Title: [282075] trunk
- Revision: 282075
- Author: commit-qu...@webkit.org
- Date: 2021-09-07 01:11:28 -0700 (Tue, 07 Sep 2021)
Log Message
Nullptr crash in DeleteSelectionCommand::removeNodeUpdatingStates
https://bugs.webkit.org/show_bug.cgi?id=229279
Patch by Rob Buis <rb...@igalia.com> on 2021-09-07
Reviewed by Ryosuke Niwa.
Source/WebCore:
Fix DeleteSelectionCommand::removeNodeUpdatingStates logic
to use m_endBlock rather than m_startBlock here.
Test: editing/deleting/delete-shadow-tree-crash.html
* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::removeNodeUpdatingStates):
LayoutTests:
* editing/deleting/delete-shadow-tree-crash-expected.txt: Added.
* editing/deleting/delete-shadow-tree-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (282074 => 282075)
--- trunk/LayoutTests/ChangeLog 2021-09-07 07:06:26 UTC (rev 282074)
+++ trunk/LayoutTests/ChangeLog 2021-09-07 08:11:28 UTC (rev 282075)
@@ -1,5 +1,15 @@
2021-09-07 Rob Buis <rb...@igalia.com>
+ Nullptr crash in DeleteSelectionCommand::removeNodeUpdatingStates
+ https://bugs.webkit.org/show_bug.cgi?id=229279
+
+ Reviewed by Ryosuke Niwa.
+
+ * editing/deleting/delete-shadow-tree-crash-expected.txt: Added.
+ * editing/deleting/delete-shadow-tree-crash.html: Added.
+
+2021-09-07 Rob Buis <rb...@igalia.com>
+
Nullptr crash in CSSValue::cssText() via DeleteSelectionCommand::calculateTypingStyleAfterDelete
https://bugs.webkit.org/show_bug.cgi?id=229281
Added: trunk/LayoutTests/editing/deleting/delete-shadow-tree-crash-expected.txt (0 => 282075)
--- trunk/LayoutTests/editing/deleting/delete-shadow-tree-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-shadow-tree-crash-expected.txt 2021-09-07 08:11:28 UTC (rev 282075)
@@ -0,0 +1 @@
+Test passes if it does not crash.
Added: trunk/LayoutTests/editing/deleting/delete-shadow-tree-crash.html (0 => 282075)
--- trunk/LayoutTests/editing/deleting/delete-shadow-tree-crash.html (rev 0)
+++ trunk/LayoutTests/editing/deleting/delete-shadow-tree-crash.html 2021-09-07 08:11:28 UTC (rev 282075)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<script>
+ if (window.testRunner)
+ window.testRunner.dumpAsText();
+ _onload_ = () => {
+ document.designMode = 'on';
+ let span0 = document.createElement('span');
+ span0.appendChild(document.createElement('input'));
+ let div0 = document.createElement('div');
+ span0.appendChild(div0);
+ div0.appendChild(document.createElement('input'));
+ document.body.attachShadow({mode: 'open'}).append(span0);
+ getSelection().selectAllChildren(span0);
+ document.execCommand('Delete');
+ document.write("Test passes if it does not crash.");
+ };
+</script>
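Review bot: the test carries no comment tying the DOM shape to the bug it regresses; a one-line comment above `document.designMode = 'on';` noting that the selection spans `span0` inside a shadow root attached to `document.body` (so the deletion reaches the `m_endBlock` branch fixed in DeleteSelectionCommand::removeNodeUpdatingStates, bug 229279) would make the crash test maintainable. Also note that `_onload_` reads as a rendering artefact of `onload` in this view; the committed file should be checked to contain `onload = () => {`.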
Modified: trunk/Source/WebCore/ChangeLog (282074 => 282075)
--- trunk/Source/WebCore/ChangeLog 2021-09-07 07:06:26 UTC (rev 282074)
+++ trunk/Source/WebCore/ChangeLog 2021-09-07 08:11:28 UTC (rev 282075)
@@ -1,5 +1,20 @@
2021-09-07 Rob Buis <rb...@igalia.com>
+ Nullptr crash in DeleteSelectionCommand::removeNodeUpdatingStates
+ https://bugs.webkit.org/show_bug.cgi?id=229279
+
+ Reviewed by Ryosuke Niwa.
+
+ Fix DeleteSelectionCommand::removeNodeUpdatingStates logic
+ to use m_endBlock rather than m_startBlock here.
+
+ Test: editing/deleting/delete-shadow-tree-crash.html
+
+ * editing/DeleteSelectionCommand.cpp:
+ (WebCore::DeleteSelectionCommand::removeNodeUpdatingStates):
+
+2021-09-07 Rob Buis <rb...@igalia.com>
+
Nullptr crash in CSSValue::cssText() via DeleteSelectionCommand::calculateTypingStyleAfterDelete
https://bugs.webkit.org/show_bug.cgi?id=229281
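Review bot: the description "Fix DeleteSelectionCommand::removeNodeUpdatingStates logic / to use m_endBlock rather than m_startBlock here." covers only the block swap, but the code change also adds `isNull()` guards on the computed `prev` and `next` positions, which is a separate behavioural change; the ChangeLog entry should mention the guards so the two fixes are not conflated later.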
Modified: trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp (282074 => 282075)
--- trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2021-09-07 07:06:26 UTC (rev 282074)
+++ trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2021-09-07 08:11:28 UTC (rev 282075)
@@ -491,10 +491,15 @@
void DeleteSelectionCommand::removeNodeUpdatingStates(Node& node, ShouldAssumeContentIsAlwaysEditable shouldAssumeContentIsAlwaysEditable)
{
- if (&node == m_startBlock && !isEndOfBlock(VisiblePosition(firstPositionInNode(m_startBlock.get())).previous()))
- m_needPlaceholder = true;
- else if (&node == m_endBlock && !isStartOfBlock(VisiblePosition(lastPositionInNode(m_startBlock.get())).next()))
- m_needPlaceholder = true;
+ if (&node == m_startBlock) {
+ auto prev = VisiblePosition(firstPositionInNode(m_startBlock.get())).previous();
+ if (!prev.isNull() && !isEndOfBlock(prev))
+ m_needPlaceholder = true;
+ } else if (&node == m_endBlock) {
+ auto next = VisiblePosition(lastPositionInNode(m_endBlock.get())).next();
+ if (!next.isNull() && !isStartOfBlock(next))
+ m_needPlaceholder = true;
+ }
// FIXME: Update the endpoints of the range being deleted.
updatePositionForNodeRemoval(m_endingPosition, node);
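Review bot: the `!prev.isNull()` / `!next.isNull()` guards change behaviour beyond the `m_startBlock` → `m_endBlock` fix named in the log. Before, a null `VisiblePosition` was passed straight to `isEndOfBlock` / `isStartOfBlock`, so if those return false for a null position the old code set `m_needPlaceholder = true`; the new code leaves `m_needPlaceholder` untouched in that case. If that is intended (no adjacent visible position means no placeholder is needed), say so in a comment on `if (!prev.isNull() && !isEndOfBlock(prev))`; if not, the null case needs its own branch. Separately, using `m_endBlock.get()` in the `else if (&node == m_endBlock)` branch is consistent with the crash title: the old `lastPositionInNode(m_startBlock.get())` dereferenced a block unrelated to the node being removed.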