Title: [277174] trunk
Revision: 277174
Author: commit-qu...@webkit.org
Date: 2021-05-07 08:23:51 -0700 (Fri, 07 May 2021)

Log Message

Crash in ApplyStyleCommand::applyRelativeFontStyleChange
https://bugs.webkit.org/show_bug.cgi?id=225235

Patch by Frédéric Wang <fw...@igalia.com> on 2021-05-07
Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html

In ApplyStyleCommand::applyRelativeFontStyleChange, when the selection start and end have the
same anchor node, the start node of the loop is obtained by calling Position::upstream on the
selection start, while the end node of the loop is obtained by calling NodeTraversal::next on the
anchor node. This can result in the former being after the latter. This patch fixes this by
moving the end of the loop after the anchor node (similar to what is already done when the
start anchor node is a strict descendant of the end anchor node).

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::applyRelativeFontStyleChange): Also include the case where
end.deprecatedNode() == start.deprecatedNode() in the conditional.

LayoutTests:

Add regression test.

* editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt: Added.
* editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html: Added.
* platform/ios/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/ApplyStyleCommand.cpp

Added Paths

trunk/LayoutTests/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt
trunk/LayoutTests/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html
trunk/LayoutTests/platform/ios/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt

Diff

Modified: trunk/LayoutTests/ChangeLog (277173 => 277174)


--- trunk/LayoutTests/ChangeLog	2021-05-07 15:05:03 UTC (rev 277173)
+++ trunk/LayoutTests/ChangeLog	2021-05-07 15:23:51 UTC (rev 277174)
@@ -1,3 +1,16 @@
+2021-05-07  Frédéric Wang  <fw...@igalia.com>
+
+        Crash in ApplyStyleCommand::applyRelativeFontStyleChange
+        https://bugs.webkit.org/show_bug.cgi?id=225235
+
+        Reviewed by Ryosuke Niwa.
+
+        Add regression test.
+
+        * editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt: Added.
+        * editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html: Added.
+        * platform/ios/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt: Added.
+
 2021-05-07  Philippe Normand  <pnorm...@igalia.com>
 
         Unreviewed, glib WebAudio gardening

Added: trunk/LayoutTests/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt (0 => 277174)


--- trunk/LayoutTests/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt	2021-05-07 15:23:51 UTC (rev 277174)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+••••••
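Review bot: the second expected line is the `-webkit-text-security: disc` rendering of the body text, i.e. a platform glyph, which is why a separate iOS expectation with ●●●●●● is needed; if the masked text is not required for the repro, replacing the body content before the dump (or dumping only the console line) would let one expectation file serve every port.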

Added: trunk/LayoutTests/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html (0 => 277174)


--- trunk/LayoutTests/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html	2021-05-07 15:23:51 UTC (rev 277174)
@@ -0,0 +1,21 @@
+<body style="-webkit-text-security: disc;">
+  <div></div>A
+  <script></script>
+  <div id="element"></div>
+  <script>
+    if (window.testRunner)
+        testRunner.dumpAsText()
+    console.log('This test passes if it does not crash.');
+    document.addEventListener("DOMCharacterDataModified", () => {
+        document.body.innerHTML = "B";
+    });
+    document.body.removeChild(document.getElementById('element'));
+    document.designMode = "on";
+    document.execCommand("SelectAll");
+    document.execCommand("FontSizeDelta", false, 3);
+  </script>
+  <script>
+    document.body.insertBefore(document.createElement("div"), document.body.firstChild);
+    document.execCommand("FontSizeDelta", false, 3);
+  </script>
+</body>
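Review bot: the `testRunner.dumpAsText()` call lacks the trailing semicolon the rest of the script uses; more usefully, a short comment saying which `FontSizeDelta` call exercises the same-anchor path (the first, after the DOMCharacterDataModified listener has rewritten the body, or the second after the div is inserted before `firstChild`) would tell the next reader why the second script block exists.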

Added: trunk/LayoutTests/platform/ios/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt (0 => 277174)


--- trunk/LayoutTests/platform/ios/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/ios/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt	2021-05-07 15:23:51 UTC (rev 277174)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+●●●●●●

Modified: trunk/Source/WebCore/ChangeLog (277173 => 277174)


--- trunk/Source/WebCore/ChangeLog	2021-05-07 15:05:03 UTC (rev 277173)
+++ trunk/Source/WebCore/ChangeLog	2021-05-07 15:23:51 UTC (rev 277174)
@@ -1,3 +1,23 @@
+2021-05-07  Frédéric Wang  <fw...@igalia.com>
+
+        Crash in ApplyStyleCommand::applyRelativeFontStyleChange
+        https://bugs.webkit.org/show_bug.cgi?id=225235
+
+        Reviewed by Ryosuke Niwa.
+
+        Test: editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html
+
+        In ApplyStyleCommand::applyRelativeFontStyleChange, when the selection start and end have the
+        same anchor node, the start node of the loop is obtained by calling Position::upstream on the
+        selection start while end node of the loop is obtained by calling NodeTraversal::next on the
+        anchor node. This can result in the former being after the latter. This patch fixes this by
+        moving the end of the loop after the anchor node (similar to what is already done when the
+        start anchor node is a strict descendant of the end anchor node).
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::applyRelativeFontStyleChange): Also include the case where
+        end.deprecatedNode() == start.deprecatedNode() in the conditional.
+
 2021-05-07  Carlos Garnacho  <carl...@gnome.org>
 
         [GTK4] Rewrite GTK gesture support to work for both 3.x and 4.x.

Modified: trunk/Source/WebCore/editing/ApplyStyleCommand.cpp (277173 => 277174)


--- trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2021-05-07 15:05:03 UTC (rev 277173)
+++ trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2021-05-07 15:23:51 UTC (rev 277174)
@@ -348,7 +348,7 @@
     RefPtr<Node> beyondEnd;
     ASSERT(start.deprecatedNode());
     ASSERT(end.deprecatedNode());
-    if (start.deprecatedNode()->isDescendantOf(*end.deprecatedNode()))
+    if (end.deprecatedNode()->contains(*start.deprecatedNode()))
         beyondEnd = NodeTraversal::nextSkippingChildren(*end.deprecatedNode());
     else
         beyondEnd = NodeTraversal::next(*end.deprecatedNode());
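Review bot: the fix relies on `Node::contains()` being inclusive (true when `end.deprecatedNode()` and `start.deprecatedNode()` are the same node) where `isDescendantOf()` was strict; that is exactly the case the ChangeLog names, but nothing at the call site says so, and the loop start this bound must stay ahead of (the upstream-resolved start node the ChangeLog describes) is computed outside the hunk. A one-line comment, or writing the condition as the ChangeLog phrases it (`end.deprecatedNode() == start.deprecatedNode() || ...`), would keep a future reader from reverting to the strict check, and an ASSERT that `beyondEnd` is not before the loop start would turn a repeat of this bug into a debug assertion rather than a crash.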
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
