[webkit-changes] [WebKit/WebKit] 792bfb: [Live Range Selection] Crash in DOMSelection::getR...

Mon, 19 Dec 2022 19:21:38 -0800 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 792bfbd9e5cffe4edd6c24a89eaf86a9e5a2eec1
      
https://github.com/WebKit/WebKit/commit/792bfbd9e5cffe4edd6c24a89eaf86a9e5a2eec1
  Author: Ryosuke Niwa <rn...@webkit.org>
  Date:   2022-12-19 (Mon, 19 Dec 2022)

  Changed paths:
    R 
LayoutTests/editing/pasteboard/copy-with-shadow-tree-crash-live-range-expected.txt
    R LayoutTests/editing/pasteboard/copy-with-shadow-tree-crash-live-range.html
    M LayoutTests/editing/pasteboard/copy-with-shadow-tree-crash.html
    M 
LayoutTests/editing/selection/delete-selection-with-disconnected-extent.html
    M LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash.html
    A LayoutTests/fast/forms/shadow-tree-exposure-live-range-expected.txt
    A LayoutTests/fast/forms/shadow-tree-exposure-live-range.html
    M LayoutTests/fast/forms/shadow-tree-exposure.html
    M Source/WebCore/page/DOMSelection.cpp

  Log Message:
  -----------
  [Live Range Selection] Crash in DOMSelection::getRangeAt with 
fast/forms/shadow-tree-exposure.html
https://bugs.webkit.org/show_bug.cgi?id=249526

Reviewed by Darin Adler.

The crash was caused by DOMSelection::getRangeAt assuming that the live range 
associated
with the selection is always non-null when FrameSelection::isNone is false. 
This is not the case
when the selection's end points are not in the document tree.

Fixed the bug by changing the condition in DOMSelection::rangeCount to return 
0. Namely we return 0
whenever FrameSelection::associatedLiveRange() returns nullptr.

Updated other layout tests to avoid hitting a JavaScript exception in 
getSelection().extend(~) by
forcing LiveRangeSelectionEnabled to be disabled.

* LayoutTests/editing/pasteboard/copy-with-shadow-tree-crash-live-range.html:
* LayoutTests/editing/pasteboard/copy-with-shadow-tree-crash.html:
* LayoutTests/editing/selection/delete-selection-with-disconnected-extent.html:
* LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash.html:
* LayoutTests/fast/forms/shadow-tree-exposure-live-range-expected.txt: Added.
* LayoutTests/fast/forms/shadow-tree-exposure-live-range.html: Added.
* LayoutTests/fast/forms/shadow-tree-exposure.html:
* Source/WebCore/page/DOMSelection.cpp:
(WebCore::DOMSelection::rangeCount const):

Canonical link: https://commits.webkit.org/258118@main


_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to