RESOLVED FIXED 119068
Crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
https://bugs.webkit.org/show_bug.cgi?id=119068
Ryosuke Niwa
Reported 2013-07-24 17:00:19 PDT
Consider merging https://chromium.googlesource.com/chromium/blink/+/3500267482e60550ce84fadd6c0db883937ce744

This patch changes the inserted-HTML sanitize process to check whether it is in the tree or not, to avoid a null pointer dereference. This case is caused by ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuilder() when a paragraph element contains a prohibited paragraph child, e.g. address, article, ..., table, ..., as specified in the HTML Editing APIs specification.
Attachments
test file for reproducing crash (758 bytes, text/html)
2015-03-13 10:32 PDT, jacob berkman
no flags
Fixes the bug (6.16 KB, patch)
2015-05-13 23:08 PDT, Ryosuke Niwa
enrica: review+
jacob berkman
Comment 1 2015-03-13 10:32:04 PDT
I'm hitting a crash that looks a lot like this. I'm able to reproduce in Safari on OS X 10.10.2 and iOS 8.2. Unfortunately, I'm unable to reproduce when building WebKit from source, so I'm not able to test the proposed fix.

Steps to reproduce:
1. Load the attached HTML file.
2. Click/tap on TAP to start editing.
3. Select all, copy, paste.
jacob berkman
Comment 2 2015-03-13 10:32:29 PDT
Created attachment 248590 [details] test file for reproducing crash
Benjamin Poulain
Comment 3 2015-03-13 21:15:53 PDT
I can reproduce on ToT with the test attached.

Backtrace:
0 com.apple.WebCore 0x000000010a26ca60 WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline(WebCore::ReplaceSelectionCommand::InsertedNodes&) + 1152
1 com.apple.WebCore 0x000000010a272dcb WebCore::ReplaceSelectionCommand::doApply() + 12811
2 com.apple.WebCore 0x00000001098d2bdf WebCore::CompositeEditCommand::apply() + 143
3 com.apple.WebCore 0x0000000109b86132 WebCore::Editor::replaceSelectionWithFragment(WTF::PassRefPtr<WebCore::DocumentFragment>, bool, bool, bool, WebCore::MailBlockquoteHandling) + 402
4 com.apple.WebCore 0x00000001098d0154 WebCore::Editor::handleTextEvent(WebCore::TextEvent*) + 84
5 com.apple.WebCore 0x00000001098d00e8 WebCore::EventHandler::defaultTextInputEventHandler(WebCore::TextEvent*) + 24
6 com.apple.WebCore 0x0000000109ba572c WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) + 1532
7 com.apple.WebCore 0x000000010967c29d WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 29
8 com.apple.WebCore 0x00000001098c2478 WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&) + 120
9 com.apple.WebCore 0x0000000109b874a1 WebCore::Editor::pasteAsFragment(WTF::PassRefPtr<WebCore::DocumentFragment>, bool, bool, WebCore::MailBlockquoteHandling) + 161
10 com.apple.WebCore 0x0000000109b97af5 WebCore::Editor::pasteWithPasteboard(WebCore::Pasteboard*, bool, WebCore::MailBlockquoteHandling) + 373
11 com.apple.WebCore 0x0000000109b8ae57 WebCore::Editor::paste(WebCore::Pasteboard&) + 183
12 com.apple.WebCore 0x0000000109b8ad6e WebCore::Editor::paste() + 30
13 com.apple.WebCore 0x0000000109b9595b WebCore::executePaste(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 59
14 com.apple.WebCore 0x00000001098ddcd6 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const + 182
15 com.apple.WebCore 0x0000000109a7423a WebCore::ContextMenuController::contextMenuItemSelected(WebCore::ContextMenuItem*) + 1674
16 com.apple.WebKit 0x000000010894b2d6 WebKit::WebContextMenu::itemSelected(WebKit::WebContextMenuItemData const&) + 58
17 com.apple.WebKit 0x00000001089823ca WebKit::WebPage::didSelectItemFromActiveContextMenu(WebKit::WebContextMenuItemData const&) + 26
Radar WebKit Bug Importer
Comment 4 2015-03-30 14:27:15 PDT
Ryosuke Niwa
Comment 5 2015-05-13 23:08:37 PDT
Created attachment 253098 [details] Fixes the bug
Enrica Casucci
Comment 6 2015-05-14 14:36:31 PDT
Comment on attachment 253098 [details] Fixes the bug

Looks good to me.
Ryosuke Niwa
Comment 7 2015-05-14 14:41:16 PDT