Title: [210376] trunk/Source/WebCore
Revision
210376
Author
rn...@webkit.org
Date
2017-01-05 14:18:36 -0800 (Thu, 05 Jan 2017)

Log Message

Crash inside Editor::styleForSelectionStart
https://bugs.webkit.org/show_bug.cgi?id=166710

Reviewed by Chris Dumez.

Added a null pointer check. This crash can happen when the DOM is mutated as editorState tries
to compute the style at the selection start.

No new tests since there is no reproducible test case, and I couldn't come up with one either.
This crash seems to require some intricate dependency between when the DOM is mutated, selection is
updated, and then performPostLayoutTasks ends up updating the editor state in response to
the element's editability changing.

* editing/cocoa/EditorCocoa.mm:
(WebCore::Editor::styleForSelectionStart):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (210375 => 210376)


--- trunk/Source/WebCore/ChangeLog	2017-01-05 21:35:05 UTC (rev 210375)
+++ trunk/Source/WebCore/ChangeLog	2017-01-05 22:18:36 UTC (rev 210376)
@@ -1,3 +1,21 @@
+2017-01-04  Ryosuke Niwa  <rn...@webkit.org>
+
+        Crash inside Editor::styleForSelectionStart
+        https://bugs.webkit.org/show_bug.cgi?id=166710
+
+        Reviewed by Chris Dumez.
+
+        Added a null pointer check. This crash can happen when the DOM is mutated as editorState tries
+        to compute the style at the selection start.
+
+        No new tests since there is no reproducible test case, and I couldn't come up with one either.
+        This crash seems to retire some intricate dependency between when DOM is mutated, selection is
+        updated, and then performPostLayoutTasks ends up updating the editor state in response to
+        the element's editabilty changing.
+
+        * editing/cocoa/EditorCocoa.mm:
+        (WebCore::Editor::styleForSelectionStart):
+
 2017-01-05  Ryan Haddad  <ryanhad...@apple.com>
 
         Unreviewed, rolling out r210370.
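Review bot: the new ChangeLog entry carries two typos that will be frozen into the project history: "retire" in "This crash seems to retire some intricate dependency" should read "require", and "editabilty" should be "editability". The entry is also dated 2017-01-04 while the commit lands on 2017-01-05; worth aligning the date before landing so the ChangeLog order matches the revision history.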

Modified: trunk/Source/WebCore/editing/cocoa/EditorCocoa.mm (210375 => 210376)


--- trunk/Source/WebCore/editing/cocoa/EditorCocoa.mm	2017-01-05 21:35:05 UTC (rev 210375)
+++ trunk/Source/WebCore/editing/cocoa/EditorCocoa.mm	2017-01-05 22:18:36 UTC (rev 210376)
@@ -76,8 +76,9 @@
 
     styleElement->appendChild(frame->document()->createEditingTextNode(emptyString()));
 
-    if (position.deprecatedNode()->parentNode()->appendChild(styleElement).hasException())
-        return nullptr; 
+    auto positionNode = position.deprecatedNode();
+    if (!positionNode || !positionNode->parentNode() || positionNode->parentNode()->appendChild(styleElement).hasException())
+        return nullptr;
 
     nodeToRemove = styleElement.ptr();
 
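Review bot: `positionNode->parentNode()` is evaluated twice in the new condition; caching the parent once makes the null guard easier to read and audit, e.g. `auto* parent = positionNode ? positionNode->parentNode() : nullptr;` followed by `if (!parent || parent->appendChild(styleElement).hasException())`. The guard as written does cover both the null node and the detached-node case the ChangeLog describes (the position's node having lost its parent after a DOM mutation), and it drops the trailing whitespace after the old `return nullptr;` as a side effect. Since the change lands without a test, a short comment at the check explaining that the position can go stale when the DOM is mutated while editorState is being computed would help whoever touches this path next.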
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes