Revision: 284792
Author: commit-qu...@webkit.org
Date: 2021-10-25 10:48:24 -0700 (Mon, 25 Oct 2021)
Log Message
Source/WebCore:
ASSERT(node) triggered after surroundNodeRangeWithElement for node without editable style
https://bugs.webkit.org/show_bug.cgi?id=232133
Patch by Gabriel Nava Marino <gnavamar...@apple.com> on 2021-10-25
Reviewed by Wenson Hsieh.
If the last styled node was not the parent node of a current text node, but we
wish to style the text node, we will add a style span to surround the text node.
However, this requires the parent to have an editable style, or
we will not properly insert the span in the right location, which
later leads to a traversal into an invalid node. This change
makes it so we return early if the parent node does not have an
editable style, by modifying the existing
CompositeEditCommand::insertNodeBefore to return a boolean in the
early return case.
Test: fast/editing/apply-relative-font-style-change-crash-003.html
* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::surroundNodeRangeWithElement):
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::insertNodeBefore):
* editing/CompositeEditCommand.h:
LayoutTests:
ASSERT(node) triggered after surroundNodeRangeWithElement for node without editable style
https://bugs.webkit.org/show_bug.cgi?id=232133
Patch by Gabriel Nava Marino <gnavamar...@apple.com> on 2021-10-25
Reviewed by Wenson Hsieh.
* fast/editing/apply-relative-font-style-change-crash-003-expected.txt: Added.
* fast/editing/apply-relative-font-style-change-crash-003.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (284791 => 284792)
--- trunk/LayoutTests/ChangeLog 2021-10-25 17:40:11 UTC (rev 284791)
+++ trunk/LayoutTests/ChangeLog 2021-10-25 17:48:24 UTC (rev 284792)
@@ -1,3 +1,13 @@
+2021-10-25 Gabriel Nava Marino <gnavamar...@apple.com>
+
+ ASSERT(node) triggered after surroundNodeRangeWithElement for node without editable style
+ https://bugs.webkit.org/show_bug.cgi?id=232133
+
+ Reviewed by Wenson Hsieh.
+
+ * fast/editing/apply-relative-font-style-change-crash-003-expected.txt: Added.
+ * fast/editing/apply-relative-font-style-change-crash-003.html: Added.
+
2021-10-25 Ayumi Kojima <ayumi_koj...@apple.com>
[ iOS Debug ] fast/selectors/ backtracking tests are timing out.
Added: trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003-expected.txt (0 => 284792)
--- trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003-expected.txt 2021-10-25 17:48:24 UTC (rev 284792)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003.html (0 => 284792)
--- trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003.html (rev 0)
+++ trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003.html 2021-10-25 17:48:24 UTC (rev 284792)
@@ -0,0 +1,17 @@
+<head>
+ <style></style>
+ <script>
+ _onload_ = () => {
+ document.styleSheets[0].insertRule(`:last-child { content: url(); }`);
+ document.styleSheets[0].insertRule(`:last-of-type { all: initial; }`);
+ document.documentElement.prepend(document.createElement('input'));
+ document.head.appendChild(document.createElement('div'));
+ document.designMode = 'on';
+ document.execCommand('SelectAll');
+ document.execCommand('FontSizeDelta', false, '1');
+ document.write("PASS");
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ };
+ </script>
+</head>
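Review bot: `testRunner.dumpAsText()` is only called at the end of the handler, after both `execCommand` calls and `document.write("PASS")`; moving the `if (window.testRunner)` check to the top of the script would set text-dump mode before the code path that used to hit the assertion runs. The handler is also assigned to `_onload_` in the text shown here, which is not the window load handler, so it is worth confirming the committed file reads `onload`. A one-line comment naming the bug (232133) and what the two inserted rules are meant to set up would make the test easier to maintain.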
Modified: trunk/Source/WebCore/ChangeLog (284791 => 284792)
--- trunk/Source/WebCore/ChangeLog 2021-10-25 17:40:11 UTC (rev 284791)
+++ trunk/Source/WebCore/ChangeLog 2021-10-25 17:48:24 UTC (rev 284792)
@@ -1,3 +1,28 @@
+2021-10-25 Gabriel Nava Marino <gnavamar...@apple.com>
+
+ ASSERT(node) triggered after surroundNodeRangeWithElement for node without editable style
+ https://bugs.webkit.org/show_bug.cgi?id=232133
+
+ Reviewed by Wenson Hsieh.
+
+ If the last styled node was not parent node of a current text node, but we
+ wish to style the text node, we will add a style span to surround the text node.
+ However, this requires the parent to have an editable style, or
+ we will not properly insert the span in the right location, which
+ later leads to a traversal into an invalid node. This change
+ makes it so we return early if the parent node does not have an
+ editable style, but modifying the existing
+ CompositeEditCommand::insertNodeBefore to return a boolean in the
+ early return case.
+
+ Test: fast/editing/apply-relative-font-style-change-crash-003.html
+
+ * editing/ApplyStyleCommand.cpp:
+ (WebCore::ApplyStyleCommand::surroundNodeRangeWithElement):
+ * editing/CompositeEditCommand.cpp:
+ (WebCore::CompositeEditCommand::insertNodeBefore):
+ * editing/CompositeEditCommand.h:
+
2021-10-25 Darin Adler <da...@apple.com>
Restore strict parsing behavior in parseStringArrayFromDictionaryToUInt16Vector
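Review bot: In the description paragraph, "but modifying the existing CompositeEditCommand::insertNodeBefore" reads as if it should be "by modifying"; as written the sentence does not say how the early return is achieved. The entry also describes the early return as happening when the parent lacks an editable style, while the condition in insertNodeBefore returns early only when the parent lacks an editable style and has a renderer (or when there is no parent at all), so the wording could be tightened to match.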
Modified: trunk/Source/WebCore/editing/ApplyStyleCommand.cpp (284791 => 284792)
--- trunk/Source/WebCore/editing/ApplyStyleCommand.cpp 2021-10-25 17:40:11 UTC (rev 284791)
+++ trunk/Source/WebCore/editing/ApplyStyleCommand.cpp 2021-10-25 17:48:24 UTC (rev 284792)
@@ -1319,8 +1319,7 @@
Ref<Node> protectedStartNode = startNode;
Ref<Element> element = WTFMove(elementToInsert);
- insertNodeBefore(element.copyRef(), startNode);
- if (!element->isContentRichlyEditable()) {
+ if (!insertNodeBefore(element.copyRef(), startNode) || !element->isContentRichlyEditable()) {
removeNode(element);
return false;
}
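Review bot: When `insertNodeBefore(element.copyRef(), startNode)` returns false on the new combined condition, `element` was never inserted, yet the branch still calls `removeNode(element)` on it. Please confirm that removeNode is a safe no-op for a node with no parent, or split the condition so the failed-insert case returns false without the removal. Folding the two checks into one `||` also hides which of them failed, so a short comment on the line would help a later reader.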
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (284791 => 284792)
--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2021-10-25 17:40:11 UTC (rev 284791)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2021-10-25 17:48:24 UTC (rev 284792)
@@ -552,12 +552,13 @@
return false;
}
-void CompositeEditCommand::insertNodeBefore(Ref<Node>&& insertChild, Node& refChild, ShouldAssumeContentIsAlwaysEditable shouldAssumeContentIsAlwaysEditable)
+bool CompositeEditCommand::insertNodeBefore(Ref<Node>&& insertChild, Node& refChild, ShouldAssumeContentIsAlwaysEditable shouldAssumeContentIsAlwaysEditable)
{
RefPtr parent { refChild.parentNode() };
if (!parent || (!parent->hasEditableStyle() && parent->renderer()))
- return;
+ return false;
applyCommandToComposite(InsertNodeBeforeCommand::create(WTFMove(insertChild), refChild, shouldAssumeContentIsAlwaysEditable, editingAction()));
+ return true;
}
void CompositeEditCommand::insertNodeAfter(Ref<Node>&& insertChild, Node& refChild)
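Review bot: The `return true` after `applyCommandToComposite(...)` reports only that the parent precondition passed, not that the InsertNodeBeforeCommand actually placed the node, so callers cannot treat true as "inserted". A comment above the function stating that meaning would prevent misuse. Note also that the guard `!parent->hasEditableStyle() && parent->renderer()` still lets a non-editable parent without a renderer through, which is narrower than the log message's "return early if the parent node does not have an editable style"; if that is intentional, it deserves a comment here.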
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.h (284791 => 284792)
--- trunk/Source/WebCore/editing/CompositeEditCommand.h 2021-10-25 17:40:11 UTC (rev 284791)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.h 2021-10-25 17:48:24 UTC (rev 284792)
@@ -154,7 +154,7 @@
void insertNodeAfter(Ref<Node>&&, Node& refChild);
void insertNodeAt(Ref<Node>&&, const Position&);
void insertNodeAtTabSpanPosition(Ref<Node>&&, const Position&);
- void insertNodeBefore(Ref<Node>&&, Node& refChild, ShouldAssumeContentIsAlwaysEditable = DoNotAssumeContentIsAlwaysEditable);
+ bool insertNodeBefore(Ref<Node>&&, Node& refChild, ShouldAssumeContentIsAlwaysEditable = DoNotAssumeContentIsAlwaysEditable);
void insertParagraphSeparatorAtPosition(const Position&, bool useDefaultParagraphElement = false, bool pasteBlockqutoeIntoUnquotedArea = false);
void insertParagraphSeparator(bool useDefaultParagraphElement = false, bool pasteBlockqutoeIntoUnquotedArea = false);
void insertLineBreak();
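Review bot: The changed declaration `bool insertNodeBefore(...)` gives no indication of what false means, and any callers not touched in this patch will silently discard the result. Consider a brief comment on the declaration (false: parent missing or not editable, nothing inserted), and auditing the other call sites to see whether they should also bail out on false.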