Commit 7c7310e

Julian Gonzalez authored and webkit-commit-queue committed
Crash in ReplaceSelectionCommand::mergeEndIfNeeded()
https://bugs.webkit.org/show_bug.cgi?id=224587

Patch by Julian Gonzalez <julian_a_gonzalez@apple.com> on 2021-04-15
Reviewed by Ryosuke Niwa.

Source/WebCore:

Return early in mergeEndIfNeeded() if either of our VisiblePositions are null.

Test: editing/inserting/insert-horizontal-rule-with-style-crash.html

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::mergeEndIfNeeded):

LayoutTests:

Add a test to catch the editing crash fixed here; thanks to Tuomas Karkkainen for its basic structure and Ryosuke Niwa for some fixes.

* editing/inserting/insert-horizontal-rule-with-style-crash-expected.txt: Added.
* editing/inserting/insert-horizontal-rule-with-style-crash.html: Added.

Canonical link: https://commits.webkit.org/236591@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276078 268f45cc-cd09-0410-ab3c-d52691b4dbfc
1 parent 2db19c4 commit 7c7310e

5 files changed

Lines changed: 56 additions & 0 deletions

LayoutTests/ChangeLog

Lines changed: 13 additions & 0 deletions
@@ -1,3 +1,16 @@
1+
2021-04-15 Julian Gonzalez <julian_a_gonzalez@apple.com>
2+
3+
Crash in ReplaceSelectionCommand::mergeEndIfNeeded()
4+
https://bugs.webkit.org/show_bug.cgi?id=224587
5+
6+
Reviewed by Ryosuke Niwa.
7+
8+
Add a test to catch the editing crash fixed here; thanks to Tuomas Karkkainen
9+
for its basic structure and Ryosuke Niwa for some fixes.
10+
11+
* editing/inserting/insert-horizontal-rule-with-style-crash-expected.txt: Added.
12+
* editing/inserting/insert-horizontal-rule-with-style-crash.html: Added.
13+
114
2021-04-15 Antoine Quint <graouts@webkit.org>
215

316
calc() simplification for a multiplication should apply the multiplication to each value of an addition
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
This test passes if it does not crash. PASS
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
<!DOCTYPE html>
2+
<html>
3+
<head>
4+
<style></style>
5+
<title>InsertHRWithStyle</title>
6+
<script>
7+
if (window.testRunner)
8+
testRunner.dumpAsText();
9+
10+
onload = () => {
11+
document.styleSheets[0].insertRule(`:not(:read-only) { display: inline-table; }`);
12+
document.styleSheets[0].insertRule(`:not(:host) { border-top: 1px solid; }`);
13+
document.styleSheets[0].insertRule(`:last-of-type { all: unset; }`);
14+
document.querySelector('title').appendChild(document.createElement('div'));
15+
document.execCommand('SelectAll');
16+
document.designMode = 'on';
17+
document.execCommand('InsertHorizontalRule');
18+
document.head.replaceChildren();
19+
document.body.textContent = 'This test passes if it does not crash. PASS';
20+
};
21+
</script>
22+
<script></script>
23+
</head>
24+
</html>
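
Review bot: The onload handler (new lines 10-20) carries no comment saying which step puts the editor into the state that crashes, so a later reader cannot tell whether the three insertRule() calls, the div appended to the title element, or the SelectAll / designMode / InsertHorizontalRule sequence is the load-bearing part. A one-line comment naming the bug and the condition being exercised would make the test easier to reduce if it regresses. The empty `<script></script>` on line 22 should either get a note that the repro needs it or be dropped.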

Source/WebCore/ChangeLog

Lines changed: 14 additions & 0 deletions
@@ -1,3 +1,17 @@
1+
2021-04-15 Julian Gonzalez <julian_a_gonzalez@apple.com>
2+
3+
Crash in ReplaceSelectionCommand::mergeEndIfNeeded()
4+
https://bugs.webkit.org/show_bug.cgi?id=224587
5+
6+
Reviewed by Ryosuke Niwa.
7+
8+
Return early in mergeEndIfNeeded() if either of our VisiblePositions are null.
9+
10+
Test: editing/inserting/insert-horizontal-rule-with-style-crash.html
11+
12+
* editing/ReplaceSelectionCommand.cpp:
13+
(WebCore::ReplaceSelectionCommand::mergeEndIfNeeded):
14+
115
2021-04-15 Manuel Rego Casasnovas <rego@igalia.com>
216

317
Move FocusRemovalEventsMode into FocusOptions
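
Review bot: The description on new line 8 states the early return but not how the VisiblePositions come to be null by the time mergeEndIfNeeded() runs. One sentence on the cause would help anyone checking whether other callers in the editing code can reach the same state.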

Source/WebCore/editing/ReplaceSelectionCommand.cpp

Lines changed: 4 additions & 0 deletions
@@ -990,6 +990,10 @@ void ReplaceSelectionCommand::mergeEndIfNeeded()
990990
ASSERT_NOT_REACHED();
991991
return;
992992
}
993+
994+
ASSERT(startOfInsertedContent.isNull() == endOfInsertedContent.isNull());
995+
if (startOfInsertedContent.isNull() || endOfInsertedContent.isNull())
996+
return;
993997

994998
// Merging two paragraphs will destroy the moved one's block styles. Always move the end of inserted forward
995999
// to preserve the block style of the paragraph already in the document, unless the paragraph to move would
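
Review bot: The ASSERT on new line 994 and the check on line 995 disagree about the case where exactly one position is null: the assertion treats it as an invariant violation and stops a debug build, while the `||` test lets a release build return quietly. If the mixed state is not expected, a short comment saying why both positions go null together would justify the assertion; if it can happen, the ASSERT should go. Either way it is worth confirming that the new layout test reaches the both-null case, so it does not trip the assertion in debug test runs, and adding a comment above the early return explaining why null positions are possible here.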
