Skip to site navigation (Press enter)

[webkit-changes] [258662] trunk

commit-queue Wed, 18 Mar 2020 13:35:25 -0700

Title: [258662] trunk

Revision: 258662
Author: [email protected]
Date: 2020-03-18 13:23:39 -0700 (Wed, 18 Mar 2020)

Log Message

Source/WebCore:
Fix ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren crash
https://bugs.webkit.org/show_bug.cgi?id=208312


Patch by Eugene But <[email protected]> on 2020-03-18
Reviewed by Ryosuke Niwa

ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren
was crashing on dereferencing m_firstNodeInserted pointer. Before the crash
ReplaceSelectionCommand::InsertedNodes object received the following calls:

respondToNodeInsertion() with node A, which set m_firstNodeInserted and m_lastNodeInserted to A
willRemoveNode() with node B, which left m_firstNodeInserted and m_lastNodeInserted unchanged (A)
(node A was destroyed setting m_firstNodeInserted and m_lastNodeInserted to null)
respondToNodeInsertion() with node C, which set m_firstNodeInserted and m_lastNodeInserted to C
willRemoveNodePreservingChildren() with node C, which set m_firstNodeInserted to null and crashed

This patch checks m_firstNodeInserted before dereferencing and sets m_lastNodeInserted to null if
m_firstNodeInserted became null. It seems like having non-null value for m_lastNodeInserted would
be an invalid state.

Test: editing/pasteboard/insert-apple-style-span-after-timeout.html

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren):

LayoutTests:
Test for ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren crash fix
https://bugs.webkit.org/show_bug.cgi?id=208312

Patch by Eugene But <[email protected]> on 2020-03-18
Reviewed by Ryosuke Niwa

This test insers empty Apple-style-span after timeout to a non-empty document.

* editing/pasteboard/insert-apple-style-span-after-timeout.html:

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp

Added Paths

trunk/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout-expected.txt
trunk/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout.html

Diff

Modified: trunk/LayoutTests/ChangeLog (258661 => 258662)


--- trunk/LayoutTests/ChangeLog	2020-03-18 19:52:37 UTC (rev 258661)
+++ trunk/LayoutTests/ChangeLog	2020-03-18 20:23:39 UTC (rev 258662)
@@ -1,3 +1,14 @@
+2020-03-18  Eugene But  <[email protected]>
+
+        Test for ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren crash fix
+        https://bugs.webkit.org/show_bug.cgi?id=208312
+
+        Reviewed by Ryosuke Niwa
+
+        This test insers empty Apple-style-span after timeout to a non-empty document.
+
+        * editing/pasteboard/insert-apple-style-span-after-timeout.html:
+
 2020-03-18  Frank Yang  <[email protected]>
 
         [CSS Writing Modes] Import css/css-writing-modes from WPT

Added: trunk/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout-expected.txt (0 => 258662)


--- trunk/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout-expected.txt	2020-03-18 20:23:39 UTC (rev 258662)
@@ -0,0 +1 @@
+No crash!

Added: trunk/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout.html (0 => 258662)


--- trunk/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout.html	                        (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/insert-apple-style-span-after-timeout.html	2020-03-18 20:23:39 UTC (rev 258662)
@@ -0,0 +1,21 @@
+<html>
+  <body>
+    <script>    
+      if (window.testRunner) {
+        window.testRunner.dumpAsText();
+        window.testRunner.waitUntilDone();
+      }
+
+      function test() {
+        document.designMode = 'on';
+        document.execCommand("selectAll");
+        document.execCommand("InsertHTML", false, "<p>No crash!</p>");
+        document.execCommand("InsertHTML", false, "<span class='Apple-style-span'></span>");
+        
+        if (window.testRunner)
+          testRunner.notifyDone();
+      }
+      setTimeout(test);
+    </script>&lt;
+  </body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (258661 => 258662)


--- trunk/Source/WebCore/ChangeLog	2020-03-18 19:52:37 UTC (rev 258661)
+++ trunk/Source/WebCore/ChangeLog	2020-03-18 20:23:39 UTC (rev 258662)
@@ -1,3 +1,29 @@
+2020-03-18  Eugene But  <[email protected]>
+
+        Fix ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren crash
+        https://bugs.webkit.org/show_bug.cgi?id=208312
+        
+        Reviewed by Ryosuke Niwa
+
+        ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren
+        was crashing on dereferencing m_firstNodeInserted pointer. Before the crash
+        ReplaceSelectionCommand::InsertedNodes object received the following calls:
+
+        respondToNodeInsertion() with node A, which set m_firstNodeInserted and m_lastNodeInserted to A
+        willRemoveNode() with node B, which left m_firstNodeInserted and m_lastNodeInserted unchanged (A)
+        (node A was destroyed setting m_firstNodeInserted and m_lastNodeInserted to null)
+        respondToNodeInsertion() with node C, which set m_firstNodeInserted and m_lastNodeInserted to C
+        willRemoveNodePreservingChildren() with node C, which set m_firstNodeInserted to null and crashed
+
+        This patch checks m_firstNodeInserted before dereferencing and sets m_lastNodeInserted to null if
+        m_firstNodeInserted became null. It seems like having non-null value for m_lastNodeInserted would
+        be an invalid state.
+
+        Test: editing/pasteboard/insert-apple-style-span-after-timeout.html
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::InsertedNodes::willRemoveNodePreservingChildren):
+
 2020-03-18  Youenn Fablet  <[email protected]>
 
         CrossOriginPreflightResultCacheItem::allows methods should not use out parameters

Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (258661 => 258662)


--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2020-03-18 19:52:37 UTC (rev 258661)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2020-03-18 20:23:39 UTC (rev 258662)
@@ -388,7 +388,7 @@
         m_firstNodeInserted = NodeTraversal::next(*node);
     if (m_lastNodeInserted == node) {
         m_lastNodeInserted = node->lastChild() ? node->lastChild() : NodeTraversal::nextSkippingChildren(*node);
-        if (!m_lastNodeInserted) {
+        if (!m_lastNodeInserted && m_firstNodeInserted) {
             // If the last inserted node is at the end of the document and doesn't have any children, look backwards for the
             // previous node as the last inserted node, clamping to the first inserted node if needed to ensure that the
             // document position of the last inserted node is not behind the first inserted node.

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes