RESOLVED FIXED
Bug 209999 - Nullptr crash in CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary with draggable text
https://bugs.webkit.org/show_bug.cgi?id=209999

Reported by Jack, 2020-04-03 21:54:10 PDT

<rdar://58978340>

==22496==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x00072bba7ae2 bp 0x7ffee215fd50 sp 0x7ffee215fd50 T0)
==22496==The signal is caused by a READ memory access.
==22496==Hint: address points to the zero page.
==22496==WARNING: invalid path to external symbolizer!
==22496==WARNING: Failed to use and restart external symbolizer!
    #0 0x72bba7ae1 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1afae1)
    #1 0x72bba79d1 in WebCore::Node::hasTagName(WebCore::HTMLQualifiedName const&) const (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1af9d1)
    #2 0x72edcc895 in WebCore::CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary(WebCore::Position const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33d4895)
    #3 0x72edc96d7 in WebCore::ApplyStyleCommand::applyBlockStyle(WebCore::EditingStyle&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33d16d7)
    #4 0x72edc8c52 in WebCore::ApplyStyleCommand::doApply() (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33d0c52)
    #5 0x72edbfb36 in WebCore::CompositeEditCommand::apply() (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x33c7b36)
    #6 0x72ee33467 in WebCore::Editor::applyParagraphStyle(WebCore::StyleProperties*, WebCore::EditAction) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x343b467)
    #7 0x72ee7bbf6 in WebCore::executeApplyParagraphStyle(WebCore::Frame&, WebCore::EditorCommandSource, WebCore::EditAction, WebCore::CSSPropertyID, WTF::String const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x3483bf6)
    #8 0x72ee74692 in WebCore::executeJustifyCenter(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x347c692)
    #9 0x72eaf63d7 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x30fe3d7)
    #10 0x72c4671ba in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (Safari_ASAN_254346_4878c59d1007965234bf2fabf087ce373bfe4e27.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0xa6f1ba)
Attachments

Patch (3.98 KB, patch), 2020-04-03 22:29 PDT, Jack, no flags
Patch for landing (3.98 KB, patch), 2020-04-06 12:50 PDT, Jack, no flags
Comment 1 by Radar WebKit Bug Importer, 2020-04-03 21:54:17 PDT

<rdar://problem/61288781>
Comment 2 by Jack, 2020-04-03 21:59:10 PDT

Root cause: In function moveParagraphContentsToNewBlockIfNecessary, an empty VisiblePosition is dereferenced for its anchor node.

1. Because span has attribute "draggable" set to true, its "UserSelect" style is set to none.
2. When "justifyCenter" command executes on the shadow element, we try to move the whole paragraph to a new block by calling moveParagraphContentsToNewBlockIfNecessary.
3. In moveParagraphContentsToNewBlockIfNecessary, we find the end of the paragraph by calling endOfParagraph.
4. However, endOfParagraph returns an empty visible position because function canonicalPosition cannot find a candidate position.
5. The text node is supposed to be the end of the paragraph, but its parent, <span>, has UserSelect::None style, so it is not selected by canonicalPosition().
6. Later the empty endOfParagraph is dereferenced for its null anchor node, and the code crashes.

<style>
#SHADOW { initial; -webkit-user-select: text; }
#LABEL { -webkit-user-select: all; }
</style>
<script>
window.onload = () => {
    window.getSelection().collapse(SHADOW);
    document.execCommand("justifyCenter", false);
}
</script>
<label id=LABEL contenteditable="true"><shadow id=SHADOW></shadow><span draggable="true">a

BODY 0x60c000086e00 (renderer 0x612000071140)
  LABEL 0x60c000086ec0 (renderer 0x6110000d1f00)
    SHADOW 0x60c000086f80 (renderer 0x6110000d2040)
    SPAN 0x60c000087040 (renderer 0x6110000d2180)
*     #text 0x6080000501a0 "a\n"
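The chain in comment 2 (user-select:none ancestor, no candidate position, empty VisiblePosition, null anchor dereferenced in hasTagName) as a self-contained C++ model. This is an added example written for this page, not WebKit's code and not the patch that landed as r259595: the Node, VisiblePosition, isCandidate, endOfParagraph and buildTestCase definitions are simplifications and assumptions, and only the shape of the isNull() guard before the anchor is touched is the point being illustrated.

```cpp
// Added illustration (not WebKit code): a miniature model of the failure chain
// in comment 2. draggable="true" is modelled as user-select:none on the span,
// the candidate test inside canonicalPosition() is reduced to "no ancestor is
// user-select:none", and the crash site is the hasTagName() call on an anchor
// node that is null because endOfParagraph() returned an empty position.
#include <cassert>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

enum class UserSelect { Text, None, All };

struct Node {
    std::string tag;                      // "BODY", "LABEL", "SPAN", "#text", ...
    UserSelect userSelect = UserSelect::Text;
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;

    Node* appendChild(std::unique_ptr<Node> child) {
        child->parent = this;
        children.push_back(std::move(child));
        return children.back().get();
    }
    bool hasTagName(const std::string& name) const { return tag == name; }
};

// Simplified stand-in for the candidate check in canonicalPosition(): a
// position is usable only if no ancestor opts out of selection (step 5).
static bool isCandidate(const Node* node) {
    for (const Node* n = node; n; n = n->parent) {
        if (n->userSelect == UserSelect::None)
            return false;
    }
    return true;
}

// A VisiblePosition whose anchor is null when canonicalisation found nothing.
struct VisiblePosition {
    Node* anchor = nullptr;
    bool isNull() const { return !anchor; }
};

// Walk to the paragraph's last leaf, then canonicalise it: empty if the leaf
// is not a candidate (step 4 of comment 2).
static VisiblePosition endOfParagraph(Node* paragraph) {
    Node* leaf = paragraph;
    while (!leaf->children.empty())
        leaf = leaf->children.back().get();
    if (!isCandidate(leaf))
        return {};
    return { leaf };
}

// Guarded shape of the command: returns false when it has to bail out because
// the paragraph end is unresolvable, true when it can proceed. Without the
// isNull() check, hasTagName() on the null anchor is frames #0-#2 of the trace.
static bool moveParagraphContentsToNewBlockIfNecessary(Node* paragraph) {
    VisiblePosition end = endOfParagraph(paragraph);
    if (end.isNull())
        return false;
    Node* anchor = end.anchor;            // non-null past the guard
    return anchor->hasTagName("#text") || anchor->hasTagName("BR");
}

// Builds the reported DOM: <label contenteditable><shadow></shadow><span draggable>a</span></label>.
// The span's user-select is None when spanDraggable is true (step 1 of comment 2).
static std::unique_ptr<Node> buildTestCase(bool spanDraggable) {
    auto body = std::make_unique<Node>();
    body->tag = "BODY";
    Node* label = body->appendChild(std::make_unique<Node>());
    label->tag = "LABEL";
    label->userSelect = UserSelect::All;
    Node* shadow = label->appendChild(std::make_unique<Node>());
    shadow->tag = "SHADOW";
    Node* span = label->appendChild(std::make_unique<Node>());
    span->tag = "SPAN";
    span->userSelect = spanDraggable ? UserSelect::None : UserSelect::Text;
    Node* text = span->appendChild(std::make_unique<Node>());
    text->tag = "#text";
    return body;
}

int main() {
    auto draggable = buildTestCase(true);
    auto plain = buildTestCase(false);
    std::cout << "draggable span: endOfParagraph null = " << endOfParagraph(draggable.get()).isNull()
              << ", command proceeded = " << moveParagraphContentsToNewBlockIfNecessary(draggable.get()) << "\n";
    std::cout << "plain span: endOfParagraph null = " << endOfParagraph(plain.get()).isNull()
              << ", command proceeded = " << moveParagraphContentsToNewBlockIfNecessary(plain.get()) << "\n";
    return 0;
}
```

With the draggable span the model's endOfParagraph() comes back empty and the guarded command returns false instead of touching the anchor; with a plain span the same DOM resolves normally. The defensive rule it demonstrates is the general one for editing code: any VisiblePosition obtained from a canonicalising helper can be empty, so its anchor must be null-checked before use.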
Comment 3 by Jack, 2020-04-03 22:00:22 PDT

Please refer to <rdar://58978340>.

(In reply to Radar WebKit Bug Importer from comment #1)
> <rdar://problem/61288781>

This was caused by an accidental save of the bug.
Comment 4 by Jack, 2020-04-03 22:29:15 PDT

Created attachment 395437 [details]: Patch
Comment 5 by Ryosuke Niwa, 2020-04-06 12:43:30 PDT

Comment on attachment 395437 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=395437&action=review

> Source/WebCore/editing/CompositeEditCommand.cpp:1184
> +

Nit: whitespace.
Comment 6 by Ryosuke Niwa, 2020-04-06 12:43:47 PDT

There is no security implication here.
Comment 7 by Jack, 2020-04-06 12:50:05 PDT

Created attachment 395602 [details]: Patch for landing
Comment 8 by EWS, 2020-04-06 14:44:16 PDT

Committed r259595: <https://trac.webkit.org/changeset/259595>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395602 [details].