Changeset 238465 in webkit

Timestamp:

Nov 23, 2018 6:17:30 PM (5 years ago)

Author:

rniwa@webkit.org

Message:

REGRESSION (r236785): Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
​https://bugs.webkit.org/show_bug.cgi?id=191921

Reviewed by Dean Jackson.

Source/WebCore:

The bug was caused by traverseNodesForSerialization not being able to traverse past the end of shadow root
when skipping children of a node for which enterNode returns false because it was using NodeTraversal's
nextSkippingChildren instead of a member function which supports traversing the composed tree.

Fixed the crash by using variant of nextSkippingChildren which knows how to traverse past the last node
in a shadow tree. Also added more assertions to help debug issues like this in the future.

Test: editing/pasteboard/copy-paste-across-shadow-boundaries-5.html

• editing/markup.cpp:

(WebCore::StyledMarkupAccumulator::traverseNodesForSerialization):

LayoutTests:

Added a regression test.

• editing/pasteboard/copy-paste-across-shadow-boundaries-5-expected.txt: Added.
• editing/pasteboard/copy-paste-across-shadow-boundaries-5.html: Added.
• platform/ios/editing/pasteboard/copy-paste-across-shadow-boundaries-5-expected.txt: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/pasteboard/copy-paste-across-shadow-boundaries-5-expected.txt (added)
• LayoutTests/editing/pasteboard/copy-paste-across-shadow-boundaries-5.html (added)
• LayoutTests/platform/ios/editing/pasteboard/copy-paste-across-shadow-boundaries-5-expected.txt (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/editing/markup.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-11-23  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION (r236785): Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
+        https://bugs.webkit.org/show_bug.cgi?id=191921
+
+        Reviewed by Dean Jackson.
+
+        Added a regression test.
+
+        * editing/pasteboard/copy-paste-across-shadow-boundaries-5-expected.txt: Added.
+        * editing/pasteboard/copy-paste-across-shadow-boundaries-5.html: Added.
+        * platform/ios/editing/pasteboard/copy-paste-across-shadow-boundaries-5-expected.txt: Added.
+
 2018-11-22  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-11-23  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION (r236785): Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
+        https://bugs.webkit.org/show_bug.cgi?id=191921
+
+        Reviewed by Dean Jackson.
+
+        The bug was caused by traverseNodesForSerialization not being able to traverse past the end of shadow root
+        when skipping children of a node for which enterNode returns false because  it was using NodeTraversal's
+        nextSkippingChildren instead of a member function which supports traversing the composed tree.
+
+        Fixed the crash by using variant of nextSkippingChildren which knows how to traverse past the last node
+        in a shadow tree. Also added more assertions to help debug issues like this in the future.
+
+        Test: editing/pasteboard/copy-paste-across-shadow-boundaries-5.html
+
+        * editing/markup.cpp:
+        (WebCore::StyledMarkupAccumulator::traverseNodesForSerialization):
+
 2018-11-22  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebCore/editing/markup.cpp

@@ -646 +646 @@
             }
         }
+        ASSERT(next || !pastEnd);
 
         if (isBlock(n) && canHaveChildrenForEditing(*n) && next == pastEnd) {
@@ -653 +654 @@
 
         if (!enterNode(*n)) {
-            next = NodeTraversal::nextSkippingChildren(*n);
+            next = nextSkippingChildren(*n);
             // Don't skip over pastEnd.
             if (pastEnd && isDescendantOf(*pastEnd, *n))
                 next = pastEnd;
+            ASSERT(next || !pastEnd);
         } else {
             if (!hasChildNodes(*n))