Title: [270018] trunk
Revision: 270018
Author: svil...@igalia.com
Date: 2020-11-19 00:40:50 -0800 (Thu, 19 Nov 2020)
Log Message
Nullptr crash in RenderObject::parent
https://bugs.webkit.org/show_bug.cgi?id=218484
<rdar://problem/70985057>
Reviewed by Ryosuke Niwa.
Source/WebCore:
Let's imagine the following scenario:

    BODY
      LI contenteditable=true
        DIV

If the current visible selection is on DIV and we try to execute document.execCommand("InsertOrderedList") then
the current code will first try to fix the orphaned LI before inserting a new list. Fixing the orphaned
LI means that a new list tag must be created between BODY and LI. There is one caveat though, and it is that the
InsertNodeBeforeCommand requires that the parent of the new node (in this case the BODY) must be richly editable
(something that is not happening in the example above). That's why we need to ensure that this precondition is met
before trying to fix the orphaned list item.
Test: fast/editing/insert-list-in-orphaned-list-item-crash.html
* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::fixOrphanedListChild): Early return if the parent is not richly editable.
(WebCore::InsertListCommand::doApplyForSingleParagraph): Fixed a typo.
LayoutTests:
Added new test case.
* fast/editing/insert-list-in-orphaned-list-item-crash-expected.txt: Added.
* fast/editing/insert-list-in-orphaned-list-item-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (270017 => 270018)
--- trunk/LayoutTests/ChangeLog 2020-11-19 08:16:18 UTC (rev 270017)
+++ trunk/LayoutTests/ChangeLog 2020-11-19 08:40:50 UTC (rev 270018)
@@ -1,3 +1,16 @@
+2020-11-17 Sergio Villar Senin <svil...@igalia.com>
+
+ Nullptr crash in RenderObject::parent
+ https://bugs.webkit.org/show_bug.cgi?id=218484
+ <rdar://problem/70985057>
+
+ Reviewed by Ryosuke Niwa.
+
+ Added new test case.
+
+ * fast/editing/insert-list-in-orphaned-list-item-crash-expected.txt: Added.
+ * fast/editing/insert-list-in-orphaned-list-item-crash.html: Added.
+
2020-11-19 Diego Pino Garcia <dp...@igalia.com>
[GLIB] Unreviewed test gardening. Move common GTK and WPE failures to GLIB.
Added: trunk/LayoutTests/fast/editing/insert-list-in-orphaned-list-item-crash-expected.txt (0 => 270018)
--- trunk/LayoutTests/fast/editing/insert-list-in-orphaned-list-item-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/editing/insert-list-in-orphaned-list-item-crash-expected.txt 2020-11-19 08:40:50 UTC (rev 270018)
@@ -0,0 +1 @@
+The test PASS if it does not crash.
Property changes on: trunk/LayoutTests/fast/editing/insert-list-in-orphaned-list-item-crash-expected.txt
___________________________________________________________________
Added: svn:eol-style
+LF
\ No newline at end of property
Added: trunk/LayoutTests/fast/editing/insert-list-in-orphaned-list-item-crash.html (0 => 270018)
--- trunk/LayoutTests/fast/editing/insert-list-in-orphaned-list-item-crash.html (rev 0)
+++ trunk/LayoutTests/fast/editing/insert-list-in-orphaned-list-item-crash.html 2020-11-19 08:40:50 UTC (rev 270018)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+function test() {
+ document.getSelection().collapse(target);;
+ document.execCommand("insertOrderedList");
+}
+</script>
+<body _onload_=test()>
+<li contenteditable="true">
+ <div id="target"></div>
+</li>
+<p>The test PASS if it does not crash.</p>
+</body>
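Review bot: On the `<body>` line the handler attribute reads `_onload_=test()` as shown here, which is not an event handler attribute, so test() would never run and the test would pass without reaching execCommand; confirm the committed file uses `onload`. In test(), `collapse(target);;` has a stray second semicolon, and `target` resolves only through the implicit named-element lookup on window; `document.getElementById("target")` would make the dependency explicit. The test also only asserts the absence of a crash, so a short check that no list element was inserted under the non-editable BODY would pin down the intended behaviour of the early return.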
Property changes on: trunk/LayoutTests/fast/editing/insert-list-in-orphaned-list-item-crash.html
___________________________________________________________________
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:mime-type
+text/html
\ No newline at end of property
Modified: trunk/Source/WebCore/ChangeLog (270017 => 270018)
--- trunk/Source/WebCore/ChangeLog 2020-11-19 08:16:18 UTC (rev 270017)
+++ trunk/Source/WebCore/ChangeLog 2020-11-19 08:40:50 UTC (rev 270018)
@@ -1,3 +1,30 @@
+2020-11-17 Sergio Villar Senin <svil...@igalia.com>
+
+ Nullptr crash in RenderObject::parent
+ https://bugs.webkit.org/show_bug.cgi?id=218484
+ <rdar://problem/70985057>
+
+ Reviewed by Ryosuke Niwa.
+
+ Let's imagine the following scenario:
+
+ BODY
+ LI contenteditable=true
+ DIV
+
+ If the current visible selection is on DIV and we try to execute document.execCommand("InsertOrderedList") then
+ the current code will first try to fix the orphaned LI before inserting a new list. Fixing the orphaned
+ LI means that a new list tag must be created between BODY and LI. There is one caveat though, and is that the
+ InsertNodeBeforeCommand requires that the parent of the new node (in this case the BODY) must be richly editable
+ (something that is not happening in the example above). That's why we need to ensure that this precondition is met
+ before trying to fix the orphaned list item.
+
+ Test: fast/editing/insert-list-in-orphaned-list-item-crash.html
+
+ * editing/InsertListCommand.cpp:
+ (WebCore::InsertListCommand::fixOrphanedListChild): Early return if the parent is not richly editable.
+ (WebCore::InsertListCommand::doApplyForSingleParagraph): Fixed a typo.
+
2020-11-18 Wenson Hsieh <wenson_hs...@apple.com>
Rename MetaCommandSwitchTo to MetaCommandSwitchToItemBuffer
Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (270017 => 270018)
--- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-11-19 08:16:18 UTC (rev 270017)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-11-19 08:40:50 UTC (rev 270018)
@@ -56,6 +56,10 @@
HTMLElement* InsertListCommand::fixOrphanedListChild(Node& node)
{
+ auto parentNode = makeRefPtr(node.parentNode());
+ if (parentNode && !parentNode->hasRichlyEditableStyle())
+ return nullptr;
+
auto listElement = HTMLUListElement::create(document());
insertNodeBefore(listElement.copyRef(), node);
if (!listElement->hasEditableStyle())
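Review bot: The new guard `if (parentNode && !parentNode->hasRichlyEditableStyle())` is skipped when node.parentNode() is null, so a parentless node still reaches insertNodeBefore even though the commit message states that the parent of the new node must be richly editable. If a detached node can arrive here, `if (!parentNode || !parentNode->hasRichlyEditableStyle())` would cover both cases; if it cannot, a short comment or assertion saying so would help the next reader. A one-line comment above the check naming the InsertNodeBeforeCommand precondition would also keep the reason for the early return next to the code rather than only in the ChangeLog.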
@@ -210,7 +214,7 @@
Node* listChildNode = enclosingListChild(selectionNode);
bool switchListType = false;
if (listChildNode) {
- // Remove the list chlild.
+ // Remove the list child.
RefPtr<HTMLElement> listNode = enclosingList(listChildNode);
if (!listNode) {
RefPtr<HTMLElement> listElement = fixOrphanedListChild(*listChildNode);
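Review bot: The call `fixOrphanedListChild(*listChildNode)` at the end of this context can now return nullptr through the new early return for a non-richly-editable parent, and the lines shown stop at the assignment. Please confirm that the code following it checks listElement before use, since the added test drives exactly this path. The comment typo fix itself is fine.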