Title: [261258] trunk
Revision: 261258
Author: [email protected]
Date: 2020-05-06 16:16:14 -0700 (Wed, 06 May 2020)

Log Message

Nullptr crash in indentOutdentCommand::formatRange with asynchronous commands: indent and insert list.
https://bugs.webkit.org/show_bug.cgi?id=211466
<rdar://problem/62845430>

Reviewed by Geoffrey Garen.

Source/WebCore:

Check for null outerBlock returned by splitTreeToNode and bail out.

Test: fast/editing/indent-then-insertUL-crash.html

* editing/IndentOutdentCommand.cpp:
(WebCore::IndentOutdentCommand::indentIntoBlockquote):

LayoutTests:

Added a regression test for the crash.

* fast/editing/indent-then-insertUL-crash-expected.txt: Added.
* fast/editing/indent-then-insertUL-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (261257 => 261258)


--- trunk/LayoutTests/ChangeLog	2020-05-06 23:01:06 UTC (rev 261257)
+++ trunk/LayoutTests/ChangeLog	2020-05-06 23:16:14 UTC (rev 261258)
@@ -1,5 +1,18 @@
 2020-05-06  Jack Lee  <[email protected]>
 
+        Nullptr crash in indentOutdentCommand::formatRange with asynchronous commands: indent and insert list.
+        https://bugs.webkit.org/show_bug.cgi?id=211466
+        <rdar://problem/62845430>
+
+        Reviewed by Geoffrey Garen.
+
+        Added a regression test for the crash.
+
+        * fast/editing/indent-then-insertUL-crash-expected.txt: Added.
+        * fast/editing/indent-then-insertUL-crash.html: Added.
+
+2020-05-06  Jack Lee  <[email protected]>
+
         Nullptr crash in InsertListCommand::doApply with user-select:none elements
         https://bugs.webkit.org/show_bug.cgi?id=211534
         <rdar://problem/62898521>

Added: trunk/LayoutTests/fast/editing/indent-then-insertUL-crash-expected.txt (0 => 261258)


--- trunk/LayoutTests/fast/editing/indent-then-insertUL-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/indent-then-insertUL-crash-expected.txt	2020-05-06 23:16:14 UTC (rev 261258)
@@ -0,0 +1 @@
+Tests asynchronous indenting and list insertion commands. The test passes if WebKit doesn't crash or hit an ssertion.
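
Review bot: The added expected-output line ends with "hit an ssertion", which should read "assertion". The same string is assigned to document.body.innerText in indent-then-insertUL-crash.html, so the two must be corrected together or the text comparison will fail.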

Added: trunk/LayoutTests/fast/editing/indent-then-insertUL-crash.html (0 => 261258)


--- trunk/LayoutTests/fast/editing/indent-then-insertUL-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/indent-then-insertUL-crash.html	2020-05-06 23:16:14 UTC (rev 261258)
@@ -0,0 +1,21 @@
+<script>
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+    function run() {
+        var iframe = document.createElement('iframe');
+        iframe.setAttribute("onload", "iframeLoad()");
+        select.appendChild(iframe);
+        document.execCommand("indent", false);
+        document.body.innerText = "Tests asynchronous indenting and list insertion commands. The test passes if WebKit doesn't crash or hit an ssertion.";
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+    function iframeLoad() {
+        document.execCommand("insertUnorderedList", false);
+        window.getSelection().collapse(select);
+}
+</script>
+<body _onload_=run() contentEditable=true><details id=details open="true"><div>a</div><form hidden="hidden"><select id=select></select></form>b</details>
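
Review bot: In run(), testRunner.notifyDone() is called unconditionally on the last statement, with nothing tying it to iframeLoad() having executed, so a pass does not show that the insertUnorderedList step was reached; consider setting a flag in iframeLoad() and failing or deferring completion when it is not set. The body attribute on the final line appears here as `_onload_=run()`, which is not an event handler attribute, so as shown run() would never be invoked; it should read onload. `select` is reached through the implicit id-to-global lookup in both functions, and document.getElementById('select') would make that dependency explicit. The closing brace of iframeLoad() is also out of alignment with the function.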

Modified: trunk/Source/WebCore/ChangeLog (261257 => 261258)


--- trunk/Source/WebCore/ChangeLog	2020-05-06 23:01:06 UTC (rev 261257)
+++ trunk/Source/WebCore/ChangeLog	2020-05-06 23:16:14 UTC (rev 261258)
@@ -1,3 +1,18 @@
+2020-05-06  Jack Lee  <[email protected]>
+
+        Nullptr crash in indentOutdentCommand::formatRange with asynchronous commands: indent and insert list.
+        https://bugs.webkit.org/show_bug.cgi?id=211466
+        <rdar://problem/62845430>
+
+        Reviewed by Geoffrey Garen.
+
+        Check for null outerBlock returned by splitTreeToNode and bail out.
+
+        Test: fast/editing/indent-then-insertUL-crash.html
+
+        * editing/IndentOutdentCommand.cpp:
+        (WebCore::IndentOutdentCommand::indentIntoBlockquote):
+
 2020-05-06  Darin Adler  <[email protected]>
 
         Make a helper for the pattern of ICU functions that may need to be called twice to populate a buffer
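
Review bot: The entry title names indentOutdentCommand::formatRange (lower-case class name), while the function listed as changed is WebCore::IndentOutdentCommand::indentIntoBlockquote; the entry would be easier to follow if it said how the two relate. "Check for null outerBlock returned by splitTreeToNode and bail out" also does not say under what condition splitTreeToNode returns null or what state the document is left in after the early return, which is the part a later reader will need.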

Modified: trunk/Source/WebCore/editing/IndentOutdentCommand.cpp (261257 => 261258)


--- trunk/Source/WebCore/editing/IndentOutdentCommand.cpp	2020-05-06 23:01:06 UTC (rev 261257)
+++ trunk/Source/WebCore/editing/IndentOutdentCommand.cpp	2020-05-06 23:16:14 UTC (rev 261258)
@@ -106,6 +106,8 @@
 
     RefPtr<Node> nodeAfterStart = start.computeNodeAfterPosition();
     RefPtr<Node> outerBlock = (start.containerNode() == nodeToSplitTo) ? start.containerNode() : splitTreeToNode(*start.containerNode(), *nodeToSplitTo);
+    if (!outerBlock)
+        return;
 
     VisiblePosition startOfContents = start;
     if (!targetBlockquote) {
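
Review bot: The new `if (!outerBlock) return;` guards only the result; the line above it still dereferences `*start.containerNode()` and `*nodeToSplitTo` in the call to splitTreeToNode with no null check, so a null container node or split target would crash before the guard is reached. If those cannot be null at this point, a comment or assertion saying so would help; otherwise check them before the call. It is also worth confirming whether splitTreeToNode can return null after it has already modified the tree, since the silent return would then leave a partially applied edit, and a short comment explaining when a null outerBlock occurs would document the case the regression test covers.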
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
