Title: [261666] trunk
- Revision: 261666
- Author: shihchieh_...@apple.com
- Date: 2020-05-13 17:45:45 -0700 (Wed, 13 May 2020)
Log Message
Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable
https://bugs.webkit.org/show_bug.cgi?id=211864
<rdar://problem/62982161>
Reviewed by Geoffrey Garen.
Source/WebCore:
The position returned by positionAvoidingSpecialElementBoundary() is uneditable so we need to
check for uneditable insertion position and bail out before calling insertNodeAt to avoid assertion.
Test: editing/inserting/insert-img-uneditable-canonical-position-crash.html
* editing/InsertParagraphSeparatorCommand.cpp:
(WebCore::InsertParagraphSeparatorCommand::doApply):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt: Added.
* editing/inserting/insert-img-uneditable-canonical-position-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (261665 => 261666)
--- trunk/LayoutTests/ChangeLog 2020-05-14 00:35:40 UTC (rev 261665)
+++ trunk/LayoutTests/ChangeLog 2020-05-14 00:45:45 UTC (rev 261666)
@@ -1,5 +1,18 @@
2020-05-13 Jack Lee <shihchieh_...@apple.com>
+ Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable
+ https://bugs.webkit.org/show_bug.cgi?id=211864
+ <rdar://problem/62982161>
+
+ Reviewed by Geoffrey Garen.
+
+ Added a regression test for the crash.
+
+ * editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt: Added.
+ * editing/inserting/insert-img-uneditable-canonical-position-crash.html: Added.
+
+2020-05-13 Jack Lee <shihchieh_...@apple.com>
+
Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
https://bugs.webkit.org/show_bug.cgi?id=211793
<rdar://problem/62993645>
Added: trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt (0 => 261666)
--- trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash-expected.txt 2020-05-14 00:45:45 UTC (rev 261666)
@@ -0,0 +1 @@
+Tests inserting paragraph separator when an editable canonical position is not found. The test passes if WebKit doesn't crash or hit an ssertion.
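Review bot: "ssertion" at the end of this expected line is a typo for "assertion". The same string is assigned to document.body.innerText in the .html test, so the two files have to be corrected together or the text comparison will fail.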
Added: trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash.html (0 => 261666)
--- trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-img-uneditable-canonical-position-crash.html 2020-05-14 00:45:45 UTC (rev 261666)
@@ -0,0 +1,10 @@
+<video><span id=span_copy><input id=input></input></span></video><button></button><audio><hr id=hr1 contentEditable="true"><hr id=hr2></audio><textarea></textarea>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ hr1.appendChild(span_copy);
+ input.setSelectionRange(-1,67);
+ hr2.appendChild(span_copy);
+ document.execCommand("insertImage", "#foo");
+ document.body.innerText = "Tests inserting paragraph separator when an editable canonical position is not found. The test passes if WebKit doesn't crash or hit an ssertion.";
+</script>
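Review bot: In the `document.execCommand("insertImage", "#foo")` call, "#foo" sits in the second parameter, which execCommand treats as showUI, so no value argument is passed at all. If the reduced case depends on exactly this shape, a one-line comment saying so would help; otherwise pass it as the third argument. The script also carries no comment on why moving span_copy from hr1 to hr2 around `input.setSelectionRange(-1,67)` produces the uneditable canonical position, which will make the test hard to maintain if it ever stops reproducing.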
Modified: trunk/Source/WebCore/ChangeLog (261665 => 261666)
--- trunk/Source/WebCore/ChangeLog 2020-05-14 00:35:40 UTC (rev 261665)
+++ trunk/Source/WebCore/ChangeLog 2020-05-14 00:45:45 UTC (rev 261666)
@@ -1,5 +1,21 @@
2020-05-13 Jack Lee <shihchieh_...@apple.com>
+ Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable
+ https://bugs.webkit.org/show_bug.cgi?id=211864
+ <rdar://problem/62982161>
+
+ Reviewed by Geoffrey Garen.
+
+ The position returned by positionAvoidingSpecialElementBoundary() is uneditable so we need to
+ check for uneditable insertion position and bail out before calling insertNodeAt to avoid assertion.
+
+ Test: editing/inserting/insert-img-uneditable-canonical-position-crash.html
+
+ * editing/InsertParagraphSeparatorCommand.cpp:
+ (WebCore::InsertParagraphSeparatorCommand::doApply):
+
+2020-05-13 Jack Lee <shihchieh_...@apple.com>
+
Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
https://bugs.webkit.org/show_bug.cgi?id=211793
<rdar://problem/62993645>
Modified: trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp (261665 => 261666)
--- trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp 2020-05-14 00:35:40 UTC (rev 261665)
+++ trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp 2020-05-14 00:45:45 UTC (rev 261666)
@@ -300,6 +300,10 @@
// it if visiblePos is at the start of a paragraph so that the
// content will move down a line.
if (isStartOfParagraph(visiblePos)) {
+ // FIXME: <http://webkit.org/b/211864> If insertionPosition is not editable, we should compute a position that is.
+ if (!isEditablePosition(insertionPosition))
+ return;
+
auto br = HTMLBRElement::create(document());
auto* brPtr = br.ptr();
insertNodeAt(WTFMove(br), insertionPosition);
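Review bot: The new `isEditablePosition(insertionPosition)` check sits inside the `if (isStartOfParagraph(visiblePos))` branch, so it guards only this one `insertNodeAt` call. Since the log says the uneditable position comes from positionAvoidingSpecialElementBoundary(), consider checking once at the point where insertionPosition is computed so every later use of it is covered. The FIXME also links to b/211864, which is the bug this commit resolves; a separate follow-up bug for computing an editable position would keep that reference pointing at open work, and it should record that the bare `return` currently turns the command into a silent no-op.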