WebKit Bugzilla
RESOLVED FIXED
208039
Nullptr crash in CompositeEditCommand::splitTreeToNode when inserting list with read-only user-modify
https://bugs.webkit.org/show_bug.cgi?id=208039
Jack
Reported
2020-02-20 17:01:13 PST
Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000011ae42732 WebCore::Node::getFlag(WebCore::Node::NodeFlags) const + 34
1 com.apple.WebCore 0x000000011e108ff8 WebCore::CompositeEditCommand::splitTreeToNode(WebCore::Node&, WebCore::Node&, bool) + 552
2 com.apple.WebCore 0x000000011e1ac626 WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*) + 1766
3 com.apple.WebCore 0x000000011e1aba17 WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::Range*) + 2839
4 com.apple.WebCore 0x000000011e1aabd9 WebCore::InsertListCommand::doApply() + 2633
5 com.apple.WebCore 0x000000011e0dd827 WebCore::CompositeEditCommand::apply() + 439
6 com.apple.WebCore 0x000000011e19401e WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 206
7 com.apple.WebCore 0x000000011de44dd2 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 258
8 com.apple.WebCore 0x000000011b930278 WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) + 984
9 com.apple.WebCore 0x000000011b90bbe9 long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
10 ??? 0x00004e731c00116b 0 + 86256297972075
11 com.apple.JavaScriptCore 0x0000000107cd847c llint_entry + 93465
12 com.apple.JavaScriptCore 0x0000000107cc15b9 vmEntryToJavaScript + 200
13 com.apple.JavaScriptCore 0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
14 com.apple.JavaScriptCore 0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
15 com.apple.JavaScriptCore 0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
16 com.apple.JavaScriptCore 0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
17 com.apple.WebCore 0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
18 com.apple.WebCore 0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
19 com.apple.WebCore 0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
20 com.apple.WebCore 0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
21 com.apple.WebCore 0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
22 com.apple.WebCore 0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
23 com.apple.WebCore 0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
24 com.apple.WebCore 0x000000011e3eaf3f WebCore::HTMLMediaElement::dispatchEvent(WebCore::Event&) + 399
25 com.apple.WebCore 0x000000011df45144 WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) + 372
26 com.apple.WebCore 0x000000011dfd16bf WebCore::Node::dispatchSubtreeModifiedEvent() + 463
27 com.apple.WebCore 0x000000011ddbc6af WebCore::ContainerNode::removeChild(WebCore::Node&) + 2191
28 com.apple.WebCore 0x000000011ddba2f0 WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul>&) + 560
29 com.apple.WebCore 0x000000011ddb9a2f WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 415
30 com.apple.WebCore 0x000000011ddbe625 WebCore::ContainerNode::appendChild(WebCore::Node&) + 261
31 com.apple.WebCore 0x000000011dfc4756 WebCore::Node::appendChild(WebCore::Node&) + 214
32 com.apple.WebCore 0x000000011c0e3e47 WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) + 535
33 com.apple.WebCore 0x000000011c0daaf9 long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
34 ??? 0x00004e731c00116b 0 + 86256297972075
35 com.apple.JavaScriptCore 0x0000000107cd847c llint_entry + 93465
36 com.apple.JavaScriptCore 0x0000000107cd830b llint_entry + 93096
37 com.apple.JavaScriptCore 0x0000000107cc15b9 vmEntryToJavaScript + 200
38 com.apple.JavaScriptCore 0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
39 com.apple.JavaScriptCore 0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
40 com.apple.JavaScriptCore 0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
41 com.apple.JavaScriptCore 0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
42 com.apple.WebCore 0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
43 com.apple.WebCore 0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
44 com.apple.WebCore 0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
45 com.apple.WebCore 0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
46 com.apple.WebCore 0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
47 com.apple.WebCore 0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
48 com.apple.WebCore 0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
49 com.apple.WebCore 0x000000011dfd1cc6 WebCore::Node::dispatchBeforeLoadEvent(WTF::String const&) + 326
50 com.apple.WebCore 0x000000011e3a1e23 WebCore::HTMLLinkElement::shouldLoadLink() + 291
51 com.apple.WebCore 0x000000011ea23b24 WebCore::LinkLoader::loadLink(WebCore::LinkRelAttribute const&, WTF::URL const&, WTF::String const&, WTF::String const&, WTF::String const&, WTF::String const&, WTF::String const&, WTF::String const&, WebCore::Document&) + 756
52 com.apple.WebCore 0x000000011e3a0ab7 WebCore::HTMLLinkElement::process() + 871
53 com.apple.WebCore 0x000000011ddb9e9e WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 1550
54 com.apple.WebCore 0x000000011ddbe625 WebCore::ContainerNode::appendChild(WebCore::Node&) + 261
55 com.apple.WebCore 0x000000011dfc4756 WebCore::Node::appendChild(WebCore::Node&) + 214
56 com.apple.WebCore 0x000000011c0e3e47 WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) + 535
57 com.apple.WebCore 0x000000011c0daaf9 long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
58 ??? 0x00004e731c00116b 0 + 86256297972075
59 com.apple.JavaScriptCore 0x0000000107cd847c llint_entry + 93465
60 com.apple.JavaScriptCore 0x0000000107cc15b9 vmEntryToJavaScript + 200
61 com.apple.JavaScriptCore 0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
62 com.apple.JavaScriptCore 0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
63 com.apple.JavaScriptCore 0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
64 com.apple.JavaScriptCore 0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
65 com.apple.WebCore 0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
66 com.apple.WebCore 0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
67 com.apple.WebCore 0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
68 com.apple.WebCore 0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
69 com.apple.WebCore 0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
70 com.apple.WebCore 0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
71 com.apple.WebCore 0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
72 com.apple.WebCore 0x000000011df45144 WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) + 372
73 com.apple.WebCore 0x000000011dfd16bf WebCore::Node::dispatchSubtreeModifiedEvent() + 463
74 com.apple.WebCore 0x000000011ddb9f48 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 1720
75 com.apple.WebCore 0x000000011ddbe625 WebCore::ContainerNode::appendChild(WebCore::Node&) + 261
76 com.apple.WebCore 0x000000011dfc4756 WebCore::Node::appendChild(WebCore::Node&) + 214
77 com.apple.WebCore 0x000000011c0e3e47 WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) + 535
78 com.apple.WebCore 0x000000011c0daaf9 long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
79 ??? 0x00004e731c00116b 0 + 86256297972075
80 com.apple.JavaScriptCore 0x0000000107cd847c llint_entry + 93465
81 com.apple.JavaScriptCore 0x0000000107cd830b llint_entry + 93096
82 com.apple.JavaScriptCore 0x0000000107cc15b9 vmEntryToJavaScript + 200
83 com.apple.JavaScriptCore 0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
84 com.apple.JavaScriptCore 0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
85 com.apple.JavaScriptCore 0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
86 com.apple.JavaScriptCore 0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
87 com.apple.WebCore 0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
88 com.apple.WebCore 0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
89 com.apple.WebCore 0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
90 com.apple.WebCore 0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
91 com.apple.WebCore 0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
92 com.apple.WebCore 0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
93 com.apple.WebCore 0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
94 com.apple.WebCore 0x000000011e3eaf3f WebCore::HTMLMediaElement::dispatchEvent(WebCore::Event&) + 399
95 com.apple.WebCore 0x000000011df5eb2b WebCore::GenericEventQueue::dispatchOneEvent() + 427
96 com.apple.WebCore 0x000000011df706b2 std::__1::__bind_return<void (WebCore::GenericEventQueue::*)(), std::__1::tuple<WebCore::GenericEventQueue*>, std::__1::tuple<>, __is_valid_bind_return<void (WebCore::GenericEventQueue::*)(), std::__1::tuple<WebCore::GenericEventQueue*>, std::__1::tuple<> >::value>::type std::__1::__bind<void (WebCore::GenericEventQueue::*)(), WebCore::GenericEventQueue*>::operator()<>() + 194
97 com.apple.WebCore 0x000000011ee98282 WebCore::TaskDispatcher<WebCore::Timer>::dispatchOneTask() + 290
98 com.apple.WebCore 0x000000011ee97fac WebCore::TaskDispatcher<WebCore::Timer>::sharedTimerFired() + 348
99 com.apple.WebCore 0x000000011eeed357 WebCore::ThreadTimers::sharedTimerFiredInternal() + 919
100 com.apple.WebCore 0x000000011ef63aef WebCore::timerFired(__CFRunLoopTimer*, void*) + 191
101 com.apple.CoreFoundation 0x00007fff339378b5 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
102 com.apple.CoreFoundation 0x00007fff33937461 __CFRunLoopDoTimer + 864
103 com.apple.CoreFoundation 0x00007fff33936f9a __CFRunLoopDoTimers + 330
104 com.apple.CoreFoundation 0x00007fff339185e4 __CFRunLoopRun + 2141
105 com.apple.CoreFoundation 0x00007fff33917b35 CFRunLoopRunSpecific + 459
106 DumpRenderTree 0x0000000105ad3712 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 2754 (DumpRenderTree.mm:2083)
107 DumpRenderTree 0x0000000105ad1a33 dumpRenderTree(int, char const**) + 1123 (DumpRenderTree.mm:1322)
108 DumpRenderTree 0x0000000105ad42d0 DumpRenderTreeMain(int, char const**) + 128 (DumpRenderTree.mm:1438)
109 0x00007fff5ff0c3d5 start + 1
Attachments
Patch (5.91 KB, patch), 2020-02-20 17:48 PST, Jack, no flags
Patch (5.79 KB, patch), 2020-02-20 18:10 PST, Jack, no flags
Patch (5.76 KB, patch), 2020-02-20 19:45 PST, Jack, no flags
Patch (5.90 KB, patch), 2020-02-21 00:31 PST, Jack, no flags
Jack
Comment 1
2020-02-20 17:02:57 PST
In this test case, body contains a list item that is not enclosed by an unordered list. Therefore, when JS tries to insert a list, "fixOrphanedListChild(*listChildNode)" is called to create an HTMLUListElement and append the list item to it. However, in CSS the ul is set to "-webkit-user-modify: read-only;", so the append is skipped. This results in li being parentless and the ul childless. Eventually, in function splitTreeToNode, we directly access the parent of li and cause a nullptr crash.

<style>
dir { -webkit-user-modify: read-write; }
ul { -webkit-user-modify: read-only;}
</style>
<script>
onload = function fun() {
    window.getSelection().setBaseAndExtent(LI,0,LI,0);
    document.execCommand("insertOrderedList", false);
}
</script>
<body><dir><li id=LI>

Render tree before fixOrphanedListChild(*listChildNode) is called:
(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGL- -- RenderView at (0,0) size 800x600 renderer->(0x617000103080)
B-----L- -- HTML RenderBlock at (0,0) size 800x600 renderer->(0x61200003ed40) node->(0x60c000107800)
B------- -- BODY RenderBody at (8,8) size 784x576 renderer->(0x61200003eec0) node->(0x60c0001087c0)
B------- --* DIR RenderBlock at (0,0) size 784x18 renderer->(0x61200003f040) node->(0x60c000108880)
B------- -- LI RenderListItem at (40,0) size 744x18 renderer->(0x61200003f1c0) node->(0x60c000108940)
-------- -- RootInlineBox at (0,0) size 14x18 (0x610000051640) renderer->(0x61200003f1c0)
-------- -- InlineBox at (-1,0) size 7x18 (0x607000155960) renderer->(0x61200003f4c0)
I---YG-- -- RenderListMarker at (-1,0) size 7x18 renderer->(0x61200003f4c0)

Render tree after fixOrphanedListChild(*listChildNode) is called:
(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGL- -+ RenderView at (0,0) size 800x600 renderer->(0x617000103080) layout->[normal child]
B-----L- -+ HTML RenderBlock at (0,0) size 800x600 renderer->(0x61200003ed40) node->(0x60c000107800) layout->[normal child]
B------- -+ BODY RenderBody at (8,8) size 784x576 renderer->(0x61200003eec0) node->(0x60c0001087c0) layout->[normal child]
B------- -+ DIR RenderBlock at (0,0) size 784x18 renderer->(0x61200003f040) node->(0x60c000108880) layout->[normal child]
B------- -+* UL RenderBlock at (0,0) size 0x0 renderer->(0x612000081dc0) node->(0x60c0000fed40) layout->[self]
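The failure path Comment 1 describes, as an added illustration that is not WebKit code: a toy DOM whose appendChild is refused for a read-only list, so the fixOrphanedListChild stand-in returns nullptr and the list item is left parentless; the buggy caller models the resulting crash, the fixed caller handles the null return and keeps the new list alive, as the review below asks. Every name here (Node, detach, parentTagOrCrash, unlistifyBuggy, unlistifyFixed, makeDirWithLi) is a hypothetical stand-in for the WebCore functions named in the report, and the read-only flag stands in for the -webkit-user-modify style.

```cpp
#include <algorithm>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Minimal DOM-like node; "readOnly" models -webkit-user-modify: read-only.
struct Node : std::enable_shared_from_this<Node> {
    std::string tag;
    bool readOnly;
    std::weak_ptr<Node> parent;              // non-owning back-pointer
    std::vector<std::shared_ptr<Node>> children;
    Node(const std::string& t, bool ro) : tag(t), readOnly(ro) {}
    // Editing-style append: a no-op (returns false) when the target is not editable.
    bool appendChild(const std::shared_ptr<Node>& child) {
        if (readOnly)
            return false;
        child->parent = shared_from_this();
        children.push_back(child);
        return true;
    }
    // Remove this node from its current parent, leaving it parentless.
    void detach() {
        if (auto p = parent.lock()) {
            auto& sib = p->children;
            sib.erase(std::remove(sib.begin(), sib.end(), shared_from_this()), sib.end());
            parent.reset();
        }
    }
};

// Wraps a list item that is not inside a list in a fresh UL; ulReadOnly stands in for
// "ul { -webkit-user-modify: read-only }". Returns nullptr when the append is refused,
// which leaves the LI parentless and the UL childless, exactly as in the report.
std::shared_ptr<Node> fixOrphanedListChild(const std::shared_ptr<Node>& li, bool ulReadOnly) {
    auto list = std::make_shared<Node>("ul", ulReadOnly);
    li->detach();
    return list->appendChild(li) ? list : nullptr;
}
// Stands in for the unconditional parent access in splitTreeToNode; the throw models
// the reported nullptr crash instead of really dereferencing null.
std::string parentTagOrCrash(const Node& n) {
    auto p = n.parent.lock();
    if (!p)
        throw std::logic_error("nullptr dereference: node has no parent");
    return p->tag;
}
// Before the fix: the result of fixOrphanedListChild is ignored.
std::string unlistifyBuggy(const std::shared_ptr<Node>& li, bool ulReadOnly) {
    fixOrphanedListChild(li, ulReadOnly);
    return parentTagOrCrash(*li);
}
// After the fix: hold the new list (shared_ptr in the RefPtr role asked for in
// review) and abandon the command when the LI could not be attached.
std::string unlistifyFixed(const std::shared_ptr<Node>& li, bool ulReadOnly) {
    std::shared_ptr<Node> list = fixOrphanedListChild(li, ulReadOnly);
    if (!list)
        return "";                           // nothing to split, so no crash
    return parentTagOrCrash(*li);
}
// Constructed markup from the report: <dir><li>, an LI not enclosed by a list.
std::shared_ptr<Node> makeDirWithLi() {
    auto dir = std::make_shared<Node>("dir", false);
    dir->appendChild(std::make_shared<Node>("li", false));
    return dir;
}
```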
Jack
Comment 2
2020-02-20 17:30:04 PST
<rdar://52011355>
Jack
Comment 3
2020-02-20 17:48:14 PST
Created attachment 391363 [details]
Patch
Ryosuke Niwa
Comment 4
2020-02-20 18:05:32 PST
Comment on attachment 391363 [details]
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=391363&action=review
> Source/WebCore/editing/InsertListCommand.cpp:213
> + // If UL is not editable, listChildNode cannot be appended to a list, so fixOrphanedListChild() returns nullptr.
I don't think we need this comment since anyone looking at this code can just look at the code of fixOrphanedListChild.
> Source/WebCore/editing/InsertListCommand.cpp:214
> + HTMLElement* listElement = fixOrphanedListChild(*listChildNode);
Please store this in RefPtr.
Jack
Comment 5
2020-02-20 18:10:11 PST
Created attachment 391367 [details]
Patch
Jack
Comment 6
2020-02-20 19:45:42 PST
Created attachment 391375 [details]
Patch
Jack
Comment 7
2020-02-21 00:31:06 PST
Created attachment 391386 [details]
Patch
Ryosuke Niwa
Comment 8
2020-02-24 19:00:15 PST
This is not a security bug.
WebKit Commit Bot
Comment 9
2020-02-25 21:18:11 PST
Comment on attachment 391386 [details]
Patch
Clearing flags on attachment: 391386
Committed r257407: <https://trac.webkit.org/changeset/257407>
WebKit Commit Bot
Comment 10
2020-02-25 21:18:13 PST
All reviewed patches have been landed. Closing bug.