Changeset 261664 in webkit


Timestamp:
May 13, 2020 5:21:50 PM (4 years ago)
Author:
Jack Lee
Message:

Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
https://bugs.webkit.org/show_bug.cgi?id=211793
<rdar://problem/62993645>

Reviewed by Geoffrey Garen.

Source/WebCore:

Check for disconnected merge destination and endingSelection() after mergeParagraph is
called and bail out to avoid using corrupted positions for node insertion.

Test: editing/inserting/insert-text-merge-node-removed-crash.html

  • editing/CompositeEditCommand.cpp:

(WebCore::CompositeEditCommand::moveParagraphs):

  • editing/DeleteSelectionCommand.cpp:

(WebCore::DeleteSelectionCommand::mergeParagraphs):

LayoutTests:

Added a regression test for the crash.

  • editing/inserting/insert-text-merge-node-removed-crash-expected.txt: Added.
  • editing/inserting/insert-text-merge-node-removed-crash.html: Added.
Location:
trunk
Files:
2 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r261663 r261664  
     12020-05-13  Jack Lee  <shihchieh_lee@apple.com>
     2
     3        Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
     4        https://bugs.webkit.org/show_bug.cgi?id=211793
     5        <rdar://problem/62993645>
     6
     7        Reviewed by Geoffrey Garen.
     8
     9        Added a regression test for the crash.
     10
     11        * editing/inserting/insert-text-merge-node-removed-crash-expected.txt: Added.
     12        * editing/inserting/insert-text-merge-node-removed-crash.html: Added.
     13
    1142020-05-13  Said Abou-Hallawa  <sabouhallawa@apple.com>
    215
  • trunk/Source/WebCore/ChangeLog

    r261663 r261664  
     12020-05-13  Jack Lee  <shihchieh_lee@apple.com>
     2
     3        Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
     4        https://bugs.webkit.org/show_bug.cgi?id=211793
     5        <rdar://problem/62993645>
     6
     7        Reviewed by Geoffrey Garen.
     8
     9        Check for disconnected merge destination and endingSelection() after mergeParagraph is
     10        Called and bail out to avoid using corrupted positions for node insertion.
     11
     12        Test: editing/inserting/insert-text-merge-node-removed-crash.html
     13
     14        * editing/CompositeEditCommand.cpp:
     15        (WebCore::CompositeEditCommand::moveParagraphs):
     16        * editing/DeleteSelectionCommand.cpp:
     17        (WebCore::DeleteSelectionCommand::mergeParagraphs):
     18
    1192020-05-13  Said Abou-Hallawa  <sabouhallawa@apple.com>
    220
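Review bot: in the description of the added entry (new lines 9-10), "Called" is capitalized mid-sentence and the text names "mergeParagraph", while the functions listed directly below it are moveParagraphs and mergeParagraphs. Suggest lowercasing "called" and using the exact function name so the entry can be matched against the source when someone searches the log for this fix.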
  • trunk/Source/WebCore/editing/CompositeEditCommand.cpp

    r261126 r261664  
    14771477    ASSERT(destination.deepEquivalent().anchorNode()->isConnected());
    14781478    cleanupAfterDeletion(destination);
    1479     ASSERT(destination.deepEquivalent().anchorNode()->isConnected());
     1479
     1480    // FIXME (Bug 211793): We should redesign cleanupAfterDeletion or find another destination when it is removed.
     1481    if (!destination.deepEquivalent().anchorNode()->isConnected())
     1482        return;
    14801483
    14811484    // Add a br if pruning an empty block level element caused a collapse. For example:
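Review bot: the new guard on line 1481 calls anchorNode()->isConnected() without first testing anchorNode() for null, so if cleanupAfterDeletion(destination) leaves destination without an anchor node, the guard itself dereferences a null pointer. Suggest taking the anchor node into a local and returning when it is null or not connected. The early return also skips the br-insertion step introduced by the comment on line 1484; the FIXME should say that callers can now get back from this function with that step not done.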
  • trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp

    r260831 r261664  
    755755    m_needPlaceholder = needPlaceholder;
    756756    // The endingPosition was likely clobbered by the move, so recompute it (moveParagraph selects the moved paragraph).
    757     m_endingPosition = endingSelection().start();
     757
     758    // FIXME (Bug 211793): endingSelection() becomes disconnected in moveParagraph
     759    if (endingSelection().start().anchorNode()->isConnected())
     760        m_endingPosition = endingSelection().start();
    758761}
    759762
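Review bot: when the condition on line 759 is false, m_endingPosition keeps the value it had before the move, which the comment on line 756 describes as likely clobbered, so later code can still read a stale position. Suggest resetting m_endingPosition or bailing out explicitly in the disconnected case instead of silently skipping the assignment. The condition also calls anchorNode()->isConnected() with no null check on anchorNode(); test the pointer before the call.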