222620 – Nullptr crash in Node::isTextNode() via ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodesIfNeeded

Bug 222620 - Nullptr crash in Node::isTextNode() via ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodesIfNeeded

Summary: Nullptr crash in Node::isTextNode() via ApplyBlockElementCommand::endOfNextPa...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	HTML Editing (show other bugs)
Version:	Safari 12
Hardware:	Mac (Intel) All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-03-02 14:58 PST by Venky Dass
Modified:	2021-03-09 23:03 PST (History)
CC List:	9 users (show)

See Also:

Attachments
Patch (2.88 KB, patch) 2021-03-02 15:03 PST, Venky Dass	no flags	Details \| Formatted Diff \| Diff
test case (625 bytes, text/html) 2021-03-02 15:45 PST, Venky Dass	no flags	Details
Patch (5.40 KB, patch) 2021-03-05 16:16 PST, Venky Dass	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
Patch (5.44 KB, patch) 2021-03-05 23:06 PST, Venky Dass	no flags	Details \| Formatted Diff \| Diff
Patch (5.42 KB, patch) 2021-03-06 06:24 PST, Venky Dass	no flags	Details \| Formatted Diff \| Diff
Patch (5.43 KB, patch) 2021-03-07 20:35 PST, Venky Dass	no flags	Details \| Formatted Diff \| Diff
Patch (5.42 KB, patch) 2021-03-09 09:08 PST, Venky Dass	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (5) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Venky Dass 2021-03-02 14:58:43 PST

Crash when running a page.
<rdar://74574192>

Comment 1 Venky Dass 2021-03-02 14:59:06 PST

<rdar://74574192>

Comment 2 Radar WebKit Bug Importer 2021-03-02 14:59:41 PST

<rdar://problem/74950677>

Comment 3 Venky Dass 2021-03-02 15:03:06 PST

Created attachment 422000 [details]
Patch

Comment 4 Venky Dass 2021-03-02 15:45:19 PST

Created attachment 422010 [details]
test case

Comment 5 Ryosuke Niwa 2021-03-03 14:02:30 PST

Comment on attachment 422000 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=422000&action=review

r- due to the lack of a test.

> Source/WebCore/ChangeLog:8
> +        No new tests (OOPS!).

Please add a test.

> Source/WebCore/editing/ApplyBlockElementCommand.cpp:294
> +            if (previousSiblingOfText && is<Text>(*text->previousSibling())

is<Text>(*text->previousSibling()) -> is<Text>(is<Text>(*text->previousSibling()))

Comment 6 Chris Dumez 2021-03-03 14:10:57 PST

Comment on attachment 422000 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=422000&action=review

>> Source/WebCore/editing/ApplyBlockElementCommand.cpp:294
>> +            if (previousSiblingOfText && is<Text>(*text->previousSibling())
> 
> is<Text>(*text->previousSibling()) -> is<Text>(is<Text>(*text->previousSibling()))

Did you mean:
`if (is<Text>(previousSiblingOfText))`
?

Comment 7 Ryosuke Niwa 2021-03-03 14:18:59 PST

(In reply to Chris Dumez from comment #6)
> Comment on attachment 422000 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=422000&action=review
> 
> >> Source/WebCore/editing/ApplyBlockElementCommand.cpp:294
> >> +            if (previousSiblingOfText && is<Text>(*text->previousSibling())
> > 
> > is<Text>(*text->previousSibling()) -> is<Text>(is<Text>(*text->previousSibling()))
> 
> Did you mean:
> `if (is<Text>(previousSiblingOfText))`
> ?

Ugh... yes, copy & paste error.

Comment 8 Venky Dass 2021-03-05 16:16:47 PST

Created attachment 422449 [details]
Patch

Comment 9 Ryosuke Niwa 2021-03-05 16:30:05 PST

Comment on attachment 422449 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=422449&action=review

> Source/WebCore/ChangeLog:7
> +        In function ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodes(..) there is a 
> +        null check missing when using the previous silbing call which is causing the crash.
> +        the return from previousSiblingOfText.
> +
> +        https://bugs.webkit.org/show_bug.cgi?id=222620

This is not the right format. See other entries in the change log.
The line above bugzilla URL should match bug's title, and this description should appear below "reviewed by ~" line below.

> LayoutTests/ChangeLog:6
> +        In function ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodes(..) there is a 
> +        null check missing when using the previous silbing call which is causing the crash.
> +        the return from previousSiblingOfText.
> +
> +        https://bugs.webkit.org/show_bug.cgi?id=222620

Ditto. We should be saying something like "Adding a regression test" instead.

> LayoutTests/ChangeLog:11
> +        * editing/inserting/scrollingelement-indent-crash-expected.txt: Added.
> +        * editing/inserting/scrollingelement-indent-crash.html: Added.

This is nothing to do with scrolling element. It's about the text node not having a previous sibling.
Probably something like: indent-split-text-not-having-previous-sibling-crash.html or something like that.

> LayoutTests/editing/inserting/scrollingelement-indent-crash.html:3
> +.class8,input:required,#x12:read-only { white-space: pre-line;-webkit-text-stroke: 100%;-webkit-user-modify: read-only;contain: }

We should reduce this test case further.

Comment 10 Venky Dass 2021-03-05 23:06:20 PST

Created attachment 422474 [details]
Patch

Comment 11 Ryosuke Niwa 2021-03-05 23:54:33 PST

Comment on attachment 422474 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=422474&action=review

> LayoutTests/editing/inserting/indent-split-text-not-having-previous-sibling-crash.html:6
> +   		testRunner.dumpAsText();

Nit: Wrong indentation. You need to use spaces, not tab characters.

Comment 12 Venky Dass 2021-03-06 06:24:00 PST

Created attachment 422489 [details]
Patch

Comment 13 Venky Dass 2021-03-06 06:36:26 PST

removed the extra spaces in the html file. Not sure why the following script could not catch it.

Tools/Scripts/check-webkit-style                                                          
Total errors found: 0 in 5 files

Comment 14 Ryosuke Niwa 2021-03-06 13:59:05 PST

Comment on attachment 422489 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=422489&action=review

> Source/WebCore/ChangeLog:1
> +2021-03-05  venky dass  <yaranamavenkataramana@apple.com>

Please capitalize your name.

> LayoutTests/ChangeLog:2
> +2021-03-05  venky dass  <yaranamavenkataramana@apple.com>
> +        Nullptr crash in Node::isTextNode() via ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodesIfNeeded

You need a blank line between these. two lines.

> LayoutTests/ChangeLog:10
> +        
> +        Adding a regression test.

This description must appear before the list of files but below "Reviewed by" line

Comment 15 Venky Dass 2021-03-07 20:35:38 PST

Created attachment 422543 [details]
Patch

Comment 16 Ryosuke Niwa 2021-03-08 19:43:35 PST

Comment on attachment 422543 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=422543&action=review

> LayoutTests/editing/inserting/indent-split-text-not-having-previous-sibling-crash.html:7
> +    if (window.testRunner) {
> +        testRunner.dumpAsText();
> +    }

Nit: no curly braces around a single line statement:
https://webkit.org/code-style-guidelines/#braces-one-line

Comment 17 Ryosuke Niwa 2021-03-08 19:44:00 PST

Changing to non-security component since there is no security implication here.

Comment 18 Venky Dass 2021-03-09 09:08:59 PST

Created attachment 422712 [details]
Patch

Comment 19 EWS 2021-03-09 23:03:42 PST

Committed r274200: <https://commits.webkit.org/r274200>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 422712 [details].