Changeset 228724 in webkit


Timestamp:
Feb 19, 2018 7:21:53 PM (6 years ago)
Author:
commit-queue@webkit.org
Message:

null m_lastNodeInserted dereference at ReplaceSelectionCommand::InsertedNodes::lastLeafInserted
https://bugs.webkit.org/show_bug.cgi?id=161947

Patch by Fujii Hironori <Fujii Hironori> on 2018-02-19
Reviewed by Ryosuke Niwa.

Source/WebCore:

InsertedNodes happened to be empty if the inserted nodes were
removed. Add more checks if InsertedNodes is empty.

No new tests (Covered by existing tests).

  • editing/ReplaceSelectionCommand.cpp:

(WebCore::ReplaceSelectionCommand::doApply): Return early if InsertedNodes becomes empty.

  • editing/ReplaceSelectionCommand.h:

(WebCore::ReplaceSelectionCommand::InsertedNodes::isEmpty): New method.
(WebCore::ReplaceSelectionCommand::InsertedNodes::lastLeafInserted const):
Assert m_lastNodeInserted is not null.
(WebCore::ReplaceSelectionCommand::InsertedNodes::pastLastLeaf const): Ditto.

LayoutTests:

  • platform/gtk/TestExpectations:

Unmarked editing/execCommand/crash-replacing-list-by-list.html and editing/inserting/insert-table-in-paragraph-crash.html.

Location:
trunk
Files:
5 edited

  • trunk/LayoutTests/ChangeLog

    r228718 r228724  
     12018-02-19  Fujii Hironori  <Hironori.Fujii@sony.com>
     2
     3        null m_lastNodeInserted dereference at ReplaceSelectionCommand::InsertedNodes::lastLeafInserted
     4        https://bugs.webkit.org/show_bug.cgi?id=161947
     5
     6        Reviewed by Ryosuke Niwa.
     7
     8        * platform/gtk/TestExpectations:
     9        Unmarked editing/execCommand/crash-replacing-list-by-list.html and editing/inserting/insert-table-in-paragraph-crash.html.
     10
    1112018-02-19  Antoine Quint  <graouts@apple.com>
    212
  • trunk/LayoutTests/platform/gtk/TestExpectations

    r228618 r228724  
    13011301webkit.org/b/172281 accessibility/insert-children-assert.html [ Crash ]
    13021302
    1303 webkit.org/b/172951 editing/execCommand/crash-replacing-list-by-list.html [ Crash ]
    1304 webkit.org/b/172951 editing/inserting/insert-table-in-paragraph-crash.html [ Crash ]
    1305 
    13061303webkit.org/b/172955 media/video-preload.html [ Crash Pass ]
    13071304
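
Review bot: the two expectations removed at 1303-1304 are filed under webkit.org/b/172951, while this change and its ChangeLog entry cite only bug 161947. Mention 172951 in the LayoutTests ChangeLog entry (or close it as a duplicate) so the tracker shows why these `[ Crash ]` lines went away, and confirm no other platform's TestExpectations still lists the same two tests.
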
  • trunk/Source/WebCore/ChangeLog

    r228721 r228724  
     12018-02-19  Fujii Hironori  <Hironori.Fujii@sony.com>
     2
     3        null m_lastNodeInserted dereference at ReplaceSelectionCommand::InsertedNodes::lastLeafInserted
     4        https://bugs.webkit.org/show_bug.cgi?id=161947
     5
     6        Reviewed by Ryosuke Niwa.
     7
     8        InsertedNodes happened to be empty if the inserted nodes were
     9        removed. Add more checks if InsertedNodes is empty.
     10
     11        No new tests (Covered by existing tests).
     12
     13        * editing/ReplaceSelectionCommand.cpp:
     14        (WebCore::ReplaceSelectionCommand::doApply): Return early if InsertedNodes becomes empty.
     15        * editing/ReplaceSelectionCommand.h:
     16        (WebCore::ReplaceSelectionCommand::InsertedNodes::isEmpty): New method.
     17        (WebCore::ReplaceSelectionCommand::InsertedNodes::lastLeafInserted const):
     18        Assert m_lastNodeInserted is not null.
     19        (WebCore::ReplaceSelectionCommand::InsertedNodes::pastLastLeaf const): Ditto.
     20
    1212018-02-19  Said Abou-Hallawa  <sabouhallawa@apple.com>
    222
  • trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp

    r228482 r228724  
    11431143    }
    11441144
     1145    if (insertedNodes.isEmpty())
     1146        return;
    11451147    removeUnrenderedTextNodesAtEnds(insertedNodes);
    11461148
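
Review bot: the new check at 1145 runs before `removeUnrenderedTextNodesAtEnds(insertedNodes)` but nothing re-checks immediately after it, unlike the helpers at 1175 and 1179, which are each followed by their own `isEmpty()` return. The next check is at 1153, past lines that are not shown here. If this helper can drop the last remaining node, either add `if (insertedNodes.isEmpty()) return;` directly after the call or confirm that nothing between it and 1153 calls `lastLeafInserted()` or `pastLastLeaf()`.
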
     
    11491151
    11501152    // Mutation events (bug 20161) may have already removed the inserted content
    1151     if (!insertedNodes.firstNodeInserted() || !insertedNodes.firstNodeInserted()->isConnected())
     1153    if (insertedNodes.isEmpty())
     1154        return;
     1155    if (!insertedNodes.firstNodeInserted()->isConnected())
    11521156        return;
    11531157
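
Review bot: the split at 1153-1156 produces two consecutive `return;` statements under a comment that explains only the mutation-event case. Since `isEmpty()` is `!m_firstNodeInserted`, a single condition `if (insertedNodes.isEmpty() || !insertedNodes.firstNodeInserted()->isConnected())` keeps the behaviour and keeps the comment attached to both reasons for bailing out. Note also that only the first inserted node is tested for `isConnected()`; if the last one can be disconnected independently, that case is not covered here.
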
     
    11701174   
    11711175    makeInsertedContentRoundTrippableWithHTMLTreeBuilder(insertedNodes);
     1176    if (insertedNodes.isEmpty())
     1177        return;
    11721178
    11731179    removeRedundantStylesAndKeepStyleSpanInline(insertedNodes);
     1180    if (insertedNodes.isEmpty())
     1181        return;
    11741182
    11751183    if (m_sanitizeFragment)
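
Review bot: the checks at 1176 and 1180 repeat the same `if (insertedNodes.isEmpty()) return;` pair after each helper with no comment saying why that helper can empty the set, which makes it easy to forget for the next mutating call. The `if (m_sanitizeFragment)` branch at 1183 is cut off in this view; if it also edits the inserted content it needs the same guard. Consider a one-line comment per site, or having these helpers return a bool so the caller cannot ignore the empty case.
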
  • trunk/Source/WebCore/editing/ReplaceSelectionCommand.h

    r216351 r228724  
    7070        void didReplaceNode(Node*, Node* newNode);
    7171
     72        bool isEmpty() { return !m_firstNodeInserted; }
    7273        Node* firstNodeInserted() const { return m_firstNodeInserted.get(); }
    73         Node* lastLeafInserted() const { return m_lastNodeInserted->lastDescendant(); }
     74        Node* lastLeafInserted() const
     75        {
     76            ASSERT(m_lastNodeInserted);
     77            return m_lastNodeInserted->lastDescendant();
     78        }
    7479        Node* pastLastLeaf() const
    7580        {
    76             if (m_lastNodeInserted) {
    77                 ASSERT(lastLeafInserted());
    78                 return NodeTraversal::next(*lastLeafInserted());
    79             }
    80             return nullptr;
     81            ASSERT(m_lastNodeInserted);
     82            return NodeTraversal::next(*lastLeafInserted());
    8183        }
    8284
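
Review bot: in `pastLastLeaf()` the removed `if (m_lastNodeInserted)` guard returned `nullptr`, and its replacement `ASSERT(m_lastNodeInserted)` is compiled out of release builds, so any release-build caller that reaches it with an empty InsertedNodes now dereferences null where it previously got `nullptr`. Unless every caller is provably behind an `isEmpty()` check, keep the guard or use `RELEASE_ASSERT`. Two smaller points on line 72: `isEmpty()` should be `const` like the accessors next to it, and it tests `m_firstNodeInserted` while both asserts are on `m_lastNodeInserted`, so the invariant that the two are null together should be stated in a comment or checked in `isEmpty()` itself.
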