Bug 144047

Summary:

VisibleSelection should only accept Range by reference

Product:

WebKit

Reporter:

Brent Fulgham <bfulgham>

Component:

WebKit Misc.

Assignee:

Brent Fulgham <bfulgham>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, thorton

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch	none
Patch v2 (No RELEASE_ASSERT, iOS Fixes)	none
Patch v3 (More build fixes for different configurations)	thorton: review+

Brent Fulgham

Reported 2015-04-22 09:32:13 PDT

One of the available VisibleSelection constructors accepts a Range pointer. However, it immediately dereferences the pointer to access members, resulting in runtime crashes if an unwitting developer passes an unchecked Range pointer. Since a nullptr is not valid input for this constructor, we should change the interface to require a reference. The code already must do null checks before passing Range pointers to this constructor, so simply changing this code to dereference the pointer is a trivial mechanical change. This will make it harder to accidentally code an unsafe use of VisibleSelection.

Attachments
Patch (20.42 KB, patch) 2015-04-22 16:48 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Patch v2 (No RELEASE_ASSERT, iOS Fixes) (24.63 KB, patch) 2015-04-22 17:06 PDT, Brent Fulgham	no flags	Details Formatted Diff Diff
Patch v3 (More build fixes for different configurations) (29.68 KB, patch) 2015-04-22 17:38 PDT, Brent Fulgham	thorton: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Brent Fulgham

Comment 1 2015-04-22 09:36:18 PDT

It's interesting (alarming?) that there are cases in the same file (e.g., WebPage.cpp) where null checks are performed, and others where it is missed: Example 1: (WebPage.cpp Line 4207) void WebPage::insertTextAsync(const String& text, const EditingRange& replacementEditingRange, bool registerUndoGroup) RefPtr<Range> replacementRange = rangeFromEditingRange(frame, replacementEditingRange); if (replacementRange) frame.selection().setSelection(VisibleSelection(replacementRange.get(), SEL_DEFAULT_AFFINITY)); Example 2: (WebPage.cpp Line 4296) void WebPage::setCompositionAsync(const String& text, Vector<CompositionUnderline> underlines, const EditingRange& selection, const EditingRange& replacementEditingRange) replacementRange = rangeFromEditingRange(frame, replacementEditingRange); frame.selection().setSelection(VisibleSelection(replacementRange.get(), SEL_DEFAULT_AFFINITY));

Brent Fulgham

Comment 2 2015-04-22 16:48:00 PDT

Created attachment 251383 [details] Patch

Tim Horton

Comment 3 2015-04-22 16:53:50 PDT

Comment on attachment 251383 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=251383&action=review > Source/WebCore/editing/Editor.cpp:2003 > + RELEASE_ASSERT(badGrammarRange.get()); Please don't RELEASE_ASSERT in all these places. The next line will do a null deref anyway.

Brent Fulgham

Comment 4 2015-04-22 17:06:06 PDT

Created attachment 251387 [details] Patch v2 (No RELEASE_ASSERT, iOS Fixes)

Brent Fulgham

Comment 5 2015-04-22 17:38:43 PDT

Created attachment 251390 [details] Patch v3 (More build fixes for different configurations)

Brent Fulgham

Comment 6 2015-04-22 19:15:51 PDT

Committed r183158: <http://trac.webkit.org/changeset/183158>

Note You need to log in before you can comment on or make changes to this bug.