Changeset 259027 in webkit

Timestamp:

Mar 25, 2020 6:51:14 PM (4 years ago)

Author:

Jack Lee

Message:

Nullptr crash in WebCore::Node::isDescendantOf when inserting list
​https://bugs.webkit.org/show_bug.cgi?id=209529
<rdar://problem/60693542>

Reviewed by Darin Adler.

Source/WebCore:

The visible positions may be null if the DOM tree is altered before an edit command is applied.
Add null check for visible positions at the beginning of InsertListCommand::doApply.

Test: editing/inserting/insert-list-during-node-removal-crash.html

• editing/InsertListCommand.cpp:

(WebCore::InsertListCommand::doApply):

LayoutTests:

Added a regression test for the crash.

• editing/inserting/insert-list-during-node-removal-crash-expected.txt: Added.
• editing/inserting/insert-list-during-node-removal-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/inserting/insert-list-during-node-removal-crash-expected.txt (added)
• LayoutTests/editing/inserting/insert-list-during-node-removal-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/editing/InsertListCommand.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-03-25  Jack Lee  <shihchieh_lee@apple.com>
+
+        Nullptr crash in WebCore::Node::isDescendantOf when inserting list
+        https://bugs.webkit.org/show_bug.cgi?id=209529
+        <rdar://problem/60693542>
+
+        Reviewed by Darin Adler.
+
+        Added a regression test for the crash.
+
+        * editing/inserting/insert-list-during-node-removal-crash-expected.txt: Added.
+        * editing/inserting/insert-list-during-node-removal-crash.html: Added.
+
 2020-03-25  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-03-25  Jack Lee  <shihchieh_lee@apple.com>
+
+        Nullptr crash in WebCore::Node::isDescendantOf when inserting list
+        https://bugs.webkit.org/show_bug.cgi?id=209529
+        <rdar://problem/60693542>
+
+        Reviewed by Darin Adler.
+
+        The visible positions may be null if the DOM tree is altered before an edit command is applied. 
+        Add null check for visible positions at the beginning of InsertListCommand::doApply.
+
+        Test: editing/inserting/insert-list-during-node-removal-crash.html
+
+        * editing/InsertListCommand.cpp:
+        (WebCore::InsertListCommand::doApply):
+
 2020-03-25  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/Source/WebCore/editing/InsertListCommand.cpp

@@ -113 +113 @@
 void InsertListCommand::doApply()
 {
-    if (endingSelection().isNoneOrOrphaned() || !endingSelection().isContentRichlyEditable())
-        return;
-
     VisiblePosition visibleEnd = endingSelection().visibleEnd();
     VisiblePosition visibleStart = endingSelection().visibleStart();
-    // When a selection ends at the start of a paragraph, we rarely paint 
+
+    if (visibleEnd.isNull() || visibleStart.isNull() || !endingSelection().isContentRichlyEditable())
+        return;
+
+    // When a selection ends at the start of a paragraph, we rarely paint
     // the selection gap before that paragraph, because there often is no gap.  
     // In a case like this, it's not obvious to the user that the selection