RESOLVED FIXED 209021
Crash in TextManipulationController::replace 
https://bugs.webkit.org/show_bug.cgi?id=209021
Summary Crash in TextManipulationController::replace
Ryosuke Niwa
Reported 2020-03-12 15:02:16 PDT
TextManipulationController::replace can crash when accessing TextIterator::node and other places.
Attachments
Fixes the bug (7.58 KB, patch)
2020-03-12 15:16 PDT, Ryosuke Niwa 		wenson_hsieh: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2020-03-12 15:16:30 PDT
Created attachment 393421 [details] Fixes the bug
Wenson Hsieh
Comment 2 2020-03-12 15:41:18 PDT
Comment on attachment 393421 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=393421&action=review > Source/WebCore/editing/TextManipulationController.cpp:580 > + Position insertionPoint = positionBeforeNode(firstContentNode.get()).parentAnchoredEquivalent(); Is it possible `firstContentNode` is null here? That would lead to a debug assertion in positionBeforeNode. (Seems like the answer is no because we’d already bail in the early return above…?)
Ryosuke Niwa
Comment 3 2020-03-12 15:45:56 PDT
Comment on attachment 393421 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=393421&action=review >> Source/WebCore/editing/TextManipulationController.cpp:580 >> + Position insertionPoint = positionBeforeNode(firstContentNode.get()).parentAnchoredEquivalent(); > > Is it possible `firstContentNode` is null here? That would lead to a debug assertion in positionBeforeNode. > > > (Seems like the answer is no because we’d already bail in the early return above…?) I don't think so because to get here, we must have had at least one token, which means we must have had at least one content node.
Ryosuke Niwa
Comment 4 2020-03-12 16:29:32 PDT
Committed r258371: <https://trac.webkit.org/changeset/258371>
Ryosuke Niwa
Comment 5 2020-03-12 16:29:57 PDT
<rdar://problem/60376855>
Note You need to log in before you can comment on or make changes to this bug.