TextManipulationController::replace can crash when accessing TextIterator::node and other places.
Created attachment 393421 [details] Fixes the bug
Comment on attachment 393421 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=393421&action=review > Source/WebCore/editing/TextManipulationController.cpp:580 > + Position insertionPoint = positionBeforeNode(firstContentNode.get()).parentAnchoredEquivalent(); Is it possible `firstContentNode` is null here? That would lead to a debug assertion in positionBeforeNode. (Seems like the answer is no because we’d already bail in the early return above…?)
Comment on attachment 393421 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=393421&action=review >> Source/WebCore/editing/TextManipulationController.cpp:580 >> + Position insertionPoint = positionBeforeNode(firstContentNode.get()).parentAnchoredEquivalent(); > > Is it possible `firstContentNode` is null here? That would lead to a debug assertion in positionBeforeNode. > > > (Seems like the answer is no because we’d already bail in the early return above…?) I don't think so because to get here, we must have had at least one token, which means we must have had at least one content node.
Committed r258371: <https://trac.webkit.org/changeset/258371>
<rdar://problem/60376855>