Bug 208039 - Nullptr crash in CompositeEditCommand::splitTreeToNode when inserting list with read-only user-modify
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-02-20 17:01 PST by Jack
Modified: 2020-02-25 21:18 PST
CC: 9 users

See Also:


Attachments
Patch (5.91 KB, patch) 2020-02-20 17:48 PST, Jack, no flags
Patch (5.79 KB, patch) 2020-02-20 18:10 PST, Jack, no flags
Patch (5.76 KB, patch) 2020-02-20 19:45 PST, Jack, no flags
Patch (5.90 KB, patch) 2020-02-21 00:31 PST, Jack, no flags

Description Jack 2020-02-20 17:01:13 PST
Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000011ae42732 WebCore::Node::getFlag(WebCore::Node::NodeFlags) const + 34
1   com.apple.WebCore             	0x000000011e108ff8 WebCore::CompositeEditCommand::splitTreeToNode(WebCore::Node&, WebCore::Node&, bool) + 552
2   com.apple.WebCore             	0x000000011e1ac626 WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*) + 1766
3   com.apple.WebCore             	0x000000011e1aba17 WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::Range*) + 2839
4   com.apple.WebCore             	0x000000011e1aabd9 WebCore::InsertListCommand::doApply() + 2633
5   com.apple.WebCore             	0x000000011e0dd827 WebCore::CompositeEditCommand::apply() + 439
6   com.apple.WebCore             	0x000000011e19401e WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 206
7   com.apple.WebCore             	0x000000011de44dd2 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 258
8   com.apple.WebCore             	0x000000011b930278 WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) + 984
9   com.apple.WebCore             	0x000000011b90bbe9 long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
10  ???                           	0x00004e731c00116b 0 + 86256297972075
11  com.apple.JavaScriptCore      	0x0000000107cd847c llint_entry + 93465
12  com.apple.JavaScriptCore      	0x0000000107cc15b9 vmEntryToJavaScript + 200
13  com.apple.JavaScriptCore      	0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
14  com.apple.JavaScriptCore      	0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
15  com.apple.JavaScriptCore      	0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
16  com.apple.JavaScriptCore      	0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
17  com.apple.WebCore             	0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
18  com.apple.WebCore             	0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
19  com.apple.WebCore             	0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
20  com.apple.WebCore             	0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
21  com.apple.WebCore             	0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
22  com.apple.WebCore             	0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
23  com.apple.WebCore             	0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
24  com.apple.WebCore             	0x000000011e3eaf3f WebCore::HTMLMediaElement::dispatchEvent(WebCore::Event&) + 399
25  com.apple.WebCore             	0x000000011df45144 WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) + 372
26  com.apple.WebCore             	0x000000011dfd16bf WebCore::Node::dispatchSubtreeModifiedEvent() + 463
27  com.apple.WebCore             	0x000000011ddbc6af WebCore::ContainerNode::removeChild(WebCore::Node&) + 2191
28  com.apple.WebCore             	0x000000011ddba2f0 WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul>&) + 560
29  com.apple.WebCore             	0x000000011ddb9a2f WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 415
30  com.apple.WebCore             	0x000000011ddbe625 WebCore::ContainerNode::appendChild(WebCore::Node&) + 261
31  com.apple.WebCore             	0x000000011dfc4756 WebCore::Node::appendChild(WebCore::Node&) + 214
32  com.apple.WebCore             	0x000000011c0e3e47 WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) + 535
33  com.apple.WebCore             	0x000000011c0daaf9 long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
34  ???                           	0x00004e731c00116b 0 + 86256297972075
35  com.apple.JavaScriptCore      	0x0000000107cd847c llint_entry + 93465
36  com.apple.JavaScriptCore      	0x0000000107cd830b llint_entry + 93096
37  com.apple.JavaScriptCore      	0x0000000107cc15b9 vmEntryToJavaScript + 200
38  com.apple.JavaScriptCore      	0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
39  com.apple.JavaScriptCore      	0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
40  com.apple.JavaScriptCore      	0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
41  com.apple.JavaScriptCore      	0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
42  com.apple.WebCore             	0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
43  com.apple.WebCore             	0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
44  com.apple.WebCore             	0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
45  com.apple.WebCore             	0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
46  com.apple.WebCore             	0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
47  com.apple.WebCore             	0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
48  com.apple.WebCore             	0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
49  com.apple.WebCore             	0x000000011dfd1cc6 WebCore::Node::dispatchBeforeLoadEvent(WTF::String const&) + 326
50  com.apple.WebCore             	0x000000011e3a1e23 WebCore::HTMLLinkElement::shouldLoadLink() + 291
51  com.apple.WebCore             	0x000000011ea23b24 WebCore::LinkLoader::loadLink(WebCore::LinkRelAttribute const&, WTF::URL const&, WTF::String const&, WTF::String const&, WTF::String const&, WTF::String const&, WTF::String const&, WTF::String const&, WebCore::Document&) + 756
52  com.apple.WebCore             	0x000000011e3a0ab7 WebCore::HTMLLinkElement::process() + 871
53  com.apple.WebCore             	0x000000011ddb9e9e WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 1550
54  com.apple.WebCore             	0x000000011ddbe625 WebCore::ContainerNode::appendChild(WebCore::Node&) + 261
55  com.apple.WebCore             	0x000000011dfc4756 WebCore::Node::appendChild(WebCore::Node&) + 214
56  com.apple.WebCore             	0x000000011c0e3e47 WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) + 535
57  com.apple.WebCore             	0x000000011c0daaf9 long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
58  ???                           	0x00004e731c00116b 0 + 86256297972075
59  com.apple.JavaScriptCore      	0x0000000107cd847c llint_entry + 93465
60  com.apple.JavaScriptCore      	0x0000000107cc15b9 vmEntryToJavaScript + 200
61  com.apple.JavaScriptCore      	0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
62  com.apple.JavaScriptCore      	0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
63  com.apple.JavaScriptCore      	0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
64  com.apple.JavaScriptCore      	0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
65  com.apple.WebCore             	0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
66  com.apple.WebCore             	0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
67  com.apple.WebCore             	0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
68  com.apple.WebCore             	0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
69  com.apple.WebCore             	0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
70  com.apple.WebCore             	0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
71  com.apple.WebCore             	0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
72  com.apple.WebCore             	0x000000011df45144 WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) + 372
73  com.apple.WebCore             	0x000000011dfd16bf WebCore::Node::dispatchSubtreeModifiedEvent() + 463
74  com.apple.WebCore             	0x000000011ddb9f48 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 1720
75  com.apple.WebCore             	0x000000011ddbe625 WebCore::ContainerNode::appendChild(WebCore::Node&) + 261
76  com.apple.WebCore             	0x000000011dfc4756 WebCore::Node::appendChild(WebCore::Node&) + 214
77  com.apple.WebCore             	0x000000011c0e3e47 WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) + 535
78  com.apple.WebCore             	0x000000011c0daaf9 long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
79  ???                           	0x00004e731c00116b 0 + 86256297972075
80  com.apple.JavaScriptCore      	0x0000000107cd847c llint_entry + 93465
81  com.apple.JavaScriptCore      	0x0000000107cd830b llint_entry + 93096
82  com.apple.JavaScriptCore      	0x0000000107cc15b9 vmEntryToJavaScript + 200
83  com.apple.JavaScriptCore      	0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
84  com.apple.JavaScriptCore      	0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
85  com.apple.JavaScriptCore      	0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
86  com.apple.JavaScriptCore      	0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
87  com.apple.WebCore             	0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
88  com.apple.WebCore             	0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
89  com.apple.WebCore             	0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
90  com.apple.WebCore             	0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
91  com.apple.WebCore             	0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
92  com.apple.WebCore             	0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
93  com.apple.WebCore             	0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
94  com.apple.WebCore             	0x000000011e3eaf3f WebCore::HTMLMediaElement::dispatchEvent(WebCore::Event&) + 399
95  com.apple.WebCore             	0x000000011df5eb2b WebCore::GenericEventQueue::dispatchOneEvent() + 427
96  com.apple.WebCore             	0x000000011df706b2 std::__1::__bind_return<void (WebCore::GenericEventQueue::*)(), std::__1::tuple<WebCore::GenericEventQueue*>, std::__1::tuple<>, __is_valid_bind_return<void (WebCore::GenericEventQueue::*)(), std::__1::tuple<WebCore::GenericEventQueue*>, std::__1::tuple<> >::value>::type std::__1::__bind<void (WebCore::GenericEventQueue::*)(), WebCore::GenericEventQueue*>::operator()<>() + 194
97  com.apple.WebCore             	0x000000011ee98282 WebCore::TaskDispatcher<WebCore::Timer>::dispatchOneTask() + 290
98  com.apple.WebCore             	0x000000011ee97fac WebCore::TaskDispatcher<WebCore::Timer>::sharedTimerFired() + 348
99  com.apple.WebCore             	0x000000011eeed357 WebCore::ThreadTimers::sharedTimerFiredInternal() + 919
100 com.apple.WebCore             	0x000000011ef63aef WebCore::timerFired(__CFRunLoopTimer*, void*) + 191
101 com.apple.CoreFoundation      	0x00007fff339378b5 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
102 com.apple.CoreFoundation      	0x00007fff33937461 __CFRunLoopDoTimer + 864
103 com.apple.CoreFoundation      	0x00007fff33936f9a __CFRunLoopDoTimers + 330
104 com.apple.CoreFoundation      	0x00007fff339185e4 __CFRunLoopRun + 2141
105 com.apple.CoreFoundation      	0x00007fff33917b35 CFRunLoopRunSpecific + 459
106 DumpRenderTree                	0x0000000105ad3712 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 2754 (DumpRenderTree.mm:2083)
107 DumpRenderTree                	0x0000000105ad1a33 dumpRenderTree(int, char const**) + 1123 (DumpRenderTree.mm:1322)
108 DumpRenderTree                	0x0000000105ad42d0 DumpRenderTreeMain(int, char const**) + 128 (DumpRenderTree.mm:1438)
109                  	0x00007fff5ff0c3d5 start + 1
Comment 1 Jack 2020-02-20 17:02:57 PST
In this test case, body contains a list item that is not enclosed by an unordered list. Therefore, when JS tries to insert a list, "fixOrphanedListChild(*listChildNode)" is called to create an HTMLUListElement and append the list item to it. However, in CSS the ul is set to "-webkit-user-modify: read-only;", so the append is skipped. This results in the li being parentless and the ul childless. Eventually, in function splitTreeToNode, we directly access the parent of the li and cause a nullptr crash.

<!-- The <li> is a direct child of <dir> with no enclosing list, and the
     stylesheet makes any <ul> the editor creates non-editable. -->
<style>
dir { -webkit-user-modify: read-write; }
ul { -webkit-user-modify: read-only; }
</style>
<script>
    onload = function fun() {
        // Collapse the selection inside the orphan <li>, then ask the editor to
        // wrap it in an ordered list. fixOrphanedListChild() creates a <ul>, but
        // appending the <li> to the read-only <ul> is skipped.
        var li = document.getElementById("LI");
        window.getSelection().setBaseAndExtent(li, 0, li, 0);
        document.execCommand("insertOrderedList", false);
    }
</script>
<body><dir><li id=LI>

Render tree before fixOrphanedListChild(*listChildNode) is called:
(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGL- --  RenderView at (0,0) size 800x600 renderer->(0x617000103080)
B-----L- --    HTML RenderBlock at (0,0) size 800x600 renderer->(0x61200003ed40) node->(0x60c000107800)
B------- --      BODY RenderBody at (8,8) size 784x576 renderer->(0x61200003eec0) node->(0x60c0001087c0)
B------- --*       DIR RenderBlock at (0,0) size 784x18 renderer->(0x61200003f040) node->(0x60c000108880)
B------- --          LI RenderListItem at (40,0) size 744x18 renderer->(0x61200003f1c0) node->(0x60c000108940)
-------- --            RootInlineBox at (0,0) size 14x18 (0x610000051640) renderer->(0x61200003f1c0)
-------- --              InlineBox at (-1,0) size 7x18 (0x607000155960) renderer->(0x61200003f4c0)
I---YG-- --            RenderListMarker at (-1,0) size 7x18 renderer->(0x61200003f4c0)

Render tree after fixOrphanedListChild(*listChildNode) is called:
(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGL- -+  RenderView at (0,0) size 800x600 renderer->(0x617000103080) layout->[normal child]
B-----L- -+    HTML RenderBlock at (0,0) size 800x600 renderer->(0x61200003ed40) node->(0x60c000107800) layout->[normal child]
B------- -+      BODY RenderBody at (8,8) size 784x576 renderer->(0x61200003eec0) node->(0x60c0001087c0) layout->[normal child]
B------- -+        DIR RenderBlock at (0,0) size 784x18 renderer->(0x61200003f040) node->(0x60c000108880) layout->[normal child]
B------- -+*         UL RenderBlock at (0,0) size 0x0 renderer->(0x612000081dc0) node->(0x60c0000fed40) layout->[self]
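The mechanism described in Comment 1, as an added example that is not part of this bug report and not WebKit code: a small C++ model of the orphan-fixing path. Node, Stylesheet, Outcome and every function below are hypothetical reconstructions that borrow WebKit's names for readability only; the model assumes no style inheritance (a tag with no rule is read-write), keeps the list item alive through a shared_ptr where the real command holds its own reference, and, for the hardened variant, checks editability before mutating anything, which is this example's choice since the page only says the fixed function returns nullptr in the non-editable case.

```cpp
// Added example, not WebKit code: a small model of the editing path in this bug.
// Every name here is a hypothetical reconstruction; the real implementations differ.
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

enum class UserModify { ReadWrite, ReadOnly };

struct Node {
    std::string tag;
    Node* parent = nullptr;
    std::vector<std::shared_ptr<Node>> children;
    explicit Node(std::string t) : tag(std::move(t)) {}
};

// Stand-in for style resolution: tag -> -webkit-user-modify. The bug's test case
// is { dir: read-write, ul: read-only }. Assumed: no inheritance, and a tag with
// no rule is read-write.
using Stylesheet = std::map<std::string, UserModify>;

static bool isEditable(const Stylesheet& css, const Node& n) {
    auto it = css.find(n.tag);
    return it == css.end() || it->second == UserModify::ReadWrite;
}

// Insert `child` before `ref`; `ref` must be attached to a parent.
static void insertNodeBefore(std::shared_ptr<Node> child, Node& ref) {
    auto& kids = ref.parent->children;
    for (auto it = kids.begin(); it != kids.end(); ++it) {
        if (it->get() == &ref) {
            child->parent = ref.parent;
            kids.insert(it, std::move(child));
            return;
        }
    }
}

// Detach `node` from its parent and hand back the owning reference.
static std::shared_ptr<Node> removeNode(Node& node) {
    auto& kids = node.parent->children;
    for (auto it = kids.begin(); it != kids.end(); ++it) {
        if (it->get() == &node) {
            std::shared_ptr<Node> owned = *it;
            kids.erase(it);
            owned->parent = nullptr;
            return owned;
        }
    }
    return nullptr;
}

// Editing-command append: a silent no-op on a non-editable parent, which is what
// the read-only <ul> triggers. Returns whether anything was appended.
static bool appendNode(const Stylesheet& css, std::shared_ptr<Node> child, Node& parent) {
    if (!isEditable(css, parent))
        return false;
    child->parent = &parent;
    parent.children.push_back(std::move(child));
    return true;
}

// Pre-fix shape: wrap the orphan <li> in a new <ul> and return the list without
// checking whether the append happened. With a read-only <ul> the <li> ends up
// parentless and the <ul> childless, matching the "after" render tree above.
static std::shared_ptr<Node> fixOrphanedListChildUnchecked(const Stylesheet& css, Node& orphan) {
    auto list = std::make_shared<Node>("ul");
    insertNodeBefore(list, orphan);
    appendNode(css, removeNode(orphan), *list);
    return list;
}

// Hardened shape: report the non-editable list as nullptr before touching the
// orphan, so the document is left as it was (checking first is this example's choice).
static std::shared_ptr<Node> fixOrphanedListChildChecked(const Stylesheet& css, Node& orphan) {
    auto list = std::make_shared<Node>("ul");
    if (!isEditable(css, *list))
        return nullptr;
    insertNodeBefore(list, orphan);
    appendNode(css, removeNode(orphan), *list);
    return list;
}

enum class Outcome { Listified, NullParent, Aborted };

// The caller's path into unlistifyParagraph -> splitTreeToNode, which walks up from
// listChild->parent. The unchecked variant reaches that walk with a null parent,
// where WebKit dereferenced it; the model reports the condition instead of crashing.
// `listChild` is a shared_ptr because after a refused append nothing in the tree
// owns it any more (the real command keeps its own reference).
static Outcome insertListOnOrphan(const Stylesheet& css, const std::shared_ptr<Node>& listChild, bool hardened) {
    std::shared_ptr<Node> list = hardened ? fixOrphanedListChildChecked(css, *listChild)
                                          : fixOrphanedListChildUnchecked(css, *listChild);
    if (!list)
        return Outcome::Aborted;
    if (!listChild->parent)
        return Outcome::NullParent;
    return Outcome::Listified;
}

// The bug's DOM: <dir><li> with no enclosing list. Returns the <dir>; the <li> is its only child.
static std::shared_ptr<Node> buildOrphanListItem() {
    auto dir = std::make_shared<Node>("dir");
    auto li = std::make_shared<Node>("li");
    li->parent = dir.get();
    dir->children.push_back(li);
    return dir;
}
```

Running insertListOnOrphan with the bug's stylesheet and hardened=false reproduces the state in the "after" render tree (a childless ul under dir, the li detached) and reaches the point where the real code dereferenced a null parent; with hardened=true the command aborts and the tree is untouched; with no read-only rule the li is wrapped in the new ul as intended.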
Comment 2 Jack 2020-02-20 17:30:04 PST
<rdar://52011355>
Comment 3 Jack 2020-02-20 17:48:14 PST
Created attachment 391363 [details]
Patch
Comment 4 Ryosuke Niwa 2020-02-20 18:05:32 PST
Comment on attachment 391363 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=391363&action=review

> Source/WebCore/editing/InsertListCommand.cpp:213
> +            // If UL is not editable, listChildNode cannot be appended to a list, so fixOrphanedListChild() returns nullptr.

I don’t think we need this comment since anyone looking at this code can just look the code of fixOrphanedListChild.

> Source/WebCore/editing/InsertListCommand.cpp:214
> +            HTMLElement* listElement = fixOrphanedListChild(*listChildNode);
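Review bot: the result at InsertListCommand.cpp:214 is held in a raw HTMLElement* even though the comment directly above it says fixOrphanedListChild() returns nullptr when the list is not editable, so this line needs both an owning pointer and a null check: store the result as RefPtr<HTMLElement> listElement = fixOrphanedListChild(*listChildNode); and return from this path when listElement is null before anything dereferences it, since a raw pointer to a freshly created element gives the caller no ownership of it.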

Please store this in RefPtr
Comment 5 Jack 2020-02-20 18:10:11 PST
Created attachment 391367 [details]
Patch
Comment 6 Jack 2020-02-20 19:45:42 PST
Created attachment 391375 [details]
Patch
Comment 7 Jack 2020-02-21 00:31:06 PST
Created attachment 391386 [details]
Patch
Comment 8 Ryosuke Niwa 2020-02-24 19:00:15 PST
This is not a security bug.
Comment 9 WebKit Commit Bot 2020-02-25 21:18:11 PST
Comment on attachment 391386 [details]
Patch

Clearing flags on attachment: 391386

Committed r257407: <https://trac.webkit.org/changeset/257407>
Comment 10 WebKit Commit Bot 2020-02-25 21:18:13 PST
All reviewed patches have been landed.  Closing bug.