[webkit-changes] [263564] trunk
Title: [263564] trunk Revision 263564 Author shihchieh_...@apple.com Date 2020-06-26 09:44:31 -0700 (Fri, 26 Jun 2020) Log Message ASSERTION FAILED: (it != m_map.end()) in TreeScopeOrderedMap::remove https://bugs.webkit.org/show_bug.cgi?id=213611 Reviewed by Geoffrey Garen. Source/WebCore: In function HTMLImageElement::parseAttribute(), empty name attribute is considered valid which makes the function skip handling of subsequent name changes. Modified the check of name attribute so only non-empty name is considered valid. This code change is to match . Test: fast/images/img-change-name-assert.html * html/HTMLImageElement.cpp: (WebCore::HTMLImageElement::parseAttribute): LayoutTests: Added a regression test for the crash. * fast/images/img-change-name-assert-expected.txt: Added. * fast/images/img-change-name-assert.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/html/HTMLImageElement.cpp Added Paths trunk/LayoutTests/fast/images/img-change-name-assert-expected.txt trunk/LayoutTests/fast/images/img-change-name-assert.html Diff Modified: trunk/LayoutTests/ChangeLog (263563 => 263564) --- trunk/LayoutTests/ChangeLog 2020-06-26 16:41:15 UTC (rev 263563) +++ trunk/LayoutTests/ChangeLog 2020-06-26 16:44:31 UTC (rev 263564) @@ -1,3 +1,16 @@ +2020-06-26 Jack Lee + +ASSERTION FAILED: (it != m_map.end()) in TreeScopeOrderedMap::remove +https://bugs.webkit.org/show_bug.cgi?id=213611 + + +Reviewed by Geoffrey Garen. + +Added a regression test for the crash. + +* fast/images/img-change-name-assert-expected.txt: Added. +* fast/images/img-change-name-assert.html: Added. + 2020-06-26 Karl Rackler Remove expectation for http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html and http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html as they are passing. Added: trunk/LayoutTests/fast/images/img-change-name-assert-expected.txt (0 => 263564) --- trunk/LayoutTests/fast/images/img-change-name-assert-expected.txt (rev 0) +++ trunk/LayoutTests/fast/images/img-change-name-assert-expected.txt 2020-06-26 16:44:31 UTC (rev 263564) @@ -0,0 +1 @@ +"Tests changing name of an image element. The test passes if WebKit doesn't crash or hit an ssertion." Added: trunk/LayoutTests/fast/images/img-change-name-assert.html (0 => 263564) --- trunk/LayoutTests/fast/images/img-change-name-assert.html (rev 0) +++ trunk/LayoutTests/fast/images/img-change-name-assert.html 2020-06-26 16:44:31 UTC (rev 263564) @@ -0,0 +1,8 @@ +"Tests changing name of an image element. The test passes if WebKit doesn't crash or hit an ssertion." + +if (window.testRunner) +testRunner.dumpAsText(); + +img.name = "new name"; +img.remove(); + Modified: trunk/Source/WebCore/ChangeLog (263563 => 263564) --- trunk/Source/WebCore/ChangeLog 2020-06-26 16:41:15 UTC (rev 263563) +++ trunk/Source/WebCore/ChangeLog 2020-06-26 16:44:31 UTC (rev 263564) @@ -1,3 +1,21 @@ +2020-06-26 Jack Lee + +ASSERTION FAILED: (it != m_map.end()) in TreeScopeOrderedMap::remove +https://bugs.webkit.org/show_bug.cgi?id=213611 + + +Reviewed by Geoffrey Garen. + +In function HTMLImageElement::parseAttribute(), empty name attribute is considered valid +which makes the function skip handling of subsequent name changes. Modified the check of +name attribute so only non-empty name is considered valid. This code change is to match +. + +Test: fast/images/img-change-name-assert.html + +* html/HTMLImageElement.cpp: +(WebCore::HTMLImageElement::parseAttribute): + 2020-06-26 Sihui Liu Text manipulation should observe adjacent elements with new renderer together Modified: trunk/Source/WebCore/html/HTMLImageElement.cpp (263563 => 263564) --- trunk/Source/WebCore/html/HTMLImageElement.cpp 2020-06-26 16:41:15 UTC (rev 263563) +++ trunk/Source/WebCore/html/HTMLImageElement.cpp 2020-06-26 16:44:31 UTC (rev 263564) @@ -295,7 +295,7 @@ loadDeferredImage(); } else { if (name == nameAttr) { -bool willHaveName = !value.isNull(); +bool willHaveName = !value.isEmpty(); if (m_hadNameBeforeAttributeChanged != willHaveName && isConnected() && !isInShadowTree() && is(document())) { HTMLDocument& document = downcast(this->document()); const AtomString& id = getIdAttribute(); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [262593] trunk
Title: [262593] trunk Revision 262593 Author shihchieh_...@apple.com Date 2020-06-04 20:37:14 -0700 (Thu, 04 Jun 2020) Log Message Nullptr crash in DeleteSelectionCommand::doApply() when ending position is disconnected. https://bugs.webkit.org/show_bug.cgi?id=212723 Reviewed by Geoffrey Garen. Source/WebCore: In this test case, while merging paragraphs after deleting a text element, we need call removeNodeAndPruneAncestors() to remove a BR node. However, the ancestor of BR is also removed. Later we try to insert a node at the parent of the removed ancestor in function DeleteSelectionCommand::doApply(). For now we just check the parentless inserting position and bail out. The proper fix should be re-designing removeNodeAndPruneAncestors() or select a different inserting position after removeNodeAndPruneAncestors() is called. Test: editing/deleting/delete-txt-in-dl-crash.html * editing/DeleteSelectionCommand.cpp: (WebCore::DeleteSelectionCommand::doApply): LayoutTests: Added a regression test for the crash. * editing/deleting/delete-txt-in-dl-crash-expected.txt: Added. * editing/deleting/delete-txt-in-dl-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp Added Paths trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash-expected.txt trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (262592 => 262593) --- trunk/LayoutTests/ChangeLog 2020-06-05 03:28:46 UTC (rev 262592) +++ trunk/LayoutTests/ChangeLog 2020-06-05 03:37:14 UTC (rev 262593) @@ -1,3 +1,16 @@ +2020-06-04 Jack Lee + +Nullptr crash in DeleteSelectionCommand::doApply() when ending position is disconnected. +https://bugs.webkit.org/show_bug.cgi?id=212723 + + +Reviewed by Geoffrey Garen. + +Added a regression test for the crash. + +* editing/deleting/delete-txt-in-dl-crash-expected.txt: Added. +* editing/deleting/delete-txt-in-dl-crash.html: Added. + 2020-06-04 Simon Fraser [ Mojave wk2 Debug ] fast/scrolling/mac/scrollbars/select-overlay-scrollbar-hovered.html is flaky failing and flaky timing out. Added: trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash-expected.txt (0 => 262593) --- trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash-expected.txt (rev 0) +++ trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash-expected.txt 2020-06-05 03:37:14 UTC (rev 262593) @@ -0,0 +1 @@ +Tests deleting text in description list. The test passes if WebKit doesn't crash or hit an ssertion. Added: trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash.html (0 => 262593) --- trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash.html (rev 0) +++ trunk/LayoutTests/editing/deleting/delete-txt-in-dl-crash.html 2020-06-05 03:37:14 UTC (rev 262593) @@ -0,0 +1,10 @@ + +a + +if (window.testRunner) +testRunner.dumpAsText(); + +window.getSelection().setPosition(dt); +document.execCommand("delete", false); +document.body.innerText = "Tests deleting text in description list. The test passes if WebKit doesn't crash or hit an ssertion."; + Modified: trunk/Source/WebCore/ChangeLog (262592 => 262593) --- trunk/Source/WebCore/ChangeLog 2020-06-05 03:28:46 UTC (rev 262592) +++ trunk/Source/WebCore/ChangeLog 2020-06-05 03:37:14 UTC (rev 262593) @@ -1,3 +1,23 @@ +2020-06-04 Jack Lee + +Nullptr crash in DeleteSelectionCommand::doApply() when ending position is disconnected. +https://bugs.webkit.org/show_bug.cgi?id=212723 + + +Reviewed by Geoffrey Garen. + +In this test case, while merging paragraphs after deleting a text element, we need call removeNodeAndPruneAncestors() +to remove a BR node. However, the ancestor of BR is also removed. Later we try to insert a node at the parent of the +removed ancestor in function DeleteSelectionCommand::doApply(). + +For now we just check the parentless inserting position and bail out. The proper fix should be re-designing +removeNodeAndPruneAncestors() or select a different inserting position after removeNodeAndPruneAncestors() is called. + +Test: editing/deleting/delete-txt-in-dl-crash.html + +* editing/DeleteSelectionCommand.cpp: +(WebCore::DeleteSelectionCommand::doApply): + 2020-06-04 Ross Kirsling [PlayStation] Unreviewed revert of build fix. Missing include was not the cause. Modified: trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp (262592 => 262593) --- trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2020-06-05 03:28:46 UTC (rev 262592) +++ trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2020-06-05 03:37:14 UTC (rev 262593) @@ -943,6 +943,13 @@ if (m_needPlaceholder) { if (m_sanitizeMarkup) removeRedundantBlocks();
[webkit-changes] [262103] trunk/Source/WebCore
Title: [262103] trunk/Source/WebCore Revision 262103 Author shihchieh_...@apple.com Date 2020-05-23 13:13:57 -0700 (Sat, 23 May 2020) Log Message ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder https://bugs.webkit.org/show_bug.cgi?id=212163 Unreviewed. Improve readability. Replace comments with curly brackets for scoping. * dom/Document.cpp: (WebCore::Document::updateRenderTree): Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/dom/Document.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (262102 => 262103) --- trunk/Source/WebCore/ChangeLog 2020-05-23 19:47:51 UTC (rev 262102) +++ trunk/Source/WebCore/ChangeLog 2020-05-23 20:13:57 UTC (rev 262103) @@ -1,3 +1,13 @@ +2020-05-23 Jack Lee + +ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder +https://bugs.webkit.org/show_bug.cgi?id=212163 + +Unreviewed. Improve readability. Replace comments with curly brackets for scoping. + +* dom/Document.cpp: +(WebCore::Document::updateRenderTree): + 2020-05-23 Zalan Bujtas [LFC][TFC] Maximum constraint of a cell should never be smaller than the minimum width Modified: trunk/Source/WebCore/dom/Document.cpp (262102 => 262103) --- trunk/Source/WebCore/dom/Document.cpp 2020-05-23 19:47:51 UTC (rev 262102) +++ trunk/Source/WebCore/dom/Document.cpp 2020-05-23 20:13:57 UTC (rev 262103) @@ -1924,13 +1924,14 @@ { ASSERT(!inRenderTreeUpdate()); -// NOTE: Preserve the order of definitions below so the destructors are called in proper sequence. Style::PostResolutionCallbackDisabler callbackDisabler(*this); -SetForScope inRenderTreeUpdate(m_inRenderTreeUpdate, true); -RenderTreeUpdater updater(*this, callbackDisabler); -// End of ordered definitions - -updater.commit(WTFMove(styleUpdate)); +{ +SetForScope inRenderTreeUpdate(m_inRenderTreeUpdate, true); +{ +RenderTreeUpdater updater(*this, callbackDisabler); +updater.commit(WTFMove(styleUpdate)); +} +} } void Document::resolveStyle(ResolveStyleType type) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [262095] trunk
Title: [262095] trunk Revision 262095 Author shihchieh_...@apple.com Date 2020-05-22 22:53:52 -0700 (Fri, 22 May 2020) Log Message ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder https://bugs.webkit.org/show_bug.cgi?id=212163 Reviewed by Geoffrey Garen. Source/WebCore: Calling ~PostResolutionCallbackDisabler() before completing render tree updating and releasing RenderTreeBuilder triggers this assertion. Therefore we added a utility function "updateRenderTree" in which PostResolutionCallback is delayed until RenderTreeUpdater is released and m_inRenderTreeUpdate is cleared. Test: fast/rendering/nested-render-tree-update-crash.html * Headers.cmake: * WebCore.xcodeproj/project.pbxproj: * dom/Document.cpp: (WebCore::Document::updateRenderTree): (WebCore::Document::resolveStyle): (WebCore::Document::updateTextRenderer): * dom/Document.h: * rendering/updating/RenderTreeUpdater.cpp: (WebCore::RenderTreeUpdater::RenderTreeUpdater): (WebCore::RenderTreeUpdater::commit): * rendering/updating/RenderTreeUpdater.h: LayoutTests: Added a regression test for the crash. * fast/rendering/nested-render-tree-update-crash-expected.txt: Added. * fast/rendering/nested-render-tree-update-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Headers.cmake trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj trunk/Source/WebCore/dom/Document.cpp trunk/Source/WebCore/dom/Document.h trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.h Added Paths trunk/LayoutTests/fast/rendering/ trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash-expected.txt trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (262094 => 262095) --- trunk/LayoutTests/ChangeLog 2020-05-23 04:23:48 UTC (rev 262094) +++ trunk/LayoutTests/ChangeLog 2020-05-23 05:53:52 UTC (rev 262095) @@ -1,3 +1,16 @@ +2020-05-22 Jack Lee + +ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder +https://bugs.webkit.org/show_bug.cgi?id=212163 + + +Reviewed by Geoffrey Garen. + +Added a regression test for the crash. + +* fast/rendering/nested-render-tree-update-crash-expected.txt: Added. +* fast/rendering/nested-render-tree-update-crash.html: Added. + 2020-05-22 Zalan Bujtas Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when parent and beforeChild are siblings Added: trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash-expected.txt (0 => 262095) --- trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash-expected.txt (rev 0) +++ trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash-expected.txt 2020-05-23 05:53:52 UTC (rev 262095) @@ -0,0 +1 @@ +Tests nested render tree update. The test passes if WebKit doesn't crash or hit an assertion. Added: trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash.html (0 => 262095) --- trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash.html (rev 0) +++ trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash.html 2020-05-23 05:53:52 UTC (rev 262095) @@ -0,0 +1,13 @@ + +function run() { +if (window.testRunner) +testRunner.dumpAsText(); + +obj = document.createElement("object"); +li.appendChild(obj); +svg.currentScale = 0.99; +obj.data = "" 82) +ff.setAttribute("direction", "rtl"); +} + + Modified: trunk/Source/WebCore/ChangeLog (262094 => 262095) --- trunk/Source/WebCore/ChangeLog 2020-05-23 04:23:48 UTC (rev 262094) +++ trunk/Source/WebCore/ChangeLog 2020-05-23 05:53:52 UTC (rev 262095) @@ -1,3 +1,29 @@ +2020-05-22 Jack Lee + +ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder +https://bugs.webkit.org/show_bug.cgi?id=212163 + + +Reviewed by Geoffrey Garen. + +Calling ~PostResolutionCallbackDisabler() before completing render tree updating and releasing RenderTreeBuilder +triggers this assertion. Therefore we added a utility function "updateRenderTree" in which PostResolutionCallback +is delayed until RenderTreeUpdater is released and m_inRenderTreeUpdate is cleared. + +Test: fast/rendering/nested-render-tree-update-crash.html + +* Headers.cmake: +* WebCore.xcodeproj/project.pbxproj: +* dom/Document.cpp: +(WebCore::Document::updateRenderTree): +(WebCore::Document::resolveStyle): +(WebCore::Document::updateTextRenderer): +* dom/Document.h: +* rendering/updating/RenderTreeUpdater.cpp: +(WebCore::RenderTreeUpdater::RenderTreeUpdater): +(WebCore::RenderTreeUpdater::com
[webkit-changes] [261777] trunk
Title: [261777] trunk Revision 261777 Author shihchieh_...@apple.com Date 2020-05-15 21:09:51 -0700 (Fri, 15 May 2020) Log Message Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands. https://bugs.webkit.org/show_bug.cgi?id=211964 Reviewed by Geoffrey Garen. Source/WebCore: Load event may fire in fixOrphanedListChild() and change the node tree. In doApplyForSingleParagraph check for disconnected node returned by fixOrphanedListChild() and bail out. Test: editing/inserting/nested-list-insertion-crash.html * editing/InsertListCommand.cpp: (WebCore::InsertListCommand::doApplyForSingleParagraph): LayoutTests: Added a regression test for the crash. * editing/inserting/nested-list-insertion-crash-expected.txt: Added. * editing/inserting/nested-list-insertion-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/InsertListCommand.cpp Added Paths trunk/LayoutTests/editing/inserting/nested-list-insertion-crash-expected.txt trunk/LayoutTests/editing/inserting/nested-list-insertion-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (261776 => 261777) --- trunk/LayoutTests/ChangeLog 2020-05-16 03:45:59 UTC (rev 261776) +++ trunk/LayoutTests/ChangeLog 2020-05-16 04:09:51 UTC (rev 261777) @@ -1,3 +1,16 @@ +2020-05-15 Jack Lee + +Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands. +https://bugs.webkit.org/show_bug.cgi?id=211964 + + +Reviewed by Geoffrey Garen. + +Added a regression test for the crash. + +* editing/inserting/nested-list-insertion-crash-expected.txt: Added. +* editing/inserting/nested-list-insertion-crash.html: Added. + 2020-05-15 Simon Fraser REGRESSION (r249091): Can't click on a video in the second column of a paginated web view Added: trunk/LayoutTests/editing/inserting/nested-list-insertion-crash-expected.txt (0 => 261777) --- trunk/LayoutTests/editing/inserting/nested-list-insertion-crash-expected.txt (rev 0) +++ trunk/LayoutTests/editing/inserting/nested-list-insertion-crash-expected.txt 2020-05-16 04:09:51 UTC (rev 261777) @@ -0,0 +1,3 @@ +Test nested list insertion. The test passes if WebKit doesn't crash or hit an assertion. + + Added: trunk/LayoutTests/editing/inserting/nested-list-insertion-crash.html (0 => 261777) --- trunk/LayoutTests/editing/inserting/nested-list-insertion-crash.html (rev 0) +++ trunk/LayoutTests/editing/inserting/nested-list-insertion-crash.html 2020-05-16 04:09:51 UTC (rev 261777) @@ -0,0 +1,10 @@ + +if (window.testRunner) +testRunner.dumpAsText(); + +function run() { +window.getSelection().setPosition(li,1); +document.execCommand("insertUnorderedList", false); +} + +Test nested list insertion. The test passes if WebKit doesn't crash or hit an assertion. Modified: trunk/Source/WebCore/ChangeLog (261776 => 261777) --- trunk/Source/WebCore/ChangeLog 2020-05-16 03:45:59 UTC (rev 261776) +++ trunk/Source/WebCore/ChangeLog 2020-05-16 04:09:51 UTC (rev 261777) @@ -1,3 +1,19 @@ +2020-05-15 Jack Lee + +Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands. +https://bugs.webkit.org/show_bug.cgi?id=211964 + + +Reviewed by Geoffrey Garen. + +Load event may fire in fixOrphanedListChild() and change the node tree. In doApplyForSingleParagraph check for +disconnected node returned by fixOrphanedListChild() and bail out. + +Test: editing/inserting/nested-list-insertion-crash.html + +* editing/InsertListCommand.cpp: +(WebCore::InsertListCommand::doApplyForSingleParagraph): + 2020-05-15 Alex Christensen Use enum serialization instead of casting to/from uint32_t Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (261776 => 261777) --- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-05-16 03:45:59 UTC (rev 261776) +++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-05-16 04:09:51 UTC (rev 261777) @@ -213,7 +213,7 @@ RefPtr listNode = enclosingList(listChildNode); if (!listNode) { RefPtr listElement = fixOrphanedListChild(*listChildNode); -if (!listElement) +if (!listElement || !listElement->isConnected()) return; listNode = mergeWithNeighboringLists(*listElement); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [261666] trunk
Title: [261666] trunk Revision 261666 Author shihchieh_...@apple.com Date 2020-05-13 17:45:45 -0700 (Wed, 13 May 2020) Log Message Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable https://bugs.webkit.org/show_bug.cgi?id=211864 Reviewed by Geoffrey Garen. Source/WebCore: The position returned by positionAvoidingSpecialElementBoundary() is uneditable so we need to check for uneditable insertion position and bail out before calling insertNodeAt to avoid assertion. Test: editing/inserting/insert-img-uneditable-canonical-position-crash.html * editing/InsertParagraphSeparatorCommand.cpp: (WebCore::InsertParagraphSeparatorCommand::doApply): LayoutTests: Added a regression test for the crash. * editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt: Added. * editing/inserting/insert-img-uneditable-canonical-position-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp Added Paths trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (261665 => 261666) --- trunk/LayoutTests/ChangeLog 2020-05-14 00:35:40 UTC (rev 261665) +++ trunk/LayoutTests/ChangeLog 2020-05-14 00:45:45 UTC (rev 261666) @@ -1,5 +1,18 @@ 2020-05-13 Jack Lee +Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable +https://bugs.webkit.org/show_bug.cgi?id=211864 + + +Reviewed by Geoffrey Garen. + +Added a regression test for the crash. + +* editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt: Added. +* editing/inserting/insert-img-uneditable-canonical-position-crash.html: Added. + +2020-05-13 Jack Lee + Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected. https://bugs.webkit.org/show_bug.cgi?id=211793 Added: trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt (0 => 261666) --- trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt 2020-05-14 00:45:45 UTC (rev 261666) @@ -0,0 +1 @@ +Tests inserting paragraph separator when an editable canonical position is not found. The test passes if WebKit doesn't crash or hit an ssertion. Added: trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash.html (0 => 261666) --- trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash.html (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash.html 2020-05-14 00:45:45 UTC (rev 261666) @@ -0,0 +1,10 @@ + + +if (window.testRunner) +testRunner.dumpAsText(); +hr1.appendChild(span_copy); +input.setSelectionRange(-1,67); +hr2.appendChild(span_copy); +document.execCommand("insertImage", "#foo"); +document.body.innerText = "Tests inserting paragraph separator when an editable canonical position is not found. The test passes if WebKit doesn't crash or hit an ssertion."; + Modified: trunk/Source/WebCore/ChangeLog (261665 => 261666) --- trunk/Source/WebCore/ChangeLog 2020-05-14 00:35:40 UTC (rev 261665) +++ trunk/Source/WebCore/ChangeLog 2020-05-14 00:45:45 UTC (rev 261666) @@ -1,5 +1,21 @@ 2020-05-13 Jack Lee +Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable +https://bugs.webkit.org/show_bug.cgi?id=211864 + + +Reviewed by Geoffrey Garen. + +The position returned by positionAvoidingSpecialElementBoundary() is uneditable so we need to +check for uneditable insertion position and bail out before calling insertNodeAt to avoid assertion. + +Test: editing/inserting/insert-img-uneditable-canonical-position-crash.html + +* editing/InsertParagraphSeparatorCommand.cpp: +(WebCore::InsertParagraphSeparatorCommand::doApply): + +2020-05-13 Jack Lee + Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected. https://bugs.webkit.org/show_bug.cgi?id=211793 Modified: trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp (261665 => 261666) --- trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp 2020-05-14 00:35:40 UTC (rev 261665) +++ trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp 2020-05-14 00:45:45 UTC (rev 261666) @@ -300,6 +300,10 @@ // it if visiblePos is at the start of a paragraph so that the // content will move down a
[webkit-changes] [261664] trunk
Title: [261664] trunk Revision 261664 Author shihchieh_...@apple.com Date 2020-05-13 17:21:50 -0700 (Wed, 13 May 2020) Log Message Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected. https://bugs.webkit.org/show_bug.cgi?id=211793 Reviewed by Geoffrey Garen. Source/WebCore: Check for disconnected merge destination and endingSelection() after mergeParagraph is Called and bail out to avoid using corrupted positions for node insertion. Test: editing/inserting/insert-text-merge-node-removed-crash.html * editing/CompositeEditCommand.cpp: (WebCore::CompositeEditCommand::moveParagraphs): * editing/DeleteSelectionCommand.cpp: (WebCore::DeleteSelectionCommand::mergeParagraphs): LayoutTests: Added a regression test for the crash. * editing/inserting/insert-text-merge-node-removed-crash-expected.txt: Added. * editing/inserting/insert-text-merge-node-removed-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/CompositeEditCommand.cpp trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp Added Paths trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash-expected.txt trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (261663 => 261664) --- trunk/LayoutTests/ChangeLog 2020-05-13 23:28:34 UTC (rev 261663) +++ trunk/LayoutTests/ChangeLog 2020-05-14 00:21:50 UTC (rev 261664) @@ -1,3 +1,16 @@ +2020-05-13 Jack Lee + +Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected. +https://bugs.webkit.org/show_bug.cgi?id=211793 + + +Reviewed by Geoffrey Garen. + +Added a regression test for the crash. + +* editing/inserting/insert-text-merge-node-removed-crash-expected.txt: Added. +* editing/inserting/insert-text-merge-node-removed-crash.html: Added. + 2020-05-13 Said Abou-Hallawa Enable the 'OutsideViewport' rAF throttling Added: trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash-expected.txt (0 => 261664) --- trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash-expected.txt (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash-expected.txt 2020-05-14 00:21:50 UTC (rev 261664) @@ -0,0 +1 @@ +Tests inserting text when merge node is removed. The test passes if WebKit doesn't crash or hit an ssertion. Added: trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash.html (0 => 261664) --- trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash.html (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-text-merge-node-removed-crash.html 2020-05-14 00:21:50 UTC (rev 261664) @@ -0,0 +1,9 @@ + + +if (window.testRunner) +testRunner.dumpAsText(); + +document.execCommand("selectAll", false); +document.execCommand("insertText", "text"); +document.body.innerText = "Tests inserting text when merge node is removed. The test passes if WebKit doesn't crash or hit an ssertion."; + Modified: trunk/Source/WebCore/ChangeLog (261663 => 261664) --- trunk/Source/WebCore/ChangeLog 2020-05-13 23:28:34 UTC (rev 261663) +++ trunk/Source/WebCore/ChangeLog 2020-05-14 00:21:50 UTC (rev 261664) @@ -1,3 +1,21 @@ +2020-05-13 Jack Lee + +Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected. +https://bugs.webkit.org/show_bug.cgi?id=211793 + + +Reviewed by Geoffrey Garen. + +Check for disconnected merge destination and endingSelection() after mergeParagraph is +Called and bail out to avoid using corrupted positions for node insertion. + +Test: editing/inserting/insert-text-merge-node-removed-crash.html + +* editing/CompositeEditCommand.cpp: +(WebCore::CompositeEditCommand::moveParagraphs): +* editing/DeleteSelectionCommand.cpp: +(WebCore::DeleteSelectionCommand::mergeParagraphs): + 2020-05-13 Said Abou-Hallawa Re-enable 'OutsideViewport' rAF throttling Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (261663 => 261664) --- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-13 23:28:34 UTC (rev 261663) +++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-14 00:21:50 UTC (rev 261664) @@ -1476,8 +1476,11 @@ ASSERT(destination.deepEquivalent().anchorNode()->isConnected()); cleanupAfterDeletion(destination); -ASSERT(destination.deepEquivalent().anchorNode()->isConnected()); +// FIXME (Bug 211793): We should redesign cleanupAfterDeletion or find another destination when it is removed. +if (!destination.deepEquivalent().anchorNode()->isConnected()) +return; + // Add a br if pruning an empty block level element caused a collapse. For example: // foo^ // b
[webkit-changes] [261434] trunk
Title: [261434] trunk Revision 261434 Author shihchieh_...@apple.com Date 2020-05-09 01:07:27 -0700 (Sat, 09 May 2020) Log Message Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters https://bugs.webkit.org/show_bug.cgi?id=211658 Reviewed by Ryosuke Niwa. Source/WebCore: Added check for null LegacyWebArchive in LegacyWebArchive::createFromSelection. Return nullptr when creation fails. Test: webarchive/copy-surrogate-char-crash.html * loader/archive/cf/LegacyWebArchive.cpp: (WebCore::LegacyWebArchive::createFromSelection): LayoutTests: Added a regression test for the crash. * webarchive/copy-surrogate-char-crash-expected.txt: Added. * webarchive/copy-surrogate-char-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp Added Paths trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (261433 => 261434) --- trunk/LayoutTests/ChangeLog 2020-05-09 07:00:41 UTC (rev 261433) +++ trunk/LayoutTests/ChangeLog 2020-05-09 08:07:27 UTC (rev 261434) @@ -1,3 +1,16 @@ +2020-05-09 Jack Lee + +Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters +https://bugs.webkit.org/show_bug.cgi?id=211658 + + +Reviewed by Ryosuke Niwa. + +Added a regression test for the crash. + +* webarchive/copy-surrogate-char-crash-expected.txt: Added. +* webarchive/copy-surrogate-char-crash.html: Added. + 2020-05-08 Diego Pino Garcia [GTK] Gardening, update expectations after revert of r261341 and r261392 Added: trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt (0 => 261434) --- trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt (rev 0) +++ trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt 2020-05-09 08:07:27 UTC (rev 261434) @@ -0,0 +1 @@ +"Tests copying selected range that contains surrogate characters. The test passes if WebKit doesn't crash or hit an ssertion." Added: trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html (0 => 261434) --- trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html (rev 0) +++ trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html 2020-05-09 08:07:27 UTC (rev 261434) @@ -0,0 +1,11 @@ +"Tests copying selected range that contains surrogate characters. The test passes if WebKit doesn't crash or hit an ssertion." + +if (window.testRunner) +testRunner.dumpAsText(); + +span.offsetParent.before(document.createElement("frameset")); +span.prepend("\ud800"); +document.execCommand("selectAll", true); +document.execCommand("copy", true); +document.getElementById("span").remove(); + Modified: trunk/Source/WebCore/ChangeLog (261433 => 261434) --- trunk/Source/WebCore/ChangeLog 2020-05-09 07:00:41 UTC (rev 261433) +++ trunk/Source/WebCore/ChangeLog 2020-05-09 08:07:27 UTC (rev 261434) @@ -1,3 +1,18 @@ +2020-05-09 Jack Lee + +Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters +https://bugs.webkit.org/show_bug.cgi?id=211658 + + +Reviewed by Ryosuke Niwa. + +Added check for null LegacyWebArchive in LegacyWebArchive::createFromSelection. Return nullptr when creation fails. + +Test: webarchive/copy-surrogate-char-crash.html + +* loader/archive/cf/LegacyWebArchive.cpp: +(WebCore::LegacyWebArchive::createFromSelection): + 2020-05-09 Tetsuharu Ohzeki Fix wpt shadow-dom/slots-fallback-in-document.html Modified: trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp (261433 => 261434) --- trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp 2020-05-09 07:00:41 UTC (rev 261433) +++ trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp 2020-05-09 08:07:27 UTC (rev 261434) @@ -605,7 +605,9 @@ builder.append(serializePreservingVisualAppearance(frame->selection().selection(), ResolveURLs::No, serializeComposedTree, &nodeList)); auto archive = create(builder.toString(), *frame, nodeList, nullptr); - +if (!archive) +return nullptr; + if (!document->isFrameSet()) return archive; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [261338] trunk/Source/WebCore
Title: [261338] trunk/Source/WebCore Revision 261338 Author shihchieh_...@apple.com Date 2020-05-07 15:58:14 -0700 (Thu, 07 May 2020) Log Message In Document::willBeRemovedFromFrame, clear FrameSelection before Editor so the selection is removed. https://bugs.webkit.org/show_bug.cgi?id=211551 Reviewed by Geoffrey Garen. Covered by existing tests. * dom/Document.cpp: (WebCore::Document::willBeRemovedFromFrame): Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/dom/Document.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (261337 => 261338) --- trunk/Source/WebCore/ChangeLog 2020-05-07 21:48:13 UTC (rev 261337) +++ trunk/Source/WebCore/ChangeLog 2020-05-07 22:58:14 UTC (rev 261338) @@ -1,3 +1,15 @@ +2020-05-07 Jack Lee + +In Document::willBeRemovedFromFrame, clear FrameSelection before Editor so the selection is removed. +https://bugs.webkit.org/show_bug.cgi?id=211551 + +Reviewed by Geoffrey Garen. + +Covered by existing tests. + +* dom/Document.cpp: +(WebCore::Document::willBeRemovedFromFrame): + 2020-05-07 Antoine Quint [Web Animations] imported/w3c/web-platform-tests/web-animations/timing-model/timelines/update-and-send-events.html is a flaky failure Modified: trunk/Source/WebCore/dom/Document.cpp (261337 => 261338) --- trunk/Source/WebCore/dom/Document.cpp 2020-05-07 21:48:13 UTC (rev 261337) +++ trunk/Source/WebCore/dom/Document.cpp 2020-05-07 22:58:14 UTC (rev 261338) @@ -2596,8 +2596,8 @@ page()->updateIsPlayingMedia(HTMLMediaElementInvalidID); } +selection().willBeRemovedFromFrame(); editor().clear(); -selection().willBeRemovedFromFrame(); detachFromFrame(); #if ENABLE(CSS_PAINTING_API) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [261258] trunk
Title: [261258] trunk Revision 261258 Author shihchieh_...@apple.com Date 2020-05-06 16:16:14 -0700 (Wed, 06 May 2020) Log Message Nullptr crash in indentOutdentCommand::formatRange with asynchronous commands: indent and insert list. https://bugs.webkit.org/show_bug.cgi?id=211466 Reviewed by Geoffrey Garen. Source/WebCore: Check for null outerBlock returned by splitTreeToNode and bail out. Test: fast/editing/indent-then-insertUL-crash.html * editing/IndentOutdentCommand.cpp: (WebCore::IndentOutdentCommand::indentIntoBlockquote): LayoutTests: Added a regression test for the crash. * fast/editing/indent-then-insertUL-crash-expected.txt: Added. * fast/editing/indent-then-insertUL-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/IndentOutdentCommand.cpp Added Paths trunk/LayoutTests/fast/editing/indent-then-insertUL-crash-expected.txt trunk/LayoutTests/fast/editing/indent-then-insertUL-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (261257 => 261258) --- trunk/LayoutTests/ChangeLog 2020-05-06 23:01:06 UTC (rev 261257) +++ trunk/LayoutTests/ChangeLog 2020-05-06 23:16:14 UTC (rev 261258) @@ -1,5 +1,18 @@ 2020-05-06 Jack Lee +Nullptr crash in indentOutdentCommand::formatRange with asynchronous commands: indent and insert list. +https://bugs.webkit.org/show_bug.cgi?id=211466 + + +Reviewed by Geoffrey Garen. + +Added a regression test for the crash. + +* fast/editing/indent-then-insertUL-crash-expected.txt: Added. +* fast/editing/indent-then-insertUL-crash.html: Added. + +2020-05-06 Jack Lee + Nullptr crash in InsertListCommand::doApply with user-select:none elements https://bugs.webkit.org/show_bug.cgi?id=211534 Added: trunk/LayoutTests/fast/editing/indent-then-insertUL-crash-expected.txt (0 => 261258) --- trunk/LayoutTests/fast/editing/indent-then-insertUL-crash-expected.txt (rev 0) +++ trunk/LayoutTests/fast/editing/indent-then-insertUL-crash-expected.txt 2020-05-06 23:16:14 UTC (rev 261258) @@ -0,0 +1 @@ +Tests asynchronous indenting and list insertion commands. The test passes if WebKit doesn't crash or hit an ssertion. Added: trunk/LayoutTests/fast/editing/indent-then-insertUL-crash.html (0 => 261258) --- trunk/LayoutTests/fast/editing/indent-then-insertUL-crash.html (rev 0) +++ trunk/LayoutTests/fast/editing/indent-then-insertUL-crash.html 2020-05-06 23:16:14 UTC (rev 261258) @@ -0,0 +1,21 @@ + +if (window.testRunner) { +testRunner.dumpAsText(); +testRunner.waitUntilDone(); +} + +function run() { +var iframe = document.createElement('iframe'); +iframe.setAttribute("onload", "iframeLoad()"); +select.appendChild(iframe); +document.execCommand("indent", false); +document.body.innerText = "Tests asynchronous indenting and list insertion commands. The test passes if WebKit doesn't crash or hit an ssertion."; +if (window.testRunner) +testRunner.notifyDone(); +} +function iframeLoad() { +document.execCommand("insertUnorderedList", false); +window.getSelection().collapse(select); +} + +ab Modified: trunk/Source/WebCore/ChangeLog (261257 => 261258) --- trunk/Source/WebCore/ChangeLog 2020-05-06 23:01:06 UTC (rev 261257) +++ trunk/Source/WebCore/ChangeLog 2020-05-06 23:16:14 UTC (rev 261258) @@ -1,3 +1,18 @@ +2020-05-06 Jack Lee + +Nullptr crash in indentOutdentCommand::formatRange with asynchronous commands: indent and insert list. +https://bugs.webkit.org/show_bug.cgi?id=211466 + + +Reviewed by Geoffrey Garen. + +Check for null outerBlock returned by splitTreeToNode and bail out. + +Test: fast/editing/indent-then-insertUL-crash.html + +* editing/IndentOutdentCommand.cpp: +(WebCore::IndentOutdentCommand::indentIntoBlockquote): + 2020-05-06 Darin Adler Make a helper for the pattern of ICU functions that may need to be called twice to populate a buffer Modified: trunk/Source/WebCore/editing/IndentOutdentCommand.cpp (261257 => 261258) --- trunk/Source/WebCore/editing/IndentOutdentCommand.cpp 2020-05-06 23:01:06 UTC (rev 261257) +++ trunk/Source/WebCore/editing/IndentOutdentCommand.cpp 2020-05-06 23:16:14 UTC (rev 261258) @@ -106,6 +106,8 @@ RefPtr nodeAfterStart = start.computeNodeAfterPosition(); RefPtr outerBlock = (start.containerNode() == nodeToSplitTo) ? start.containerNode() : splitTreeToNode(*start.containerNode(), *nodeToSplitTo); +if (!outerBlock) +return; VisiblePosition startOfContents = start; if (!targetBlockquote) { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [261255] trunk
Title: [261255] trunk Revision 261255 Author shihchieh_...@apple.com Date 2020-05-06 15:55:30 -0700 (Wed, 06 May 2020) Log Message Nullptr crash in InsertListCommand::doApply with user-select:none elements https://bugs.webkit.org/show_bug.cgi?id=211534 Reviewed by Geoffrey Garen. Source/WebCore: Check for empty position in InsertListCommand::doApply when searching for the start of last paragraph in the selected range. Skip listifying individual paragraphs in the range. Test: editing/inserting/insert-list-user-select-none-crash.html * editing/InsertListCommand.cpp: (WebCore::InsertListCommand::doApply): LayoutTests: Added a regression test for the crash. * editing/inserting/insert-list-user-select-none-crash-expected.txt: Added. * editing/inserting/insert-list-user-select-none-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/InsertListCommand.cpp Added Paths trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash-expected.txt trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (261254 => 261255) --- trunk/LayoutTests/ChangeLog 2020-05-06 22:54:22 UTC (rev 261254) +++ trunk/LayoutTests/ChangeLog 2020-05-06 22:55:30 UTC (rev 261255) @@ -1,3 +1,16 @@ +2020-05-06 Jack Lee + +Nullptr crash in InsertListCommand::doApply with user-select:none elements +https://bugs.webkit.org/show_bug.cgi?id=211534 + + +Reviewed by Geoffrey Garen. + +Added a regression test for the crash. + +* editing/inserting/insert-list-user-select-none-crash-expected.txt: Added. +* editing/inserting/insert-list-user-select-none-crash.html: Added. + 2020-05-06 Ryan Haddad Unreviewed, reverting r261239. Added: trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash-expected.txt (0 => 261255) --- trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash-expected.txt (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash-expected.txt 2020-05-06 22:55:30 UTC (rev 261255) @@ -0,0 +1 @@ +Tests inserting list in paragraphs that have userSelect:none elements. The test passes if WebKit doesn't crash or hit an ssertion. Added: trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash.html (0 => 261255) --- trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash.html (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-list-user-select-none-crash.html 2020-05-06 22:55:30 UTC (rev 261255) @@ -0,0 +1,14 @@ + +span { -webkit-user-select: all; } +a { -webkit-user-select: none; } + +a + +if (window.testRunner) +testRunner.dumpAsText(); + +body.appendChild(canvas); +document.execCommand("selectAll", false); +document.execCommand("insertOrderedList", false); +document.body.innerText = "Tests inserting list in paragraphs that have userSelect:none elements. The test passes if WebKit doesn't crash or hit an ssertion."; + Modified: trunk/Source/WebCore/ChangeLog (261254 => 261255) --- trunk/Source/WebCore/ChangeLog 2020-05-06 22:54:22 UTC (rev 261254) +++ trunk/Source/WebCore/ChangeLog 2020-05-06 22:55:30 UTC (rev 261255) @@ -1,3 +1,19 @@ +2020-05-06 Jack Lee + +Nullptr crash in InsertListCommand::doApply with user-select:none elements +https://bugs.webkit.org/show_bug.cgi?id=211534 + + +Reviewed by Geoffrey Garen. + +Check for empty position in InsertListCommand::doApply when searching for the start of +last paragraph in the selected range. Skip listifying individual paragraphs in the range. + +Test: editing/inserting/insert-list-user-select-none-crash.html + +* editing/InsertListCommand.cpp: +(WebCore::InsertListCommand::doApply): + 2020-05-06 Ryan Haddad Unreviewed, reverting r261239. Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (261254 => 261255) --- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-05-06 22:54:22 UTC (rev 261254) +++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-05-06 22:55:30 UTC (rev 261255) @@ -140,12 +140,12 @@ VisiblePosition endOfSelection = selection.visibleEnd(); VisiblePosition startOfLastParagraph = startOfParagraph(endOfSelection, CanSkipOverEditingBoundary); -if (startOfParagraph(startOfSelection, CanSkipOverEditingBoundary) != startOfLastParagraph) { +if (startOfLastParagraph.isNotNull() && startOfParagraph(startOfSelection, CanSkipOverEditingBoundary) != startOfLastParagraph) { bool forceCreateList = !selectionHasListOfType(selection, listTag); auto currentSelection = createLiveRange(endingSelection().firstRange()); VisiblePosition startOfCurrentParagraph = startOfSelection; -
[webkit-changes] [261126] trunk
Title: [261126] trunk Revision 261126 Author shihchieh_...@apple.com Date 2020-05-04 16:55:06 -0700 (Mon, 04 May 2020) Log Message Nullptr crash in CompositeEditCommand::moveParagraphs when changing style on elements that are user-select:none and dir:rtl. https://bugs.webkit.org/show_bug.cgi?id=211206 Reviewed by Geoffrey Garen. Source/WebCore: In function moveParagraphs check if the destination is an empty position and bail out before moving the paragraphs. Test: fast/editing/justify-user-select-none-dir-rtl-crash.html * editing/CompositeEditCommand.cpp: (WebCore::CompositeEditCommand::moveParagraphs): LayoutTests: Added a regression test for the crash. * fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt: Added. * fast/editing/justify-user-select-none-dir-rtl-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/CompositeEditCommand.cpp Added Paths trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (261125 => 261126) --- trunk/LayoutTests/ChangeLog 2020-05-04 23:37:44 UTC (rev 261125) +++ trunk/LayoutTests/ChangeLog 2020-05-04 23:55:06 UTC (rev 261126) @@ -1,3 +1,17 @@ +2020-05-04 Jack Lee + +Nullptr crash in CompositeEditCommand::moveParagraphs when changing style on elements that are +user-select:none and dir:rtl. +https://bugs.webkit.org/show_bug.cgi?id=211206 + + +Reviewed by Geoffrey Garen. + +Added a regression test for the crash. + +* fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt: Added. +* fast/editing/justify-user-select-none-dir-rtl-crash.html: Added. + 2020-05-04 Jason Lawrence [ iPadOS wk2 ] editing/selection/selection-change-in-mutation-event-by-remove-children.html is timing out. Added: trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt (0 => 261126) --- trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt (rev 0) +++ trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash-expected.txt 2020-05-04 23:55:06 UTC (rev 261126) @@ -0,0 +1 @@ +Test editing a paragraph that is user-select:none and dir:rtl. The test passes if WebKit doesn't crash or hit an assertion. Added: trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash.html (0 => 261126) --- trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash.html (rev 0) +++ trunk/LayoutTests/fast/editing/justify-user-select-none-dir-rtl-crash.html 2020-05-04 23:55:06 UTC (rev 261126) @@ -0,0 +1,14 @@ +a + +if (window.testRunner) { +testRunner.dumpAsText(); +testRunner.waitUntilDone(); +} + +window.getSelection().selectAllChildren(q); +document.execCommand("justifyLeft", false); +document.body.innerText = "Test editing a paragraph that is user-select:none and dir:rtl. The test passes if WebKit doesn't crash or hit an assertion."; + +if (window.testRunner) +testRunner.notifyDone(); + Modified: trunk/Source/WebCore/ChangeLog (261125 => 261126) --- trunk/Source/WebCore/ChangeLog 2020-05-04 23:37:44 UTC (rev 261125) +++ trunk/Source/WebCore/ChangeLog 2020-05-04 23:55:06 UTC (rev 261126) @@ -1,3 +1,20 @@ +2020-05-04 Jack Lee + +Nullptr crash in CompositeEditCommand::moveParagraphs when changing style on elements that are +user-select:none and dir:rtl. +https://bugs.webkit.org/show_bug.cgi?id=211206 + + +Reviewed by Geoffrey Garen. + +In function moveParagraphs check if the destination is an empty position and +bail out before moving the paragraphs. + +Test: fast/editing/justify-user-select-none-dir-rtl-crash.html + +* editing/CompositeEditCommand.cpp: +(WebCore::CompositeEditCommand::moveParagraphs): + 2020-05-04 Jiewen Tan [WebAuthn] Implement +[_WKWebAuthenticationPanel clearAllLocalAuthenticatorCredentials] Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (261125 => 261126) --- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-04 23:37:44 UTC (rev 261125) +++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-04 23:55:06 UTC (rev 261126) @@ -1398,7 +1398,7 @@ void CompositeEditCommand::moveParagraphs(const VisiblePosition& startOfParagraphToMove, const VisiblePosition& endOfParagraphToMove, const VisiblePosition& destination, bool preserveSelection, bool preserveStyle) { -if (startOfParagraphToMove == destination) +if (destination.isNull() || startOfParagraphToMove == destination) return; Optional startIndex; ___ webkit-changes mailing list webkit-changes@lists.webkit.o
[webkit-changes] [261032] trunk/Source/WebCore/ChangeLog
Title: [261032] trunk/Source/WebCore/ChangeLog Revision 261032 Author shihchieh_...@apple.com Date 2020-05-01 15:54:39 -0700 (Fri, 01 May 2020) Log Message Unreviewed, amend change log entry for r260831. * ChangeLog: Modified Paths trunk/Source/WebCore/ChangeLog Diff Modified: trunk/Source/WebCore/ChangeLog (261031 => 261032) --- trunk/Source/WebCore/ChangeLog 2020-05-01 22:30:06 UTC (rev 261031) +++ trunk/Source/WebCore/ChangeLog 2020-05-01 22:54:39 UTC (rev 261032) @@ -1,3 +1,9 @@ +2020-05-01 Jack Lee + +Unreviewed, amend change log entry for r260831. + +* ChangeLog: + 2020-05-01 Chris Dumez Unreviewed, another build fix after r260962. @@ -1978,15 +1984,14 @@ * dom/Document.cpp: (WebCore::m_selection): -(WebCore::Document::prepareForDestruction): +(WebCore::Document::willBeRemovedFromFrame): (WebCore::m_undoManager): Deleted. +(WebCore::Document::prepareForDestruction): Deleted. * dom/Document.h: (WebCore::Document::editor): (WebCore::Document::editor const): (WebCore::Document::selection): (WebCore::Document::selection const): -* dom/PositionIterator.cpp: -(WebCore::PositionIterator::isCandidate const): * editing/AlternativeTextController.cpp: (WebCore::AlternativeTextController::AlternativeTextController): (WebCore::AlternativeTextController::stopPendingCorrection): @@ -2116,11 +2121,10 @@ (WebCore::Editor::findString): (WebCore::Editor::countMatchesForText): (WebCore::Editor::respondToChangedSelection): -(WebCore::Editor::shouldDetectTelephoneNumbers): +(WebCore::Editor::shouldDetectTelephoneNumbers const): (WebCore::Editor::scanSelectionForTelephoneNumbers): (WebCore::Editor::editorUIUpdateTimerFired): (WebCore::Editor::selectionStartHasMarkerFor const): -(WebCore::candidateRangeForSelection): (WebCore::Editor::stringForCandidateRequest const): (WebCore::Editor::contextRangeForCandidateRequest const): (WebCore::Editor::fontAttributesAtSelectionStart const): @@ -2156,7 +2160,7 @@ (WebCore::FrameSelection::modifyMovingRight): (WebCore::FrameSelection::modifyMovingLeft): (WebCore::FrameSelection::modify): -(WebCore::FrameSelection::prepareForDestruction): +(WebCore::FrameSelection::willBeRemovedFromFrame): (WebCore::FrameSelection::absoluteCaretBounds): (WebCore::FrameSelection::recomputeCaretRect): (WebCore::FrameSelection::contains const): @@ -2179,6 +2183,7 @@ (WebCore::FrameSelection::updateAppearanceAfterLayoutOrStyleChange): (WebCore::FrameSelection::selectRangeOnElement): (WebCore::FrameSelection::setCaretBlinks): +(WebCore::FrameSelection::prepareForDestruction): Deleted. * editing/FrameSelection.h: * editing/InsertIntoTextNodeCommand.cpp: (WebCore::InsertIntoTextNodeCommand::doApply): @@ -2226,6 +2231,7 @@ * editing/TypingCommand.h: * editing/cocoa/EditorCocoa.mm: (WebCore::Editor::selectionInHTMLFormat): +(WebCore::selectionAsAttributedString): (WebCore::Editor::writeSelectionToPasteboard): (WebCore::Editor::writeSelection): (WebCore::Editor::selectionInWebArchiveFormat): @@ -2254,6 +2260,8 @@ * editing/win/EditorWin.cpp: (WebCore::Editor::pasteWithPasteboard): (WebCore::Editor::webContentFromPasteboard): +* history/CachedFrame.cpp: +(WebCore::CachedFrame::destroy): * loader/FrameLoader.cpp: (WebCore::FrameLoader::willTransitionToCommitted): (WebCore::FrameLoader::closeURL): @@ -2261,6 +2269,8 @@ (WebCore::FrameLoader::clear): * page/Frame.cpp: (WebCore::Frame::Frame): +(WebCore::Frame::setView): +(WebCore::Frame::setDocument): (WebCore::Frame::requestDOMPasteAccess): (WebCore::Frame::setPageAndTextZoomFactors): * page/Frame.h: ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [261019] trunk
Title: [261019] trunk Revision 261019 Author shihchieh_...@apple.com Date 2020-05-01 13:53:59 -0700 (Fri, 01 May 2020) Log Message Source/WebCore: Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indent and align a paragraph. https://bugs.webkit.org/show_bug.cgi?id=211273 Reviewed by Geoffrey Garen. A load event can fire when we clone and append a paragraph. Check if the elements are removed in the event and bail out. Test: fast/editing/indent-then-justifyFull-crash.html * editing/CompositeEditCommand.cpp: (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement): LayoutTests: Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indent and align a paragraph. https://bugs.webkit.org/show_bug.cgi?id=211273 Reviewed by Geoffrey Garen. Added a regression test for the crash. * fast/editing/indent-then-justifyFull-crash-expected.txt: Added. * fast/editing/indent-then-justifyFull-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/CompositeEditCommand.cpp Added Paths trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash-expected.txt trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (261018 => 261019) --- trunk/LayoutTests/ChangeLog 2020-05-01 20:50:18 UTC (rev 261018) +++ trunk/LayoutTests/ChangeLog 2020-05-01 20:53:59 UTC (rev 261019) @@ -1,5 +1,19 @@ 2020-05-01 Jack Lee +Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indent +and align a paragraph. +https://bugs.webkit.org/show_bug.cgi?id=211273 + + +Reviewed by Geoffrey Garen. + +Added a regression test for the crash. + +* fast/editing/indent-then-justifyFull-crash-expected.txt: Added. +* fast/editing/indent-then-justifyFull-crash.html: Added. + +2020-05-01 Jack Lee + Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode https://bugs.webkit.org/show_bug.cgi?id=207600 Added: trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash-expected.txt (0 => 261019) --- trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash-expected.txt (rev 0) +++ trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash-expected.txt 2020-05-01 20:53:59 UTC (rev 261019) @@ -0,0 +1 @@ +Tests editing elements followed by other commands that remove those elements. The test passes if WebKit doesn't crash or hit an ssertion. Added: trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash.html (0 => 261019) --- trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash.html (rev 0) +++ trunk/LayoutTests/fast/editing/indent-then-justifyFull-crash.html 2020-05-01 20:53:59 UTC (rev 261019) @@ -0,0 +1,20 @@ + +if (window.testRunner) { +testRunner.dumpAsText(); +testRunner.waitUntilDone(); +} + +function iframeOnload() { +document.execCommand("justifyFull", false); +CANVAS.toBlob(blob); +} + +function blob() { +document.execCommand("selectAll", false); +document.execCommand("indent", false); +document.body.innerText = "Tests editing elements followed by other commands that remove those elements. The test passes if WebKit doesn't crash or hit an ssertion."; +if (window.testRunner) +testRunner.notifyDone(); +} + + Modified: trunk/Source/WebCore/ChangeLog (261018 => 261019) --- trunk/Source/WebCore/ChangeLog 2020-05-01 20:50:18 UTC (rev 261018) +++ trunk/Source/WebCore/ChangeLog 2020-05-01 20:53:59 UTC (rev 261019) @@ -1,5 +1,22 @@ 2020-05-01 Jack Lee +Nullptr crash in CompositeEditCommand::cloneParagraphUnderNewElement when indent +and align a paragraph. +https://bugs.webkit.org/show_bug.cgi?id=211273 + + +Reviewed by Geoffrey Garen. + +A load event can fire when we clone and append a paragraph. Check if the elements +are removed in the event and bail out. + +Test: fast/editing/indent-then-justifyFull-crash.html + +* editing/CompositeEditCommand.cpp: +(WebCore::CompositeEditCommand::cloneParagraphUnderNewElement): + +2020-05-01 Jack Lee + Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode https://bugs.webkit.org/show_bug.cgi?id=207600 Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (261018 => 261019) --- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-01 20:50:18 UTC (rev 261018) +++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-05-01 20:53:59 UTC (rev 261019) @@ -1260,6 +1260,9 @@ } } +if (!start.deprecatedNode()->isConnected() || !end.deprecatedNode()->isConnected()) +return; + // Handle the case of paragraphs with more than one node, // cloni
[webkit-changes] [261018] trunk
Title: [261018] trunk Revision 261018 Author shihchieh_...@apple.com Date 2020-05-01 13:50:18 -0700 (Fri, 01 May 2020) Log Message Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode https://bugs.webkit.org/show_bug.cgi?id=207600 Source/WebCore: Reviewed by Geoffrey Garen. Second part of the fix. Remove m_frame in FrameSelection so it will not be inadvertently used and cause this crash. No new tests, covered by existing test. * editing/AlternativeTextController.cpp: (WebCore::AlternativeTextController::rootViewRectForRange const): * editing/FrameSelection.cpp: (WebCore::FrameSelection::FrameSelection): (WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance): (WebCore::FrameSelection::modify): (WebCore::FrameSelection::selectFrameElementInParentIfFullySelected): (WebCore::FrameSelection::setFocusedElementIfNeeded): (WebCore::FrameSelection::shouldDeleteSelection const): (WebCore::FrameSelection::shouldDeleteSelection): (WebCore::FrameSelection::revealSelection): (WebCore::FrameSelection:: shouldChangeSelection): (WebCore::FrameSelection::shouldChangeSelection const): * editing/FrameSelection.h: * editing/atk/FrameSelectionAtk.cpp: (WebCore::FrameSelection::notifyAccessibilityForSelectionChange): * editing/mac/FrameSelectionMac.mm: (WebCore::FrameSelection::notifyAccessibilityForSelectionChange): LayoutTests: Reviewed by Geoffrey Garen. Reduce run time for this test case. * editing/inserting/insert-list-then-edit-command-crash.html: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/editing/inserting/insert-list-then-edit-command-crash.html trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/AlternativeTextController.cpp trunk/Source/WebCore/editing/FrameSelection.cpp trunk/Source/WebCore/editing/FrameSelection.h trunk/Source/WebCore/editing/atk/FrameSelectionAtk.cpp trunk/Source/WebCore/editing/mac/FrameSelectionMac.mm Diff Modified: trunk/LayoutTests/ChangeLog (261017 => 261018) --- trunk/LayoutTests/ChangeLog 2020-05-01 20:46:38 UTC (rev 261017) +++ trunk/LayoutTests/ChangeLog 2020-05-01 20:50:18 UTC (rev 261018) @@ -1,3 +1,14 @@ +2020-05-01 Jack Lee + +Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode +https://bugs.webkit.org/show_bug.cgi?id=207600 + +Reviewed by Geoffrey Garen. + +Reduce run time for this test case. + +* editing/inserting/insert-list-then-edit-command-crash.html: + 2020-05-01 Eric Carlson [MSE] Audio session category is sometimes not set correctly after changing video source Modified: trunk/LayoutTests/editing/inserting/insert-list-then-edit-command-crash.html (261017 => 261018) --- trunk/LayoutTests/editing/inserting/insert-list-then-edit-command-crash.html 2020-05-01 20:46:38 UTC (rev 261017) +++ trunk/LayoutTests/editing/inserting/insert-list-then-edit-command-crash.html 2020-05-01 20:50:18 UTC (rev 261018) @@ -1,19 +1,17 @@ -a +text-document.getSelection().empty(); -document.execCommand("selectAll", false);if (window.testRunner) { testRunner.dumpAsText(); testRunner.waitUntilDone(); } +document.getSelection().empty(); +document.execCommand("selectAll", false); + function objectOnLoad() { document.execCommand("insertUnorderedList", false); document.execCommand("italic", false);-requestAnimationFrame(function () { -document.body.innerHTML = "+document.body.innerHTML = "Tests inserting list followed by an edit command. The test passes if WebKit doesn't crash or hit an assertion.
"; -if (window.testRunner) -testRunner.notifyDone(); -});Tests inserting list followed by an edit command. The test passes if WebKit doesn't crash or hit an assertion.
"; +testRunner.notifyDone(); } Modified: trunk/Source/WebCore/ChangeLog (261017 => 261018) --- trunk/Source/WebCore/ChangeLog 2020-05-01 20:46:38 UTC (rev 261017) +++ trunk/Source/WebCore/ChangeLog 2020-05-01 20:50:18 UTC (rev 261018) @@ -1,3 +1,35 @@ +2020-05-01 Jack Lee + +Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode +https://bugs.webkit.org/show_bug.cgi?id=207600 + + +Reviewed by Geoffrey Garen. + +Second part of the fix. Remove m_frame in FrameSelection so it will not be +inadvertently used and cause this crash. + +No new tests, covered by existing test. + +* editing/AlternativeTextController.cpp: +(WebCore::AlternativeTextController::rootViewRectForRange const): +* editing/FrameSelection.cpp: +(WebCore::
[webkit-changes] [260207] trunk
Title: [260207] trunk Revision 260207 Author shihchieh_...@apple.com Date 2020-04-16 11:42:36 -0700 (Thu, 16 Apr 2020) Log Message ASSERTION FAILED: candidate.isCandidate() in WebCore::canonicalizeCandidate https://bugs.webkit.org/show_bug.cgi?id=130844 Reviewed by Geoffrey Garen. Source/WebCore: Call Position::isCandidate() in PositionIterator::isCandidate so behavior of candidate search become identical in both classes. Test: editing/inserting/insert-in-br.html * dom/PositionIterator.cpp: (WebCore::PositionIterator::isCandidate const): LayoutTests: * editing/inserting/insert-in-br-expected.txt: Added. * editing/inserting/insert-in-br.html: Added. Added a regression test for the crash. * editing/inserting/insert-list-in-table-cell-07-expected.txt: Update node tree in expected text file due to behavior change in function PositionIterator::isCandidate. The visual result remains the same. Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/editing/inserting/insert-list-in-table-cell-07-expected.txt trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/dom/PositionIterator.cpp Added Paths trunk/LayoutTests/editing/inserting/insert-in-br-expected.txt trunk/LayoutTests/editing/inserting/insert-in-br.html Diff Modified: trunk/LayoutTests/ChangeLog (260206 => 260207) --- trunk/LayoutTests/ChangeLog 2020-04-16 18:38:22 UTC (rev 260206) +++ trunk/LayoutTests/ChangeLog 2020-04-16 18:42:36 UTC (rev 260207) @@ -1,3 +1,19 @@ +2020-04-16 Jack Lee + +ASSERTION FAILED: candidate.isCandidate() in WebCore::canonicalizeCandidate +https://bugs.webkit.org/show_bug.cgi?id=130844 + + +Reviewed by Geoffrey Garen. + +* editing/inserting/insert-in-br-expected.txt: Added. +* editing/inserting/insert-in-br.html: Added. +Added a regression test for the crash. + +* editing/inserting/insert-list-in-table-cell-07-expected.txt: +Update node tree in expected text file due to behavior change in function +PositionIterator::isCandidate. The visual result remains the same. + 2020-04-16 Chris Fleizach AX: Need method for setting selected range from NSRange Added: trunk/LayoutTests/editing/inserting/insert-in-br-expected.txt (0 => 260207) --- trunk/LayoutTests/editing/inserting/insert-in-br-expected.txt (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-in-br-expected.txt 2020-04-16 18:42:36 UTC (rev 260207) @@ -0,0 +1 @@ +Tests inserting elements in br. The test passes if WebKit doesn't crash or hit an assertion. Added: trunk/LayoutTests/editing/inserting/insert-in-br.html (0 => 260207) --- trunk/LayoutTests/editing/inserting/insert-in-br.html (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-in-br.html 2020-04-16 18:42:36 UTC (rev 260207) @@ -0,0 +1,10 @@ + + +var parent = document.getElementById('id_0') +parent.appendChild(document.createElement('svg_desc')) +parent = document.getElementById('id_1') +parent.focus() +document.body.innerText = "Tests inserting elements in br. The test passes if WebKit doesn't crash or hit an assertion."; +if (window.testRunner) +testRunner.dumpAsText(); + Modified: trunk/LayoutTests/editing/inserting/insert-list-in-table-cell-07-expected.txt (260206 => 260207) --- trunk/LayoutTests/editing/inserting/insert-list-in-table-cell-07-expected.txt 2020-04-16 18:38:22 UTC (rev 260206) +++ trunk/LayoutTests/editing/inserting/insert-list-in-table-cell-07-expected.txt 2020-04-16 18:42:36 UTC (rev 260207) @@ -1,6 +1,7 @@ Exec insertOrderedList twice in all the cells of a table removes the previously inserted list items: Before: +| <#selection-focus> | | border="1" | @@ -7,7 +8,8 @@ | id="element" | | -| "<#selection-anchor>fsdf" +| <#selection-anchor> +| "fsdf" | | "fsdf" | @@ -16,9 +18,9 @@ | | "fsfg" | -| <#selection-focus> After: +| <#selection-caret> | | border="1" | @@ -25,16 +27,11 @@ | id="element" | | -| "<#selection-anchor>fsdf" -| +| "fsdf" | | "fsdf" -| | | | "gghfg" -| | -| "fsfg<#selection-focus>" -| -| +| "fsfg" Modified: trunk/Source/WebCore/ChangeLog (260206 => 260207) --- trunk/Source/WebCore/ChangeLog 2020-04-16 18:38:22 UTC (rev 260206) +++ trunk/Source/WebCore/ChangeLog 2020-04-16 18:42:36 UTC (rev 260207) @@ -1,3 +1,19 @@ +2020-04-16 Jack Lee + +ASSERTION FAILED: candidate.isCandidate() in WebCore::canonicalizeCandidate +https://bugs.webkit.org/show_bug.cgi?id=130844 + + +Reviewed by Geoffrey Garen. + +Call Position::isCandidate() in PositionIterator::isCandidate so behavior of +candidate search become identical in both classes. + +Test: editing/inserting/insert-in-b
[webkit-changes] [260154] trunk/LayoutTests
Title: [260154] trunk/LayoutTests Revision 260154 Author shihchieh_...@apple.com Date 2020-04-15 15:01:51 -0700 (Wed, 15 Apr 2020) Log Message Infinite loop in InsertListCommand::doApply() https://bugs.webkit.org/show_bug.cgi?id=210354 Reviewed by Geoffrey Garen. Update the regression test for this hang issue. * editing/inserting/insert-list-end-of-table-expected.txt: Added. * editing/inserting/insert-list-end-of-table.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html Diff Modified: trunk/LayoutTests/ChangeLog (260153 => 260154) --- trunk/LayoutTests/ChangeLog 2020-04-15 21:57:22 UTC (rev 260153) +++ trunk/LayoutTests/ChangeLog 2020-04-15 22:01:51 UTC (rev 260154) @@ -1,5 +1,18 @@ 2020-04-15 Jack Lee +Infinite loop in InsertListCommand::doApply() +https://bugs.webkit.org/show_bug.cgi?id=210354 + + +Reviewed by Geoffrey Garen. + +Update the regression test for this hang issue. + +* editing/inserting/insert-list-end-of-table-expected.txt: Added. +* editing/inserting/insert-list-end-of-table.html: Added. + +2020-04-15 Jack Lee + ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed when deleting a UserSelect::None element. https://bugs.webkit.org/show_bug.cgi?id=210530 Modified: trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html (260153 => 260154) --- trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html 2020-04-15 21:57:22 UTC (rev 260153) +++ trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html 2020-04-15 22:01:51 UTC (rev 260154) @@ -1,18 +1,10 @@ +content-if (window.testRunner) { -testRunner.dumpAsText(); -testRunner.waitUntilDone(); -} - -window._onload_ = () => { -window.getSelection().setBaseAndExtent(TH,1,SPAN,0); -document.execCommand("insertUnorderedList", false); - -requestAnimationFrame(function () { -document.body.innerHTML = "+document.body.offsetHeight; +window.getSelection().setBaseAndExtent(td, 1, input, 0); +document.execCommand("insertUnorderedList", false); +document.body.offsetHeight; +document.body.innerText = "Tests inserting list at the end of a table. The test passes if WebKit doesn't crash or hit an assertion."; +if (window.testRunner) + testRunner.dumpAsText(); -a ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changesTests inserting list at the end of a table. The test passes if WebKit doesn't crash or hit an assertion.
"; -if (window.testRunner) -testRunner.notifyDone(); -}); -}
[webkit-changes] [260153] trunk
Title: [260153] trunk Revision 260153 Author shihchieh_...@apple.com Date 2020-04-15 14:57:22 -0700 (Wed, 15 Apr 2020) Log Message Source/WebCore: ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed when deleting a UserSelect::None element. https://bugs.webkit.org/show_bug.cgi?id=210530 Reviewed by Geoffrey Garen. Quit forwardDeleteKeyPressed() if FrameSelection::modify() returns empty selection. Test: editing/deleting/forward-delete-UserSelect-None-element.html * editing/TypingCommand.cpp: (WebCore::TypingCommand::forwardDeleteKeyPressed): LayoutTests: ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed when deleting a UserSelect::None element. https://bugs.webkit.org/show_bug.cgi?id=210530 Reviewed by Geoffrey Garen. Added a regression test for the crash. * editing/deleting/forward-delete-UserSelect-None-element-expected.txt: Added. * editing/deleting/forward-delete-UserSelect-None-element.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/TypingCommand.cpp Added Paths trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element-expected.txt trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element.html Diff Modified: trunk/LayoutTests/ChangeLog (260152 => 260153) --- trunk/LayoutTests/ChangeLog 2020-04-15 21:23:46 UTC (rev 260152) +++ trunk/LayoutTests/ChangeLog 2020-04-15 21:57:22 UTC (rev 260153) @@ -1,3 +1,17 @@ +2020-04-15 Jack Lee + +ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed +when deleting a UserSelect::None element. +https://bugs.webkit.org/show_bug.cgi?id=210530 + + +Reviewed by Geoffrey Garen. + +Added a regression test for the crash. + +* editing/deleting/forward-delete-UserSelect-None-element-expected.txt: Added. +* editing/deleting/forward-delete-UserSelect-None-element.html: Added. + 2020-04-15 Wenson Hsieh [iPadOS] Some pages indefinitely zoom in and out due to idempotent text autosizing Added: trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element-expected.txt (0 => 260153) --- trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element-expected.txt (rev 0) +++ trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element-expected.txt 2020-04-15 21:57:22 UTC (rev 260153) @@ -0,0 +1 @@ +Tests forward-deleting a UserSelect::None element. The test passes if WebKit doesn't crash or hit an ssertion. Added: trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element.html (0 => 260153) --- trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element.html (rev 0) +++ trunk/LayoutTests/editing/deleting/forward-delete-UserSelect-None-element.html 2020-04-15 21:57:22 UTC (rev 260153) @@ -0,0 +1,8 @@ + + +input.focus(); +document.execCommand("forwardDelete", false); +document.body.innerText = "Tests forward-deleting a UserSelect::None element. The test passes if WebKit doesn't crash or hit an ssertion."; +if (window.testRunner) +testRunner.dumpAsText(); + Modified: trunk/Source/WebCore/ChangeLog (260152 => 260153) --- trunk/Source/WebCore/ChangeLog 2020-04-15 21:23:46 UTC (rev 260152) +++ trunk/Source/WebCore/ChangeLog 2020-04-15 21:57:22 UTC (rev 260153) @@ -1,3 +1,19 @@ +2020-04-15 Jack Lee + +ASSERTION FAILED: !selectionToDelete.isNone() in TypingCommand::forwardDeleteKeyPressed +when deleting a UserSelect::None element. +https://bugs.webkit.org/show_bug.cgi?id=210530 + + +Reviewed by Geoffrey Garen. + +Quit forwardDeleteKeyPressed() if FrameSelection::modify() returns empty selection. + +Test: editing/deleting/forward-delete-UserSelect-None-element.html + +* editing/TypingCommand.cpp: +(WebCore::TypingCommand::forwardDeleteKeyPressed): + 2020-04-15 Peng Liu Video elements don't return to the correct position when exiting fullscreen Modified: trunk/Source/WebCore/editing/TypingCommand.cpp (260152 => 260153) --- trunk/Source/WebCore/editing/TypingCommand.cpp 2020-04-15 21:23:46 UTC (rev 260152) +++ trunk/Source/WebCore/editing/TypingCommand.cpp 2020-04-15 21:57:22 UTC (rev 260153) @@ -801,6 +801,8 @@ FrameSelection selection; selection.setSelection(endingSelection()); selection.modify(FrameSelection::AlterationExtend, DirectionForward, granularity); +if (selection.isNone()) +return; if (shouldAddToKillRing && selection.isCaret() && granularity != CharacterGranularity) selection.modify(FrameSelection::AlterationExtend, DirectionForward, CharacterGranularity); ___ webkit-changes mailing list webkit-changes@lists.webkit.or
[webkit-changes] [259939] trunk
Title: [259939] trunk Revision 259939 Author shihchieh_...@apple.com Date 2020-04-11 20:13:17 -0700 (Sat, 11 Apr 2020) Log Message Infinite loop in InsertListCommand::doApply() https://bugs.webkit.org/show_bug.cgi?id=210354 Reviewed by Darin Adler. Source/WebCore: Function startOfNextParagraph may return an empty position. Added null check to exit the while loop and stop looking for next paragraph. Test: editing/inserting/insert-list-end-of-table.html * editing/InsertListCommand.cpp: (WebCore::InsertListCommand::doApply): LayoutTests: Added a regression test for the crash. * editing/inserting/insert-list-end-of-table-expected.txt: Added. * editing/inserting/insert-list-end-of-table.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/InsertListCommand.cpp Added Paths trunk/LayoutTests/editing/inserting/insert-list-end-of-table-expected.txt trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html Diff Modified: trunk/LayoutTests/ChangeLog (259938 => 259939) --- trunk/LayoutTests/ChangeLog 2020-04-12 00:43:53 UTC (rev 259938) +++ trunk/LayoutTests/ChangeLog 2020-04-12 03:13:17 UTC (rev 259939) @@ -1,3 +1,16 @@ +2020-04-11 Jack Lee + +Infinite loop in InsertListCommand::doApply() +https://bugs.webkit.org/show_bug.cgi?id=210354 + + +Reviewed by Darin Adler. + +Added a regression test for the crash. + +* editing/inserting/insert-list-end-of-table-expected.txt: Added. +* editing/inserting/insert-list-end-of-table.html: Added. + 2020-04-11 Simon Fraser [Async overflow] Can't scroll overflow:scroll in sideways-scrollable RTL document Added: trunk/LayoutTests/editing/inserting/insert-list-end-of-table-expected.txt (0 => 259939) --- trunk/LayoutTests/editing/inserting/insert-list-end-of-table-expected.txt (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-list-end-of-table-expected.txt 2020-04-12 03:13:17 UTC (rev 259939) @@ -0,0 +1 @@ +Tests inserting list at the end of a table. The test passes if WebKit doesn't crash or hit an assertion. Added: trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html (0 => 259939) --- trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-list-end-of-table.html 2020-04-12 03:13:17 UTC (rev 259939) @@ -0,0 +1,18 @@ + +if (window.testRunner) { +testRunner.dumpAsText(); +testRunner.waitUntilDone(); +} + +window._onload_ = () => { +window.getSelection().setBaseAndExtent(TH,1,SPAN,0); +document.execCommand("insertUnorderedList", false); + +requestAnimationFrame(function () { +document.body.innerHTML = "Tests inserting list at the end of a table. The test passes if WebKit doesn't crash or hit an assertion.
"; +if (window.testRunner) +testRunner.notifyDone(); +}); +} + +a Modified: trunk/Source/WebCore/ChangeLog (259938 => 259939) --- trunk/Source/WebCore/ChangeLog 2020-04-12 00:43:53 UTC (rev 259938) +++ trunk/Source/WebCore/ChangeLog 2020-04-12 03:13:17 UTC (rev 259939) @@ -1,3 +1,19 @@ +2020-04-11 Jack Lee + +Infinite loop in InsertListCommand::doApply() +https://bugs.webkit.org/show_bug.cgi?id=210354 + + +Reviewed by Darin Adler. + +Function startOfNextParagraph may return an empty position. Added null check to exit the while loop +and stop looking for next paragraph. + +Test: editing/inserting/insert-list-end-of-table.html + +* editing/InsertListCommand.cpp: +(WebCore::InsertListCommand::doApply): + 2020-04-11 Wenson Hsieh [macOS] [WK1] Touch Bar flashes when typing in Vietnamese in Mail Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (259938 => 259939) --- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-04-12 00:43:53 UTC (rev 259938) +++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-04-12 03:13:17 UTC (rev 259939) @@ -145,7 +145,7 @@ RefPtr currentSelection = endingSelection().firstRange(); VisiblePosition startOfCurrentParagraph = startOfSelection; -while (!inSameParagraph(startOfCurrentParagraph, startOfLastParagraph, CanCrossEditingBoundary)) { +while (!startOfCurrentParagraph.isNull() && !inSameParagraph(startOfCurrentParagraph, startOfLastParagraph, CanCrossEditingBoundary)) { // doApply() may operate on and remove the last paragraph of the selection from the document // if it's in the same list item as startOfCurrentParagraph. Return early to avoid an // infinite loop and because there is no more work to be done. ___ webkit-changes mailing list webkit-changes@l
[webkit-changes] [259899] trunk
Title: [259899] trunk Revision 259899 Author shihchieh_...@apple.com Date 2020-04-10 13:44:52 -0700 (Fri, 10 Apr 2020) Log Message ASSERTION FAILED: selection.isRange() in InsertListCommand::doApply https://bugs.webkit.org/show_bug.cgi?id=210170 Reviewed by Wenson Hsieh. Source/WebCore: If selectionForParagraphIteration returns a non-range selection, there is no need for finding multiple paragraphs. And since non-range selection is handled, the assertion can be removed. Test: editing/inserting/insert-list-in-table-assert.html * editing/InsertListCommand.cpp: (WebCore::InsertListCommand::doApply): LayoutTests: Added a regression test for the crash. * editing/inserting/insert-list-in-table-assert-expected.txt: Added. * editing/inserting/insert-list-in-table-assert.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/InsertListCommand.cpp Added Paths trunk/LayoutTests/editing/inserting/insert-list-in-table-assert-expected.txt trunk/LayoutTests/editing/inserting/insert-list-in-table-assert.html Diff Modified: trunk/LayoutTests/ChangeLog (259898 => 259899) --- trunk/LayoutTests/ChangeLog 2020-04-10 20:30:03 UTC (rev 259898) +++ trunk/LayoutTests/ChangeLog 2020-04-10 20:44:52 UTC (rev 259899) @@ -1,3 +1,16 @@ +2020-04-10 Jack Lee + +ASSERTION FAILED: selection.isRange() in InsertListCommand::doApply +https://bugs.webkit.org/show_bug.cgi?id=210170 + + +Reviewed by Wenson Hsieh. + +Added a regression test for the crash. + +* editing/inserting/insert-list-in-table-assert-expected.txt: Added. +* editing/inserting/insert-list-in-table-assert.html: Added. + 2020-04-10 Wenson Hsieh [iOS] Unable to select text by tap-hold or double tap-hold when allowsLinkPreview property is set to NO Added: trunk/LayoutTests/editing/inserting/insert-list-in-table-assert-expected.txt (0 => 259899) --- trunk/LayoutTests/editing/inserting/insert-list-in-table-assert-expected.txt (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-list-in-table-assert-expected.txt 2020-04-10 20:44:52 UTC (rev 259899) @@ -0,0 +1 @@ +Tests inserting list in table. The test passes if WebKit doesn't crash or hit an assertion. Added: trunk/LayoutTests/editing/inserting/insert-list-in-table-assert.html (0 => 259899) --- trunk/LayoutTests/editing/inserting/insert-list-in-table-assert.html (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-list-in-table-assert.html 2020-04-10 20:44:52 UTC (rev 259899) @@ -0,0 +1,18 @@ + +if (window.testRunner) { +testRunner.dumpAsText(); +testRunner.waitUntilDone(); +} + +window._onload_ = () => { +window.getSelection().setBaseAndExtent(TH,1,STYLE,1); +document.execCommand("insertUnorderedList", false); + +requestAnimationFrame(function () { +document.body.innerHTML = "Tests inserting list in table. The test passes if WebKit doesn't crash or hit an assertion.
"; +if (window.testRunner) +testRunner.notifyDone(); +}); +} + +a Modified: trunk/Source/WebCore/ChangeLog (259898 => 259899) --- trunk/Source/WebCore/ChangeLog 2020-04-10 20:30:03 UTC (rev 259898) +++ trunk/Source/WebCore/ChangeLog 2020-04-10 20:44:52 UTC (rev 259899) @@ -1,3 +1,19 @@ +2020-04-10 Jack Lee + +ASSERTION FAILED: selection.isRange() in InsertListCommand::doApply +https://bugs.webkit.org/show_bug.cgi?id=210170 + + +Reviewed by Wenson Hsieh. + +If selectionForParagraphIteration returns a non-range selection, there is no need for finding +multiple paragraphs. And since non-range selection is handled, the assertion can be removed. + +Test: editing/inserting/insert-list-in-table-assert.html + +* editing/InsertListCommand.cpp: +(WebCore::InsertListCommand::doApply): + 2020-04-10 Antti Koivisto [CSS Shadow Parts] Bad style sharing between sibling elements with different part attributes Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (259898 => 259899) --- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-04-10 20:30:03 UTC (rev 259898) +++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-04-10 20:44:52 UTC (rev 259899) @@ -135,59 +135,60 @@ auto& listTag = (m_type == Type::OrderedList) ? olTag : ulTag; if (endingSelection().isRange()) { VisibleSelection selection = selectionForParagraphIteration(endingSelection()); -ASSERT(selection.isRange()); -VisiblePosition startOfSelection = selection.visibleStart(); -VisiblePosition endOfSelection = selection.visibleEnd(); -VisiblePosition startOfLastParagraph = startOfParagraph(endOfSelection, CanSkipOverEditingBoundary); +if (selection.isRange()) { +VisiblePosition startOfSelection = selection.visi
[webkit-changes] [259624] trunk
Title: [259624] trunk Revision 259624 Author shihchieh_...@apple.com Date 2020-04-06 23:29:24 -0700 (Mon, 06 Apr 2020) Log Message Nullptr crash in CompositeEditCommand::splitTreeToNode when inserting image in anchor element that has uneditable parent https://bugs.webkit.org/show_bug.cgi?id=210004 Reviewed by Ryosuke Niwa. Source/WebCore: RemoveNodePreservingChildren can fail and leave the children dangling if the parent of the node is uneditable. Added editability check for the to-be-removed node. Test: editing/inserting/insert-img-anchor-uneditable-parent.html * editing/RemoveNodePreservingChildrenCommand.cpp: (WebCore::RemoveNodePreservingChildrenCommand::doApply): LayoutTests: Added a regression test for the crash. * editing/inserting/insert-img-anchor-uneditable-parent-expected.txt: Added. * editing/inserting/insert-img-anchor-uneditable-parent.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp Added Paths trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent-expected.txt trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent.html Diff Modified: trunk/LayoutTests/ChangeLog (259623 => 259624) --- trunk/LayoutTests/ChangeLog 2020-04-07 04:59:57 UTC (rev 259623) +++ trunk/LayoutTests/ChangeLog 2020-04-07 06:29:24 UTC (rev 259624) @@ -1,3 +1,16 @@ +2020-04-06 Jack Lee + +Nullptr crash in CompositeEditCommand::splitTreeToNode when inserting image in anchor element that has uneditable parent +https://bugs.webkit.org/show_bug.cgi?id=210004 + + +Reviewed by Ryosuke Niwa. + +Added a regression test for the crash. + +* editing/inserting/insert-img-anchor-uneditable-parent-expected.txt: Added. +* editing/inserting/insert-img-anchor-uneditable-parent.html: Added. + 2020-04-06 Lauro Moura [GTK][WPE] Gardening EXIF orientation failure. Added: trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent-expected.txt (0 => 259624) --- trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent-expected.txt (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent-expected.txt 2020-04-07 06:29:24 UTC (rev 259624) @@ -0,0 +1,3 @@ +Test inserting image in anchor element that has uneditable parent. The test passes if WebKit doesn't crash or hit an assertion. + + Added: trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent.html (0 => 259624) --- trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent.html (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-img-anchor-uneditable-parent.html 2020-04-07 06:29:24 UTC (rev 259624) @@ -0,0 +1,13 @@ + + +if (window.testRunner) +testRunner.dumpAsText(); + +window._onload_ = () => { +window.getSelection().collapse(BR); +document.execCommand("selectAll", false); +document.execCommand("fontName", false, "Times Roman"); +document.getSelection().collapseToStart(); +window.document.execCommand("insertImage", "#foo"); +} + Modified: trunk/Source/WebCore/ChangeLog (259623 => 259624) --- trunk/Source/WebCore/ChangeLog 2020-04-07 04:59:57 UTC (rev 259623) +++ trunk/Source/WebCore/ChangeLog 2020-04-07 06:29:24 UTC (rev 259624) @@ -1,3 +1,19 @@ +2020-04-06 Jack Lee + +Nullptr crash in CompositeEditCommand::splitTreeToNode when inserting image in anchor element that has uneditable parent +https://bugs.webkit.org/show_bug.cgi?id=210004 + + +Reviewed by Ryosuke Niwa. + +RemoveNodePreservingChildren can fail and leave the children dangling if the parent of the node +is uneditable. Added editability check for the to-be-removed node. + +Test: editing/inserting/insert-img-anchor-uneditable-parent.html + +* editing/RemoveNodePreservingChildrenCommand.cpp: +(WebCore::RemoveNodePreservingChildrenCommand::doApply): + 2020-04-06 David Kilzer Use-after-move of Vector in TextManipulationController::observeParagraphs() Modified: trunk/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp (259623 => 259624) --- trunk/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp 2020-04-07 04:59:57 UTC (rev 259623) +++ trunk/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp 2020-04-07 06:29:24 UTC (rev 259624) @@ -41,6 +41,10 @@ void RemoveNodePreservingChildrenCommand::doApply() { Vector> children; +auto parent = makeRefPtr(m_node->parentNode()); +if (!parent || (m_shouldAssumeContentIsAlwaysEditable == DoNotAssumeContentIsAlwaysEditable && !isEditableNode(*parent))) +return; + for (Node* child = m_node->firstChild(); child; child = child->nextSibling()) children.append(*child);
[webkit-changes] [259619] trunk
Title: [259619] trunk Revision 259619 Author shihchieh_...@apple.com Date 2020-04-06 18:45:56 -0700 (Mon, 06 Apr 2020) Log Message Nullptr crash in WebCore::lastPositionInNode when indenting text node that has user-select:all parent. https://bugs.webkit.org/show_bug.cgi?id=210016 Reviewed by Ryosuke Niwa. Source/WebCore: In rangeForParagraphSplittingTextNodesIfNeeded, added null check for previousSibling() after splitTextNode is called, and returns empty positions to caller. In formatSelection, check the returned positions from rangeForParagraphSplittingTextNodesIfNeeded and stop indenting the rest of the paragraphs. Test: fast/editing/indent-pre-user-select-all-crash.html * editing/ApplyBlockElementCommand.cpp: (WebCore::ApplyBlockElementCommand::formatSelection): (WebCore::ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded): LayoutTests: Added a regression test for the crash. * fast/editing/indent-pre-user-select-all-crash-expected.txt: Added. * fast/editing/indent-pre-user-select-all-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/ApplyBlockElementCommand.cpp Added Paths trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash-expected.txt trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (259618 => 259619) --- trunk/LayoutTests/ChangeLog 2020-04-07 01:04:05 UTC (rev 259618) +++ trunk/LayoutTests/ChangeLog 2020-04-07 01:45:56 UTC (rev 259619) @@ -1,3 +1,16 @@ +2020-04-06 Jack Lee + +Nullptr crash in WebCore::lastPositionInNode when indenting text node that has user-select:all parent. +https://bugs.webkit.org/show_bug.cgi?id=210016 + + +Reviewed by Ryosuke Niwa. + +Added a regression test for the crash. + +* fast/editing/indent-pre-user-select-all-crash-expected.txt: Added. +* fast/editing/indent-pre-user-select-all-crash.html: Added. + 2020-04-06 Jason Lawrence [ Mac wk1 Debug ] inspector/debugger/evaluateOnCallFrame-errors.html is flaky failing. Added: trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash-expected.txt (0 => 259619) --- trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash-expected.txt (rev 0) +++ trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash-expected.txt 2020-04-07 01:45:56 UTC (rev 259619) @@ -0,0 +1 @@ +Tests indenting pre element that has user-select:all parent. The test passes if WebKit doesn't crash or hit an assertion. Added: trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash.html (0 => 259619) --- trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash.html (rev 0) +++ trunk/LayoutTests/fast/editing/indent-pre-user-select-all-crash.html 2020-04-07 01:45:56 UTC (rev 259619) @@ -0,0 +1,23 @@ + +#DETAILS { -webkit-user-select: all; } + + +if (window.testRunner) { +testRunner.dumpAsText(); +testRunner.waitUntilDone(); +} + +window._onload_ = () => { +document.execCommand("selectAll", false); +document.execCommand("indent", false); + +requestAnimationFrame(function () { +document.body.innerHTML = "Tests indenting pre element that has user-select:all parent. The test passes if WebKit doesn't crash or hit an assertion.
"; +if (window.testRunner) { +testRunner.notifyDone(); +} +}); +} + +a +a Modified: trunk/Source/WebCore/ChangeLog (259618 => 259619) --- trunk/Source/WebCore/ChangeLog 2020-04-07 01:04:05 UTC (rev 259618) +++ trunk/Source/WebCore/ChangeLog 2020-04-07 01:45:56 UTC (rev 259619) @@ -1,3 +1,23 @@ +2020-04-06 Jack Lee + +Nullptr crash in WebCore::lastPositionInNode when indenting text node that has user-select:all parent. +https://bugs.webkit.org/show_bug.cgi?id=210016 + + +Reviewed by Ryosuke Niwa. + +In rangeForParagraphSplittingTextNodesIfNeeded, added null check for previousSibling() +after splitTextNode is called, and returns empty positions to caller. + +In formatSelection, check the returned positions from rangeForParagraphSplittingTextNodesIfNeeded +and stop indenting the rest of the paragraphs. + +Test: fast/editing/indent-pre-user-select-all-crash.html + +* editing/ApplyBlockElementCommand.cpp: +(WebCore::ApplyBlockElementCommand::formatSelection): +(WebCore::ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded): + 2020-04-06 Devin Rousso Web Inspector: `console.log(...)` appear as `CONSOLE LOG LOG` in the system console Modified: trunk/Source/WebCore/editing/ApplyBlockElementCommand.cpp (259618 => 259619) --- trunk/Source/WebCore/editing/ApplyBlockElementCommand.cpp 2020-04-07 01:04:05 UTC (rev 259618) +++ trunk/Source/WebCore/editin
[webkit-changes] [259595] trunk
Title: [259595] trunk Revision 259595 Author shihchieh_...@apple.com Date 2020-04-06 14:44:11 -0700 (Mon, 06 Apr 2020) Log Message Nullptr crash in CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary with draggable text https://bugs.webkit.org/show_bug.cgi?id=20 Reviewed by Ryosuke Niwa. Source/WebCore: VisibleParagraphStart/End may return empty VisiblePosition if no proper element or node can be used as position candidate. Add null check for the returned VisiblePositions. Test: fast/css/style-change-draggable-text.html * editing/CompositeEditCommand.cpp: (WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary): LayoutTests: Added a regression test for the crash. * fast/css/style-change-draggable-text-expected.txt: Added. * fast/css/style-change-draggable-text.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/CompositeEditCommand.cpp Added Paths trunk/LayoutTests/fast/css/style-change-draggable-text-expected.txt trunk/LayoutTests/fast/css/style-change-draggable-text.html Diff Modified: trunk/LayoutTests/ChangeLog (259594 => 259595) --- trunk/LayoutTests/ChangeLog 2020-04-06 20:53:56 UTC (rev 259594) +++ trunk/LayoutTests/ChangeLog 2020-04-06 21:44:11 UTC (rev 259595) @@ -1,3 +1,16 @@ +2020-04-06 Jack Lee + +Nullptr crash in CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary with draggable text +https://bugs.webkit.org/show_bug.cgi?id=20 + + +Reviewed by Ryosuke Niwa. + +Added a regression test for the crash. + +* fast/css/style-change-draggable-text-expected.txt: Added. +* fast/css/style-change-draggable-text.html: Added. + 2020-04-06 Jer Noble [ Mac wk2 ] http/tests/media/track-in-band-hls-metadata.html is flaky crashing. Added: trunk/LayoutTests/fast/css/style-change-draggable-text-expected.txt (0 => 259595) --- trunk/LayoutTests/fast/css/style-change-draggable-text-expected.txt (rev 0) +++ trunk/LayoutTests/fast/css/style-change-draggable-text-expected.txt 2020-04-06 21:44:11 UTC (rev 259595) @@ -0,0 +1 @@ +Test changing style with draggable text. The test passes if WebKit doesn't crash or hit an assertiona Added: trunk/LayoutTests/fast/css/style-change-draggable-text.html (0 => 259595) --- trunk/LayoutTests/fast/css/style-change-draggable-text.html (rev 0) +++ trunk/LayoutTests/fast/css/style-change-draggable-text.html 2020-04-06 21:44:11 UTC (rev 259595) @@ -0,0 +1,14 @@ + +#SHADOW { initial; -webkit-user-select: text; } +#LABEL { -webkit-user-select: all; } + + +if (window.testRunner) +testRunner.dumpAsText(); + +window._onload_ = () => { +window.getSelection().collapse(SHADOW); +document.execCommand("justifyCenter", false); +} + +Test changing style with draggable text. The test passes if WebKit doesn't crash or hit an assertiona Modified: trunk/Source/WebCore/ChangeLog (259594 => 259595) --- trunk/Source/WebCore/ChangeLog 2020-04-06 20:53:56 UTC (rev 259594) +++ trunk/Source/WebCore/ChangeLog 2020-04-06 21:44:11 UTC (rev 259595) @@ -1,3 +1,19 @@ +2020-04-06 Jack Lee + +Nullptr crash in CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary with draggable text +https://bugs.webkit.org/show_bug.cgi?id=20 + + +Reviewed by Ryosuke Niwa. + +VisibleParagraphStart/End may return empty VisiblePosition if no proper element or node +can be used as position candidate. Add null check for the returned VisiblePositions. + +Test: fast/css/style-change-draggable-text.html + +* editing/CompositeEditCommand.cpp: +(WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary): + 2020-04-06 Jer Noble Strengthen the ASSERT in ImageDecoderAVFObjC::storeSampleBuffer(). Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (259594 => 259595) --- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-04-06 20:53:56 UTC (rev 259594) +++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-04-06 21:44:11 UTC (rev 259595) @@ -1159,6 +1159,9 @@ VisiblePosition visiblePos(pos, VP_DEFAULT_AFFINITY); VisiblePosition visibleParagraphStart(startOfParagraph(visiblePos)); VisiblePosition visibleParagraphEnd = endOfParagraph(visiblePos); +if (visibleParagraphStart.isNull() || visibleParagraphEnd.isNull()) +return nullptr; + VisiblePosition next = visibleParagraphEnd.next(); VisiblePosition visibleEnd = next.isNotNull() ? next : visibleParagraphEnd; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [259525] trunk/Source/WebCore
Title: [259525] trunk/Source/WebCore Revision 259525 Author shihchieh_...@apple.com Date 2020-04-03 18:04:42 -0700 (Fri, 03 Apr 2020) Log Message Protect contentFrame in SubframeLoader::loadOrRedirectSubframe with RefPtr. https://bugs.webkit.org/show_bug.cgi?id=127096 Reviewed by Alex Christensen. ContentFrame is used throughout loadOrRedirectSubframe so it needs to be protected with RefPtr. And if loader changes frame in SubframeLoader::loadSubframe, return nullptr to notify the caller. No new tests, covered by existing test. * loader/SubframeLoader.cpp: (WebCore::SubframeLoader::loadOrRedirectSubframe): (WebCore::SubframeLoader::loadSubframe): * loader/SubframeLoader.h: Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/loader/SubframeLoader.cpp trunk/Source/WebCore/loader/SubframeLoader.h Diff Modified: trunk/Source/WebCore/ChangeLog (259524 => 259525) --- trunk/Source/WebCore/ChangeLog 2020-04-04 01:01:13 UTC (rev 259524) +++ trunk/Source/WebCore/ChangeLog 2020-04-04 01:04:42 UTC (rev 259525) @@ -1,3 +1,21 @@ +2020-04-03 Jack Lee + +Protect contentFrame in SubframeLoader::loadOrRedirectSubframe with RefPtr. +https://bugs.webkit.org/show_bug.cgi?id=127096 + + +Reviewed by Alex Christensen. + +ContentFrame is used throughout loadOrRedirectSubframe so it needs to be protected with RefPtr. +And if loader changes frame in SubframeLoader::loadSubframe, return nullptr to notify the caller. + +No new tests, covered by existing test. + +* loader/SubframeLoader.cpp: +(WebCore::SubframeLoader::loadOrRedirectSubframe): +(WebCore::SubframeLoader::loadSubframe): +* loader/SubframeLoader.h: + 2020-04-03 Alex Christensen Add SPI to make WKUserScripts wait for a notification Modified: trunk/Source/WebCore/loader/SubframeLoader.cpp (259524 => 259525) --- trunk/Source/WebCore/loader/SubframeLoader.cpp 2020-04-04 01:01:13 UTC (rev 259524) +++ trunk/Source/WebCore/loader/SubframeLoader.cpp 2020-04-04 01:04:42 UTC (rev 259525) @@ -303,7 +303,7 @@ URL upgradedRequestURL = requestURL; initiatingDocument.contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(upgradedRequestURL, ContentSecurityPolicy::InsecureRequestType::Load); -auto* frame = ownerElement.contentFrame(); +RefPtr frame = makeRefPtr(ownerElement.contentFrame()); if (frame) frame->navigationScheduler().scheduleLocationChange(initiatingDocument, initiatingDocument.securityOrigin(), upgradedRequestURL, m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList); else @@ -316,7 +316,7 @@ return ownerElement.contentFrame(); } -Frame* SubframeLoader::loadSubframe(HTMLFrameOwnerElement& ownerElement, const URL& url, const String& name, const String& referrer) +RefPtr SubframeLoader::loadSubframe(HTMLFrameOwnerElement& ownerElement, const URL& url, const String& name, const String& referrer) { Ref protect(m_frame); auto document = makeRef(ownerElement.document()); @@ -376,7 +376,10 @@ if (frame->loader().state() == FrameStateComplete && !frame->loader().policyDocumentLoader()) frame->loader().checkCompleted(); -return frame.get(); +if (!frame->tree().parent()) +return nullptr; + +return frame; } bool SubframeLoader::allowPlugins() Modified: trunk/Source/WebCore/loader/SubframeLoader.h (259524 => 259525) --- trunk/Source/WebCore/loader/SubframeLoader.h 2020-04-04 01:01:13 UTC (rev 259524) +++ trunk/Source/WebCore/loader/SubframeLoader.h 2020-04-04 01:04:42 UTC (rev 259525) @@ -70,7 +70,7 @@ private: bool requestPlugin(HTMLPlugInImageElement&, const URL&, const String& serviceType, const Vector& paramNames, const Vector& paramValues, bool useFallback); Frame* loadOrRedirectSubframe(HTMLFrameOwnerElement&, const URL&, const AtomString& frameName, LockHistory, LockBackForwardList); -Frame* loadSubframe(HTMLFrameOwnerElement&, const URL&, const String& name, const String& referrer); +RefPtr loadSubframe(HTMLFrameOwnerElement&, const URL&, const String& name, const String& referrer); bool loadPlugin(HTMLPlugInImageElement&, const URL&, const String& mimeType, const Vector& paramNames, const Vector& paramValues, bool useFallback); bool shouldUsePlugin(const URL&, const String& mimeType, bool hasFallback, bool& useFallback); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [259376] trunk/Source/WebCore
Title: [259376] trunk/Source/WebCore Revision 259376 Author shihchieh_...@apple.com Date 2020-04-01 19:31:24 -0700 (Wed, 01 Apr 2020) Log Message Remove the unnecessary null check for document https://bugs.webkit.org/show_bug.cgi?id=209819 Reviewed by Ryosuke Niwa. No new tests, covered by existing test. * dom/Node.cpp: (WebCore::Node::removedFromAncestor): Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/dom/Node.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (259375 => 259376) --- trunk/Source/WebCore/ChangeLog 2020-04-02 00:35:02 UTC (rev 259375) +++ trunk/Source/WebCore/ChangeLog 2020-04-02 02:31:24 UTC (rev 259376) @@ -1,3 +1,15 @@ +2020-04-01 Jack Lee + +Remove the unnecessary null check for document +https://bugs.webkit.org/show_bug.cgi?id=209819 + +Reviewed by Ryosuke Niwa. + +No new tests, covered by existing test. + +* dom/Node.cpp: +(WebCore::Node::removedFromAncestor): + 2020-04-01 Wenson Hsieh Remove some PLATFORM(IOS_FAMILY) guards in TextFieldInputType Modified: trunk/Source/WebCore/dom/Node.cpp (259375 => 259376) --- trunk/Source/WebCore/dom/Node.cpp 2020-04-02 00:35:02 UTC (rev 259375) +++ trunk/Source/WebCore/dom/Node.cpp 2020-04-02 02:31:24 UTC (rev 259376) @@ -1304,10 +1304,8 @@ if (isInShadowTree() && !treeScope().rootNode().isShadowRoot()) clearFlag(IsInShadowTreeFlag); if (removalType.disconnectedFromDocument) { -if (auto* document = &oldParentOfRemovedTree.treeScope().documentScope()) { -if (auto* cache = document->existingAXObjectCache()) -cache->remove(*this); -} +if (auto* cache = oldParentOfRemovedTree.document().existingAXObjectCache()) +cache->remove(*this); } } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [259349] trunk/Tools
Title: [259349] trunk/Tools Revision 259349 Author shihchieh_...@apple.com Date 2020-04-01 09:18:50 -0700 (Wed, 01 Apr 2020) Log Message Unreviewed, add new committer to contributors.json * Scripts/webkitpy/common/config/contributors.json: Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/webkitpy/common/config/contributors.json Diff Modified: trunk/Tools/ChangeLog (259348 => 259349) --- trunk/Tools/ChangeLog 2020-04-01 16:13:01 UTC (rev 259348) +++ trunk/Tools/ChangeLog 2020-04-01 16:18:50 UTC (rev 259349) @@ -1,3 +1,9 @@ +2020-04-01 Jack Lee + +Unreviewed, add new committer to contributors.json + +* Scripts/webkitpy/common/config/contributors.json: + 2020-04-01 Philippe Normand [Flatpak SDK] Migration to version 0.2 Modified: trunk/Tools/Scripts/webkitpy/common/config/contributors.json (259348 => 259349) --- trunk/Tools/Scripts/webkitpy/common/config/contributors.json 2020-04-01 16:13:01 UTC (rev 259348) +++ trunk/Tools/Scripts/webkitpy/common/config/contributors.json 2020-04-01 16:18:50 UTC (rev 259349) @@ -2533,6 +2533,15 @@ ], "status" : "reviewer" }, + "Jack Lee" : { + "emails" : [ + "shihchieh_...@apple.com" + ], + "nicks" : [ + "jackl" + ], + "status" : "committer" + }, "Jacky Jiang" : { "emails" : [ "jkji...@webkit.org", ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [259348] trunk/Source/WebCore
Title: [259348] trunk/Source/WebCore Revision 259348 Author shihchieh_...@apple.com Date 2020-04-01 09:13:01 -0700 (Wed, 01 Apr 2020) Log Message Notify accessibility when a node is removed from its ancestor. https://bugs.webkit.org/show_bug.cgi?id=209819 Reviewed by Chris Fleizach. Covered by existing tests in LayoutTests/accessibility. * dom/Node.cpp: (WebCore::Node::removedFromAncestor): Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/dom/Node.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (259347 => 259348) --- trunk/Source/WebCore/ChangeLog 2020-04-01 16:04:07 UTC (rev 259347) +++ trunk/Source/WebCore/ChangeLog 2020-04-01 16:13:01 UTC (rev 259348) @@ -1,3 +1,15 @@ +2020-04-01 Jack Lee + +Notify accessibility when a node is removed from its ancestor. +https://bugs.webkit.org/show_bug.cgi?id=209819 + +Reviewed by Chris Fleizach. + +Covered by existing tests in LayoutTests/accessibility. + +* dom/Node.cpp: +(WebCore::Node::removedFromAncestor): + 2020-04-01 Commit Queue Unreviewed, reverting r259282. Modified: trunk/Source/WebCore/dom/Node.cpp (259347 => 259348) --- trunk/Source/WebCore/dom/Node.cpp 2020-04-01 16:04:07 UTC (rev 259347) +++ trunk/Source/WebCore/dom/Node.cpp 2020-04-01 16:13:01 UTC (rev 259348) @@ -1297,12 +1297,18 @@ return InsertedIntoAncestorResult::Done; } -void Node::removedFromAncestor(RemovalType removalType, ContainerNode&) +void Node::removedFromAncestor(RemovalType removalType, ContainerNode& oldParentOfRemovedTree) { if (removalType.disconnectedFromDocument) clearFlag(IsConnectedFlag); if (isInShadowTree() && !treeScope().rootNode().isShadowRoot()) clearFlag(IsInShadowTreeFlag); +if (removalType.disconnectedFromDocument) { +if (auto* document = &oldParentOfRemovedTree.treeScope().documentScope()) { +if (auto* cache = document->existingAXObjectCache()) +cache->remove(*this); +} +} } bool Node::isRootEditableElement() const ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [259210] trunk
Title: [259210] trunk Revision 259210 Author shihchieh_...@apple.com Date 2020-03-30 10:43:22 -0700 (Mon, 30 Mar 2020) Log Message Division by zero in RenderBlockFlow::computeColumnCountAndWidth https://bugs.webkit.org/show_bug.cgi?id=209485 Reviewed by Zalan Bujtas. Source/WebCore: When computing content width and height, set it to 0 if the computed size is negative. Test: fast/multicol/negativeColumnGap.html * rendering/RenderBox.h: (WebCore::RenderBox::contentWidth const): (WebCore::RenderBox::contentHeight const): LayoutTests: Added a regression test for the crash. Also modify the expected output of button.html because the size would now be different. * fast/multicol/negativeColumnGap-expected.txt: Added. * fast/multicol/negativeColumnGap.html: Added. * platform/mac/css3/flexbox/button-expected.txt: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/platform/mac/css3/flexbox/button-expected.txt trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/rendering/RenderBox.h Added Paths trunk/LayoutTests/fast/multicol/negativeColumnGap-expected.txt trunk/LayoutTests/fast/multicol/negativeColumnGap.html Diff Modified: trunk/LayoutTests/ChangeLog (259209 => 259210) --- trunk/LayoutTests/ChangeLog 2020-03-30 17:35:11 UTC (rev 259209) +++ trunk/LayoutTests/ChangeLog 2020-03-30 17:43:22 UTC (rev 259210) @@ -1,3 +1,18 @@ +2020-03-30 Jack Lee + +Division by zero in RenderBlockFlow::computeColumnCountAndWidth +https://bugs.webkit.org/show_bug.cgi?id=209485 + + +Reviewed by Zalan Bujtas. + +Added a regression test for the crash. Also modify the expected output +of button.html because the size would now be different. + +* fast/multicol/negativeColumnGap-expected.txt: Added. +* fast/multicol/negativeColumnGap.html: Added. +* platform/mac/css3/flexbox/button-expected.txt: + 2020-03-30 youenn fablet Skip webrtc/datachannel/multiple-connections.html on debug bots Added: trunk/LayoutTests/fast/multicol/negativeColumnGap-expected.txt (0 => 259210) --- trunk/LayoutTests/fast/multicol/negativeColumnGap-expected.txt (rev 0) +++ trunk/LayoutTests/fast/multicol/negativeColumnGap-expected.txt 2020-03-30 17:43:22 UTC (rev 259210) @@ -0,0 +1 @@ +Test negative column gap. The test passes if WebKit doesn't crash or hit an assertion. Added: trunk/LayoutTests/fast/multicol/negativeColumnGap.html (0 => 259210) --- trunk/LayoutTests/fast/multicol/negativeColumnGap.html (rev 0) +++ trunk/LayoutTests/fast/multicol/negativeColumnGap.html 2020-03-30 17:43:22 UTC (rev 259210) @@ -0,0 +1,13 @@ + +#TEXTAREA { grid-gap: 100%; -webkit-logical-width: 0px; } + + +if (window.testRunner) +testRunner.dumpAsText(); + +window._onload_ = () => { +TEXTAREA.style.setProperty("column-width", "1px"); +TEXTAREA.style.setProperty("padding", "0px 1px 0px 0px"); +} + +Test negative column gap. The test passes if WebKit doesn't crash or hit an assertion. Modified: trunk/LayoutTests/platform/mac/css3/flexbox/button-expected.txt (259209 => 259210) --- trunk/LayoutTests/platform/mac/css3/flexbox/button-expected.txt 2020-03-30 17:35:11 UTC (rev 259209) +++ trunk/LayoutTests/platform/mac/css3/flexbox/button-expected.txt 2020-03-30 17:43:22 UTC (rev 259210) @@ -1,8 +1,8 @@ layer at (0,0) size 800x600 RenderView at (0,0) size 800x600 -layer at (0,0) size 800x251 - RenderBlock {HTML} at (0,0) size 800x251 -RenderBody {BODY} at (8,8) size 784x235 +layer at (0,0) size 800x249 + RenderBlock {HTML} at (0,0) size 800x249 +RenderBody {BODY} at (8,8) size 784x233 RenderBlock (anonymous) at (0,0) size 784x36 RenderText {#text} at (0,0) size 778x36 text run at (0,0) width 410: "Test for empty buttons, which inherit from RenderFlexibleBox. " @@ -23,7 +23,7 @@ RenderButton {INPUT} at (2,39) size 16x18 [color=#00D8] [bgcolor=#C0C0C0] RenderBR {BR} at (20,40) size 0x18 RenderBlock {HR} at (0,121) size 784x2 [border: (1px inset #00)] - RenderBlock (anonymous) at (0,131) size 784x104 + RenderBlock (anonymous) at (0,131) size 784x102 RenderText {#text} at (0,0) size 744x36 text run at (0,0) width 744: "Empty and with overflow: scroll;. The presence of the scrollbar should not shrink the" text run at (0,18) width 45: "button." @@ -32,5 +32,5 @@ RenderBR {BR} at (35,70) size 0x18 layer at (10,187) size 31x20 clip at (12,187) size 12x5 RenderButton {BUTTON} at (2,48) size 31x20 [color=#00D8] [bgcolor=#C0C0C0] [border: none (2px outset #C0C0C0) none (2px outset #C0C0C0)] -layer at (10,223) size 31x18 clip at (10,223) size 16x3 - RenderButton {INPUT} at (2,84) size 31x18 [color=#00D8] [bgcolor=#C0C0C0] +layer at (10,221) size 31x18 clip at (10,221) size 16x3 + RenderButton {INPUT} at (2,82) size 31x18 [color=#00D8] [bgcolor=#C0C0
[webkit-changes] [259153] trunk
Title: [259153] trunk Revision 259153 Author shihchieh_...@apple.com Date 2020-03-27 21:17:00 -0700 (Fri, 27 Mar 2020) Log Message Nullptr crash in CompositeEditCommand::moveParagraphs when inserting OL into uneditable parent. https://bugs.webkit.org/show_bug.cgi?id=209641 Reviewed by Ryosuke Niwa. Source/WebCore: Inserting BR in unlistifyParagraph() or OL/UL in listifyParagraph() would fail because their insertion position is uneditable. In this case BR/OL/UL becomes parentless and the code crashes later when their parent is dereferenced in moveParagraphs(). In unlistifyParagraph(), only insertNodeBefore() and insertNodeAfter() are used and both check parent of listNode for editability, so in order to avoid assertion in the above functions, we check the editability of listNode before insertion. In listifyParagraph() it is hard to predict where the final insertion position would be, so we check the editability of the insertion position after it is finalized. Test: editing/inserting/insert-ol-uneditable-parent.html * editing/InsertListCommand.cpp: (WebCore::InsertListCommand::unlistifyParagraph): (WebCore::InsertListCommand::listifyParagraph): LayoutTests: Added a regression test for the crash. * editing/inserting/insert-ol-uneditable-parent-expected.txt: Added. * editing/inserting/insert-ol-uneditable-parent.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/InsertListCommand.cpp Added Paths trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent-expected.txt trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent.html Diff Modified: trunk/LayoutTests/ChangeLog (259152 => 259153) --- trunk/LayoutTests/ChangeLog 2020-03-28 04:00:36 UTC (rev 259152) +++ trunk/LayoutTests/ChangeLog 2020-03-28 04:17:00 UTC (rev 259153) @@ -1,3 +1,16 @@ +2020-03-27 Jack Lee + +Nullptr crash in CompositeEditCommand::moveParagraphs when inserting OL into uneditable parent. +https://bugs.webkit.org/show_bug.cgi?id=209641 + + +Reviewed by Ryosuke Niwa. + +Added a regression test for the crash. + +* editing/inserting/insert-ol-uneditable-parent-expected.txt: Added. +* editing/inserting/insert-ol-uneditable-parent.html: Added. + 2020-03-27 Eugene But Test for RenderBox::styleDidChange crash fix Added: trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent-expected.txt (0 => 259153) --- trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent-expected.txt (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent-expected.txt 2020-03-28 04:17:00 UTC (rev 259153) @@ -0,0 +1 @@ +Test insering an ol into uneditable parent. The test passes if WebKit doesn't crash or hit an assertion. Added: trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent.html (0 => 259153) --- trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent.html (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent.html 2020-03-28 04:17:00 UTC (rev 259153) @@ -0,0 +1,10 @@ + +if (window.testRunner) +testRunner.dumpAsText(); + +window._onload_ = () => { +document.getSelection().setPosition(LI); +document.execCommand("insertOrderedList", false); +} + +Test insering an ol into uneditable parent. The test passes if WebKit doesn't crash or hit an assertion. Modified: trunk/Source/WebCore/ChangeLog (259152 => 259153) --- trunk/Source/WebCore/ChangeLog 2020-03-28 04:00:36 UTC (rev 259152) +++ trunk/Source/WebCore/ChangeLog 2020-03-28 04:17:00 UTC (rev 259153) @@ -1,3 +1,27 @@ +2020-03-27 Jack Lee + +Nullptr crash in CompositeEditCommand::moveParagraphs when inserting OL into uneditable parent. +https://bugs.webkit.org/show_bug.cgi?id=209641 + + +Reviewed by Ryosuke Niwa. + +Inserting BR in unlistifyParagraph() or OL/UL in listifyParagraph() would fail +because their insertion position is uneditable. In this case BR/OL/UL becomes +parentless and the code crashes later when their parent is dereferenced in +moveParagraphs(). +In unlistifyParagraph(), only insertNodeBefore() and insertNodeAfter() are used +and both check parent of listNode for editability, so in order to avoid assertion +in the above functions, we check the editability of listNode before insertion. +In listifyParagraph() it is hard to predict where the final insertion position would be, +so we check the editability of the insertion position after it is finalized. + +Test: editing/inserting/insert-ol-uneditable-parent.html + +* editing/InsertListCommand.cpp: +(WebCore::InsertListCommand::unlistifyParagraph): +(WebCore::InsertListCommand::listifyParagraph): + 2020-03-27 Eugene But Fix null pointer crash in RenderBo
[webkit-changes] [259027] trunk
Title: [259027] trunk Revision 259027 Author shihchieh_...@apple.com Date 2020-03-25 18:51:14 -0700 (Wed, 25 Mar 2020) Log Message Nullptr crash in WebCore::Node::isDescendantOf when inserting list https://bugs.webkit.org/show_bug.cgi?id=209529 Reviewed by Darin Adler. Source/WebCore: The visible positions may be null if the DOM tree is altered before an edit command is applied. Add null check for visible positions at the beginning of InsertListCommand::doApply. Test: editing/inserting/insert-list-during-node-removal-crash.html * editing/InsertListCommand.cpp: (WebCore::InsertListCommand::doApply): LayoutTests: Added a regression test for the crash. * editing/inserting/insert-list-during-node-removal-crash-expected.txt: Added. * editing/inserting/insert-list-during-node-removal-crash.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/editing/InsertListCommand.cpp Added Paths trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (259026 => 259027) --- trunk/LayoutTests/ChangeLog 2020-03-26 01:24:05 UTC (rev 259026) +++ trunk/LayoutTests/ChangeLog 2020-03-26 01:51:14 UTC (rev 259027) @@ -1,3 +1,16 @@ +2020-03-25 Jack Lee + +Nullptr crash in WebCore::Node::isDescendantOf when inserting list +https://bugs.webkit.org/show_bug.cgi?id=209529 + + +Reviewed by Darin Adler. + +Added a regression test for the crash. + +* editing/inserting/insert-list-during-node-removal-crash-expected.txt: Added. +* editing/inserting/insert-list-during-node-removal-crash.html: Added. + 2020-03-25 Alexey Shvayka Invalid numeric and named references should be early syntax errors Added: trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt (0 => 259027) --- trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt 2020-03-26 01:51:14 UTC (rev 259027) @@ -0,0 +1 @@ +Tests inserting list during node removal. The test passes if WebKit doesn't crash or hit an assertion. Added: trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html (0 => 259027) --- trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html (rev 0) +++ trunk/LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html 2020-03-26 01:51:14 UTC (rev 259027) @@ -0,0 +1,23 @@ + +if (window.testRunner) { +testRunner.dumpAsText(); +testRunner.waitUntilDone(); +} + +function DomNodeEventHandler() { +document.execCommand("insertOrderedList", false); +requestAnimationFrame(function () { +document.body.innerHTML = "Tests inserting list during node removal. The test passes if WebKit doesn't crash or hit an assertion.
"; +if (window.testRunner) { +testRunner.notifyDone(); +} +}); +} + +window._onload_ = () => { +TD.addEventListener("DOMNodeRemovedFromDocument", DomNodeEventHandler); +document.execCommand("selectAll", false); +window.getSelection().deleteFromDocument(); +} + +a Modified: trunk/Source/WebCore/ChangeLog (259026 => 259027) --- trunk/Source/WebCore/ChangeLog 2020-03-26 01:24:05 UTC (rev 259026) +++ trunk/Source/WebCore/ChangeLog 2020-03-26 01:51:14 UTC (rev 259027) @@ -1,3 +1,19 @@ +2020-03-25 Jack Lee + +Nullptr crash in WebCore::Node::isDescendantOf when inserting list +https://bugs.webkit.org/show_bug.cgi?id=209529 + + +Reviewed by Darin Adler. + +The visible positions may be null if the DOM tree is altered before an edit command is applied. +Add null check for visible positions at the beginning of InsertListCommand::doApply. + +Test: editing/inserting/insert-list-during-node-removal-crash.html + +* editing/InsertListCommand.cpp: +(WebCore::InsertListCommand::doApply): + 2020-03-25 Alexey Shvayka Invalid numeric and named references should be early syntax errors Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (259026 => 259027) --- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-03-26 01:24:05 UTC (rev 259026) +++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-03-26 01:51:14 UTC (rev 259027) @@ -112,12 +112,13 @@ void InsertListCommand::doApply() { -if (endingSelection().isNoneOrOrphaned() || !endingSelection().isContentRichlyEditable()) +VisiblePosition visibleEnd = endingSelection().visibleEnd(); +VisiblePosition visibleStart = endingSelection().visibleStart(); + +if (visibleEnd.isNull() || visibleStart.isN