Bug 224518

Summary: Nullptr deref in CompositeEditCommand::isRemovableBlock in DeleteSelectionCommand::removeRedundantBlocks
Product: WebKit Reporter: Ian Gilbert <iang>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, mifenton, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Description Ian Gilbert 2021-04-13 16:43:44 PDT 
removeRedundantBlocks() may run into a null pointer while iterating over the tree, if the tree is unexpectedly modified during the execution of a command. Adding null check to quit this step if a parent node cannot be resolved.
Comment 1 Ian Gilbert 2021-04-13 16:44:14 PDT 
<rdar://problem/76264118>
Comment 2 Ian Gilbert 2021-04-13 17:08:43 PDT 
Created attachment 425933 [details]
Patch
Comment 3 Ryosuke Niwa 2021-04-13 18:26:45 PDT 
Comment on attachment 425933 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425933&action=review

> Source/WebCore/editing/DeleteSelectionCommand.cpp:869
> +    RefPtr<Node> node = makeRefPtr(m_endingPosition.containerNode());
> +    RefPtr<Node> rootNode = makeRefPtr(node->rootEditableElement());

Use auto?

> Source/WebCore/editing/DeleteSelectionCommand.cpp:871
> +    while (node && (node != rootNode)) {

We don't usually nest parentheses like this.

> Source/WebCore/editing/DeleteSelectionCommand.cpp:877
> -            node = m_endingPosition.anchorNode();
> +            node = makeRefPtr(m_endingPosition.anchorNode());

No need to call makeRefPtr since node is already of type RefPtr<Node>.

> Source/WebCore/editing/DeleteSelectionCommand.cpp:879
> -            node = node->parentNode();
> +            node = makeRefPtr(node->parentNode());

Ditto.

> LayoutTests/editing/execCommand/remove-node-during-command-crash.html:24
> +    document.write('PASS')

Missing semicolon at the end.
Also, can we say that this test passes if WebKit doesn't crash?
Comment 4 Ian Gilbert 2021-04-15 16:49:41 PDT 
Created attachment 426154 [details]
Patch
Comment 5 Ian Gilbert 2021-04-15 16:53:39 PDT 
Tried to add the text to the test body saying the test passes if it doesn't crash but it either would stop the test from reproducing, or would get eaten by the command. Hopefully that is appropriate.
Comment 6 Ryosuke Niwa 2021-04-15 16:56:42 PDT 
Comment on attachment 426154 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=426154&action=review

> Source/WebCore/ChangeLog:3
> +        Editing null pointer dereference while resolving command

I've just renamed the bug. Please update the title here. It's overly generic.
Sorry I didn't notice earlier.

> LayoutTests/ChangeLog:3
> +        Editing null pointer dereference while resolving command

Ditto.

> LayoutTests/ChangeLog:8
> +        Add regression test.

Nit: Add *a* regression test.
Comment 7 Ian Gilbert 2021-04-16 13:35:51 PDT 
Created attachment 426267 [details]
Patch
Comment 8 Ryosuke Niwa 2021-04-16 13:37:40 PDT 
Let's at least wait for the stress EWS to make sure the new test isn't flaky, etc...
Comment 9 EWS 2021-04-16 17:57:30 PDT 
Committed r276186 (236668@main): <https://commits.webkit.org/236668@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 426267 [details].