Bug 47699

Summary: Crash in WebCore::ApplyStyleCommand::applyBlockStyle
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: HTML EditingAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, darin, enrica, eric, ojan, tkent, tony, webkit.review.bot
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
demo
none
fixes the crash darin: review+

Ryosuke Niwa
Reported 2010-10-14 16:31:07 PDT
Created attachment 70796 [details] demo We don't check nullity of start/end in applyBlockStyle and we hit an assert inside highestAncestor.
Attachments
demo (259 bytes, text/html)
2010-10-14 16:31 PDT, Ryosuke Niwa 		no flags
Details
fixes the crash (3.50 KB, patch)
2010-10-14 22:55 PDT, Ryosuke Niwa 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2010-10-14 16:34:35 PDT
Oops, sorry. This isn't really a security bug.
Ryosuke Niwa
Comment 2 2010-10-14 22:19:13 PDT
http://crbug.com/58832
Ryosuke Niwa
Comment 3 2010-10-14 22:55:35 PDT
Created attachment 70834 [details] fixes the crash
Darin Adler
Comment 4 2010-10-15 10:49:02 PDT
Comment on attachment 70834 [details] fixes the crash View in context: https://bugs.webkit.org/attachment.cgi?id=70834&action=review > WebCore/editing/ApplyStyleCommand.cpp:648 > + if (visibleStart.isNull() || visibleStart.isOrphan() || visibleEnd.isNull() || visibleEnd.isOrphan()) > + return; Makes me wish isOrphan returned true for null. There seem to be very few cases where we check isOrphan and want to handle isNull differently.
Ryosuke Niwa
Comment 5 2010-10-15 11:01:54 PDT
(In reply to comment #4) > (From update of attachment 70834 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=70834&action=review > > > WebCore/editing/ApplyStyleCommand.cpp:648 > > + if (visibleStart.isNull() || visibleStart.isOrphan() || visibleEnd.isNull() || visibleEnd.isOrphan()) > > + return; > > Makes me wish isOrphan returned true for null. There seem to be very few cases where we check isOrphan and want to handle isNull differently. We could do that given the following result for isOrphan but we probably want to rename isOrphan to isOrphanOrNull if we made this change. VisiblePosition.h: bool isOrphan() const { return m_deepPosition.isOrphan(); } VisiblePosition.h: bool isOrphan() const { return m_deepPosition.isOrphan(); } InsertListCommand.cpp: if (endOfSelection.isNull() || endOfSelection.isOrphan() || startOfLastParagraph.isNull() || startOfLastParagraph.isOrphan()) { InsertListCommand.cpp: if (endOfSelection.isNull() || endOfSelection.isOrphan() || startOfLastParagraph.isNull() || startOfLastParagraph.isOrphan()) { Position.h: bool isOrphan() const { return m_anchorNode && !m_anchorNode->inDocument(); } ApplyStyleCommand.cpp: if (visibleStart.isNull() || visibleStart.isOrphan() || visibleEnd.isNull() || visibleEnd.isOrphan()) ApplyStyleCommand.cpp: if (visibleStart.isNull() || visibleStart.isOrphan() || visibleEnd.isNull() || visibleEnd.isOrphan()) ApplyStyleCommand.cpp: if (nextParagraphStart.isOrphan()) ApplyStyleCommand.cpp: Position s = start.isNull() || start.isOrphan() ? pushDownStart : start; ApplyStyleCommand.cpp: Position e = end.isNull() || end.isOrphan() ? pushDownEnd : end; Editor.cpp: if (newSelection.start().isOrphan() || newSelection.end().isOrphan()) Editor.cpp: if (newSelection.start().isOrphan() || newSelection.end().isOrphan()) VisibleSelection.h: bool isNonOrphanedRange() const { return isRange() && !start().isOrphan() && !end().isOrphan(); } VisibleSelection.h: bool isNonOrphanedRange() const { return isRange() && !start().isOrphan() && !end().isOrphan(); } VisibleSelection.h: bool isNonOrphanedCaretOrRange() const { return isCaretOrRange() && !start().isOrphan() && !end().isOrphan(); } VisibleSelection.h: bool isNonOrphanedCaretOrRange() const { return isCaretOrRange() && !start().isOrphan() && !end().isOrphan(); }
Ryosuke Niwa
Comment 6 2010-10-15 11:05:53 PDT
Committed r69865: <http://trac.webkit.org/changeset/69865>
WebKit Review Bot
Comment 7 2010-10-15 11:23:46 PDT
http://trac.webkit.org/changeset/69865 might have broken Qt Linux Release The following tests are not passing: http/tests/security/mixedContent/insecure-css-in-main-frame.html
Note You need to log in before you can comment on or make changes to this bug.