Changeset 261018 in webkit

Timestamp:

May 1, 2020 1:50:18 PM (4 years ago)

Author:

Jack Lee

Message:

Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode
​https://bugs.webkit.org/show_bug.cgi?id=207600
Source/WebCore:

<rdar://problem/56969450>

Reviewed by Geoffrey Garen.

Second part of the fix. Remove m_frame in FrameSelection so it will not be
inadvertently used and cause this crash.

No new tests, covered by existing test.

• editing/AlternativeTextController.cpp:

(WebCore::AlternativeTextController::rootViewRectForRange const):

• editing/FrameSelection.cpp:

(WebCore::FrameSelection::FrameSelection):
(WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance):
(WebCore::FrameSelection::modify):
(WebCore::FrameSelection::selectFrameElementInParentIfFullySelected):
(WebCore::FrameSelection::setFocusedElementIfNeeded):
(WebCore::FrameSelection::shouldDeleteSelection const):
(WebCore::FrameSelection::shouldDeleteSelection):
(WebCore::FrameSelection::revealSelection):
(WebCore::FrameSelection:: shouldChangeSelection):
(WebCore::FrameSelection::shouldChangeSelection const):

• editing/FrameSelection.h:
• editing/atk/FrameSelectionAtk.cpp:

(WebCore::FrameSelection::notifyAccessibilityForSelectionChange):

• editing/mac/FrameSelectionMac.mm:

(WebCore::FrameSelection::notifyAccessibilityForSelectionChange):

LayoutTests:

Reviewed by Geoffrey Garen.

Reduce run time for this test case.

• editing/inserting/insert-list-then-edit-command-crash.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/inserting/insert-list-then-edit-command-crash.html (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/editing/AlternativeTextController.cpp (modified) (1 diff)
• Source/WebCore/editing/FrameSelection.cpp (modified) (14 diffs)
• Source/WebCore/editing/FrameSelection.h (modified) (1 diff)
• Source/WebCore/editing/atk/FrameSelectionAtk.cpp (modified) (1 diff)
• Source/WebCore/editing/mac/FrameSelectionMac.mm (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-05-01  Jack Lee  <shihchieh_lee@apple.com>
+
+        Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode
+        https://bugs.webkit.org/show_bug.cgi?id=207600
+
+        Reviewed by Geoffrey Garen.
+
+        Reduce run time for this test case.
+
+        * editing/inserting/insert-list-then-edit-command-crash.html:
+
 2020-05-01  Eric Carlson  <eric.carlson@apple.com>
 

trunk/LayoutTests/editing/inserting/insert-list-then-edit-command-crash.html

@@ -1 @@
-<body><image></image><form id=form contentEditable=true><object data=? onload=objectOnLoad()></object></form><dialog open="true">a</dialog>
+<div style="width: 1px; height: 1px;"></div><div contentEditable=true><object data="?" onload=objectOnLoad()></object></div><span>text</span>
 <script>
-    document.getSelection().empty();
-    document.execCommand("selectAll", false);
     if (window.testRunner) {
         testRunner.dumpAsText();
@@ -8 +6 @@
     }
 
+    document.getSelection().empty();
+    document.execCommand("selectAll", false);
+
     function objectOnLoad() {
         document.execCommand("insertUnorderedList", false);
         document.execCommand("italic", false);
-        requestAnimationFrame(function () {
-            document.body.innerHTML = "<p> Tests inserting list followed by an edit command. The test passes if WebKit doesn't crash or hit an assertion.</p>";
-            if (window.testRunner)
-                testRunner.notifyDone();
-        });
+        document.body.innerHTML = "<p> Tests inserting list followed by an edit command. The test passes if WebKit doesn't crash or hit an assertion.</p>";
+        testRunner.notifyDone();
     }
 </script>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-05-01  Jack Lee  <shihchieh_lee@apple.com>
+
+        Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode
+        https://bugs.webkit.org/show_bug.cgi?id=207600
+        <rdar://problem/56969450>
+
+        Reviewed by Geoffrey Garen.
+
+        Second part of the fix. Remove m_frame in FrameSelection so it will not be
+        inadvertently used and cause this crash.
+
+        No new tests, covered by existing test.
+
+        * editing/AlternativeTextController.cpp:
+        (WebCore::AlternativeTextController::rootViewRectForRange const):
+        * editing/FrameSelection.cpp:
+        (WebCore::FrameSelection::FrameSelection):
+        (WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance):
+        (WebCore::FrameSelection::modify):
+        (WebCore::FrameSelection::selectFrameElementInParentIfFullySelected):
+        (WebCore::FrameSelection::setFocusedElementIfNeeded):
+        (WebCore::FrameSelection::shouldDeleteSelection const):
+        (WebCore::FrameSelection::shouldDeleteSelection):
+        (WebCore::FrameSelection::revealSelection):
+        (WebCore::FrameSelection:: shouldChangeSelection):
+        (WebCore::FrameSelection::shouldChangeSelection const):
+        * editing/FrameSelection.h:
+        * editing/atk/FrameSelectionAtk.cpp:
+        (WebCore::FrameSelection::notifyAccessibilityForSelectionChange):
+        * editing/mac/FrameSelectionMac.mm:
+        (WebCore::FrameSelection::notifyAccessibilityForSelectionChange):
+
 2020-05-01  Darin Adler  <darin@apple.com>
 

trunk/Source/WebCore/editing/AlternativeTextController.cpp

@@ -343 +343 @@
 FloatRect AlternativeTextController::rootViewRectForRange(const SimpleRange& range) const
 {
-    auto* view = m_document.frame()->view();
+    auto* view = m_document.view();
     if (!view)
         return { };

trunk/Source/WebCore/editing/FrameSelection.cpp

@@ -147 +147 @@
 FrameSelection::FrameSelection(Document* document)
     : m_document(document)
-    , m_frame(document? document->frame() : nullptr)
     , m_xPosForVerticalArrowNavigation(NoXPosForVerticalArrowNavigation())
     , m_granularity(CharacterGranularity)
@@ -158 +157 @@
     , m_caretPaint(true)
     , m_isCaretBlinkingSuspended(false)
-    , m_focused(m_frame && m_frame->page() && m_frame->page()->focusController().focusedFrame() == m_frame)
+    , m_focused(document && document->frame() && document->page() && document->page()->focusController().focusedFrame() == document->frame())
     , m_shouldShowBlockCursor(false)
     , m_pendingSelectionUpdate(false)
@@ -337 +336 @@
         newSelection.setIsDirectional(true);
 
-    if (!m_frame) {
+    if (!m_document || !m_document->frame()) {
         m_selection = newSelection;
         return false;
@@ -343 +342 @@
 
     // <http://bugs.webkit.org/show_bug.cgi?id=23464>: Infinite recursion at FrameSelection::setSelection
-    // if document->frame() == m_frame we can get into an infinite loop
+    // if document->frame() == m_document->frame() we can get into an infinite loop
     if (Document* newSelectionDocument = newSelection.base().document()) {
         if (RefPtr<Frame> newSelectionFrame = newSelectionDocument->frame()) {
-            if (newSelectionFrame != m_frame && newSelectionDocument != m_document) {
-                newSelectionFrame->selection().setSelection(newSelection, options, AXTextStateChangeIntent(), align, granularity);
+            if (newSelectionFrame != m_document->frame() && newSelectionDocument != m_document) {
+                newSelectionDocument->selection().setSelection(newSelection, options, AXTextStateChangeIntent(), align, granularity);
                 // It's possible that during the above set selection, this FrameSelection has been modified by
                 // selectFrameElementInParentIfFullySelected, but that the selection is no longer valid since
@@ -385 +384 @@
         auto* oldFocusedElement = m_document->focusedElement();
         setFocusedElementIfNeeded();
+        if (!m_document->frame())
+            return false;
         // FIXME: Should not be needed.
         if (m_document->focusedElement() != oldFocusedElement)
@@ -1378 +1379 @@
         return false;
 
-    if (isSpatialNavigationEnabled(m_frame))
+    if (m_document && isSpatialNavigationEnabled(m_document->frame())) {
         if (!wasRange && alter == AlterationMove && position == originalStartPosition)
             return false;
+    }
 
     if (m_document && AXObjectCache::accessibilityEnabled()) {
@@ -1933 +1935 @@
 {
     // Find the parent frame; if there is none, then we have nothing to do.
-    Frame* parent = m_frame->tree().parent();
+    Frame* parent = m_document->frame()->tree().parent();
     if (!parent)
         return;
-    Page* page = m_frame->page();
+    Page* page = m_document->page();
     if (!page)
         return;
@@ -1949 +1951 @@
 
     // Get to the <iframe> or <frame> (or even <object>) element in the parent frame.
-    Element* ownerElement = m_frame->ownerElement();
+    Element* ownerElement = m_document->ownerElement();
     if (!ownerElement)
         return;
@@ -2254 +2256 @@
     if (caretBrowsing) {
         if (Element* anchor = enclosingAnchorElement(m_selection.base())) {
-            m_document->page()->focusController().setFocusedElement(anchor, *m_frame);
+            m_document->page()->focusController().setFocusedElement(anchor, *m_document->frame());
             return;
         }
@@ -2266 +2268 @@
             // work in the long term, but this is the safest fix at this time.
             if (target->isMouseFocusable() && !isFrameElement(target)) {
-                m_document->page()->focusController().setFocusedElement(target, *m_frame);
+                m_document->page()->focusController().setFocusedElement(target, *m_document->frame());
                 return;
             }
@@ -2275 +2277 @@
 
     if (caretBrowsing)
-        m_document->page()->focusController().setFocusedElement(nullptr, *m_frame);
+        m_document->page()->focusController().setFocusedElement(nullptr, *m_document->frame());
 }
 
@@ -2301 +2303 @@
 {
 #if PLATFORM(IOS_FAMILY)
-    if (m_frame->selectionChangeCallbacksDisabled())
+    if (m_document->frame() && m_document->frame()->selectionChangeCallbacksDisabled())
         return true;
 #endif
@@ -2412 +2414 @@
                 updateAppearance();
                 if (m_document->page())
-                    m_document->page()->chrome().client().notifyRevealedSelectionByScrollingFrame(*m_frame);
+                    m_document->page()->chrome().client().notifyRevealedSelectionByScrollingFrame(*m_document->frame());
             }
         }
@@ -2446 +2448 @@
 {
 #if PLATFORM(IOS_FAMILY)
-    if (m_frame->selectionChangeCallbacksDisabled())
+    if (m_document->frame() && m_document->frame()->selectionChangeCallbacksDisabled())
         return true;
 #endif

trunk/Source/WebCore/editing/FrameSelection.h

@@ -339 +339 @@
 
     Document* m_document;
-    Frame* m_frame;
 
     LayoutUnit m_xPosForVerticalArrowNavigation;

trunk/Source/WebCore/editing/atk/FrameSelectionAtk.cpp

@@ -98 +98 @@
         return;
 
-    AXObjectCache* cache = m_frame->document()->existingAXObjectCache();
+    AXObjectCache* cache = m_document->existingAXObjectCache();
     if (!cache)
         return;

trunk/Source/WebCore/editing/mac/FrameSelectionMac.mm

@@ -35 +35 @@
 void FrameSelection::notifyAccessibilityForSelectionChange(const AXTextStateChangeIntent& intent)
 {
-    Document* document = m_frame->document();
-
     if (m_selection.start().isNotNull() && m_selection.end().isNotNull()) {
-        if (AXObjectCache* cache = document->existingAXObjectCache())
+        if (AXObjectCache* cache = m_document->existingAXObjectCache())
             cache->postTextStateChangeNotification(m_selection.start(), intent, m_selection);
     }
@@ -47 +45 @@
         return;
 
-    RenderView* renderView = document->renderView();
+    RenderView* renderView = m_document->renderView();
     if (!renderView)
         return;
-    FrameView* frameView = m_frame->view();
+    FrameView* frameView = m_document->view();
     if (!frameView)
         return;