160011 – Crash accessing null renderer inside WebCore::DeleteSelectionCommand::doApply

Bug 160011 - Crash accessing null renderer inside WebCore::DeleteSelectionCommand::doApply

Summary: Crash accessing null renderer inside WebCore::DeleteSelectionCommand::doApply

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Ryosuke Niwa

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2016-07-20 21:44 PDT by Ryosuke Niwa
Modified:	2016-07-21 12:42 PDT (History)
CC List:	5 users (show)

See Also:

Attachments
Fixes the bug (1.43 KB, patch) 2016-07-20 21:46 PDT, Ryosuke Niwa	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ryosuke Niwa 2016-07-20 21:44:49 PDT

Crash accessing null renderer inside WebCore::DeleteSelectionCommand::doApply

Comment 1 Ryosuke Niwa 2016-07-20 21:46:13 PDT

<rdar://problem/21400186>

Comment 2 Ryosuke Niwa 2016-07-20 21:46:15 PDT

Created attachment 284188 [details]
Fixes the bug

Comment 3 Alexey Proskuryakov 2016-07-20 22:48:37 PDT

Comment on attachment 284188 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=284188&action=review

> Source/WebCore/editing/DeleteSelectionCommand.cpp:867
> +            if (textNode.length() && textNode.renderer())

Is it valid for ending position to be a node without renderer? Should there be an assertion to hopefully catch the root cause in the future?

Comment 4 Ryosuke Niwa 2016-07-20 22:52:43 PDT

Comment on attachment 284188 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=284188&action=review

>> Source/WebCore/editing/DeleteSelectionCommand.cpp:867
>> +            if (textNode.length() && textNode.renderer())
> 
> Is it valid for ending position to be a node without renderer? Should there be an assertion to hopefully catch the root cause in the future?

We try to avoid selecting a node without renderer but I wouldn't be surprised if we ended up getting it.
In general, I don't think m_endingPosition has any sort of guarantee like VisiblePosition's deepEquivalent.

Comment 5 WebKit Commit Bot 2016-07-21 12:42:45 PDT

Comment on attachment 284188 [details]
Fixes the bug

Clearing flags on attachment: 284188

Committed r203518: <http://trac.webkit.org/changeset/203518>

Comment 6 WebKit Commit Bot 2016-07-21 12:42:50 PDT

All reviewed patches have been landed.  Closing bug.