Bug 209021

Summary: Crash in TextManipulationController::replace
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: HTML Editing
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: cdumez, ews-watchlist, megan_gardner, mifenton, wenson_hsieh
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Ryosuke Niwa
Reported 2020-03-12 15:02:16 PDT
TextManipulationController::replace can crash when accessing TextIterator::node and other places.
Attachments
Fixes the bug (7.58 KB, patch)
2020-03-12 15:16 PDT, Ryosuke Niwa
wenson_hsieh: review+
Ryosuke Niwa
Comment 1 2020-03-12 15:16:30 PDT
Created attachment 393421 [details] Fixes the bug
Wenson Hsieh
Comment 2 2020-03-12 15:41:18 PDT
Comment on attachment 393421 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=393421&action=review

> Source/WebCore/editing/TextManipulationController.cpp:580
> + Position insertionPoint = positionBeforeNode(firstContentNode.get()).parentAnchoredEquivalent();

Is it possible `firstContentNode` is null here? That would lead to a debug assertion in positionBeforeNode.

(Seems like the answer is no because we’d already bail in the early return above…?)
Ryosuke Niwa
Comment 3 2020-03-12 15:45:56 PDT
Comment on attachment 393421 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=393421&action=review

>> Source/WebCore/editing/TextManipulationController.cpp:580
>> + Position insertionPoint = positionBeforeNode(firstContentNode.get()).parentAnchoredEquivalent();
>
> Is it possible `firstContentNode` is null here? That would lead to a debug assertion in positionBeforeNode.
>
> (Seems like the answer is no because we’d already bail in the early return above…?)

I don't think so because to get here, we must have had at least one token, which means we must have had at least one content node.
Ryosuke Niwa
Comment 4 2020-03-12 16:29:32 PDT
Ryosuke Niwa
Comment 5 2020-03-12 16:29:57 PDT