Bug 226527

Summary: Nullptr crash in CompositeEditCommand::splitTreeToNode via InsertParagraphSeparatorCommand::doApply
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: HTML EditingAssignee: Frédéric Wang (:fredw) <fred.wang>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cgarcia, ews-feeder, fred.wang, gpoo, product-security, rbuis, svillar, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=220349
Bug Depends on:    
Bug Blocks: 224977    
Attachments:
Description Flags
Test
none
Patch none

Ryosuke Niwa
Reported 2021-06-02 00:58:42 PDT
Created attachment 430323 [details] Test e.g. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000016919381f WebCore::Node::ref() const + 0 (Node.h:780) [inlined] 1 com.apple.WebCore 0x000000016919381f WTF::DefaultRefDerefTraits<WebCore::Node>::refIfNotNull(WebCore::Node*) + 0 (RefPtr.h:36) [inlined] 2 com.apple.WebCore 0x000000016919381f WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::RefPtr(WebCore::Node*) + 0 (RefPtr.h:63) [inlined] 3 com.apple.WebCore 0x000000016919381f WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::RefPtr(WebCore::Node*) + 0 (RefPtr.h:63) [inlined] 4 com.apple.WebCore 0x000000016919381f WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::operator=(WebCore::Node*) + 0 (RefPtr.h:153) [inlined] 5 com.apple.WebCore 0x000000016919381f WebCore::CompositeEditCommand::splitTreeToNode(WebCore::Node&, WebCore::Node&, bool) + 79 (CompositeEditCommand.cpp:1751) 6 com.apple.WebCore 0x00000001691e584a WebCore::InsertParagraphSeparatorCommand::doApply() + 6746 (InsertParagraphSeparatorCommand.cpp:396) 7 com.apple.WebCore 0x000000016918d508 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::EditCommand, WTF::RawPtrTraits<WebCore::EditCommand> >&&) + 40 (CompositeEditCommand.cpp:488) 8 com.apple.WebCore 0x000000016918da39 WebCore::CompositeEditCommand::insertParagraphSeparator(bool, bool) + 89 (CompositeEditCommand.cpp:529) 9 com.apple.WebCore 0x00000001691fc0eb WebCore::ReplaceSelectionCommand::doApply() + 14203 (ReplaceSelectionCommand.cpp:1426) 10 com.apple.WebCore 0x000000016917c7c7 WebCore::CompositeEditCommand::apply() + 167 (CompositeEditCommand.cpp:397) 11 com.apple.WebCore 0x00000001691b1034 WebCore::Editor::replaceSelectionWithFragment(WebCore::DocumentFragment&, WebCore::Editor::SelectReplacement, WebCore::Editor::SmartReplace, WebCore::Editor::MatchStyle, WebCore::EditAction, WebCore::MailBlockquoteHandling) + 868 (Editor.cpp:698) 12 com.apple.WebCore 0x00000001691b17f6 WebCore::Editor::replaceSelectionWithText(WTF::String const&, WebCore::Editor::SelectReplacement, WebCore::Editor::SmartReplace, WebCore::EditAction) + 118 (Editor.cpp:741) 13 com.apple.WebCore 0x00000001691b0c69 WebCore::Editor::handleTextEvent(WebCore::TextEvent&) + 201 (Editor.cpp:349) 14 com.apple.WebCore 0x000000016967de6f WebCore::EventHandler::defaultTextInputEventHandler(WebCore::TextEvent&) + 31 (EventHandler.cpp:4161) 15 com.apple.WebCore 0x00000001690e8ef3 WebCore::callDefaultEventHandlersInBubblingOrder(WebCore::Event&, WebCore::EventPath const&) + 39 (EventDispatcher.cpp:63) [inlined] 16 com.apple.WebCore 0x00000001690e8ef3 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1763 (EventDispatcher.cpp:204) 17 com.apple.WebCore 0x00000001691b3429 WebCore::Editor::pasteAsPlainText(WTF::String const&, bool) + 217 (Editor.cpp:621) 18 com.apple.WebCore 0x00000001691b3839 WebCore::Editor::pasteAsPlainTextWithPasteboard(WebCore::Pasteboard&) + 361 (Editor.cpp:641) 19 com.apple.WebCore 0x00000001691ba97c WebCore::Editor::pasteAsPlainText(WebCore::Editor::FromMenuOrKeyBinding) + 412 (Editor.cpp:1493) 20 com.apple.WebCore 0x00000001691dc3a3 WebCore::executePasteAndMatchStyle(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 51 (EditorCommand.cpp:935) 21 com.apple.WebCore 0x00000001690ac0fc WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 76 (Document.cpp:5758) 22 com.apple.WebCore 0x000000016836af76 WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) + 218 (JSDocument.cpp:5869) [inlined] 23 com.apple.WebCore 0x000000016836af76 long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 392 (JSDOMOperation.h:55) [inlined] 24 com.apple.WebCore 0x000000016836af76 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) + 422 (JSDocument.cpp:5874) <rdar://78561736>
Attachments
Test (298 bytes, text/html)
2021-06-02 00:58 PDT, Ryosuke Niwa 		no flags
Details
Patch (6.53 KB, patch)
2021-06-02 08:29 PDT, Frédéric Wang (:fredw) 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Frédéric Wang (:fredw)
Comment 1 2021-06-02 08:20:11 PDT
Below is the state of the tree before it crashes, where the divs are display: table. This is fixed by attachment 430342 [details] from bug 224977. #document 0x61f00001dc80 (renderer 0x6160003ce480) HTML 0x60c0002a6880 (renderer 0x61200007da40) DIV 0x60c0002abb00 (renderer 0x61400007bc40) * #text 0x60b0000e8c70 "onload = () => { document.execCommand('SelectAll'); document.execCommand('Copy'); document.execCommand('SelectAll'); document.designMode = 'on'; document.execCommand('PasteAndMatchStyle'); };" DIV 0x60c0002b3600 (renderer 0x61400007c240) BR 0x60c0002b3900 (renderer 0x6110001d5640) BODY 0x60c0002a7600 (renderer 0x61200007e040) STYLE 0x610000024140 (renderer (nil)) #text 0x60b0000e6ee0 "\n head, script, div {\n display: table;\n }\n"
Frédéric Wang (:fredw)
Comment 2 2021-06-02 08:29:43 PDT
Created attachment 430360 [details] Patch
EWS
Comment 3 2021-06-08 00:36:05 PDT
Committed r278593 (238583@main): <https://commits.webkit.org/238583@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 430360 [details].
Note You need to log in before you can comment on or make changes to this bug.