Title: [285764] trunk
- Revision: 285764
- Author: commit-qu...@webkit.org
- Date: 2021-11-12 17:16:04 -0800 (Fri, 12 Nov 2021)
Log Message
Null check m_spanElement
https://bugs.webkit.org/show_bug.cgi?id=230894
Patch by Rob Buis <rb...@igalia.com> on 2021-11-12
Reviewed by Wenson Hsieh.
Source/WebCore:
Null check m_spanElement in ReplaceNodeWithSpanCommand::doUnapply, since
it may not be created by ReplaceNodeWithSpanCommand::doApply.
Test: editing/execCommand/default-paragraph-separator-crash.html
* editing/ReplaceNodeWithSpanCommand.cpp:
(WebCore::ReplaceNodeWithSpanCommand::doUnapply):
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuilder):
LayoutTests:
* editing/execCommand/default-paragraph-separator-crash-expected.txt: Added.
* editing/execCommand/default-paragraph-separator-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (285763 => 285764)
--- trunk/LayoutTests/ChangeLog 2021-11-13 00:55:20 UTC (rev 285763)
+++ trunk/LayoutTests/ChangeLog 2021-11-13 01:16:04 UTC (rev 285764)
@@ -1,3 +1,13 @@
+2021-11-12 Rob Buis <rb...@igalia.com>
+
+ Null check m_spanElement
+ https://bugs.webkit.org/show_bug.cgi?id=230894
+
+ Reviewed by Wenson Hsieh.
+
+ * editing/execCommand/default-paragraph-separator-crash-expected.txt: Added.
+ * editing/execCommand/default-paragraph-separator-crash.html: Added.
+
2021-11-12 Chris Dumez <cdu...@apple.com>
Crash when accessing reason property of a newly created AbortSignal
Added: trunk/LayoutTests/editing/execCommand/default-paragraph-separator-crash-expected.txt (0 => 285764)
--- trunk/LayoutTests/editing/execCommand/default-paragraph-separator-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/execCommand/default-paragraph-separator-crash-expected.txt 2021-11-13 01:16:04 UTC (rev 285764)
@@ -0,0 +1 @@
+Test passes if it does not crash.
Added: trunk/LayoutTests/editing/execCommand/default-paragraph-separator-crash.html (0 => 285764)
--- trunk/LayoutTests/editing/execCommand/default-paragraph-separator-crash.html (rev 0)
+++ trunk/LayoutTests/editing/execCommand/default-paragraph-separator-crash.html 2021-11-13 01:16:04 UTC (rev 285764)
@@ -0,0 +1,20 @@
+<script>
+ if (window.testRunner)
+ window.testRunner.dumpAsText();
+ _onload_ = () => {
+ let output0 = document.createElement('output');
+ document.body.appendChild(output0);
+ let h1 = document.createElement('h1');
+ output0.appendChild(h1);
+ let table0 = document.createElement('table');
+ h1.appendChild(table0);
+ table0.appendChild(document.createElement('h1'));
+ output0.appendChild(document.createElement('div'));
+ document.designMode = 'on';
+ document.execCommand('SelectAll');
+ document.execCommand('DefaultParagraphSeparator', false, 'p');
+ document.execCommand('JustifyRight');
+ document.execCommand('Undo');
+ document.write("Test passes if it does not crash.");
+ };
+</script>
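Review bot: The handler in this test is assigned as `_onload_ = () => {`, which sets a global named `_onload_` rather than the window's `onload`, so as written nothing invokes the function: the execCommand sequence ending in `Undo` never runs and the expected text is never written. It should read `onload = () => {`. A one-line comment above the DOM construction saying why this shape (a table inside an h1 inside an output element) is required would also help whoever next touches the test.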
Modified: trunk/Source/WebCore/ChangeLog (285763 => 285764)
--- trunk/Source/WebCore/ChangeLog 2021-11-13 00:55:20 UTC (rev 285763)
+++ trunk/Source/WebCore/ChangeLog 2021-11-13 01:16:04 UTC (rev 285764)
@@ -1,3 +1,20 @@
+2021-11-12 Rob Buis <rb...@igalia.com>
+
+ Null check m_spanElement
+ https://bugs.webkit.org/show_bug.cgi?id=230894
+
+ Reviewed by Wenson Hsieh.
+
+ Null check m_spanElement in ReplaceNodeWithSpanCommand::doUnapply, since
+ it may not be created by ReplaceNodeWithSpanCommand::doApply.
+
+ Test: editing/execCommand/default-paragraph-separator-crash.html
+
+ * editing/ReplaceNodeWithSpanCommand.cpp:
+ (WebCore::ReplaceNodeWithSpanCommand::doUnapply):
+ * editing/ReplaceSelectionCommand.cpp:
+ (WebCore::ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuilder):
+
2021-11-12 Chris Dumez <cdu...@apple.com>
Crash when accessing reason property of a newly created AbortSignal
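Review bot: The ChangeLog entry explains only the doUnapply null check; the line for `ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuilder` carries no description, although that function gains two `isConnected()` checks in this revision. Please add a sentence after that entry saying why a node can be disconnected at those points and what skipping it prevents.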
Modified: trunk/Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp (285763 => 285764)
--- trunk/Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp 2021-11-13 00:55:20 UTC (rev 285763)
+++ trunk/Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp 2021-11-13 01:16:04 UTC (rev 285764)
@@ -68,7 +68,7 @@
void ReplaceNodeWithSpanCommand::doUnapply()
{
- if (!m_spanElement->isConnected())
+ if (!m_spanElement || !m_spanElement->isConnected())
return;
swapInNodePreservingAttributesAndChildren(m_elementToReplace, *m_spanElement);
}
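Review bot: The new `!m_spanElement` test in doUnapply returns silently, and nothing at the call site says when the member can legitimately be null. The log message attributes it to doApply not always creating the span, so a short comment on the check stating that would keep a later reader from treating it as dead code. It is also worth confirming that an undo which returns early here leaves the rest of the composite command in a consistent state, since the early return skips `swapInNodePreservingAttributesAndChildren` entirely.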
Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (285763 => 285764)
--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2021-11-13 00:55:20 UTC (rev 285763)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2021-11-13 01:16:04 UTC (rev 285764)
@@ -795,11 +795,17 @@
if (!is<HTMLElement>(*node))
continue;
+ if (!node->isConnected())
+ continue;
+
if (isProhibitedParagraphChild(downcast<HTMLElement>(*node).localName())) {
if (RefPtr paragraphElement = enclosingElementWithTag(positionInParentBeforeNode(node.get()), pTag)) {
RefPtr parent { paragraphElement->parentNode() };
- if (parent && parent->hasEditableStyle())
+ if (parent && parent->hasEditableStyle()) {
moveNodeOutOfAncestor(*node, *paragraphElement, insertedNodes);
+ if (!node->isConnected())
+ continue;
+ }
}
}
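Review bot: The re-check added after `moveNodeOutOfAncestor(*node, *paragraphElement, insertedNodes);` is the last statement in its block, and the context that follows in this hunk is only closing braces, so whether its `continue` skips anything depends on loop code past the end of the hunk. Please add a comment naming which later step must not see a disconnected node, and say in the same place why `moveNodeOutOfAncestor` can leave `node` disconnected. The first `if (!node->isConnected())` check, placed before `isProhibitedParagraphChild`, would benefit from the same one-line explanation.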