Changeset 272928 in webkit

Timestamp:

Feb 16, 2021 2:05:09 PM (3 years ago)

Author:

rniwa@webkit.org

Message:

EventHandler::updateSelectionForMouseDownDispatchingSelectStart should not use an orphaned selection
​https://bugs.webkit.org/show_bug.cgi?id=221942

Reviewed by Wenson Hsieh.

Source/WebCore:

In r272777, we re-introduced a nullptr check in DOMSelection::getRangeAt as we were getting crash reports
in this code but we weren't sure of the root cause. Since then we've identified that one of the root causes
is that EventHandler::updateSelectionForMouseDownDispatchingSelectStart doesn't check if VisibleSelection
is still in a good state after dispatching selectstart event. This results in FrameSelection's
setSelectionWithoutUpdatingAppearance getting called with a selection with end points already being orphaned.

This patch fixes this bug in setSelectionWithoutUpdatingAppearance and also adds an additional check in
FrameSelection::setSelectionWithoutUpdatingAppearance itself to avoid using an orphaned selection. It also
introduces a number of release and debug assertions in a number of places to help catch similar bugs.

Test: editing/selection/click-selection-with-selectstart-node-removal.html

• dom/ContainerNode.cpp:

(WebCore::ContainerNode::removeAllChildrenWithScriptAssertion): Added a debug-only assertion.
(WebCore::ContainerNode::removeNodeWithScriptAssertion): Ditto.

• dom/Document.cpp:

(WebCore::Document::removedLastRef): Disallow script execution in this code entirely. Also release assert
that the selection had already been cleared by this point.
(WebCore::Document::willBeRemovedFromFrame): Disallow script execution once we've unloaded subframes.

• editing/FrameSelection.cpp:

(WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance): Return early if the new selection's
end points had been orphaned, and disallow script execution between that and until we update the selection.

• editing/VisibleSelection.cpp:

(WebCore::VisibleSelection::isOrphan const): Added.

• editing/VisibleSelection.h:
• page/DOMSelection.cpp:

(WebCore::DOMSelection::getRangeAt): Removed nullptr check added in r272777.

• page/EventHandler.cpp:

(WebCore::EventHandler::updateSelectionForMouseDownDispatchingSelectStart): Fixed what is now believed to be
the root cause of the bug 221786.

LayoutTests:

Added a regression test for the bug 221786 / r272777.

Also updated a test imported from blink to expect rangeCount of 0 instead of 1
since we no longer update the selection when the target node has been removed
during selectstart.

• editing/selection/click-selection-with-selectstart-node-removal-expected.txt: Added.
• editing/selection/click-selection-with-selectstart-node-removal.html: Added.
• imported/blink/editing/selection/selectstart-event-crash.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/selection/click-selection-with-selectstart-node-removal-expected.txt (added)
• LayoutTests/editing/selection/click-selection-with-selectstart-node-removal.html (added)
• LayoutTests/imported/blink/editing/selection/selectstart-event-crash.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/ContainerNode.cpp (modified) (2 diffs)
• Source/WebCore/dom/Document.cpp (modified) (3 diffs)
• Source/WebCore/editing/FrameSelection.cpp (modified) (4 diffs)
• Source/WebCore/editing/VisibleSelection.cpp (modified) (1 diff)
• Source/WebCore/editing/VisibleSelection.h (modified) (1 diff)
• Source/WebCore/page/DOMSelection.cpp (modified) (1 diff)
• Source/WebCore/page/EventHandler.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-02-16  Ryosuke Niwa  <rniwa@webkit.org>
+
+        EventHandler::updateSelectionForMouseDownDispatchingSelectStart should not use an orphaned selection
+        https://bugs.webkit.org/show_bug.cgi?id=221942
+
+        Reviewed by Wenson Hsieh.
+
+        Added a regression test for the bug 221786 / r272777.
+
+        Also updated a test imported from blink to expect rangeCount of 0 instead of 1
+        since we no longer update the selection when the target node has been removed
+        during selectstart.
+
+        * editing/selection/click-selection-with-selectstart-node-removal-expected.txt: Added.
+        * editing/selection/click-selection-with-selectstart-node-removal.html: Added.
+        * imported/blink/editing/selection/selectstart-event-crash.html:
+
 2021-02-16  Antoine Quint  <graouts@webkit.org>
 

trunk/LayoutTests/imported/blink/editing/selection/selectstart-event-crash.html

@@ -15 +15 @@
     eventSender.mouseDown();
     var selection = getSelection();
-    assert_equals(selection.rangeCount, 1);
+    assert_equals(selection.rangeCount, 0);
 });
 </script>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-02-16  Ryosuke Niwa  <rniwa@webkit.org>
+
+        EventHandler::updateSelectionForMouseDownDispatchingSelectStart should not use an orphaned selection
+        https://bugs.webkit.org/show_bug.cgi?id=221942
+
+        Reviewed by Wenson Hsieh.
+
+        In r272777, we re-introduced a nullptr check in DOMSelection::getRangeAt as we were getting crash reports
+        in this code but we weren't sure of the root cause. Since then we've identified that one of the root causes
+        is that EventHandler::updateSelectionForMouseDownDispatchingSelectStart doesn't check if VisibleSelection
+        is still in a good state after dispatching selectstart event. This results in FrameSelection's
+        setSelectionWithoutUpdatingAppearance getting called with a selection with end points already being orphaned.
+
+        This patch fixes this bug in setSelectionWithoutUpdatingAppearance and also adds an additional check in
+        FrameSelection::setSelectionWithoutUpdatingAppearance itself to avoid using an orphaned selection. It also
+        introduces a number of release and debug assertions in a number of places to help catch similar bugs.
+
+        Test: editing/selection/click-selection-with-selectstart-node-removal.html
+
+        * dom/ContainerNode.cpp:
+        (WebCore::ContainerNode::removeAllChildrenWithScriptAssertion): Added a debug-only assertion.
+        (WebCore::ContainerNode::removeNodeWithScriptAssertion): Ditto.
+        * dom/Document.cpp:
+        (WebCore::Document::removedLastRef): Disallow script execution in this code entirely. Also release assert
+        that the selection had already been cleared by this point.
+        (WebCore::Document::willBeRemovedFromFrame): Disallow script execution once we've unloaded subframes.
+        * editing/FrameSelection.cpp:
+        (WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance): Return early if the new selection's
+        end points had been orphaned, and disallow script execution between that and until we update the selection. 
+        * editing/VisibleSelection.cpp:
+        (WebCore::VisibleSelection::isOrphan const): Added.
+        * editing/VisibleSelection.h:
+        * page/DOMSelection.cpp:
+        (WebCore::DOMSelection::getRangeAt): Removed nullptr check added in r272777.
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::updateSelectionForMouseDownDispatchingSelectStart): Fixed what is now believed to be
+        the root cause of the bug 221786.
+
 2021-02-16  Antoine Quint  <graouts@webkit.org>
 

trunk/Source/WebCore/dom/ContainerNode.cpp

@@ -127 +127 @@
     }
 
+    ASSERT_WITH_SECURITY_IMPLICATION(!document().selection().selection().isOrphan());
+
     if (deferChildrenChanged == DeferChildrenChanged::No)
         childrenChanged(ContainerNode::ChildChange { ChildChange::Type::AllChildrenRemoved, nullptr, nullptr, source });
@@ -192 +194 @@
     if (source == ChildChange::Source::API && subtreeObservability == RemovedSubtreeObservability::MaybeObservableByRefPtr)
         willCreatePossiblyOrphanedTreeByRemoval(&childToRemove);
+
+    ASSERT_WITH_SECURITY_IMPLICATION(!document().selection().selection().isOrphan());
 
     // FIXME: Move childrenChanged into ScriptDisallowedScope block.

trunk/Source/WebCore/dom/Document.cpp

@@ -782 +782 @@
 void Document::removedLastRef()
 {
+    ScriptDisallowedScope::InMainThread scriptDisallowedScope;
     ASSERT(!m_deletionHasBegun);
     if (m_referencingNodeCount) {
@@ -811 +812 @@
 
         detachParser();
+
+        RELEASE_ASSERT(m_selection->isNone());
 
         // removeDetachedChildren() doesn't always unregister IDs,
@@ -2594 +2597 @@
     RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!m_frame || !m_frame->tree().childCount());
 
+    ScriptDisallowedScope::InMainThread scriptDisallowedScope;
+
     if (m_domWindow && m_frame)
         m_domWindow->willDetachDocumentFromFrame();

trunk/Source/WebCore/editing/FrameSelection.cpp

@@ -66 +66 @@
 #include "RenderWidget.h"
 #include "RenderedPosition.h"
+#include "ScriptDisallowedScope.h"
 #include "Settings.h"
 #include "SimpleRange.h"
@@ -334 +335 @@
         newSelection.setIsDirectional(true);
 
-    if (!m_document || !m_document->frame()) {
-        m_selection = newSelection;
-        updateAssociatedLiveRange();
-        return false;
-    }
-
     // <http://bugs.webkit.org/show_bug.cgi?id=23464>: Infinite recursion at FrameSelection::setSelection
     // if document->frame() == m_document->frame() we can get into an infinite loop
     if (Document* newSelectionDocument = newSelection.base().document()) {
         if (RefPtr<Frame> newSelectionFrame = newSelectionDocument->frame()) {
-            if (newSelectionFrame != m_document->frame() && newSelectionDocument != m_document) {
+            if (m_document && newSelectionFrame != m_document->frame() && newSelectionDocument != m_document) {
                 newSelectionDocument->selection().setSelection(newSelection, options, AXTextStateChangeIntent(), align, granularity);
                 // It's possible that during the above set selection, this FrameSelection has been modified by
@@ -356 +351 @@
     }
 
-    m_granularity = granularity;
-
-    if (closeTyping)
-        TypingCommand::closeTyping(*m_document);
-
-    if (shouldClearTypingStyle)
-        clearTypingStyle();
-
     VisibleSelection oldSelection = m_selection;
-    bool didMutateSelection = oldSelection != newSelection;
-    if (didMutateSelection)
+    bool willMutateSelection = oldSelection != newSelection;
+    if (willMutateSelection && m_document)
         m_document->editor().selectionWillChange();
 
-    m_selection = newSelection;
-    updateAssociatedLiveRange();
+    {
+        ScriptDisallowedScope::InMainThread scriptDisallowedScope;
+        if (newSelection.isOrphan()) {
+            ASSERT_NOT_REACHED();
+            clear();
+            return false;
+        }
+
+        if (!m_document || !m_document->frame()) {
+            m_selection = newSelection;
+            updateAssociatedLiveRange();
+            return false;
+        }
+
+        if (closeTyping)
+            TypingCommand::closeTyping(*m_document);
+
+        if (shouldClearTypingStyle)
+            clearTypingStyle();
+
+        m_granularity = granularity;
+        m_selection = newSelection;
+        updateAssociatedLiveRange();
+    }
 
     // Selection offsets should increase when LF is inserted before the caret in InsertLineBreakCommand. See <https://webkit.org/b/56061>.
@@ -376 +385 @@
         textControl->selectionChanged(options.contains(FireSelectEvent));
 
-    if (!didMutateSelection)
+    if (!willMutateSelection)
         return false;
 

trunk/Source/WebCore/editing/VisibleSelection.cpp

@@ -132 +132 @@
 {
     setExtent(visiblePosition.deepEquivalent());
+}
+
+bool VisibleSelection::isOrphan() const
+{
+    if (m_base.isOrphan() || m_extent.isOrphan() || m_start.isOrphan() || m_end.isOrphan())
+        return true;
+    if (m_anchor.isOrphan() && m_anchor.document()->settings().liveRangeSelectionEnabled())
+        return true;
+    if (m_focus.isOrphan() && m_focus.document()->settings().liveRangeSelectionEnabled())
+        return true;
+    return false;
 }
 

trunk/Source/WebCore/editing/VisibleSelection.h

@@ -87 +87 @@
     bool isNonOrphanedRange() const { return isRange() && !start().isOrphan() && !end().isOrphan(); }
     bool isNoneOrOrphaned() const { return isNone() || start().isOrphan() || end().isOrphan(); }
+    bool isOrphan() const;
 
     bool isBaseFirst() const { return m_anchorIsFirst; }

trunk/Source/WebCore/page/DOMSelection.cpp

@@ -368 +368 @@
     if (auto shadowAncestor = selectionShadowAncestor(frame))
         return createLiveRange(makeSimpleRange(*makeBoundaryPointBeforeNode(*shadowAncestor)));
-    auto simpleRange = frame->selection().selection().firstRange();
-    ASSERT(simpleRange); // selection is orphaned but this shouldn't happen.
-    if (!simpleRange)
-        return Exception { IndexSizeError };
-    return createLiveRange(*simpleRange);
+    return createLiveRange(*frame->selection().selection().firstRange());
 }
 

trunk/Source/WebCore/page/EventHandler.cpp

@@ -467 +467 @@
     }
 
+    if (selection.isOrphan()) {
+        m_mouseDownMayStartSelect = false;
+        return false;
+    }
+
     if (selection.isRange())
         m_selectionInitiationState = ExtendedSelection;