RESOLVED FIXED 193027
Nullptr crash in CompositeEditCommand::moveParagraphs when root editable element goes away
https://bugs.webkit.org/show_bug.cgi?id=193027
sekai wu
Reported 2018-12-24 20:28:34 PST
Created attachment 358052: a html file to trigger this bug

In the WebCore::CompositeEditCommand::moveParagraphs function:

    auto editableRoot = destination.rootEditableElement();
    ...
    Element* rootEditableElement() const { return m_deepPosition.isNotNull() ? m_deepPosition.deprecatedNode()->rootEditableElement() : 0; }

It sets editableRoot to null. And then

    RefPtr<Range> startToDestinationRange(Range::create(document(), firstPositionInNode(editableRoot), destination.deepEquivalent().parentAnchoredEquivalent()));

firstPositionInNode(editableRoot) will trigger a null pointer crash.
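The null-root case described in the report, as an added example that is not part of the original report and is not WebKit's patch: a simplified C++ model showing the accessor returning null once the editable root goes away, and a caller that checks before calling firstPositionInNode. The `Node` and `Position` types here, `isEditable` and `startOfDestinationRange` are hypothetical stand-ins for illustration.

```cpp
// Added illustration: a simplified model of the pattern in the report, not WebKit source.
#include <cstdio>
#include <string>

struct Node {
    std::string name;
    bool contentEditable;   // models the contenteditable attribute
    Node* parent;
    Node(std::string n, bool e = false, Node* p = nullptr) : name(n), contentEditable(e), parent(p) {}
    // Editability is inherited from any ancestor-or-self with contenteditable.
    bool isEditable() const {
        for (const Node* n = this; n; n = n->parent)
            if (n->contentEditable) return true;
        return false;
    }
    // Highest editable ancestor-or-self, or nullptr when this node is not editable.
    Node* rootEditableElement() {
        Node* root = nullptr;
        for (Node* n = this; n && n->isEditable(); n = n->parent) root = n;
        return root;
    }
};

struct Position {
    Node* anchor;
    explicit Position(Node* n = nullptr) : anchor(n) {}
    bool isNotNull() const { return anchor != nullptr; }
    // Same shape as the accessor quoted in the report: may return nullptr.
    Node* rootEditableElement() const {
        return isNotNull() ? anchor->rootEditableElement() : nullptr;
    }
};

// Taking a reference makes every caller prove the node is non-null first.
Position firstPositionInNode(Node& node) { return Position(&node); }

// Hypothetical helper: start of startToDestinationRange, or a null Position to abandon the move.
Position startOfDestinationRange(const Position& destination) {
    Node* editableRoot = destination.rootEditableElement();
    if (!editableRoot) return Position();   // root went away: bail out
    return firstPositionInNode(*editableRoot);
}

int main() {
    Node body("body"), host("div", true, &body), para("p", false, &host);
    Position destination(&para);
    std::printf("%d\n", startOfDestinationRange(destination).isNotNull());  // 1
    host.contentEditable = false;  // root editable element goes away mid-command
    std::printf("%d\n", startOfDestinationRange(destination).isNotNull());  // 0
}
```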
Attachments
a html file to trigger this bug (537.37 KB, text/html)
2018-12-24 20:28 PST, sekai wu
no flags
Fixes the bug (6.13 KB, patch)
2019-04-10 17:04 PDT, Ryosuke Niwa
wenson_hsieh: review+
Ryosuke Niwa
Comment 1 2019-04-10 13:44:18 PDT
Ryosuke Niwa
Comment 2 2019-04-10 17:04:06 PDT
Created attachment 367179: Fixes the bug
Ryosuke Niwa
Comment 3 2019-04-10 19:12:58 PDT