RESOLVED FIXED 224518
Nullptr deref in CompositeEditCommand::isRemovableBlock in DeleteSelectionCommand::removeRedundantBlocks 
https://bugs.webkit.org/show_bug.cgi?id=224518
Summary Nullptr deref in CompositeEditCommand::isRemovableBlock in DeleteSelectionCom...
Ian Gilbert
Reported 2021-04-13 16:43:44 PDT
removeRedundantBlocks() may run into a null pointer while iterating over the tree, if the tree is unexpectedly modified during the execution of a command. Adding null check to quit this step if a parent node cannot be resolved.
Attachments
Patch (4.33 KB, patch)
2021-04-13 17:08 PDT, Ian Gilbert 		no flags
DetailsFormatted DiffDiff
Patch (4.15 KB, patch)
2021-04-15 16:49 PDT, Ian Gilbert 		no flags
DetailsFormatted DiffDiff
Patch (4.23 KB, patch)
2021-04-16 13:35 PDT, Ian Gilbert 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Ian Gilbert
Comment 1 2021-04-13 16:44:14 PDT
<rdar://problem/76264118>
Ian Gilbert
Comment 2 2021-04-13 17:08:43 PDT
Created attachment 425933 [details] Patch
Ryosuke Niwa
Comment 3 2021-04-13 18:26:45 PDT
Comment on attachment 425933 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425933&action=review > Source/WebCore/editing/DeleteSelectionCommand.cpp:869 > + RefPtr<Node> node = makeRefPtr(m_endingPosition.containerNode()); > + RefPtr<Node> rootNode = makeRefPtr(node->rootEditableElement()); Use auto? > Source/WebCore/editing/DeleteSelectionCommand.cpp:871 > + while (node && (node != rootNode)) { We don't usually nest parentheses like this. > Source/WebCore/editing/DeleteSelectionCommand.cpp:877 > - node = m_endingPosition.anchorNode(); > + node = makeRefPtr(m_endingPosition.anchorNode()); No need to call makeRefPtr since node is already of type RefPtr<Node>. > Source/WebCore/editing/DeleteSelectionCommand.cpp:879 > - node = node->parentNode(); > + node = makeRefPtr(node->parentNode()); Ditto. > LayoutTests/editing/execCommand/remove-node-during-command-crash.html:24 > + document.write('PASS') Missing semicolon at the end. Also, can we say that this test passes if WebKit doesn't crash?
Ian Gilbert
Comment 4 2021-04-15 16:49:41 PDT
Created attachment 426154 [details] Patch
Ian Gilbert
Comment 5 2021-04-15 16:53:39 PDT
Tried to add the text to the test body saying the test passes if it doesn't crash but it either would stop the test from reproducing, or would get eaten by the command. Hopefully that is appropriate.
Ryosuke Niwa
Comment 6 2021-04-15 16:56:42 PDT
Comment on attachment 426154 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=426154&action=review > Source/WebCore/ChangeLog:3 > + Editing null pointer dereference while resolving command I've just renamed the bug. Please update the title here. It's overly generic. Sorry I didn't notice earlier. > LayoutTests/ChangeLog:3 > + Editing null pointer dereference while resolving command Ditto. > LayoutTests/ChangeLog:8 > + Add regression test. Nit: Add *a* regression test.
Ian Gilbert
Comment 7 2021-04-16 13:35:51 PDT
Created attachment 426267 [details] Patch
Ryosuke Niwa
Comment 8 2021-04-16 13:37:40 PDT
Let's at least wait for the stress EWS to make sure the new test isn't flaky, etc...
EWS
Comment 9 2021-04-16 17:57:30 PDT
Committed r276186 (236668@main): <https://commits.webkit.org/236668@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 426267 [details].
Note You need to log in before you can comment on or make changes to this bug.