Modified: branches/safari-610.1.7-branch/Source/WebCore/ChangeLog (258408 => 258409)
--- branches/safari-610.1.7-branch/Source/WebCore/ChangeLog 2020-03-13 17:44:28 UTC (rev 258408)
+++ branches/safari-610.1.7-branch/Source/WebCore/ChangeLog 2020-03-13 17:44:32 UTC (rev 258409)
@@ -1,3 +1,55 @@
+2020-03-13 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r258399. rdar://problem/60422524
+
+ Crash in TextIterator::node via TextManipulationController::replace
+ https://bugs.webkit.org/show_bug.cgi?id=209048
+
+ Reviewed by Wenson Hsieh.
+
+ Source/WebCore:
+
+ The crash was caused by item.start being null in TextManipulationController::replace for a paragraph
+ consisting of just an image because TextManipulationController::observeParagraphs never may never set
+ startOfCurrentParagraph in such a case (content.isTextContent can be false for an image!).
+
+ Fixed the bug by setting startOfCurrentParagraph to a position before the current content's node
+ when inserting a token for a RenderReplaced if it's null.
+
+ Test: TextManipulation.CompleteTextManipulationShouldReplaceContentsAroundParagraphWithJustImage
+
+ * editing/TextManipulationController.cpp:
+ (WebCore::TextManipulationController::observeParagraphs):
+
+ Tools:
+
+ Added a regression test.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/TextManipulation.mm:
+ (TextManipulation.CompleteTextManipulationShouldReplaceContentsAroundParagraphWithJustImage):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258399 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-03-13 Ryosuke Niwa <rn...@webkit.org>
+
+ Crash in TextIterator::node via TextManipulationController::replace
+ https://bugs.webkit.org/show_bug.cgi?id=209048
+
+ Reviewed by Wenson Hsieh.
+
+ The crash was caused by item.start being null in TextManipulationController::replace for a paragraph
+ consisting of just an image because TextManipulationController::observeParagraphs never may never set
+ startOfCurrentParagraph in such a case (content.isTextContent can be false for an image!).
+
+ Fixed the bug by setting startOfCurrentParagraph to a position before the current content's node
+ when inserting a token for a RenderReplaced if it's null.
+
+ Test: TextManipulation.CompleteTextManipulationShouldReplaceContentsAroundParagraphWithJustImage
+
+ * editing/TextManipulationController.cpp:
+ (WebCore::TextManipulationController::observeParagraphs):
+
2020-03-12 Russell Epstein <repst...@apple.com>
Cherry-pick r258371. rdar://problem/60395490
Modified: branches/safari-610.1.7-branch/Source/WebCore/editing/TextManipulationController.cpp (258408 => 258409)
--- branches/safari-610.1.7-branch/Source/WebCore/editing/TextManipulationController.cpp 2020-03-13 17:44:28 UTC (rev 258408)
+++ branches/safari-610.1.7-branch/Source/WebCore/editing/TextManipulationController.cpp 2020-03-13 17:44:32 UTC (rev 258409)
@@ -278,6 +278,8 @@
}
if (content.isReplacedContent) {
+ if (startOfCurrentParagraph.isNull())
+ startOfCurrentParagraph = positionBeforeNode(content.node.get());
tokensInCurrentParagraph.append(ManipulationToken { m_tokenIdentifier.generate(), "[]", true /* isExcluded */});
continue;
}
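Review bot: The new null check in the `content.isReplacedContent` branch closes one path that leaves `startOfCurrentParagraph` unset, but `TextManipulationController::replace` is not changed by this commit. The ChangeLog names that function as the place where the null `item.start` was used, so any other path that records an item with a null start would presumably still crash the same way on web content. I would also have `replace` reject such an item up front: check `item.start.isNull()` and return its existing failure result before iterating. `content.node.get()` is passed to `positionBeforeNode` unchecked, which is safe only if replaced content always carries a node, and the hunk does not show that; a comment such as `// A paragraph can begin with replaced content (e.g. an image), so the start may still be unset here.` would explain the guard. The enclosing `observeParagraphs` body starts and ends outside the hunk.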
Modified: branches/safari-610.1.7-branch/Tools/ChangeLog (258408 => 258409)
--- branches/safari-610.1.7-branch/Tools/ChangeLog 2020-03-13 17:44:28 UTC (rev 258408)
+++ branches/safari-610.1.7-branch/Tools/ChangeLog 2020-03-13 17:44:32 UTC (rev 258409)
@@ -1,3 +1,48 @@
+2020-03-13 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r258399. rdar://problem/60422524
+
+ Crash in TextIterator::node via TextManipulationController::replace
+ https://bugs.webkit.org/show_bug.cgi?id=209048
+
+ Reviewed by Wenson Hsieh.
+
+ Source/WebCore:
+
+ The crash was caused by item.start being null in TextManipulationController::replace for a paragraph
+ consisting of just an image because TextManipulationController::observeParagraphs never may never set
+ startOfCurrentParagraph in such a case (content.isTextContent can be false for an image!).
+
+ Fixed the bug by setting startOfCurrentParagraph to a position before the current content's node
+ when inserting a token for a RenderReplaced if it's null.
+
+ Test: TextManipulation.CompleteTextManipulationShouldReplaceContentsAroundParagraphWithJustImage
+
+ * editing/TextManipulationController.cpp:
+ (WebCore::TextManipulationController::observeParagraphs):
+
+ Tools:
+
+ Added a regression test.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/TextManipulation.mm:
+ (TextManipulation.CompleteTextManipulationShouldReplaceContentsAroundParagraphWithJustImage):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258399 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-03-13 Ryosuke Niwa <rn...@webkit.org>
+
+ Crash in TextIterator::node via TextManipulationController::replace
+ https://bugs.webkit.org/show_bug.cgi?id=209048
+
+ Reviewed by Wenson Hsieh.
+
+ Added a regression test.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/TextManipulation.mm:
+ (TextManipulation.CompleteTextManipulationShouldReplaceContentsAroundParagraphWithJustImage):
+
2020-03-12 Russell Epstein <repst...@apple.com>
Cherry-pick r258371. rdar://problem/60395490
Modified: branches/safari-610.1.7-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/TextManipulation.mm (258408 => 258409)
--- branches/safari-610.1.7-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/TextManipulation.mm 2020-03-13 17:44:28 UTC (rev 258408)
+++ branches/safari-610.1.7-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/TextManipulation.mm 2020-03-13 17:44:32 UTC (rev 258409)
@@ -942,6 +942,42 @@
"<div><span style=\"display: block\">hello, world</span></div></div>", [webView stringByEvaluatingJavaScript:@"document.body.innerHTML"]);
}
+TEST(TextManipulation, CompleteTextManipulationShouldReplaceContentsAroundParagraphWithJustImage)
+{
+ auto delegate = adoptNS([[TextManipulationDelegate alloc] init]);
+ auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 400, 400)]);
+ [webView _setTextManipulationDelegate:delegate.get()];
+
+ [webView synchronouslyLoadHTMLString:@"<!DOCTYPE html><html><body><div>heeey</div><div><img src=""
+
+ done = false;
+ [webView _startTextManipulationsWithConfiguration:nil completion:^{
+ done = true;
+ }];
+ TestWebKitAPI::Util::run(&done);
+
+ auto *items = [delegate items];
+ EXPECT_EQ(items.count, 3UL);
+ EXPECT_EQ(items[0].tokens.count, 1UL);
+ EXPECT_STREQ("heeey", items[0].tokens[0].content.UTF8String);
+ EXPECT_EQ(items[1].tokens.count, 1UL);
+ EXPECT_STREQ("[]", items[1].tokens[0].content.UTF8String);
+ EXPECT_EQ(items[2].tokens.count, 1UL);
+ EXPECT_STREQ("woorld", items[2].tokens[0].content.UTF8String);
+
+ done = false;
+ [webView _completeTextManipulationForItems:@[
+ (_WKTextManipulationItem *)createItem(items[0].identifier, { { items[0].tokens[0].identifier, @"hello" } }),
+ (_WKTextManipulationItem *)createItem(items[1].identifier, { { items[1].tokens[0].identifier, nil } }),
+ (_WKTextManipulationItem *)createItem(items[2].identifier, { { items[2].tokens[0].identifier, @"world" } }),
+ ] completion:^(NSArray<NSError *> *errors) {
+ EXPECT_EQ(errors, nil);
+ done = true;
+ }];
+ TestWebKitAPI::Util::run(&done);
+ EXPECT_WK_STREQ("<div>hello</div><div><img src="" [webView stringByEvaluatingJavaScript:@"document.body.innerHTML"]);
+}
+
TEST(TextManipulation, CompleteTextManipulationShouldBatchItemCallback)
{
auto delegate = adoptNS([[TextManipulationDelegate alloc] init]);
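Review bot: `EXPECT_EQ(items.count, 3UL)` in the added test is non-fatal, so if the item count regresses, the `items[1]` and `items[2]` subscripts still run and raise an out-of-range exception instead of reporting a clean failure. `ASSERT_EQ(items.count, 3UL);` would stop the test at the first mismatch, and the same applies to each `tokens.count` check that precedes a `tokens[0]` access. The test places the image-only paragraph between two text paragraphs. As far as the ChangeLog shows, a second case where the image-only paragraph is the first or only content in the body would exercise the null-start path more directly.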