id=211534
+
+
+Reviewed by Geoffrey Garen.
+
+Added a regression test for the crash.
+
+* editing/inserting/insert-list-user-select-none-crash-expected.txt: Added.
+* editing/inserting/insert-list-user-select-none-crash.html: Added.
+
2020-05-06 Ryan Haddad
Unreviewed, reverting r261239.
Added: trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash-expected.txt (0 => 261255)
--- trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash-expected.txt 2020-05-06 22:55:30 UTC (rev 261255)
@@ -0,0 +1 @@
+Tests inserting list in paragraphs that have userSelect:none elements. The test passes if WebKit doesn't crash or hit an ssertion.
Added: trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash.html (0 => 261255)
--- trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash.html 2020-05-06 22:55:30 UTC (rev 261255)
@@ -0,0 +1,14 @@
+
+span { -webkit-user-select: all; }
+a { -webkit-user-select: none; }
+
+a
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+body.appendChild(canvas);
+document.execCommand("selectAll", false);
+document.execCommand("insertOrderedList", false);
+document.body.innerText = "Tests inserting list in paragraphs that have userSelect:none elements. The test passes if WebKit doesn't crash or hit an ssertion.";
+
Modified: trunk/Source/WebCore/ChangeLog (261254 => 261255)
--- trunk/Source/WebCore/ChangeLog 2020-05-06 22:54:22 UTC (rev 261254)
+++ trunk/Source/WebCore/ChangeLog 2020-05-06 22:55:30 UTC (rev 261255)
@@ -1,3 +1,19 @@
+2020-05-06 Jack Lee
+
+Nullptr crash in InsertListCommand::doApply with user-select:none elements
+https://bugs.webkit.org/show_bug.cgi?id=211534
+
+
+Reviewed by Geoffrey Garen.
+
+Check for empty position in InsertListCommand::doApply when searching for the start of
+last paragraph in the selected range. Skip listifying individual paragraphs in the range.
+
+Test: editing/inserting/insert-list-user-select-none-crash.html
+
+* editing/InsertListCommand.cpp:
+(WebCore::InsertListCommand::doApply):
+
2020-05-06 Ryan Haddad
Unreviewed, reverting r261239.
Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (261254 => 261255)
--- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-05-06 22:54:22 UTC (rev 261254)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-05-06 22:55:30 UTC (rev 261255)
@@ -140,12 +140,12 @@
VisiblePosition endOfSelection = selection.visibleEnd();
VisiblePosition startOfLastParagraph = startOfParagraph(endOfSelection, CanSkipOverEditingBoundary);
-if (startOfParagraph(startOfSelection, CanSkipOverEditingBoundary) != startOfLastParagraph) {
+if (startOfLastParagraph.isNotNull() && startOfParagraph(startOfSelection, CanSkipOverEditingBoundary) != startOfLastParagraph) {
bool forceCreateList = !selectionHasListOfType(selection, listTag);
auto currentSelection = createLiveRange(endingSelection().firstRange());
VisiblePosition startOfCurrentParagraph = startOfSelection;
-
[webkit-changes] [261126] trunk
Title: [261126] trunk
Revision 261126
Author shihchieh_...@apple.com
Date 2020-05-04 16:55:06 -0700 (Mon, 04 May 2020)
Log Message
Nullptr crash in CompositeEditCommand::moveParagraphs when changing style on elements that are
user-select:none and dir:rtl.
https://bugs.webkit.org/show_bug.cgi?id=211206
Reviewed by Geoffrey Garen.
Source/WebCore:
In function moveParagraphs check if the destination is an empty position and
bail out before moving the paragraphs.
Test: fast/editing/justify-user-select-none-dir-rtl-crash.html
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::moveParagraphs):
LayoutTests:
Added a regression test for the crash.
* fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt: Added.
* fast/editing/justify-user-select-none-dir-rtl-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/CompositeEditCommand.cpp
Added Paths
trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt
trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (261125 => 261126)
--- trunk/LayoutTests/ChangeLog 2020-05-04 23:37:44 UTC (rev 261125)
+++ trunk/LayoutTests/ChangeLog 2020-05-04 23:55:06 UTC (rev 261126)
@@ -1,3 +1,17 @@
+2020-05-04 Jack Lee
+
+Nullptr crash in CompositeEditCommand::moveParagraphs when changing style on elements that are
+user-select:none and dir:rtl.
+https://bugs.webkit.org/show_bug.cgi?id=211206
+
+
+Reviewed by Geoffrey Garen.
+
+Added a regression test for the crash.
+
+* fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt: Added.
+* fast/editing/justify-user-select-none-dir-rtl-crash.html: Added.
+
2020-05-04 Jason Lawrence
[ iPadOS wk2 ] editing/selection/selection-change-in-mutation-event-by-remove-children.html is timing out.
Added: trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt (0 => 261126)
--- trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt 2020-05-04 23:55:06 UTC (rev 261126)
@@ -0,0 +1 @@
+Test editing a paragraph that is user-select:none and dir:rtl. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash.html (0 => 261126)
--- trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash.html (rev 0)
+++ trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash.html 2020-05-04 23:55:06 UTC (rev 261126)
@@ -0,0 +1,14 @@
+a
+
+if (window.testRunner) {
+testRunner.dumpAsText();
+testRunner.waitUntilDone();
+}
+
+window.getSelection().selectAllChildren(q);
+document.execCommand("justifyLeft", false);
+document.body.innerText = "Test editing a paragraph that is user-select:none and dir:rtl. The test passes if WebKit doesn't crash or hit an assertion.";
+
+if (window.testRunner)
+testRunner.notifyDone();
+
Modified: trunk/Source/WebCore/ChangeLog (261125 => 261126)
--- trunk/Source/WebCore/ChangeLog 2020-05-04 23:37:44 UTC (rev 261125)
+++ trunk/Source/WebCore/ChangeLog 2020-05-04 23:55:06 UTC (rev 261126)
@@ -1,3 +1,20 @@
+2020-05-04 Jack Lee
+
+Nullptr crash in CompositeEditCommand::moveParagraphs when changing style on elements that are
+user-select:none and dir:rtl.
+https://bugs.webkit.org/show_bug.cgi?id=211206
+
+
+Reviewed by Geoffrey Garen.
+
+In function moveParagraphs check if the destination is an empty position and
+bail out before moving the paragraphs.
+
+Test: fast/editing/justify-user-select-none-dir-rtl-crash.html
+
+* editing/CompositeEditCommand.cpp:
+(WebCore::CompositeEditCommand::moveParagraphs):
+
2020-05-04 Jiewen Tan
[WebAuthn] Implement +[_WKWebAuthenticationPanel clearAllLocalAuthenticatorCredentials]
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (261125 => 261126)
--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-04 23:37:44 UTC (rev 261125)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-04 23:55:06 UTC (rev 261126)
@@ -1398,7 +1398,7 @@
void CompositeEditCommand::moveParagraphs(const VisiblePosition& startOfParagraphToMove, const VisiblePosition& endOfParagraphToMove, const VisiblePosition& destination, bool preserveSelection, bool preserveStyle)
{
-if (startOfParagraphToMove == destination)
+if (destination.isNull() || startOfParagraphToMove == destination)
return;
Optional startIndex;
___
webkit-changes mailing list
webkit-changes@lists.webkit.o
[webkit-changes] [261032] trunk/Source/WebCore/ChangeLog
Title: [261032] trunk/Source/WebCore/ChangeLog Revision 261032 Author shihchieh_...@apple.com Date 2020-05-01 15:54:39 -0700 (Fri, 01 May 2020) Log Message Unreviewed, amend change log entry for r260831. * ChangeLog: Modified Paths trunk/Source/WebCore/ChangeLog Diff Modified: trunk/Source/WebCore/ChangeLog (261031 => 261032) --- trunk/Source/WebCore/ChangeLog 2020-05-01 22:30:06 UTC (rev 261031) +++ trunk/Source/WebCore/ChangeLog 2020-05-01 22:54:39 UTC (rev 261032) @@ -1,3 +1,9 @@ +2020-05-01 Jack Lee + +Unreviewed, amend change log entry for r260831. + +* ChangeLog: + 2020-05-01 Chris Dumez Unreviewed, another build fix after r260962. @@ -1978,15 +1984,14 @@ * dom/Document.cpp: (WebCore::m_selection): -(WebCore::Document::prepareForDestruction): +(WebCore::Document::willBeRemovedFromFrame): (WebCore::m_undoManager): Deleted. +(WebCore::Document::prepareForDestruction): Deleted. * dom/Document.h: (WebCore::Document::editor): (WebCore::Document::editor const): (WebCore::Document::selection): (WebCore::Document::selection const): -* dom/PositionIterator.cpp: -(WebCore::PositionIterator::isCandidate const): * editing/AlternativeTextController.cpp: (WebCore::AlternativeTextController::AlternativeTextController): (WebCore::AlternativeTextController::stopPendingCorrection): @@ -2116,11 +2121,10 @@ (WebCore::Editor::findString): (WebCore::Editor::countMatchesForText): (WebCore::Editor::respondToChangedSelection): -(WebCore::Editor::shouldDetectTelephoneNumbers): +(WebCore::Editor::shouldDetectTelephoneNumbers const): (WebCore::Editor::scanSelectionForTelephoneNumbers): (WebCore::Editor::editorUIUpdateTimerFired): (WebCore::Editor::selectionStartHasMarkerFor const): -(WebCore::candidateRangeForSelection): (WebCore::Editor::stringForCandidateRequest const): (WebCore::Editor::contextRangeForCandidateRequest const): (WebCore::Editor::fontAttributesAtSelectionStart const): @@ -2156,7 +2160,7 @@ (WebCore::FrameSelection::modifyMovingRight): (WebCore::FrameSelection::modifyMovingLeft): (WebCore::FrameSelection::modify): -(WebCore::FrameSelection::prepareForDestruction): +(WebCore::FrameSelection::willBeRemovedFromFrame): (WebCore::FrameSelection::absoluteCaretBounds): (WebCore::FrameSelection::recomputeCaretRect): (WebCore::FrameSelection::contains const): @@ -2179,6 +2183,7 @@ (WebCore::FrameSelection::updateAppearanceAfterLayoutOrStyleChange): (WebCore::FrameSelection::selectRangeOnElement): (WebCore::FrameSelection::setCaretBlinks): +(WebCore::FrameSelection::prepareForDestruction): Deleted. * editing/FrameSelection.h: * editing/InsertIntoTextNodeCommand.cpp: (WebCore::InsertIntoTextNodeCommand::doApply): @@ -2226,6 +2231,7 @@ * editing/TypingCommand.h: * editing/cocoa/EditorCocoa.mm: (WebCore::Editor::selectionInHTMLFormat): +(WebCore::selectionAsAttributedString): (WebCore::Editor::writeSelectionToPasteboard): (WebCore::Editor::writeSelection): (WebCore::Editor::selectionInWebArchiveFormat): @@ -2254,6 +2260,8 @@ * editing/win/EditorWin.cpp: (WebCore::Editor::pasteWithPasteboard): (WebCore::Editor::webContentFromPasteboard): +* history/CachedFrame.cpp: +(WebCore::CachedFrame::destroy): * loader/FrameLoader.cpp: (WebCore::FrameLoader::willTransitionToCommitted): (WebCore::FrameLoader::closeURL): @@ -2261,6 +2269,8 @@ (WebCore::FrameLoader::clear): * page/Frame.cpp: (WebCore::Frame::Frame): +(WebCore::Frame::setView): +(WebCore::Frame::setDocument): (WebCore::Frame::requestDOMPasteAccess): (WebCore::Frame::setPageAndTextZoomFactors): * page/Frame.h: ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [261019] trunk
Title: [261019] trunk
Revision 261019
Author shihchieh_...@apple.com
Date 2020-05-01 13:53:59 -0700 (Fri, 01 May 2020)
Log Message
Source/WebCore:
Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indent
and align a paragraph.
https://bugs.webkit.org/show_bug.cgi?id=211273
Reviewed by Geoffrey Garen.
A load event can fire when we clone and append a paragraph. Check if the elements
are removed in the event and bail out.
Test: fast/editing/indent-then-justifyFull-crash.html
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
LayoutTests:
Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indent
and align a paragraph.
https://bugs.webkit.org/show_bug.cgi?id=211273
Reviewed by Geoffrey Garen.
Added a regression test for the crash.
* fast/editing/indent-then-justifyFull-crash-expected.txt: Added.
* fast/editing/indent-then-justifyFull-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/CompositeEditCommand.cpp
Added Paths
trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash-expected.txt
trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (261018 => 261019)
--- trunk/LayoutTests/ChangeLog 2020-05-01 20:50:18 UTC (rev 261018)
+++ trunk/LayoutTests/ChangeLog 2020-05-01 20:53:59 UTC (rev 261019)
@@ -1,5 +1,19 @@
2020-05-01 Jack Lee
+Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indent
+and align a paragraph.
+https://bugs.webkit.org/show_bug.cgi?id=211273
+
+
+Reviewed by Geoffrey Garen.
+
+Added a regression test for the crash.
+
+* fast/editing/indent-then-justifyFull-crash-expected.txt: Added.
+* fast/editing/indent-then-justifyFull-crash.html: Added.
+
+2020-05-01 Jack Lee
+
Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode
https://bugs.webkit.org/show_bug.cgi?id=207600
Added: trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash-expected.txt (0 => 261019)
--- trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash-expected.txt 2020-05-01 20:53:59 UTC (rev 261019)
@@ -0,0 +1 @@
+Tests editing elements followed by other commands that remove those elements. The test passes if WebKit doesn't crash or hit an ssertion.
Added: trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash.html (0 => 261019)
--- trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash.html (rev 0)
+++ trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash.html 2020-05-01 20:53:59 UTC (rev 261019)
@@ -0,0 +1,20 @@
+
+if (window.testRunner) {
+testRunner.dumpAsText();
+testRunner.waitUntilDone();
+}
+
+function iframeOnload() {
+document.execCommand("justifyFull", false);
+CANVAS.toBlob(blob);
+}
+
+function blob() {
+document.execCommand("selectAll", false);
+document.execCommand("indent", false);
+document.body.innerText = "Tests editing elements followed by other commands that remove those elements. The test passes if WebKit doesn't crash or hit an ssertion.";
+if (window.testRunner)
+testRunner.notifyDone();
+}
+
+
Modified: trunk/Source/WebCore/ChangeLog (261018 => 261019)
--- trunk/Source/WebCore/ChangeLog 2020-05-01 20:50:18 UTC (rev 261018)
+++ trunk/Source/WebCore/ChangeLog 2020-05-01 20:53:59 UTC (rev 261019)
@@ -1,5 +1,22 @@
2020-05-01 Jack Lee
+Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indent
+and align a paragraph.
+https://bugs.webkit.org/show_bug.cgi?id=211273
+
+
+Reviewed by Geoffrey Garen.
+
+A load event can fire when we clone and append a paragraph. Check if the elements
+are removed in the event and bail out.
+
+Test: fast/editing/indent-then-justifyFull-crash.html
+
+* editing/CompositeEditCommand.cpp:
+(WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
+
+2020-05-01 Jack Lee
+
Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode
https://bugs.webkit.org/show_bug.cgi?id=207600
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (261018 => 261019)
--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-01 20:50:18 UTC (rev 261018)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-01 20:53:59 UTC (rev 261019)
@@ -1260,6 +1260,9 @@
}
}
+if (!start.deprecatedNode()->isConnected() || !end.deprecatedNode()->isConnected())
+return;
+
// Handle the case of paragraphs with more than one node,
// cloni
[webkit-changes] [261018] trunk
Title: [261018] trunk Revision 261018 Author shihchieh_...@apple.com Date 2020-05-01 13:50:18 -0700 (Fri, 01 May 2020) Log Message Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode https://bugs.webkit.org/show_bug.cgi?id=207600 Source/WebCore: Reviewed by Geoffrey Garen. Second part of the fix. Remove m_frame in FrameSelection so it will not be inadvertently used and cause this crash. No new tests, covered by existing test. * editing/AlternativeTextController.cpp: (WebCore::AlternativeTextController::rootViewRectForRange const): * editing/FrameSelection.cpp: (WebCore::FrameSelection::FrameSelection): (WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance): (WebCore::FrameSelection::modify): (WebCore::FrameSelection::selectFrameElementInParentIfFullySelected): (WebCore::FrameSelection::setFocusedElementIfNeeded): (WebCore::FrameSelection::shouldDeleteSelection const): (WebCore::FrameSelection::shouldDeleteSelection): (WebCore::FrameSelection::revealSelection): (WebCore::FrameSelection:: shouldChangeSelection): (WebCore::FrameSelection::shouldChangeSelection const): * editing/FrameSelection.h: * editing/atk/FrameSelectionAtk.cpp: (WebCore::FrameSelection::notifyAccessibilityForSelectionChange): * editing/mac/FrameSelectionMac.mm: (WebCore::FrameSelection::notifyAccessibilityForSelectionChange): LayoutTests: Reviewed by Geoffrey Garen. Reduce run time for this test case. * editing/inserting/insert-list-then-edit-command-crash.html: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/editing/inserting/insert-list-then-edit-command-crash.html trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/AlternativeTextController.cpp trunk/Source/WebCore/editing/FrameSelection.cpp trunk/Source/WebCore/editing/FrameSelection.h trunk/Source/WebCore/editing/atk/FrameSelectionAtk.cpp trunk/Source/WebCore/editing/mac/FrameSelectionMac.mm Diff Modified: trunk/LayoutTests/ChangeLog (261017 => 261018) --- trunk/LayoutTests/ChangeLog 2020-05-01 20:46:38 UTC (rev 261017) +++ trunk/LayoutTests/ChangeLog 2020-05-01 20:50:18 UTC (rev 261018) @@ -1,3 +1,14 @@ +2020-05-01 Jack Lee + +Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode +https://bugs.webkit.org/show_bug.cgi?id=207600 + +Reviewed by Geoffrey Garen. + +Reduce run time for this test case. + +* editing/inserting/insert-list-then-edit-command-crash.html: + 2020-05-01 Eric Carlson [MSE] Audio session category is sometimes not set correctly after changing video source Modified: trunk/LayoutTests/editing/inserting/insert-list-then-edit-command-crash.html (261017 => 261018) --- trunk/LayoutTests/editing/inserting/insert-list-then-edit-command-crash.html 2020-05-01 20:46:38 UTC (rev 261017) +++ trunk/LayoutTests/editing/inserting/insert-list-then-edit-command-crash.html 2020-05-01 20:50:18 UTC (rev 261018) @@ -1,19 +1,17 @@ -a +text-document.getSelection().empty(); -document.execCommand("selectAll", false);if (window.testRunner) { testRunner.dumpAsText(); testRunner.waitUntilDone(); } +document.getSelection().empty(); +document.execCommand("selectAll", false); + function objectOnLoad() { document.execCommand("insertUnorderedList", false); document.execCommand("italic", false);-requestAnimationFrame(function () { -document.body.innerHTML = "+document.body.innerHTML = "Tests inserting list followed by an edit command. The test passes if WebKit doesn't crash or hit an assertion.
"; -if (window.testRunner) -testRunner.notifyDone(); -});Tests inserting list followed by an edit command. The test passes if WebKit doesn't crash or hit an assertion.
"; +testRunner.notifyDone(); } Modified: trunk/Source/WebCore/ChangeLog (261017 => 261018) --- trunk/Source/WebCore/ChangeLog 2020-05-01 20:46:38 UTC (rev 261017) +++ trunk/Source/WebCore/ChangeLog 2020-05-01 20:50:18 UTC (rev 261018) @@ -1,3 +1,35 @@ +2020-05-01 Jack Lee + +Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode +https://bugs.webkit.org/show_bug.cgi?id=207600 + + +Reviewed by Geoffrey Garen. + +Second part of the fix. Remove m_frame in FrameSelection so it will not be +inadvertently used and cause this crash. + +No new tests, covered by existing test. + +* editing/AlternativeTextController.cpp: +(WebCore::AlternativeTextController::rootViewRectForRange const): +* editing/FrameSelection.cpp: +(WebCore::
[webkit-changes] [260207] trunk
Title: [260207] trunk
Revision 260207
Author shihchieh_...@apple.com
Date 2020-04-16 11:42:36 -0700 (Thu, 16 Apr 2020)
Log Message
ASSERTION FAILED: candidate.isCandidate() in WebCore::canonicalizeCandidate
https://bugs.webkit.org/show_bug.cgi?id=130844
Reviewed by Geoffrey Garen.
Source/WebCore:
Call Position::isCandidate() in PositionIterator::isCandidate so behavior of
candidate search become identical in both classes.
Test: editing/inserting/insert-in-br.html
* dom/PositionIterator.cpp:
(WebCore::PositionIterator::isCandidate const):
LayoutTests:
* editing/inserting/insert-in-br-expected.txt: Added.
* editing/inserting/insert-in-br.html: Added.
Added a regression test for the crash.
* editing/inserting/insert-list-in-table-cell-07-expected.txt:
Update node tree in expected text file due to behavior change in function
PositionIterator::isCandidate. The visual result remains the same.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/LayoutTests/editing/inserting/insert-list-in-table-cell-07-expected.txt
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/dom/PositionIterator.cpp
Added Paths
trunk/LayoutTests/editing/inserting/insert-in-br-expected.txt
trunk/LayoutTests/editing/inserting/insert-in-br.html
Diff
Modified: trunk/LayoutTests/ChangeLog (260206 => 260207)
--- trunk/LayoutTests/ChangeLog 2020-04-16 18:38:22 UTC (rev 260206)
+++ trunk/LayoutTests/ChangeLog 2020-04-16 18:42:36 UTC (rev 260207)
@@ -1,3 +1,19 @@
+2020-04-16 Jack Lee
+
+ASSERTION FAILED: candidate.isCandidate() in WebCore::canonicalizeCandidate
+https://bugs.webkit.org/show_bug.cgi?id=130844
+
+
+Reviewed by Geoffrey Garen.
+
+* editing/inserting/insert-in-br-expected.txt: Added.
+* editing/inserting/insert-in-br.html: Added.
+Added a regression test for the crash.
+
+* editing/inserting/insert-list-in-table-cell-07-expected.txt:
+Update node tree in expected text file due to behavior change in function
+PositionIterator::isCandidate. The visual result remains the same.
+
2020-04-16 Chris Fleizach
AX: Need method for setting selected range from NSRange
Added: trunk/LayoutTests/editing/inserting/insert-in-br-expected.txt (0 => 260207)
--- trunk/LayoutTests/editing/inserting/insert-in-br-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-in-br-expected.txt 2020-04-16 18:42:36 UTC (rev 260207)
@@ -0,0 +1 @@
+Tests inserting elements in br. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/editing/inserting/insert-in-br.html (0 => 260207)
--- trunk/LayoutTests/editing/inserting/insert-in-br.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-in-br.html 2020-04-16 18:42:36 UTC (rev 260207)
@@ -0,0 +1,10 @@
+
+
+var parent = document.getElementById('id_0')
+parent.appendChild(document.createElement('svg_desc'))
+parent = document.getElementById('id_1')
+parent.focus()
+document.body.innerText = "Tests inserting elements in br. The test passes if WebKit doesn't crash or hit an assertion.";
+if (window.testRunner)
+testRunner.dumpAsText();
+
Modified: trunk/LayoutTests/editing/inserting/insert-list-in-table-cell-07-expected.txt (260206 => 260207)
--- trunk/LayoutTests/editing/inserting/insert-list-in-table-cell-07-expected.txt 2020-04-16 18:38:22 UTC (rev 260206)
+++ trunk/LayoutTests/editing/inserting/insert-list-in-table-cell-07-expected.txt 2020-04-16 18:42:36 UTC (rev 260207)
@@ -1,6 +1,7 @@
Exec insertOrderedList twice in all the cells of a table removes the previously inserted list items:
Before:
+| <#selection-focus>
|
| border="1"
|
@@ -7,7 +8,8 @@
| id="element"
|
|
-| "<#selection-anchor>fsdf"
+| <#selection-anchor>
+| "fsdf"
|
| "fsdf"
|
@@ -16,9 +18,9 @@
|
| "fsfg"
|
-| <#selection-focus>
After:
+| <#selection-caret>
|
| border="1"
|
@@ -25,16 +27,11 @@
| id="element"
|
|
-| "<#selection-anchor>fsdf"
-|
+| "fsdf"
|
| "fsdf"
-|
|
|
| "gghfg"
-|
|
-| "fsfg<#selection-focus>"
-|
-|
+| "fsfg"
Modified: trunk/Source/WebCore/ChangeLog (260206 => 260207)
--- trunk/Source/WebCore/ChangeLog 2020-04-16 18:38:22 UTC (rev 260206)
+++ trunk/Source/WebCore/ChangeLog 2020-04-16 18:42:36 UTC (rev 260207)
@@ -1,3 +1,19 @@
+2020-04-16 Jack Lee
+
+ASSERTION FAILED: candidate.isCandidate() in WebCore::canonicalizeCandidate
+https://bugs.webkit.org/show_bug.cgi?id=130844
+
+
+Reviewed by Geoffrey Garen.
+
+Call Position::isCandidate() in PositionIterator::isCandidate so behavior of
+candidate search become identical in both classes.
+
+Test: editing/inserting/insert-in-b
[webkit-changes] [260154] trunk/LayoutTests
Title: [260154] trunk/LayoutTests Revision 260154 Author shihchieh_...@apple.com Date 2020-04-15 15:01:51 -0700 (Wed, 15 Apr 2020) Log Message Infinite loop in InsertListCommand::doApply() https://bugs.webkit.org/show_bug.cgi?id=210354 Reviewed by Geoffrey Garen. Update the regression test for this hang issue. * editing/inserting/insert-list-end-of-table-expected.txt: Added. * editing/inserting/insert-list-end-of-table.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html Diff Modified: trunk/LayoutTests/ChangeLog (260153 => 260154) --- trunk/LayoutTests/ChangeLog 2020-04-15 21:57:22 UTC (rev 260153) +++ trunk/LayoutTests/ChangeLog 2020-04-15 22:01:51 UTC (rev 260154) @@ -1,5 +1,18 @@ 2020-04-15 Jack Lee +Infinite loop in InsertListCommand::doApply() +https://bugs.webkit.org/show_bug.cgi?id=210354 + + +Reviewed by Geoffrey Garen. + +Update the regression test for this hang issue. + +* editing/inserting/insert-list-end-of-table-expected.txt: Added. +* editing/inserting/insert-list-end-of-table.html: Added. + +2020-04-15 Jack Lee + ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed when deleting a UserSelect::None element. https://bugs.webkit.org/show_bug.cgi?id=210530 Modified: trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html (260153 => 260154) --- trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html 2020-04-15 21:57:22 UTC (rev 260153) +++ trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html 2020-04-15 22:01:51 UTC (rev 260154) @@ -1,18 +1,10 @@ +content-if (window.testRunner) { -testRunner.dumpAsText(); -testRunner.waitUntilDone(); -} - -window._onload_ = () => { -window.getSelection().setBaseAndExtent(TH,1,SPAN,0); -document.execCommand("insertUnorderedList", false); - -requestAnimationFrame(function () { -document.body.innerHTML = "+document.body.offsetHeight; +window.getSelection().setBaseAndExtent(td, 1, input, 0); +document.execCommand("insertUnorderedList", false); +document.body.offsetHeight; +document.body.innerText = "Tests inserting list at the end of a table. The test passes if WebKit doesn't crash or hit an assertion."; +if (window.testRunner) + testRunner.dumpAsText(); -a ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changesTests inserting list at the end of a table. The test passes if WebKit doesn't crash or hit an assertion.
"; -if (window.testRunner) -testRunner.notifyDone(); -}); -}
[webkit-changes] [260153] trunk
Title: [260153] trunk
Revision 260153
Author shihchieh_...@apple.com
Date 2020-04-15 14:57:22 -0700 (Wed, 15 Apr 2020)
Log Message
Source/WebCore:
ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed
when deleting a UserSelect::None element.
https://bugs.webkit.org/show_bug.cgi?id=210530
Reviewed by Geoffrey Garen.
Quit forwardDeleteKeyPressed() if FrameSelection::modify() returns empty selection.
Test: editing/deleting/forward-delete-UserSelect-None-element.html
* editing/TypingCommand.cpp:
(WebCore::TypingCommand::forwardDeleteKeyPressed):
LayoutTests:
ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed
when deleting a UserSelect::None element.
https://bugs.webkit.org/show_bug.cgi?id=210530
Reviewed by Geoffrey Garen.
Added a regression test for the crash.
* editing/deleting/forward-delete-UserSelect-None-element-expected.txt: Added.
* editing/deleting/forward-delete-UserSelect-None-element.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/TypingCommand.cpp
Added Paths
trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element-expected.txt
trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element.html
Diff
Modified: trunk/LayoutTests/ChangeLog (260152 => 260153)
--- trunk/LayoutTests/ChangeLog 2020-04-15 21:23:46 UTC (rev 260152)
+++ trunk/LayoutTests/ChangeLog 2020-04-15 21:57:22 UTC (rev 260153)
@@ -1,3 +1,17 @@
+2020-04-15 Jack Lee
+
+ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed
+when deleting a UserSelect::None element.
+https://bugs.webkit.org/show_bug.cgi?id=210530
+
+
+Reviewed by Geoffrey Garen.
+
+Added a regression test for the crash.
+
+* editing/deleting/forward-delete-UserSelect-None-element-expected.txt: Added.
+* editing/deleting/forward-delete-UserSelect-None-element.html: Added.
+
2020-04-15 Wenson Hsieh
[iPadOS] Some pages indefinitely zoom in and out due to idempotent text autosizing
Added: trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element-expected.txt (0 => 260153)
--- trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element-expected.txt 2020-04-15 21:57:22 UTC (rev 260153)
@@ -0,0 +1 @@
+Tests forward-deleting a UserSelect::None element. The test passes if WebKit doesn't crash or hit an ssertion.
Added: trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element.html (0 => 260153)
--- trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element.html (rev 0)
+++ trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element.html 2020-04-15 21:57:22 UTC (rev 260153)
@@ -0,0 +1,8 @@
+
+
+input.focus();
+document.execCommand("forwardDelete", false);
+document.body.innerText = "Tests forward-deleting a UserSelect::None element. The test passes if WebKit doesn't crash or hit an ssertion.";
+if (window.testRunner)
+testRunner.dumpAsText();
+
Modified: trunk/Source/WebCore/ChangeLog (260152 => 260153)
--- trunk/Source/WebCore/ChangeLog 2020-04-15 21:23:46 UTC (rev 260152)
+++ trunk/Source/WebCore/ChangeLog 2020-04-15 21:57:22 UTC (rev 260153)
@@ -1,3 +1,19 @@
+2020-04-15 Jack Lee
+
+ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed
+when deleting a UserSelect::None element.
+https://bugs.webkit.org/show_bug.cgi?id=210530
+
+
+Reviewed by Geoffrey Garen.
+
+Quit forwardDeleteKeyPressed() if FrameSelection::modify() returns empty selection.
+
+Test: editing/deleting/forward-delete-UserSelect-None-element.html
+
+* editing/TypingCommand.cpp:
+(WebCore::TypingCommand::forwardDeleteKeyPressed):
+
2020-04-15 Peng Liu
Video elements don't return to the correct position when exiting fullscreen
Modified: trunk/Source/WebCore/editing/TypingCommand.cpp (260152 => 260153)
--- trunk/Source/WebCore/editing/TypingCommand.cpp 2020-04-15 21:23:46 UTC (rev 260152)
+++ trunk/Source/WebCore/editing/TypingCommand.cpp 2020-04-15 21:57:22 UTC (rev 260153)
@@ -801,6 +801,8 @@
FrameSelection selection;
selection.setSelection(endingSelection());
selection.modify(FrameSelection::AlterationExtend, DirectionForward, granularity);
+if (selection.isNone())
+return;
if (shouldAddToKillRing && selection.isCaret() && granularity != CharacterGranularity)
selection.modify(FrameSelection::AlterationExtend, DirectionForward, CharacterGranularity);
___
webkit-changes mailing list
webkit-changes@lists.webkit.or
[webkit-changes] [259939] trunk
Title: [259939] trunk
Revision 259939
Author shihchieh_...@apple.com
Date 2020-04-11 20:13:17 -0700 (Sat, 11 Apr 2020)
Log Message
Infinite loop in InsertListCommand::doApply()
https://bugs.webkit.org/show_bug.cgi?id=210354
Reviewed by Darin Adler.
Source/WebCore:
Function startOfNextParagraph may return an empty position. Added null check to exit the while loop
and stop looking for next paragraph.
Test: editing/inserting/insert-list-end-of-table.html
* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::doApply):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-list-end-of-table-expected.txt: Added.
* editing/inserting/insert-list-end-of-table.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/InsertListCommand.cpp
Added Paths
trunk/LayoutTests/editing/inserting/insert-list-end-of-table-expected.txt
trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html
Diff
Modified: trunk/LayoutTests/ChangeLog (259938 => 259939)
--- trunk/LayoutTests/ChangeLog 2020-04-12 00:43:53 UTC (rev 259938)
+++ trunk/LayoutTests/ChangeLog 2020-04-12 03:13:17 UTC (rev 259939)
@@ -1,3 +1,16 @@
+2020-04-11 Jack Lee
+
+Infinite loop in InsertListCommand::doApply()
+https://bugs.webkit.org/show_bug.cgi?id=210354
+
+
+Reviewed by Darin Adler.
+
+Added a regression test for the crash.
+
+* editing/inserting/insert-list-end-of-table-expected.txt: Added.
+* editing/inserting/insert-list-end-of-table.html: Added.
+
2020-04-11 Simon Fraser
[Async overflow] Can't scroll overflow:scroll in sideways-scrollable RTL document
Added: trunk/LayoutTests/editing/inserting/insert-list-end-of-table-expected.txt (0 => 259939)
--- trunk/LayoutTests/editing/inserting/insert-list-end-of-table-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-end-of-table-expected.txt 2020-04-12 03:13:17 UTC (rev 259939)
@@ -0,0 +1 @@
+Tests inserting list at the end of a table. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html (0 => 259939)
--- trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html 2020-04-12 03:13:17 UTC (rev 259939)
@@ -0,0 +1,18 @@
+
+if (window.testRunner) {
+testRunner.dumpAsText();
+testRunner.waitUntilDone();
+}
+
+window._onload_ = () => {
+window.getSelection().setBaseAndExtent(TH,1,SPAN,0);
+document.execCommand("insertUnorderedList", false);
+
+requestAnimationFrame(function () {
+document.body.innerHTML = " Tests inserting list at the end of a table. The test passes if WebKit doesn't crash or hit an assertion.
";
+if (window.testRunner)
+testRunner.notifyDone();
+});
+}
+
+a
Modified: trunk/Source/WebCore/ChangeLog (259938 => 259939)
--- trunk/Source/WebCore/ChangeLog 2020-04-12 00:43:53 UTC (rev 259938)
+++ trunk/Source/WebCore/ChangeLog 2020-04-12 03:13:17 UTC (rev 259939)
@@ -1,3 +1,19 @@
+2020-04-11 Jack Lee
+
+Infinite loop in InsertListCommand::doApply()
+https://bugs.webkit.org/show_bug.cgi?id=210354
+
+
+Reviewed by Darin Adler.
+
+Function startOfNextParagraph may return an empty position. Added null check to exit the while loop
+and stop looking for next paragraph.
+
+Test: editing/inserting/insert-list-end-of-table.html
+
+* editing/InsertListCommand.cpp:
+(WebCore::InsertListCommand::doApply):
+
2020-04-11 Wenson Hsieh
[macOS] [WK1] Touch Bar flashes when typing in Vietnamese in Mail
Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (259938 => 259939)
--- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-04-12 00:43:53 UTC (rev 259938)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-04-12 03:13:17 UTC (rev 259939)
@@ -145,7 +145,7 @@
RefPtr currentSelection = endingSelection().firstRange();
VisiblePosition startOfCurrentParagraph = startOfSelection;
-while (!inSameParagraph(startOfCurrentParagraph, startOfLastParagraph, CanCrossEditingBoundary)) {
+while (!startOfCurrentParagraph.isNull() && !inSameParagraph(startOfCurrentParagraph, startOfLastParagraph, CanCrossEditingBoundary)) {
// doApply() may operate on and remove the last paragraph of the selection from the document
// if it's in the same list item as startOfCurrentParagraph. Return early to avoid an
// infinite loop and because there is no more work to be done.
___
webkit-changes mailing list
webkit-changes@l
[webkit-changes] [259899] trunk
Title: [259899] trunk
Revision 259899
Author shihchieh_...@apple.com
Date 2020-04-10 13:44:52 -0700 (Fri, 10 Apr 2020)
Log Message
ASSERTION FAILED: selection.isRange() in InsertListCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=210170
Reviewed by Wenson Hsieh.
Source/WebCore:
If selectionForParagraphIteration returns a non-range selection, there is no need for finding
multiple paragraphs. And since non-range selection is handled, the assertion can be removed.
Test: editing/inserting/insert-list-in-table-assert.html
* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::doApply):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-list-in-table-assert-expected.txt: Added.
* editing/inserting/insert-list-in-table-assert.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/InsertListCommand.cpp
Added Paths
trunk/LayoutTests/editing/inserting/insert-list-in-table-assert-expected.txt
trunk/LayoutTests/editing/inserting/insert-list-in-table-assert.html
Diff
Modified: trunk/LayoutTests/ChangeLog (259898 => 259899)
--- trunk/LayoutTests/ChangeLog 2020-04-10 20:30:03 UTC (rev 259898)
+++ trunk/LayoutTests/ChangeLog 2020-04-10 20:44:52 UTC (rev 259899)
@@ -1,3 +1,16 @@
+2020-04-10 Jack Lee
+
+ASSERTION FAILED: selection.isRange() in InsertListCommand::doApply
+https://bugs.webkit.org/show_bug.cgi?id=210170
+
+
+Reviewed by Wenson Hsieh.
+
+Added a regression test for the crash.
+
+* editing/inserting/insert-list-in-table-assert-expected.txt: Added.
+* editing/inserting/insert-list-in-table-assert.html: Added.
+
2020-04-10 Wenson Hsieh
[iOS] Unable to select text by tap-hold or double tap-hold when allowsLinkPreview property is set to NO
Added: trunk/LayoutTests/editing/inserting/insert-list-in-table-assert-expected.txt (0 => 259899)
--- trunk/LayoutTests/editing/inserting/insert-list-in-table-assert-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-in-table-assert-expected.txt 2020-04-10 20:44:52 UTC (rev 259899)
@@ -0,0 +1 @@
+Tests inserting list in table. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/editing/inserting/insert-list-in-table-assert.html (0 => 259899)
--- trunk/LayoutTests/editing/inserting/insert-list-in-table-assert.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-in-table-assert.html 2020-04-10 20:44:52 UTC (rev 259899)
@@ -0,0 +1,18 @@
+
+if (window.testRunner) {
+testRunner.dumpAsText();
+testRunner.waitUntilDone();
+}
+
+window._onload_ = () => {
+window.getSelection().setBaseAndExtent(TH,1,STYLE,1);
+document.execCommand("insertUnorderedList", false);
+
+requestAnimationFrame(function () {
+document.body.innerHTML = " Tests inserting list in table. The test passes if WebKit doesn't crash or hit an assertion.
";
+if (window.testRunner)
+testRunner.notifyDone();
+});
+}
+
+a
Modified: trunk/Source/WebCore/ChangeLog (259898 => 259899)
--- trunk/Source/WebCore/ChangeLog 2020-04-10 20:30:03 UTC (rev 259898)
+++ trunk/Source/WebCore/ChangeLog 2020-04-10 20:44:52 UTC (rev 259899)
@@ -1,3 +1,19 @@
+2020-04-10 Jack Lee
+
+ASSERTION FAILED: selection.isRange() in InsertListCommand::doApply
+https://bugs.webkit.org/show_bug.cgi?id=210170
+
+
+Reviewed by Wenson Hsieh.
+
+If selectionForParagraphIteration returns a non-range selection, there is no need for finding
+multiple paragraphs. And since non-range selection is handled, the assertion can be removed.
+
+Test: editing/inserting/insert-list-in-table-assert.html
+
+* editing/InsertListCommand.cpp:
+(WebCore::InsertListCommand::doApply):
+
2020-04-10 Antti Koivisto
[CSS Shadow Parts] Bad style sharing between sibling elements with different part attributes
Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (259898 => 259899)
--- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-04-10 20:30:03 UTC (rev 259898)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-04-10 20:44:52 UTC (rev 259899)
@@ -135,59 +135,60 @@
auto& listTag = (m_type == Type::OrderedList) ? olTag : ulTag;
if (endingSelection().isRange()) {
VisibleSelection selection = selectionForParagraphIteration(endingSelection());
-ASSERT(selection.isRange());
-VisiblePosition startOfSelection = selection.visibleStart();
-VisiblePosition endOfSelection = selection.visibleEnd();
-VisiblePosition startOfLastParagraph = startOfParagraph(endOfSelection, CanSkipOverEditingBoundary);
+if (selection.isRange()) {
+VisiblePosition startOfSelection = selection.visi
[webkit-changes] [259624] trunk
Title: [259624] trunk
Revision 259624
Author shihchieh_...@apple.com
Date 2020-04-06 23:29:24 -0700 (Mon, 06 Apr 2020)
Log Message
Nullptr crash in CompositeEditCommand::splitTreeToNode when inserting image in anchor element that has uneditable parent
https://bugs.webkit.org/show_bug.cgi?id=210004
Reviewed by Ryosuke Niwa.
Source/WebCore:
RemoveNodePreservingChildren can fail and leave the children dangling if the parent of the node
is uneditable. Added editability check for the to-be-removed node.
Test: editing/inserting/insert-img-anchor-uneditable-parent.html
* editing/RemoveNodePreservingChildrenCommand.cpp:
(WebCore::RemoveNodePreservingChildrenCommand::doApply):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-img-anchor-uneditable-parent-expected.txt: Added.
* editing/inserting/insert-img-anchor-uneditable-parent.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp
Added Paths
trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent-expected.txt
trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent.html
Diff
Modified: trunk/LayoutTests/ChangeLog (259623 => 259624)
--- trunk/LayoutTests/ChangeLog 2020-04-07 04:59:57 UTC (rev 259623)
+++ trunk/LayoutTests/ChangeLog 2020-04-07 06:29:24 UTC (rev 259624)
@@ -1,3 +1,16 @@
+2020-04-06 Jack Lee
+
+Nullptr crash in CompositeEditCommand::splitTreeToNode when inserting image in anchor element that has uneditable parent
+https://bugs.webkit.org/show_bug.cgi?id=210004
+
+
+Reviewed by Ryosuke Niwa.
+
+Added a regression test for the crash.
+
+* editing/inserting/insert-img-anchor-uneditable-parent-expected.txt: Added.
+* editing/inserting/insert-img-anchor-uneditable-parent.html: Added.
+
2020-04-06 Lauro Moura
[GTK][WPE] Gardening EXIF orientation failure.
Added: trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent-expected.txt (0 => 259624)
--- trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent-expected.txt 2020-04-07 06:29:24 UTC (rev 259624)
@@ -0,0 +1,3 @@
+Test inserting image in anchor element that has uneditable parent. The test passes if WebKit doesn't crash or hit an assertion.
+
+
Added: trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent.html (0 => 259624)
--- trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent.html 2020-04-07 06:29:24 UTC (rev 259624)
@@ -0,0 +1,13 @@
+
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+window._onload_ = () => {
+window.getSelection().collapse(BR);
+document.execCommand("selectAll", false);
+document.execCommand("fontName", false, "Times Roman");
+document.getSelection().collapseToStart();
+window.document.execCommand("insertImage", "#foo");
+}
+
Modified: trunk/Source/WebCore/ChangeLog (259623 => 259624)
--- trunk/Source/WebCore/ChangeLog 2020-04-07 04:59:57 UTC (rev 259623)
+++ trunk/Source/WebCore/ChangeLog 2020-04-07 06:29:24 UTC (rev 259624)
@@ -1,3 +1,19 @@
+2020-04-06 Jack Lee
+
+Nullptr crash in CompositeEditCommand::splitTreeToNode when inserting image in anchor element that has uneditable parent
+https://bugs.webkit.org/show_bug.cgi?id=210004
+
+
+Reviewed by Ryosuke Niwa.
+
+RemoveNodePreservingChildren can fail and leave the children dangling if the parent of the node
+is uneditable. Added editability check for the to-be-removed node.
+
+Test: editing/inserting/insert-img-anchor-uneditable-parent.html
+
+* editing/RemoveNodePreservingChildrenCommand.cpp:
+(WebCore::RemoveNodePreservingChildrenCommand::doApply):
+
2020-04-06 David Kilzer
Use-after-move of Vector in TextManipulationController::observeParagraphs()
Modified: trunk/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp (259623 => 259624)
--- trunk/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp 2020-04-07 04:59:57 UTC (rev 259623)
+++ trunk/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp 2020-04-07 06:29:24 UTC (rev 259624)
@@ -41,6 +41,10 @@
void RemoveNodePreservingChildrenCommand::doApply()
{
Vector> children;
+auto parent = makeRefPtr(m_node->parentNode());
+if (!parent || (m_shouldAssumeContentIsAlwaysEditable == DoNotAssumeContentIsAlwaysEditable && !isEditableNode(*parent)))
+return;
+
for (Node* child = m_node->firstChild(); child; child = child->nextSibling())
children.append(*child);
[webkit-changes] [259619] trunk
Title: [259619] trunk
Revision 259619
Author shihchieh_...@apple.com
Date 2020-04-06 18:45:56 -0700 (Mon, 06 Apr 2020)
Log Message
Nullptr crash in WebCore::lastPositionInNode when indenting text node that has user-select:all parent.
https://bugs.webkit.org/show_bug.cgi?id=210016
Reviewed by Ryosuke Niwa.
Source/WebCore:
In rangeForParagraphSplittingTextNodesIfNeeded, added null check for previousSibling()
after splitTextNode is called, and returns empty positions to caller.
In formatSelection, check the returned positions from rangeForParagraphSplittingTextNodesIfNeeded
and stop indenting the rest of the paragraphs.
Test: fast/editing/indent-pre-user-select-all-crash.html
* editing/ApplyBlockElementCommand.cpp:
(WebCore::ApplyBlockElementCommand::formatSelection):
(WebCore::ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded):
LayoutTests:
Added a regression test for the crash.
* fast/editing/indent-pre-user-select-all-crash-expected.txt: Added.
* fast/editing/indent-pre-user-select-all-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/ApplyBlockElementCommand.cpp
Added Paths
trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash-expected.txt
trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (259618 => 259619)
--- trunk/LayoutTests/ChangeLog 2020-04-07 01:04:05 UTC (rev 259618)
+++ trunk/LayoutTests/ChangeLog 2020-04-07 01:45:56 UTC (rev 259619)
@@ -1,3 +1,16 @@
+2020-04-06 Jack Lee
+
+Nullptr crash in WebCore::lastPositionInNode when indenting text node that has user-select:all parent.
+https://bugs.webkit.org/show_bug.cgi?id=210016
+
+
+Reviewed by Ryosuke Niwa.
+
+Added a regression test for the crash.
+
+* fast/editing/indent-pre-user-select-all-crash-expected.txt: Added.
+* fast/editing/indent-pre-user-select-all-crash.html: Added.
+
2020-04-06 Jason Lawrence
[ Mac wk1 Debug ] inspector/debugger/evaluateOnCallFrame-errors.html is flaky failing.
Added: trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash-expected.txt (0 => 259619)
--- trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash-expected.txt 2020-04-07 01:45:56 UTC (rev 259619)
@@ -0,0 +1 @@
+Tests indenting pre element that has user-select:all parent. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash.html (0 => 259619)
--- trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash.html (rev 0)
+++ trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash.html 2020-04-07 01:45:56 UTC (rev 259619)
@@ -0,0 +1,23 @@
+
+#DETAILS { -webkit-user-select: all; }
+
+
+if (window.testRunner) {
+testRunner.dumpAsText();
+testRunner.waitUntilDone();
+}
+
+window._onload_ = () => {
+document.execCommand("selectAll", false);
+document.execCommand("indent", false);
+
+requestAnimationFrame(function () {
+document.body.innerHTML = "Tests indenting pre element that has user-select:all parent. The test passes if WebKit doesn't crash or hit an assertion.
";
+if (window.testRunner) {
+testRunner.notifyDone();
+}
+});
+}
+
+a
+a
Modified: trunk/Source/WebCore/ChangeLog (259618 => 259619)
--- trunk/Source/WebCore/ChangeLog 2020-04-07 01:04:05 UTC (rev 259618)
+++ trunk/Source/WebCore/ChangeLog 2020-04-07 01:45:56 UTC (rev 259619)
@@ -1,3 +1,23 @@
+2020-04-06 Jack Lee
+
+Nullptr crash in WebCore::lastPositionInNode when indenting text node that has user-select:all parent.
+https://bugs.webkit.org/show_bug.cgi?id=210016
+
+
+Reviewed by Ryosuke Niwa.
+
+In rangeForParagraphSplittingTextNodesIfNeeded, added null check for previousSibling()
+after splitTextNode is called, and returns empty positions to caller.
+
+In formatSelection, check the returned positions from rangeForParagraphSplittingTextNodesIfNeeded
+and stop indenting the rest of the paragraphs.
+
+Test: fast/editing/indent-pre-user-select-all-crash.html
+
+* editing/ApplyBlockElementCommand.cpp:
+(WebCore::ApplyBlockElementCommand::formatSelection):
+(WebCore::ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded):
+
2020-04-06 Devin Rousso
Web Inspector: `console.log(...)` appear as `CONSOLE LOG LOG` in the system console
Modified: trunk/Source/WebCore/editing/ApplyBlockElementCommand.cpp (259618 => 259619)
--- trunk/Source/WebCore/editing/ApplyBlockElementCommand.cpp 2020-04-07 01:04:05 UTC (rev 259618)
+++ trunk/Source/WebCore/editin
[webkit-changes] [259595] trunk
Title: [259595] trunk
Revision 259595
Author shihchieh_...@apple.com
Date 2020-04-06 14:44:11 -0700 (Mon, 06 Apr 2020)
Log Message
Nullptr crash in CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary with draggable text
https://bugs.webkit.org/show_bug.cgi?id=20
Reviewed by Ryosuke Niwa.
Source/WebCore:
VisibleParagraphStart/End may return empty VisiblePosition if no proper element or node
can be used as position candidate. Add null check for the returned VisiblePositions.
Test: fast/css/style-change-draggable-text.html
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary):
LayoutTests:
Added a regression test for the crash.
* fast/css/style-change-draggable-text-expected.txt: Added.
* fast/css/style-change-draggable-text.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/CompositeEditCommand.cpp
Added Paths
trunk/LayoutTests/fast/css/style-change-draggable-text-expected.txt
trunk/LayoutTests/fast/css/style-change-draggable-text.html
Diff
Modified: trunk/LayoutTests/ChangeLog (259594 => 259595)
--- trunk/LayoutTests/ChangeLog 2020-04-06 20:53:56 UTC (rev 259594)
+++ trunk/LayoutTests/ChangeLog 2020-04-06 21:44:11 UTC (rev 259595)
@@ -1,3 +1,16 @@
+2020-04-06 Jack Lee
+
+Nullptr crash in CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary with draggable text
+https://bugs.webkit.org/show_bug.cgi?id=20
+
+
+Reviewed by Ryosuke Niwa.
+
+Added a regression test for the crash.
+
+* fast/css/style-change-draggable-text-expected.txt: Added.
+* fast/css/style-change-draggable-text.html: Added.
+
2020-04-06 Jer Noble
[ Mac wk2 ] http/tests/media/track-in-band-hls-metadata.html is flaky crashing.
Added: trunk/LayoutTests/fast/css/style-change-draggable-text-expected.txt (0 => 259595)
--- trunk/LayoutTests/fast/css/style-change-draggable-text-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/style-change-draggable-text-expected.txt 2020-04-06 21:44:11 UTC (rev 259595)
@@ -0,0 +1 @@
+Test changing style with draggable text. The test passes if WebKit doesn't crash or hit an assertiona
Added: trunk/LayoutTests/fast/css/style-change-draggable-text.html (0 => 259595)
--- trunk/LayoutTests/fast/css/style-change-draggable-text.html (rev 0)
+++ trunk/LayoutTests/fast/css/style-change-draggable-text.html 2020-04-06 21:44:11 UTC (rev 259595)
@@ -0,0 +1,14 @@
+
+#SHADOW { initial; -webkit-user-select: text; }
+#LABEL { -webkit-user-select: all; }
+
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+window._onload_ = () => {
+window.getSelection().collapse(SHADOW);
+document.execCommand("justifyCenter", false);
+}
+
+Test changing style with draggable text. The test passes if WebKit doesn't crash or hit an assertiona
Modified: trunk/Source/WebCore/ChangeLog (259594 => 259595)
--- trunk/Source/WebCore/ChangeLog 2020-04-06 20:53:56 UTC (rev 259594)
+++ trunk/Source/WebCore/ChangeLog 2020-04-06 21:44:11 UTC (rev 259595)
@@ -1,3 +1,19 @@
+2020-04-06 Jack Lee
+
+Nullptr crash in CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary with draggable text
+https://bugs.webkit.org/show_bug.cgi?id=20
+
+
+Reviewed by Ryosuke Niwa.
+
+VisibleParagraphStart/End may return empty VisiblePosition if no proper element or node
+can be used as position candidate. Add null check for the returned VisiblePositions.
+
+Test: fast/css/style-change-draggable-text.html
+
+* editing/CompositeEditCommand.cpp:
+(WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary):
+
2020-04-06 Jer Noble
Strengthen the ASSERT in ImageDecoderAVFObjC::storeSampleBuffer().
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (259594 => 259595)
--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-04-06 20:53:56 UTC (rev 259594)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-04-06 21:44:11 UTC (rev 259595)
@@ -1159,6 +1159,9 @@
VisiblePosition visiblePos(pos, VP_DEFAULT_AFFINITY);
VisiblePosition visibleParagraphStart(startOfParagraph(visiblePos));
VisiblePosition visibleParagraphEnd = endOfParagraph(visiblePos);
+if (visibleParagraphStart.isNull() || visibleParagraphEnd.isNull())
+return nullptr;
+
VisiblePosition next = visibleParagraphEnd.next();
VisiblePosition visibleEnd = next.isNotNull() ? next : visibleParagraphEnd;
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [259525] trunk/Source/WebCore
Title: [259525] trunk/Source/WebCore
Revision 259525
Author shihchieh_...@apple.com
Date 2020-04-03 18:04:42 -0700 (Fri, 03 Apr 2020)
Log Message
Protect contentFrame in SubframeLoader::loadOrRedirectSubframe with RefPtr.
https://bugs.webkit.org/show_bug.cgi?id=127096
Reviewed by Alex Christensen.
ContentFrame is used throughout loadOrRedirectSubframe so it needs to be protected with RefPtr.
And if loader changes frame in SubframeLoader::loadSubframe, return nullptr to notify the caller.
No new tests, covered by existing test.
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::loadOrRedirectSubframe):
(WebCore::SubframeLoader::loadSubframe):
* loader/SubframeLoader.h:
Modified Paths
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/loader/SubframeLoader.cpp
trunk/Source/WebCore/loader/SubframeLoader.h
Diff
Modified: trunk/Source/WebCore/ChangeLog (259524 => 259525)
--- trunk/Source/WebCore/ChangeLog 2020-04-04 01:01:13 UTC (rev 259524)
+++ trunk/Source/WebCore/ChangeLog 2020-04-04 01:04:42 UTC (rev 259525)
@@ -1,3 +1,21 @@
+2020-04-03 Jack Lee
+
+Protect contentFrame in SubframeLoader::loadOrRedirectSubframe with RefPtr.
+https://bugs.webkit.org/show_bug.cgi?id=127096
+
+
+Reviewed by Alex Christensen.
+
+ContentFrame is used throughout loadOrRedirectSubframe so it needs to be protected with RefPtr.
+And if loader changes frame in SubframeLoader::loadSubframe, return nullptr to notify the caller.
+
+No new tests, covered by existing test.
+
+* loader/SubframeLoader.cpp:
+(WebCore::SubframeLoader::loadOrRedirectSubframe):
+(WebCore::SubframeLoader::loadSubframe):
+* loader/SubframeLoader.h:
+
2020-04-03 Alex Christensen
Add SPI to make WKUserScripts wait for a notification
Modified: trunk/Source/WebCore/loader/SubframeLoader.cpp (259524 => 259525)
--- trunk/Source/WebCore/loader/SubframeLoader.cpp 2020-04-04 01:01:13 UTC (rev 259524)
+++ trunk/Source/WebCore/loader/SubframeLoader.cpp 2020-04-04 01:04:42 UTC (rev 259525)
@@ -303,7 +303,7 @@
URL upgradedRequestURL = requestURL;
initiatingDocument.contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(upgradedRequestURL, ContentSecurityPolicy::InsecureRequestType::Load);
-auto* frame = ownerElement.contentFrame();
+RefPtr frame = makeRefPtr(ownerElement.contentFrame());
if (frame)
frame->navigationScheduler().scheduleLocationChange(initiatingDocument, initiatingDocument.securityOrigin(), upgradedRequestURL, m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList);
else
@@ -316,7 +316,7 @@
return ownerElement.contentFrame();
}
-Frame* SubframeLoader::loadSubframe(HTMLFrameOwnerElement& ownerElement, const URL& url, const String& name, const String& referrer)
+RefPtr SubframeLoader::loadSubframe(HTMLFrameOwnerElement& ownerElement, const URL& url, const String& name, const String& referrer)
{
Ref protect(m_frame);
auto document = makeRef(ownerElement.document());
@@ -376,7 +376,10 @@
if (frame->loader().state() == FrameStateComplete && !frame->loader().policyDocumentLoader())
frame->loader().checkCompleted();
-return frame.get();
+if (!frame->tree().parent())
+return nullptr;
+
+return frame;
}
bool SubframeLoader::allowPlugins()
Modified: trunk/Source/WebCore/loader/SubframeLoader.h (259524 => 259525)
--- trunk/Source/WebCore/loader/SubframeLoader.h 2020-04-04 01:01:13 UTC (rev 259524)
+++ trunk/Source/WebCore/loader/SubframeLoader.h 2020-04-04 01:04:42 UTC (rev 259525)
@@ -70,7 +70,7 @@
private:
bool requestPlugin(HTMLPlugInImageElement&, const URL&, const String& serviceType, const Vector& paramNames, const Vector& paramValues, bool useFallback);
Frame* loadOrRedirectSubframe(HTMLFrameOwnerElement&, const URL&, const AtomString& frameName, LockHistory, LockBackForwardList);
-Frame* loadSubframe(HTMLFrameOwnerElement&, const URL&, const String& name, const String& referrer);
+RefPtr loadSubframe(HTMLFrameOwnerElement&, const URL&, const String& name, const String& referrer);
bool loadPlugin(HTMLPlugInImageElement&, const URL&, const String& mimeType, const Vector& paramNames, const Vector& paramValues, bool useFallback);
bool shouldUsePlugin(const URL&, const String& mimeType, bool hasFallback, bool& useFallback);
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [259376] trunk/Source/WebCore
Title: [259376] trunk/Source/WebCore
Revision 259376
Author shihchieh_...@apple.com
Date 2020-04-01 19:31:24 -0700 (Wed, 01 Apr 2020)
Log Message
Remove the unnecessary null check for document
https://bugs.webkit.org/show_bug.cgi?id=209819
Reviewed by Ryosuke Niwa.
No new tests, covered by existing test.
* dom/Node.cpp:
(WebCore::Node::removedFromAncestor):
Modified Paths
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/dom/Node.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (259375 => 259376)
--- trunk/Source/WebCore/ChangeLog 2020-04-02 00:35:02 UTC (rev 259375)
+++ trunk/Source/WebCore/ChangeLog 2020-04-02 02:31:24 UTC (rev 259376)
@@ -1,3 +1,15 @@
+2020-04-01 Jack Lee
+
+Remove the unnecessary null check for document
+https://bugs.webkit.org/show_bug.cgi?id=209819
+
+Reviewed by Ryosuke Niwa.
+
+No new tests, covered by existing test.
+
+* dom/Node.cpp:
+(WebCore::Node::removedFromAncestor):
+
2020-04-01 Wenson Hsieh
Remove some PLATFORM(IOS_FAMILY) guards in TextFieldInputType
Modified: trunk/Source/WebCore/dom/Node.cpp (259375 => 259376)
--- trunk/Source/WebCore/dom/Node.cpp 2020-04-02 00:35:02 UTC (rev 259375)
+++ trunk/Source/WebCore/dom/Node.cpp 2020-04-02 02:31:24 UTC (rev 259376)
@@ -1304,10 +1304,8 @@
if (isInShadowTree() && !treeScope().rootNode().isShadowRoot())
clearFlag(IsInShadowTreeFlag);
if (removalType.disconnectedFromDocument) {
-if (auto* document = &oldParentOfRemovedTree.treeScope().documentScope()) {
-if (auto* cache = document->existingAXObjectCache())
-cache->remove(*this);
-}
+if (auto* cache = oldParentOfRemovedTree.document().existingAXObjectCache())
+cache->remove(*this);
}
}
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [259349] trunk/Tools
Title: [259349] trunk/Tools
Revision 259349
Author shihchieh_...@apple.com
Date 2020-04-01 09:18:50 -0700 (Wed, 01 Apr 2020)
Log Message
Unreviewed, add new committer to contributors.json
* Scripts/webkitpy/common/config/contributors.json:
Modified Paths
trunk/Tools/ChangeLog
trunk/Tools/Scripts/webkitpy/common/config/contributors.json
Diff
Modified: trunk/Tools/ChangeLog (259348 => 259349)
--- trunk/Tools/ChangeLog 2020-04-01 16:13:01 UTC (rev 259348)
+++ trunk/Tools/ChangeLog 2020-04-01 16:18:50 UTC (rev 259349)
@@ -1,3 +1,9 @@
+2020-04-01 Jack Lee
+
+Unreviewed, add new committer to contributors.json
+
+* Scripts/webkitpy/common/config/contributors.json:
+
2020-04-01 Philippe Normand
[Flatpak SDK] Migration to version 0.2
Modified: trunk/Tools/Scripts/webkitpy/common/config/contributors.json (259348 => 259349)
--- trunk/Tools/Scripts/webkitpy/common/config/contributors.json 2020-04-01 16:13:01 UTC (rev 259348)
+++ trunk/Tools/Scripts/webkitpy/common/config/contributors.json 2020-04-01 16:18:50 UTC (rev 259349)
@@ -2533,6 +2533,15 @@
],
"status" : "reviewer"
},
+ "Jack Lee" : {
+ "emails" : [
+ "shihchieh_...@apple.com"
+ ],
+ "nicks" : [
+ "jackl"
+ ],
+ "status" : "committer"
+ },
"Jacky Jiang" : {
"emails" : [
"jkji...@webkit.org",
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [259348] trunk/Source/WebCore
Title: [259348] trunk/Source/WebCore
Revision 259348
Author shihchieh_...@apple.com
Date 2020-04-01 09:13:01 -0700 (Wed, 01 Apr 2020)
Log Message
Notify accessibility when a node is removed from its ancestor.
https://bugs.webkit.org/show_bug.cgi?id=209819
Reviewed by Chris Fleizach.
Covered by existing tests in LayoutTests/accessibility.
* dom/Node.cpp:
(WebCore::Node::removedFromAncestor):
Modified Paths
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/dom/Node.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (259347 => 259348)
--- trunk/Source/WebCore/ChangeLog 2020-04-01 16:04:07 UTC (rev 259347)
+++ trunk/Source/WebCore/ChangeLog 2020-04-01 16:13:01 UTC (rev 259348)
@@ -1,3 +1,15 @@
+2020-04-01 Jack Lee
+
+Notify accessibility when a node is removed from its ancestor.
+https://bugs.webkit.org/show_bug.cgi?id=209819
+
+Reviewed by Chris Fleizach.
+
+Covered by existing tests in LayoutTests/accessibility.
+
+* dom/Node.cpp:
+(WebCore::Node::removedFromAncestor):
+
2020-04-01 Commit Queue
Unreviewed, reverting r259282.
Modified: trunk/Source/WebCore/dom/Node.cpp (259347 => 259348)
--- trunk/Source/WebCore/dom/Node.cpp 2020-04-01 16:04:07 UTC (rev 259347)
+++ trunk/Source/WebCore/dom/Node.cpp 2020-04-01 16:13:01 UTC (rev 259348)
@@ -1297,12 +1297,18 @@
return InsertedIntoAncestorResult::Done;
}
-void Node::removedFromAncestor(RemovalType removalType, ContainerNode&)
+void Node::removedFromAncestor(RemovalType removalType, ContainerNode& oldParentOfRemovedTree)
{
if (removalType.disconnectedFromDocument)
clearFlag(IsConnectedFlag);
if (isInShadowTree() && !treeScope().rootNode().isShadowRoot())
clearFlag(IsInShadowTreeFlag);
+if (removalType.disconnectedFromDocument) {
+if (auto* document = &oldParentOfRemovedTree.treeScope().documentScope()) {
+if (auto* cache = document->existingAXObjectCache())
+cache->remove(*this);
+}
+}
}
bool Node::isRootEditableElement() const
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [259210] trunk
Title: [259210] trunk
Revision 259210
Author shihchieh_...@apple.com
Date 2020-03-30 10:43:22 -0700 (Mon, 30 Mar 2020)
Log Message
Division by zero in RenderBlockFlow::computeColumnCountAndWidth
https://bugs.webkit.org/show_bug.cgi?id=209485
Reviewed by Zalan Bujtas.
Source/WebCore:
When computing content width and height, set it to 0 if the computed size
is negative.
Test: fast/multicol/negativeColumnGap.html
* rendering/RenderBox.h:
(WebCore::RenderBox::contentWidth const):
(WebCore::RenderBox::contentHeight const):
LayoutTests:
Added a regression test for the crash. Also modify the expected output
of button.html because the size would now be different.
* fast/multicol/negativeColumnGap-expected.txt: Added.
* fast/multicol/negativeColumnGap.html: Added.
* platform/mac/css3/flexbox/button-expected.txt:
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/LayoutTests/platform/mac/css3/flexbox/button-expected.txt
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/rendering/RenderBox.h
Added Paths
trunk/LayoutTests/fast/multicol/negativeColumnGap-expected.txt
trunk/LayoutTests/fast/multicol/negativeColumnGap.html
Diff
Modified: trunk/LayoutTests/ChangeLog (259209 => 259210)
--- trunk/LayoutTests/ChangeLog 2020-03-30 17:35:11 UTC (rev 259209)
+++ trunk/LayoutTests/ChangeLog 2020-03-30 17:43:22 UTC (rev 259210)
@@ -1,3 +1,18 @@
+2020-03-30 Jack Lee
+
+Division by zero in RenderBlockFlow::computeColumnCountAndWidth
+https://bugs.webkit.org/show_bug.cgi?id=209485
+
+
+Reviewed by Zalan Bujtas.
+
+Added a regression test for the crash. Also modify the expected output
+of button.html because the size would now be different.
+
+* fast/multicol/negativeColumnGap-expected.txt: Added.
+* fast/multicol/negativeColumnGap.html: Added.
+* platform/mac/css3/flexbox/button-expected.txt:
+
2020-03-30 youenn fablet
Skip webrtc/datachannel/multiple-connections.html on debug bots
Added: trunk/LayoutTests/fast/multicol/negativeColumnGap-expected.txt (0 => 259210)
--- trunk/LayoutTests/fast/multicol/negativeColumnGap-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/multicol/negativeColumnGap-expected.txt 2020-03-30 17:43:22 UTC (rev 259210)
@@ -0,0 +1 @@
+Test negative column gap. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/fast/multicol/negativeColumnGap.html (0 => 259210)
--- trunk/LayoutTests/fast/multicol/negativeColumnGap.html (rev 0)
+++ trunk/LayoutTests/fast/multicol/negativeColumnGap.html 2020-03-30 17:43:22 UTC (rev 259210)
@@ -0,0 +1,13 @@
+
+#TEXTAREA { grid-gap: 100%; -webkit-logical-width: 0px; }
+
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+window._onload_ = () => {
+TEXTAREA.style.setProperty("column-width", "1px");
+TEXTAREA.style.setProperty("padding", "0px 1px 0px 0px");
+}
+
+Test negative column gap. The test passes if WebKit doesn't crash or hit an assertion.
Modified: trunk/LayoutTests/platform/mac/css3/flexbox/button-expected.txt (259209 => 259210)
--- trunk/LayoutTests/platform/mac/css3/flexbox/button-expected.txt 2020-03-30 17:35:11 UTC (rev 259209)
+++ trunk/LayoutTests/platform/mac/css3/flexbox/button-expected.txt 2020-03-30 17:43:22 UTC (rev 259210)
@@ -1,8 +1,8 @@
layer at (0,0) size 800x600
RenderView at (0,0) size 800x600
-layer at (0,0) size 800x251
- RenderBlock {HTML} at (0,0) size 800x251
-RenderBody {BODY} at (8,8) size 784x235
+layer at (0,0) size 800x249
+ RenderBlock {HTML} at (0,0) size 800x249
+RenderBody {BODY} at (8,8) size 784x233
RenderBlock (anonymous) at (0,0) size 784x36
RenderText {#text} at (0,0) size 778x36
text run at (0,0) width 410: "Test for empty buttons, which inherit from RenderFlexibleBox. "
@@ -23,7 +23,7 @@
RenderButton {INPUT} at (2,39) size 16x18 [color=#00D8] [bgcolor=#C0C0C0]
RenderBR {BR} at (20,40) size 0x18
RenderBlock {HR} at (0,121) size 784x2 [border: (1px inset #00)]
- RenderBlock (anonymous) at (0,131) size 784x104
+ RenderBlock (anonymous) at (0,131) size 784x102
RenderText {#text} at (0,0) size 744x36
text run at (0,0) width 744: "Empty and with overflow: scroll;. The presence of the scrollbar should not shrink the"
text run at (0,18) width 45: "button."
@@ -32,5 +32,5 @@
RenderBR {BR} at (35,70) size 0x18
layer at (10,187) size 31x20 clip at (12,187) size 12x5
RenderButton {BUTTON} at (2,48) size 31x20 [color=#00D8] [bgcolor=#C0C0C0] [border: none (2px outset #C0C0C0) none (2px outset #C0C0C0)]
-layer at (10,223) size 31x18 clip at (10,223) size 16x3
- RenderButton {INPUT} at (2,84) size 31x18 [color=#00D8] [bgcolor=#C0C0C0]
+layer at (10,221) size 31x18 clip at (10,221) size 16x3
+ RenderButton {INPUT} at (2,82) size 31x18 [color=#00D8] [bgcolor=#C0C0
[webkit-changes] [259153] trunk
Title: [259153] trunk
Revision 259153
Author shihchieh_...@apple.com
Date 2020-03-27 21:17:00 -0700 (Fri, 27 Mar 2020)
Log Message
Nullptr crash in CompositeEditCommand::moveParagraphs when inserting OL into uneditable parent.
https://bugs.webkit.org/show_bug.cgi?id=209641
Reviewed by Ryosuke Niwa.
Source/WebCore:
Inserting BR in unlistifyParagraph() or OL/UL in listifyParagraph() would fail
because their insertion position is uneditable. In this case BR/OL/UL becomes
parentless and the code crashes later when their parent is dereferenced in
moveParagraphs().
In unlistifyParagraph(), only insertNodeBefore() and insertNodeAfter() are used
and both check parent of listNode for editability, so in order to avoid assertion
in the above functions, we check the editability of listNode before insertion.
In listifyParagraph() it is hard to predict where the final insertion position would be,
so we check the editability of the insertion position after it is finalized.
Test: editing/inserting/insert-ol-uneditable-parent.html
* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::unlistifyParagraph):
(WebCore::InsertListCommand::listifyParagraph):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-ol-uneditable-parent-expected.txt: Added.
* editing/inserting/insert-ol-uneditable-parent.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/InsertListCommand.cpp
Added Paths
trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent-expected.txt
trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent.html
Diff
Modified: trunk/LayoutTests/ChangeLog (259152 => 259153)
--- trunk/LayoutTests/ChangeLog 2020-03-28 04:00:36 UTC (rev 259152)
+++ trunk/LayoutTests/ChangeLog 2020-03-28 04:17:00 UTC (rev 259153)
@@ -1,3 +1,16 @@
+2020-03-27 Jack Lee
+
+Nullptr crash in CompositeEditCommand::moveParagraphs when inserting OL into uneditable parent.
+https://bugs.webkit.org/show_bug.cgi?id=209641
+
+
+Reviewed by Ryosuke Niwa.
+
+Added a regression test for the crash.
+
+* editing/inserting/insert-ol-uneditable-parent-expected.txt: Added.
+* editing/inserting/insert-ol-uneditable-parent.html: Added.
+
2020-03-27 Eugene But
Test for RenderBox::styleDidChange crash fix
Added: trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent-expected.txt (0 => 259153)
--- trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent-expected.txt 2020-03-28 04:17:00 UTC (rev 259153)
@@ -0,0 +1 @@
+Test insering an ol into uneditable parent. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent.html (0 => 259153)
--- trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent.html 2020-03-28 04:17:00 UTC (rev 259153)
@@ -0,0 +1,10 @@
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+window._onload_ = () => {
+document.getSelection().setPosition(LI);
+document.execCommand("insertOrderedList", false);
+}
+
+Test insering an ol into uneditable parent. The test passes if WebKit doesn't crash or hit an assertion.
Modified: trunk/Source/WebCore/ChangeLog (259152 => 259153)
--- trunk/Source/WebCore/ChangeLog 2020-03-28 04:00:36 UTC (rev 259152)
+++ trunk/Source/WebCore/ChangeLog 2020-03-28 04:17:00 UTC (rev 259153)
@@ -1,3 +1,27 @@
+2020-03-27 Jack Lee
+
+Nullptr crash in CompositeEditCommand::moveParagraphs when inserting OL into uneditable parent.
+https://bugs.webkit.org/show_bug.cgi?id=209641
+
+
+Reviewed by Ryosuke Niwa.
+
+Inserting BR in unlistifyParagraph() or OL/UL in listifyParagraph() would fail
+because their insertion position is uneditable. In this case BR/OL/UL becomes
+parentless and the code crashes later when their parent is dereferenced in
+moveParagraphs().
+In unlistifyParagraph(), only insertNodeBefore() and insertNodeAfter() are used
+and both check parent of listNode for editability, so in order to avoid assertion
+in the above functions, we check the editability of listNode before insertion.
+In listifyParagraph() it is hard to predict where the final insertion position would be,
+so we check the editability of the insertion position after it is finalized.
+
+Test: editing/inserting/insert-ol-uneditable-parent.html
+
+* editing/InsertListCommand.cpp:
+(WebCore::InsertListCommand::unlistifyParagraph):
+(WebCore::InsertListCommand::listifyParagraph):
+
2020-03-27 Eugene But
Fix null pointer crash in RenderBo
[webkit-changes] [259027] trunk
Title: [259027] trunk
Revision 259027
Author shihchieh_...@apple.com
Date 2020-03-25 18:51:14 -0700 (Wed, 25 Mar 2020)
Log Message
Nullptr crash in WebCore::Node::isDescendantOf when inserting list
https://bugs.webkit.org/show_bug.cgi?id=209529
Reviewed by Darin Adler.
Source/WebCore:
The visible positions may be null if the DOM tree is altered before an edit command is applied.
Add null check for visible positions at the beginning of InsertListCommand::doApply.
Test: editing/inserting/insert-list-during-node-removal-crash.html
* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::doApply):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-list-during-node-removal-crash-expected.txt: Added.
* editing/inserting/insert-list-during-node-removal-crash.html: Added.
Modified Paths
trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/InsertListCommand.cpp
Added Paths
trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt
trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (259026 => 259027)
--- trunk/LayoutTests/ChangeLog 2020-03-26 01:24:05 UTC (rev 259026)
+++ trunk/LayoutTests/ChangeLog 2020-03-26 01:51:14 UTC (rev 259027)
@@ -1,3 +1,16 @@
+2020-03-25 Jack Lee
+
+Nullptr crash in WebCore::Node::isDescendantOf when inserting list
+https://bugs.webkit.org/show_bug.cgi?id=209529
+
+
+Reviewed by Darin Adler.
+
+Added a regression test for the crash.
+
+* editing/inserting/insert-list-during-node-removal-crash-expected.txt: Added.
+* editing/inserting/insert-list-during-node-removal-crash.html: Added.
+
2020-03-25 Alexey Shvayka
Invalid numeric and named references should be early syntax errors
Added: trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt (0 => 259027)
--- trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt 2020-03-26 01:51:14 UTC (rev 259027)
@@ -0,0 +1 @@
+Tests inserting list during node removal. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html (0 => 259027)
--- trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html 2020-03-26 01:51:14 UTC (rev 259027)
@@ -0,0 +1,23 @@
+
+if (window.testRunner) {
+testRunner.dumpAsText();
+testRunner.waitUntilDone();
+}
+
+function DomNodeEventHandler() {
+document.execCommand("insertOrderedList", false);
+requestAnimationFrame(function () {
+document.body.innerHTML = " Tests inserting list during node removal. The test passes if WebKit doesn't crash or hit an assertion.
";
+if (window.testRunner) {
+testRunner.notifyDone();
+}
+});
+}
+
+window._onload_ = () => {
+TD.addEventListener("DOMNodeRemovedFromDocument", DomNodeEventHandler);
+document.execCommand("selectAll", false);
+window.getSelection().deleteFromDocument();
+}
+
+a
Modified: trunk/Source/WebCore/ChangeLog (259026 => 259027)
--- trunk/Source/WebCore/ChangeLog 2020-03-26 01:24:05 UTC (rev 259026)
+++ trunk/Source/WebCore/ChangeLog 2020-03-26 01:51:14 UTC (rev 259027)
@@ -1,3 +1,19 @@
+2020-03-25 Jack Lee
+
+Nullptr crash in WebCore::Node::isDescendantOf when inserting list
+https://bugs.webkit.org/show_bug.cgi?id=209529
+
+
+Reviewed by Darin Adler.
+
+The visible positions may be null if the DOM tree is altered before an edit command is applied.
+Add null check for visible positions at the beginning of InsertListCommand::doApply.
+
+Test: editing/inserting/insert-list-during-node-removal-crash.html
+
+* editing/InsertListCommand.cpp:
+(WebCore::InsertListCommand::doApply):
+
2020-03-25 Alexey Shvayka
Invalid numeric and named references should be early syntax errors
Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (259026 => 259027)
--- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-03-26 01:24:05 UTC (rev 259026)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-03-26 01:51:14 UTC (rev 259027)
@@ -112,12 +112,13 @@
void InsertListCommand::doApply()
{
-if (endingSelection().isNoneOrOrphaned() || !endingSelection().isContentRichlyEditable())
+VisiblePosition visibleEnd = endingSelection().visibleEnd();
+VisiblePosition visibleStart = endingSelection().visibleStart();
+
+if (visibleEnd.isNull() || visibleStart.isN
