Bug 209999 - Nullptr crash in CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary with draggable text
Summary: Nullptr crash in CompositeEditCommand::moveParagraphContentsToNewBlockIfNeces...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Jack
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-04-03 21:54 PDT by Jack
Modified: 2020-04-06 14:44 PDT

See Also:


Attachments
Patch (3.98 KB, patch), 2020-04-03 22:29 PDT, Jack
Patch for landing (3.98 KB, patch), 2020-04-06 12:50 PDT, Jack

Description Jack 2020-04-03 21:54:10 PDT
<rdar://58978340>

==22496==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x00072bba7ae2 bp 0x7ffee215fd50 sp 0x7ffee215fd50 T0)
==22496==The signal is caused by a READ memory access.
==22496==Hint: address points to the zero page.
==22496==WARNING: invalid path to external symbolizer!
==22496==WARNING: Failed to use and restart external symbolizer!
    #0 0x72bba7ae1 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1afae1)
    #1 0x72bba79d1 in WebCore::Node::hasTagName(WebCore::HTMLQualifiedName const&) const (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1af9d1)
    #2 0x72edcc895 in WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary(WebCore::Position const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33d4895)
    #3 0x72edc96d7 in WebCore::ApplyStyleCommand::applyBlockStyle(WebCore::EditingStyle&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33d16d7)
    #4 0x72edc8c52 in WebCore::ApplyStyleCommand::doApply() (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33d0c52)
    #5 0x72edbfb36 in WebCore::CompositeEditCommand::apply() (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33c7b36)
    #6 0x72ee33467 in WebCore::Editor::applyParagraphStyle(WebCore::StyleProperties*, WebCore::EditAction) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x343b467)
    #7 0x72ee7bbf6 in WebCore::executeApplyParagraphStyle(WebCore::Frame&, WebCore::EditorCommandSource, WebCore::EditAction, WebCore::CSSPropertyID, WTF::String const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x3483bf6)
    #8 0x72ee74692 in WebCore::executeJustifyCenter(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x347c692)
    #9 0x72eaf63d7 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x30fe3d7)
    #10 0x72c4671ba in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0xa6f1ba)
Comment 1 Radar WebKit Bug Importer 2020-04-03 21:54:17 PDT
<rdar://problem/61288781>
Comment 2 Jack 2020-04-03 21:59:10 PDT
Root cause: In the function moveParagraphContentsToNewBlockIfNecessary, an empty VisiblePosition is dereferenced for its anchor node.

1. Because the span has the attribute “draggable” set to true, its “UserSelect” style is set to none.
2. When the “justifyCenter” command executes on the shadow element, we try to move the whole paragraph to a new block by calling moveParagraphContentsToNewBlockIfNecessary.
3. In moveParagraphContentsToNewBlockIfNecessary, we find the end of the paragraph by calling endOfParagraph.
4. However, endOfParagraph returns an empty visible position because the function canonicalPosition cannot find a candidate position.
5. The text node is supposed to be the end of the paragraph, but its parent, <span>, has the UserSelect::None style, so it is not selected by canonicalPosition().
6. Later the empty endOfParagraph is dereferenced for its null anchor node, and the code crashes.

<style>
    #SHADOW { initial; -webkit-user-select: text; }
    #LABEL { -webkit-user-select: all; }
</style>
<script>
window.onload = () =>  {
    window.getSelection().collapse(SHADOW);
    document.execCommand("justifyCenter", false);
}
</script>
<label id=LABEL contenteditable="true"><shadow id=SHADOW></shadow><span draggable="true">a

BODY	0x60c000086e00 (renderer 0x612000071140) 
	LABEL	0x60c000086ec0 (renderer 0x6110000d1f00) 
		SHADOW	0x60c000086f80 (renderer 0x6110000d2040) 
		SPAN	0x60c000087040 (renderer 0x6110000d2180) 
*			#text	0x6080000501a0 "a\n"
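Added illustration, not WebKit's code or the patch on this bug: a small C++ model of the six steps in comment 2, ending with a guard for the empty position in the paragraph-move step. Node, Position, isCandidate, endOfParagraph and buildLabelTree are constructed stand-ins for the WebCore types and functions of the same names; the guard is the kind of check the root cause calls for, not a claim about what r259595 does.

```cpp
#include <memory>
#include <string>
#include <vector>
// Constructed model of the DOM and editing helpers from comment 2 (not WebKit code):
// each node records whether user-select:none applies to it, as the draggable <span> does.
struct Node {
    std::string name;
    bool isText = false, userSelectNone = false;
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;
    Node* add(std::string n, bool text, bool usn) {
        auto c = std::make_unique<Node>();
        c->name = std::move(n); c->isText = text; c->userSelectNone = usn; c->parent = this;
        children.push_back(std::move(c));
        return children.back().get();
    }
};
// A null anchor is the model's "empty VisiblePosition".
struct Position { Node* anchor = nullptr; bool isNull() const { return !anchor; } };
// Model of canonicalPosition(): text is a candidate only if no ancestor is user-select:none (step 5).
static bool isCandidate(const Node* n) {
    if (!n->isText) return false;
    for (const Node* a = n->parent; a; a = a->parent)
        if (a->userSelectNone) return false;
    return true;
}
// Model of endOfParagraph(): the last candidate text node under the paragraph,
// or an empty Position when none qualifies (step 4).
static void lastCandidate(Node* n, Position& out) {
    if (isCandidate(n)) out.anchor = n;
    for (auto& c : n->children) lastCandidate(c.get(), out);
}
static Position endOfParagraph(Node* p) { Position e; lastCandidate(p, e); return e; }
// LABEL > (SHADOW, SPAN > #text "a\n") from the test case; draggable is what puts
// user-select:none on the span (step 1).
static std::unique_ptr<Node> buildLabelTree(bool spanDraggable) {
    auto label = std::make_unique<Node>();
    label->name = "label";
    label->add("shadow", false, false);
    label->add("span", false, spanDraggable)->add("#text", true, false);
    return label;
}
// Hardened form of the move: bail out when endOfParagraph() is empty. The pre-fix code
// read end.anchor->... unconditionally (the null read in frames #0/#1 of the ASan trace).
static bool moveParagraphContentsIfNecessary(Node* paragraph) {
    Position end = endOfParagraph(paragraph);
    if (end.isNull()) return false;          // the missing guard
    return end.anchor->parent->name == "span";
}
```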
Comment 3 Jack 2020-04-03 22:00:22 PDT
Please refer to <rdar://58978340>.

(In reply to Radar WebKit Bug Importer from comment #1)
> <rdar://problem/61288781>
This was caused by accidental save of the bug.
Comment 4 Jack 2020-04-03 22:29:15 PDT
Created attachment 395437 [details]
Patch
Comment 5 Ryosuke Niwa 2020-04-06 12:43:30 PDT
Comment on attachment 395437 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=395437&action=review

> Source/WebCore/editing/CompositeEditCommand.cpp:1184
> +    

Nit: whitespace.
Comment 6 Ryosuke Niwa 2020-04-06 12:43:47 PDT
There is no security implication here.
Comment 7 Jack 2020-04-06 12:50:05 PDT
Created attachment 395602 [details]
Patch for landing
Comment 8 EWS 2020-04-06 14:44:16 PDT
Committed r259595: <https://trac.webkit.org/changeset/259595>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395602 [details].