Bug 193027

Summary: Nullptr crash in CompositeEditCommand::moveParagraphs when root editable element goes away
Product: WebKit
Reporter: sekai wu <hellowuzekai>
Component: HTML Editing
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: megan_gardner, rniwa, wenson_hsieh
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: PC   
OS: macOS 10.13   
Attachments (description, flags):
a html file to trigger this bug, flags: none
Fixes the bug, flags: wenson_hsieh: review+

sekai wu
Reported 2018-12-24 20:28:34 PST
Created attachment 358052 [details]
a html file to trigger this bug

In the WebCore::CompositeEditCommand::moveParagraphs function:

    auto editableRoot = destination.rootEditableElement();
    ...
    Element* rootEditableElement() const { return m_deepPosition.isNotNull() ? m_deepPosition.deprecatedNode()->rootEditableElement() : 0; }

It sets editableRoot to null. And then

    RefPtr<Range> startToDestinationRange(Range::create(document(), firstPositionInNode(editableRoot), destination.deepEquivalent().parentAnchoredEquivalent()));

firstPositionInNode(editableRoot) will trigger a null pointer crash.
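A minimal model of the failure described in the report, as an added example that is not WebKit code and not the patch attached to this bug. `Element`, `Position`, `MoveResult`, both `moveParagraphs*` functions and `runScenario` are simplified, hypothetical stand-ins, and the null check shows one defensive shape, not necessarily what the fix does.

```cpp
#include <cstdio>
// Simplified, hypothetical stand-ins for the WebCore types named in the report.
struct Element {
    Element* parent = nullptr;
    bool contentEditable = false;
    bool isText = false;
    // Outermost editable ancestor-or-self, or nullptr when none is left.
    Element* rootEditableElement() {
        Element* root = nullptr;
        for (Element* e = this; e; e = e->parent)
            if (e->contentEditable) root = e;
        return root;
    }
};
struct Position {
    Element* anchor = nullptr;
    bool offsetInAnchor = false;
    Element* rootEditableElement() const { return anchor ? anchor->rootEditableElement() : nullptr; }
};
// Reads through the pointer, so a null argument is the crash from the report.
Position firstPositionInNode(Element* node) { return Position{node, node->isText}; }

enum class MoveResult { Moved, NoEditableRoot };

// Shape of the reported path: nothing between the lookup and the use.
MoveResult moveParagraphsUnchecked(const Position& destination) {
    Element* editableRoot = destination.rootEditableElement();
    Position start = firstPositionInNode(editableRoot); // null dereference if the root is gone
    return start.anchor ? MoveResult::Moved : MoveResult::NoEditableRoot;
}
// Defensive shape: stop when the editable root has disappeared.
MoveResult moveParagraphsChecked(const Position& destination) {
    Element* editableRoot = destination.rootEditableElement();
    if (!editableRoot)
        return MoveResult::NoEditableRoot;
    Position start = firstPositionInNode(editableRoot);
    return start.anchor == editableRoot ? MoveResult::Moved : MoveResult::NoEditableRoot;
}
// Constructed scenario: div[contenteditable] > p, with the div optionally losing editability.
MoveResult runScenario(bool rootGoesAway) {
    Element div, p;
    p.parent = &div;
    div.contentEditable = true;
    Position destination{&p, false};
    if (rootGoesAway) div.contentEditable = false;
    return moveParagraphsChecked(destination);
}
int main() {
    std::printf("intact=%d gone=%d\n", (int)runScenario(false), (int)runScenario(true));
}
```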
Attachments
a html file to trigger this bug (537.37 KB, text/html)
2018-12-24 20:28 PST, sekai wu
no flags
Fixes the bug (6.13 KB, patch)
2019-04-10 17:04 PDT, Ryosuke Niwa
wenson_hsieh: review+
Ryosuke Niwa
Comment 1 2019-04-10 13:44:18 PDT
Ryosuke Niwa
Comment 2 2019-04-10 17:04:06 PDT
Created attachment 367179 [details] Fixes the bug
Ryosuke Niwa
Comment 3 2019-04-10 19:12:58 PDT