RESOLVED FIXED 218491
Nullptr dereference in DeleteSelectionCommand::mergeParagraphs() 
https://bugs.webkit.org/show_bug.cgi?id=218491
Summary Nullptr dereference in DeleteSelectionCommand::mergeParagraphs()
Ian Gilbert
Reported 2020-11-03 02:20:27 PST
Description: Crash found by fuzzing. Reproduces on WebKit revision 265497. #0 WebCore::Node::getFlag(WebCore::Node::NodeFlags) const #1 WebCore::DeleteSelectionCommand::mergeParagraphs() #2 WebCore::DeleteSelectionCommand::doApply() #3 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::EditCommand, WTF::DumbPtrTraits<WebCore::EditCommand> >&&) #4 WebCore::CompositeEditCommand::deleteSelection(WebCore::VisibleSelection const&, bool, bool, bool, bool, bool) #5 WebCore::TypingCommand::deleteKeyPressed(WebCore::TextGranularity, bool) #6 WebCore::CompositeEditCommand::apply() #7 WebCore::TypingCommand::deleteKeyPressed(WebCore::Document&, unsigned int, WebCore::TextGranularity) #8 WebCore::executeDelete(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) #9 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) #10 WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)
Attachments
Crashing input (435 bytes, text/html)
2020-11-03 02:21 PST, Ian Gilbert 		no flags
Details
Patch (1.67 KB, patch)
2020-11-15 08:38 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (3.59 KB, patch)
2020-11-16 02:56 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-11-03 02:20:40 PST
<rdar://problem/70986855>
Ian Gilbert
Comment 2 2020-11-03 02:21:17 PST
Created attachment 413025 [details] Crashing input
Ryosuke Niwa
Comment 3 2020-11-03 13:06:32 PST
<rdar://problem/66842923>
Ryosuke Niwa
Comment 4 2020-11-04 10:55:34 PST
Something like this is supposed to work but there are some test failures: Index: Source/WebCore/editing/CompositeEditCommand.cpp =================================================================== --- Source/WebCore/editing/CompositeEditCommand.cpp (revision 268963) +++ Source/WebCore/editing/CompositeEditCommand.cpp (working copy) @@ -1456,8 +1456,9 @@ ASSERT(destination.deepEquivalent().anchorNode()->isConnected()); cleanupAfterDeletion(destination); + auto newEndingSelection = VisibleSelection(destination, originalIsDirectional); // FIXME (Bug 211793): We should redesign cleanupAfterDeletion or find another destination when it is removed. - if (!destination.deepEquivalent().anchorNode()->isConnected()) + if (!destination.deepEquivalent().anchorNode()->isConnected() || newEndingSelection.isNone()) return; // Add a br if pruning an empty block level element caused a collapse. For example: @@ -1482,7 +1483,7 @@ auto destinationIndex = characterCount({ { *editableRoot, 0 }, *makeBoundaryPoint(destination) }, TextIteratorEmitsCharactersBetweenAllVisiblePositions); - setEndingSelection(VisibleSelection(destination, originalIsDirectional)); + setEndingSelection(newEndingSelection); ASSERT(endingSelection().isCaretOrRange()); OptionSet<ReplaceSelectionCommand::CommandOption> options { ReplaceSelectionCommand::SelectReplacement, ReplaceSelectionCommand::MovingParagraph }; if (!preserveStyle)
Rob Buis
Comment 5 2020-11-15 08:38:37 PST
Created attachment 414166 [details] Patch
Rob Buis
Comment 6 2020-11-16 02:56:30 PST
Created attachment 414212 [details] Patch
Rob Buis
Comment 7 2020-11-16 07:47:47 PST
Comment on attachment 414212 [details] Patch There is probably some overlap with 218492.
Ryosuke Niwa
Comment 8 2020-11-16 22:29:26 PST
(In reply to Rob Buis from comment #7) > Comment on attachment 414212 [details] > Patch > > There is probably some overlap with 218492. In that case, can we re-land the fix for the bug 218492 first and check if it also fixes this bug or not?
Rob Buis
Comment 9 2020-11-16 22:59:52 PST
(In reply to Ryosuke Niwa from comment #8) > (In reply to Rob Buis from comment #7) > > Comment on attachment 414212 [details] > > Patch > > > > There is probably some overlap with 218492. > > In that case, can we re-land the fix for the bug 218492 first and check if > it also fixes this bug or not? I *think* this is happening (sorry my wording was a bit imprecise): - 218492 bt is specific to Mac. GTK instead has the bt from 218491 for the test case in 218492. - so the 218492 fix for Mac had a test case that fixes 218492 on Mac and thus equals it to GTK status, i.e. still hitting 218491. Hope that clears things up. If I am right fixing 218491 first and then relanding the 218492 fix should fix both bugs.
Ryosuke Niwa
Comment 10 2020-11-17 00:05:10 PST
Ah ok.
EWS
Comment 11 2020-11-17 00:22:32 PST
Committed r269894: <https://trac.webkit.org/changeset/269894> All reviewed patches have been landed. Closing bug and clearing flags on attachment 414212 [details].
Note You need to log in before you can comment on or make changes to this bug.